Sound Veriﬁcation Procedures for Temporal Properties of Inﬁnite-State Systems

. First-Order Linear Temporal Logic (FOLTL) is particularly convenient to specify distributed systems, in particular because of the unbounded aspect of their state space. We have recently exhibited novel decidable fragments of FOLTL which pave the way for tractable veriﬁ-cation. However, these fragments are not expressive enough for realistic speciﬁcations. In this paper, we propose three transformations to translate a typical FOLTL speciﬁcation into two of its decidable fragments. All three transformations are proved sound (the associated propositions are proved in Coq) and have a high degree of automation. To put these techniques into practice, we propose a speciﬁcation language relying on FOLTL, as well as a prototype which performs the veriﬁcation, relying on existing model checkers. This approach allows us to successfully verify safety and liveness properties for various speciﬁcations of distributed systems from the literature.


Introduction
Verifying properties of distributed protocols is a demanding endeavor. Several approaches have been proposed, ranging from verification frameworks, like Iron-Fleet [12] or Verdi [27] to tool-supported languages like TLA` [17], Event-B [1] or Ivy [20,21]. However, when systems of arbitrary size are considered, verifying properties usually requires some remarkable effort: inductive invariants must be sought and exhibited (possibly with tool support), and some manual proof effort may still be necessary. Worse, when liveness properties are checked, this effort becomes very substantial and tool support is still quite limited.
A natural setting for specification, in particular for safety and liveness properties of infinite-state systems, is (mono-and many-sorted) first-order linear temporal logic (FOLTL). However, it is highly undecidable [13,14]. In recent work [23,24], some of the present authors devised the "Geneva" fragments of FOLTL, which were shown to be decidable. More precisely, these fragments enjoy a "bounded domain property" (BDP), a form of computable finite model property over the first-order domains. Decidability is obtained by expanding first-order quantifiers over the domains (using the computed bounds) and then relying on (decidable) propositional-LTL satisfiability checking.
The Geneva fragments are rather expressive but still have limitations that thwart their use for the specification of systems. In particular, most forms of fairness assumptions, as well as frame conditions (which specify what does not change when a transition happens in a system), do not fit in the fragments. Furthermore, topological properties of systems (such as ring topologies) are hard or even impossible to specify.
In this article, we mitigate this deficiency by exhibiting three transformations that allow to map an undecidable, expressive fragment of FOLTL * " (FOLTL with equality and reflexive-transitive closure, to characterize topological properties) into decidable fragments (akin to the Geneva ones), thus allowing the automatic verification of safety and liveness properties of infinite-state systems. Then we apply these techniques to the verification of properties of various protocols.
Notice that none of the proposed transformations is complete. It is actually impossible to devise complete transformations, even assuming a procedure that would be fed additional user input. This is because FOLTL is not even semidecidable. 1 In more detail, we make the following contributions (cf. Fig. 1): -we define an undecidable, expressive specification language, called Cervino, the semantics of which is expressed in terms of FOLTL * " ; -we exhibit two fragments of many-sorted FOLTL that enjoy the BDP; -we devise three abstraction transformations that map (the semantics of) Cervino into one of the said two fragments: • the first of these transformations (called TEA) is fully automatic while the other two (TTC and TFC) must be passed additional data (in the shape of peculiar formulas); • these three transformations, as well as other minor ones, are implemented as tactics in a prototype tool [22]; • the associated theorems and lemmas are also formalized and proved correct, using Coq [22]; -we demonstrate our approach on several case studies that are often used as benchmarks in the literature.
This article is organized as follows: in Sect. 2, we illustrate our approach using an example (a leader election protocol). Section 3 introduces definitions as well as the two fragments used in the rest of the paper. In Sect. 4, we present basic techniques, which are used in some of our transformations. Then, in Sect. 5, we formalize the automatic TEA transformation. Section 6 and 7 present, respectively, the TFC and TTC transformations. In Sect. 8, we evaluate our approach on various protocols. Finally, we compare our results with related work in Sect. 9. In this section, we present the Cervino modeling language informally. Its semantics, given in terms of many-sorted FOLTL * " (FOLTL with equality and reflexivetransitive closure), is formally introduced in Sect. 3.3. This language is suitable for specifying infinite-state systems. It is undecidable but we enforce some syntactic constraints anyway, in order to ease the further application of transformations mapping into decidable fragments of logic.
Cervino is illustrated in Fig. 2 using the example of a leader election protocol [6] in a ring of unbounded size. Nodes sit in a directed ring and each node has a unique ID. There is a total order on IDs. The goal of the protocol is to elect a leader (in practice, the one with the greatest ID). A node can send to its successor in the ring the IDs it knows about, the receiver keeping those that are greater than its own ID. A node is elected if it receives its own ID.

