Parameterized verification of leader/follower systems via first-order temporal logic

We introduce a framework for the verification of protocols involving a distinguished machine (referred to as a leader) orchestrating the operation of an arbitrary number of identical machines (referred to as followers) in a network. At the core of our framework is a high-level formalism capturing the operation of these types of machines together with their network interactions. We show that this formalism automatically translates to a tractable form of first-order temporal logic. Checking whether a protocol specified in our formalism satisfies a desired property (expressible in temporal logic) then amounts to checking whether the protocol’s translation in first-order temporal logic entails that property. Many different types of protocols used in practice, such as cache coherence, atomic commitment, consensus, and synchronization protocols, fit within our framework. First-order temporal logic also facilitates parameterized verification by enabling us to model such protocols abstractly without referring to individual machines.


Introduction
Parameterized verification is becoming increasingly important nowadays, with technologies like the Internet of Things (IoT), sensor networks, robot swarms, and satellite constellations becoming widespread. Systems involving large numbers of communicating components are commonly deployed, increasing the need for scalable verification techniques to ensure that such systems operate as expected.
Parameterized verification via first-order temporal logic [13,16,18] is an approach to parameterized verification, proposed as an alternative to regular model checking for parameterized and infinite-state systems [1,2] and constraint-based verification using counting abstractions [10,11,14]. The model checking approach has been applied to several scenarios verifying safety properties and some liveness properties, but is in general incomplete. Constraint-based approaches do provide complete procedures for checking safety properties, but these procedures have non-primitive recursive upper bounds, and they usually lead to undecidability when applied to liveness properties. On the other hand, while first-order temporal logic is incomplete [29] and generally undecidable [22], a certain syntactic restriction to it, referred to as monodic first-order temporal logic, is finitely axiomatizable [31] and (if one restricts its first-order part to a decidable fragment of first-order logic) decidable [22]. Roughly speaking, a first-order temporal logic formula ϕ is said to be monodic if every sub-formula of ϕ appearing within the scope of a temporal operator has at most one free variable.
As shown in [13,16], monodic first-order temporal logic is expressive enough to specify various types of systems commonly appearing in practice. In particular, [13,16] show how to encode in said logic an abstract protocol model, first appearing in [10,11], for networks of arbitrarily many, identical finite-state machines communicating via broadcast messages. Using this approach, one is able to automatically translate any suitable protocol to a monodic first-order temporal formula that encapsulates its behaviour. One is then able to check whether that protocol has a certain property by checking whether said formula logically entails the property. (Of course the property must be expressible in monodic first-order temporal logic.) In this work, we introduce a new abstract model that encapsulates the one appearing in [10,11,13,16], but can be applied to a wider class of protocols, such as cache coherence, atomic commit, consensus, and synchronization protocols. Sect. 5 provides three examples of protocols specified in this model.
Our model applies to settings in which a distinguished finite-state machine (referred to as a leader) orchestrates the operation of arbitrarily many, identical finite-state machines (referred to as followers). As an example of such a setting, consider a simple consensus protocol in which the leader asks the followers whether they agree on a certain parameter change by broadcasting to them an "agree?" message, to which they reply with either a "yes" (when they agree) or a "no" message (when they do not agree), and, if they all agree, the leader changes the parameter. We assume that message delivery is guaranteed, but each message can take arbitrarily long to arrive to each recipient and may arrive multiple times.
The setting in the above example is different to the setting in [10,11,13,16] in two main ways. First, only the leader broadcasts to the followers: each follower can only message the leader (and not other followers). Second, unlike the followers, which react to individual messages, the leader reacts to collections of messages. For example, an individual "yes" message does not generally convey any information to the leader, apart from the possibility of a consensus in the future (assuming the leader has not received any "no" messages). To Fig. 1 A simple protocol in which the leader (a 0 ) has to record the messages it receives from its followers (a 1 , a 2 , a 3 ) be able to make a decision about the consensus in the future, the leader has to maintain a persistent record of individual messages together with an identifier for their sender.
To incorporate such functionality, our model introduces the concept of an inbox. Inboxes provide a way for the leader to organize incoming messages and record their sender. For the above setting, the leader maintains an inbox for "yes" messages and an inbox for "no" messages, and, upon delivery of a message, the sender's identifier is recorded in the inbox. See Fig. 1 for a possible execution in that setting. (Each inbox is represented by a box; dotted arrows represent the flow of time; regular arrows represent messages.) Then, consensus is achieved if the "yes" inbox contains the identifiers of all followers. For different protocols, we enable the leader to react to different conditions upon its inboxes. (For example, the leader can react to an inbox having exactly one element or to an inbox having more than one element.) For symmetry, each follower is also equipped with an inbox, which is simply a record of ingoing messages (all ingoing messages to a follower come from the leader, so the sender need not be recorded). Our model can be considered as a generalization of the model in [10,11,13,16] since follower broadcasts can be emulated using the leader as a network relay that broadcasts all its ingoing messages (see, for example, the leader in Sect 5.1).
The plan of this paper is as follows. In Sect. 2 we review some relevant concepts from first-order temporal logic. In Sect. 3 we give a formal definition of our model. In Sect. 4 we show how our model automatically translates to (monodic) first-order temporal logic. In Sect. 5 we specify with our framework three protocols appearing in practice, namely the FloodSet protocol [28], the two-phase commit [6,19], and Control-MAC [7]. In Sect. 6 we discuss related work.
If ϕ is an FOTL-formula, we denote its length by ϕ . FOTL-formulae are interpreted in first-order temporal structures, i.e. sequences M = A 0 , A 1 , . . . of first-order structures over the same domain A. That is, given a non-empty set A, A n = A, I n (n ∈ N), where is I n an interpretation of predicate and constant symbols over A, assigning to each predicate symbol P a relation P A n on A of the same arity as P (if P is a nullary predicate, P A n is simply one of the propositional constants or ⊥), and to each constant symbol c an element c A n of A. We require that the interpretation of constants be rigid, i.e. I n (c) = I m (c), for all n, m ∈ N. An assignment a in A is a function from the set of variables {x 0 , Fig. 2. We say that a formula ϕ is true in M if there exists an assignment a such that A 0 | a ϕ. A formula is satisfiable if it has a model and valid if it is true in any temporal structure under any assignment. A formula is called monodic if any subformula of ϕ of the form ψ, ♦ψ, ψ, ψ 1 U ψ 2 , or ψ 1 W ψ 2 has at most one free variable. For example, the formulae ∀x(P(x) → Q(x)) and ∀x ♦∃y P(x, y) are monodic, while the FOTL is incomplete (not recursively axiomatizable) [29] and undecidable [22]. In contrast, MFOTL is finitely axiomatizable [31], and, if its first-order part is restricted to a decidable fragment of first-order logic, decidable [22]. Of particular interest to us are the monadic fragment and the two-variable fragment of MFOTL, both decidable and EXPSPACE-complete [21]. (Most of the formulas we require can be written in monadic MFOTL. As we shall see later on, if some form of counting is required, two variables are necessary.) Two automated theorem provers are available for MFOTL: TeMP [23] and TSPASS [26,27]. These provers implement a form of temporal resolution called fine-grained resolution [8,24]. (See [12,15] for some applications of TeMP and [3][4][5]20] for TSPASS.) It should be noted that these provers use (for technical reasons) so-called expanding domain semantics. (The semantics that we provided above are constant domain semantics. With expanding domain semantics, the domains of the structures in a temporal model M = A 0 , A 1 , . . . are expanding, i.e. A n = A n , I n , where A n ⊆ A n+1 (n ∈ N) and I n is an interpretation over A n ; with constant domains, A n = A n+1 = A.) It is known that satisfiability over expanding domains reduces to satisfiability over constant domains [30]. [24,Sec. 7] discusses how to enforce constant domains in finegrained temporal resolution (which uses expanding domain semantics). This is useful for applications using TeMP or TSPASS that require constant domains. Various applications may also require finite domains. In this connection, [17,25] report on characterizing finite domains using MFOTL. In particular, [17] reports that each of the following three axioms enforces finite domains (and is derivable from each of the other two): ( is interpreted as "sometime in the past".) [17] also reports that for classes of protocols satisfying a certain "stabilization principle" (FloodSet in Sect. 5.1 and the two-phase commit in Sect. 5.2 both satisfy this principle, but Control-MAC in Sect. 5.3 does not), satisfiability over finite domains coincides with satisfiability over arbitrary domains. Thus, (F1)-(F3) need not be used to enforce finiteness for such protocols.
Adding either equality or function symbols to MFOTL leads to the loss of recursive enumerability [9,31]. This is a limitation that affects applications (such as the Control-MAC protocol in Sect. 5.3) that require the counting quantifiers ∃ =1 x P(x) and ∃ >1 x P(x) ("there exists exactly one x such that P(x)" and "there exist more than one x such that P(x)" respectively), which we use as shorthands for ∃x P(x) ∧ ∀x∀y((P(x) ∧ P(y)) → x = y) and ∃x∃y(P(x) ∧ P(y) ∧ ¬(x = y)) respectively, where P(·) is a unary predicate. (We also use ∃ ≥1 x P(x) in place of ∃x P(x) sometimes for emphasis.) Due to the aforementioned limitation, ∃ =1 x P(x) and ∃ >1 x P(x) cannot be input to TeMP or TSPASS. To address this issue, one option is attempting to specify equality axiomatically. In a non-temporal setting, equality can be axiomatized as a congruence relation, i.e. as a binary relation E(·, ·) satisfying axioms (E1)-(E4) below: . , x n ) → P(y 1 , . . . , y n )) In a temporal setting, one needs in addition axiom (E5) below, enforcing the condition that equal objects remain equal across time: The problem with this approach is that formula (E5) is not monodic. As a result, one is left only with axioms (E1)-(E4). Now, suppose that one wishes to check whether a monodic formula χ containing equality is valid. (For our purposes, χ will be of the form ϕ → ψ, where ϕ describes a protocol and ψ a correctness condition for that protocol.) It should be clear that if EqAx → [χ] E is valid, where EqAx is the conjunction of formulas (E1)-(E4) and [χ] E is the result of replacing in χ all occurences of x = y with E(x, y), then χ is valid. (Any proof of χ in the axiomatic system (E1)-(E4) is trivially a proof of χ in the axiomatic system (E1)-(E5), and the latter system fully captures equality.) Thus, one is left with a correct but incomplete approach to check the validity of a monodic formula χ containing equality: one uses TeMP or TSPASS to check whether EqAx → [χ] E is valid; if the prover concludes that it is, then one knows that χ is valid; if the prover concludes that EqAx → [χ] E is not valid, then the validity of χ remains unknown.

