Linking Theorem Proving and Model-Checking with Well-Founded Bisimulation

  • Panagiotis Manolios
  • Kedar Namjoshi
  • Robert Sumners
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1633)


We present an approach to verification that combines the strengths of model-checking and theorem proving. We use theorem proving to show a bisimulation up to stuttering on a potentially infinite-state system. Our characterization of stuttering bisimulation allows us to do such proofs by reasoning only about single steps of the system. We present an on-the-fly method that extracts the reachable quotient structure induced by the bisimulation, if the structure is finite. If our specification is a temporal logic formula, we model-check the quotient structure. If our specification is a simpler system, we use an equivalence checker to show that the quotient structure is stuttering bisimilar to the simpler system. The results obtained on the quotient structure lift to the original system, because the quotient, by construction, is refined by the original system.

We demonstrate our methodology by verifying the alternating bit protocol. This protocol cannot be model-checked directly because it has an infinite state space; however, using the theorem prover ACL2, we show that the protocol is stuttering bisimilar to a small finite-state system, which we then model-check. We also show that the alternating bit protocol is a refinement of a non-lossy system.





Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Panagiotis Manolios, Department of Computer Sciences, University of Texas at Austin
  • Kedar Namjoshi, Bell Laboratories, Lucent Technologies, USA
  • Robert Sumners, Department of Electrical and Computer Engineering, University of Texas at Austin