Sorts, Relations and Axioms
A Cervino specification may define sorts, (first-order) sorted relations and sorted constants. An interpretation structure for such a specification is a set of infinite traces of states. Classically, a state maps a sort to a non-empty set, a constant to an element of such a set and a relation to a set of tuples, all respecting the obvious sorting and arity constraints. The interpretation of sets and constants is rigid while that of relations is flexible.
In the example, nodes and their IDs are conflated into a single sort Node; and: an elected relation represents the set of elected nodes; a succ relation represents if two nodes are successive in the ring topology; a toSend relation represents the mailbox for each node; an lte relation defines a total ordering on nodes; an lmax constant represents the highest maximal identifier among nodes.
States can be constrained by axioms, i.e. sets of formulas. The latter belong to FOLTL * " , that is they can mix first-order logic (with equality) with the "always" (G), "eventually" (F) and "next" (written as a prime symbol and only applied to atoms), as well as a reflexive-transitive closure connective (written * ). However, we enforce a syntactic constraint on axioms: after converting them to negation

.).
A binary relation r can by "tagged" (written using btw) to force r to be a function 2 and enable a special ternary relation btw[r]. Then, btw[r](x,y,z) means that there is an acyclic path between x and z passing through y. The semantics of btw[r] is given through axioms (see Definition 14) and is related to r * through the following equivalence: r * (x, y) ⇔ btw[r](x, y, y).

Events
Events specify how the system may evolve from one state to another. Events (more precisely: event schemas) are declared with a name and a list of arguments that are the only variables that can appear free in the body of the event.
The declaration of an event also features a modifies section describing which tuples of which relations may be modified by the event. Other relations or parts of relations are necessarily left unchanged. The body of an event is specified in primed FO (FO augmented with primed relation symbols representing the value of these relations in the next state) with the additional constraint that no existential quantifier may appear positively in the body.
The semantics for events is standard and comparable to the one used in TLA`or Electrum: in every state, at least one event is fired. In other words, there is a valuation for arguments of at least one event such that the body of the said event evaluates to true. More formally (and ignoring sorting constraints for the sake of readability), given event bodies φ 1 , . . . , φ n and arguments y 1 , . . . , y mi appearing as free variables in φ i , the semantics of event is given by the formula: We insist that this formula is only implicit: it cannot be input by the specifier as it is the purpose of transformations to massage it. Finally, if needed, fairness constraints must be added by the specifier .
In the example, the send event represents the fact that a node updates its successor's mailbox by adding all IDs that are larger than the successor's ID. This way, the largest ID is passed along the ring. Notice we use universal quantification: we could have defined dst and id as parameters of send, but the implicit existential quantification, although theoretically acceptable, can be costly performance-wise (as succ is a function, this is significant for the id argument only). We also specify that the event modifies the toSend relation for specific pairs of a node and an identifier, only if these satisfy a condition saying that the ID is in the sender's mailbox (or corresponds to the sender's ID) and if the node is the sender's successor (the body of the event says what happens in that case).

Commands
A check declares a command to verify whether a property holds. To do so, a command uses a certain tactic (TEA, TFC, TTC), as well as additional parameters in the case of TFC and TTC (these are presented in Sect. 5 and 6, respectively). The purpose of this article is precisely to present these transformations. We notice that a command may also be associated with additional, specific axioms in an assuming section (in the example, this section contains a fairness property, necessary to prove the liveness property).