Distributed machines
In the following setting we have a collection of k + 1 (k > 0) finite-state machines in a network, k of which are replicas of each other and the remaining machine is a distinguished machine orchestrating the operation of the replicas. Each replica is referred to as a follower, the distinguished machine is referred to as a leader, and the whole network of these k + 1 machines is referred to as a distributed machine.
Communication in the network occurs via the exchange of the following types of messages: (a) broadcast messages from the leader to the followers; and (b) individual messages from a follower directed to the leader. (A follower can theoretically broadcast a message to the followers by using the leader as a relay; see, for example, Sect. 5.1.) Delivery of messages in the network is guaranteed. (See Rem. 1 for a technicality about guaranteed delivery in synchronous networks.) Depending on the application, delivery of messages can occur within one time unit (synchronous network) or it can take arbitrarily long (asynchronous network). In the latter case, a broadcast message (by the leader) can arrive to different followers at different times; and each message can arrive to its recipient (be it the leader or a follower) multiple times. The leader has a separate inbox for each message it is meant to receive. Upon delivery of a message, an identifier for the message's sender (i.e. a follower) is added to the appropriate inbox. Every follower has an inbox of messages and, upon delivery, each message to a follower is added to the follower's inbox.
The leader's transitions correspond to three types of actions: (a) reacting to one of its inboxes; (b) broadcasting a message to the followers; and (c) local (not related to the network). Specifically, in type (a) transitions the leader reacts to an inbox (i) being empty; (ii) having exactly one element; (iii) having one or more elements; (iv) having more than one element; or (v) being full, i.e. containing the identities of all followers in the network. Type (a)(ii)-(v) transitions for the leader delete the contents of the corresponding inbox. Each follower's transitions correspond to three types of actions: (a) reacting to a message in the follower's inbox; (b) sending a message to the leader; and (c) local (not related to the network). Type (a) transitions for each follower delete the corresponding message from the follower's inbox.
We stress at this point that receiving a message and reacting to a message or a message's inbox are different things: receiving a message is a network action (simply registering the message to the recipient) and is independent of the recipient's operation; reacting to a message (in the follower's case) or a message's inbox (in the leader's case) is an action in which the recipient takes a transition relevant to that message. The recipient of a message need not react to it (in the follower's case) or to its corresponding inbox (in the leader's case), neither at the time of its receipt nor at any future time.
We now proceed to define the above concepts formally.

Notation for messages and transitions
In the sequel, we adopt the following convention regarding messages: to emphasize that a message μ (where μ is an arbitrary label) is ingoing, we write μ with a left-pointing arrow on top ( μ); and to emphasize that μ is outgoing, we write μ with a right-pointing arrow on top ( μ). The leader's inbox corresponding to a message μ is denoted by I μ .
To distinguish the leader's three different types of transitions (reacting to an inbox, broadcasting a message, and local) we introduce the following notation. Transitions in which the leader reacts to an inbox I μ are denoted with the message μ followed by a quantifier, i.e. =0 , =1 , ≥1 , >1 , or all (written as a superscript). Thus, we write: (i) μ =0 for a transition that occurs on condition that I μ is empty; (ii) μ =1 for a transition that occurs on condition that I μ has exactly one element; (iii) μ ≥1 for a transition that occurs on condition that I μ has one or more elements; (iv) μ >1 for a transition that occurs on condition that I μ has more than one element; and (v) μ all for a transition that occurs on condition that I μ is full. The above quantifiers are enough for our purposes, but our framework can be easily extended with more quantifiers, depending on the application. Any quantifier expressible in first-order logic can be added by including the quantifier in the set T L in (Sect. 3.2) and updating the persl and enbl τ formulas (Sect. 4.1) with the quantifier's semantics in first-order logic. Proofs carry over with minor adjustments. (Note that quantifiers requiring equality to be exressed in first-order logic affect the completeness of our framework as discussed in Sect. 6.) Transitions in which the leader broadcasts a message are simply denoted with that message (employing the above convention for outgoing messages): μ denotes the transition in which the leader broadcasts μ. Local transitions are simply denoted with a plain label (no arrow on top). Similar notation is used for followers reacting to a message ( μ) and sending a message to the leader ( μ), as well as for their local transitions (no arrow on top).
For examples using the above notation see Sect. 5 and figures therein.

