Automating Modular Veriication

module (9WP :(P &RP )). In a similar way, we compute the reachability predicate RQ for Q and construct the abstract module (9WQ:(Q&RQ)). To complete the veri cation process, we then use the following rule: (9WP :(P &RP )) k (9WQ:(Q&RQ)) j= 2' P kQ j= 2' (2) Since the systems P kQ and (P &RP ) k (Q&RQ) have the same reachable states, rule (2) is sound. As we shall see, unlike the simplistic rule (1), the improved rule (2) can often be successfully applied even when the setsWP andWQ include variables that contribute to ensure the invariant '. Yet the savings in checking the premise of rule (2) are just as great as those for checking the premise of the earlier rule (1), because the same sets of variables are erased. In other words, (9WP :(P &RP )) k (9WQ:(Q&RQ)) is a more accurate but no more detailed abstraction of P kQ than is (9WP :P )k (9WQ:Q). In our experiments we shall obtain dramatic results by applying rule (2) with the simple heuristics of erasing those variables that are not involved in the communication between P and Q. While reachability information is often used in algorithmic veri cation, the novelty of rule (2) consists in the use of such information for the modular construction of abstractions. The e ectiveness of a rule such as (1) or (2) is directly related to the number of variables that can be erased in a successful application of the rule. Rule (2) improves on rule (1) by using reachability information about the individual modules in the construction of the abstractions, which usually permits the erasure of more variables. It is possible to further improve on the rule (2) by using, in addition to reachability information, also information about the controllability of the individual modules with respect to the speci cation 2'. This improvement is based on the following observation. The predicate RP used in (2) de nes the reachable states of P when P is in a completely general environment. However, the module P may exhibit anomalous behaviors in a completely general environment; in particular, more states may be reachable under a completely general environment than under the speci c environment provided by Q. Of course, we do not want to compute the reachable states of P when P is composed with Q: doing so would require the exploration of the state space of the global system P kQ, which is exactly what our modular veri cation rules try to avoid. To study the module P under a suitable con ning environment, while still avoiding the exploration of the global state space, we consider the module P in the most general environment E that ensures the invariant '; that is, E is the least restrictive module such that P kE j= 2'. In practice, we need not construct E explicitly, but compute only the predicate DP that de nes the set of reachable states of P kE. Since E is more restrictive than the completely general environment, the predicate DP is stronger than RP , and the implication DP ! RP holds. The algorithm for computingDP follows from the standard game-theoretic algorithm for computing the set of states of the module P that are controllable with respect to the invariant '; it can be implemented symbolically or enumeratively, with a time complexity that is linear in the size of the state space of P [Bee80]. 4 This leads to the following modular veri cation rule: (IP ^ IQ)! (DP ^DQ) P k (9WQ:(Q&DQ)) j= 2DP Q k (9WP :(P &DP )) j= 2DQ P kQ j= 2' (3) where WP VP and WQ VQ. The soundness of this rule depends on an inductive argument, and it will be proved in detail in the paper. Essentially, the rst premise ensures that the modules P and Q are initially in states satisfying DP ^ DQ. The second premise shows that, as long as Q does not leave the set de ned by DQ, the module P will not leave the set de ned by DP ; the third premise is symmetrical. As the implications DP ! ' and DQ ! ' hold, the three premises lead to the conclusion. The rule is in fact closely related to inductive forms of assume-guarantee reasoning [Sta85, AL95, AH96, McM97]. The use of the stronger predicates DP and DQ in the second and third premises of the rule (3) potentially enables the erasure of more variables compared to the earlier rule (2). However, in rule (3) this erasure can take place only on one side of the parallel composition operator or, in the case of multi-module systems, for all modules but one. While automatic approaches to the construction of abstractions for model checking have been proposed, for example, in [Kur94, Dam96, GS97, CC99], these approaches do not exploit reachability and controllability