Correctness by Construction: Towards Verification in Hierarchical System Development

  • Mila Majster-Cederbaum
  • Frank Salger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1885)


In many approaches to the verification of reactive systems, operational semantics are used to model systems, whereas specifications are expressed in temporal logics. Most approaches, however, assume that the initial specification is indeed the intended one. Changing the specification thus requires finding an accordingly adapted system and carrying out the verification from scratch. During a system's life cycle, however, changes of requirements and resources necessitate repeated adaptations of specifications. We propose a method that supports syntactic action refinement (SAR) and allows (a priori) correct systems to be obtained automatically by hierarchically adding details to the corresponding specifications. More precisely, we give a definition of SAR for formulas ϕ of the Modal Mu-Calculus (denoted by \(\varphi[\alpha\leadsto Q]\)) that conforms to SAR for TCSP-like process terms P (denoted \(P[\alpha\leadsto Q]\)) in the following sense: the system induced by a process term P satisfies a specification ϕ if and only if the system induced by the refined term \(P[\alpha\leadsto Q]\) satisfies the refined specification \(\varphi[\alpha\leadsto Q]\). Model checking is used to decide whether the initial system satisfies the initial specification. If we are not satisfied with the obtained refinement \(P[\alpha\leadsto Q]\) or \(\varphi[\alpha\leadsto Q]\), we reuse the verification information already gained (namely that P satisfies ϕ) as the basis for other refinement steps. This can be conceived as a method to reengineer systems. Syntactic action refinement also allows infinite-state systems to be handled. Further, the system induced by P might be exponentially smaller than the system induced by \(P[\alpha\leadsto Q]\). We explain how our results can thus also be exploited to enhance model checking techniques. Finally, we apply our results to an example.
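The equivalence stated in the abstract (P satisfies ϕ iff \(P[\alpha\leadsto Q]\) satisfies \(\varphi[\alpha\leadsto Q]\)) and the size gap between the two induced systems can be observed on small terms. The following Python program is an added illustration written for this page; it is not the authors' code and does not reproduce the paper's definitions of SAR for TCSP terms or for formulas. It assumes a finite fragment (stop, action prefix, choice, interleaving parallel composition without synchronisation), restricts the refining term Q to a sequence of pairwise distinct actions that occur neither in P nor in ϕ, and refines a formula by replacing each ⟨a⟩ and [a] with the chain of modalities over Q's actions. All function names, the sample terms and the sample formulas are constructed for the example.

```python
# Added illustration (not the paper's code): SAR on a finite TCSP-like
# fragment and on modal mu-calculus formulas, checked by a naive model
# checker. Assumed restrictions: interleaving without synchronisation,
# Q = a sequence of pairwise distinct actions fresh w.r.t. P and phi.

STOP = ('stop',)
def pre(a, p): return ('pre', a, p)          # a.P
def choice(p, q): return ('choice', p, q)    # P + Q
def par(p, q): return ('par', p, q)          # P ||| Q

def steps(t):
    """Operational semantics: (action, successor term) pairs of t."""
    kind = t[0]
    if kind == 'stop':
        return []
    if kind == 'pre':
        return [(t[1], t[2])]
    if kind == 'choice':
        return steps(t[1]) + steps(t[2])
    return ([(a, par(p2, t[2])) for a, p2 in steps(t[1])] +   # left moves
            [(a, par(t[1], q2)) for a, q2 in steps(t[2])])    # right moves

def lts(t):
    """Explore the finite transition system induced by t."""
    states, trans, todo = {t}, {}, [t]
    while todo:
        s = todo.pop()
        trans[s] = steps(s)
        todo += [s2 for _, s2 in trans[s] if s2 not in states]
        states.update(s2 for _, s2 in trans[s])
    return states, trans

def refine_term(t, a, seq):
    """P[a ~> b1...bk]: every prefix a.P' becomes b1.b2...bk.P'."""
    kind = t[0]
    if kind == 'stop':
        return t
    if kind == 'pre':
        body = refine_term(t[2], a, seq)
        for b in reversed(seq if t[1] == a else [t[1]]):
            body = pre(b, body)
        return body
    return (kind, refine_term(t[1], a, seq), refine_term(t[2], a, seq))

TT, FF = ('tt',), ('ff',)
def dia(a, f): return ('dia', a, f)      # <a> f
def box(a, f): return ('box', a, f)      # [a] f
def AND(f, g): return ('and', f, g)
def OR(f, g): return ('or', f, g)
def var(x): return ('var', x)
def mu(x, f): return ('mu', x, f)        # least fixpoint
def nu(x, f): return ('nu', x, f)        # greatest fixpoint

def refine_formula(f, a, seq):
    """phi[a ~> b1...bk]: <a>psi becomes <b1>...<bk>psi, [a]psi likewise."""
    kind = f[0]
    if kind in ('tt', 'ff', 'var'):
        return f
    if kind in ('dia', 'box'):
        body = refine_formula(f[2], a, seq)
        for b in reversed(seq if f[1] == a else [f[1]]):
            body = (kind, b, body)
        return body
    if kind in ('and', 'or'):
        return (kind, refine_formula(f[1], a, seq), refine_formula(f[2], a, seq))
    return (kind, f[1], refine_formula(f[2], a, seq))          # mu / nu

def sat(f, states, trans, env=None):
    """States satisfying f; fixpoints by iteration (the LTS is finite)."""
    env, kind = env or {}, f[0]
    if kind == 'tt': return set(states)
    if kind == 'ff': return set()
    if kind == 'var': return env[f[1]]
    if kind in ('and', 'or'):
        lhs, rhs = sat(f[1], states, trans, env), sat(f[2], states, trans, env)
        return lhs & rhs if kind == 'and' else lhs | rhs
    if kind in ('dia', 'box'):
        inner, quant = sat(f[2], states, trans, env), (any if kind == 'dia' else all)
        return {s for s in states
                if quant(s2 in inner for b, s2 in trans[s] if b == f[1])}
    cur = set() if kind == 'mu' else set(states)     # mu from below, nu from above
    while True:
        nxt = sat(f[2], states, trans, {**env, f[1]: cur})
        if nxt == cur:
            return cur
        cur = nxt

def check(t, f):
    """Does the system induced by t satisfy f in its initial state?"""
    return t in sat(f, *lts(t))

def demo(n=3, k=2):
    """n interleaved copies of a.c.stop, a refined by k fresh actions:
    both verdicts for an invariant and the state counts 3**n vs (k+2)**n."""
    P = pre('a', pre('c', STOP))
    for _ in range(n - 1):
        P = par(P, pre('a', pre('c', STOP)))
    Q = ['b%d' % i for i in range(1, k + 1)]
    # invariant: after every a-step a c-step is enabled
    phi = nu('X', AND(box('a', AND(dia('c', TT), var('X'))), box('c', var('X'))))
    P2, phi2 = refine_term(P, 'a', Q), refine_formula(phi, 'a', Q)
    return check(P, phi), check(P2, phi2), len(lts(P)[0]), len(lts(P2)[0])
```

demo(3, 2) checks the invariant νX.[a](⟨c⟩tt ∧ X) ∧ [c]X on three interleaved copies of a.c.stop and on their refinement: both verdicts are true, while the state count grows from 3^3 = 27 to 4^3 = 64, the kind of gap the abstract refers to when it suggests checking the smaller system and refining both sides syntactically. Under the stated restrictions the two verdicts should coincide for any formula of the fragment, but the program only tests this empirically; synchronised actions, repeated actions in Q, or actions of Q already used in P or ϕ break the simple chain-of-modalities refinement and need the paper's full definitions.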







Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Mila Majster-Cederbaum, Fakultät für Mathematik und Informatik, Universität Mannheim, Mannheim, Germany
  • Frank Salger, Fakultät für Mathematik und Informatik, Universität Mannheim, Mannheim, Germany