Leaders and their execution
Let . . , μ s }, and T L local = { 1 , . . . , t } be sets of symbols (note that μ and μ are different symbols); let  reacts to an inbox; T L out is the set of all possible outgoing messages from the leader, and, also, the set of all available labels for transitions in which L broadcasts a message; and T L local is the set of L's local actions, and, also, the set of all available labels for L's local transitions. The transition idle is a special transition the leader takes when it is unable to take any other transition. We define the size of L, denoted L , to be the quantity |Q L | + |T L | + |δ L |. For some example leaders see Sect. 5.
We describe the execution of a leader as a sequence of certain configurations in the context of a (non-empty) set A, whose elements are to be viewed as representing followers in the leader's network. Let L be a leader as above and A = {a 1 , . . . , a k } (k > 0) be a set (the set of L's followers). An l-configuration (short for leader configuration) over A is an (r + 1)tuple q, . Intuitively, q is L's state at a given moment of time and is to be viewed as a record of those followers (elements of A) from which L has received a message μ i since the last time L reacted to I μ i . (Recall that reacting to a non-empty inbox deletes its content.) If c = q, I μ 1 , . . . , I μ r is an l-configuration, σ (c) denotes the state q and ι(c) denotes the r -tuple I μ 1 , . . . , I μ r .
If c = q, I μ 1 , . . . , I μ r is an l-configuration, we denote by enb(c) (short for enabled) the set of transitions τ ∈ T L \ {idle} such that q, τ, q ∈ δ L , for some q ∈ Q L , and either τ ∈ T L out ∪ T L local or one of the following holds: in ) and I μ = A. We shall refer to a transition τ ∈ enb(c) as an enabled transition. Intuitively, τ ∈ enb(c) if τ is one of the available transitions for L when L's configuration is c. Thus, all transitions in which a message is broadcast and all local transitions are enabled, whereas transitions in which the leader reacts to an inbox are enabled only if the inbox's corresponding cardinality constraints are satisfied.
Given our intended view of inboxes as records of followers from which the leader has a specific message, we wish to enforce at each moment of time a form of persistence, i.e. that each inbox can grow (when new messages arrive) but never loses its content, unless the leader takes a transition deleting that content. To this end, for each τ ∈ T L , we define the relation τ over r -tuples I 1 , . . . , is an l-configuration and τ n ∈ T L (n ∈ N), such that: ; for all n ∈ N, ι(c n ) τ n ι(c n+1 ) (persistence); and, for all n ∈ N, Intuitively, a run describes a valid execution for L: L starts at an initial state with all its inboxes empty, and, at each moment of time, chooses an enabled (at that time) transition or becomes idle if none exists. Inboxes can grow at any moment of time as a result of new messages arriving, except when their content is being deleted.
The following simple lemma should be clear from the above. It will be useful when proving that the logical formula in Sect. 4.1 describing the leader's execution is correct.

Followers and their execution
Let . . , t } be sets of symbols (note that μ and μ are different symbols). A follower is a quadruple Intuitively, the sets T F in , T F out , and T F local are respectively the sets of all possible ingoing messages, possible outgoing messages, and local actions of F; thus, according to the notational conventions in Sect. 3.1, T F in , T F out , and T F local are respectively the sets of labels for the transitions in which F reacts to a message in its inbox, sends a message to the leader, and the set of F's local actions. The transition idle is a special transition each follower takes when it is unable to take any other transition. We define the size of F, denoted F , to be the quantity |Q F | + |T F | + |δ F |. For some example followers see Sect. 5.
We describe the execution of a follower as a sequence of certain configurations. Let F be a follower as above. An f-configuration (short for follower configuration) is a pair q, I , where q ∈ Q F and I ⊆ T F in . Intuitively, q is F's state at a given moment of time and I ⊆ T F in is its inbox at that moment of time. At any moment of time, I is to be viewed as a record of messages (from the leader) to which F has not yet reacted. If c = q, I is an f-configuration, we denote by enb(c) (short for enabled) the set of transitions τ ∈ T F \ {idle} such that q, τ, q ∈ δ F , for some q ∈ Q F , and either (a) if τ is one of the available transitions for F when F's configuration is c. Thus, all transitions in which a message is sent and all local transitions are enabled, whereas transitions in which the follower reacts to a message are enabled only if the corresponding message is present in I.
As in the leader's case, we want to enforce at each moment of time a form of persistence for the inbox I, i.e. that I can grow (when a new message arrives from the leader) but no message is lost, unless the follower reacts to that message (in which case the message is deleted). To this end, for each τ ∈ T F , we define the relation τ over sets I , J ⊆ T F in as follows: A run for F is a sequence R = { c n , τ n } n∈N , where c n = q n , I n (n ∈ N) is an f-configuration and τ n ∈ T F (n ∈ N), such that: q 0 ∈ Q F init , I 0 = ∅; for all n ∈ N, I n τ n I n+1 (persistence); and, for all n ∈ N, (a) τ n ∈ enb(c n ) and q n , τ n , q n+1 ∈ δ F ; or (b) enb(c n ) = ∅, τ n = idle, and q n = q n+1 .
Intuitively, a run describes a valid execution for F: F starts at an initial state with its inbox empty, and, at each moment of time, chooses an enabled (at that time) transition or becomes idle if none exists. Messages persist in F's inbox, unless explicitly deleted when a transition in T F in is taken.
The following simple lemma should be clear from the above. It will be useful when proving that the logical formula in Sect. 4.2 describing the followers' execution is correct.

Distributed machines and their execution
In the ensuing part, we employ the following notation: for any two sets T 1 = { μ 1 , . . . , μ i } and T 2 = { μ 1 , . . . , μ j }, we write T 1 T 2 when the sets T 1 and T 2 are equal modulo removing the arrows, i.e.
(The latter two constraints are to ensure that each message μ broadcast by the leader is a valid ingoing message μ to the followers and for each message μ sent by a follower, the leader has a corresponding inbox. The one before the latter two is to avoid ambiguities in the logical translation presented in Sect. 4.) Let M = L, F be a distributed machine and is a run for F, such that the following conditions hold: , there exists n < n such that τ i n = μ. Intuitively, (A1) states that if the leader broadcasts a message μ, a message μ will eventually appear in each follower's inbox; and if a message μ is in a follower's inbox, a message μ has been broadcast by the leader at some point in the past. Similarly, (A2) states that if a follower a ∈ A sends a message μ to the leader, a will eventually appear in the inbox I μ ; and if a ∈ I μ , a message μ has been sent by a to the leader at some point in the past.
Conditions (A1) and (A2) describe an asynchronous network (i.e. a network in which message delivery takes an arbitrary amount of time). For a synchronous network (assuming message delivery takes one time step), conditions (A1) and (A2) above should be replaced with the following two conditions: To distinguish a distributed machine whose runs satisfy conditions (A1) and (A2) above from a distributed machine whose runs satisfy conditions (S1) and (S2) above, we shall refer to the former type of machine as an asynchronous distributed machine and to the latter type as a synchronous distributed machine. We say that a distributed machine M = L, F (asynchronous or synchronous) is runnable if there is a run for M over some universe A = {a 1 , . . . , a k } (k > 0).

