CONCORDIA (source: hvg.ece.concordia.ca/Publications/Thesis/Tarek-MaSc...)

On the Embedding of Multiway Decision Graphs in HOL

Tarek Mhamdi

A Thesis in The Department of Electrical and Computer Engineering

Presented in Partial Fulfillment of the Requirements for the Degree of Master of Applied Science at Concordia University
Montreal, Quebec, Canada
August 2003

Tarek Mhamdi, 2003

CONCORDIA UNIVERSITY
Division of Graduate Studies

This is to certify that the thesis prepared
By: Tarek Mhamdi
Entitled: On the Embedding of Multiway Decision Graphs in HOL
and submitted in partial fulfilment of the requirements for the degree of
Master of Applied Science
complies with the regulations of this University and meets the accepted standards with respect to originality and quality.

Signed by the final examining committee:
Dr. M. Reza Soleymani
Dr. Otmane Ait-Mohamed
Dr. Ahmed Seffah
Dr. Sofiène Tahar

Approved by: Chair of the ECE Department
2003, Dean of Engineering

ABSTRACT

On the Embedding of Multiway Decision Graphs in HOL

Tarek Mhamdi

The increasing complexity of hardware systems requires more and more sophisticated methods of verification. While model checking suffers from the state space explosion problem, theorem proving is quite tedious and impractical for verifying complex designs. In this thesis, we propose a verification framework in which we attempt to strike a balance between the expressiveness of theorem proving and the efficiency and automation of state exploration techniques. To this end, we propose to integrate a layer of checking algorithms based on Multiway Decision Graphs (MDG) in the HOL theorem prover. We embedded the logic underlying MDGs in HOL and implemented a platform that provides a set of algorithms allowing the user to develop his/her own state-exploration based application inside HOL. While the verification problem is specified in HOL, the proof is derived by tightly combining the MDG based computations and the theorem prover facilities. We have been able to implement different state exploration techniques within HOL, such as MDG reachability analysis, equivalence checking and model checking.

To My Family

ACKNOWLEDGEMENTS

I have been very fortunate to have Dr. Sofiène Tahar as my supervisor. I am deeply grateful for his strong support and encouragement throughout my Master's studies. His expertise and competent advice have shaped the character of my research.

I would like to thank the examination committee members for reviewing my thesis and giving me invaluable feedback. I am particularly grateful to Dr. Otmane Ait-Mohamed for his fruitful discussions.

My colleagues from the Hardware Verification Group (HVG) provided a nice atmosphere for discussions and research; I thank them for all their support and valuable hints.

I also wish to thank the University Mission of Tunisia in North America for financing my studies, facilitating me to actively concentrate on research.

I would like to reserve my deepest thanks for my family for their perpetual love.

TABLE OF CONTENTS

LIST OF TABLES ... x
LIST OF FIGURES ... xi
LIST OF ACRONYMS ... xii

1 Introduction ... 1
1.1 Formal Verification Techniques ... 3
1.1.1 Theorem Proving ... 4
1.1.2 Model Checking ... 5
1.2 Related Work ... 7
1.3 Scope of the Thesis ... 11
1.4 Contributions of the Thesis ... 12
1.5 Outline of the Thesis ... 14

2 Preliminaries ... 15
2.1 The HOL Theorem Prover ... 15
2.1.1 Types ... 17
2.1.2 Terms ... 18
2.2 Abstract State Machines ... 19
2.2.1 Formal Logic ... 20
2.2.2 Directed Formulae ... 22

2.2.3 Abstract Description of State Machines ... 23
2.2.4 Example ... 25
2.3 Multiway Decision Graphs ... 27
2.3.1 From BDDs to MDGs ... 27
2.3.2 Well-formedness Conditions ... 29
2.3.3 MDG Basic Operators ... 32
2.3.4 MDG Reachability Analysis ... 35
2.4 The MDG Package ... 36
2.4.1 Graph Structure ... 36
2.4.2 Assembling Graphs ... 37
2.4.3 Manipulating Graphs ... 38

3 Embedding the MDG Logic ... 40
3.1 MDG Sorts ... 40
3.2 MDG Variables ... 41
3.3 MDG Constants ... 43
3.4 MDG Functions ... 44
3.5 MDG Terms ... 45
3.6 MDG Well-formed Terms ... 46
3.7 Utility Functions ... 47
3.8 Summary ... 48

4 Linking MDG and HOL ... 50
4.1 Lifted MDG Package ... 50
4.1.1 Modified Functionalities ... 51
4.1.2 New Functionalities ... 52
4.2 Linking MDG to HOL ... 56
4.2.1 HOL-MDG Interaction ... 57
4.2.2 Constructing MDGs in HOL ... 58
4.2.3 Interfacing MDG Basic Operators ... 59
4.3 Summary ... 60

5 Embedding MDG Applications ... 61
5.1 Reachability Analysis ... 61
5.1.1 Computing Next States ... 61
5.1.2 Computing Outputs ... 62
5.1.3 Computing Frontier Set ... 62
5.1.4 Computing Reachable States ... 63
5.2 Invariant Checking ... 64
5.2.1 Examining the Outputs ... 64
5.2.2 Generating the Inputs ... 65
5.2.3 Renaming Substitution ... 66
5.2.4 Checking an Invariant ... 66
5.3 Model Checking in HOL ... 67

5.4 MDG as a Decision Procedure ... 68
5.4.1 Equivalence Checking ... 69
5.4.2 Tautology Checking ... 69
5.5 Summary ... 70

6 Case Study: Island Tunnel Controller ... 71
6.1 ITC Specification using Directed Formulae ... 74
6.2 Invariant Checking ... 78
6.2.1 Properties ... 78
6.2.2 Experimental Results ... 81

7 Conclusion and Future Work ... 84

Bibliography ... 88

LIST OF TABLES

2.1 HOL Syntax Examples ... 19
6.1 Property Checking Results using InvariantChecking ... 82

LIST OF FIGURES

2.1 The GCD State Machine ... 25
2.2 Transition Relations (MDGs) of the GCD State Machine ... 33
2.3 Example of the MDG Representation ... 37
6.1 The Island Tunnel Controller ... 71
6.2 State Transitions Diagram of the ILC ... 72
6.3 State Transitions Diagram of the MLC ... 73
6.4 State Transitions Diagram of the TC ... 74
6.5 Transitions from the State green (ILC) ... 76
6.6 Transitions from the State red (MLC) ... 77

LIST OF ACRONYMS

ASM Abstract State Machines
ATM Asynchronous Transfer Mode
CTL Computational Tree Logic
FSM Finite State Machine
HDL Hardware Description Language
HOL Higher-Order Logic
ILC Island Light Controller
ITC Island Tunnel Controller
LTL Linear Temporal Logic
ML Meta Language
MLC Main Land Controller
PVS Prototype Verification System
ROBDD Reduced Ordered Binary Decision Diagram
RTL Register Transfer Level
SMV Symbolic Model Verifier
TC Tunnel Controller
VIS Verification Interacting with Synthesis
VLSI Very Large Scale Integration

Chapter 1
Introduction

Whenever an error creeps into a design, time and money must be spent to locate the problem and correct it, and the longer a bug evades detection, the harder and more expensive it is to fix. As design complexity increases, simulation times become prohibitive and coverage becomes poor, allowing numerous bugs to slip through to later stages of the design cycle. What is needed, therefore, is a complement to simulation for determining the correctness of a design. For this reason, there has been a surge of research interest in formal verification techniques [22]. In general, the formal verification problem consists of mathematically establishing that an implementation satisfies a specification. The implementation refers to the system design that is to be verified and the specification refers to the property with respect to which the correctness is to be determined.

Formal verification methods fall into two categories [20]: proof-based methods, mainly theorem proving, and state-exploration methods, mainly model checking and equivalence checking. While theorem proving is a scalable technique that can handle large designs, model checking suffers from the so-called state-explosion problem, which prevents its application to industrial systems [23]. On the other hand, while model checking is fully automatic, deriving proofs is a user-guided technique that requires a lot of expertise and hence can be tedious and difficult.

Ideally, one would like to combine the strengths of both techniques, resulting in a hopefully automatic theorem prover. This is not likely to be practical in the foreseeable future, so various compromises are being explored. They can be summarized as either adding a layer of theorem proving on top of existing model checkers, to enable large problems to be deductively decomposed into smaller pieces that can be checked automatically, or adding checking algorithms to theorem provers so that subgoals can be verified automatically and counter-examples found.

Motivated by a desire to combine the expressiveness and scalability of theorem proving with the automation and efficiency of state-exploration based techniques, we developed a platform of state-exploration algorithms inside the HOL proof system [16]. Our decision diagram data structure is the Multiway Decision Graph (MDG) [9], which we integrate in HOL as a built-in datatype.

1.1 Formal Verification Techniques

Formal verification [20] consists of formally establishing that an implementation satisfies a specification. To classify the various approaches, we first look at the three main aspects of the problem [22]: the implementation, the specification and the relationship between them.

An implementation is a description of the actual hardware design that is to be verified. It usually can be described at different levels of abstraction: circuit level, switch level, gate level or register-transfer level. Different abstraction levels often result in different verification methods. A method that is good at one level may become cumbersome at another one. Another important issue with the implementation is the class of circuits we wish to verify, i.e., whether it is combinational/sequential, synchronous/asynchronous, pipelined or parametrized hardware. These variations may require different approaches (though not mutually exclusive).

There are two verification paradigms, depending on the two different kinds of specifications:

1. Verification of behavioral equivalence: It intends to prove that an implementation is behaviorally equivalent to the specification, which is a description of the intended/required behavior of a hardware design. This can be applied for the proof of implication.

2. Property verification: It intends to prove that the implementation is a model of the specification, which consists of the set of properties to be satisfied.

The above two styles of verification are not mutually exclusive; in fact, they are somehow complementary. It can be useful to verify important properties as well as to verify the behavioral equivalence or logical implication of an implementation against a specification.

1.1.1 Theorem Proving

Theorem proving is an approach where both the system and its desired properties are expressed as formulae in some mathematical logic. This logic is defined by a formal system, called a proof system or calculus, which defines a set of axioms and a set of inference rules. Theorem proving is the process of deriving a proof from the basic axioms of the system. Steps in the proof appeal to the axioms and rules, and possibly to derived definitions and intermediate lemmas. The axioms are usually "elementary" in the sense that they capture the basic properties of the logic's operators.

Proof styles are often characterized as "forward" or "backward". A forward proof starts with the axioms and assumptions; inferences are then applied until the desired theorem is proven. A backward proof starts with the theorem as a goal and applies the inverses of inference rules to reduce the theorem to simpler intermediate goals. Sufficiently simple goals are discharged by matching axioms or assumptions or by applying built-in decision procedures.

Many theorem-proving systems have been implemented, and many have been used for hardware verification, including HOL [16], ISABELLE [27], and PVS [26]. These systems are distinguished by, among other aspects, the underlying mathematical logic, the way automatic decision procedures are integrated into the system and the user interface. In the next chapter, we will overview the HOL theorem proving system, which we intend to use in this thesis.

1.1.2 Model Checking

Model checking is a technique that relies on building a model of a system and checking that a desired property holds in that model by exploring the state space of that model. Model checking is mainly used in hardware and protocol verification. Temporal model checking is a technique developed in the 1980s by Clarke and Emerson [8] and by Queille and Sifakis [30]. In this approach, specifications are expressed in a temporal logic [29] and systems are modelled as finite state systems. An efficient search procedure is used to check if a given finite state transition system is a model for the specification.

The model checking technique described by Clarke [8] requires that the entire state transition graph be constructed. Thus, the space requirements are at least linear in the size of the model's reachable state space. However, the latter is often exponential in the number of state holding elements (e.g., latches) of a design. For instance, a device with only two 32-bit registers would already have 10^20 states [6]. An alternative to explicit enumeration is to use a symbolic representation.
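As an added illustration (not part of the thesis) of the symbolic alternative just mentioned, the following Python block is a minimal reduced ordered BDD package: a unique table gives the canonical form for a fixed variable order, so equivalence and tautology become node-id comparisons, existential quantification is two cofactors joined by OR, and a reachability fixpoint computes the reachable set of a small counter without enumerating its state graph. The 2-bit counter, its variable names and the invariant checked are assumptions made for the example.

```python
# Added example (not from the thesis): a minimal ROBDD with a unique table,
# plus symbolic reachability over a constructed 2-bit counter (an assumption).
FALSE, TRUE = 0, 1                      # terminal node ids
OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b, "xor": lambda a, b: a != b}

class BDD:
    def __init__(self, order):
        self.names = list(order)        # fixed variable order (canonicity depends on it)
        self.level = {v: i for i, v in enumerate(order)}
        n = len(order)                  # terminals carry level n, i.e. below every variable
        self.table = [(n, 0, 0), (n, 1, 1)]   # node id -> (level, low, high)
        self.unique = {}                # (level, low, high) -> id: the unique table
        self.memo = {}                  # apply cache

    def mk(self, lvl, low, high):       # reduced constructor: no redundant test, no duplicates
        if low == high:
            return low
        key = (lvl, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def var(self, name): return self.mk(self.level[name], FALSE, TRUE)
    def neg(self, f): return self.apply("xor", f, TRUE)

    def apply(self, op, f, g):
        """Shannon expansion on the topmost variable; memoised, O(|f|*|g|)."""
        key = (op, f, g)
        if key not in self.memo:
            if f <= TRUE and g <= TRUE:
                res = TRUE if OPS[op](f, g) else FALSE
            else:
                top = min(self.table[f][0], self.table[g][0])
                f0, f1 = self.table[f][1:] if self.table[f][0] == top else (f, f)
                g0, g1 = self.table[g][1:] if self.table[g][0] == top else (g, g)
                res = self.mk(top, self.apply(op, f0, g0), self.apply(op, f1, g1))
            self.memo[key] = res
        return self.memo[key]

    def restrict(self, f, name, value):
        """Cofactor: fix one variable to a constant."""
        lvl, low, high = self.table[f]
        if lvl > self.level[name]:      # variable absent from f (terminals included)
            return f
        if lvl == self.level[name]:
            return high if value else low
        return self.mk(lvl, self.restrict(low, name, value), self.restrict(high, name, value))

    def exists(self, f, name):          # existential quantification: f[x:=0] OR f[x:=1]
        return self.apply("or", self.restrict(f, name, 0), self.restrict(f, name, 1))

    def rename(self, f, mapping):
        """Rebuild f with variables renamed (via if-then-else), keeping the order."""
        if f <= TRUE:
            return f
        lvl, low, high = self.table[f]
        x = self.var(mapping.get(self.names[lvl], self.names[lvl]))
        t, e = self.rename(high, mapping), self.rename(low, mapping)
        return self.apply("or", self.apply("and", x, t), self.apply("and", self.neg(x), e))

    def evaluate(self, f, env):
        """Follow one root-to-terminal path: linear in the number of variables."""
        while f > TRUE:
            lvl, low, high = self.table[f]
            f = high if env[self.names[lvl]] else low
        return f == TRUE

    def reachable(self, init, trans, cur, nxt):
        # Least fixpoint R = I | image(R): whole sets of states per step, never the
        # explicit graph; canonicity makes the fixpoint test a node-id comparison.
        reached = init
        while True:
            img = self.apply("and", reached, trans)
            for v in cur:               # project away the current-state variables
                img = self.exists(img, v)
            img = self.rename(img, dict(zip(nxt, cur)))
            new = self.apply("or", reached, img)
            if new == reached:
                return reached
            reached = new

def counter_demo():
    """Constructed 2-bit counter 0 -> 1 -> 2 -> 0; state 3 only loops on itself."""
    bdd = BDD(["b1", "n1", "b0", "n0"])            # interleave current/next bits
    def minterm(assign):                           # conjunction of literals
        f = TRUE
        for name, val in assign.items():
            f = bdd.apply("and", f, bdd.var(name) if val else bdd.neg(bdd.var(name)))
        return f
    trans = FALSE
    for (b1, b0), (n1, n0) in [((0, 0), (0, 1)), ((0, 1), (1, 0)), ((1, 0), (0, 0)), ((1, 1), (1, 1))]:
        trans = bdd.apply("or", trans, minterm({"b1": b1, "b0": b0, "n1": n1, "n0": n0}))
    reach = bdd.reachable(minterm({"b1": 0, "b0": 0}), trans, ["b1", "b0"], ["n1", "n0"])
    bad = bdd.apply("and", bdd.var("b1"), bdd.var("b0"))     # safety: never reach state 3
    a, b = bdd.var("b1"), bdd.var("b0")                      # De Morgan: same function, same id
    states = [(x, y) for x in (0, 1) for y in (0, 1) if bdd.evaluate(reach, {"b1": x, "b0": y})]
    return {"reachable": states, "invariant_holds": bdd.apply("and", reach, bad) == FALSE,
            "canonical": bdd.neg(bdd.apply("and", a, b)) == bdd.apply("or", bdd.neg(a), bdd.neg(b))}
```

The same unique table is what makes the fixpoint test `new == reached` a constant-time identity check rather than a graph comparison.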

Binary Decision Diagrams

Binary decision diagrams (BDDs) are data structures for representing Boolean functions. Bryant [5] introduced the BDD in its current popular representation, although the general idea had been floating around for quite some time (e.g., as branching programs in the theoretical computer science literature).

BDDs have several useful properties. First, many common functions have small BDDs. In addition, BDDs are easy to manipulate. We can evaluate a function in time linear in the number of variables. We can existentially or universally quantify (Boolean) variables of a function in time quadratic in the size of the BDD. Finally, once we fix the order in which the variables appear, the BDD is a canonical representation for the Boolean function. Thus function comparison, including the special cases tautology and satisfiability, becomes trivially easy.

BDDs are a practically efficient representation of Boolean functions. Many variations of BDDs were proposed to avoid the state-explosion problem. Multiway Decision Graphs (MDG) [9] are a special kind of decision diagram that subsumes BDDs and extends them by canonically and compactly representing a subset of first-order functions.

Symbolic Model Checking

Symbolic model checking was initially explored by Coudert, Madre and Berthet [10], and independently by McMillan [24] and by Bose and Fisher [3]. The underlying idea common to these approaches is the use of symbolic Boolean representations for the sets of states and transition functions (or relations) of a sequential system, in order to avoid building its global state-transition graph explicitly. Efficient symbolic Boolean manipulation techniques are then used to evaluate the truth of temporal logic formulae with respect to those models. Symbolic representations (like BDDs) allow the regularity in the state space of some circuits (e.g., datapaths) to be captured succinctly, thus facilitating verification of much larger circuits compared to the explicit state enumeration techniques, as shown by Burch et al. [6].

1.2 Related Work

The quest for an efficient combination of theorem proving and model checking has long been one of the major challenges in the field of formal verification. The work described here has been strongly influenced by the HolBdd [13, 14] system developed by Gordon. HolBdd consists of a platform allowing the programming of Binary Decision Diagram (BDD) [5] based symbolic algorithms in the Hol98 proof assistant. It provides intimate combinations of deduction and algorithmic verification, using a small kernel of ML [17] functions to convert between BDDs, terms and theorems. This work was applied to perform reachability programming in Hol98.

A similar work was the pioneering work of Joyce and Seger [19] combining HOL and the symbolic trajectory evaluation (STE) tool VOSS. HOL-VOSS presents a mathematical link between the specification language of the VOSS system and the specification language of HOL. A tactic, VOSS_TAC, was implemented as a remote function. It calls the VOSS system as a child process of the HOL system to check whether an assertion, expressed as a term of higher-order logic, is true. If this is the case, the assertion is turned into a HOL theorem. The early experiment with HOL-VOSS suggested that a lighter theorem prover component was sufficient, since all that was needed was a way of combining results obtained from STE. A system based on this idea, called VossProver, was developed. As a continuation of HOL-VOSS, Aagaard et al. [1] developed the Voss-ThmTac system combining the ThmTac theorem prover with the VOSS system. Its power comes from the very tight integration of the two provers, using a single language, FL, as both the theorem prover's meta-language and its object language.

Rajan et al. [31] described an approach where a BDD based model checker for the propositional μ-calculus has been used as a decision procedure within the framework of the PVS [26] proof checker. They used the μ-calculus as a medium for communicating between PVS and the model checker. It was formalized by using the higher-order logic of PVS. The temporal operators are given the customary fixpoint definitions using the μ-calculus. These expressions were translated to the form required by the model checker. The latter was then used to verify the subgoals generated within PVS.

Hurd [18] used PROSPER [11] to combine the Gandalf first-order theorem prover with HOL. A HOL tactic, GANDALF_TAC, is used to enable first-order HOL goals to be proven by Gandalf and to mirror the resulting proofs in HOL. It takes the original goal, converts it to the appropriate format, and sends it to Gandalf. The proof returned by Gandalf is then parsed, translated to a HOL proof, and used to prove the original goal in HOL.

Schneider and Hoffmann [32] linked the SMV model checker [24] to HOL using PROSPER. They embedded the linear time temporal logic (LTL) in HOL and translated LTL formulae into equivalent ω-automata, a form that can be reasoned about within SMV. The translation is completely implemented by means of HOL rules. On successful model checking, the results are returned to HOL and turned into theorems. The deep embedding of the SMV specification language in HOL allows LTL specifications to be manipulated in HOL.

In [28], and later [21], a hybrid tool and a methodology tailored to perform hierarchical hardware verification have been developed by the Hardware Verification Group of Concordia University. They integrate the HOL theorem prover with the MDG equivalence checker. The work is done within the proof system but using the specification style of the automated verification tool. The HOL-MDG tool is used to verify that a structural specification of a hardware implementation implies its behavioral specification. They try to do the equivalence checking within the MDG tool by applying a HOL tactic, MDG_EQ_TAC. This latter mainly generates the required MDG files and ensures the interaction with the MDG equivalence checker. If the design is large enough to cause state explosion, and since the description model is written in a hierarchical way, a tactic HIER_VERIF_TAC is called to break the design into sub-blocks. The same procedure is recursively applied if necessary. At any point, the goal proof can be done in HOL.

An extension of the work above was done within the same group to link HOL and the MDG model checker [25]. The approach adopted is similar to [21]; however, instead of considering the full behavior of the system, only properties are checked, hence reducing the verification complexity. To do so, they provide a way to express temporal properties inside the theorem prover. Besides, they support the full input language of MDG by introducing abstract datatypes and uninterpreted functions. The verification is done using a HOL tactic called MDG_MC_TAC and also supports hierarchical verification and model reduction.

While [21, 25, 28] describe systems integrating two stand-alone tools, namely HOL and an external MDG tool, the work described here is not intended to use an external tool to verify subgoals. Instead, MDGs are a built-in datatype of HOL and operators over MDGs are available in the proof system, which allows us to tightly combine HOL deduction and MDG computations. Besides, state-exploration algorithms will be written inside HOL. Therefore, the main difference between our approach and the HOL-MDG tool is that our embedding provides a secure and general programming infrastructure that allows users to implement their own MDG-based verification algorithms inside the HOL system.

The work in [1, 18, 19, 32] uses the same approach as the HOL-MDG hybrid tool in the way it integrates the model checker with the theorem prover. The work in [31] uses the μ-calculus as a medium for communicating between the theorem prover and the model checker. It is a shallow embedding of the stand-alone tools' language, while ours is a deep embedding: the decision diagram data structure and its operators are embedded inside the theorem prover.

Obviously, the most closely related work to ours is that of Gordon [13, 14]. Our work, however, deals with embedding MDGs rather than BDDs. In fact, BDDs are widely used in state-exploration methods. However, they can only represent Boolean formulae. On the other hand, MDGs represent a subset of first-order terms, allowing the abstract representation of data and hence raising the level of abstraction.

1.3 Scope of the Thesis

In this thesis, we propose a platform of state-exploration algorithms, based on multiway decision graphs, inside a proof assistant, namely HOL. We propose to embed the logic underlying MDGs into HOL. The normal operations over HOL terms are interpreted as MDG operations. Compared to related research [13, 14], we raise the level of abstraction at which the problem is stated and explore state-exploration techniques at a higher abstraction level. Our embedding is based on the abstract description of state machines (ASM) [9], where a data value is represented by a single variable of abstract type, rather than by a vector of Boolean variables, and a data operation is represented by an uninterpreted or partially interpreted function symbol. The state explosion problem caused by descriptions of large datapaths at the Boolean logic level is then avoided.

To tightly integrate a platform of MDG based algorithms inside HOL, we propose to embed the MDG data structure as a built-in datatype of HOL. The logic underlying MDGs will be available in the HolMdgTheory. This theory provides the tools to specify the verification problem in the logic supported by the MDGs. The specification will consist of a set of HOL formulae that can be represented by their corresponding MDGs. Operations over these formulae will be viewed as MDG operations over their respective graphs. Hence, the lifted MDG package will be used to build the graph representation of a HOL formula and to allow the manipulation of graphs rather than HOL terms.

The MDG data structure and operators, once available inside the theorem prover, can be used to automate parts of the verification problem or even to write state enumeration algorithms like reachability analysis or model checking.

1.4 Contributions of the Thesis

The purpose of our work is to intimately combine the HOL proof system and implicit state exploration using MDGs. The main contributions we report in this thesis are:

1. The embedding of the formal logic underlying the abstract state machines inside HOL. This will be used to specify the verification problem as first-order formulae that can be represented by MDGs.

2. The introduction of the notion of well-formed terms in HOL. This is the subset of the terms that can be represented canonically by MDGs.

3. The development of a lifted version of the MDG package, based on an available version, allowing it to communicate interactively with HOL.

4. The development of an ML interface that is responsible for calling the lifted MDG package functions corresponding to the operations over HOL terms.

5. The implementation of some state-exploration applications inside HOL based on MDGs. We implemented the reachability analysis and used it for model checking and for the invariant checking procedure.

Page 26: CONCORDIAhvg.ece.concordia.ca/Publications/Thesis/Tarek-MaSc...e v ha shap ed the haracter c of y m re-h. searc I ould w e lik to thank the examination committee b memers for reviewing

1.5 Outline of the Thesis

The rest of this thesis is organized as follows:

In Chapter 2, we overview the basics of the HOL theorem prover. We also describe in more detail the class of Abstract State Machines (ASM) and decision diagrams (MDGs) that we are using.

In Chapter 3, we present the formal logic underlying MDGs and its embedding inside HOL. Well-formedness conditions will also be discussed.

In Chapter 4, the lifted version of the MDG package will be presented and the linking between HOL and MDG discussed. We will discuss how the MDG data structure and its basic operators are made available in HOL.

In Chapter 5, we show how our embedding can be used to implement state-exploration algorithms inside HOL. We illustrate this by implementing the reachability analysis inside HOL. This is then used for applications like model checking and invariant checking.

In Chapter 6, we consider the Island Tunnel Controller example as a case study for which we specified and verified a number of safety properties using the invariant checking procedure.

In Chapter 7, we conclude the thesis and outline future research directions.


Chapter 2

Preliminaries

In this chapter we will overview the HOL theorem prover as well as the Abstract State Machines (ASM) and the Multiway Decision Graphs (MDG). The descriptions of ASM and MDG are based on material in [9] and [35].

2.1 The HOL Theorem Prover

The HOL system [16] is a general purpose theorem prover based on higher-order logic. It supports both forward and goal-directed backward proofs in a natural-deduction-style calculus. The user interacts with HOL through the functional metalanguage ML. The system is guided by applying tactics to proof obligations. A tactic corresponds to a high-level proof step and automatically generates the sequence of elementary inferences necessary to justify the step.

A notable aspect of the system is that user-defined tactics cannot compromise the soundness of a proof because the basic inferences operate on proof states. The results are safe and the user can have great confidence since the most primitive rules are used to prove a theorem. The HOL system also has automatic recursive type definitions, structural induction tools and rewriting tools.

The set of types, type operators, constants, and axioms available in HOL are organized in the form of theories. There are two built-in primitive theories, bool and ind, for Booleans and individuals, respectively. Other important theories, which are arranged in a hierarchy, have been added to axiomatize lists, products, sums, numbers, primitive recursion, and arithmetic. On top of these, users are allowed to introduce application-dependent theories by adding relevant types, constants, axioms, and definitions.

Verification tasks in the HOL system can be set in a number of different ways. The most common one is to prove that an implementation, described structurally, implies or is equivalent to, a behavioral specification. Applications of the HOL system can be found in hardware verification, reasoning about security, verification of fault-tolerant systems, reasoning about real-time systems, etc. It is also used in compiler verification, program refinement calculus, software verification, modelling concurrency and automata theory. HOL allows the use of a hierarchical verification methodology wherein the modules are divided into sub-modules and even the sub-modules are divided until the lowest implementation level is reached. Each sub-module is verified, and its result is used to verify the other sub-modules as needed. To complete a verification, however, a very deep understanding of the internal structure of the design is required, as it is a white-box approach.

2.1.1 Types

A HOL type can be a variable, a constant, or a compound type, which is a constant of arity n applied to a list of n types.

    hol_type ::= 'ident                             (type variable)
               | bool                               (type of truth values)
               | ind                                (type of individuals)
               | hol_type -> hol_type               (function arrow)
               | ident                              (nullary type constant)
               | hol_type ident                     (unary compound type)
               | (hol_type, ..., hol_type) ident    (compound type)

Type constants are also known as type operators. They must be alphanumeric. Type variables are alphanumerics written with a leading prime ('). bool is the two element type of truth values. The binary operator fun is used to denote function types; it can be written with an infix arrow. The nullary type constant ind denotes an infinite set of individuals. Thus 'a -> 'b and (bool -> 'a) -> ind are both well-formed types. The function arrow is right associative.

Many formalizations require the definition of new types. In HOL, such types may be specified using the invocation:

    Hol_datatype `<spec>`

where <spec> should conform to the following grammar:

    spec    ::= [ <binding> ; ]* <binding>
    binding ::= <ident> = [ <clause> | ]* <clause>
              | <ident> = <| [ <ident> : <type> ; ]* <ident> : <type> |>
    clause  ::= <ident> | <ident> of [<type> => ]* <type>

For example, we can define a type of binary trees where the leaves are numbers as:

    Hol_datatype `tree = Leaf of num | Node of tree => tree`

2.1.2 Terms

Ultimately, a HOL term can only be a variable, a constant, an application, or a lambda term (to denote a function).

    term ::= ident            (variable or constant)
           | term term        (combination)
           | \ident. term     (lambda abstraction)

In the HOL system, the usual logical operators have already been defined, including truth (T), falsity (F), negation (~), equality (=), conjunction (/\), disjunction (\/), implication (==>), universal (!) and existential (?) quantification, and an indefinite description (choice) operator (@). Besides, the basis includes conditional, lambda, and "let" expressions. Thus the set of terms available is, in general, an extension of the following grammar:

    term ::= term : hol_type                          (type constraint)
           | term term                                (application)
           | ~term                                    (negation)
           | term = term                              (equality)
           | term ==> term                            (implication)
           | term \/ term                             (disjunction)
           | term /\ term                             (conjunction)
           | term => term | term                      (conditional)
           | \ident ... ident. term                   (lambda abstraction)
           | !ident ... ident. term                   (forall)
           | ?ident ... ident. term                   (exists)
           | @ident ... ident. term                   (choose)
           | ?!ident ... ident. term                  (exists-unique)
           | let ident = term [and ident = term]* in term   (let expression)
           | T                                        (truth)
           | F                                        (falsity)
           | ident                                    (constant or variable)
           | (term)                                   (parenthesized term)

Some HOL syntax examples may be found in Table 2.1. The lexical structure of term identifiers is much like that for ML: identifiers can be alphanumeric or symbolic. Variables must be alphanumeric. A symbolic identifier is any concatenation of the characters in the following list: "#?+*/\=<>&%@!,:;_~-" with the exception of the keywords "\", ";", "=>" and ":". Any alphanumeric can be a constant except the keywords "let", "in" and "of".

    x = T                                       x is equal to true.
    !x. Person x ==> Mortal x                   All persons are mortal.
    !x y z. (x==>y) /\ (y==>z) ==> x ==> z      Implication is transitive.
    !x. P x ==> Q x                             P is a subset of Q.

    Table 2.1: HOL Syntax Examples

2.2 Abstract State Machines

In this section, we present a theory of abstract description of state machines in a many-sorted first order logic with a distinction of abstract and concrete sorts.


The theory provides a foundation for automated state enumeration methods whose complexity is independent of the width of the datapath.

2.2.1 Formal Logic Syntax

The formal logic that we use is many-sorted first-order logic, with a distinction between abstract sorts and concrete sorts.

Concrete sorts have enumerations, while abstract sorts do not. An enumeration is a finite set of constants. A constant that appears in the enumeration is called an individual constant. Besides individual constants, the vocabulary consists of generic constants, variables and function symbols (also called operators). Generic constants and variables each have one sort. An individual constant, on the other hand, is treated as having multiple sorts, one for each enumeration of which it is a member. An n-ary function symbol (n > 0) has a type $\alpha_1 \times \dots \times \alpha_n \to \alpha_{n+1}$, where $\alpha_1 \dots \alpha_{n+1}$ are sorts. Generic constants can be viewed as 0-ary function symbols.

If X is a set (or "vector") of variables, we write $X_{con}$ and $X_{abs}$ to denote the sets of elements of X that are variables of concrete and abstract sort, respectively. The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let f be a function symbol of type $\alpha_1 \times \dots \times \alpha_n \to \alpha_{n+1}$. If $\alpha_{n+1}$ is an abstract sort then f is an abstract function symbol. Abstract function symbols are used to denote data operations and are uninterpreted. If all $\alpha_1 \dots \alpha_{n+1}$ are concrete, f is a concrete function symbol. Concrete function symbols, and concrete generic constants as a special case, can always be entirely interpreted and thus be eliminated; for simplicity, we assume that they are not used. Finally, if $\alpha_{n+1}$ is concrete while at least one of $\alpha_1 \dots \alpha_n$ is abstract, then we refer to f as a cross-operator.

Semantics

An interpretation $\psi$ is a mapping that assigns a denotation to each sort, constant and function symbol and satisfies the following conditions:

1. The denotation $\psi(\alpha)$ of an abstract sort $\alpha$ is a non-empty set.

2. If $\alpha$ is a concrete sort with enumeration $\{a_1, \dots, a_n\}$ then $\psi(\alpha) = \{\psi(a_1), \dots, \psi(a_n)\}$ and $\psi(a_i) \ne \psi(a_j)$ for $1 \le i < j \le n$.

3. If f is a function symbol of type $\alpha_1 \times \dots \times \alpha_n \to \alpha_{n+1}$, then $\psi(f)$ is a function from the Cartesian product $\psi(\alpha_1) \times \dots \times \psi(\alpha_n)$ into the set $\psi(\alpha_{n+1})$. In particular, if n = 0 (i.e., f is a generic constant of sort $\alpha_1$), $\psi(f) \in \psi(\alpha_1)$.

X being the set of variables, a variable assignment with domain X compatible with an interpretation $\psi$ is a function $\phi$ that maps every variable $x \in X$ of sort $\alpha$ to an element $\phi(x)$ of $\psi(\alpha)$. We write $\Phi^{\psi}_X$ for the set of $\psi$-compatible assignments to the variables in X. The denotation of a term and the truth or falsity of a formula under an interpretation $\psi$ and a $\psi$-compatible variable assignment $\phi$ are defined as usual.


We write $\psi, \phi \models P$ if a formula P denotes truth under an interpretation $\psi$ and a $\psi$-compatible variable assignment $\phi$ to the variables that occur free in P, and $\models P$ if this holds for all such $\psi, \phi$. Two formulae P and Q are logically equivalent iff $\models P \iff Q$.

2.2.2 Directed Formulae

Given two disjoint sets of variables U and V, a directed formula (DF) of type $U \to V$ is a formula in disjunctive normal form (DNF) such that

1. Each disjunct is a conjunction of equations of the form:
   - $A = a$, where A is a cross-term of concrete sort $\alpha$ containing no variables other than elements of U, and a is an individual constant in the enumeration of $\alpha$, or
   - $u = a$, where $u \in U$ is a variable of concrete sort $\alpha$ and a is an individual constant in the enumeration of $\alpha$, or
   - $v = a$, where $v \in V$ is a variable of concrete sort $\alpha$ and a is an individual constant in the enumeration of $\alpha$, or
   - $v = A$, where $v \in V$ is a variable of abstract sort $\alpha$ and A is a term of type $\alpha$ containing no variables other than elements of U;

2. In each disjunct, the left hand sides of the equations are pairwise distinct; and

3. Every variable $v \in V$ appears as the left hand side of an equation $v = A$ in each of the disjuncts.


Intuitively, in a DF of type $U \to V$, the U variables play the role of independent variables, the V variables play the role of dependent variables, and the disjuncts enumerate possible cases. In each disjunct, the equations of the form $u = A$ and $A = a$ specify a case in terms of the U variables, while the other equations specify the values of (some of the) V variables in that case. The cases need not be mutually exclusive, nor exhaustive. The condition that every abstract variable $v \in V$ must appear in every disjunct is less stringent than it seems. In practice, one can introduce an additional dependent variable u and add an equation $v = u$ to a disjunct where v is missing.

A DF is said to be concretely reduced iff every A in an equation $A = a$ is a cross-term, and every A in an equation $v = A$ is a concretely reduced term. It is easy to see that every DF is logically equivalent to a concretely reduced DF, given complete or partial specifications of the concrete function symbols and concrete generic constants; the reduction can be accomplished by case splitting.

We use DFs for two distinct purposes: to represent relations (transition and output relations) and to represent sets (sets of states as well as sets of input vectors and output vectors).

2.2.3 Abstract Description of State Machines

A state machine is described using a finite set X of input variables, a finite set Y of state variables, a finite set $Y'$ of next state variables, and a finite set Z of output variables, which are pairwise disjoint. An abstract description of the state machine, or an abstract state machine (ASM), is obtained by letting some data input, state or output variables be of an abstract sort.

The behavior of a state machine is defined by its transition and output relations, together with its set of initial states. Thus an abstract description of a state machine is a tuple $D = (X, Y, Z, Y', \eta, F_I, F_T, F_O)$ where:

1. X, Y, and Z are pairwise disjoint vectors of input, state and output variables. Note that Y and Z must be disjoint. To allow for observable state variables, i.e., state variables that are also output variables, we let X and Y be the sets of all input and state variables respectively, while Z comprises only the output variables other than the observable state variables; Z can be empty.

2. $Y'$ is the set of next-state variables, disjoint from $X \cup Y \cup Z$, and $\eta$ is the function that maps each state variable to the corresponding next-state variable. We usually obtain each next-state variable by priming the corresponding state variable.

3. $F_I$ is a DF of type $U_0 \to Y$, where $U_0$ is a set of abstract variables disjoint from $X \cup Y \cup Y' \cup Z$. $F_I$ is the abstract description of the set of initial states.

4. $F_T$ is a DF of type $(X \cup Y) \to Y'$. $F_T$ is the abstract description of the transition relation.

5. $F_O$ is a DF of type $(X \cup Y) \to Z$. $F_O$ is the abstract description of the output relation.

2.2.4 Example

We use the traditional version of the Greatest Common Divisor (GCD) benchmark. This version computes the greatest common divisor of two positive numbers $p_1$ and $p_2$ by repeated subtraction.

[Figure 2.1: The GCD State Machine. Control states $y_0 = 0$ and $y_0 = 1$, with the transition labels: if ($x_0 = 0$) then $y_1' \leftarrow y_1$, $y_2' \leftarrow y_2$; if ($x_0 = 1$) then $y_1' \leftarrow x_1$, $y_2' \leftarrow x_2$; if ($y_2 < y_1$) then $y_1' \leftarrow y_1 - y_2$, $y_2' \leftarrow y_2$; if ($y_1 < y_2$) then $y_2' \leftarrow y_2 - y_1$, $y_1' \leftarrow y_1$; if ($y_1 = y_2$) then $y_1' \leftarrow y_1$, $y_2' \leftarrow y_2$.]

The state machine initializes two variables $y_1$ and $y_2$ with values $p_1$ and $p_2$, then repeatedly assigns to the variable with the highest value the difference of the two values, until the two values are the same. When done, the value stored in the two variables is the greatest common divisor. Besides the two data state variables $y_1$ and $y_2$, there is a control state variable $y_0$ which determines two control states $y_0 = 0$ and $y_0 = 1$. When $y_0 = 0$, the machine waits for the two values $p_1$ and $p_2$ to be presented at two data inputs $x_1$ and $x_2$, an event which is indicated by the control input $x_0$ taking the value 1. Then $p_1$ and $p_2$ are loaded into $y_1$ and $y_2$, and the machine goes to the control state $y_0 = 1$ where it loops until the result has been computed. There is only one output: a data output $z_0$ that takes the value 0 while the result is not ready, and produces the greatest common divisor when it has been computed. The graphical representation of the GCD state machine is depicted in Figure 2.1, where the circles correspond to the values of the control state variable $y_0$ and the arrows correspond to the control transitions of the machine. The transition labels specify the conditions under which each transition is taken and an assignment of values to the abstract next state variables $y_1'$ and $y_2'$.

To obtain an abstract description of this state machine, we use a concrete sort bool with enumeration $\{0, 1\}$ and an abstract sort num intended to denote the set of n-bit numbers. The input variable $x_0$ and the state variable $y_0$, which are control variables, are of sort bool. On the other hand, the input variables $x_1$ and $x_2$, the state variables $y_1$ and $y_2$, and the output variable $z_0$, which are data variables, are of abstract sort num. We also use three next-state variables, $y_0'$ of sort bool, and $y_1'$ and $y_2'$ of sort num.

To denote the subtraction, a datapath operation, we define an abstract function symbol sub of type $\mathit{num} \times \mathit{num} \to \mathit{num}$. The function symbol sub is uninterpreted, which means that we do not have to describe the details of the subtraction operation. However, two pieces of information are needed: whether $y_1 = y_2$, to terminate the loop, and whether $y_1 < y_2$, to decide which subtraction to make and which value to replace. This feedback from the datapath is modelled using two function symbols eq and lt of type $\mathit{num} \times \mathit{num} \to \mathit{bool}$. Thus the transition relation of the state machine can be described by the following formula:

$$
\begin{array}{l}
((y_0 = 0) \wedge (x_0 = 0) \wedge (y_0' = 0) \wedge (y_1' = y_1) \wedge (y_2' = y_2)) \\
\vee\ ((y_0 = 0) \wedge (x_0 = 1) \wedge (y_0' = 1) \wedge (y_1' = x_1) \wedge (y_2' = x_2)) \\
\vee\ ((y_0 = 1) \wedge (\mathit{eq}(y_1, y_2) = 0) \wedge (\mathit{lt}(y_1, y_2) = 0) \wedge (y_0' = 1) \wedge (y_1' = \mathit{sub}(y_1, y_2)) \wedge (y_2' = y_2)) \\
\vee\ ((y_0 = 1) \wedge (\mathit{eq}(y_1, y_2) = 0) \wedge (\mathit{lt}(y_1, y_2) = 1) \wedge (y_0' = 1) \wedge (y_1' = y_1) \wedge (y_2' = \mathit{sub}(y_1, y_2))) \\
\vee\ ((y_0 = 1) \wedge (\mathit{eq}(y_1, y_2) = 1) \wedge (y_0' = 0) \wedge (y_1' = y_1) \wedge (y_2' = y_2))
\end{array}
\qquad (2.1)
$$
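The transition relation (2.1) in executable form, as an added Python example (not code from the thesis): the five disjuncts are written as a directed formula of type $(X \cup Y) \to Y'$ and checked against conditions 2 and 3 of Section 2.2.2; NextStates is the explicit-state counterpart of the relational product (conjoin, quantify out $X \cup Y$, rename $Y'$ back to Y), FrontierSet is a set difference, and the loop is the ReAn procedure that Section 2.3.4 presents in pseudo-code, with an invariant C over the observable state variables. Assumed: the abstract sort num is instantiated to {1, ..., MAXN} so that it can be enumerated; sub, eq and lt receive their arithmetic meaning, with the operand order of each subtraction taken from Figure 2.1; the output relation and the condition C are constructed for the example. A second, deliberately faulty datapath shows ReAn reporting failure together with the first offending state.

```python
# Added example: the GCD transition relation (2.1) as a DF, checked and
# explored with an explicit-state ReAn loop. Not code from the thesis.
from itertools import product

MAXN = 6                                  # constructed bound for the sort num
NUM = range(1, MAXN + 1)
V = ("y0'", "y1'", "y2'")                 # next-state variables Y' = eta(Y)

# Cross-terms feeding back from the datapath, as functions of an assignment.
CROSS = {"eq(y1,y2)": lambda a: int(a["y1"] == a["y2"]),
         "lt(y1,y2)": lambda a: int(a["y1"] < a["y2"])}

# Each disjunct of (2.1) is a list of (lhs, rhs) equations: an lhs is a
# variable or a cross-term name, an rhs an individual constant (int), a
# variable (str) or an abstract term given as a function. (2.1) writes the
# uninterpreted sub(y1, y2) in both loop cases; Figure 2.1 fixes which
# operand is subtracted, and that is what the two functions compute.
FT = [
    [("y0", 0), ("x0", 0), ("y0'", 0), ("y1'", "y1"), ("y2'", "y2")],
    [("y0", 0), ("x0", 1), ("y0'", 1), ("y1'", "x1"), ("y2'", "x2")],
    [("y0", 1), ("eq(y1,y2)", 0), ("lt(y1,y2)", 0), ("y0'", 1),
     ("y1'", lambda a: a["y1"] - a["y2"]), ("y2'", "y2")],
    [("y0", 1), ("eq(y1,y2)", 0), ("lt(y1,y2)", 1), ("y0'", 1),
     ("y1'", "y1"), ("y2'", lambda a: a["y2"] - a["y1"])],
    [("y0", 1), ("eq(y1,y2)", 1), ("y0'", 0), ("y1'", "y1"), ("y2'", "y2")],
]

def check_df(df, v_vars):
    """DF conditions 2 and 3: pairwise distinct left hand sides in every
    disjunct, and every dependent variable assigned in every disjunct."""
    for d in df:
        lhs = [l for l, _ in d]
        if len(lhs) != len(set(lhs)) or not set(v_vars) <= set(lhs):
            return False
    return True

def rhs_value(r, a):
    return r(a) if callable(r) else (a[r] if isinstance(r, str) else r)

def lhs_value(l, a):
    return CROSS[l](a) if l in CROSS else a[l]

def next_states(q, df):
    """NextStates(I, Q, FT): image of Q under FT over all input vectors,
    with Y' renamed back to Y (the explicit-state reading of RelP)."""
    out = set()
    for (y0, y1, y2) in q:
        for x0, x1, x2 in product((0, 1), NUM, NUM):
            a = {"x0": x0, "x1": x1, "x2": x2, "y0": y0, "y1": y1, "y2": y2}
            for d in df:
                if all(lhs_value(l, a) == rhs_value(r, a) for l, r in d if l not in V):
                    nxt = {l: rhs_value(r, a) for l, r in d if l in V}
                    out.add((nxt["y0'"], nxt["y1'"], nxt["y2'"]))
    return out

def outputs(q):
    """Outputs(I, Q, FO) with the state variables observable. Assumed output
    relation: z0 = y1 once the loop has terminated (y0 = 1, y1 = y2), else 0."""
    return {(y0, y1, y2, y1 if (y0 == 1 and y1 == y2) else 0) for (y0, y1, y2) in q}

def invariant(o):
    """Condition C (constructed): datapath values never leave the sort num."""
    return all(y1 in NUM and y2 in NUM and (z == 0 or z in NUM) for (_, y1, y2, z) in o)

def rean(ft, cond=invariant):
    """ReAn(D, C) of Section 2.3.4 with explicit state sets in place of MDGs."""
    fi = {(0, a, b) for a in NUM for b in NUM}     # FI: y0 = 0, y1 and y2 abstract
    r, q, k = set(fi), set(fi), 0
    while True:
        k += 1
        o = outputs(q)
        if not cond(o):                            # Subset(O, C) fails: counterexample
            return ("failure", k, min(x for x in o if not cond({x})))
        n = next_states(q, ft)
        q = n - r                                  # FrontierSet(N, R)
        if not q:
            return ("success", k, len(r))
        r |= q                                     # Union(R, Q)

# Constructed faulty datapath: the third case subtracts in the wrong direction.
FT_FAULTY = [list(d) for d in FT]
FT_FAULTY[2] = [("y0", 1), ("eq(y1,y2)", 0), ("lt(y1,y2)", 0), ("y0'", 1),
                ("y1'", lambda a: a["y2"] - a["y1"]), ("y2'", "y2")]

if __name__ == "__main__":
    print(check_df(FT, V), rean(FT), rean(FT_FAULTY))
```

With the correct datapath, rean(FT) saturates after two iterations on 72 reachable states and succeeds; rean(FT_FAULTY) stops at the third iteration on the first state in which $y_1$ has left the sort num, which is the role of the counterexample facility mentioned in Section 2.3.4.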

2.3 Multiway Decision Graphs

2.3.1 From BDDs to MDGs

Binary Decision Diagrams are used to represent, canonically, Boolean functions. Consider a BDD G with a root node labelled x and subgraphs $G'$ and $G''$. If $G'$ and $G''$ represent the formulae $P'$ and $P''$, respectively, then G is viewed as representing the formula P:

$$((\neg x) \wedge P') \vee (x \wedge P'') \qquad (2.2)$$

However, it can also be viewed as representing the formula

$$((x = 0) \wedge P') \vee ((x = 1) \wedge P'') \qquad (2.3)$$

This suggests a generalization of the notion of decision graph: there is no need for x to only range over the set $\{0, 1\}$. Furthermore, there is no need for the labels of the edges to exhaustively denote all the possible values of x. For example, x could range over {blue, green, yellow, red}, and there could be, say, only three edges issuing from the root, as in the following graph:

[Graph: a root node labelled x with three edges labelled blue, green and red leading to the subgraphs G, $G'$ and $G''$, respectively.]

If G, $G'$, and $G''$ represent the formulae P, $P'$, and $P''$, respectively, then this graph could represent the formula

$$((x = \mathit{blue}) \wedge P) \vee ((x = \mathit{green}) \wedge P') \vee ((x = \mathit{red}) \wedge P''). \qquad (2.4)$$

When x denotes yellow, this formula is simply a false sentence. Finally there is no need for the edges to be mutually exclusive.

It is then possible to let nodes range over abstract sorts for which there is no enumerable set of edges, and to use non-mutually-exclusive first-order terms as edge labels. For example, if x, u, and v are variables of abstract sort $\alpha$, f is a function symbol of type $\alpha \to \alpha$, and G, $G'$, and $G''$ represent P, $P'$, and $P''$, respectively, then the graph

[Graph: a root node labelled x with three edges labelled u, v and f(u) leading to the subgraphs G, $G'$ and $G''$, respectively.]

represents the formula

$$((x = u) \wedge P) \vee ((x = v) \wedge P') \vee ((x = f(u)) \wedge P''). \qquad (2.5)$$

The above observations lead to the following preliminary definition:


Definition 1 A Multiway Decision Graph (MDG) is a finite directed acyclic graph G where the leaf nodes are labelled by formulae, the internal nodes are labelled by terms, and the edges issuing from an internal node N are labelled by terms of the same sort as the label of N. Such a graph represents a formula defined inductively as follows: (i) if G consists of a single node labelled by a formula P, then G represents P; (ii) if G has a root node labelled A with edges labelled $B_1, \dots, B_n$ leading to subgraphs $G'_1, \dots, G'_n$ and if each $G'_i$ represents a formula $P_i$ then G represents the formula $\bigvee_{1 \le i \le n} ((A = B_i) \wedge P_i)$.

Definition 1 is of course too general; a set of well-formedness conditions turns MDGs into canonical representations that can be manipulated by efficient algorithms.

2.3.2 Well-formedness Conditions

We first define the class of concretely reduced terms inductively as comprising: the individual constants, the abstract generic constants, the abstract variables and the terms of the form "$f(A_1, \dots, A_n)$" where f is an abstract function symbol and $A_1 \dots A_n$ are concretely reduced terms. Thus the concretely reduced terms are those that have no concrete sub-terms other than individual constants, and the only concrete terms that are concretely reduced are the individual constants. A term of the form "$f(A_1, \dots, A_n)$" where f is a cross-operator and $A_1 \dots A_n$ are concretely-reduced terms, is a cross-term. Note that no concrete variables can occur in a concretely-reduced term or in a cross-term.
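The preliminary notion of Definition 1 as an added Python example (not code from the thesis): a small MDG structure, the formula it represents built inductively by clauses (i) and (ii), and the truth of that formula under an interpretation and a variable assignment in the sense of Section 2.2.1. The two sample graphs are the colour graph of formula (2.4) and the abstract-sort graph of formula (2.5); the interpretation of the abstract sort as the integers, of f as the successor function, and the fixed truth values given to the leaf formulae P, P' and P'' are assumptions of the example.

```python
# Added example: Definition 1 in Python (not code from the thesis).
from dataclasses import dataclass

@dataclass(frozen=True)
class Leaf:
    formula: str            # a leaf is labelled by a formula: "T", "F" or a name

@dataclass(frozen=True)
class Node:
    label: object           # term labelling the internal node (here a variable)
    edges: tuple            # ((edge term, subgraph), ...), same sort as the label

def show(term):
    """Render a term: a str is a variable or constant, a tuple ('f', A1, ...) an application."""
    if isinstance(term, tuple):
        return f"{term[0]}({', '.join(show(a) for a in term[1:])})"
    return str(term)

def represents(g):
    """Clause (i): a single node represents its formula. Clause (ii): a root
    labelled A with edges B1..Bn to G1..Gn represents OR_i ((A = Bi) /\\ Pi)."""
    if isinstance(g, Leaf):
        return g.formula
    return " \\/ ".join(f"(({show(g.label)} = {show(b)}) /\\ {represents(sub)})"
                        for b, sub in g.edges)

def denote(term, interp, assign):
    """Denotation of a term under interpretation psi (interp) and assignment phi (assign)."""
    if isinstance(term, tuple):
        f, *args = term
        return interp[f](*(denote(a, interp, assign) for a in args))
    if term in assign:
        return assign[term]     # variable
    return interp[term]         # individual or generic constant

def holds(g, interp, assign):
    """Truth of the represented formula: some edge term denotes the same element
    as the node label and the subgraph it leads to holds. Edges need not be
    exclusive nor exhaustive: with no matching edge the formula is false."""
    if isinstance(g, Leaf):
        if g.formula in ("T", "F"):
            return g.formula == "T"
        return interp[g.formula](assign)
    a = denote(g.label, interp, assign)
    return any(denote(b, interp, assign) == a and holds(sub, interp, assign)
               for b, sub in g.edges)

# Graph of formula (2.4): x over the concrete sort {blue, green, yellow, red}.
G24 = Node("x", (("blue", Leaf("P")), ("green", Leaf("P'")), ("red", Leaf("P''"))))
# Graph of formula (2.5): x, u, v of abstract sort alpha and f : alpha -> alpha.
G25 = Node("x", (("u", Leaf("P")), ("v", Leaf("P'")), (("f", "u"), Leaf("P''"))))

# Constructed interpretation: individual constants denote themselves (pairwise
# distinct, as condition 2 on interpretations requires), alpha is the integers,
# f is the successor, and the leaf formulae get fixed truth values.
INTERP = {"blue": "blue", "green": "green", "yellow": "yellow", "red": "red",
          "f": lambda n: n + 1,
          "P": lambda phi: True, "P'": lambda phi: False, "P''": lambda phi: True}

def demo():
    return {
        "formula_2_4": represents(G24),
        "x_is_yellow": holds(G24, INTERP, {"x": "yellow"}),            # no edge: false
        "x_is_blue": holds(G24, INTERP, {"x": "blue"}),
        "x_is_f_of_u": holds(G25, INTERP, {"x": 3, "u": 2, "v": 5}),   # x = f(u) = 3
        "x_is_v": holds(G25, INTERP, {"x": 5, "u": 2, "v": 5}),        # P' is false
    }
```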


For BDDs to be canonical, certain conditions must hold. They have to be reduced and ordered. Similarly, MDGs require certain well-formedness conditions.

Definition 2 An MDG G is said to be well-formed iff it satisfies the following six conditions.

1. Kinds of nodes. An internal node must be labelled by a variable of abstract sort, with edges issuing from the node labelled by concretely-reduced terms of that same sort; or by a variable of concrete sort, with edges labelled by individual constants in the enumeration of that sort; or by a cross-term, with edges labelled by individual constants in the enumeration of the sort of the cross-term. A leaf node must be labelled by T (true), except in the case where the graph has only one node labelled F (false).

Note that the conditions about concretely reduced terms and cross-terms are only syntactical restrictions, since it is possible to meet these restrictions using case splitting. We refer to an occurrence of a variable in a term that labels an edge or in a cross-term that labels a node as a secondary occurrence, while an occurrence of a variable as the label of a node is a primary occurrence. Neither the edge labels, which are concretely reduced terms, nor the cross-terms, contain concrete variables. Hence only abstract variables can have secondary occurrences. The primary variables (resp. secondary variables) of a graph G are those that have primary (resp. secondary) occurrences in G.

2. Ordering. The labels of the edges issuing from a given node must appear in a standard term order, without repetitions. Along each path, the variables and the cross-operators of the cross-terms that label the nodes must appear in a custom symbol order, and cross-terms with the same cross-operator must appear in the standard term order; there must be no repeated labels.

The custom symbol order is a generalization (to include cross-operators) of the variable ordering used for BDDs, and plays the same role. It involves the cross-operators and those variables that may appear as node labels. It is chosen carefully for each particular application so as to keep the MDGs of manageable size if possible. The standard term ordering, on the other hand, is chosen arbitrarily once and for all; it need not be compatible with the custom symbol order. From these two orderings we define a node-label ordering among the variables and cross-terms as follows: A comes before B iff the top symbol of A comes before the top symbol of B, or A and B are cross-terms with the same cross-operator and A comes before B in the standard term order. Condition 2 states that node labels must appear in node-label order along each path.

3. Minimality. There must be no distinct isomorphic subgraphs, and no redundant nodes.

In an MDG, a redundant node is a node labelled by a concrete variable or cross-term of sort $\alpha$, with edges labelled by all the individual constants in the enumeration of $\alpha$, all leading to the same subgraph.

4. No variable should have both primary and secondary occurrences in the same graph.

5. The set of abstract variables having primary occurrences along a path is the same for all paths in a given graph.

6. If a node N is labelled by an abstract variable x, and an abstract variable y participating in the custom symbol order occurs in a term A that labels one of the edges that issue from N, then y must come before x in the custom symbol order. Similarly, if N is labelled by a cross-term A with cross-operator f, and y is an abstract variable that occurs in A, then y must come before f in the custom symbol order.

Figure 2.2 shows the MDG representations for the DFs describing the transition relations of the GCD state machine. From now on, unless otherwise stated, we shall not make the distinction between an MDG and the DF that it represents.

2.3.3 MDG Basic Operators

BDD operations can be manipulated using a single generic algorithm Apply [4]. This is because the two edges that issue from a BDD node span the range of values $\{0, 1\}$ and this makes it possible to reason by cases. For MDGs, a single algorithm must be provided for each operation.


[Figure 2.2: Transition Relations (MDGs) of the GCD State Machine. Three MDGs, one per next-state variable $y_0'$, $y_1'$ and $y_2'$. Each tests $y_0$, then $x_0$ or the cross-terms $\mathit{eq}(y_1, y_2)$ and $\mathit{lt}(y_1, y_2)$ with edges labelled 0 and 1, and reaches a node labelled by the next-state variable whose edge (0 or 1 for $y_0'$; $\mathit{sub}(y_1, y_2)$, $y_1$ or $x_1$ for $y_1'$; $\mathit{sub}(y_1, y_2)$, $y_2$ or $x_2$ for $y_2'$) leads to T.]

Disjunction

$R = \mathit{Disj}(\{P_i\}_{1 \le i \le n})$

Argument: A set $S = \{P_i\}_{1 \le i \le n}$ of MDGs $P_i$. Each $P_i$ other than T or F is an MDG of type $U_i \to Y$. (Note that all the $P_i$ have the same set of primary abstract variables.)

Result: An MDG R that can be F, T, or an MDG of type $V \to Y$, where V is the union of the sets of variables $U_i$, such that:

$$\models R \iff \bigvee_{1 \le i \le n} P_i$$

Relational Product

The relational product operation is used for image computation. It takes the conjunction of a collection of MDGs $P_i$, having pairwise disjoint sets of abstract primary variables, and existentially quantifies with respect to the variables in a set E, either abstract or concrete, that have primary occurrences in at least one of the graphs. In addition, it can rename some of the remaining primary variables according to the renaming substitution $\eta$.

$R = \mathit{RelP}(\{P_i\}_{1 \le i \le n}, V, \eta)$

Arguments: A set $S = \{P_i\}_{1 \le i \le n}$, $n \ge 0$, of MDGs $P_i$, each being either T, or F, or of type $X_i \to Y_i$, a set of variables V and a renaming substitution $\eta$.

Result: An MDG R that can be F, T, or an MDG of type $(X \setminus Y) \to ((Y \setminus V) \cdot \eta)$ such that

$$\models R \cdot \eta^{-1} \iff (\exists V)\Big(\bigwedge_{1 \le i \le n} P_i\Big).$$

Pruning By Subsumption

The pruning by subsumption operation is used to approximate the set difference operation. Informally, it removes all the paths of a graph P from another graph Q.

$P' = \mathit{PbyS}(P, Q)$

Arguments: Two MDGs P and Q of type $V \to Y$, where V contains only abstract variables that do not participate in the custom symbol ordering; P and Q can both be T or F.

Result: An MDG $P'$, derivable from P by pruning, such that:

$$\models P \vee (\exists V) Q \iff P' \vee (\exists V) Q$$

Since $P'$ is derivable from P by pruning, it is, like P, of type $V \to Y$. Moreover, if P is of type $V \to Y_1$, $Y_1 \subseteq Y$, then $P'$ is also of type $V \to Y$ when it is not F.


2.3.4 MDG Rea hability AnalysisWe show here how the analysis of the rea hable states of a state ma hine an beperformed using MDGs. The main appli ation is the invariant he king, whi h on-sists of verifying that the outputs of the ma hine satisfy a ondition C in all therea hable states. Let D = (X; Y; Z; Y 0; �; FI; FT ; FO) be an abstra t des ription of astate ma hine using MDGs. The following pseudo- ode provides an overview of therea hability analysis algorithm ReAn.ReAn(D,C)R := FI ; Q := FI ; K :=0;loopK := K +1;I := NewInputs(K);O := Outputs(I,Q,FO);if not Subset(O,C) then return failure;N := NextStates(I,Q,FT );Q := FrontierSet(N ,R);if Empty(Q) then return su ess;R := Union(R,Q);end loop;end ReAn;The pro edure NewInputs produ es an MDG representing the set of inputve tors whi h depends on the iteration number. The pro edure Outputs omputesan MDG representing the set of output ve tors that is used to he k whether the35

Page 48: CONCORDIAhvg.ece.concordia.ca/Publications/Thesis/Tarek-MaSc...e v ha shap ed the haracter c of y m re-h. searc I ould w e lik to thank the examination committee b memers for reviewing

outputs satisfy the invariant. If this is the ase, the veri� ation algorithm ontinues.Otherwise it stops and reports failure. At the same time, a ounterexample fa ilityis initiated. The pro edure NextState omputes an MDG representing the set ofstates rea hable in one transition of the state ma hine from the previously rea hedstates. The pro edure FrontierSet omputes the set of newly rea hed stated. If thisset is empty this means that all rea hable states are already tested for the invariantand then the veri� ation su eeds. Otherwise, the algorithm ontinues.2.4 The MDG Pa kageIn this se tion, we brie y present the MDG pa kage [34℄ providing fun tions toassemble graphs and manipulate them. It was used for various MDG appli ationslike the MDG model he ker [33℄.2.4.1 Graph Stru tureThe nodes of a graph are either internal nodes or leaves.� Leaves: for well-formed MDGs, leaves are represented by T (True) or F (False).An MDG ontains only one leaf labelled T ex ept when the MDG is equal tothe leaf node F .� Internal nodes: an internal node is represented by the following stru ture:graph(TopSymbolOrder, NodeKind, NodeLabel, Id, Edges, SubGraphs, Se Vars).36


[Figure 2.3: Example of the MDG Representation. The root node x has the edges 0 and 1, each leading to a node y; the y node under edge 0 has a single edge 0, the one under edge 1 a single edge 1, both leading to the leaf T.]

where TopSymbolOrder is the custom order number for the top symbol of the node label. NodeKind specifies whether the node is a concrete variable, a cross-term or an abstract variable; its argument Sort is the sort of the node (for example con_var(bool)). NodeLabel is the term which is the label of the node. Id is the unique identifier of the graph. Edges and SubGraphs are two lists representing the root edges and the immediate sub-graphs, respectively. Finally, SecVars is a sorted list that contains all the secondary variables in the graph. The internal representation of the example MDG given in Figure 2.3 is implemented as follows:

graph(1, con_var(bool), x, 1, [0, 1],
      [ graph(2, con_var(bool), y, 2, [0], [t], []),
        graph(2, con_var(bool), y, 3, [1], [t], []) ],
      []).

2.4.2 Assembling Graphs

Given the root information, the root edges and the immediate subgraphs, the function assemble is used to build a graph R. It first checks whether the result graph already exists


by looking up the reduction table. If so, R points to that graph (thus achieving graph sharing). Otherwise, a new graph structure is created and entered in the graph array. The function assemble is invoked as follows:

assemble(RootInfo, Edges, SubGs, Method, R, G1, E1, G, E).

where RootInfo contains the order, kind and label of the root; Edges are the root edges, which must be of the same sort as the root; and SubGs are the immediate subgraphs. Method specifies the way secondary variables are computed and R is the result graph. G1 and E1 are the current graph and term arrays, and G and E are the updated arrays.

The secondary variables are computed either by searching the graph or simply by taking the ordered union of the sets of secondary variables of the immediate subgraphs. To construct the example graph in Figure 2.3, assuming that the orders of x and y are 1 and 2, respectively, we use the function assemble as follows (the result graph is returned in R):

assemble(rootinfo(1, con_var(bool), x), [0, 1],
         [ graph(2, con_var(bool), y, 4, [0], [t], []),
           graph(2, con_var(bool), y, 5, [1], [t], []) ],
         noop, R, G1, E1, G, E).

2.4.3 Manipulating Graphs

In this section we overview the basic MDG operators provided by the package to manipulate MDGs. In the following, G1 and E1 are the graph and term arrays before applying the operators, and G and E are the graph and term arrays after.


Disjunction
Mode: disj(Ps, Q, G1, E1, G, E).
Arguments: Ps is a list of MDGs. Q is the result MDG.
Function: Q is the disjunction of Ps.

Relational Product
Mode: relp(Ps, Us, Ren, Q, G1, E1, G, E).
Arguments: Ps is a list of MDGs, Us is an ordered list of symbol orders, Ren is the renaming substitution. Q is the result MDG.
Function: Q is the conjunction of Ps with existential quantification of the variables in Us; if a node label is an argument of the renaming substitution, it is replaced by the new label.

Pruning by Subsumption
Mode: pbys(P, Q, R, G1, E1, G, E).
Arguments: P is the graph to be pruned by Q. R is the result graph.
Function: R is obtained by removing the paths in P which are subsumed by Q.

More operators are presented in the Developer's Manual of the MDG package [34].
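The three operators above, modelled in Python as an added example; this is not code from the MDG package, whose implementation is in Prolog. An MDG is represented semantically as a set of paths, each path a frozenset of (variable, value) equations, so that disj is set union, relp is conjunction followed by dropping the quantified variables and renaming the surviving labels, and pbys removes every path of P that contains some path of Q. Only concrete (enumerated) values are modelled; the abstract-variable cases of subsumption are assumed away, and the one-bit toggle machine at the end is constructed sample data.

```python
"""Set-based model of the MDG operators disj, relp and pbys (added example,
not the MDG package's code). An MDG is a frozenset of paths; a path is a
frozenset of (variable, value) equations, i.e. one conjunction of a
directed formula. Only concrete values are modelled (assumption)."""
from itertools import product

Path = frozenset      # one conjunction of equations: {(var, value), ...}
Mdg = frozenset       # a disjunction of paths
T = Mdg({Path()})     # the graph T: one empty path, always satisfied
F = Mdg()             # the graph F: no path at all


def mdg(*paths):
    """Build an MDG from dicts, e.g. mdg({'s': 0, 'i': 1})."""
    return Mdg(Path(p.items()) for p in paths)


def consistent(path):
    """A path is contradictory if it equates one variable to two values."""
    seen = {}
    for var, val in path:
        if seen.setdefault(var, val) != val:
            return False
    return True


def conj(*ps):
    """Conjunction: merge one path from each operand, drop contradictions."""
    result = set()
    for combo in product(*ps):
        merged = Path().union(*combo)
        if consistent(merged):
            result.add(merged)
    return Mdg(result)


def disj(*ps):
    """Disjunction: the union of the paths (disj(Ps, Q, ...) in the package)."""
    return Mdg().union(*ps)


def relp(ps, us, ren):
    """Relational product relp(Ps, Us, Ren, Q, ...): conjunction of Ps,
    existential quantification of the variables in Us (their equations are
    dropped from every path), then renaming of the remaining labels
    according to the substitution Ren (old label -> new label)."""
    quantified = set()
    for path in conj(*ps):
        kept = Path((ren.get(v, v), val) for v, val in path if v not in us)
        quantified.add(kept)
    return Mdg(quantified)


def subsumed(path, by):
    """`path` is subsumed by `by` when every equation of `by` holds on it."""
    return by <= path


def pbys(p, q):
    """Pruning by subsumption pbys(P, Q, R, ...): remove from P every path
    that some path of Q subsumes."""
    return Mdg(a for a in p if not any(subsumed(a, b) for b in q))


# Constructed sample data: a one-bit toggle, s' = s XOR i (state s, input i).
TOGGLE = mdg({'s': 0, 'i': 0, "s'": 0}, {'s': 0, 'i': 1, "s'": 1},
             {'s': 1, 'i': 0, "s'": 1}, {'s': 1, 'i': 1, "s'": 0})
INPUTS = mdg({'i': 0}, {'i': 1})      # both input values are allowed
INIT = mdg({'s': 0})


def next_states(current):
    """One transition: quantify s and i away, rename s' back to s."""
    return relp([INPUTS, current, TOGGLE], us={'s', 'i'}, ren={"s'": 's'})


def frontier(new, seen):
    """The newly reached paths: prune `new` by the already visited `seen`."""
    return pbys(new, seen)


if __name__ == "__main__":
    nxt = next_states(INIT)
    print(sorted(sorted(p) for p in nxt))                  # [[('s', 0)], [('s', 1)]]
    print(sorted(sorted(p) for p in frontier(nxt, INIT)))  # [[('s', 1)]]
```

Running the file computes the next states of the toggle from s = 0 and the frontier with respect to the initial state. With Us quantifying the current state and input variables and Ren mapping s' back to s, relp is exactly the one-step image computation that ComputeNext in Chapter 5 performs, and pbys against the visited set is ComputeFrontier.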



Chapter 3
Embedding the MDG Logic

As in ordinary multi-sorted first-order logic, the vocabulary of the MDG underlying logic consists of sorts, constants, variables, and function symbols or operators. In this chapter, we show how this underlying logic of MDGs is embedded in HOL. We will also show how the well-formedness conditions are specified in HOL, resulting in what we will call the Well-formed MDG Terms. Finally we will present some utilities to manipulate the well-formed terms.

3.1 MDG Sorts

The logic underlying MDGs deviates from standard many-sorted first-order logic by introducing a distinction between concrete (or enumerated) sorts and abstract sorts (cf. Section 2.2.1). This is embedded in HOL as follows:

- Concrete_Sort = Concrete_Sort of string => string list;



This declares a constructor called Concrete_Sort that takes as arguments a sort name and its enumeration to define a concrete sort. For example, if state is a concrete sort with [stop, run] as enumeration, then this is declared in HOL by:

val state = Define `state = Concrete_Sort "state" [stop; run]`;

- Abstract_Sort = Abstract_Sort of 'a;

To define an abstract sort of type alpha (which means that the sort is actually abstract and hence can represent any HOL type) we use the Abstract_Sort constructor as follows:

val alpha = Define `alpha = Abstract_Sort "alpha"`;

To determine whether a sort is concrete or abstract, we use predicates over the sort constructors called IsConcreteSort and IsAbstractSort, where "_" means "don't care":

(IsConcreteSort (Concrete_Sort _ _) = T) /\ (IsConcreteSort _ = F);
(IsAbstractSort (Abstract_Sort _) = T) /\ (IsAbstractSort _ = F);

These predicates will be used, for instance, to determine the sort of a variable or of a function symbol.

3.2 MDG Variables

As mentioned before, the distinction between sorts leads to the distinction between concrete and abstract variables. An abstract variable can be either a primary or a secondary variable. In our embedding, a primary abstract variable will be declared using the Abstract_Var constructor, while a secondary variable will be declared using


the Secondary_Var constructor.

- Concrete_Var = Concrete_Var of string => Concrete_Sort;

A variable is specified by its name and sort. A concrete variable is a variable of concrete sort. For example, if x is a variable of sort state, declared above, then this is written in HOL as follows:

val x = Define `x = Concrete_Var "x" state`;

- Abstract_Var = Abstract_Var of string => Abstract_Sort;

An abstract variable y with name "y" and sort alpha is declared using:

val y = Define `y = Abstract_Var "y" alpha`;

- Secondary_Var = Secondary_Var of string => Abstract_Sort;

The Secondary_Var constructor is similar to the Abstract_Var constructor. For example:

val y1 = Define `y1 = Secondary_Var "y1" alpha`;

We keep the two apart, however, to avoid mixing the variables in further manipulations and to allow us to declare the MDG_Term constructor as we will see in Section 3.5. In this case also, we use predicates to determine whether a variable is concrete, abstract or secondary. They are called, respectively, IsConcreteVar, IsAbstractVar and IsSecondaryVar.

(IsConcreteVar (Concrete_Var _ _) = T) /\ (IsConcreteVar _ = F);


(IsAbstractVar (Abstract_Var _ _) = T) /\ (IsAbstractVar _ = F);
(IsSecondaryVar (Secondary_Var _ _) = T) /\ (IsSecondaryVar _ = F);

3.3 MDG Constants

A constant can be either an individual constant or an abstract generic constant. The latter is identified by its name and its abstract sort. Individual constants can have multiple sorts, depending on the enumeration of the sort in which they appear. In HOL they are declared as follows:

- Individual_Const = Individual_Const of string;

The enumeration of the concrete sort state is [stop, run]. stop and run are two individual constants that have state as their sort. They must be defined before the sort state can be declared.

val stop = Define `stop = Individual_Const "stop"`;
val run = Define `run = Individual_Const "run"`;

- Generic_Const = Generic_Const of string => Abstract_Sort;

Having declared alpha as an abstract sort, we can declare generic constants of that sort. Say a is a generic constant of sort alpha:

val a = Define `a = Generic_Const "a" alpha`;

To check whether a constant is an individual constant or an abstract generic constant, we use the predicates IsIndividualConstant and IsGenericConstant.


(IsIndividualConstant (Individual_Const _) = T) /\ (IsIndividualConstant _ = F);
(IsGenericConstant (Generic_Const _ _) = T) /\ (IsGenericConstant _ = F);

3.4 MDG Functions

MDG functions can be concrete, abstract or cross-operators. As mentioned before, concrete functions are not used, since they can be eliminated by case splitting. Cross-functions are those that have at least one abstract argument. When we focus on terms that are concretely reduced, however, all the sub-terms of a compound term (abstract or cross function) have to be abstract; in addition, they are secondary variables.

- Cross_Function = Cross_Function of string => Secondary_Var list => Concrete_Sort;

In general, a function is identified by its name, the sorts of its arguments and its sort. Here we specify the argument variables rather than their sorts, because we focus on cross-terms or abstract terms instead of the corresponding function symbols. If equal is a function that checks whether two abstract variables are equal, then equal is a cross-function:

val bool = Define `bool = Concrete_Sort "bool" ["0"; "1"]`;
val y1 = Define `y1 = Secondary_Var "y1" alpha`;
val y2 = Define `y2 = Secondary_Var "y2" alpha`;
val equal = Define `equal = Cross_Function "equal" [y1; y2] bool`;


- Abstract_Function = Abstract_Function of string => Secondary_Var list => Abstract_Sort;

If max is a function that takes two abstract variables as arguments and returns the greater one, then max is an abstract function:

val max = Define `max = Abstract_Function "max" [y1; y2] alpha`;

The predicates IsAbstractFunction and IsCrossFunction are used to determine the nature of a compound term.

(IsAbstractFunction (Abstract_Function _ _ _) = T) /\ (IsAbstractFunction _ = F);
(IsCrossFunction (Cross_Function _ _ _) = T) /\ (IsCrossFunction _ = F);

3.5 MDG Terms

MDG terms are the individual constants, generic constants, concrete and abstract variables, and cross and abstract function symbols. We provide a constructor called MDG_Term that is used every time a new term is declared. A single constructor is used so that all terms have the same type and hence can be used in equalities. In fact, if x is declared using the Concrete_Var constructor and stop using the Individual_Const constructor, we will not be able to write an equation of the form x = stop, due to a type mismatch. Such an equation is possible, however, if both are declared using the same constructor.

Hol_datatype `MDG_Term =
    Individual_Const of string => Concrete_Sort
  | Generic_Const of string => 'a Abstract_Sort
  | Concrete_Var of string => Concrete_Sort


  | Abstract_Var of string => 'a Abstract_Sort
  | Cross_Function of string => ('a Secondary_Var) list => Concrete_Sort
  | Abstract_Function of string => ('a Secondary_Var) list => 'a Abstract_Sort`;

3.6 MDG Well-formed Terms

Well-formed terms are those that can be represented by well-formed MDGs, which are the directed formulae. Having embedded the notion of an MDG term in HOL, we should now specify the set of formulae that can be used to specify the MDG verification applications. To do so, we first have to check whether a term or formula is well-formed before constructing its corresponding MDG. A well-formed term is actually a DF (more precisely, a concretely-reduced DF).

For a term to be a DF, conditions 1 to 3 of Section 2.2.2 must be satisfied. Condition 1 states that the term must be a formula in disjunctive normal form, in which every disjunct is a conjunction of equations. The equations must respect the rules of Section 2.2.2. Condition 2 requires that the left-hand sides of the equations be pairwise distinct, and finally Condition 3 states that every abstract variable must appear in every disjunct.

Conditions 2 and 3 must be respected by the user when specifying the verification problem. Condition 3 is less stringent than it seems: in practice, one can introduce an additional dependent variable u and add an equation v = u to a disjunct in which an abstract variable v is missing.

Condition 1 is embedded in HOL using an ML function called Well_formedTerm


that uses the previously mentioned predicates to determine the nature of each equation in the term and returns true if the term is a directed formula. Well_formedTerm is a recursive function that splits the term into disjuncts and checks that every disjunct is well-formed. It uses an intermediate predicate Well_formedEQ that checks the well-formedness of an equation.

For every equation, we check that the left-hand side and the right-hand side respect one of the allowed forms. For an equation eq : l = r, the main check is the following (the eval_* functions evaluate, on the ML side, the HOL predicates of Sections 3.2 to 3.4 on a term):

fun Well_formedEQ eq =
  let val (l, r) = dest_eq eq   (* eq : l = r *)
  in
    (eval_IsConcreteVar l andalso eval_IsConcreteC r) orelse
    (eval_IsCrossF l andalso eval_IsConcreteC r) orelse
    (eval_IsAbstractVar l andalso eval_IsAbstractF r) orelse
    (eval_IsAbstractVar l andalso eval_IsAbstractVar r) orelse
    (eval_IsAbstractVar l andalso eval_IsGenericC r) orelse
    eval_IsBool l
  end;

This means that eq is well-formed if, for example, l is a concrete variable and r is a concrete constant.

3.7 Utility Functions

In order to make use of the MDG embedding mentioned above, we provide various utility functions to facilitate further manipulation of the MDG terms. For instance, to retrieve the label of a term, we use the function name. For example, if x is an individual constant defined by val x = Individual_Const "stop", then the label "stop" of the term is given by name(x).
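The three DF conditions as a checker, added here in Python as an example; it is not the thesis's ML code. Condition 1 follows the cases of Well_formedEQ above; conditions 2 and 3, which the thesis leaves to the user, are checked as well, and so is one check the page does not mention: that a concrete constant belongs to the enumeration of the sort of its left-hand side. Assumed: a DF is a list of disjuncts, each a list of (lhs, rhs) pairs; a bare boolean concrete variable (rhs None) stands for the eval_IsBool case; and condition 3 is read as "every abstract variable used as a left-hand side occurs as a left-hand side in every disjunct". The sample terms follow the declarations of Sections 3.1 to 3.4 and are constructed here.

```python
"""Well-formedness of directed formulae, conditions 1 to 3 (added example,
not the thesis's ML code). Terms are a small model of the MDG_Term
datatype; the reading of condition 3 and the bare-boolean atom are
assumptions stated in the lead-in."""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class ConcreteSort:
    name: str
    enum: Tuple[str, ...]          # the enumeration, e.g. ("0", "1")


@dataclass(frozen=True)
class AbstractSort:
    name: str


@dataclass(frozen=True)
class Term:
    """One MDG term; `kind` mirrors a constructor of the MDG_Term datatype."""
    kind: str
    name: str
    sort: Union[ConcreteSort, AbstractSort, None] = None
    args: Tuple["Term", ...] = ()   # secondary variables of a compound term


def is_kind(t, *kinds):
    return isinstance(t, Term) and t.kind in kinds


def well_formed_eq(eq):
    """Condition 1 for one equation (lhs, rhs); rhs None is a bare boolean atom.
    Returns None when well-formed, otherwise the reason."""
    l, r = eq
    if r is None:
        ok = is_kind(l, "Concrete_Var") and l.sort.name == "bool"
        return None if ok else "a bare atom must be a boolean concrete variable"
    if is_kind(l, "Concrete_Var", "Cross_Function") and is_kind(r, "Individual_Const"):
        # added check: the constant must be a value of the LHS's concrete sort
        if r.name not in l.sort.enum:
            return f"{r.name} is not in the enumeration of sort {l.sort.name}"
        return None
    if is_kind(l, "Abstract_Var") and is_kind(r, "Abstract_Function",
                                              "Abstract_Var", "Generic_Const"):
        return None
    return f"{l.kind} = {r.kind} is not an allowed equation form"


def well_formed_term(df):
    """Conditions 1 to 3 over a DF given as a list of disjuncts, each a list
    of equations. Returns (True, "") or (False, reason)."""
    if not df:
        return False, "empty formula"
    abstract_lhs = {l.name for disjunct in df for l, _ in disjunct
                    if is_kind(l, "Abstract_Var")}
    for i, disjunct in enumerate(df):
        for eq in disjunct:                                   # condition 1
            reason = well_formed_eq(eq)
            if reason:
                return False, f"disjunct {i}: {reason}"
        lhs_names = [l.name for l, _ in disjunct]
        if len(lhs_names) != len(set(lhs_names)):             # condition 2
            return False, f"disjunct {i}: left-hand sides are not pairwise distinct"
        missing = abstract_lhs - set(lhs_names)               # condition 3
        if missing:
            return False, f"disjunct {i}: abstract variable(s) {sorted(missing)} missing"
    return True, ""


# Constructed terms, following the declarations of Sections 3.1 to 3.4
BOOL = ConcreteSort("bool", ("0", "1"))
STATE = ConcreteSort("state", ("stop", "run"))
ALPHA = AbstractSort("alpha")
x = Term("Concrete_Var", "x", STATE)
stop = Term("Individual_Const", "stop")
one = Term("Individual_Const", "1")
y = Term("Abstract_Var", "y", ALPHA)
a = Term("Generic_Const", "a", ALPHA)
y1 = Term("Secondary_Var", "y1", ALPHA)
y2 = Term("Secondary_Var", "y2", ALPHA)
equal = Term("Cross_Function", "equal", BOOL, (y1, y2))
mx = Term("Abstract_Function", "max", ALPHA, (y1, y2))

GOOD = [[(x, stop), (y, a)], [(equal, one), (y, mx)]]
BAD_FORM = [[(x, y)]]                              # concrete variable = abstract variable
BAD_ENUM = [[(x, one)]]                            # "1" is not a value of sort state
BAD_COND2 = [[(x, stop), (x, stop)]]               # repeated left-hand side
BAD_COND3 = [[(x, stop), (y, a)], [(x, stop)]]     # y missing from the second disjunct
```

GOOD is the formula (x = stop ∧ y = a) ∨ (equal(y1, y2) = 1 ∧ y = max(y1, y2)); the four BAD_* formulae each violate exactly one of the checks, and the returned reason names the offending disjunct, which is what a termToMdg front end would report before calling the package.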


The function name is defined as follows:

Define `(name (Concrete_Var n _) = n) /\
        (name (Abstract_Var n _) = n) /\
        (name (Individual_Const n _) = n) /\
        (name (Generic_Const n _) = n) /\
        (name (Cross_Function n _ _) = n) /\
        (name (Abstract_Function n _ _) = n)`;

fun name t =
  let val th = EVAL (--`name ^t`--)
      val res = rhs (concl th)
  in stringSyntax.fromHOLstring res
  end;

Similarly, we define the following main utility functions:

- sort: determines the sort of a term. If y1 is a secondary variable as defined in Section 3.4, sort y1 returns alpha;
- enum: determines the enumeration of a concrete sort (and hence of a concrete variable), e.g., enum bool returns {0, 1};
- cross_term: determines the arguments of a compound term (a cross-term or an abstract function). For example, if equal is a cross-function as defined in Section 3.4, cross_term equal returns [y1; y2].

3.8 Summary

So far, we have embedded the logic underlying multiway decision graphs into HOL. We made the distinction between concrete and abstract sorts. We defined the


MDG terms inside HOL, then we defined the subset of first-order terms that can be represented by well-formed graphs. This subset is the so-called Directed Formulae. We also introduced the constraints that HOL formulae must satisfy to be well-formed; these can be checked before any further manipulation of their corresponding MDGs. Finally, we provided a number of utility functions to further manipulate the MDG terms (footnote 1). In the next chapter, we will present the new version of the MDG package that we have implemented, which provides various utilities to construct and manipulate MDGs.

1 A complete description of all MDG embedding and utility functions can be found at http://hvg.ece.concordia.ca/Research/MDGHOL/Embedding.html.


Chapter 4
Linking MDG and HOL

Based on the embedding of the logic underlying MDGs in HOL, in this chapter we discuss an interface that links the theorem prover to a lifted version of the MDG package.

4.1 Lifted MDG Package

The MDG package [34] provides tools for assembling graphs and manipulating them. However, these functionalities are not suitable for working interactively with HOL. In fact, as implemented, the MDG package lets the developer write MDG-based applications that take input files, process them, and return the result of the verification. In our case, we need functions that, for example, build the graph of a directed formula and return the resulting graph to be used afterwards. Besides, when leaving the MDG environment to return to HOL, we need to save the graph and


term arrays. For this purpose, we developed a lifted version of the MDG package that inherits the functionalities of the former package and provides the new ones needed in our embedding.

4.1.1 Modified Functionalities

To allow the interaction between HOL and MDG, we modified the MDG operators. Besides, we modified the function assemble, responsible for building a graph representation given the root information, the edges and the immediate sub-graphs, to remove redundant nodes.

Building Graphs

We modified the main function assemble to remove redundant nodes when assembling a graph. This is done by checking whether the edges issue from all the constants appearing in the enumeration of the root node sort and the immediate subgraphs are all equal. If both hold, the root node is redundant and the result graph is the immediate subgraph itself; otherwise, assemble continues the construction.

MDG Operators

We have modified the MDG operators so that we do not have to pass the graph and term arrays as arguments to the operators. This is very practical because, when switching from HOL to MDG and vice versa, it is very inconvenient to carry these arrays as arguments, especially when they get big.
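The two behaviours of assemble described in Section 2.4.2 and here (sharing through the reduction table, and removal of a redundant node), as an added Python model; it is not the package's Prolog code. Node fields follow graph(TopSymbolOrder, NodeKind, NodeLabel, Id, Edges, SubGraphs, SecVars). Assumed here: the reduction table is keyed on the root information plus the (edge, subgraph id) pairs, secondary variables are the ordered union of the children's, a node is redundant when its edges cover the whole enumeration of its sort and all its subgraphs are the same graph, and the Method argument is not modelled. The enumeration of the root sort is passed in explicitly because this model has no sort table.

```python
"""Model of the lifted `assemble` (added example, not the MDG package's code):
a graph array with a reduction table for sharing, plus the redundant-node
rule of Section 4.1.1. Field names mirror graph(Order, Kind, Label, Id,
Edges, SubGraphs, SecVars); the reduction key and the SecVars rule are
assumptions."""
from collections import namedtuple

Graph = namedtuple("Graph", "order kind label id edges subgraphs secvars")


class GraphArray:
    """The graph array plus the reduction table of the package."""

    def __init__(self):
        self.graphs = {}        # id -> Graph
        self.table = {}         # reduction key -> id (gives graph sharing)
        self.t = self._enter(Graph(0, "leaf", "T", None, (), (), ()))

    def _enter(self, g):
        gid = len(self.graphs) + 1
        self.graphs[gid] = g._replace(id=gid)
        return gid

    def assemble(self, root_info, edges, subgraphs, enum):
        """root_info = (order, kind, label); edges are constants of the root
        sort; subgraphs are graph ids; enum is the enumeration of the sort."""
        order, kind, label = root_info
        if len(edges) != len(subgraphs) or len(edges) != len(set(edges)):
            raise ValueError("edges and subgraphs must pair up, without repeats")
        if not set(edges) <= set(enum):
            raise ValueError("edge label not in the enumeration of the root sort")
        # redundant node: every value of the sort leads to the same subgraph
        if set(edges) == set(enum) and len(set(subgraphs)) == 1:
            return subgraphs[0]
        # canonical edge order, so x:{0->A, 1->B} and x:{1->B, 0->A} share a node
        pairs = tuple(sorted(zip(edges, subgraphs)))
        key = (order, kind, label, pairs)
        if key in self.table:                      # found in the reduction table
            return self.table[key]
        secvars = tuple(sorted({v for _, s in pairs for v in self.graphs[s].secvars}))
        gid = self._enter(Graph(order, kind, label, None,
                                tuple(e for e, _ in pairs),
                                tuple(s for _, s in pairs), secvars))
        self.table[key] = gid
        return gid


BOOL = ("0", "1")


def build_x_equals_y(arr):
    """The graph of Figure 2.3: x=0 -> y=0 -> T and x=1 -> y=1 -> T."""
    y0 = arr.assemble((2, "con_var(bool)", "y"), ["0"], [arr.t], BOOL)
    y1 = arr.assemble((2, "con_var(bool)", "y"), ["1"], [arr.t], BOOL)
    return arr.assemble((1, "con_var(bool)", "x"), ["0", "1"], [y0, y1], BOOL)


def build_x_dont_care(arr):
    """Both values of x lead to the same y graph: the x node is redundant."""
    y0 = arr.assemble((2, "con_var(bool)", "y"), ["0"], [arr.t], BOOL)
    return arr.assemble((1, "con_var(bool)", "x"), ["0", "1"], [y0, y0], BOOL)


if __name__ == "__main__":
    arr = GraphArray()
    print(build_x_equals_y(arr), build_x_equals_y(arr), len(arr.graphs))  # 4 4 4
    arr2 = GraphArray()
    print(arr2.graphs[build_x_dont_care(arr2)].label)                      # y
```

Building the Figure 2.3 graph twice returns the same id without adding nodes, which is the sharing the reduction table provides; in the second array the x node is never created, because both of its edges lead to the same y graph.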


To do so, the different operators use the arrays stored in the MDG environment, perform the operation over the graphs or terms and then update the arrays. All this work is done inside MDG, and the result graph is returned to HOL. For every operator, we provide two versions: the first takes graphs or terms as arguments, and the second takes their IDs instead.

4.1.2 New Functionalities

The lifted MDG package provides functions to build the graph of a well-formed HOL term and other facilities needed for the reachability analysis procedure.

Assembling the Graph of an Equation

Using the function assemble, we now define the functions used to build the graph of an equation of the form x = c. The graph of such an equation has a root node labelled by x with an edge labelled by c leading to T (true). If, for example, x is a concrete variable with order number 1 and sort state, and c is an individual constant, then the graph of x = c is

graph(1, con_var(state), x, Id, [c], [T], []).

To build the graph of an equation, several cases have to be considered, depending on the kind of the left-hand side (LHS) and the right-hand side (RHS) of the equation. If the LHS is a concrete variable x and the RHS is an individual constant c, then


the graph of the equation is built using the function mdgc. It takes as input x and c and returns the result R.

mdgc(X, C, R) :-
    g(Id1, G1),
    t(Id2, E1),
    signal(X, Sort),
    con_sort(Sort, _),
    find_order(con_var(_), X, Order),
    RootInfo = rootinfo(Order, con_var(Sort), X),
    assemble(RootInfo, [C], [t], noop, R, (Id1, G1), (Id2, E1), G, E).

The first two lines of this Prolog code retrieve the graph and term arrays together with their sizes. The third line determines the sort of x, which the fourth line checks to be concrete. The fifth line determines the order of x. In line 6, we store the information of the node labelled by x in the RootInfo structure. Finally, the information is gathered and the function assemble is called to build the graph.

Similarly, we use the following functions, depending on the kind of the two sides of the equation:

- Cross-term = Concrete Constant: we use the function mdgx. In this case, the cross-term has to be built in advance;
- Abstract Variable = Generic Constant: we use the function mdgac;
- Abstract Variable = Abstract Variable: we use the function mdgav;
- Abstract Variable = Abstract Function: the function used is mdga. The abstract function must be assembled and added to the term array in advance.


Assembling the Graph of a Directed Formula

A directed formula is a disjunction of conjunctions of equations. To build its graph, we need to build the MDGs of every equation and then perform the corresponding operations (conjunction, disjunction). The main function to call is mdg, which uses the previous functions together with the disjunction (disj) and conjunction (conj) operators.

To build the graph of a directed formula, we represent the formula as a list of lists, where every inner list contains the equations of one disjunct. For example, if

f = [(x1 = c1) ∧ (x2 = c2)] ∨ [(eq(y1, y2) = c3) ∧ (x4 = c4)]

then the list would be [[x1 = c1, x2 = c2], [eq = c3, x4 = c4]]. This is in turn split into two lists containing the LHSs and the RHSs of the equations:

[[x1, x2], [eq, x4]], [[c1, c2], [c3, c4]]

If a term is compound, its arguments are specified in another list; otherwise the corresponding element is "_". This list for the previous example is the following:

[[_, _], [[y1, y2], _]]

These three lists of lists are passed to the function mdg, which returns the graph of the directed formula:

mdg([[x1, x2], [eq, x4]], [[_, _], [[y1, y2], _]], [[c1, c2], [c3, c4]], Result).


Generating Input Graphs

The function inputs builds a one-path graph that will be used as the input graph during the reachability analysis.

Mode: inputs(Xs, J, G).
Arguments: Xs is a list of abstract variables, J is an integer, G is the result graph.
Function: For every abstract variable x in the list Xs, builds an MDG of the equation x = x#J (the input value associated to x in the J-th iteration) and then returns the conjunction of all the MDGs obtained. The result graph serves as the input graph during the reachability analysis.

Filtering Abstract Variables

When generating the input graph, only abstract inputs are considered. To extract them we use the function filter_abs.

Mode: filter_abs(L1, L2).
Arguments: L1 is a list of variables. L2 is the result list.
Function: picks the abstract variables of L1 and inserts them in L2.

Renaming Substitution

The renaming substitution function is used by the relational product operator.

Mode: modify_ren(S, NS, Ren).
Arguments: S is a list of state variables and NS a list of their corresponding next-state variables. Ren is the result renaming substitution.


Function: Generates the renaming substitution for a list of state variables. First, the orders of the variables are retrieved. Then the maximum order is determined (used to optimize the relational product algorithm). Finally the renaming substitution is generated in the form ren(Name, LO, Substitution), where Name is the name of the substitution, LO is the maximum order of the list, and Substitution is a list of 3-tuples (Label, NewLabel, NewOrder).

Retrieving Graphs

Mode: get_mdg_from_logarr(Id, G).
Arguments: Id is an ID, G is the graph corresponding to Id.
Function: Retrieves a graph from the graph array according to its ID. This function is used every time we call the MDG package to assemble a graph or to manipulate graphs; it returns the resulting graph. It is also used internally by the package to perform operations over graphs.

4.2 Linking MDG to HOL

In Section 4.1 we presented a lifted version of the MDG package to manipulate MDGs. In this section we discuss the way we link HOL and the MDG package to solve the verification problem.


4.2.1 HOL-MDG Interaction

To let HOL communicate with the lifted MDG package, we use the SML library Process [17]. This library provides a function called system that allows HOL to call external processes. In our case, the external process is the lifted MDG package compiled as a stand-alone program.

The lifted MDG package is invoked by HOL functions using a script file in which we specify the different manipulations to be done in MDG. For every HOL function that needs to call the lifted MDG package, we provide a function that automatically generates the corresponding script file. If, for example, we want to perform the conjunction of a list of terms using the ML function Conj, an intermediate function called MakeConjScript is invoked to generate a script file. In this file, we find a call to the MDG function conj to perform the conjunction of the corresponding graphs, and a call to the MDG function get_graphId to retrieve the ID of the resulting graph.

The HOL function passes the script file to the MDG package using the system function mentioned above. The MDG package computes the result and then writes it to a file "mdghol.ch". Using the function ReadMdgOutput, the result is returned to HOL.


4.2.2 Constructing MDGs in HOL

To construct the graph representing a HOL term we use the function termToMdg. This function uses the MDG function mdg (cf. Section 4.1.2) by passing a script file in which all the necessary data are specified.

Before calling the MDG package, termToMdg invokes Well_formedTerm to check whether the term is well-formed. It either raises an exception when this is not the case, or begins gathering the information needed to call the package.

The first step is to determine the sorts of all the sub-terms using the function ToMdgSorts. If a sub-term is of concrete sort Sort, it is declared as "con_sort(Sort, Enum)", where Enum is the enumeration of Sort. When an abstract sort, say alpha, is encountered, it is declared by "abs_sort(alpha)". For example, if a term A includes a concrete variable of sort bool and an abstract variable of sort alpha, then ToMdgSorts returns the following list:

["con_sort(bool,[0,1]).", "abs_sort(alpha)."]

The second step is to declare all the variables, functions and generic constants used in the term. A variable is declared by "signal(label, sort)". A generic constant is declared by "gen_const(label, sort)". When a function is encountered, both the secondary variables and the function symbol must be declared. The function symbol is declared as "function(f, [sorts], sort)", where sorts are the sorts of the secondary variables (the arguments of the function symbol f) and sort is its target sort.

Thereafter, termToMdg writes the variable order list in the script file and then


calls the function header, responsible for retrieving the lists of the LHSs and RHSs of the equations in the term, which are the parameters of the mdg function. The latter is then called and the result is retrieved using the readMDGOutput function. Instead of returning the whole graph structure, we return only its ID, which is used to map the term to its MDG representation.

4.2.3 Interfacing MDG Basic Operators

As mentioned before, the MDG operators are interfaced to HOL using script files. The same names are given to MDG functions and their corresponding HOL functions. The manipulation of HOL terms resolves to the manipulation of their MDG representations. This means that the operators call termToMdg to build the MDG representations and then call the corresponding MDG functions to compute the result. Since termToMdg returns the ID of a graph, two versions of each operator are provided:

- Conj: conjunction of HOL terms using their graph representations;
- ConjId: conjunction of HOL terms using their graph representation IDs;
- Disj: disjunction of HOL terms using their graph representations;
- DisjId: disjunction of HOL terms using their graph representation IDs;
- Relp: relational product using the graph representations;
- RelpId: relational product using the graph representation IDs;
- PbyS: pruning by subsumption using the graph representations;
- PbysID: pruning by subsumption using the graph representation IDs.


4.3 Summary

In this chapter we presented a lifted MDG package providing functions to build and manipulate graphs and allowing the operations to be performed interactively. We also showed the way HOL and MDG communicate (footnote 1). HOL calls the lifted MDG package via script files that are generated by the calling functions. To build the graph representing a well-formed term, we use the ML function termToMdg, which returns the ID of the graph as a result. Finally, the MDG operators are linked to ML functions, allowing the manipulation of HOL terms by manipulating their graph representations instead.

1 A detailed description of the lifted MDG package and the MDG-HOL linking functions can be found at http://hvg.ece.concordia.ca/Research/MDGHOL/Embedding.html.


Chapter 5
Embedding MDG Applications

In this chapter we show how to use our embedding to implement MDG applications inside HOL. We illustrate this with different applications, such as reachability analysis to perform invariant checking and sequential equivalence checking.

5.1 Reachability Analysis

The reachability analysis is embedded using the MDG operators interfaced to HOL. We show here the different steps to compute the set of reachable states of an abstract state machine.

5.1.1 Computing Next States

Let I, B and R be, respectively, a set of inputs, a set of initial states of a machine and its transition relation. The ML function ComputeNext, representing the set of next states computed from B with respect to R, is defined by:


    ComputeNext(GI GB GR) = RelP(GI GB GR Q σ)

where GI, GB and GR are the MDG representations of I, B and R, respectively, Q is the set of input variables and state variables over which the MDG is (existentially) quantified, and σ is the renaming substitution that maps next-state variables back to their current-state variables. B can be the set of initial states as well as the set of states already reached by the machine.

5.1.2 Computing Outputs

The set of outputs corresponding to a set of states and inputs, with respect to an output relation O, is represented by the ML function ComputeOutputs below, where GO is the MDG representation of O:

    ComputeOutputs(GI GB GO) = RelP(GI GB GO Q)

Here the input and state variables in Q are quantified out and no renaming substitution is applied, since the output relation introduces no next-state variables. To every state of the machine and set of data inputs corresponds a set of output values; these are the values on which an invariant is checked.

5.1.3 Computing the Frontier Set

The frontier set is the set of newly visited states. If V represents the set of states already visited, Vn = ComputeNext(GI V GR) is the set of next states reached from V. The frontier set is then Vn \ V, represented by the ML function ComputeFrontier:

    ComputeFrontier(Vn V) = PbyS(Vn V)


The frontier set is used to check whether all the states reachable by the machine have already been reached. If so (the frontier set is empty), the reachability analysis terminates and the set of reachable states is returned. Otherwise, new states were visited during the last iteration, and the analysis continues until the fix-point (set) is reached.

5.1.4 Computing Reachable States

The set of reachable states is the set of all the states of a machine that can be reached, starting from an initial state, for a certain set of inputs. For abstract state machines the state space can be infinite, hence the set of reachable states may not exist (footnote 1). Using the solutions proposed in [2], the set of reachable states is computed and represented by the function ComputeReachable, defined by (footnote 2):

    ComputeReachable G_I G_B G_R =
      K = 0, S = G_B
      loop
        K = K+1
        N = ComputeNext G_Ik G_B G_R        // G_Ik: input graph with fresh input variables for iteration K
        if ComputeFrontier N S = F then return S   // fix-point reached: S is the set of reachable states
        G_B = ComputeFrontier N S           // continue only from the newly reached states
        S = Disj N S
      end loop
    end;

1 This is called the non-termination problem, which was tackled in [2] using various heuristics.
2 For the sake of clarity, this is just a simplified version of the algorithm.

ComputeReachable computes the set of reachable states S of a state machine described by its transition relation, starting from an initial state and for a certain


data input. S is initialized to B (the initial state), and the sets of next states are computed until a fix-point, characterized by an empty frontier set, is reached.

5.2 Invariant Checking

Invariant checking is a direct application of the reachability analysis algorithm. It consists of checking that a property, or invariant, holds on the outputs of a state machine in every reachable state. First, the invariant is checked in the initial state: the outputs corresponding to that state are computed, and the MDG operators are used to check that these outputs satisfy the invariant. Next states are then computed and, for every state reached, the invariant is checked on the outputs. If in a given iteration the outputs of the machine satisfy the invariant, the procedure continues with the next states. If, on the other hand, the invariant does not hold, the analysis terminates and a failure is reported. A counterexample can be generated to trace the error.

5.2.1 Examining the Outputs

For a given state of the machine and a given set of inputs, the set of outputs is computed and represented by an MDG Os. Similarly, the invariant is given by its MDG representation C. To verify that the invariant holds on these outputs, we apply the MDG operator PbyS to Os and C. The pruning by subsumption operation returns the graph obtained by removing from Os the paths subsumed by C


(i.e., the paths of C). If the resulting graph is the MDG F (false), then all the paths of Os are subsumed by C. This ensures that the outputs of the machine satisfy the invariant; the next outputs are then computed and checked until either all the states of the machine have been reached or some outputs violate the invariant. If, on the other hand, the graph obtained by pruning the invariant from the outputs is not the false MDG, then there exist outputs on which the invariant does not hold. In this case, the procedure terminates and an error is reported.

5.2.2 Generating the Inputs

The reachability procedure requires a supply of fresh input variables. Whenever an abstract variable x is used as an input, a fresh variable u_x^k is generated in every iteration k of the procedure to serve as the symbolic value of x. In practice, we construct u_x^k by concatenating the identifier x, the symbol # and the decimal representation of the number k, i.e., u_x^k is "x#k". The function NewInputs constructs a linear (one-path) MDG representing the formula ∧_x (x = u_x^k).

NewInputs first retrieves the abstract variables from the set of inputs using the function FilterAbs, and then constructs the MDG representing the inputs using the function GenerateInputs. The latter takes the list of abstract input variables and the iteration number as arguments and calls the MDG function inputs (cf. Section 4.1.2) to construct the graph.


5.2.3 Renaming Substitution

During the reachability analysis we have to apply the renaming substitution, which renames the next-state variables to their corresponding current-state variables. For example, if s is a state variable, computing the next state of the machine introduces the next-state variable s' of s; before proceeding to the next iteration, s' must be renamed to s. To generate the renaming substitution function σ we use the ML function GenerateRenaming, which in turn calls the MDG function modify_ren described in Section 4.1.2.

5.2.4 Checking an Invariant

Using the functions above, the invariant checking algorithm is implemented in HOL as an ML function InvariantChecking that takes as arguments:

- TR: the transition relation, specified as a list of directed formulae;
- OR: the output relation, specified by a directed formula;
- IN: the initial state, specified by a directed formula;
- Inputs: the list of input variables;
- States: the list of state variables;
- NxStates: the list of next-state variables corresponding to States;
- Inv: the invariant to be checked, specified as a directed formula.

The function InvariantChecking first builds the graphs of the transition relation, the output relation, the initial state and the invariant using the function termToMdg.


It then generates the renaming substitution and the input graph. After that, the outputs are computed using ComputeOutputs and the invariant is checked on them. If the invariant holds, the next states are computed using ComputeNext. Checking the frontier set then either terminates the analysis or starts another iteration.

    InvariantChecking Tr Or In Inputs States NxStates Inv =
      // build the MDG representations G_Tr, G_Or, G_In, G_Inv
      // generate the renaming substitution function
      K = 0, S = G_In, R = G_In            // S: states reached so far, R: states still to examine
      loop
        K = K+1
        // generate the input graph G_IK (fresh input variables for iteration K)
        O_s = ComputeOutputs G_IK R G_Or
        if (PbyS O_s G_Inv) != F then return failure      // some outputs violate the invariant
        N = ComputeNext G_IK R G_Tr
        if ComputeFrontier N S = F then return success    // fix-point: every reachable state examined
        R = ComputeFrontier N S
        S = Disj N S
      end loop
    end InvariantChecking;

5.3 Model Checking in HOL

Checking that a property, described as a temporal logic formula, holds on a model of a system is the essence of model checking. Using the reachability analysis embedding, we implemented a number of MDG temporal operators [33] inside HOL. The property templates that we considered are the following:

- AG P: P holds in all the states of every path;
- AF P: in all paths, P eventually holds;


- A P: in all paths, P holds in all the states reached in at least n transitions.

In the following we present how the property AF P is embedded in HOL.

    Check_AF Tr In Inputs States NxStates P =
      // build the MDG representations G_Tr, G_In, G_P
      // generate the renaming substitution function
      K = 0, Sigma = F, C = G_In
      // Sigma accumulates the states that do not satisfy P
      loop
        Q = ComputeFrontier C G_P          // remove from C the states satisfying P
        if Q = F then return success       // every path from C has reached P
        if ComputeFrontier Sigma Q != Sigma then return failure
                                           // a state violating P is met again: a path may avoid P forever
        Sigma = Disj Sigma Q
        K = K+1
        // generate the input graph G_IK (fresh input variables for iteration K)
        C = ComputeNext G_IK Q G_Tr
      end loop
    end Check_AF;

5.4 MDG as a Decision Procedure

The multiway decision graphs are a canonical representation of the directed formulae: two directed formulae are equivalent if and only if they are represented by the same graph for a fixed variable order. This property can be used to prove the equivalence of HOL terms automatically, or to check that a formula is a tautology, in which case it is represented by the MDG T.
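Returning to the loops of Sections 5.1 to 5.3, all three share one skeleton: compute the image of a state set, subtract what has already been seen, and stop when nothing new appears. The following Python program is an added example, not code from the thesis or from the MDG-HOL package; it replaces the MDGs by explicit sets of concrete states, so that RelP followed by the renaming substitution becomes compute_next, PbyS becomes set difference, Disj becomes set union and the MDG F becomes the empty set. The machine it runs on (a modulo-4 counter with a synchronous reset input and the outputs busy and full) and the invariants are constructed for the example; the parent map used to rebuild a counterexample trace is likewise an addition, since the thesis only states that a counterexample can be generated.

```python
"""Explicit-state counterparts of ComputeReachable, InvariantChecking and
Check_AF (Sections 5.1-5.3).  Added example: sets of concrete states stand in
for MDGs, so no abstract variables and no fresh-input generation are needed.
"""
from typing import Callable, Dict, Hashable, Iterable, List, Set, Tuple

State = Hashable
Inputs = Tuple
Trans = Callable[[State, Inputs], State]

# Constructed toy machine (not from the thesis): a modulo-4 counter `cnt` with a
# synchronous reset input `rst`; outputs are (busy, full) = (cnt != 0, cnt == 3).
TOY_INPUTS: List[Inputs] = [(False,), (True,)]


def toy_trans(cnt: int, inp: Inputs) -> int:
    (rst,) = inp
    return 0 if rst else (cnt + 1) % 4


def toy_out(cnt: int, inp: Inputs) -> Tuple[bool, bool]:
    return (cnt != 0, cnt == 3)


def compute_next(states: Set[State], trans: Trans, inputs: Iterable[Inputs],
                 parent: Dict[State, State] = None) -> Set[State]:
    """Image of `states` under the transition relation for every input valuation:
    the explicit counterpart of RelP followed by the renaming substitution.
    `parent` records one predecessor per newly seen state for counterexamples."""
    nxt: Set[State] = set()
    for s in states:
        for i in inputs:
            t = trans(s, i)
            nxt.add(t)
            if parent is not None and t not in parent:
                parent[t] = s
    return nxt


def compute_outputs(states, out, inputs):
    """Output valuations produced by `states` under every input (ComputeOutputs)."""
    return {out(s, i) for s in states for i in inputs}


def compute_frontier(new_states: Set[State], visited: Set[State]) -> Set[State]:
    """Newly visited states, Vn \\ V (PbyS in the MDG package)."""
    return new_states - visited


def compute_reachable(init, trans, inputs):
    """Fix-point iteration of ComputeReachable; returns (reachable, iterations)."""
    visited, frontier, k = set(init), set(init), 0
    while frontier:                       # empty frontier = fix-point reached
        k += 1
        nxt = compute_next(frontier, trans, inputs)
        frontier = compute_frontier(nxt, visited)
        visited |= nxt
    return visited, k


def trace_to(state, parent, init):
    """Rebuild a path from an initial state to `state` with the parent map."""
    path = [state]
    while path[-1] not in init:
        path.append(parent[path[-1]])
    return path[::-1]


def invariant_checking(init, trans, out, inputs, inv):
    """InvariantChecking: ('success', reachable) or ('failure', trace, bad_output)."""
    parent: Dict[State, State] = {}
    visited, frontier = set(init), set(init)
    while True:
        for s in frontier:                # examine the outputs of the new states
            for i in inputs:
                o = out(s, i)
                if not inv(o):            # PbyS O_s G_Inv != F
                    return "failure", trace_to(s, parent, init), o
        nxt = compute_next(frontier, trans, inputs, parent)
        frontier = compute_frontier(nxt, visited)
        if not frontier:
            return "success", visited
        visited |= frontier


def check_af(init, trans, inputs, p):
    """Check_AF of Section 5.3: explore only from states violating p; a
    violating state met a second time is reported as failure."""
    sigma: Set[State] = set()             # states not satisfying p seen so far
    c = set(init)
    while True:
        q = {s for s in c if not p(s)}    # ComputeFrontier C G_P
        if not q:
            return "success"
        if sigma & q:                     # ComputeFrontier Sigma Q != Sigma
            return "failure"
        sigma |= q
        c = compute_next(q, trans, inputs)


if __name__ == "__main__":
    print(compute_reachable({0}, toy_trans, TOY_INPUTS))
    print(invariant_checking({0}, toy_trans, toy_out, TOY_INPUTS, lambda o: not o[1]))
    print(check_af({1}, toy_trans, TOY_INPUTS, lambda s: s == 0))
```

Two things are worth noticing when running it. invariant_checking returns the violating output together with the path from an initial state, which is the counterexample Section 5.2 alludes to. check_af reproduces the Check_AF loop literally, including its treatment of a state that violates P and is met a second time: that is a genuine failure whenever a cycle of such states exists, but the same situation arises when two paths of different length reconverge on one state, so the loop can report a failure for a machine on which AF P holds. For a total transition relation the check never reports success wrongly, so a reported failure should be confirmed by inspecting the states accumulated in Sigma.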



5.4.1 Equivalence Checking

We provide here a decision procedure that verifies automatically the equivalence of a certain subset of first-order HOL terms. This is performed by the ML function equivCheck:

    fun equivCheck order t1 t2 =
      let val s1 = termToMdg order t1
          val s2 = termToMdg order t2
      in (s1 = s2)
      end;

Since termToMdg returns graph IDs, both terms must be built with the same order and into the same graph table for the comparison of IDs to be meaningful. Using equivCheck we write an oracle that builds a theorem stating the equivalence of the two terms. Such a theorem is not derived from the axioms and inference rules of HOL, so its soundness rests on the MDG package rather than on the HOL kernel; this weakens the guarantee normally provided by the HOL reasoning style. Theorems created through the oracle are therefore tagged, so that an error can be traced back to the oracle whenever it occurs. Decision procedures of this kind are widely used to add automation to theorem provers.

5.4.2 Tautology Checking

A formula is a tautology if it is represented by the MDG T. This makes the check very easy for the subset we consider, the directed formulae. We use the ML function tautology:

    fun tautology order t =
      let val s = termToMdg order t
      in isTrue s
      end;
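To see why comparing the results of termToMdg decides equivalence, the following Python program is an added example (not the MDG package) that does the same thing for propositional formulas with reduced ordered BDDs: a unique table guarantees that, for a fixed variable order, a formula is represented by exactly one node, so equiv_check and tautology are direct counterparts of equivCheck and tautology above. Terms are given as nested tuples instead of HOL terms; the Graph class, the OPS table and the tuple syntax are all assumptions of the example.

```python
"""equivCheck and tautology (Section 5.4) over a propositional decision-graph
package.  Added example, not the thesis's MDG package: reduced ordered BDDs
with a unique table play the role of the MDGs, so for a fixed variable order
two formulas are equivalent iff term_to_graph returns the same node id."""
import operator
from typing import Dict, Tuple

OPS = {
    "and": operator.and_,
    "or": operator.or_,
    "xor": operator.xor,
    "imp": lambda a, b: (not a) or b,
}


class Graph:
    """Unique-table BDD package: ids 0 and 1 are the terminals F and T; every
    other id is a node (var, low, high) that is created at most once."""

    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}   # fixed variable order
        self.nodes: Dict[int, Tuple] = {}                   # id -> (var, low, high)
        self.unique: Dict[Tuple, int] = {}                  # (var, low, high) -> id
        self.cache: Dict[Tuple, int] = {}                   # memoised apply calls

    def mk(self, var, low, high):
        """Canonical node constructor: no redundant tests, no duplicate nodes."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        if v not in self.level:
            raise KeyError(f"variable {v!r} is not in the order")
        return self.mk(v, 0, 1)

    def _level(self, n):
        return len(self.level) if n < 2 else self.level[self.nodes[n][0]]

    def apply(self, op, a, b):
        """Shannon expansion on the topmost variable of a and b (the apply step)."""
        key = (op, a, b)
        if key not in self.cache:
            if a < 2 and b < 2:
                r = int(bool(op(bool(a), bool(b))))
            else:
                la, lb = self._level(a), self._level(b)
                v = self.nodes[a][0] if la <= lb else self.nodes[b][0]
                a0, a1 = self.nodes[a][1:] if la <= lb else (a, a)
                b0, b1 = self.nodes[b][1:] if lb <= la else (b, b)
                r = self.mk(v, self.apply(op, a0, b0), self.apply(op, a1, b1))
            self.cache[key] = r
        return self.cache[key]

    def neg(self, a):
        return self.apply(OPS["xor"], a, 1)


def term_to_graph(g: Graph, t):
    """Build the graph of a term written as nested tuples:
    'x' | ('not', t) | ('and'|'or'|'xor'|'imp', t1, t2).  Returns a node id."""
    if isinstance(t, str):
        return g.var(t)
    op, *args = t
    if op == "not":
        return g.neg(term_to_graph(g, args[0]))
    return g.apply(OPS[op], term_to_graph(g, args[0]), term_to_graph(g, args[1]))


def equiv_check(order, t1, t2) -> bool:
    """equivCheck: both terms are built in the SAME graph with the SAME order,
    so comparing the returned ids decides equivalence."""
    g = Graph(order)
    return term_to_graph(g, t1) == term_to_graph(g, t2)


def tautology(order, t) -> bool:
    """tautology: a formula is valid iff its graph is the terminal T (id 1)."""
    return term_to_graph(Graph(order), t) == 1
```

The comparison is on node ids, which only mean something inside the graph they were allocated in: two fresh Graph instances hand out the same id for different variables. The same holds for the MDG package, where termToMdg returns an id into the shared graph table, so both terms must be translated with the same order and into the same table before the ids are compared. And, as with the HOL oracle, the verdict is only as trustworthy as the canonical-form package itself, which is why the theorems it produces are tagged.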


5.5 Summary

In this chapter we embedded the reachability analysis inside HOL using the MDG embedding described in Chapter 3 and the lifted MDG package of Section 4.1. We used the reachability analysis to implement the model checking and invariant checking procedures, which allow property checking for abstract state machines specified in HOL. We also implemented functions that check the equivalence of HOL terms and perform tautology checking automatically (footnote 3). This shows how our embedding brings some automation to the HOL theorem prover. Another application of the reachability analysis would be the sequential equivalence checking of abstract state machines. This is similar to the invariant checking procedure: one considers the product of the two state machines, with the invariant stating the equivalence of their corresponding outputs.

3 A full description of the MDG applications embedding can be found at http://hvg.ece.concordia.ca/Research/MDGHOL/Embedding.html.


Chapter 6
Case Study: Island Tunnel Controller

[Figure 6.1: The Island Tunnel Controller. (a) The one-lane tunnel between the island and the mainland, with the sensors ie, ix, me, mx and the lights igl, irl, mgl, mrl. (b) Block diagram: Island Light Controller (ILC), Tunnel Controller (TC), Mainland Light Controller (MLC), Island Counter and Tunnel Counter, connected by the signals iu, ir, ig, iy, my, mg, mr, mu, ic+, ic-, itc+, itc-, mtc+, mtc-.]

In this chapter we show how the invariant checking procedure described in Section 5.2 is used to verify a range of properties on the Island Tunnel Controller (ITC) as a case study. The ITC was originally introduced by Fisler and Johnson [12]. It controls the vehicle traffic in a one-lane tunnel connecting the mainland to a small island, as shown in Figure 6.1(a). At each end of the tunnel there is


a traffic light. There are four sensors for detecting the vehicles: one at the tunnel entrance (ie) and one at the tunnel exit on the island side (ix), and one at the tunnel entrance (me) and one at the tunnel exit on the mainland side (mx). It is assumed that all cars are finite in length, that cars cannot enter the tunnel on a red light, that no car gets stuck in the tunnel, that cars do not exit the tunnel before entering it, and that there is sufficient distance between two cars for the sensors to distinguish them.

The ITC is specified using three communicating controllers and two counters, as shown in Figure 6.1(b). The state transition diagram of the Island Light Controller (ILC) is shown in Figure 6.2. The ILC has four states: green, entering, red and exiting. The outputs igl and irl control the green and red lights on the island side, respectively; iu indicates that cars from the island side are currently using the tunnel, and ir indicates that the island is requesting the tunnel. The input iy requests the island to yield control of the tunnel, and ig grants control of the tunnel.

[Figure 6.2: State Transition Diagram of the ILC. States green, entering, red and exiting; transitions guarded by iy, ie, ig and ix; outputs igl, irl, iu, ir, itc+, itc- and ic-.]


A similar set of signals is defined for the Mainland Light Controller (MLC), as shown in Figure 6.3.

[Figure 6.3: State Transition Diagram of the MLC. States green, entering, red and exiting; transitions guarded by my, me, mg, mx and ic < n; outputs mgl, mrl, mu, mr, mtc+, mtc- and ic+.]

The state transition diagram of the Tunnel Controller (TC) is depicted in Figure 6.4. The TC processes the requests for access issued by the ILC and the MLC. The Island Counter and the Tunnel Counter keep track of the number of cars currently on the island and in the tunnel, respectively. At each clock cycle, the count tc of the tunnel counter is incremented by 1 depending on the signals itc+ and mtc+, or decremented by 1 depending on itc- and mtc-, unless it is already 0. The island counter operates in a similar way, except that its increment and decrement signals are ic+ and ic-, respectively.


[Figure 6.4: State Transition Diagram of the TC. States dispatch, iuse, iclear, muse and mclear; transitions guarded by ir, mr, iu, mu and tc = 0; outputs ig, iy, mg and my.]

6.1 ITC Specification using Directed Formulae

Let is, ms and ts be the control state variables of the three controllers ILC, MLC and TC, respectively, and let n_is, n_ms and n_ts be the corresponding next-state variables. We define a concrete sort mi_sort with the finite enumeration {green, red, entering, exiting}:

    val mi_sort  = Define`mi_sort  = Concrete_Sort "mi_sort" ["green";"red";"exiting";"entering"]`;
    val green    = Define`green    = CONCRETE_CONST "green" mi_sort`;
    val red      = Define`red      = CONCRETE_CONST "red" mi_sort`;
    val exiting  = Define`exiting  = CONCRETE_CONST "exiting" mi_sort`;
    val entering = Define`entering = CONCRETE_CONST "entering" mi_sort`;

The variables is and ms and their next-state variables are assigned this sort:

    val is   = Define`is   = Concrete_Var "is" mi_sort`;
    val n_is = Define`n_is = Concrete_Var "n_is" mi_sort`;
    val ms   = Define`ms   = Concrete_Var "ms" mi_sort`;
    val n_ms = Define`n_ms = Concrete_Var "n_ms" mi_sort`;

Similarly, ts and n_ts are of sort ts_sort, which has the enumeration {dispatch, iuse, muse, iclear, mclear}.


    val ts_sort = Define`ts_sort = Concrete_Sort "ts_sort" ["dispatch";"iuse";"muse";"iclear";"mclear"]`;

All other control signals (ie, ix, me, mx, etc.) are of sort bool with the enumeration {0, 1}. The condition "ic < n" is represented by the cross-term lessn(ic), where the uninterpreted cross-function lessn of type wordn -> bool represents the operation "< n"; wordn is a default abstract sort for n-bit words.

    val bool  = Define`bool  = Concrete_Sort "bool" ["0";"1"]`;
    val wordn = Define`wordn = Abstract_Sort "wordn"`;
    val ie    = Define`ie    = Concrete_Var "ie" bool`;
    val ix    = Define`ix    = Concrete_Var "ix" bool`;
    val me    = Define`me    = Concrete_Var "me" bool`;
    val mx    = Define`mx    = Concrete_Var "mx" bool`;
    val lessn = Define`lessn = Cross_Fun "lessn" [ic] bool`;

Both the island counter and the tunnel counter have only one control state, ready, hence no control state variable is needed for them. An abstract state variable ic (tc) represents the current count. At each clock cycle the count is updated according to the control signals. In this abstract description, the count ic (tc) is of sort wordn:

    val ic   = Define`ic   = Abstract_Var "ic" wordn`;
    val n_ic = Define`n_ic = Abstract_Var "n_ic" wordn`;
    val tc   = Define`tc   = Abstract_Var "tc" wordn`;
    val n_tc = Define`n_tc = Abstract_Var "n_tc" wordn`;

The control signals (ic+, ic-, etc.) are of sort bool. The uninterpreted function inc of type wordn -> wordn denotes the operation of incrementing by 1, and dec, of the same type, denotes decrementing by 1. The cross-term equz(tc) represents the condition "tc = 0" and models the feedback from the counter to the control circuitry; equz is a cross-function symbol of type wordn -> bool.


    val ic_plus = Define`ic_plus = Concrete_Var "ic_plus" bool`;
    val ic_min  = Define`ic_min  = Concrete_Var "ic_min" bool`;
    val equz    = Define`equz    = Cross_Fun "equz" [tc] bool`;
    val dec     = Define`dec     = Abstract_Fun "dec" [tc] wordn`;
    val inc     = Define`inc     = Abstract_Fun "inc" [tc] wordn`;

Once the above algebraic specifications are defined, the state transition diagrams can easily be transformed into a set of directed formulae. First, consider the formula representing the transition relation of the ILC. The transitions from the state green are given in Figure 6.5 and are specified by the formula:

[Figure 6.5: Transitions from the State green (ILC). With iy = F and ie = F the ILC stays in green (igl = T, iu = T); with iy = F and ie = T it moves to entering (itc+, ic-); with iy = T it moves to red (irl = T).]

    ( (is=green) /\ (iy=zero) /\ (ie=zero) /\ (n_is=green) ) \/
    ( (is=green) /\ (iy=zero) /\ (ie=one)  /\ (n_is=entering) ) \/
    ( (is=green) /\ (iy=one)  /\ (n_is=red) )

Treating the other states of the ILC in the same way, we extract the formula describing the state variable is. The transition relation of the ILC is then specified by the formula t0 below:

    val t0 =
      ( (is=green)    /\ (iy=zero) /\ (ie=zero) /\ (n_is=green) ) \/
      ( (is=green)    /\ (iy=zero) /\ (ie=one)  /\ (n_is=entering) ) \/
      ( (is=green)    /\ (iy=one)  /\ (n_is=red) ) \/
      ( (is=entering) /\ (ie=zero) /\ (n_is=green) ) \/
      ( (is=entering) /\ (ie=one)  /\ (n_is=entering) ) \/
      ( (is=red)      /\ (ig=zero) /\ (ix=zero) /\ (n_is=red) ) \/
      ( (is=red)      /\ (ig=one)  /\ (ix=zero) /\ (n_is=green) ) \/
      ( (is=red)      /\ (ix=one)  /\ (n_is=exiting) ) \/
      ( (is=exiting)  /\ (ix=zero) /\ (n_is=red) ) \/
      ( (is=exiting)  /\ (ix=one)  /\ (n_is=exiting) );

The transition relation of the MLC (Figure 6.3) is translated to the formula t1. For the state red, the possible transitions are given in Figure 6.6 and are represented by the following formula:

[Figure 6.6: Transitions from the State red (MLC). With mg = F and mx = F the MLC stays in red (mrl = T); with mg = T and mx = F it moves to green (mgl = T, mu = T); with mx = T it moves to exiting (mtc-).]

    ( (ms=red) /\ (mg=zero) /\ (mx=zero) /\ (n_ms=red) ) \/
    ( (ms=red) /\ (mg=one)  /\ (mx=zero) /\ (n_ms=green) ) \/
    ( (ms=red) /\ (mx=one)  /\ (n_ms=exiting) )

The relation between ms and its next-state variable is specified by the formula below:

    val t1 =
      ( (ms=green)    /\ (lessn=zero) /\ (n_ms=red) ) \/
      ( (ms=green)    /\ (my=zero) /\ (me=zero) /\ (lessn=one) /\ (n_ms=green) ) \/
      ( (ms=green)    /\ (my=zero) /\ (me=one)  /\ (lessn=one) /\ (n_ms=entering) ) \/
      ( (ms=green)    /\ (my=one)  /\ (lessn=one) /\ (n_ms=red) ) \/
      ( (ms=entering) /\ (me=zero) /\ (n_ms=green) ) \/
      ( (ms=entering) /\ (me=one)  /\ (n_ms=entering) ) \/
      ( (ms=red)      /\ (mg=zero) /\ (mx=zero) /\ (n_ms=red) ) \/
      ( (ms=red)      /\ (mg=one)  /\ (mx=zero) /\ (n_ms=green) ) \/
      ( (ms=red)      /\ (mx=one)  /\ (n_ms=exiting) ) \/
      ( (ms=exiting)  /\ (mx=zero) /\ (n_ms=red) ) \/
      ( (ms=exiting)  /\ (mx=one)  /\ (n_ms=exiting) );

6.2 Invariant Checking

We list below some example properties that we verified. For all the properties verified, the initial state of the ILC and the MLC, if not explicitly stated otherwise, is given by the following formula:

    val initial = (is=red) /\ (ms=red);

6.2.1 Properties

Property 1

The ITC model must respect the safety property stating that the lights on the island side and on the mainland side cannot both be green at the same time. This is specified by the following invariant:

    val P1 = ( (igl=one)  /\ (mgl=zero) ) \/
             ( (igl=zero) /\ (mgl=one) )  \/
             ( (igl=zero) /\ (mgl=zero) );


To verify this property we used the embedded invariant checking procedure of Section 5.2. The transition relation used is the conjunction of the transition relations of the ILC and the MLC. The output relation is the formula specifying the behaviour of igl and mgl, namely the conjunction of the following two formulae:

    ( (is=red)      /\ (igl=zero) ) \/
    ( (is=green)    /\ (igl=one) )  \/
    ( (is=exiting)  /\ (igl=zero) ) \/
    ( (is=entering) /\ (igl=one) );

    ( (ms=red)      /\ (mgl=zero) ) \/
    ( (ms=green)    /\ (mgl=one) )  \/
    ( (ms=exiting)  /\ (mgl=zero) ) \/
    ( (ms=entering) /\ (mgl=one) );

Property 2

Property 2 states that access to the tunnel is not granted by the tunnel controller to the island and to the mainland at the same time:

    val P2 = ( (ig=one)  /\ (mg=zero) ) \/
             ( (ig=zero) /\ (mg=one) )  \/
             ( (ig=zero) /\ (mg=zero) );

Property 3

Property 3 states that the light on the island side is never set to green if no grant is received from the controller. This is specified by the following invariant and initial-state formula, the latter also fixing the grant input:

    val P3 = ( (igl=zero) );
    val initial = ( (is=red) /\ (ig=zero) );


Property 4

If the light on the island side is green, it stays green as long as the tunnel is not requested from the mainland:

    val P4 = ( (igl=one) );
    val initial = ( (is=green) /\ (iy=zero) );

Property 5

If the light on the mainland side is green, it stays green as long as the tunnel is not requested from the island. This is a faulty property, since the number of cars allowed on the island is limited. Checking this property returns false, and a counterexample can be generated:

    val P5 = ( (mgl=one) );
    val initial = ( (ms=green) /\ (my=zero) );

Property 6

This property corrects Property 5 by adding the island capacity constraint. If the light on the mainland side is green, it stays green as long as the tunnel is not requested from the island and the number of allowed cars is not exceeded:

    val P6 = ( (mgl=one) );
    val initial = ( (ms=green) /\ (my=zero) /\ (lessn=one) );

Property 7

Property 7 states that the island counter is never signalled to increment and decrement simultaneously. This is specified by:


    val P7 = ( (ic_min=one)  /\ (ic_plus=zero) ) \/
             ( (ic_min=zero) /\ (ic_plus=one) )  \/
             ( (ic_min=zero) /\ (ic_plus=zero) );

Property 8

The tunnel counter is never signalled to increment simultaneously by the ILC and the MLC, which is written as follows:

    val P8 = ( (itc_plus=one)  /\ (mtc_plus=zero) ) \/
             ( (itc_plus=zero) /\ (mtc_plus=one) )  \/
             ( (itc_plus=zero) /\ (mtc_plus=zero) );

Property 9

The green light must be off if there is a car exiting the tunnel:

    val P9 = (ix=zero) \/ (igl=zero);

In this case, the transition relation considered is that of the ILC alone.

6.2.2 Experimental Results

To verify the above properties we used the invariant checking procedure of Section 5.2. For each property we used only the transition relations and the variables involved in the property (selected manually). This reduces the verification problem and promotes hierarchical verification: every module of the design can be treated separately, which greatly improves the performance of the verification task by reducing CPU time and memory usage.

The function InvariantChecking first builds the graphs of the transition relations, the initial states and the invariant. It then generates the input graph and


the renaming substitution function. The outputs are computed and checked against the invariant for all the reachable states of the system. The verification results, obtained on an Ultra2 Sun workstation with a 296 MHz CPU and 768 MB of memory, are reported in Table 6.1. A "*" beside a property means that the invariant check failed for that property.

    Property      CPU system (s)   CPU runtime (s)   Memory (MByte)
    Property 1    0.32             101.9             0.220
    Property 2    0.060            72.0              0.058
    Property 3    0.060            44.8              0.035
    Property 4    0.010            44.3              0.020
    *Property 5   0.005            52.8              0.013
    Property 6    0.050            54.9              0.077
    Property 7    0.065            63.9              0.039
    Property 8    0.065            64.2              0.039
    Property 9    0.060            45.4              0.035

    Table 6.1: Property Checking Results using InvariantChecking

The memory usage statistics were retrieved from the MDG package as the sum of the memory used to build the different graphs, while the CPU time was retrieved using specific ML functions. The CPU time statistics cover both the time to perform the reachability analysis (CPU system) and the time to translate the HOL specification to MDG files (CPU runtime). Note that the translation time dominates: the reachability analysis itself takes well under a second for every property, so the cost lies in the script-file interface between HOL and the MDG package rather than in the state exploration. The verification is clearly much faster than carrying out the proof interactively in HOL. Our approach may be slower than plain model checking, but only on examples that model checking can handle automatically; hence its value lies in large systems that require a combination of theorem proving and model checking. To summarize, we


are not concerned with performance; instead, we focus on broadening the class of systems that can be verified.

Using HOL to specify the problem gives the user more capabilities to handle the verification task, such as deduction, through the facilities already available in HOL. After interpreting the results returned by the MDG embedding, the corresponding HOL theorems can be created.
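The transition relations t0 and t1 of Section 6.1 were transcribed by hand from the state diagrams, and the experiments above used only the relations selected manually for each property. A disjunct that is dropped or mistyped in such a transcription is not reported by the reachability loop: the corresponding transition is simply never taken, the explored state space shrinks, and a property can pass for the wrong reason. The following Python program is an added example, not part of the thesis's HOL scripts: it keeps each disjunct of t0 and t1 as a dictionary of equalities mirroring the formulas above, and enumerates every control state and input valuation to check that each relation is total and deterministic. Treating the cross-term lessn as a Boolean input is an assumption of the example.

```python
"""Well-formedness check for a transition relation written as a directed
formula (Section 6.1).  Added example, not from the thesis: the disjuncts of
t0 (ILC) and t1 (MLC) are transcribed as dicts of equalities, and the check
enumerates every (control state, input valuation) pair to report pairs with no
successor (a missing disjunct) or several successors (overlapping disjuncts)."""
from itertools import product
from typing import Dict, List, Set, Tuple

ZERO, ONE = "zero", "one"
MI_SORT = ("green", "red", "exiting", "entering")

# t0: transition relation of the ILC (state variable `is`, next state `n_is`)
T0: List[Dict[str, str]] = [
    {"is": "green",    "iy": ZERO, "ie": ZERO, "n_is": "green"},
    {"is": "green",    "iy": ZERO, "ie": ONE,  "n_is": "entering"},
    {"is": "green",    "iy": ONE,              "n_is": "red"},
    {"is": "entering", "ie": ZERO,             "n_is": "green"},
    {"is": "entering", "ie": ONE,              "n_is": "entering"},
    {"is": "red",      "ig": ZERO, "ix": ZERO, "n_is": "red"},
    {"is": "red",      "ig": ONE,  "ix": ZERO, "n_is": "green"},
    {"is": "red",      "ix": ONE,              "n_is": "exiting"},
    {"is": "exiting",  "ix": ZERO,             "n_is": "red"},
    {"is": "exiting",  "ix": ONE,              "n_is": "exiting"},
]
ILC_INPUTS = ("iy", "ie", "ig", "ix")

# t1: transition relation of the MLC.  Assumption of the example: the cross-term
# lessn is treated as a Boolean input, since its value is uninterpreted in the model.
T1: List[Dict[str, str]] = [
    {"ms": "green",    "lessn": ZERO,                        "n_ms": "red"},
    {"ms": "green",    "my": ZERO, "me": ZERO, "lessn": ONE, "n_ms": "green"},
    {"ms": "green",    "my": ZERO, "me": ONE,  "lessn": ONE, "n_ms": "entering"},
    {"ms": "green",    "my": ONE,  "lessn": ONE,             "n_ms": "red"},
    {"ms": "entering", "me": ZERO,                           "n_ms": "green"},
    {"ms": "entering", "me": ONE,                            "n_ms": "entering"},
    {"ms": "red",      "mg": ZERO, "mx": ZERO,               "n_ms": "red"},
    {"ms": "red",      "mg": ONE,  "mx": ZERO,               "n_ms": "green"},
    {"ms": "red",      "mx": ONE,                            "n_ms": "exiting"},
    {"ms": "exiting",  "mx": ZERO,                           "n_ms": "red"},
    {"ms": "exiting",  "mx": ONE,                            "n_ms": "exiting"},
]
MLC_INPUTS = ("my", "me", "mg", "mx", "lessn")


def successors(df, next_var, valuation) -> Set[str]:
    """Next states enabled by the disjuncts whose equalities all hold under
    `valuation` (a dict assigning the control state and every input)."""
    return {d[next_var] for d in df
            if all(valuation.get(v) == c for v, c in d.items() if v != next_var)}


def check_relation(df, state_var, next_var, sort, input_vars):
    """Enumerate every (state, inputs) pair; return (uncovered, nondeterministic)."""
    uncovered: List[Tuple] = []
    nondet: List[Tuple] = []
    for state in sort:
        for bits in product((ZERO, ONE), repeat=len(input_vars)):
            inputs = dict(zip(input_vars, bits))
            nxt = successors(df, next_var, dict(inputs, **{state_var: state}))
            if not nxt:
                uncovered.append((state, inputs))
            elif len(nxt) > 1:
                nondet.append((state, inputs, nxt))
    return uncovered, nondet


def is_well_formed(df, state_var, next_var, sort, input_vars) -> bool:
    """True iff the relation is total and deterministic over the enumeration."""
    uncovered, nondet = check_relation(df, state_var, next_var, sort, input_vars)
    return not uncovered and not nondet


if __name__ == "__main__":
    print("ILC t0 well-formed:", is_well_formed(T0, "is", "n_is", MI_SORT, ILC_INPUTS))
    print("MLC t1 well-formed:", is_well_formed(T1, "ms", "n_ms", MI_SORT, MLC_INPUTS))
    # drop the (is=green /\ iy=one) disjunct: eight input valuations lose their successor
    broken = [d for d in T0 if not (d["is"] == "green" and d.get("iy") == ONE)]
    print(check_relation(broken, "is", "n_is", MI_SORT, ILC_INPUTS)[0][:2])
```

Both relations as printed pass the check. Removing the (is=green) /\ (iy=one) disjunct of t0 leaves eight (state, input) pairs without a successor, and adding a second disjunct for (is=red) /\ (ix=one) makes the same number of pairs nondeterministic; both are the kind of transcription error that an invariant checking run over the relation would not surface by itself.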



Chapter 7
Conclusion and Future Work

The need for expertise and user guidance is a major obstacle to applying theorem proving to even the most trivial systems. On the other hand, state-exploration techniques suffer from the state space explosion problem, which limits their application to industrial designs. An alternative is to combine the advantages of both in a hybrid approach, leading to an automatic or semi-automatic technique that can hopefully handle large designs. In this thesis we proposed an approach that allows certain verification problems, specified in the HOL theorem prover, to be verified totally or in part using state-exploration algorithms. Our approach consists of an infrastructure of decision-diagram data structures and operators made available in HOL, which allows the user to develop his own state-exploration algorithms in the HOL proof system. The data structure we considered in our work is the multiway decision graph. MDGs extend the well-known binary decision diagrams with abstract sorts and uninterpreted function symbols, which eliminates the state explosion introduced by


the datapath.

The MDGs are embedded in HOL as a built-in datatype. Operations over MDGs are interfaced to HOL functions, allowing the manipulation of graphs rather than of their corresponding HOL terms. Using the embedding in HOL of the logic underlying the multiway decision graphs, the verification problem is specified as a set of well-formed directed formulae that can be represented canonically by well-formed MDGs. This is made possible by the lifted MDG package that we provided and interfaced to HOL, resulting in a platform of functions to represent terms by their corresponding MDGs and to manipulate them.

The platform we provide allowed us to develop state-exploration algorithms inside HOL, such as the reachability analysis, model checking and invariant checking procedures. The transition and output relations are written as HOL terms; they are translated to their corresponding MDGs and then the reachability analysis is performed. The state machines we consider are abstract state machines, which raises the level of abstraction of the problem specification. We also developed decision procedures based on multiway decision graphs that check the equivalence and the tautology of a certain subset of HOL terms automatically.

Finally, we illustrated our approach on the Island Tunnel Controller example, for which we verified a number of safety properties.

Future Research Directions

The embedding of the MDGs in HOL opens the way to the development of a wide range of new verification applications combining the advantages of state-exploration techniques and theorem proving. There are many opportunities for further work on this embedding and on using it for formal verification:

- Optimizing the package: The MDG package we provide is written in Prolog, which is a language suited to fast prototyping. Garbage collection is not used in the package, and the graph array cannot fully exploit structure sharing. Hence the package can be optimized if written in C or Java. Besides, interfacing to ML will, in this case, be faster;

- HOL term simplification: The multiway decision graphs represent well-formed terms canonically. This can be used to provide tactics that simplify HOL terms by building their MDGs, which are reduced by construction, and then retrieving the directed formula that is represented by the graph. The obtained formula will be reduced because the redundant nodes of the graph are eliminated and the graph ensures structure sharing;

- Model reduction: While checking the properties, we specify only the transition relations (DFs) of the model under verification that are involved in the properties. This is done manually. The idea here is to write a script which will automatically extract the transition relations based on the variables used in the properties to check;

- Using the LCF style: The fully expansive LCF style [16] of HOL means that theorems can be derived only by using axioms and inference rules. This can be applied to our embedding when constructing the MDGs. Hence, an MDG representation for a HOL term would not be constructed by using the termToMdg function; instead, it would be derived from inference rules, corresponding to MDG operators, and from the trivial MDGs representing simple equations. This restricts the scope of soundness to single operators, which are easy to get right [15];

- Formal proof of the soundness of the MDG algorithms: Our embedding of the MDG data structure and operators would allow the formal specification and verification in HOL of MDG applications and algorithms such as model checking. Similar work was done in [7] to verify a SPIN model checking algorithm.
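As an added illustration of the term-simplification direction above (example code, not the thesis's Prolog MDG package), the following Python sketch models a multiway decision graph over concrete sorts only: a unique table gives structure sharing, redundant nodes are dropped at construction time, and reading the directed formula back from the graph yields the simplified term. Abstract sorts and cross-operators are left out, and the sorts, variable names and predicates are constructed for the example.

```python
# Added example, not the thesis's own MDG package: a minimal multiway decision
# graph over concrete sorts, reduced by construction. Sorts, variable names and
# predicates are constructed for illustration.
SORTS = {"mode": ("idle", "busy", "done"), "ack": ("no", "yes")}
ORDER = ("mode", "ack")          # fixed variable order, as in the thesis's MDGs


class MDG:
    def __init__(self):
        self.nodes = {0: False, 1: True}   # terminal nodes F and T
        self.unique = {}                   # (var, children) -> node id

    def mk(self, var, children):
        """Create (or reuse) a node; both reductions happen here."""
        # Redundant-node elimination: every edge leads to the same subgraph,
        # so the test on `var` carries no information and the node is dropped.
        if all(c == children[0] for c in children):
            return children[0]
        # Structure sharing: an identical node already exists, so reuse it.
        key = (var, tuple(children))
        if key not in self.unique:
            nid = len(self.nodes)
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def build(self, pred, i=0, env=None):
        """Expand `pred` over the sort of each variable in ORDER, one edge per value."""
        env = env or {}
        if i == len(ORDER):
            return 1 if pred(env) else 0
        var = ORDER[i]
        kids = [self.build(pred, i + 1, {**env, var: v}) for v in SORTS[var]]
        return self.mk(var, kids)

    def to_df(self, nid):
        """Read back a directed formula: the paths to T, each a list of equations."""
        if nid == 1:
            return [[]]
        if nid == 0:
            return []
        var, kids = self.nodes[nid]
        return [[f"{var}={v}"] + path
                for v, k in zip(SORTS[var], kids) for path in self.to_df(k)]


def simplify(pred):
    """Simplify a predicate the way the proposed tactic would: term -> MDG -> DF."""
    g = MDG()
    return g.to_df(g.build(pred))
```

A term that tests `mode` against every value of its sort loses the `mode` node entirely, while `mode=done or ack=yes` keeps one `ack` node shared by the `idle` and `busy` edges.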


Bibliography

[1] Mark D. Aagaard, Robert B. Jones, and Carl-Johan H. Seger. Lifted-FL: A Pragmatic Implementation of Combined Model Checking and Theorem Proving. In Theorem Proving in Higher-Order Logics, volume 1690 of LNCS, pages 323-340. Springer-Verlag, 1999.

[2] O. Ait Mohamed, X. Song, and E. Cerny. On the Non-termination of MDG-Based Abstract State Enumeration. Theoretical Computer Science, 300:161-179, August 2003.

[3] S. Bose and A. L. Fisher. Automatic Verification of Synchronous Circuits using Symbolic Simulation and Temporal Logic. In Proc. of the IFIP International Workshop on Applied Formal Methods for Correct VLSI Design, pages 759-764, Leuven, Belgium, November 1990.

[4] R. Bryant. Graph-based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, 35(8):677-691, August 1986.

[5] R. Bryant. Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams. ACM Computing Surveys, 24(3):293-318, 1992.

[6] J. R. Burch, E. M. Clarke, and K. L. McMillan. Symbolic Model Checking: 10^20 States and Beyond. In Proc. of IEEE Symposium on Logic in Computer Science, pages 1-33, Washington, D.C., USA, June 1990.

[7] C.-T. Chou and D. Peled. Verifying a Model-Checking Algorithm. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of LNCS, pages 241-257. Springer-Verlag, 1996.

[8] E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic. In Logics of Programs, volume 131 of LNCS, pages 52-71. Springer-Verlag, May 1981.

[9] F. Corella, Z. Zhou, X. Song, M. Langevin, and E. Cerny. Multiway Decision Graphs for Automated Hardware Verification. Formal Methods in System Design, 10(1):7-46, 1997.

[10] O. Coudert, J. C. Madre, and C. Berthet. Verifying Temporal Properties of Sequential Machines without Building Their State Diagrams. In Computer Aided Verification, volume 531 of LNCS, pages 23-32. Springer-Verlag, June 1990.

[11] L. A. Dennis, G. Collins, M. Norrish, R. Boulton, K. Slind, G. Robinson, M. Gordon, and T. Melham. The PROSPER Toolkit. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1785 of LNCS, pages 78-92, Berlin, Germany, April 2000. Springer-Verlag.

[12] K. Fisler and S. Johnson. Integrating Design and Verification Environments Through A Logic Supporting Hardware Diagrams. In Proc. of IFIP Conference on Hardware Description and Their Applications, Chiba, Japan, August 1995.

[13] M. Gordon. Combining Deductive Theorem Proving with Symbolic State Enumeration. 21 Years of Hardware Formal Verification, December 1998. Royal Society Workshop to mark 21 years of BCS FACS.

[14] M. Gordon. Reachability Programming in HOL98 Using BDDs. In Theorem Proving and Higher Order Logics, volume 1869 of LNCS, pages 179-196. Springer-Verlag, August 2000.

[15] M. Gordon. HolBddLib Version 2, Documentation. Technical report, Computer Laboratory, Cambridge University, U.K., March 2002.

[16] M. Gordon and T. F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, 1993.

[17] R. Harper. Introduction to Standard ML. School of Computer Science, Carnegie Mellon University, Pittsburgh, USA, 1993.

[18] J. Hurd. Integrating Gandalf and HOL. In Theorem Proving in Higher Order Logics, volume 1690 of LNCS, pages 311-321. Springer-Verlag, April 1999.

[19] J. Joyce and C. Seger. The HOL-Voss System: Model-Checking inside a General Purpose Theorem-Prover. In Higher Order Logic Theorem Proving and Its Applications, volume 780 of LNCS, pages 185-198. Springer-Verlag, 1994.

[20] C. Kern and M. Greenstreet. Formal Verification in Hardware Design: A Survey. ACM Transactions on Design Automation of Electronic Systems, 4:123-193, 1999.

[21] S. Kort, S. Tahar, and P. Curzon. Hierarchical Formal Verification Using a Hybrid Tool. Software Tools for Technology Transfer, 4(3):313-322, May 2003.

[22] T. Kropf. Introduction to Formal Hardware Verification. Springer-Verlag, 1999.

[23] R. P. Kurshan. Formal Verification in a Commercial Setting. In Proc. of Design Automation Conference, pages 258-262, Anaheim, California, USA, June 1997.

[24] M. McMillan. Symbolic Model Checking. Kluwer, 1993.

[25] R. Mizouni. Linking HOL Theorem Proving and MDG Model Checking. Master's thesis, Electrical and Computer Engineering Department, Concordia University, Canada, 2002.

[26] S. Owre, J. M. Rushby, and N. Shankar. PVS: A Prototype Verification System. In Automated Deduction, volume 607 of LNCS, pages 748-752. Springer-Verlag, 1992.

[27] L. C. Paulson. Isabelle: A Generic Theorem Prover. Springer-Verlag, 1994.

[28] V. Pisini. Integration of HOL and MDG for Hardware Verification. Master's thesis, Electrical and Computer Engineering Department, Concordia University, Canada, 2000.

[29] A. Pnueli. A Temporal Logic of Concurrent Programs. Theoretical Computer Science, 13(1):45-60, January 1981.

[30] J. Queille and J. Sifakis. Specification and Verification of Concurrent Systems in CAESAR. In Programming, volume 137 of LNCS, pages 337-351. Springer-Verlag, 1982.

[31] S. Rajan, N. Shankar, and M. K. Srivas. An Integration of Model Checking with Automated Proof Checking. In Computer Aided Verification, volume 939 of LNCS, pages 84-97. Springer-Verlag, 1995.

[32] K. Schneider and D. Hoffmann. A HOL Conversion for Translating Linear Time Temporal Logic to ω-automata. In Theorem Proving in Higher Order Logics, volume 1690 of LNCS, pages 255-272. Springer-Verlag, 1999.

[33] Y. Xu. Model Checking for a First-Order Temporal Logic Using Multiway Decision Graphs. PhD thesis, Computer Science Department, University of Montreal, Canada, 1999.

[34] Z. Zhou. MDG Tools (V1.0) Developer's Manual. Computer Science Department, University of Montreal, Canada, 1996.

[35] Z. Zhou. Multiway Decision Graphs and Their Applications in Automatic Formal Verification of RTL Designs. PhD thesis, Computer Science Department, University of Montreal, Canada, 1996.