Syntax and Semantics of FOLTL
The basic vocabulary of MSFOLTL (that we simply call FOLTL in the following) is defined out of a signature Σ " (S, Const, R) where S is a set of sorts, Const is the set of (sorted) constant symbols and R " (R s ) sPS ‹ ) is a family of sets of relation symbols, with R s the set of relation symbols over tuples of sort s. Definition 1 (Formulas). Given a signature Σ " (S, Const, R) and a set of variables V, FOLTL " formulas over Σ and V are defined inductively by the following grammar: Const s ) the set of variables (resp. constants) of sort s. X and F stand for the "next" and "eventually" connectives. Usually FOLTL includes the U connectives, however it is not required in this paper. We also define "always" as Gψ " F( ψ). Similarly, classical propositional connectives ∧, ⇒ and ⇔ are defined in the natural way. Additionally: for a formula ψ having x as a free variable. FOLTL(C)) the set of FOLTL " formulas (resp. FOLTL formulas without equality) in NNF containing only temporal operators from C.
We now introduce the semantics of FOLTL " . In the interpretation structures defined below, the interpretation of relations varies over time while that of function symbols does not.
The extension of C to terms, also written C, is defined in the obvious way.
Definition 4 (Satisfaction). Given a structure M " (D, σ, ρ) and an assignment C, the satisfaction relation is defined by induction on formulas, for any i P N, as follows: Definition 5 (Reflexive-Transitive Closure 3 ). We write FOLTL * " for the enrichment of FOLTL " with a reflexive-transitive closure connective. Then for any sort s P S and any binary relation symbol r P R s,s , the language of FOLTL * " is augmented with a fresh binary relation symbol : r * P R s,s , and we have: Let φ, φ be two FOLTL * " formulas. If for any structure M and any assignment C, we have M, 0, C φ iff M, 0, C φ then we say that φ and φ are logically equivalent, written φ " φ .

Bounded Domain Property
In this section we introduce the Bounded Domain Property (BDP) and present two fragments of FOLTL that enjoy the BDP. These fragments play an important role in the verification procedures presented in this article.
Definition 6 (Bounded Domain Property). A fragment Frag of FOLTL enjoys the bounded domain property (BDP) if given φ P Frag, φ is not satisfiable, or there is a domain-finite structure M s.t. M, 0 φ whose the domain size is computable from φ. Additionally, BDP implies decidability.
We now present the two fragments that are used in this paper. Both fragments are included in a larger fragment for which the BDP is established in [24].

Definition 7 (LTR fragment). A formula φ of FOLTL " is said to belong to the (multisorted) Linear-Temporal Reasoning (LTR) fragment if φ is in NNF and existential quantifiers only appear in the head of φ.
Theorem 1 ( [16,24]). Any formula φ P LTR (even with equality) enjoys the BDP. The bound of verification for each sort is the sum of the numbers of existential quantifiers and constant symbols over this sort.
where θ has the following syntax: θ:: where α is an FO formula in NNF without any existential quantifier and is a literal. Definition 9. FOLTL(X, F, @↓) is defined by the following grammar: φ:: with α an FO formula in NNF without any existential quantifier, a literal and y P V.
Definition 11. Given a formula φ P FOLTL(X, F) in NNF, we define its stride K φ as the maximal number of nested X connectives. Formally :

Semantics of Cervino
In this section, we define the semantics of a Cervino machine as an FOLTL * " formula. Notice first that, in Cervino, the next instant is referred using the prime symbol, applied to relations only: this translates to an FOLTL sub-formula using the X connective, after application of the semantics. Now, a frame condition is defined as a formula that specifies that a certain relation will not change (between the instant before and after the event occuring) for tuples satisfying some constraints.

Definition 13 (Semantics of an event). Let ev be an event of a Cervino machine declared as follows:
where each list x of variables have sorts corresponding to the profile of r.
For any binary relation r that enables btw [r], the ternary relation btw [r] stating that there exists an acyclic path between two elements passing through a third element is axiomatized in FO following [18].

Definition 14 (Semantics of between). Given a binary relation symbol r, the semantics of btw[r]
is given by adding axioms of transitivity, antisymmetry, partial totality, partial reflexivity, cycle maximality, transitivity of reachability, path consistency, taken from [18] in addition to the following axiom: The property (TC) relating btw [r] and r * can be deduced from the axioms provided that the domain of s is finite.
The semantics of a Cervino machine is then an FOLTL * " formula describing the set of its traces. But, since we aim at verifying systems, we are not only interested in the set of traces but also in the set of counterexamples of a property. This set is also described by an FOLTL * " formula which is the conjunction of the semantics of the machine and the negation of the property we aim to check.

Basic Transformations
In this section, we present basic transformations used to build the more complex TFC and TTC tactics (respectively presented in Sect. 6 and 7). These transformations are used to map (the semantics of) a system specification into a more general Geneva formula.