Remark 1
The behaviour of a synchronous distributed machine when the delivery of a message from a follower to the leader coincides with the leader deleting the content of the corresponding inbox or when the delivery of a message from the leader to a follower coincides with the follower reacting to it and thus deleting it (the message could already be present in the follower's inbox due to an earlier delivery) is undefined. It should be clear that the set of all runs of a synchronous distributed machine captures all well-defined (i.e. not undefined) behaviour. In case of undefined behaviour the reader can imagine, for example, the network "dying" and the distributed machine terminating abruptly, or it being left in an inconsistent state, for example, not deleting or not delivering a message when it should.

Translation to logic
Given an asynchronous distributed machine M, we can (automatically) construct an MFOTL- is defined over the signature M comprising a nullary predicate sl q for each state q ∈ Q L ; a unary predicate sf q (·) for each state q ∈ Q F ; the symbols in T L in and T F in as unary predicates; for each symbol μ ∈ T L out , a nullary predicate past μ ; for each symbol μ ∈ T F out , a unary predicate past μ (·); a nullary predicate tl τ for each τ ∈ T L ; and a unary predicate tf τ (·) for each τ ∈ T F . For each q ∈ Q L , sl q (short for state leader) is to be viewed as stating that the leader is at state q. For each q ∈ Q F , sf q (a) (short for state follower) is to be viewed as stating that follower a is at state q. For each μ ∈ T L in , μ(a) is to be viewed as stating that there is a message μ to the leader originating from follower a (i.e. a ∈ I μ ). For each μ ∈ T F in , μ(a) is to be viewed as stating that there is a message μ to follower a originating from the leader (i.e. μ is in a's inbox). For each μ ∈ T L out , past μ is to be viewed as stating that the leader has in the past broadcast a message μ. For each μ ∈ T F out , past μ (a) is to be viewed as stating that follower a has in the past sent a message μ to the leader. For each τ ∈ T L , tl τ (short for transition leader) is to be viewed as stating that the leader takes transition τ . For each τ ∈ T F , tf τ (a) (short for transition follower) is to be viewed as stating that follower a takes transition τ .
We now proceed to write the constituent parts of Spec(M).

The leader's execution
We first write a collection of formulas describing the execution of the leader. The following two formulas (short for unique state leader and unique transition leader respectively) state that the leader's states and transitions are unique: The next formula (short for initial leader) describes the initial conditions for the leader's execution, i.e. that the leader starts at an initial state with all its inboxes empty: The next formula (short for persistence leader) is the persistence condition for the leader's inboxes: inboxes do not lose their content (although they can grow due to the arrival of new messages), except when a transition τ = μ =1 , μ ≥1 , μ >1 , or μ all ( μ ∈ T L in ) (which deletes the content of its corresponding inbox) is taken. In the following definition we slighty abuse the notation tl τ (τ ∈ T L ) for brevity: we write tl τ 1 ,...,τ j (τ 1 , . . . , τ j ∈ T L ) as a shorthand for tl τ 1 ∨ · · · ∨ tl τ j . Let The next family of formulas (short for enabled leader) describe the necessary conditions for a transition to be enabled. They are part of the formulas that describe the step-by-step execution of the leader. For each τ ∈ T L \ {idle}, let The next formula (short for step leader) describes the step-by-step execution of the leader: at each moment of time the leader takes an enabled transition or becomes idle if none exists. Let stepl be the logical disjunction of the following two formulas: Finally, the formula describes the leader's whole operation. It is clear that leader = O( L 2 ).

The followers' execution
Next, we write a collection of formulas describing the execution of each follower.
The following formulas (short for unique state follower and unique transition follower respectively) state that the states and transitions of follower x are unique: The next formula (short for initial follower) describes the initial conditions for the execution of follower x, i.e. that follower x starts at an initial state with its inbox empty: The next formula (short for persistence follower) is the persistence condition for the inbox of follower x: the inbox does not lose any messages (although it can grow due to the arrival of new ones), except when a transition τ ∈ T F in (which deletes the corresponding message) is taken. Let The next family of formulas (short for enabled follower) describe the necessary conditions for a transition to be enabled. They are part of the formulas that describe the step-by-step execution of a follower x. For each τ ∈ T F , let The next formula (short for step follower) describes the step-by-step execution of follower x: at each moment of time follower x takes a feasible transition or becomes idle if none exists. Let stepf(x) be the logical disjunction of the following two formulas: Finally, the formula describes the leader's whole operation. It is clear that follower(x) = O( F 2 ).

The distributed machine's execution
Next, we write a collection of formulas describing the network of the leader and its followers, and, combining these formulas with the ones in the previous two subsections, we form Spec(M).
The following two formulas enforce the intended semantics for the predicates past μ ( μ ∈ T L in ) and past μ (·) ( μ ∈ T F in ). Recall from the beginning of this section that past μ ( μ ∈ T L in ) is to be read as "a message μ has in the past been broadcast by the leader" and past μ (x) ( μ ∈ T F in ) as "follower x has in the past sent a message μ to the leader". Thus, past μ must be false until (and when) the leader takes transition tl μ (if it ever does) and true thereafter; and likewise for past μ (x) and tf μ (x). Let pastm (short for past messages) be the logical conjunction of the following two formulas: The following two formulas specify the conditions for message delivery when the leader broadcasts a message to the followers (bcastla, short for broadcast leader asynchronous) and when a follower sends a message to the leader (sendfa, short for send follower asynchronous).
(Recall that the network is asynchronous.) They correspond to conditions (A1) and (A2) respectively from Sect. 3.4.
Notice that, since T L out T F in (resp. T F out T L in ), the symbol μ ∈ T F in (resp. μ ∈ T L in ), and, thus, the predicate μ(·) appearing in the first conjunct of bcastla (resp. sendfa) exists. Likewise, the nullary predicate past μ (resp. unary predicate past μ (·)) appearing in the second conjunct of bcastla (resp. sendfa) exists.
Finally, the following formula neta (short for network asynchronous) describes the operation of the asynchronous network comprising the leader and its followers:

It is clear that neta
We are now ready to give a full logical description of M. Let

Remark 2
The assumption that each message can be delivered multiple times is natural (as it applies to many common protocols), but also favourable because it simplifies the network encoding. Indeed, to enforce the condition that if a message μ is sent then a message μ is received (by the intended recipient(s)) at some point in the future (possibly at different times by different recipients), we simply state that if tl μ or tf μ (x) (for any follower x) holds true at any moment then ♦ μ(x) holds true next. That μ can be received multiple times is simply a consequence of the semantics of the operator ♦. In some cases this behaviour may be unwanted. (For example, consider a scenario, such as an asynchronous version of the Control-MAC protocol in Sect. 5.3, in which a follower awaits a ← − go or a ←−− nogo message to enter or not enter respectively a critical section, and, at a given round of the protocol, it receives both a ← − go and a ←−− nogo message, the first being the intended message and the second being a re-delivery from a previous round, leaving the follower in an inconsistent state.) At the time of writing, the authors know of no way of enforcing delivery of messages exactly once within the current approach. One possibility could be to parameterize each message delivery to a recipient x with an identifier y. Then, one could state that a delivery with identifier y to any recipient x is followed by no delivery with identifier y. (In the absence of identifiers for deliveries, a similar condition would block future deliveries of a message, even if the message were re-sent. In contrast, in the presence of identifiers, a re-sent message could still be delivered using a new identifier.) Unfortunately, this approach results in formulas that are not monodic.

