Proving Ptolemy Right: The Environment Abstraction Framework for Model Checking Concurrent Systems

  • Edmund Clarke
  • Murali Talupur
  • Helmut Veith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4963)


The parameterized verification of concurrent algorithms and protocols has been addressed by a variety of recent methods. Experience shows that there is a trade-off between techniques which are widely applicable but depend on non-trivial human guidance, and fully automated approaches which are tailored to narrow classes of applications. In this spectrum, we propose a new framework based on environment abstraction which exhibits a large degree of automation and can be easily adjusted to different fields of application. Our approach is based on two insights. First, we argue that natural abstractions for concurrent software are derived from the "Ptolemaic" perspective of a human engineer who focuses on a single reference process and views all other processes as its environment. For this class of abstractions, we demonstrate soundness of the abstraction under very general assumptions. Second, most protocols in a given class of protocols (for instance, cache coherence protocols or mutual exclusion protocols) can be modeled by a small set of compound statements. These two insights allow us to efficiently build precise abstract models for given protocols, which can then be model checked. We demonstrate the power of our method by applying it to several well-known classes of protocols.



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Edmund Clarke (1)
  • Murali Talupur (2)
  • Helmut Veith (3, 4)

  1. School of Computer Science, Carnegie Mellon University, USA
  2. Intel Strategic CAD Labs, Portland, USA
  3. Fachbereich Informatik, Technische Universität Darmstadt, Germany
  4. Institut für Informatik, Technische Universität München, Germany