Transforming Equality
Equality is replaced 4 by a dynamic congruence relation " s , for every sort s. The signature is therefore extended with these fresh " s relations.
Definition 17 (Equality transformation). Given a fresh binary relation " s for every sort s of a formula, the transformation of equality is defined recursively: -(the rest is just a recursive walk on formulas) Furthermore, the following set Eq " of axioms is added to the whole specification: -for any sort s: G@x : s · x " s x -for any sort s: G@x : s, y : s · x " s y ⇒ y " s x -for any sort s: G@x : s, y : s, z : s · x " s y^y " s z ⇒ x " s z -for any relation r and adequate sorts s conforming to the profile of r: is satisfiable (and does contain " anymore).
Proof. Proof validated in Coq. It is easy to see that equality is a particular case of the equivalence relation introduced by this transformation.

Restricted Skolemization
The following transformation corresponds to a form of Skolemization meant to create only new constants symbols. Its main purpose is to introduce constants that can then be used by instantiation (Sect. 4.3). Existentially-quantified variables can be substituted by fresh constants, except when under a G connective.
Definition 18 (Skolemization). Skolemization is defined by the following operation (all fresh constant symbols are added to the signature): where c is a fresh constant symbol -(the rest is just a recursive walk on formulas) Lemma 2. Given an FOLTL " formula φ, then Abs D (φ) and φ are equisatisfiable.
Proof. Proof validated in Coq. Corresponds to a usual Skolemization procedure.

Instantiation
One of the main limitations of the Geneva fragment is the prohibition of temporal operators under universal quantifiers. The solution we propose to this problem is to finitely instantiate such universal quantifiers. The following transformation formalizes this idea: all universal quantifiers over temporal formulas are replaced by a conjunction over the set of constants and existentially-bound variables.

Definition 19 (Forall instantiation). Given a set I of constant and variable symbols, we define the transformation of universal quantifiers as follows:
-Abs @,I (t 1 " t 2 ) " t 1 " t 2 and Abs @,I ( ) " -Abs @,I (Dy : s · φ) " Dy : s · Abs @,IY{y} (φ) -if φ P FO (φ does not contain temporal connectives) then Abs @,I (@x : s · φ) " @x : s · φ, otherwise Abs @,I (@x : s · φ) " cPIs Abs @,I (φ[x → c]) (where I s is the set of terms in I of sort s) -(the rest is just a recursive walk on formulas) Remark 1. There is no need to transform a universal quantifier if all temporal operators in its scope permute with it, for instance: @x · GP is equivalent to G(@x · P ) and @x · (XP ) ⇒ (XQ) is equivalent to X(@x · P ⇒ Q).
Proof. Proof validated in Coq. This operation consists in instantiating universal operators, thus preserving satisfiability.

Addressing Transitive Closure and the Between Relation
Since we target fragments of FOLTL (without transitive closure), we define the transformation Abs * (), which leaves a formula unchanged except it uninterprets the operator * , i.e., Abs * (φ) returns φ where every occurrence of r * is considered as a new relation symbol, unrelated with r.
Besides, the between relation axioms does not fit into Geneva or LTR, so we define their abstract semantics as follows.
Definition 20 (Transformation of between axioms). Given a binary relation symbol r, we define btw [r] " G btw where btw is the conjunction of the axioms from Definition

Geneva Transformation
The basic transformations introduced above are mainly used together, in a specific order.
Proof. Recall the conditions to belong to Geneva: (1) no G operator in the scope of an existential quantifier that is itself under an G connective; (2) no existential quantifier in the scope of a universal quantifier; (3) no equality; (4) no temporal quantifier in the scope of universal quantifiers; and (5) no transitive closure. Given ψ, φ satisfying the given hypotheses, let us write α " D y 1 : s 1 · (ψ^G(D y 2 : s 2 · φ)). Then, in α, existential quantifiers appear either at the head of the formula or under an G operator over the φ formula.
Since φ contains no other temporal connectives than X and F, condition (1) is met. Condition (2) is met as all existential quantifiers appear before universal quantifiers. Abs " (.) ensures that equality is not used in the final formula, thus ensuring condition (3). Abs @,Const (.) instantiates all universal quantifiers that contain temporal connectives in their scope (we assume that if such operator could have been swapped with an universal quantifier, it has been done beforehand), which ensures condition (4). Finally Abs * (.) erases the reflexive transitive closure, ensuring condition (5). Since it is obvious that none of the transformations can introduce formulas breaking any of the conditions, we conclude that Abs Gen (α) belongs to Geneva.