Correspondence between runs and models
We now show that an asynchronous distributed machine M is runnable if and only if Spec(M) is satisfiable.

Lemma 3 Let M = L, F be an asynchronous distributed machine and Spec(M) as above. If M is runnable, then Spec(M) is satisfiable over a finite domain.
. Let M be as in the beginning of this section. We construct from R a sequence M = {A n } n∈N , where each A n (n ∈ N) is a M -structure with universe A, such that Spec(M) is true in M. For each n ∈ N, let A n be such that: (a) for each q ∈ Q L , sl A n q = if q = q 0 n , otherwise sl A n q = ⊥; (b) for each μ ∈ T L in , μ A n = I μ n ; (c) for each μ ∈ T L out , past A n μ = if τ 0 n = μ for some n < n, otherwise past A n μ = ⊥; We now show that leader, ∀x follower(x), and neta are all true in M. It then follows that Spec(M) is true in M.

n+1
. Further, it is straightforward to establish from the definition of enbl τ 0 n and (b) that A n | enbl τ 0 n . Consequently, A n | sl q 0 n ∧ enbl τ 0 n ∧ tl τ 0 n ∧ sl q 0 n+1 and A n satisfies the first disjunct of stepl. If enb(c 0 n ) = ∅, we have τ 0 n = idle and q 0 n = σ (c 0 n ) = σ (c 0 n+1 ) = q 0 n+1 . Thus, from (a) and (d), A n | sl q 0 n , A n | tl idle , and A n | sl q 0 n . Further, it is straightforward to establish from the definition of enbl τ (τ ∈ T L \{idle}) and (b) that A n | q 0 n ,τ,q ∈δ L ¬enbl τ . (The latter still holds when the conjunction is empty, in which case it evaluates to by convention.) Consequently, A n | sl q 0 n ∧ q 0 n ,τ,q ∈δ L ¬enbl τ ∧tl idle ∧ sl q 0 n and A n satisfies the second disjunct of stepl. In any case, A n | stepl. As a result of the above, leader is true in M.
Moving to the followers, it is easily obtained from the definition of a run for F together with (e), (f), and (h) that, for all a i ∈ A, A 0 | initf(a i ) and, for all n ∈ N, for all a i ∈ A, A n | ustatef(a i ) and A n | utransf(a i ). To show that, for all n ∈ N, for all a i ∈ A, A n | persf(a i ), let τ = μ ∈ T F in . If A n | tf τ (a i ), then, from (h), τ i n = τ , which implies that μ / ∈ I i n+1 (from the definition of a run for F), which, in turn, implies due to (f) that A n | ¬ μ(a i ); and if A n | ¬tf τ (a i ), then, from (h), τ i n = μ, which by Lemma 2 implies that if μ ∈ I i n then μ ∈ I i n+1 , which, in turn, implies due to (f) that is then evident. To show that, for all n ∈ N, for all a i ∈ A, A n | stepf(a i ), we consider two cases. If enb(c i n ) = ∅, we have τ i n ∈ enb(c i n ). Thus, from (e) and (h) above, A n | sf q i n (a i ), A n | tf τ i n (a i ), and A n | sf q i n+1 (a i ). Further, it is straightforward to establish from the definition of enbf τ i n (a i ) and (f) that A n | enbf τ i n (a i ). Consequently (a i ) and A n satisfies the first disjunct of stepf(a i ). If enb(c i n ) = ∅, we have τ i n = idle and q i n = q i n+1 . Thus, from (e) and (h) above, A n | sf q i n (a i ), A n | tf idle (a i ), and A n | sf q i n (a i ). Further, it is straightforward to establish from the definition of enbf τ (a i ) (τ ∈ T F \{idle}) and (f) that A n | q 0 n ,τ,q ∈δ F ¬enbf τ (a i ). (The latter still holds when the conjunction is empty, in which case it evaluates to by convention.) Consequently, A n | sf q i n (a i )∧ q i n ,τ,q ∈δ F ¬enbf τ (a i )∧tf idle (a i )∧ sf q i n (a i ) and A n satisfies the second disjunct of stepf(a i ). In any case, A n | stepf(a i ). As a result of the above, for all n ∈ N, for all a i ∈ A, A n | follower(a i ), from which we obtain the truth of ∀x follower(x) in M.
Moving to neta, we first show that pastm is true in M. For the first conjunct of pastm, let μ ∈ T L out . If τ 0 n = μ for all n ∈ N, then, from (d), A n | ¬tl μ for all n ∈ N, and, from (c), A n | ¬past μ for all n ∈ N. It follows that A 0 | ¬past μ , thus A 0 | ¬past μ W tl μ , and, as a result, A 0 | ¬past μ ∧ ¬past μ W tl μ . Further, for all n ∈ N, A n | (¬past μ ∧ ¬tl μ ∧ tl μ ) → ¬past μ and A n | tl μ → past μ trivially. Therefore, the first conjunct of pastm is true in M. Otherwise, let t be the smallest number such that A t | tl μ . Thus, from (d), A n | ¬tl μ for all n < t. From (c), A n | ¬past μ for all n ≤ t, and A n | past μ for all n > t. Now, for all n ∈ N, we claim A n | (¬past μ ∧ ¬tl μ ∧ tl μ ) → ¬past μ . Indeed, the latter holds trivially for all n if t = 0, and for all n = t − 1 if t > 0; further, if t > 0, we have A t−1 | ¬past μ ∧ ¬tl μ ∧ tl μ and A t | ¬past μ , thus it holds for n = t − 1 as well. Finally, it is clear that A n | tl μ → past μ for all n ∈ N. Therefore, the first conjunct of pastm is true in M. The argument for the second conjunct is completely analogous. Thus, pastm is true in M. It is straightforward to show that bcastla and sendfa are true in M.

