Infinite-State Model Checking of LTLR Formulas Using Narrowing
Abstract
The linear temporal logic of rewriting (LTLR) is a simple extension of LTL that adds spatial action patterns to the logic, expressing that a specific instance of an action described by a rewrite rule has been performed. Although the theory and algorithms of LTLR for finite-state model checking are well-developed [2], no theoretical foundations have yet been developed for infinite-state LTLR model checking. The main goal of this paper is to develop such foundations for narrowing-based logical model checking of LTLR properties. A key theme in this paper is the systematic relationship, in the form of a simulation with remarkably good properties, between the concrete state space and the symbolic state space. A related theme is the use of additional state space reduction methods, such as folding and equational abstractions, that can in some cases yield a finite symbolic state space.
Keywords
Model checking; Infinite-state systems; LTLR; Narrowing
1 Introduction
This paper further develops previous efforts to use rewriting logic and narrowing to perform symbolic model checking of infinite-state systems.^{1} Those efforts have gradually increased the expressiveness of the properties that can be verified, first focusing on reachability analysis [16] and then expanding the range to general LTL formulas [1, 6]. It is by now clear that state-based temporal logics are not expressive enough to deal with properties involving events, such as message sends and receives; and that the temporal logic of rewriting [14] is a perfect match—at the level of property specification—for rewriting logic—at the level of system specification—so that both can be used seamlessly as a tandem for model checking. For finite-state systems, the authors have developed model checkers that demonstrate the power and usefulness of this tandem of logics [2]. The question asked and positively answered in this paper is: can properties of a rewrite theory \(\mathcal {R}\) expressed in the linear temporal logic of rewriting (LTLR) [14] be model checked symbolically by narrowing under reasonable assumptions?
The answer to this question is nontrivial, because of a difficulty which can be best explained by briefly recalling how narrowing-based reachability analysis and LTL model checking are performed for a rewrite theory \(\mathcal {R}\). For reachability analysis, any non-variable term \(t\), symbolically denoting a typically infinite set of concrete state instances, can be narrowed to try to reach an instance of a goal pattern term \(g\). However, for LTL model checking, not all such terms \(t\) denote states in the symbolic state space. The reason is that LTL formulas have a set \({ AP }\) of state propositions, but for a symbolic term \(t\) such propositions may not be defined: different term instances of \(t\) may satisfy different state propositions. The solution proposed in [1, 6] is to specialize \(t\) to most general instances \(t_{1},\ldots ,t_{n}\) for which all state propositions in \({ AP }\) are either true or false. If the equations defining such propositions have the finite variant property, this can be done by variant narrowing [1, 6]. Therefore, narrowing-based LTL model checking symbolically explores the state space of all such \({ AP }\)-instantiated symbolic terms.
Suppose that we now want to perform not just LTL model checking but symbolic LTLR model checking, and that our formula \(\varphi \) involves both state propositions in \({ AP }\) and spatial action patterns. For example, a spatial action pattern \(l(\theta )\) can appear in \(\varphi \), stating that a rule \(l: q \longrightarrow r\) has been performed with an instantiation that further specializes the substitution \(\theta \). As part of the model checking verification of \(\varphi \) we may reach a symbolic state \(t\) where we need to check whether the action specified by \(l(\theta )\) can be performed. This check will succeed if \(t\) can be narrowed with a rule \(l\) and a substitution \(\sigma \) such that \(\theta \) is an instance of \(\sigma \). However, \(\sigma \) can be incomparable to \(\theta \) in general; that is, \(\sigma \) may have instances for which this property holds, and other instances for which it definitely fails. This is analogous to the lack of \({ AP }\)-instantiation discussed above for narrowing-based LTL model checking. Let \( ACT \) be the set of spatial action patterns we are using, so that, say, \(l(\theta ) \in ACT \). Our problem is that the symbolic transitions in the LTLR state space need to be \( ACT \)-instantiated, while the symbolic states are \({ AP }\)-instantiated.
Having identified conditions under which the state space for narrowing-based LTLR model checking can be built, the rest of the paper develops the theoretical foundations of narrowing-based LTLR model checking. A key theme in such foundations is the systematic relationship between concrete and symbolic states. This takes the form of a simulation relation from concrete to symbolic states that preserves both state propositions and spatial action patterns. A related theme is the use of additional state space reduction methods, such as folding and equational abstractions, that can in some cases yield a finite symbolic state space. How these foundations can be used in practice to prove non-trivial LTLR properties of infinite-state systems is illustrated with a running example.
2 Preliminaries
Rewriting Logic. An order-sorted signature is a triple \(\varSigma = (S, \le , \varSigma )\) with poset of sorts \((S, \le )\) and operators \(\varSigma =\{\varSigma _{w,k}\}_{(w,k)\in S^* \times S}\) typed in \((S,\le )\). The set \({\mathcal T^{}_{\varSigma }(\mathcal {X})}_{\mathsf {s}}^{}\) denotes the set of \(\varSigma \)-terms of sort \(\mathsf {s}\) over \(\mathcal {X}\), an infinite set of \(S\)-sorted variables, and \(\mathcal T^{}_{\varSigma ,\mathsf {s}}\) denotes the set of ground \(\varSigma \)-terms of sort \(\mathsf {s}\). We assume that \(\mathcal T^{}_{\varSigma ,\mathsf {s}} \ne \emptyset \) for each sort \(\mathsf {s}\) in \(\varSigma \). Positions in a term \(t\) represent tree positions when \(t\) is parsed as a tree, and the replacement in \(t\) of a subterm at a position \(p\) by another term \(u\) is denoted by \(t[u]_{p}\). A substitution \(\sigma : \mathcal {X}\rightarrow {\mathcal T^{}_{\varSigma }(\mathcal {X})}_{}^{}\) is a function that maps variables to terms of the same sort, and is homomorphically extended to \({\mathcal T^{}_{\varSigma }(\mathcal {X})}_{}^{}\) in a natural way. The domain of \(\sigma \) is a finite subset \( dom (\sigma ) \subseteq \mathcal {X}\), where \(\sigma x = x\) for any \(x \notin dom (\sigma )\). The restriction of \(\sigma \) to \(Y \subseteq \mathcal {X}\) is the substitution \(\sigma _Y\) such that \(\sigma _Y(x) = \sigma (x)\) if \(x \in Y\), and \(\sigma _Y(x) = x\) otherwise.
We also require \(\mathcal {R}= (\varSigma , E, R)\) to be topmost for narrowing-based methods. That is, there is a sort \(\mathsf {State}\) at the top of one of the connected components of \((S,\le )\) such that: (i) for each rule \(l: q \longrightarrow r \in R\), both \(q\) and \(r\) have the top sort \(\mathsf {State}\); and (ii) no operator in \(\varSigma \) has \(\mathsf {State}\) or any of its subsorts as an argument sort. This ensures that all rewrites with rules in \(R\) must take place at the top of the term. In practice, many concurrent systems, including object-oriented systems and communication protocols, can be specified by topmost rewrite theories [16].
We can associate to \(\mathcal {R}\) a corresponding Kripke structure for LTL model checking. A Kripke structure is a \(4\)-tuple \({\mathcal {K}}= (S, { AP }, \mathcal {L}, \longrightarrow _{\mathcal {K}})\) with \(S\) a set of states, \({ AP }\) a set of atomic state propositions, \(\mathcal {L} : S \rightarrow \mathcal {P}({ AP })\) a state-labeling function, and \({\longrightarrow _{\mathcal {K}}} \subseteq S \times S\) a total transition relation in which every state \(s \in S\) has a next state \(s' \in S\) with \(s \longrightarrow _{\mathcal {K}}s'\). A state proposition is defined as a term of sort \(\mathsf {Prop}\), whose meaning is defined by equations using the auxiliary operator \(\mathtt \_ \models \mathtt \_ : \mathsf {State}\ \mathsf {Prop} \rightarrow \mathsf {Bool}\). By definition, \(p \in \mathcal T^{}_{\varSigma /E,\mathsf {Prop}}\) is satisfied on a state \([t]_E\) iff \((t \models p) =_{E} true \). We assume that sort \(\mathsf {Bool}\) has two constants \( true \) and \( false \) with \( true \not =_{E} false \) and any \(t \in \mathcal T^{}_{\varSigma ,\mathsf {Bool}}\) is provably equal to either \( true \) or \( false \).
Definition 1
Given \(\mathcal {R}= (\varSigma , E, R)\) and a set \({ AP }\subseteq \mathcal T^{}_{\varSigma /E,\mathsf {Prop}}\) defined by \(E\), the corresponding Kripke structure is \({\mathcal {K}}(\mathcal {R})_{ AP }= (\mathcal T^{}_{\varSigma /E,\mathsf {State}}, { AP }, \mathcal {L}_E, \longrightarrow _{\mathcal {R}})\),^{2} where \(\mathcal {L}_E([t]_E) = \{p \in { AP }\mid (t \models p) =_{E} true \}\).
Spatial action patterns describe properties of one-step rewrites by defining a set of matching one-step proof terms. For example, a pattern \(l\) describes that a rule with label \(l\) is applied, and a pattern \(l(\theta )\) describes that a rule with label \(l\) is applied and the related variable instantiation is a further instantiation of the substitution \(\theta \) [2, 14]. In a similar way that state propositions of LTL are defined by equations, the matching relation \(\models \) between a one-step proof term \(\gamma \) and a spatial action pattern \(\delta \) can be defined by equations using the auxiliary operator \(\mathtt \_ \models \mathtt \_ : \mathsf {ProofTerm}\ \mathsf {Action} \rightarrow \mathsf {Bool}\), where \(\gamma \models \delta \iff (\gamma \models \delta ) =_{E} true \).
The semantics of an LTLR formula is defined on a labeled Kripke structure (LKS), an extension of a Kripke structure with transition labels [2, 3]. An LKS is a \(5\)-tuple \({\bar{{\mathcal {K}}}}= (S, { AP }, \mathcal {L}, ACT , \longrightarrow _{\bar{{\mathcal {K}}}})\) with \(S\) a set of states, \({ AP }\) a set of state propositions, \(\mathcal {L} : S \rightarrow \mathcal {P}({ AP })\) a state-labeling function, \( ACT \) a set of spatial action patterns, and \({\longrightarrow _{\bar{{\mathcal {K}}}}} \subseteq S \times \mathcal {P}( ACT ) \times S\) a total labeled transition relation. A path \((\pi , \alpha )\) is a pair of functions \(\pi : \mathbb {N} \rightarrow S\) and \(\alpha : \mathbb {N} \rightarrow \mathcal {P}( ACT )\) such that Open image in new window , and \((\pi ,\alpha )^k\) denotes the suffix of \((\pi ,\alpha )\) beginning at position \(k\) such that \((\pi ,\alpha )^k = (\pi \circ s^k ,\alpha \circ s^k)\) with \(s\) the successor function.
We can associate to a rewrite theory \(\mathcal {R}\) a corresponding LKS \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) for LTLR model checking, provided that the state propositions \({ AP }\) and the spatial action patterns \( ACT \) are defined by its equations.
Definition 2

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models p\) iff \(p \in \mathcal {L}(\pi (0))\)

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \delta \) iff \(\delta \in \alpha (0)\)

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \lnot \varphi \) iff \({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \not \models \varphi \)

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \varphi \wedge \varphi '\) iff \({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \varphi \text{ and } {\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \varphi '\)

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \bigcirc \varphi \) iff \({\bar{{\mathcal {K}}}}, (\pi , \alpha )^{1} \models \varphi \)

\({\bar{{\mathcal {K}}}}, (\pi , \alpha ) \models \varphi \,\mathbf {U}\, \varphi '\) iff \(\exists k \ge 0.\; {\bar{{\mathcal {K}}}}, (\pi , \alpha )^{k} \models \varphi '\), \(\forall 0 \le i < k.\; {\bar{{\mathcal {K}}}}, (\pi , \alpha )^{i} \models \varphi \).
where natural numbers are modeled as multisets of \(s\) with the multiset union operator Open image in new window (empty syntax) and the empty multiset 0 (e.g., \(0 = \mathtt 0 \), and \(3 = \mathtt s \,\mathtt s \,\mathtt s \)).
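As an added illustration (not from the paper), the following Python evaluator implements the clauses of Definition 2 on an ultimately periodic path \((\pi ,\alpha )\) given as a lasso, so that each suffix \((\pi ,\alpha )^k\) is one of finitely many positions; the state propositions, action names and the path itself are constructed for this example and are not the paper's.

```python
# Added example (not the paper's code): the path semantics of Definition 2
# evaluated on an ultimately periodic path (pi, alpha), given as the list of
# label sets L(pi(i)), the list of action sets alpha(i), and the index that
# the path loops back to, so that every suffix (pi, alpha)^k is one of
# finitely many positions.  Formulas are nested tuples: ('true',),
# ('p', name) for a state proposition, ('a', name) for a spatial action
# pattern, ('not', f), ('and', f, g), ('X', f) for next, ('U', f, g) for until.

def F(f):
    """Eventually, as the usual abbreviation true U f."""
    return ('U', ('true',), f)

def G(f):
    """Always, as not F not f."""
    return ('not', F(('not', f)))

def implies(f, g):
    return ('not', ('and', f, ('not', g)))

def holds(f, path, k=0):
    """LKS, (pi, alpha)^k |= f for a lasso path (labels, actions, loop_start)."""
    labels, actions, loop = path
    n = len(labels)

    def pos(i):  # index on the infinite path -> index into the lasso
        return i if i < n else loop + (i - loop) % (n - loop)

    op = f[0]
    if op == 'true':
        return True
    if op == 'p':
        return f[1] in labels[pos(k)]        # p in L(pi(k))
    if op == 'a':
        return f[1] in actions[pos(k)]       # delta in alpha(k)
    if op == 'not':
        return not holds(f[1], path, k)
    if op == 'and':
        return holds(f[1], path, k) and holds(f[2], path, k)
    if op == 'X':
        return holds(f[1], path, k + 1)
    if op == 'U':
        # From any position, n consecutive steps visit every lasso position,
        # so a witness for f' (with f holding at all earlier positions) must
        # lie within them if it exists at all.
        for j in range(k, k + n):
            if holds(f[2], path, j):
                return True
            if not holds(f[1], path, j):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")

# Constructed lasso path for one process 0 of a bakery-style protocol:
# idle -wake-> wait -enter-> crit -exit-> idle -wake-> wait ... (loops to 1).
PATH = (
    [{'idle(0)', 'enabled.wake(0)'}, {'wait(0)'}, {'in.crit(0)'},
     {'idle(0)', 'enabled.wake(0)'}],                          # L(pi(i))
    [{'wake(0)'}, {'enter(0)'}, {'exit(0)'}, {'wake(0)'}],     # alpha(i)
    1,                                                         # loop start
)
```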
3 Narrowing-Based LTLR Model Checking
Narrowing [10, 11] generalizes term rewriting by allowing free variables in terms and by performing unification instead of matching. An \(E\)-unifier of \(t = t'\) is a substitution \(\sigma \) such that \(\sigma t =_{E} \sigma t'\) and \( dom (\sigma ) \subseteq vars (t)\cup vars (t')\), and \(\textit{CSU}_{E}({t = t'})\) denotes a complete set of \(E\)-unifiers in which any \(E\)-unifier \(\rho \) of \(t = t'\) has a more general substitution \(\sigma \in \textit{CSU}_{E}({t=t'})\), i.e., \((\exists \eta )\; \rho =_{E} \eta \circ \sigma \). We assume that there exists a finitary \(E\)-unification procedure to find a finite complete set \(\textit{CSU}_{E}({t=t'})\) of \(E\)-unifiers (e.g., there exists a finitary \(E\)-unification procedure if \(E\) has the finite variant property as explained in [5, 7]).
Definition 3
Given a topmost rewrite theory \(\mathcal {R}= (\varSigma ,E,R)\), each rewrite rule \(l : q \longrightarrow r \in R\) specifies a topmost narrowing step \(t \rightsquigarrow _{l, \sigma ,\mathcal {R}} t'\) (or \(t \rightsquigarrow _{\mathcal {R}} t'\)) iff there exists an \(E\)unifier \(\sigma \in \textit{CSU}_{E}({t = q})\) such that \(t'=\sigma r\).
One-Step Proof Terms for Narrowing. Spatial action patterns for rewriting define their matching one-step proof terms, representing the corresponding one-step rewrites. For a topmost rewrite theory \(\mathcal {R}= (\varSigma ,E,R)\), one-step proof terms have the form \(l(\theta )\), indicating that a rule \(l: q \longrightarrow r \in R\) has been applied with a substitution \(\theta \) (at the top position of the term), where \( dom (\theta ) \subseteq vars (q) \cup vars (r)\).
In order to define spatial action patterns for narrowing steps, we also need to have an appropriate notion of one-step proof terms for narrowing. Consider a topmost narrowing step \(t \rightsquigarrow _{l,\sigma ,\mathcal {R}} t'\) using a rule \(l : q \longrightarrow r\). Intuitively, the rule label \(l\) and the restriction of the substitution \(\sigma \) to the variables in the rule^{3} give the one-step proof term for the narrowing step \(t \rightsquigarrow _{l,\sigma ,\mathcal {R}} t'\).
Definition 4
Given a topmost rewrite theory \(\mathcal {R}= (\varSigma ,E,R)\), for a topmost narrowing step \(t \rightsquigarrow _{l,\sigma ,\mathcal {R}} t'\) using a rule \(l : q \longrightarrow r\), its one-step proof term is given by \(l(\sigma _{ vars (q) \cup vars (r)})\), often denoted by \(l(\sigma _l)\).
The following lemma implies that a one-step proof term \(l(\sigma _l)\) for narrowing faithfully captures its corresponding one-step proof terms \(l(\theta )\) for rewriting, in the sense that \(\theta =_{E} \eta \circ \sigma _l\) for some substitution \(\eta \). This lemma is adapted from the soundness and completeness results of topmost narrowing in [16].
Lemma 1
Proof
\((\Rightarrow )\) Suppose that \(l(\theta ) : \rho u \longrightarrow _\mathcal {R}t'\) for a topmost rule \(l: q \longrightarrow r\), where \( dom (\theta ) \subseteq vars (q) \cup vars (r)\). Then, \(\theta q =_{E} \rho u\) and \(t' = \theta r\). Since no variable in \(u\) appears in \(l: q \longrightarrow r\), we have \( dom (\theta ) \cap vars (u) = \emptyset \). Thus, we can define the substitution \(\theta \cup \rho _{ vars (u)}\) with domain \( dom (\theta ) \cup vars (u)\) such that \((\theta \cup \rho _{ vars (u)})_{ dom (\theta )} = \theta \) and \((\theta \cup \rho _{ vars (u)})_{ vars (u)} = \rho _{ vars (u)}\). Since \(\theta \cup \rho _{ vars (u)}\) is an \(E\)-unifier of \(q = u\), there exist substitutions \(\sigma \in \textit{CSU}_{E}({u = q})\) and \(\eta '\) satisfying \((\theta \cup \rho _{ vars (u)})_{ vars (q) \cup vars (u)} =_{E} \eta ' \circ \sigma \) with domain \( vars (q) \cup vars (u)\). Therefore, \(u \rightsquigarrow _{l, \sigma ,\mathcal {R}} u'\) for \(u' = \sigma r\). Next, let \(\eta \) be the extended substitution such that \(\eta x = \eta ' x\) if \(x \in vars (q) \cup vars (u)\), and \(\eta x = \theta x\) otherwise. Then, \(\rho _{ vars (u)} =_{E} (\eta \circ \sigma )_{ vars (u)}\) and \(\theta =_{E} (\eta \circ \sigma )_{ dom (\theta )}\), since \( dom (\theta ) \cap vars (u) = \emptyset \) and \( dom (\theta ) \subseteq vars (q) \cup vars (r)\). Furthermore, \(t' = \theta r =_{E} (\eta \circ \sigma ) r = \eta u'\).
\((\Leftarrow )\) Suppose that \(u \rightsquigarrow _{l, \sigma ,\mathcal {R}} u'\) and \(\rho _{ vars (u)} =_{E} (\eta \circ \sigma )_{ vars (u)}\). Then, for a topmost rule \(l: q \longrightarrow r\), \(\sigma \in \textit{CSU}_{E}({u = q})\) and \(u'=\sigma r\). Since \(\sigma u =_{E} \sigma q\) and \(( vars (q) \cup vars (r)) \cap vars (u) = \emptyset \), we have \(l(\sigma _{ vars (q) \cup vars (r)}) : \sigma u \longrightarrow _\mathcal {R}u'\).
Thus, we have \(l(\eta \circ \sigma _{ vars (q) \cup vars (r)}) : (\eta \circ \sigma ) u \longrightarrow _\mathcal {R}\eta u'\), where \((\eta \circ \sigma ) u =_{E} \rho u\), since rewrites are stable under substitutions. \(\square \)

each state of the LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) is a term in which the truth of every state proposition is decided into either true or false; and

a transition of \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) is specified by a topmost narrowing step \(\rightsquigarrow _{\mathcal {R}}\), but further instantiated into possibly several transitions so that the truth \(b_i\) of each state proposition \(p_i\), \(1 \le i \le n\), and the truth \(b_{n+j}\) of each spatial action pattern \(\delta _j\), \(1 \le j \le m\), are decided into either true or false.
Definition 5

\([t]_E \in N(\mathcal {R})_{ AP }\) iff \([t]_E \in {\mathcal T^{}_{\varSigma /E}(\mathcal {X})}_{\mathsf {State}}^{}\), and for every state proposition \(p \in { AP }\), either \((t \models p) =_{E} true \) or \((t \models p) =_{E} false \).
Open image in new window iff there exist a term \(u\), a substitution \(\zeta \), and Boolean values \(b_1, \ldots , b_{n+m} \in \{ true , false \}\) such that$$\begin{aligned}&t \rightsquigarrow _{l, \sigma , \mathcal {R}} u \;\;\wedge \;\; t' = \zeta u \;\;\wedge \;\; A = \{ \delta \in ACT \mid (\zeta (l(\sigma _l)) \models \delta ) =_{E} true \} \;\;\wedge \\&\quad \quad \zeta \in \textit{CSU}_{E}\big ( {\bigwedge _{1 \le i \le n}} (u \models p_i) = b_i \,\wedge \, {\bigwedge _{1 \le j \le m}} (l(\sigma _l) \models \delta _j) = b_{n+j} \big ) \end{aligned}$$
A narrowing-based LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) captures any behavior of the related concrete LKS \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\), in terms of a simulation relation. In the following definition we extend the usual notion of a simulation for Kripke structures to one for LKSs, which also takes into account spatial action patterns.
Definition 6
Given two LKSs \({\bar{{\mathcal {K}}}}_i = (S_i, { AP }, \mathcal {L}_i, ACT , \longrightarrow _{{\bar{{\mathcal {K}}}}_i})\), \(i = 1, 2\), a binary relation \(H \subseteq S_1 \times S_2\) is a simulation from \({\bar{{\mathcal {K}}}}_1\) to \({\bar{{\mathcal {K}}}}_2\) iff: (i) if \(s_1 \,H\, s_2\), then \(\mathcal {L}_1(s_1) = \mathcal {L}_2(s_2)\); and (ii) if \(s_1 \,H\, s_2\) and Open image in new window , there exists \(s_2' \in S_2\) such that \(s_1' \,H\, s_2'\) and Open image in new window . A simulation \(H\) is a bisimulation iff \(H^{-1}\) is also a simulation, and is total iff for any \(s_1 \in S_1\) there exists \(s_2 \in S_2\) such that \(s_1 \,H\, s_2\).
As expected, if an LKS \({\bar{{\mathcal {K}}}}_2\) simulates \({\bar{{\mathcal {K}}}}_1\), then each infinite path in \({\bar{{\mathcal {K}}}}_1\) has a corresponding path in \({\bar{{\mathcal {K}}}}_2\), as shown in the following lemma.
Lemma 2
Given a simulation \(H\) from an LKS \({\bar{{\mathcal {K}}}}_1\) to \({\bar{{\mathcal {K}}}}_2\), if \(s_1 \,H\, s_2\), then for each path \((\pi _1, \alpha )\) of \({\bar{{\mathcal {K}}}}_1\) beginning at \(s_1\), there exists a corresponding path \((\pi _2, \alpha )\) beginning at \(s_2\) such that \(\pi _1(i)\,H\,\pi _2(i)\) for each \(i \in \mathbb {N}\).
Proof
We construct \(\pi _2\) by induction. Let \(\pi _2(0) = s_2\). Clearly, \(\pi _1(0)\,H\,\pi _2(0)\). Next, suppose that \(\pi _1(k)\,H\,\pi _2(k)\) for some \(k \in \mathbb {N}\). Since \(\pi _1(k)\,H\,\pi _2(k)\) and Open image in new window , there exists a state \(s_2'\) such that \(\pi _1(k+1) \,H\, s_2'\) and Open image in new window . Then, we choose \(\pi _2(k+1) = s_2'\). \(\square \)
Suppose that \(s_0^1 \,H\, s_0^2\) for a simulation \(H\) from \({\bar{{\mathcal {K}}}}_1\) to \({\bar{{\mathcal {K}}}}_2\). If there exists a counterexample \((\pi _1, \alpha _1)\) in \({\bar{{\mathcal {K}}}}_1\) starting from \(s_0^1\), then by the above lemma, there exists a corresponding counterexample \((\pi _2, \alpha _2)\) in \({\bar{{\mathcal {K}}}}_2\) starting from \(s_0^2\) such that \(\mathcal {L}_1(\pi _1(i)) = \mathcal {L}_2(\pi _2(i))\) and \(\alpha _1(i) = \alpha _2(i)\) for each \(i \in \mathbb {N}\). Therefore:
Corollary 1
Given a simulation \(H\) from an LKS \({\bar{{\mathcal {K}}}}_1\) to \({\bar{{\mathcal {K}}}}_2\), if \(s_0^1 \,H\, s_0^2\), then for any LTLR formula \(\varphi \), \({\bar{{\mathcal {K}}}}_2, s_0^2 \models \varphi \) implies \({\bar{{\mathcal {K}}}}_1, s_0^1 \models \varphi \). In particular, if \(H\) is a bisimulation, then \({\bar{{\mathcal {K}}}}_2, s_0^2 \models \varphi \) iff \({\bar{{\mathcal {K}}}}_1, s_0^1 \models \varphi \).
For a narrowing-based LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\), each logical state is clearly related to a concrete state in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) in terms of the \(E\)-subsumption relation. The \(E\)-subsumption \(t \preccurlyeq _{E} t'\) holds iff there exists a substitution \(\sigma \) with \(t =_{E} \sigma t'\), meaning that \(t'\) is more general than \(t\) modulo \(E\).
Lemma 3
Given a topmost rewrite theory \(\mathcal {R}= (\varSigma ,E,R)\) and sets \({ AP }\) and \( ACT \) defined by \(E\), \(\preccurlyeq _{E}\) is a total simulation from \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) to \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\).
Proof
Suppose that Open image in new window and \(t \preccurlyeq _{E} u\) for \(u \in N(\mathcal {R})_{ AP }\). Given \({ AP }= \{p_1,\ldots ,p_n\}\) and \( ACT = \{\delta _1,\ldots ,\delta _m\}\), fix \(b_1, b_2, \ldots , b_{n+m} \in \{ true , false \}\) such that \(b_i =_{E} (t' \models p_i)\) for \(1 \le i \le n\) and \(b_{n+j} =_{E} (l(\theta ) \models \delta _j)\) for \(1 \le j \le m\). By definition, there is a one-step rewrite \(l(\theta ) : t \longrightarrow _\mathcal {R}t'\). By Lemma 1, there is a narrowing step \(u \rightsquigarrow _{l, \sigma ,\mathcal {R}} u'\) such that \(t' =_{E} \eta u'\) and \(\theta =_{E} (\eta \circ \sigma ) _{ dom (\theta )}\). Thus, there exists \(\zeta \in \textit{CSU}_{E}( {\bigwedge _{1 \le i \le n}} (u' \models p_i) = b_i \;\wedge \; {\bigwedge _{1 \le j \le m}} (l(\sigma _l) \models \delta _j) = b_{n+j})\). By definition, Open image in new window . Notice that \({\bigwedge _{1 \le i \le n}} \eta \big ((u' \models p_i) =_{E} b_i\big )\) and \({\bigwedge _{1 \le j \le m}} \eta \big ((l(\sigma _l) \models \delta _j) =_{E} b_{n+j}\big )\). Therefore, \(\eta \preccurlyeq _{E} \zeta \), and \(t' =_{E} \eta u' \preccurlyeq _{E} \zeta u'\). \(\square \)
By Corollary 1, this lemma implies that any LTLR formula \(\varphi \) satisfied in a narrowing-based LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) from a logical state \(t\) is also satisfied in the concrete LKS \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) from each ground instance of \(t\).
In general, \(\preccurlyeq _{E}\) is not a bisimulation between \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) and \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\). For the bakery example, although \(\mathtt 0\,;\,0\,;\,[I,wait(0)] \preccurlyeq _{E} \mathtt N\,;\,M\,;\,PS _{1}\) holds, there exists the transition Open image in new window in \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) with the substitution \(\mathtt PS _1 \backslash \, \mathtt PS _{2}\,\mathtt [0,idle] \), but no corresponding transition exists from 0 ; 0 ; [I,wait(0)] in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\). However, any finite path in \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) can be instantiated to a corresponding concrete path in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) (e.g., the above transition can be instantiated as the transition Open image in new window in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\)).
Lemma 4
For a finite path Open image in new window of \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\), there is Open image in new window in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\) with \(t_i \preccurlyeq _{E} u_i\), \(1 \le i \le n\).
Proof
Since Open image in new window , by definition, there are substitutions \(\sigma _1\) and \(\zeta _1\) such that \(u_1 \rightsquigarrow _{l_1, \sigma _1, \mathcal {R}} u_2'\) by a topmost rule \(l_1 : q_1 \longrightarrow r_1 \in R\) and \(u_2 = \zeta _1 u_2'\). Since \(\sigma _1 u_1 =_{E} \sigma _1 q_1\) and \(u_2 = \zeta _1 u_2' = (\zeta _1 \circ \sigma _1) r_1\), \((\zeta _1 \circ \sigma _1) u_1 \longrightarrow _\mathcal {R}u_2\). Similarly, \((\zeta _2 \circ \sigma _2) u_2 \longrightarrow _\mathcal {R}u_3\), etc. By composing them, \((\zeta _{n-1} \circ \sigma _{n-1} \circ \cdots \circ \zeta _2 \circ \sigma _2 \circ \zeta _1 \circ \sigma _1) u_1 \longrightarrow _\mathcal {R}\cdots \longrightarrow _\mathcal {R}(\zeta _{n-1} \circ \sigma _{n-1}) u_{n-1} \longrightarrow _\mathcal {R}u_n\). Let \(\rho \) be a ground substitution instantiating every variable in the path. Then, \((\rho \circ \zeta _{n-1} \circ \sigma _{n-1} \circ \cdots \circ \zeta _2 \circ \sigma _2 \circ \zeta _1 \circ \sigma _1) u_1 \longrightarrow _\mathcal {R}\cdots \longrightarrow _\mathcal {R}(\rho \circ \zeta _{n-1} \circ \sigma _{n-1}) u_{n-1} \longrightarrow _\mathcal {R}\rho u_n\) gives the desired path. \(\square \)
Recall that counterexamples of safety properties are characterized by finite sequences [4]. Therefore, the above lemma guarantees that \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) does not generate spurious counterexamples for safety properties, since any finite counterexample in \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) has a corresponding real counterexample in \({\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }\). Together with Corollary 1 and Lemma 3, we have:
Theorem 1
Given a topmost rewrite theory \(\mathcal {R}= (\varSigma , E,R)\), and finite sets \({ AP }\) and \( ACT \) defined by \(E\), for a safety LTLR formula \(\varphi \) and a pattern \(t \in N(\mathcal {R})_{ AP }\): \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }, [t]_E \models \varphi \;\iff \; (\forall \theta : \mathcal {X}\rightarrow \mathcal T^{}_{\varSigma })\;\; {\bar{{\mathcal {K}}}}(\mathcal {R})_{{ AP }, ACT }, [\theta t]_E \models \varphi \).
4 Abstract Narrowing-Based LTLR Model Checking
A narrowing-based LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) often has an infinite number of logical states (e.g., Fig. 2). For narrowing-based LTL model checking, the paper [1] has proposed two abstraction methods to reduce an infinite narrowing-based Kripke structure, namely, folding abstractions and equational abstractions. This section extends those abstraction techniques to narrowing-based LTLR model checking, in order to try to reduce an infinite narrowing-based LKS to a finite one.
Folding Abstractions. Given a transition system \(\mathcal {A} = (A, \longrightarrow _\mathcal {A})\) with a set of states \(A\) and a transition relation \({\longrightarrow _\mathcal {A}} \subseteq A^2\), we can reduce it by collapsing each state \(a\) into a previously seen state \(b\), while traversing \(\mathcal {A}\) from a set of initial states \(I \subseteq A\), whenever \(b\) is more general than \(a\) according to a folding relation \(a \preccurlyeq b\) [6]. For a set of states \(B \subseteq A\), let \({ Post ^{}_{\mathcal {A}}}(B) = \{a \in A \mid \exists b \in B.\; b \longrightarrow _\mathcal {A} a\}\) (i.e., the successors of \(B\)) and \({ Post ^{*}_{\mathcal {A}}}(B) = \bigcup _{i \in \mathbb {N}} ( Post _{\mathcal {A}})^i(B)\).
Definition 7
If a folding relation \({\preccurlyeq }\) is a total simulation from \(\mathcal {A}\) to \(\mathcal {A}\), then \(\mathcal {R}each^{\preccurlyeq }_\mathcal {A}(I)\) simulates the reachable subsystem \(\mathcal {R}each_\mathcal {A}(I) = ({ Post ^{*}_{\mathcal {A}}}(I), \longrightarrow _\mathcal {A} \cap \, { Post ^{*}_{\mathcal {A}}}(I)^2 )\) that only contains reachable states from \(I\) (i.e., \({\preccurlyeq }\) is a total simulation from \(\mathcal {R}each_\mathcal {A}(I)\) to \(\mathcal {R}each^{\preccurlyeq }_\mathcal {A}(I)\)) [1]. Indeed, \(\preccurlyeq _{E}\) for a topmost rewrite theory \(\mathcal {R}\) is a total simulation from \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) to \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) (which can be proved in a similar way to Lemma 3). Therefore, \(\preccurlyeq _{E}\) defines a total simulation from \(\mathcal {R}each_{{\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }}(I)\) to \(\mathcal {R}each^{\preccurlyeq _{E}}_{{\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }}(I)\). Consequently, by Corollary 1:
Theorem 2
For an LTLR formula \(\varphi \) and a pattern \(t \in N(\mathcal {R})_{ AP }\), we have that \(\mathcal {R}each^{\preccurlyeq _{E}}_{{\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }}(\{[t]_E\}), [t]_E \models \varphi \) implies \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }, [t]_E \models \varphi \).
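To make the constructions concrete, here is an added Python example (not the paper's code, nor that of any narrowing tool) that implements topmost narrowing steps with their proof terms \(l(\sigma _l)\) from Definitions 3 and 4, the three-way decision of a spatial action pattern \(l(\theta )\) against such a proof term that Section 1 describes as the \( ACT \)-instantiation problem, and the folding reachability \(\mathcal {R}each^{\preccurlyeq }\) of Definition 7. It assumes a constructed two-rule topmost theory and \(E = \emptyset \), so all unification and subsumption is syntactic; every rule, sort and variable name in it is this example's own.

```python
# Added example (not the paper's code): topmost narrowing with proof terms
# l(sigma_l) (Defs. 3, 4), a three-way check of an action pattern l(theta)
# against such a proof term (the ACT-instantiation problem of Sect. 1), and
# folding reachability with subsumption as folding relation (Def. 7). E is
# assumed empty, so unification and subsumption are syntactic. Terms: a str
# with an uppercase first letter is a variable; a tuple (symbol, *args) is an
# application; constants are 1-tuples such as ('zero',).
_fresh = iter(range(1 << 30))  # source of fresh variable indices

def is_var(t):
    return isinstance(t, str)
def variables(t):
    return {t} if is_var(t) else {v for a in t[1:] for v in variables(a)}

def apply(sub, t):
    """Homomorphic extension of a substitution (dict var -> term) to terms."""
    return sub.get(t, t) if is_var(t) else (t[0],) + tuple(apply(sub, a) for a in t[1:])

def unify(pairs):
    """Syntactic mgu of a list of equations (with occurs check), or None."""
    sub, pairs = {}, list(pairs)
    while pairs:
        a, b = (apply(sub, x) for x in pairs.pop())
        if a == b:
            continue
        if is_var(b):
            a, b = b, a
        if is_var(a):
            if a in variables(b):
                return None
            sub = {**{x: apply({a: b}, s) for x, s in sub.items()}, a: b}
        elif a[0] != b[0] or len(a) != len(b):
            return None
        else:
            pairs.extend(zip(a[1:], b[1:]))
    return sub

def match(pattern, t):
    """Substitution m with m(pattern) == t (only pattern variables bind), or None."""
    sub, stack = {}, [(pattern, t)]
    while stack:
        p, u = stack.pop()
        if is_var(p) and sub.setdefault(p, u) == u:
            continue
        if is_var(p) or is_var(u) or p[0] != u[0] or len(p) != len(u):
            return None
        stack.extend(zip(p[1:], u[1:]))
    return sub

def subsumed(t, u):
    return match(u, t) is not None  # t <= u: t is an instance of u (empty E)
def rename(term):
    """Renaming of the variables of term to fresh ones (rule variables apart)."""
    k = next(_fresh)
    return {v: f"{v}_{k}" for v in variables(term)}

# A tiny topmost rewrite theory (constructed): a counter alternating idle/busy.
RULES = [
    ("inc",  ("state", "N", ("idle",)), ("state", ("s", "N"), ("busy",))),
    ("done", ("state", "N", ("busy",)), ("state", "N", ("idle",))),
]

def narrow(t, rules=RULES):
    """Topmost narrowing steps from t as (label, sigma_l, t'); sigma_l is sigma
    restricted to the rule's variables, i.e. the proof term l(sigma_l)."""
    steps = []
    for label, q, r in rules:
        ren = rename(("rule", q, r))
        sigma = unify([(t, apply(ren, q))])
        if sigma is not None:
            sigma_l = {v: apply(sigma, ren[v]) for v in variables(q) | variables(r)}
            steps.append((label, sigma_l, apply(sigma, apply(ren, r))))
    return steps

def decide_action(sigma_l, theta):
    """Proof term l(sigma_l) vs. pattern l(theta): 'true' if every instance of
    sigma_l further instantiates theta, 'false' if none does, else 'split' with
    zeta, the instantiation of the state's variables under which it holds
    (the complementary branch needs complement patterns, omitted here)."""
    ren = rename(("pat",) + tuple(theta.values()))
    xs = sorted(theta)
    pat = ("tup",) + tuple(apply(ren, theta[x]) for x in xs)
    prf = ("tup",) + tuple(sigma_l.get(x, x) for x in xs)
    if match(pat, prf) is not None:
        return "true", {}
    zeta = unify([(prf, pat)])
    if zeta is None:
        return "false", None
    return "split", {v: s for v, s in zeta.items() if v in variables(prf)}

def fold_reach(init, rules=RULES):
    """Reach^{<=}(I) of Def. 7: breadth-first narrowing from init, collapsing
    each new state into an already seen more general one instead of expanding it."""
    states, edges, i = [init], [], 0
    while i < len(states):
        t, i = states[i], i + 1
        for label, _sigma_l, t2 in narrow(t, rules):
            target = next((u for u in states if subsumed(t2, u)), None)
            if target is None:
                states.append(t2)
                target = t2
            edges.append((t, label, target))
    return states, edges
```

Starting from the symbolic state `("state", "N0", ("idle",))`, whose unfolded narrowing graph is infinite, `fold_reach` yields two states and two edges because `state(s(N0), idle)` folds into the more general `state(N0, idle)`.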
For the bakery example, the liveness property \(\Diamond in.crit (0)\) under the fairness assumption \(\Diamond \Box enabled.wake (0) \rightarrow \Box \Diamond wake (0)\) holds in the folding abstraction Open image in new window of Fig. 3, because any infinite paths continuously staying in the first row violate the fairness assumption. Hence, this property is also satisfied for any related concrete system.
Given a rewrite theory \(\mathcal {R}= (\varSigma , E, R)\), by adding a set of equations \(G\) such that \( true \not =_{E \cup G} false \), we define an equational abstraction \(\mathcal {R}/ G = (\varSigma , E \cup G, R)\) [15]. It specifies the quotient abstraction \({\bar{{\mathcal {N}}}}(\mathcal {R}/G)_{{ AP }, ACT }\) by the equivalence relation \(\equiv _G\) on states, namely, \([t]_{E} \equiv _G [t']_{E}\) iff \(t =_{E\cup G} t'\). Provided that a set of state propositions \({ AP }\) and a set of spatial action patterns \( ACT \) are defined by \(E\), the condition \( true \not =_{E \cup G} false \) ensures that any two states with \(t =_{E\cup G} t'\) satisfy the same set of state propositions. Similarly, any two one-step proof terms with \(l(\sigma _l) =_{E\cup G} l'(\sigma _{l'})\) satisfy the same set of spatial action patterns.
Similar to the cases of LTL model checking [1, 15], an equational abstraction \({\bar{{\mathcal {N}}}}(\mathcal {R}/G)_{{ AP }, ACT }\) simulates the narrowing-based LKS \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\).
Lemma 5
Given a topmost rewrite theory \(\mathcal {R}= (\varSigma ,E,R)\), finite sets \({ AP }\) and \( ACT \) defined by \(E\), and a set \(G\) of equations, if \( true \not =_{E \cup G} false \), then there exists a total simulation from \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) to \({\bar{{\mathcal {N}}}}(\mathcal {R}/G)_{{ AP }, ACT }\).
Proof
Let \(H_G = \{([t]_E, [t]_{E \cup G}) \mid t \in N(\mathcal {R})_{ AP }\}\). Suppose that \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) has a transition from \([t]_E\) to \([t']_E\) and that \(t =_{E \cup G} u\). By definition, there are \(\sigma \) and \(\zeta \) such that \(t \rightsquigarrow _{l, \sigma , \mathcal {R}} t''\) by a rule \(l : q \longrightarrow r \in R\) and \(t' = \zeta t''\), where \(\sigma \in \textit{CSU}_{E}({t = q})\), \(t'' = \sigma r\), and \(\zeta \in \textit{CSU}_{E}( {\bigwedge _{1 \le i \le n}} (t'' \models p_i) = b_i \;\wedge \; {\bigwedge _{1 \le j \le m}} (l(\sigma _l) \models \delta _j) = b_{n+j})\) for some \(b_1, \ldots , b_{n+m} \in \{ true , false \}\), given \({ AP }= \{p_1,\ldots ,p_n\}\) and \( ACT = \{\delta _1,\ldots ,\delta _m\}\). Since \(\sigma \in \textit{CSU}_{E}({t = q}){}\), there exists \(\sigma ' \in \textit{CSU}_{E\cup G}({u = q}){}\) such that \(\sigma =_{E \cup G} \sigma '\). Then, \(u \rightsquigarrow _{l, \sigma ', \mathcal {R}/G} u'\) using the same rule \(l : q \longrightarrow r\), where \(u' = \sigma ' r =_{E\cup G} \sigma r = t''\). Notice that \((t'' \models p_i) =_{E\cup G} (u' \models p_i)\) and \((l(\sigma _l) \models \delta _j) =_{E\cup G} (l(\sigma '_l) \models \delta _j)\). Thus, there exists \(\zeta ' \in \textit{CSU}_{E\cup G}( {\bigwedge _{1 \le i \le n}} (u' \models p_i) = b_i \;\wedge \; {\bigwedge _{1 \le j \le m}} (l(\sigma '_l) \models \delta _j) = b_{n+j})\) with \(\zeta =_{E\cup G} \zeta '\). Hence \({\bar{{\mathcal {N}}}}(\mathcal {R}/G)_{{ AP }, ACT }\) has a transition from \([u]_{E \cup G}\) to \([\zeta ' u']_{E \cup G}\), where \(\zeta ' u' =_{E\cup G} \zeta t'' = t'\), so that \(([t']_E, [\zeta ' u']_{E\cup G}) \in H_G\). Since \( true \not =_{E \cup G} false \), \([t']_E\) and \([\zeta ' u']_{E\cup G}\) satisfy the same state propositions, and the one-step proof terms \(l(\sigma _l)\) and \(l(\sigma '_l)\) satisfy the same spatial action patterns. Therefore, \(H_G\) is a total simulation from \({\bar{{\mathcal {N}}}}(\mathcal {R})_{{ AP }, ACT }\) to \({\bar{{\mathcal {N}}}}(\mathcal {R}/G)_{{ AP }, ACT }\). \(\square \)
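To make the content of Lemma 5 concrete, here is an added example (written for this page; it is not the paper's code and not Maude) in Python: a constructed finite toy system in the style of the bakery example, with states \((\text{ticket}, \text{mode})\), the propositions \( in.crit \) and \( enabled.wake \), and the actions \( wake \), \( enter \), \( leave \); a constructed abstraction that collapses every ticket above \(k\) into a single value, in the spirit of the \(k+2\) subsorts of Footnote 5; and a checker that verifies that the candidate relation \(H_G\) really is a total \({ AP }/ ACT \)-simulation. The names `concrete_system`, `quotient`, `is_total_simulation`, `abstract_ticket`, `bad_abstraction` and the constants `MAX_TICKET`, `K` are all assumptions of this example. The `ValueError` raised in `quotient` plays the role of the side condition \( true \not =_{E \cup G} false \): an abstraction that identifies a critical-section state with a waiting state is rejected before any simulation check is attempted.

```python
"""Added example: checking that a quotient abstraction of a labelled Kripke structure (LKS)
is a total AP/ACT-simulation, in the sense of Lemma 5. The system, abstraction functions
and names below are constructed for illustration; they are not the paper's Maude modules."""
from collections import defaultdict

MAX_TICKET = 6  # constructed bound so the concrete system is finite and enumerable
K = 2           # constructed threshold: tickets 0..K are kept, everything above K collapses


def state_props(state):
    """State propositions AP = {in.crit, enabled.wake} of a state (ticket, mode).
    They depend on the mode only, so a ticket abstraction is AP-preserving."""
    _, mode = state
    props = set()
    if mode == "crit":
        props.add("in.crit")
    if mode == "sleep":
        props.add("enabled.wake")
    return frozenset(props)


def concrete_system():
    """Constructed toy system: states (ticket, mode), transitions labelled with the rule
    that produced them. Returns (transitions, ap): a set of (s, action, s') triples and
    a dict from each state to the frozenset of propositions it satisfies."""
    trans = set()
    for n in range(MAX_TICKET + 1):
        nxt = min(n + 1, MAX_TICKET)  # saturate at the bound instead of deadlocking
        trans.add(((n, "sleep"), "wake", (nxt, "wait")))
        trans.add(((n, "wait"), "enter", (n, "crit")))
        trans.add(((n, "crit"), "leave", (n, "sleep")))
    states = set()
    for s, _, t in trans:
        states.update((s, t))
    return trans, {s: state_props(s) for s in states}


def abstract_ticket(state):
    """Constructed abstraction in the spirit of the subsorts Nat0, ..., NatK, NKNat."""
    n, mode = state
    return (f"N{K}Nat" if n > K else f"Nat{n}", mode)


def bad_abstraction(state):
    """Constructed abstraction that additionally identifies 'crit' with 'wait' states."""
    _, mode = state
    return (abstract_ticket(state)[0], "wait" if mode == "crit" else mode)


def quotient(trans, ap, f):
    """Quotient LKS by the abstraction function f (states with equal f-image collapse).
    Raises ValueError when identified states disagree on AP: the analogue of requiring
    true =/= false modulo E u G, without which the quotient is not AP-preserving.
    Returns (abstract transitions, abstract ap, candidate simulation relation H)."""
    abs_ap = {}
    for s, props in ap.items():
        a = f(s)
        if abs_ap.setdefault(a, props) != props:
            raise ValueError(f"abstraction identifies {s} with a state of different AP")
    abs_trans = {(f(s), act, f(t)) for (s, act, t) in trans}
    relation = {(s, f(s)) for s in ap}
    return abs_trans, abs_ap, relation


def is_total_simulation(c_trans, c_ap, a_trans, a_ap, H):
    """True iff H is a total AP/ACT-simulation from the concrete LKS to the abstract one:
    every concrete state is related to some abstract state, related states satisfy the
    same AP, and each concrete step s -act-> s' is matched by an abstract step
    a -act-> a' carrying the same action label with (s', a') in H."""
    a_succ = defaultdict(set)
    for a, act, a2 in a_trans:
        a_succ[(a, act)].add(a2)
    c_succ = defaultdict(set)
    for s, act, t in c_trans:
        c_succ[s].add((act, t))
    if not set(c_ap) <= {s for s, _ in H}:   # totality
        return False
    for s, a in H:
        if c_ap[s] != a_ap[a]:                # AP-preservation
            return False
        for act, t in c_succ[s]:              # step matching, same action label
            if not any((t, a2) in H for a2 in a_succ[(a, act)]):
                return False
    return True


def abstract_state_count(f):
    """Build the quotient by f, verify the simulation, and return the abstract state count."""
    trans, ap = concrete_system()
    a_trans, a_ap, H = quotient(trans, ap, f)
    if not is_total_simulation(trans, ap, a_trans, a_ap, H):
        raise AssertionError("quotient does not simulate the concrete system")
    return len(a_ap)


def ap_preserving(f):
    """True iff the abstraction f never identifies states with different propositions."""
    trans, ap = concrete_system()
    try:
        quotient(trans, ap, f)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("concrete states:", len(concrete_system()[1]))
    print("abstract states:", abstract_state_count(abstract_ticket))
    print("bad abstraction AP-preserving:", ap_preserving(bad_abstraction))
```

Running the module reports 21 concrete and 12 abstract states for `abstract_ticket`, while `bad_abstraction` is rejected by the AP check; removing any pair from \(H_G\) makes `is_total_simulation` fail on totality. As in the paper, the simulation only transfers properties from the abstraction back to the concrete system; a counterexample found in the abstract LKS may still be spurious and has to be examined separately.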
we have the folded abstract narrowing-based LKS in Fig. 5, provided with the extra spatial action pattern \( wake \) that holds if the wake rule is applied.
5 Related Work and Conclusions
A number of infinite-state model checking methods have been developed based on symbolic and abstraction techniques; see [1, 6] for an overview and comparison with narrowing-based model checking. To the best of our knowledge, our work proposes the first symbolic model checking method to verify LTLR properties of infinite-state systems. For finite-state systems the paper [2] presents various model checking algorithms for LTLR properties. LTLR is a sublogic of \( TLR ^*\) that generalizes the state-based logic \( CTL ^*\) (see [14] for related work). On the topic of complement patterns, the most closely related work is [8, 9, 12]. We plan to use their ideas, as well as ongoing work by Skeirik and Meseguer on the concept of \(B\)-linear terms in order-sorted signatures, which are pattern terms whose syntactic structure guarantees the existence of complements modulo \(B\), to automate the full equational definition of satisfaction of spatial action patterns.
In conclusion, this work should be understood as a contribution that increases the expressive power of infinite-state model checking methods. Specifically, the expressive power of narrowing-based infinite-state logical model checking has been extended from LTL to LTLR, allowing temporal properties that use both state propositions and spatial action patterns. This extension is nontrivial because of the need to build a symbolic transition system whose states are \({ AP }\)-instantiated and whose transitions are \( ACT \)-instantiated.
All the necessary theoretical foundations are now in place for embarking on a future implementation of a narrowing-based LTLR model checker in Maude in the spirit of the similar LTL tool described in [1]. As done in [1], for the LTLR tool we will be able to rely on the extensive body of work on efficient LTLR model checking algorithms described in [2]. Beyond these goals, the integration of constraints and SMT solving within the planned narrowing-based LTLR model checker, as well as the study of more flexible “stuttering” \({ AP }/ ACT \)-simulations, are also exciting possibilities.
Footnotes
 1.
The temporal logics that can be verified by infinite-state model checking techniques are generally less expressive than those supported by finite-state model checkers.
 2.
Since \(\longrightarrow _{\mathcal {R}}\) needs to be total, we also assume that \(\mathcal {R}\) is deadlock-free. Note that \(\mathcal {R}\) can be easily transformed into an equivalent deadlock-free theory [15].
 3.
Since one-step proof terms for rewriting only contain variables in rules, we restrict one-step proof terms for narrowing in the same way.
 4.
 5.
Generally, to define the negative cases for \(k \in \mathbb {N}\), we can define \(k+2\) subsorts \(\mathsf {Nat0}, \ldots , \mathsf {Nat}k, \mathsf {N}k\mathsf {Nat}\) of sort \(\mathsf {Nat}\), where \(\mathsf {N}k\mathsf {Nat}\) denotes a number greater than \(k\).
Acknowledgments
This work has been supported in part by NSF Grant CNS 1319109 and AFOSR Grant FA87501120084.
References
1. Bae, K., Escobar, S., Meseguer, J.: Abstract logical model checking of infinite-state systems using narrowing. In: RTA, LIPIcs, vol. 21, pp. 81–96 (2013)
2. Bae, K., Meseguer, J.: Model checking linear temporal logic of rewriting formulas under localized fairness. Sci. Comput. Program. (2014). http://dx.doi.org/10.1016/j.scico.2014.02.006 (to appear)
3. Chaki, S., Clarke, E.M., Ouaknine, J., Sharygina, N., Sinha, N.: State/event-based software model checking. In: Boiten, E.A., Derrick, J., Smith, G.P. (eds.) IFM 2004. LNCS, vol. 2999, pp. 128–147. Springer, Heidelberg (2004)
4. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press (2001)
5. Comon-Lundh, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005)
6. Escobar, S., Meseguer, J.: Symbolic model checking of infinite-state systems using narrowing. In: Baader, F. (ed.) RTA 2007. LNCS, vol. 4533, pp. 153–168. Springer, Heidelberg (2007)
7. Escobar, S., Sasse, R., Meseguer, J.: Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program. 81, 898–928 (2012)
8. Fernández, M.: AC complement problems: satisfiability and negation elimination. J. Symb. Comput. 22(1), 49–82 (1996)
9. Fernández, M.: Negation elimination in empty or permutative theories. J. Symb. Comput. 26(1), 97–133 (1998)
10. Hullot, J.M.: Canonical forms and unification. In: Bibel, W., Kowalski, R. (eds.) 5th Conference on Automated Deduction, Les Arcs. LNCS. Springer, Heidelberg (1980)
11. Jouannaud, J.P., Kirchner, C., Kirchner, H.: Incremental construction of unification algorithms in equational theories. In: Diaz, J. (ed.) ICALP. LNCS, pp. 361–373. Springer, Heidelberg (1983)
12. Lassez, J.L., Marriott, K.: Explicit representation of terms defined by counter examples. J. Autom. Reasoning 3(3), 301–317 (1987)
13. Meseguer, J.: Conditional rewriting logic as a unified model of concurrency. Theor. Comput. Sci. 96(1), 73–155 (1992)
14. Meseguer, J.: The temporal logic of rewriting: a gentle introduction. In: Degano, P., De Nicola, R., Meseguer, J. (eds.) Concurrency, Graphs and Models. LNCS, vol. 5065, pp. 354–382. Springer, Heidelberg (2008)
15. Meseguer, J., Palomino, M., Martí-Oliet, N.: Equational abstractions. Theor. Comput. Sci. 403(2–3), 239–264 (2008)
16. Meseguer, J., Thati, P.: Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols. Higher-Order Symbolic Comput. 20(1–2), 123–160 (2007)