TEA: Transforming Existential Quantifiers
We now present the fully-automatic TEA transformation. It starts with the observation that the formula specifying events (see Definition 13) is of the shape GD x · i ev i ( x), that is, in every state, at least an event is fired. The gist of the TEA transformation is then twofold: (1) we replace these existential quantifiers by universal ones; (2) for every such existential quantifier, we add a fresh relation E, which holds only for the constant semantically associated to this quantifier. The whole resulting abstract specification lies in the LTR fragment, which enjoys the BDP (Theorem 1). The formula specifying events is however more general than the original one, because it allows more transitions to happen. The abstract system may thus violate a property holding on the original specification. But it is now decidable to check whether the property holds in the abstract system and, if so, this entails that it also holds in the original system.
Before presenting the transformation, notice that, in the following, we consider event formulas, that is primed FO " formulas of the shape φ " Dy 1 : s y1 , . . . , y n : s yn · @x 1 : s x1 , . . . , x m : s xm · ψ, where ψ is in NNF and does not contain any first-order quantifiers. These formulas naturally arise when putting the semantics of events in prenex normal form. We also suppose we have a supply of fresh relation symbols, written E i (one for every y i , 1 i n).
To devise the transformation and prove its soundness, we first introduce a formula specifying that the E relations are functional. This schema appears in the final abstract specification.
As we introduce these E relations, we also define an enrichment of the event formula accounting for the extended signature. This new formula appears as a link between the two lemmas entailing soundness.
We now present the essential part of the transformation, transforming an event formula φ into a purely universal one U φ , more general than φ. In other words, U φ allows more transitions than φ if we ignore the specification of E 1 , . . . E n . To do that, for any variable y whose corresponding fresh relation is E, we proceed with the following steps. First: equality between y and another variable is replaced with the relation E applied to the latter; and any other literal containing y is replaced by E(y) ⇒ . Once these transformation are done, it is possible to replace existential quantification over y by a universal quantification.

is either a constant or a variable in x)
where is a (possibly primed) literal and {y a1 , . . . y ai } " FV( ) X y -(the rest is just a recursive walk on formulas) Example 1. Consider the following event formula, stating that there is an event making R true in the next state for a variable y (other variables remain unchanged w.r.t. R): φ " Dy : A · R (y)^(@x : Then there is only one fresh E relation, and U φ is: Now, the following lemma states that every model of the enriched event formula is also a model for the transformed event formula.
Proof. Proof validated in Coq.
Lemma 5 applies to a formula representing a whole specification: if such a specification is satisfiable, then a certain transformed version of it is satisfiable too.
Lemma 5. Let θ be an FOLTL " formula, and φ be an event formula on the same signature. Then if θ^Gφ is satisfiable, θ^G(U y φ )^Ax E (φ) is also satisfiable.

Proof. Proof validated in Coq.
Definition 25 (Abstract semantics). Given a Cervino machine Mch such that the relations enabling btw are r1, . . . , r l , we define U Mch " φ 0Ĝ U φ tr ^φ btw , where φ 0 and φ tr are defined as in Definition 15 and φ btw " Proof. This is a direct application of Lemma 5. Proof. Directly follows from the definition of U . .

TFC: Transforming Frame Conditions
The TEA transformation has the advantage of being fully automatic but it can be inconclusive in a number of cases. For instance, the verification of a distributed system involving strong interactions between its components, which induces events with two or more parameters, is likely to be inconclusive using TEA. This is because the universal quantifiers that are introduced by TEA are abstracting these interactions (which are naturally expressed with existential quantifiers) in a too drastic way.
In this section, we present another transformation, called TFC, which overcomes these limitations but requires some intervention from the specifier.
Instead of targeting the LTR fragment, we now target the Geneva one, which allows for existential quantifiers in the scope of G, but forbids temporal formulas in the scope of a universal quantifier. As a consequence, frame conditions, which are typically of shape @x : s · ϕ cond ⇒ (r(x) ⇔ Xr(x)), are not expressible in Geneva. In order to fit into it, such universal quantifiers are instantiated over constants (see Abs @,Const (·) defined in Sect. 4.3). But then a large part of the information included in the frame conditions is lost. Therefore, we associate some particular kind of invariant properties, called stability axioms, with each event, as a finer transformation of frame conditions. Intuitively, a stability axiom is a pure FO formula that is preserved by an event. Since it is expressed in pure FO, the preservation of a stability axiom is then expressible in Geneva.