As a result, neta is true in M.
For the converse of Lemma 3, we require the following two auxiliary lemmas:  N, (a) if A n | past μ , there exists n < n such that A n | tl μ ; and (b) if A n | ¬past μ , then A n | ¬tl μ for all n < n.
Proof For (a), let n ∈ N such that A n | past μ . Because pastm is true in M, it follows from its first conjunct that A 0 | ¬past μ , A 0 | ¬past μ W tl μ , and, for all m ∈ N, Thus, let n be the smallest number such that A n | tl μ . A n | past μ implies, then, that n ≤ n. It also follows that A n −1 | ¬past μ ∧ ¬tl μ ∧ tl μ . Since A m | (¬past μ ∧ ¬tl μ ∧ tl μ ) → ¬past μ for all m ∈ N, we must have A n | ¬past μ , thus n < n.
For (b), let n ∈ N such that A n | ¬past μ . As in the previous case, it follows from the first conjunct of pastm that A 0 | ¬past μ , A 0 | ¬past μ W tl μ , and, for all m ∈ N, In the former case, since A m | tl μ → past μ for all m ∈ N, it follows that A 0 | ¬tl μ , and, as a result, A n | ¬tl μ for all n < n. In the latter case, let n be the smallest number such that A n | tl μ . Since A m | tl μ → past μ for all m ∈ N, n ≤ n . It follows that A n | ¬tl μ for all n < n. N) is a M -structure with universe A, be a model of Spec(M); and let past μ (·) be the unary predicate in M corresponding to the symbol μ ∈ T F out . Let a ∈ A. For all n ∈ N, (a) if A n | past μ (a), there exists n < n such that A n | tf μ (a); and (b) if A n | ¬past μ (a), then A n | ¬tl μ (a) for all n < n.

Lemma 5 Let M = L, F be a distributed machine; let A be a finite, non-empty set; let
Proof Completely analogous to the proof of Lemma 4, using the second conjunct of pastm instead of the first.
We now proceed to the converse of Lemma 3.

Lemma 6 Let M = L, F be an asynchronous distributed machine and Spec(M) as above. If Spec(M) is satisfiable over a finite domain, then M is runnable.
Proof Let A = {a 1 , . . . , a k } (k > 0) and let M = {A n } n∈N be a sequence, where each A n (n ∈ N) is a M -structure ( M as in the beginning of this section) with universe A, such that Spec(M) is true in M. We construct from M a run R = R 0 , R 1 , . . . , R k for M over A. That is, we construct R such that R 0 = { c 0 n , τ 0 n } n∈N is a run for L over A and each is a run for F over A. In the ensuing part, we assume that T L in = { μ 1 , . . . , μ r }. For each n ∈ N: (a) set c 0 n = q 0 n , I μ 1 n , . . . , I μ r n , such that A n | sl q 0 n and I It is a consequence of the assumption that Spec(M) is true in M that for all n ∈ N, A n | ustatel and A n | utransl; and, for all n ∈ N, for all i (1 ≤ i ≤ k), A n | ustatef(a i ) and A n | utransf(a i ). Thus q 0 n and τ 0 n above, as well as q i n and τ i n (1 ≤ i ≤ k), are well-defined. We next show that R 0 is a run for L over A. Since A 0 | initl we have from (a) that q 0 n ∈ Q L init and I μ i 0 = ∅ (for all 1 ≤ i ≤ r ). Now, it is a consequence of the assumption that Spec(M) is true in M that A n | persl and A n | stepl, for all n ∈ N. To show that ι(c 0 n ) τ 0 n ι(c 0 n+1 ), for all n ∈ N, we consider two possibilities: For the former case, it follows from (a) that q 0 n = q and q 0 n+1 = q , and from (b) that τ 0 n = τ ; and, for the latter case, it follows from (a) that q 0 n = q 0 n+1 = q and from (b) that τ 0 n = idle. That is, σ (c 0 n ), τ 0 n , σ (c 0 n+1 ) = q 0 n , τ 0 n , q 0 n+1 = q, τ, q ∈ δ L or τ 0 n = idle and σ (c 0 n ) = q 0 n = q 0 n+1 = σ (c 0 n+1 ). It is straightforward to show from A n | enbl τ (a consequence of the assumption that A n | sl q ∧ enbl τ ∧ tl τ ∧ sl q ) and (a) that τ 0 n (= τ ) ∈ enb(c 0 n ); and from A n | q,τ,q ∈δ L ¬enbl τ (a consequence of the assumption that A n | sl q ∧ q,τ,q ∈δ L ¬enbl τ ∧ tl idle ∧ sl q ) and (a) that enb(c 0 n ) = ∅. Thus, we have established that τ 0 n ∈ enb(c 0 n ) and σ (c 0 n ), τ 0 n , σ (c 0 n+1 ) ∈ δ L , or enb(c 0 n ) = ∅, τ 0 n = idle, and σ (c 0 n ) = σ (c 0 n+1 ), for all n ∈ N. We next show that R i (for all 1 ≤ i ≤ k) is a run for F over A.
It is a consequence of the assumption that Spec(M) is true in M that A n | persf(a i ) and A n | stepf(a i ), for all n ∈ N. To show that I i n τ i n I i n+1 , for all n ∈ N, we consider two possibilities: if τ i n / ∈ T F in , which, due to (d), implies that A | ¬tf μ (a i ) for all μ ∈ T F in , then, because A n | persf(a i ), in , which, due to (c), implies that I i n ⊆ I i n+1 ; and if τ i n = μ ∈ T F in , which, due to (d), implies that A n | tf μ (a i ) and (because A n | utransf(a i )) A n | ¬tf ν (a i ) for all ν ∈ T F in \ { μ}, then, because A n | persf(a i ), A n | ¬ μ(a i ) and A n | ν(a i ) → ν(a i ) for all ν ∈ T F in , whence, due to (c), μ / ∈ I i n+1 and The required condition follows. Finally, given that A n | stepf(a i ), it follows that A n | sf q (a i ) ∧ enbf τ (a i ) ∧ tf τ (a i ) ∧ sf q (a i ), for some q, τ, q ∈ δ F , or A n | sf q (a i ) ∧ q,τ,q ∈δ F ¬enbf τ (a i ) ∧ tf idle (a i ) ∧ sf q (a i ), for some q ∈ Q F . For the former case, it follows from (c) that q i n = q and q i n+1 = q , and from (d) that τ i n = τ ; and, for the latter case, it follows from (c) that q i n = q i n+1 = q and from (d) that τ i n = idle. It is straightforward to show from A n | enbf τ (a i ) (a consequence of the assumption that A n | sf q (a i ) ∧ enbf τ (a i ) ∧ tf τ (a i ) ∧ sf q (a i )) and (c) that τ i n (= τ ) ∈ enb(c i n ); and from A n | q,τ,q ∈δ F ¬enbf τ (a i ) (a consequence of the assumption that A n | sf q (a i ) ∧ q,τ,q ∈δ F ¬enbf τ (a i ) ∧ tf idle (a i ) ∧ sf q (a i )) and (c) that enb(c i n ) = ∅. Thus, we have established that τ i n ∈ enb(c i n ) and q i n , τ i n , q i n+1 ∈ δ F , or enb(c i n ) = ∅, τ i n = idle, and q i n = q i n+1 , for all n ∈ N. Finally we establish that conditions (A1) and (A2) from Sect. 3.4 hold for R. For (A1), we first show that if τ 0 n = μ (n ∈ N), then, for each i (1 ≤ i ≤ k), there exists n > n, such that μ ∈ I i n . Let n ∈ N and suppose τ 0 n = τ = μ. From (b), it must be A n | tl τ . Further, from A n | bcastla (a consequence of the assumption that Spec(M) is true in M), we have A n | tl τ → ∀x ♦ μ(x), and, as a result, A n | ∀x ♦ μ(x). It is then straightforward to show from the semantics of MFOTL and (c) above that, for each i (1 ≤ i ≤ k), there exists n > n, such that μ ∈ I i n . Now, for each i (1 ≤ i ≤ k), supposing μ ∈ I i n (n ∈ N), we have from (c) above that A n | μ(a i ), thus, from A n | bcastla again, A n | μ(a i ) → past μ , and, as a result, A n | past μ , whence, from Lemma 4, A n | tl μ , or, due to (b) (in this proof), τ 0 n = μ, for some n < n. Thus we establish that, for each i (1 ≤ i ≤ k), if μ ∈ I i n (n ∈ N), then there exists n < n such that τ 0 n = μ. In combination with the above, it follows that condition (A1) from Sect. 3.4 holds. Condition (A2) from Sect. 3.4 can be obtained in a similar manner, using (d), (a), sendfa, and Lemma 5.
Combining Lemma 3 and 6 , we have proved:

