First-order Mu-Calculus as a Framework for Program Verification

Mads Dam, SICS and KTH/IMIT
With contributions by Lars-Åke Fredlund, Dilian Gurov, Christoph Sprenger, Gennady Chugunov

KeY WS, June 2004

Background

Experiment on source-level theorem proving for distributed applications
Source language: mainly Erlang
Executed at FDT lab, SICS, 1995-2003+
Approach, experiences, and lessons

Theorem Proving – Why?

There are many interesting distributed programs to verify
  – dynamic process structures
  – client-server applications
  – migrating processes
against many interesting properties
  – temporal properties
  – functional properties
  – as yet undetermined mixes

There is no decidable framework that will allow this. So we need to resort to theorem proving.

Is Theorem Proving Easier Than Model Checking?

By using intelligence in proof search, can we bypass the combinatorial difficulties in model checking?

Yes: We are not forced to brute-force state exploration when an intelligent choice of invariant will do.

No: The combinatorial explosion of parallelism is for real. Must tackle, e.g., true-concurrency style diamond properties.

Handling the combinatorial complexity along with interaction is the fundamental difficulty!

The Setting

Need a framework with at least:
  – First-order logic to talk about elements, process identifiers, stores, states, etc.
  – Induction and coinduction to define data structures, transition relations, and interesting program properties

Our proposal: First-order logic + induction + coinduction = first-order mu-calculus

Mu-Calculus

Kleene-Tarski fixed point theorem: Every monotone function f on a complete lattice has a complete lattice of fixed points.

  μx.f(x): least fixed point of f
  νx.f(x): greatest fixed point of f

Ordinal approximants:

  μ⁰x.f(x) = ∅                        ν⁰x.f(x) = "all"
  μ^(κ+1)x.f(x) = f(μ^κ x.f(x))        ν^(κ+1)x.f(x) = f(ν^κ x.f(x))
  μ^λ x.f(x) = ∪_{κ<λ} μ^κ x.f(x)      ν^λ x.f(x) = ∩_{κ<λ} ν^κ x.f(x)

Then: μx.f(x) = ∪_κ μ^κ x.f(x) and νx.f(x) = ∩_κ ν^κ x.f(x)

Examples

f = λx. ∀y. TransRel(x,y) → f(y)
  • μx.f(x) = AF "terminated"
  • νx.f(x) = true

f = λx. good(x) ∨ ∃y. TransRel(x,y) ∧ f(y)
  • μx.f(x): EF good
  • νx.f(x): EF good ∨ EG EX true
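
The following Python is an added illustration, not part of the slides: it computes the ordinal approximant chains μ^κ / ν^κ and the resulting fixed points for the two functionals above over a constructed five-state transition relation (the states, successors and the good predicate are assumptions for the demo). On a finite state space the chain stabilises after finitely many stages, which is also the content of the Proposition μH = sup_α μ^α H on the Semantics slide.

```python
"""Kleene iteration for the two example functionals on a finite transition system.

Added example (not from the slides). The stages mu^k / nu^k are obtained by
iterating f from the empty set or from the full state set; on a finite lattice
the chain stabilises at a finite stage, which is the fixed point.
"""
from typing import Callable, Dict, FrozenSet, List, Set

State = str
Pred = FrozenSet[State]

# Constructed sample TransRel (assumption: a 5-state system, not from the slides).
# s3 and s4 are terminal (no successors); s2 loops forever.
TRANS: Dict[State, Set[State]] = {
    "s0": {"s1", "s2"},
    "s1": {"s3"},
    "s2": {"s2"},
    "s3": set(),
    "s4": set(),
}
STATES: Pred = frozenset(TRANS)
GOOD: Pred = frozenset({"s3"})          # the predicate good(x) of the second example


def approximants(f: Callable[[Pred], Pred], start: Pred) -> List[Pred]:
    """Return the chain start, f(start), f(f(start)), ... up to the first repetition.

    With start = empty set this is mu^0, mu^1, ...; with start = STATES it is nu^0, nu^1, ...
    """
    chain = [start]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def lfp(f: Callable[[Pred], Pred]) -> Pred:
    """mu x.f(x): the union of the mu^k chain, i.e. its last (stable) element."""
    return approximants(f, frozenset())[-1]


def gfp(f: Callable[[Pred], Pred]) -> Pred:
    """nu x.f(x): the intersection of the nu^k chain, i.e. its last element."""
    return approximants(f, STATES)[-1]


def f_all_next(x: Pred) -> Pred:
    """f = lambda X. forall y. TransRel(s,y) -> X(y): states all of whose successors lie in X."""
    return frozenset(s for s in STATES if all(t in x for t in TRANS[s]))


def f_good_or_some_next(x: Pred) -> Pred:
    """f = lambda X. good(s) or exists y. TransRel(s,y) and X(y)."""
    return frozenset(s for s in STATES if s in GOOD or any(t in x for t in TRANS[s]))


def af_terminated() -> Pred:
    return lfp(f_all_next)           # AF "terminated": every path reaches a terminal state


def nu_all_next() -> Pred:
    return gfp(f_all_next)           # = true, i.e. every state


def ef_good() -> Pred:
    return lfp(f_good_or_some_next)  # EF good


def ef_good_or_eg_ex_true() -> Pred:
    return gfp(f_good_or_some_next)  # EF good or EG EX true (s2 qualifies via its loop)


if __name__ == "__main__":
    for name, fn in [("AF terminated", af_terminated), ("nu all-next", nu_all_next),
                     ("EF good", ef_good), ("EF good or EG EX true", ef_good_or_eg_ex_true)]:
        print(f"{name:24s} {sorted(fn())}")
    print("mu-stages of f_all_next:", [sorted(p) for p in approximants(f_all_next, frozenset())])
```

Running it shows the μ-chain for the first functional growing from ∅ through the terminal states to {s1, s3, s4} (s0 never enters because its s2-branch loops), while the ν-chain of the same functional is STATES at stage 0 and never shrinks; for the second functional the greatest fixed point additionally keeps the looping state s2, which is exactly the EG EX true disjunct.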

How to Embed Your Favourite Logic

  • Data types:
      Nat = μX(n). n=0 ∨ ∃n1. n=n1+1 ...
  • Language:
      Prog = μX(p). p=skip ∨ ∃p1,p2. ...
  • States:
      State(s) = (∃p,t. Prog(p) ∧ Store(t) ∧ s=(p,t)) ∨ ...
  • Embeddings of operational semantics:
      TransRel = μX(s1,s2). (∃t. Store(t) ∧ s1=(skip,t) ∧ s2=t) ∨ ...
  • Embedding of logic:
      {φ}p{ψ} = ∀s. State(s) ∧ φ(s) → (νX(s). (Terminal(s) ∧ ψ(s)) ∨ (∃sn. TransRel(s,sn) ∧ X(sn)))(s)

Proof System

Key innovation: Mechanism for lazy handling of induction
Main components:
  • Gentzen-type proof system for FOMuC
  • Explicit ordinal approximations
  • Loop discharge mechanism

Sequent Calculus for FOMuC

Sample goal: ⇒ AFgood(p ∥ q)   (p and q are message-passing processes)

The goal is split by a cut on a sub-specification of p:

  ⇒ subspec(p)          subspec(x) ⇒ AFgood(x ∥ q)
  ----------------------------------------------------
  ⇒ AFgood(p ∥ q)

where the right premise, proved for a generic x, instantiates to subspec(p) ⇒ AFgood(p ∥ q).

Obs: Modularity for free!
No free lunch: Need a proof system + know how to use it!

Results

Theorem-proving basics:
  – Ordinal approximations, soundness and completeness of discharge (Dam, Gurov, Sprenger)

Language embedding framework:
  – General, compositional verification (Simpson-95, Dam-95, Fredlund-01)
  – Instantiations: CCS, Erlang, pi-calculus, JavaCard (papers by Dam, Fredlund, Gurov, Chugunov a.o.)
  – Completeness for context-free + pushdown cases (Simpson-Schoepp)

Case studies
  – Erlang (Arts-Dam), JavaCard (Huisman-Gurov-Barthe)

Tools
  – www.sics.se/fdt/vericode (Fredlund)

Issues

  I.   Theorem-proving framework
  II.  Programming language embeddings
  III. Logic and proof system embeddings
  IV.  Case studies
  V.   Tool support
  VI.  Related work

I. Theorem-Proving Framework

Motivation: Tableau-based model checking
Let P = a.P + b.P
Induction principle: induction on derivation length. Works for finite-state processes.

  P : AG(<a>true ∧ <b>true)                                   *
    P : <a>true ∧ <b>true ∧ [a]AG(<a>true ∧ <b>true) ∧ ...
      P : [a]AG(<a>true ∧ <b>true)
        [ P : AG(<a>true ∧ <b>true) ]*
      ...
    ...

The bracketed leaf repeats the starred root sequent, so the tableau closes.

"Counter-example"

Let's try to do the same for an infinite-state process! Let P = up.(down | P). Can we rescue the set-up?

  P : AG[up]<down>
    P : [up]<down>  ...
    down | P : AG[up]<down>
      down² | P : AG[up]<down>  ...
      0 | P : AG[up]<down>  ...
      ...

Every up-transition adds another down component, so no sequent ever repeats an earlier one.

Use a Cut!

Recall P = up.(down | P). Let F = AG[up]<down> (= νX. [up]<down> ∧ [down]X ∧ [up]X)

The goal P : F unfolds (through the up-transition) to the subgoal down | P : F. Cut with the lemma x:F ⇒ down | x : F:

  P : F
    ...
    down | P : F
      [ P : F ]   +   [ x:F ⇒ down | x:F ]*

The bracketed P : F is a repeat of the root; the lemma is proved by another induction, unfolding F on the right:

  x:F ⇒ down | x:F *
    x:F ⇒ down | x : [up]<down>
    x:F ⇒ down | x : [down]F
      x:F ⇒ 0 | x : F
      x:F, x:[down]F ⇒ down | x : [down]F
      ...
    ...

How to Make This Work?

  • 1. Use mu-calculus
  • 2. How to handle fixed points?
      – Alternating fixed points problematic
      – As for model checking (⇒ P:F)
      – Here also direct interference (coming up)
      – Sol'n 1: Terrible mess (Dam'95)
      – Sol'n 2: Explicit ordinal approximants (DG'00)
  • 3. How to embed the operational semantics?
      – Need rules to reflect local behaviour of process connectives
      – Sol'n 1: Sort of ad-hoc (Dam'95)
      – Sol'n 2: Use transition relation embedding (Simpson'95)
      – Sol'n 3: Use 1st-order mu-calculus (Fredlund'01)

How to Do Induction, 1?

Option 1: Fixed point induction à la LCF. Difficult to use in practice. Doesn't fit well with the Gentzen-type framework.

  F[μx.F/x] ⇒ μx.F

  F[G/x] ⇒ G
  ------------
  μx.F ⇒ G

How to Do Induction, 2?

Option 2: Unique naming (Stirling), tagging (Winskel). Excellent for model checking. Doesn't fit well with the Gentzen-type framework.

  ⇒ P : F[νx.({P} ∪ A).F / x]
  ----------------------------
  ⇒ P : νx.A.F

  ----------------------------
  ⇒ P : νx.({P} ∪ A).F

Fixed Point Interference

Schematically. Let F = μX1.νX2. <a>X2 ∧ <b>X1 and G = μY1.νY2. <a>Y1 ∧ <b>Y2.
Discharge not sound! (Not easy to handle using constants or tagging.)

  ⇒ X1, Y1
    ⇒ X2(α), Y2(β) *
      α'<α, β'<β ⇒ <a>X2(α') ∧ <b>X1, <a>Y1 ∧ <b>Y2(β')
        α'<α ⇒ X2(α'), Y1                    β'<β ⇒ X1, Y2(β')
          [α'<α ⇒ X2(α'), Y2(β'')]*            [β'<β ⇒ X2(α''), Y2(β')]*

Each repeat on its own makes progress on one ordinal (α on the left, β on the right), but on the other ordinal it starts afresh (β'', α''); along a path that alternates between the two loops no single trace progresses, so discharging both repeats is unsound.

How to Do Induction, 3?

Option 3: Well-founded induction. Use Kleene-Tarski through:

  Γ, ∀k'<k. F[k'/k] ⇒ F, Δ
  --------------------------
  Γ ⇒ ∀k.F, Δ

+ Kleene-Tarski = the canonical proof method for mu-calculus
  • Use of explicit ordinal arithmetic
  • "Eager" solution to interference problem

How to Do Induction, 4?

Option 4: Lazy induction (here). Unfolding + global check of interference freedom + lazy handling of interference
  • Use of explicit ordinal arithmetic
  • Global check can be problematic

Mu-Calculus With Explicit Ordinal Approximations*

Syntax: FOL + (approximated) fixed points

  F  ::= FOL formula | FX(t)
  FX ::= X | μX(y).F | μ^k X(y).F

Remarks:
  – t term
  – Individual, predicate, ordinal variables
  – Both X and y bound in μX(y).F and μ^k X(y).F
  – Usual syntactic monotonicity condition applies
  – No ordinal arithmetic

Semantics

Model M = (A, e)
  – A first-order structure
  – e valuation

Let H = λP.λa. ||F||_{e[P/X][a/y]}. Then
  – ||μX(y).F||_e = μH
  – ||μ^k X(y).F||_e = μ^{e(k)} H

Proposition:
  – μH = sup_α μ^α H
  – μ^α H = sup_{β<α} H(μ^β H)

Sequents, Validity

Sequents: Γ ⇒_O Δ where O is a finite partial order on ordinal variables
Validity: Γ ⇒_O Δ is valid if ∧Γ ⇒ ∨Δ is true in all models that respect O:
  • whenever k <_O k' then e(k) < e(k')

Local Proof Rules

4 basic rules + symmetric version for ν if needed

  Γ, (μ^k X(y).F)(t) ⇒_O' Δ
  ----------------------------- μ-L      O' = O ∪ {k}
  Γ, (μX(y).F)(t) ⇒_O Δ

  Γ ⇒_O Δ, F[(μX(y).F)/X, t/y]
  ----------------------------- μ-R
  Γ ⇒_O Δ, (μX(y).F)(t)

  Γ, F[μ^k' X(y).F/X, t/y] ⇒_O' Δ
  --------------------------------- μ^k-L   O' = O ∪ {k' < k}
  Γ, (μ^k X(y).F)(t) ⇒_O Δ

  Γ ⇒_O Δ, F[(μ^k' X(y).F)/X, t/y]
  --------------------------------- μ^k-R   (k' <_O k)
  Γ ⇒_O Δ, (μ^k X(y).F)(t)

Derivation Trees and Pre-Proofs

Derivation tree D = (N, E, L), sequent-labelled.
Repeat condition, for a node M: Γ ⇒_O Δ and a leaf N: Γ' ⇒_O' Δ' below it:
  • ∃ substitution σ. Γσ ⊆ Γ', Δσ ⊆ Δ', Oσ ⊆ O'
  • N is called repeat node, M is companion
Pre-proof graph:
  • Each leaf is a repeat; add back edges

[Figure: derivation tree with companion M: Γ ⇒_O Δ above leaf N: Γ' ⇒_O' Δ', back edge from the leaf labelled σ]

Runs – Semantic Discharge

Run of pre-proof: Rooted path of pre-proof, labelled by valuations: Π = (N0,e0) ... (Ni,ei) ...
Labels: ei respects Oi
Tree edges: (Ni,Ni+1) ∈ E implies that ei+1 agrees with ei on variables common to Ni and Ni+1
Repeat: (Ni+1,Ni,σ) repeat implies ei+1 = ei ∘ σ

Semantic Discharge, II

Proof: Pre-proof for which all runs are finite
  • Proof = pre-proof + well-foundedness
  • Reference discharge condition to which others are compared

Theorem: If there is a proof of Γ ⇒_O Δ then Γ ⇒_O Δ is valid

Syntactic Discharge

Trace: Rooted path of pre-proof, labelled by ordinal constraints: Π = (N0,(k0,k0')) ... (Ni,(ki,ki')) ...
Labels: ki' ≤_Oi ki
Tree edges: (Ni,Ni+1) ∈ E implies ki' = ki+1
Repeat: (Ni+1,Ni,σ) repeat implies ki' = σ(ki+1)

Syntactic Discharge, 2

Example: Corresponding trace fragment:

  (N0,(k0,k1)) (N1,(k2,k3)) (N2,(k3,k4)) (N3,(k4,k4)) (N4,(k5,k5))

[Figure: pre-proof graph with nodes N0..N4 carrying ordinal variables k0..k6, and two repeat/companion back edges labelled σ1 and σ2]

Syntactic Discharge, 3

Progress: Trace Π progresses at i if ki' <_Oi ki.
Progressive: progresses infinitely often.
Path: exists progressive trace along a suffix.
Syntactical discharge condition: All infinite paths of the pre-proof graph are progressive.
Theorem: Syntactic and semantic discharge are equivalent.

Normal Traces

Observation: Any trace can be converted into a normal trace, progressing only at repeats:

  (N0,(k0,k1)) (N1,(k2,k2)) (N2,(k2,k2)) (N3,(k2,k4)) (N4,(k5,k5))

[Figure: the same pre-proof graph as before (nodes N0..N4, ordinal variables k0..k6, back edges σ1 and σ2) with the normal trace marked]

Automata-Theoretic Discharge

Construct two Büchi automata B1 and B2 over repeats:
  • B1 recognises traversed sequences of repeats
  • B2 recognises repeats potentially connected through a normal trace

Automata-theoretic discharge condition: L(B1) ⊆ L(B2)

Automata-Theoretic Discharge, 2

Automaton B2:

  States      {(k1,R,k2) | R = (M,N,σ), σ(k2) ≤_ON k1}
  Accepting   {(k1,R,k2) | σ(k2) <_ON k1}
  Transitions (k1,R,k2) -> (k2,R',k3)

[Figure (example): the pre-proof graph with nodes carrying k0..k6 and back edges σ1, σ2, annotated with B2 states]

Discharge, Results

Theorem: The semantic, syntactic, and automata-theoretic discharge conditions are equivalent.
The automata-theoretic DC can be checked in time 2^(O(n³ log n)), where n is the number of nodes.
Subsumes earlier Rabin-like conditions by Schöpp-Simpson and DFG+DG:
  • Obtained by restricting B2 to states of the form (k,R,k)
  • Complexity drops to 2^(O(n² log n))
  • Are these conditions complete?

Related Work

Sprenger-Dam, ESOP'03: Equivalence of well-founded (local) and lazy (global) induction, by explicit proof conversion

II. Programming Language Embeddings

Example: CCS

  P ::= 0 | a.P | P + P | P | P

  TransRel = μX(p,a,q). (p = a.q)
             ∨ (∃p1,p2. p = p1+p2 ∧ X(p1,a,q))
             ∨ (∃p1,p2. p = p1+p2 ∧ X(p2,a,q))
             ∨ (∃p1,p2,q1,q2. p = p1|p2 ∧ q = q1|p2 ∧ X(p1,a,q1))
             ∨ (... symmetric case)

Stick to merge || for simplicity.

Embedding HML

Define
  p : <a>F = (<a>F)(p) = ∃q. TransRel(p,a,q) ∧ F(q)
  p : [a]F = ([a]F)(p) = ∀q. TransRel(p,a,q) ⇒ F(q)

Can derive:

  Γ ⇒_O TransRel(p,a,q), Δ      Γ ⇒_O F(q), Δ
  ----------------------------------------------
  Γ ⇒_O p:<a>F, Δ

  Γ, TransRel(p,a,x), F(x) ⇒_O Δ
  -------------------------------- (x fresh)
  Γ, p:<a>F ⇒_O Δ

Simpson's Embedding

Can derive also:

  Γ ⇒_O TransRel(p1,a,q1), Δ
  ------------------------------------
  Γ ⇒_O TransRel(p1|p2, a, q1|p2), Δ

  Γ[y|p2/x], TransRel(p1,a,y) ⇒_O Δ[y|p2/x]      Γ[p1|y/x], TransRel(p2,a,y) ⇒_O Δ[p1|y/x]
  ---------------------------------------------------------------------------------------
  Γ, TransRel(p1|p2, a, x) ⇒_O Δ

Compositional Proof Rules

Can derive also compositional rules in the style of Dam, Stirling, Winskel:

  Γ ⇒_O p1:<a>F', Δ      Γ, x:F' ⇒_O x|p2 : F, Δ
  -------------------------------------------------
  Γ ⇒_O p1|p2 : <a>F, Δ

  Γ ⇒_O p1:[a]F1, Δ    Γ, x:F1 ⇒_O x|p2 : F, Δ    Γ ⇒_O p2:[a]F2, Δ    Γ, y:F2 ⇒_O p1|y : F, Δ
  -------------------------------------------------------------------------------------------
  Γ ⇒_O p1|p2 : [a]F, Δ
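
The following Python is an added example (not from the slides or from the VeriCode tool) serving the CCS, HML and Simpson-embedding slides above: it computes the merge-only CCS transition relation clause by clause over finite terms, defines the modalities <a>F and [a]F exactly as in the HML embedding, and checks one concrete instance of the derived rule TransRel(p1,a,q1) ⇒ TransRel(p1|p2, a, q1|p2). The process terms and action names are constructed for the demo.

```python
"""Structural computation of the CCS (merge-only) transition relation and HML modalities.

Added example (not from the slides). Terms follow P ::= 0 | a.P | P + P | P | P.
TransRel is computed by the clauses of the mu-definition applied structurally; on
finite terms this is exactly the least fixed point, since terms are well-founded.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Nil:            # 0
    pass


@dataclass(frozen=True)
class Prefix:         # a.P
    action: str
    body: "Proc"


@dataclass(frozen=True)
class Sum:            # P + P
    left: "Proc"
    right: "Proc"


@dataclass(frozen=True)
class Par:            # P | P   (merge: interleaving only, no synchronisation)
    left: "Proc"
    right: "Proc"


Proc = Union[Nil, Prefix, Sum, Par]
Transition = Tuple[str, Proc]          # (a, q) such that TransRel(p, a, q)


def trans_rel(p: Proc) -> FrozenSet[Transition]:
    """All (a, q) with TransRel(p, a, q), one case per disjunct of the definition."""
    if isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Prefix):                                  # p = a.q
        return frozenset({(p.action, p.body)})
    if isinstance(p, Sum):                                     # p = p1 + p2, either side moves
        return trans_rel(p.left) | trans_rel(p.right)
    if isinstance(p, Par):                                     # p = p1 | p2
        left = {(a, Par(q1, p.right)) for a, q1 in trans_rel(p.left)}     # q = q1 | p2
        right = {(a, Par(p.left, q2)) for a, q2 in trans_rel(p.right)}    # symmetric case
        return frozenset(left | right)
    raise TypeError(p)


Formula = Callable[[Proc], bool]


def diamond(a: str, f: Formula) -> Formula:
    """p : <a>F  =  exists q. TransRel(p,a,q) and F(q)"""
    return lambda p: any(b == a and f(q) for b, q in trans_rel(p))


def box(a: str, f: Formula) -> Formula:
    """p : [a]F  =  forall q. TransRel(p,a,q) implies F(q)"""
    return lambda p: all(f(q) for b, q in trans_rel(p) if b == a)


TRUE: Formula = lambda _p: True
FALSE: Formula = lambda _p: False

# Constructed sample processes (assumptions for the demo): (a.0 + b.c.0) | d.0
P1 = Prefix("a", Nil())
P2 = Prefix("b", Prefix("c", Nil()))
SYS = Par(Sum(P1, P2), Prefix("d", Nil()))


def sys_can_a_then_d() -> bool:
    """SYS : <a><d>true -- an a-step by the left component, then d by the right."""
    return diamond("a", diamond("d", TRUE))(SYS)


def sys_after_a_no_b() -> bool:
    """SYS : [a][b]false -- after a, the choice is resolved, so no b-step is possible."""
    return box("a", box("b", FALSE))(SYS)


def sys_after_d_still_b_then_c() -> bool:
    """SYS : [d]<b><c>true -- the right component's d does not disturb the left one."""
    return box("d", diamond("b", diamond("c", TRUE)))(SYS)


def simpson_rule_instance(p1: Proc, p2: Proc, a: str) -> bool:
    """Check TransRel(p1,a,q1) implies TransRel(p1|p2, a, q1|p2) on concrete terms."""
    return all((a, Par(q1, p2)) in trans_rel(Par(p1, p2))
               for b, q1 in trans_rel(p1) if b == a)


if __name__ == "__main__":
    for a, q in sorted(trans_rel(SYS), key=lambda t: t[0]):
        print(f"SYS --{a}--> {q}")
    print("SYS : <a><d>true   ", sys_can_a_then_d())
    print("SYS : [a][b]false  ", sys_after_a_no_b())
    print("SYS : [d]<b><c>true", sys_after_d_still_b_then_c())
```

The four isinstance branches of trans_rel are the four disjuncts of the μ-definition, and the HML modalities are defined over that relation rather than over the syntax of processes, which is what makes rules like Simpson's derivable generically: simpson_rule_instance only uses trans_rel on the composed term.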

III. Logic and Proof System Embeddings

  • Temporal logic, finite-state model checking
  • Context-free and pushdown processes (Schöpp-Simpson)
  • Hoare logic, compositional Owicki-Gries
  • Pi-calculus
  • ...

IV. Case Studies

Main exercise so far:
  • EVT (now VeriCode, VCPT) – Erlang Verification Tool
  • 1996-2001+
  • Developed everything: framework, Erlang semantics, algorithms, proof system, tactics, case studies, documentation, ...
  • Main focus on dynamic process networks
  • Arts-Dam: Part of distributed database lookup manager
  • Fredlund-Dam: Billing agent
  • Noll-Arts: Generic server

Erlang

  • Functionally flavoured programming language for concurrent and distributed applications, developed at Ericsson Computer Science Lab
  • Actor-like, first-order, call-by-value
  • Asynchronous buffered message passing
  • Dynamic process creation
  • Error detection and recovery – within a process, between processes
  • Other features (modules, distribution, interfacing to non-Erlang code, hot module replacement) not yet considered
  • In production use (AXD, Engine)

Example 1 – Simple 2-Process System

  sys() ->
      Pid = self(),
      spawn(analyzer, [Pid, K, L]),
      receive
          {ok, B} -> ...;
          error -> ...
      after 12 -> ...
      end.

  analyzer(From, N, M) ->
      case analyse(N, M) of
          ok -> From ! {ok, leq(N, M)};
          _ -> From ! error
      end.

Example 2 – RPC

  server() ->
      receive
          {Client, {apply, F, Args}} ->
              spawn(reply, [Client, F, Args]),
              server()
      end.

  reply(Client, F, Args) ->
      Client ! (apply(F, Args)).

Obs: Dynamic process creation!

  server@P1
    -> ... server@P1 || P2!(apply(f,args))@P3
    -> ... server@P1 || P2!(apply(f,args))@P3 || P4!(apply ...)@P5
    -> ...

Erlang Operational Semantics

Sequential process state: <E, P, Q>
  • E: Erlang term under elaboration
  • P: Process identifier (pid)
  • Q: P's mailbox/input queue

Process configurations: C ::= {E,P,Q} | C || C

Transition rule flavour:

  <E_1,P,Q> =α=> <E_1',P',Q'>
  ------------------------------------------
  <(E_1,E_2),P,Q> =α=> <(E_1',E_2),P',Q'>

  <E,P,Q> =spawn(f,A,P'')=> <E',P',Q'>
  ------------------------------------------------
  {E,P,Q} =τ=> {P'',P',Q'} || {f A, P'', empty}

Specification Logic

Types (terms, pids, queues, states, configurations)
FOMuC with a number of (now) defined predicates:
  • value(pid) = t
  • unevaluated(t)
  • queue(t1) = t2
  • local(t)
  • ... others ...

Specification Logic – Example

  nat(T) <= T=0 \/ exists X. T=X+1 /\ nat(X) ;

  ground(T) = nat(T) \/ tuple(T) \/ ... ;

  groundterm(Pid) = exists X. value(Pid)=X /\ ground(X) ;

  terminating(Pid) <=
      groundterm(Pid)
      \/ ((<>true \/ exists X,Y. <X!Y>true)
          /\ []terminating(Pid)
          /\ forall X,Y. [X!Y]terminating(Pid)
          /\ forall X,Y. [X?Y]sort_of_terminating(Pid)) ;

  sort_of_terminating(Pid) =>
      terminating(Pid) /\ forall X,Y. [X?Y]sort_of_terminating(Pid) ;

Specification of server

Property of {server, p1, eps}:

Suppose {p2, {apply, f, v}} is received by p1.
Suppose p1 =/= p2.
If {f v, p, q} : quiet /\ terminating(p) for all p and q,
then eventually(exists v'. <p2!v'>true).

In other words:

  serverspec(P1) =
      forall P2, F, V. [P1?{P2, {apply, F, V}}]
          P1 =/= P2 implies
          (forall P, Q. {F V, P, Q} : quiet /\ terminating(P)) implies
          eventually(exists V'. <P2!V'>true)

Proof of server

Outline:

  |- {server, P1, eps} : serverspec(P1)
  ⇑
  P2 =/= P1, forall P, Q. {F V, P, Q} : quiet /\ terminating(P)
      |- {P2!(F V), P, empty} || {server, P1, empty} : eventually(exists V'. <P2!V'>true)
  ⇑
  P2 =/= P1, forall P, Q. {X, P, Q} : quiet /\ terminating(P)
      |- {P2!X, P, empty} || {server, P1, empty} : eventually(...)
  ⇑ (by 2 process cuts)

Proof cont'd

  forall P, Q. {X, P, Q} : quiet /\ terminating(P)
      |- {P2!X, P, empty} : eventually ... /\ ``only output to P2''

and

  P2 =/= P1 |- {server, P1, empty} : ``no output and only input to P1''

and

  P2 =/= P1, C1 : eventually ... /\ ``only output to P2'', C2 : ``no output and only input to P1''
      |- C1 || C2 : eventually ...

Experiences with EVT

Proof of concept – it actually works

The eternal truth of software verification:
  It's all about finding the right invariant

The eternal truths of (theorem-proving) tool building:
  It's a lot of work
  It's not for beginners
  With more resources we could have built a really useful tool ;-)

The eternal half-truth of mu-calculus:
  It is tricky (But expressing complex properties of infinite trees is far more so)

V. The VeriCode Tool

Features:
  • Traditional interactive theorem prover EXCEPT
  • Prover manipulates graphs, not tree frontiers
  • Discharge + subsumption
  • Tactics and tacticals as usual
  • Tactic applications grow the graph
  • Tactics + scripting language: SML
  • Theory facility: input your favourite operational semantics, and presto...
  • Logical variables
  • URL: http://www.sics.se/fdt/projects/vericode/vcpt.html

VI. Related Work

Simpson'95: Compositionality via cut-elimination
  • For HML and GSOS

Spatial logic (Caires, Cardelli, Gordon):
  • Spatial connectives for structural congruence
  • Modal ops for reduction/transition
  • Fixed points/monadic second-order quantification for recursive properties

Earlier work on compositional verification (Stirling, Winskel, Andersen)