Definition 26 (Stability Axiom). Given a set of frame conditions C, an FO
St C denotes the set of stability axioms for C.
The specification of stability axioms is a creative step, but it can be eased with the help of a syntactic condition, which is sufficient to be a stability axiom. The idea is that a formula of the following shape is necessarily a stability axiom: ϕ hyp ⇒ ϕ, were ϕ hyp corresponds to the guard of a frame condition that leaves a relation r unchanged, and ϕ only refers to the relation r.

Example 2.
In order to illustrate the use of stability axioms, let us consider the leader election distributed system, introduced in Sect. 2. Since TEA does not succeed in proving the safety property, we can try TFC with the following stability axiom for event send: This axiom expresses that if a node x different from the successor of src has an ID y in its mailbox, then the node with the greatest ID is located between x and y (recall that a node and its ID are conflated). This means that outside the scope of the event, an ID cannot jump over the node with the greatest identifier.
Exhibiting this stability axiom requires some work. It would also be possible to proceed using an inductive invariant but, since the property to check is not inductive, doing so would also require some effort.

Example 3.
In order to illustrate the difference between stability axioms and inductive invariants, we take a toy token protocol as an example. For the sake of simplicity, we consider a property to check that is already inductive. The protocol features one token passing from nodes to nodes with only one send event send(x,y), with body: token(x) ∧ !token'(x) ∧ token'(y) ∧ frame, where frame := @ z · (z " x ∧ z " y) ⇒ (token(z) ⇔ token'(z)).
The (inductive) property to check is that there is always at most one node holding the token. To prove this property without relying on its inductiveness, we can use the following stability axiom: stab := @ z · (z " x ∧ z " y) ⇒ !token(z). Contrary to the inductive invariant, the stability axiom has free variables matching the parameters of the event (which are implicitly quantified existentially). Also the preservation of the stability axiom follows from the frame condition as frame stab ⇒ Xstab, while the preservation of the inductive invariant follows from the whole transition.

Remark 2.
Notice that this property is also true for the nodes that are in the scope of the event, i.e., src and its successor. So in this case, the stability axiom is very close to an invariant property. But this is not the case in general. A distinguishing aspect is that TFC with this stability axiom succeeds in proving the safety property, whereas it would not be possible to deduce it from the "invariant" version of this stability axiom.
The TFC transformation is performed in two phases: 1. Stability axioms, which are provided by the specifier, are added to the body of each event. At this step, the semantics of Cervino is strengthened by the transformation. The obtained formula is not in the Geneva fragment, in particular because of the frame conditions. 2. The Geneva transformation, which is presented in Sect. 4, is applied. In particular, the frame conditions are abstracted by equality transformation and instantiation, but the stability axioms are left unchanged.  Proof. Follows from Lemmas 1, 2 and 3.