Execution in a synchronous setting
If N = L, F is a synchronous distributed machine, we can (automatically) construct an MFOTL-sentence Spec (N ) (with Spec (N ) quadratic in N ) such that N is runnable if and only if Spec (N ) is satisfiable. Spec (N ) is defined over the signature N comprising a nullary predicate sl q for each state q ∈ Q L , a unary predicate sf q (·) for each state q ∈ Q F , the symbols in T L in and T F in as unary predicates, the symbols in T F out as unary predicates, a nullary predicate tl τ for each τ ∈ T L , and a unary predicate tf τ (·) for each τ ∈ T F . The intended meaning for each symbol in N is the same as the corresponding symbol in M .
As discussed earlier, a synchronous machine differs from an asynchronous machine in that runs of the former satisfy conditions (S1) and (S2) from Sect. 3.4, whereas runs of the latter satisfy conditions (A1) and (A2) from Sect. 3.4. Thus, the parts of Spec (N ) describing the operation of the leader and each follower are the same as in the asynchronous case. The only thing that changes is the description of the network.
We now proceed to define the formulas describing N 's network. The following two formulas (short for broadcast leader synchronous and send follower synchronous respectively) are a translation of conditions (S1) and (S2) respectively from Sect. 3.4: As in the definition of bcastla and sendfa, the symbol μ ∈ T F in (resp. μ ∈ T L in ), and, thus, the predicate μ(·) appearing in bcastls (resp. sendfs) exists because T L out T F in (resp. T F out T L in ). The following formula (short for network synchronous) describes the operation of the synchronous network comprising the leader and its followers:

Remark 4
Similar to the asynchronous case, it should be clear that if all runs of a runnable synchronous machine N have a property P (expressible in MFOTL) then Spec (N ) ∧ ¬ϕ P , where ϕ P is the formula (over N ) expressing P in MFOTL, is unsatisfiable over finite domains. Relevant to Rem. 1, it should also be clear that for an arbitrary (not necessarily runnable) synchronous distributed machine N = L, F and a property P expressed in MFOTL (over N ) by the formula ϕ P , if Spec (N ) ∧¬ϕ P is unsatisfiable over finite domains then either N is not runnable or (N is runnable and) all its runs have property P. N can fail to be runnable if the definition of L and/or F is such that the behaviour of the machine in each possible execution is undefined, as discussed in Rem. 1. We stress that it is upon the designer to ensure that any such machine N specified within our framework cannot give rise to undefined behaviour during its execution, and, as a result, from the unsatisfiability of Spec (N ) ∧ ¬ϕ P one can conclude that all runs of N satisfy P.  N), for each follower x. One then enforces the condition that μ(x) holds true whenever T μ m (x) holds true and if ¬ μ(x), μ(x) hold true at times n, n + 1 respectively then T μ m (x) also holds true at time n + 1 (n ∈ N), for each follower x.

Specification of protocols
In this section we demonstrate the applicability of our framework in practice by formally specifying three protocols.

FloodSet
We consider a variant of the FloodSet algorithm with alternative decision rule [28,p. 105] that appeared in [13]. The setting is as follows. There are k processes, each having an input bit and an output bit. The processes communicate via broadcast messages, guaranteed to be delivered with an arbitrary delay, and may also arrive to each recipient multiple times. Informally, the protocol works as follows: • At the first round of computations, every process broadcasts its input bit.
• At every round the (tentative) output bit is set to the minimum value ever seen so far.
The correctness criterion for this protocol is that, eventually, the output bits of all processes will be the same.
We now give a formal specification of the above protocol as a network of a leader and followers. Intuitively, each follower corresponds to one of the aforementioned k processes. Since our model does not allow follower broadcasts we shall use the leader as a network relay: the leader remains idle until it receives one or more "0" messages and/or one or more "1" messages; if it does, it broadcasts a "0" and/or "1" accordingly, and keeps broadcasting while new messages arrive; otherwise it returns to its initial state. The leader is fair, in the sense that it does not neglect to broadcast "1" messages (if any) after broadcasting "0" messages, and vice versa.
Towards defining the leader, let Fig. 3.  Fig. 4. Recall that to form a distributed machine out of L and F we must satisfy the constraints T L in ∩ T F in = ∅, T L in T F out and T F in T L out . To satisfy the first restriction we could have typeset either T L out or T F in with a different font, but we refrained from that for simplicity. The other constraints are satisfied.
Finally, let M FS = L, F be the asynchronous state machine comprising the leader L and (an arbitrary number of replicated) followers F. Let Spec(M FS ) be the FOTL-sentence such that M FS is runnable if and only if Spec(M FS ) is satisfiable. According to the informal correctness criterion stated above, we need to verify that the following FOTL-sentence is unsatisfiable over finite domains:

Two-phase commit
We consider the two-phase commit as described in [19], with minor simplifications. In this setting, k followers ("resource managers") coordinated by a leader ("transaction manager") collectively perform a transaction. The transaction is aborted if one or more followers abort, otherwise it is committed.
Initially, the leader and each follower are in a working state. The protocol starts with the leader broadcasting a prepare message to the followers, signalling that a decision is about to be made on committing/aborting the transaction. The leader then enters a waiting state and remains there until it has received a response from each follower-either prepared (signalling that a follower is prepared to receive a command to commit or abort) or aborted (signalling that a follower has chosen to abort). Upon receipt of a prepare message from the leader, each follower enters a preparing state. In this state the follower can choose to (a) abort the transaction (for its own reason); or (b) prepare to receive (from the leader) a command to commit or abort. If the follower aborts, it sends an aborted message to the leader and enters an aborted state. If the follower prepares to receive a command, it sends a prepared message to the leader and enters a prepared state. When in a prepared state, the follower cannot abort on its own volition: it will perform the leader's command (whether it be to commit or to abort). Thus, while in a prepared state, if the follower receives a commit message, it enters a committed state, and if it receives an abort message, it enters an aborted state. While in the waiting state, if the leader receives an aborted message from one or more followers it enters an aborting state; otherwise (if it receives a prepared message from all k followers) it enters a committing state. When in an aborting state, the leader broadcasts an abort message to the followers and enters an aborted state; and while in a committing state, it broadcasts a commit message to the followers and enters a committed state. (Similar to [19], we could allow the leader ("transaction manager") to arbitrarily abort when in a working, waiting, or committing state, but we will refrain from that for simplicity.) The correctness criterion for this protocol is that, eventually, either all followers are in a commited state or all are in an aborted state.
We now give a formal description of the above protocol. Towards defining the leader, Let L = Q L , Q L init , T L , δ L . L is depicted in Fig. 5. For the followers, let Fig. 6. Notice that T L in ∩ T F in = ∅, T L in T F out and T F in T L out . Finally, let M 2PC = L, F be the asynchronous state machine comprising the leader L and (an arbitrary number of replicated) followers F. Let Spec(M 2PC ) be the FOTL-sentence such that M 2PC is runnable if and only if Spec(M 2PC ) is satisfiable. According to the informal correctness criterion stated above, we need to verify that the following FOTL-sentence is