TTC: Transforming Reflexive-Transitive Closure
We now present a simple, effective transformation technique to approximate reflexive-transitive closure (which is present in Cervino and its FOLTL * " semantics). This technique has shown to be useful to prove some liveness properties.
As is well known, transitive closure cannot be fully specified in pure FO. On the other hand, it can be specified in pure FOLTL, but the axiomatization we are aware of does not fit in the fragments considered here. However, it is possible to define an interesting approximation that does fit in the Geneva fragment.
Informally, the crux of our technique relies on the following observation: any property propagating along a binary relation will eventually propagate to the reflexive-transitive closure thereof. This is proved (see Theorem 8 below) by following the definitions of the transitive closure and of the eventually connective.
Definition 30 (Propagation schema). Given binary relations r and t on a sort s, given a formula P with k`1 free variables (k 0), the first of which (of sort s) is distinguished in the following. Given k variables x of appropriate typing, we define the propagation and closure schemas as follows: Proof. Proof validated in Coq. The proof sketch is the following : we consider the set of element to which the property eventually propagates. Then we use the hypothesis that the property propagates along a binary relation r to show that this set is closed under the relation r. Then as the transitive closure from some element is the smallest set closed under the relation r, we know that the property propagates to any element in the transitive closure.
We prove that under the Propagates[r, P, x] hypothesis, for any u, the set of v's satisfying G (P [u, x] ⇒ FP [v, x]) is included in the set of v's that are reachable from u along r. Let M be a structure and C an assignment s.t. M, C Propagates[r, P, x]. We assume that there is an instant i such that P [u, x] holds (otherwise the satisfaction of the axiom is trivial). Then M, i, C FP [u, x]. Also, Given this theorem, the technique we propose consists in replacing the reflexive-transitive closure of a relation (which fits in Cervino and FOLTL * " ) by an uninterpreted relation satisfying the closure schema shown above, for some property P that depends on the sort of the considered binary relation as well as, possibly, other arguments. Remark that finding such a property P requires creativity: the specifier must come up with a relevant propagating property.
Example 4. In the case of the leader election example, we use TTC to check that a leader will be elected at some point. The property we use is propagation along succ of having a given ID in one's mailbox (Propagates[succ, toSend , id ]).
Definition 31 (Abstract semantics). Let Mch be a Cervino machine, such that r j1 , . . . , r j l are binary relations enabling btw, and r k1 , . . . , r km are binary relations whose reflexive-transitive closure is used in Mch. Now, given formulas P 1 , . . . , P , where for every 1 i m, FV(P i ) " {x, x 1 , . . . , x ni } (with x the distinguished free variable), we define the transitive closure transformation as: where φ 0 and φ tr are defined as in Definition 15 and φ btw " We also define T Mch φ " Abs Gen (T Mch ^ φ) (notice that, due to the application of the Geneva transformation, the r * i relations become uninterpreted).

Evaluation
To evaluate the relevance of our three tactics, we applied them to several models of distributed protocols. Our research questions were (1) to check that our methods were applicable to real models; (2) to check whether our approach was efficient enough; and (3) to assess the effort for the specifier to come up with parameters for TFC and TTC. Our strategy was always first to apply the TEA tactic. If TEA failed, then in the case of safety properties, we devised stability axioms in order to apply TFC. Otherwise, for liveness properties and for systems relying on transitive closure, we relied on TTC.
The Cervino prototype takes a Cervino specification as input and generates Electrum models which are then fed to the Electrum Analyzer [4], which itself calls a complete procedure in nuXmv [5]. On a general note, efficiency can be compromised in the case of the TTC and TFC tactics due to larger inferred bounds than for TEA. Furthermore, the size of LTL formulas generated by Electrum for nuXmv grows quickly as the tool merely unfolds quantifiers into conjunction and disjunctions, depending on the bounds. For this reason, we leveraged some properties of the Geneva fragment to end up with smaller models: (1) the size of each domain is an exact bound rather than just an upper one; (2) all constants are distinct; (3) existential quantifiers can be unfolded on a limited part of the domain. This is the case because the proof of the BDP for the Geneva fragment [24] shows that, if there is a model of a Geneva formula, there is a model satisfying these properties. The specifications we evaluated are of moderate complexity but are not just toy models: TLB shootdown The TLB Shootdown algorithm [3] is part of the Mach operating system. Processors keep a cache of page tables in a Translation Look-aside Buffer (TLB). The safety property we prove is that whenever the protocol ensures that the page table is updated, the corresponding update will be flushed by either the initiator or the responder. Dining philosophers This classic protocol features an unbounded number of philosophers sharing forks. We prove a mutual exclusion property, that is that a fork cannot be simultaneously held by two different philosophers.
Lock server We present a simple lock server protocol studied in Verdi [27] and Ivy [21]. The protocol features a single server and an unbounded number of clients willing to hold a lock. The safety property we verify is that two different clients cannot simultaneously hold the lock. Gset and 2Pset Conflict-free Replicated Data Types (CRDTs) are a family of concurrent protocols where a data structure is replicated in a network and where the replicas can be independently and concurrently updated. We model the Grow-only Set (G-Set) [26] and the 2-Phase Set [26] CRDTs. In both cases, we prove that any update is eventually delivered to all replicas. Leader election The leader election protocol, presented in Sect. 2, is inspired by [6]. We notice however that a node sends all the contents of its mailbox at once, which is a strong simplification. Token ring Token Ring is a classic protocol where a token is passed through nodes with mailboxes in a ring. We prove a safety and a liveness property.
In the first case, we use the TFC tactic with 2 stability axioms, one for each event, which basically state that if there is no token apart from the one transferred, then no token can appear on unmodified nodes during the event.
The TTC parameter says that the property of holding the token is the one that should propagate, under strong fairness. FIFO This protocol is a simple mutual exclusion protocol based on a FIFO strategy. We prove a liveness property using TTC, stating that for any integer i, being in the i-th position of the list is a propagating property.
Our conclusion to these case studies is the following (Fig. 3). First the TEA tactic is only efficient for models involving few interactions, which can be attributed to the loss of precision when using universal quantifiers. Regarding TFC, the effort required to find stability axioms seems to be similar to finding an inductive invariant. For TTC, all propagating properties were very simple. Finally, we noticed that, for more complex systems, TTC and TFC can lead to problems that are too large for the model-checker to answer in time (e.g. 1 h.)

Related Work
The usual way to check a safety property is to exhibit an inductive invariant for the system. The TEA tactic is completely automatic and can handle safety properties but remains quite limited. In our experiments, the TFC tactic showed to be as flexible as an invariant to prove safety properties. Finding stability axioms or an inductive invariant appear similar in difficulty. However, once found, checking an inductive invariant is quicker in computation time than checking the abstract system obtained with stability axioms. On the other hand, stability axioms allow to check complex temporal properties.
Regarding liveness properties, important approaches are based on exhibiting a variant or using the Liveness-to-Safety reduction method proposed in [19]. For the simple examples done with TEA, such methods would allow to prove the properties with little efforts, if done right, but are not fully automatic contrary to the TEA tactic. In both case the computation time is really low.
With the TTC approach, we do not need to exhibit any sort of invariant and the propagating property to exhibit has always been straightforward. To our knowledge there is no easiest method to prove some of the examples we presented. For example, the liveness property of the leader election protocol requires to exhibit a variant and an invariant and both are harder to exhibit than the propagating property. The Liveness-to-Safety reduction method also applies here, but it requires to find an invariant on the system obtained by reduction, as well as finding an axiomatization of the reflexive-transitive closure preserving the Liveness property (while this axiomatization is embedded in TTC tactic). However, despite being more immediate in our examples, the TTC tactic is less flexible than these two alternatives since it applies for liveness properties based on the reflexive-transitive closure.
Our approach can also be compared with the specification of parameterized systems. Cubicle [7][8][9][10] is an SMT-based model-checker for the verification of safety properties on parameterized systems. Cubicle is efficient for challenging systems but, contrary to our techniques, it enforces strict syntactic constraints on guards and on the checked property. Others techniques based on labelled proof systems have also been proposed [2]. In [15], the safety of the TLB Shootdown algorithm is proved using such a technique. The user must exhibit the correct invariant for the proof system to conclude; while the TEA tactic is automatic. Also, some methods, such as invisible invariants [25], rely on finding automatically a candidate for being an inductive invariant and then checking if this is the case without needing any input from the user. Such an approach is automatic and efficient but only applies to Bounded-Data Parameterized Systems while our methods applies to a wider context. While most work on parameterized systems focuses on safety properties, [11] addresses liveness properties, but remains essentially theoretical. We remark that the techniques mainly used for parameterized systems are mostly orthogonal to those presented in this paper, and a combination of both could be fruitful.

Conclusion
We devised three original, sound (but incomplete) transformations, that allow to check that a state machine specification, expressed in a rather expressive fragment of FOLTL * " , enjoys a temporal property, expressed in the same setting, whatever the bounds on domains (associated with sorts) are. The transformations were proved correct in Coq. We evaluated our approach on several case studies and found that the transformations were effective and, for the semiautomatic ones, demanded an effort comparable to other approaches. A drawback is that the computed bounds can sometimes grow too much for modelchecking to be feasible with the back-end tools we used. Notice that our approach is orthogonal to the main other approaches (for instance, inference of invariants) and could certainly be combined with some of them. Once a universally quantified inductive invariant Inv is found, such a combination would be possible by adding an axiom of the form G Inv to our abtract specification. This refines the abstraction while fitting in both LTR and Geneva. This is left for future work.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.