Control-MAC
We consider a simplified version of the Control-MAC protocol [7], used to enforce a form of mutual exclusion in certain sensor networks. The original protocol involves a degree of randomness, which we are unable to model in our framework and first-order temporal logic in general. The simplifications made here address this limitation while staying faithful to the core ideas behind the protocol.
The setting is as follows. There are k sensors and a gateway. The sensors sense a physical phenomenon and each sensor wants to send to the gateway its sense data when a certain threshold is met. The gateway has a limited number of transmission slots, say m (m < k), and if more than m sensors transmit at the same time there will be data corruption. For simplicity we shall take m = 1, i.e. the gateway has only one transmission slot. The protocol is synchronous and evolves in rounds. At the beginning of each round, the gateway waits for bids for the transmission slot from the sensors that have data to transmit; at the same time, each sensor that has data to transmit bids for the transmission slot, otherwise it waits. If the gateway receives exactly one bid it broadcasts a go message; if it receives two or more bids it broadcasts a nogo message; and, for symmetry, if it receives no bid it broadcasts a nogo message. If a sensor that has bid for the transmission slot receives a go message, it sends its data and moves to its initial state; otherwise, if it receives a nogo message simply moves to its initial state. If a sensor that has not bid for the transmission slot receives either a go or a nogo message, it moves to its initial state. In the original protocol, when a sensor that has bid for the transmission slot receives a nogo message, it waits for a random number of rounds before it bids again. This random number depends on the contention in the system (i.e. on how many sensors have bid up to that point) and its specific properties are of no concern to us. What is important to us is that it is calculated in such a way that if two sensors bid for the transmission slot at the same time, the probability of them biding again at the same time in the future is very low. Seeing as we cannot model randomness, we shall assume that probability to be zero. Thus, we shall assume that if a sensor bids for the transmission slot at the same time with other sensors, there will be a time in the future when the sensor bids on its own. The correctness criterion for this protocol is that every sensor that has data to send, or, in other words, has bid for the transmission slot, will eventually send its data to the gateway.
We now give a formal description of the above protocol. Towards defining the leader, let   δ F = { q 0 , − → bid, q 1 , q 0 , wait, q 2 , q 1 , ← − go, q 3 , q 1 , ← − − nogo, q 4 , q 2 , ← − go, q 5 , q 2 , ← − − nogo, q 6 , q 3 , sending, q 0 , q 4 , ε, q 0 , q 5 , ε, q 0 , q 6 , ε, q 0 , }. Fig. 8. Notice that T L in ∩ T F in = ∅, T L in T F out and T F in T L out . Finally, let N MAC = L, F be the synchronous state machine comprising the leader L and (an arbitrary number of replicated) followers F. Let Spec (N MAC ) be the FOTL-sentence such that N MAC is runnable if and only if Spec (N MAC ) is satisfiable. According to the informal correctness criterion stated above, we need to verify that the following FOTL-sentence is unsatisfiable over finite domains: ∧ ∀x((tf− → bid (x) ∧ ∃y(x = y ∧ tf− → bid (y))) → ♦(tf− → bid (x) ∧ ¬∃y(x = y ∧ tf− → bid (y)))) ∧ ¬ ∀x(tf− → bid (x) → ♦tf sending (x)) 6 Related work [1] presents an approach in which the states and transitions of a parameterized or infinite-state system are represented as words over a finite alphabet and properties of a system are specified and checked using automata-theoretic techniques. Because working with these automatatheoretic techniques can be difficult in practice, [1] introduces LTL(MSO), a mixture of LTL (linear temporal logic) and MSO (monadic second-order logic), enabling the specification of systems and their properties at a higher level of abstraction. The verification problem for LTL(MSO) reduces to whether some Büchi regular transition system has accepting runs. [1] reports that this problem is in general undecidable, but goes on to verify safety properties and some liveness properties (also see [2] for liveness) for various real-world protocols. In [10,11] and [14], the state of a parameterized system is represented using certain numerical abstractions. An abstract, parameterized, cache-coherence (in [10,11]) or broad-cast (in [14]) protocol for such systems is then translated to numerical constraints pertaining to said numerical abstractions. This approach reduces model-checking safety properties to a reachability problem, which can be attacked using common methods for infinite-state model-checking, working over integer or real arithmetics. The latter methods have in general non-elementary worst-case complexity. [14] reports that model-checking liveness properties for their abstract broadcast protocol is undecidable.
By utilizing MFOTL, our approach achieves similar expressiveness to LTL(MSO) (if no second-order quantifiers are used, formulas of LTL(MSO) can be straightforwardly translated to monadic MFOTL) and approximates to some extent the expressiveness of approaches based on numerical abstractions (the latter are more flexible in expressing properties involving complex numerical constraints, but MFOTL can express simple numerical constraints, possibly sacrificing completeness for constraints requiring equality). At the same time, MFOTL remains decidable (sacrificing completeness when it comes to properties requiring equality) and has relatively low worst-case computational complexity. The decidability and computational complexity of MFOTL are not affected by the type of property one wants to check (i.e. safety, liveness, fairness, or other), and, as a result, MFOTL is particularly useful for checking liveness properties, which present difficulties for the above formalisms. The abstract model that we introduce can emulate the protocol model in [10,11] and has similarities with the one in [14]. For protocols that include ingoing transitions of the form μ =1 , μ >1 , or any other ingoing transitions added in the future whose translation in first-order logic requires the use of equality, our framework is correct (a protocol does have a given property if the protocol's translation logically entails that property) but incomplete (a protocol may have a given property even if the protocol's translation does not logically entail that property). For example Control-MAC in Sect. 5.3 is affected by this limitation, but neither FloodSet in Sect. 5.1 nor the two-phase commit in Sect. 5.2 are affected by it.

Conclusions
We have introduced a framework that simplifies the verification of protocols involving a distinguished machine (leader) orchestrating an arbitrary number of identical machines (followers). Our framework provides a high-level formalism based on finite-state machines and encapsulating their network interactions. We have shown that protocols specified in this framework can automatically be translated into monodic first-order temporal logic, maintaining their semantics. Automated theorem provers for said logic can then be used to check whether that translation (and thus the original protocol) satisfies a property of interest. Thus, our framework constitutes a flexible, high-level approach to parameterized verification. To demonstrate the applicability of our framework, we have specified in it three protocols used in real settings. The implementation of our framework and its incorporation with the provers is the subject of ongoing and future work.

Data Availibility Statement Data sharing not applicable.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.