information in a modular fashion. In particular, instead of the standard principle \ rst abstract, then model check the abstraction," our approach follows the more re ned principle \ rst model check the components, then use this information to abstract, then model check the compound abstraction." In this way, our modular veri cation rules are doubly geared towards automatic veri cation methods: state-space exploration is used both to compute the reachability and controllability predicates, and to check all temporal premises (those which contain the j= operator). It is worth pointing out that nontemporal premises would result in rules that are considerably less powerful. For example, suppressing variable erasures, the temporal premise (P &RP ) k (Q&RQ) j= 2' of rule (2) is weaker than the two nontemporal premises IP ^ IQ ! ' and ' ^RP ^ TP ^RQ ^ TQ ! '0 would be (here, '0 results from ' by replacing all variables with their primed versions). Similarly, the second premise of rule (3) is weaker than the two nontemporal premises IP ^ IQ ! DQ ^DP and DP ^ TP ^DQ ^ TQ ! D0 P would be. It is easy to nd examples where our temporal premises apply, but their nontemporal counterparts do not. The outline of the paper is as follows. After introducing preliminary de nitions in Section 2, we develop the technical details of the proposed modular veri cation rules in Section 3. The veri cation rules have been implemented on top of the Mocha model checker [AHM+98], using BDD-based xpoint algorithms for the computation of the reachability and controllability predicates. In Section 4 we discuss the implementation of the veri cation rules, and we describe the script language we devised in order to be able to experiment e ciently with 5 various modular veri cation techniques. In Section 5 we present experimental results for three examples: a demarcation protocol used to maintain the consistency between distributed databases [BGM92], a token-ring arbiter, and a sliding-window protocol for data communication [Hol91]. We conclude the paper with some insights gathered in the course of the experimentation with the proposed veri cation rules. 2 Modules Given a set V of typed variables with nite domain, a state s over V is an assignment for V that assigns to each x 2 V a value s[[x]]. We also denote by V0 = fx0 j x 2 Vg the set obtained by priming each variable in V. Given a predicate H over V, we denote by H 0 the predicate obtained by replacing in H every x 2 V with x0 2 V 0. Given a set A and an element x, we often write Anx for Anfxg, when this generates no confusion. A module P = (CP ; EP ; IP ; TP ) consists of the following components: 1. A ( nite) set CP of controlled variables, each with nite domain, consisting of the variables whose values can be accessed and modi ed by P . 2. A ( nite) set EP of external variables, each with nite domain, consisting of the variables whose values can be accessed, but not modi ed, by P . 3. A transition predicate TP over CP [ EP [ C0 P . 4. An initial predicate IP over CP . We denote by VP = CP [ EP the set of variables mentioned by the module. Given a state s over VP , we write s j= IP if IP is satis ed under the variable interpretation speci ed by s. Given two states s; s0 over VP , we write (s; s0) j= TP if predicate TP is satis ed by the interpretation that assigns to x 2 VP the value s[[x]], and to x0 2 V 0 P the value s0[[x]]. A module P is non-blocking if the predicate IP is satis able, i.e., if the module has at least one initial state, and if the assertion 8VP : 9C0 P : TP holds, so that every state has a successor. A trace of module P is a nite sequence of states s0; s1; s2; : : : sn 2 States(VP ), where n 0 and (sk; sk+1) j= TP for all 0 k < n; the trace is initial if s0 j= IP . Two modules P and Q are composable if CP \CQ = ;; in this case, their parallel composition P kQ is de ned as: P kQ = CP [ CQ; (EP [ EQ)n(CP [ CQ); IP ^ IQ; TP ^ TQ : Given a module P and a predicate H over VP , we denote by (P &H) = CP ; EP ; IP ^H;TP ^H the module like P , except that only transitions from states that satisfy H are allowed. Given a module P and a set W of variables, we let (9W:P ) = CPnW; EP nW; 9W : IP ; 9W;W 0 : TP be the module obtained by erasing the variables W in P . Note that the module (P &H) can be blocking even if module P is non-blocking. On the other hand, 6 the parallel composition of non-blocking modules is non-blocking, and a module obtained from a non-blocking module by erasing variables is also non-blocking. A state of a module P is reachable if it appears in some initial trace of P . We denote by Reach(P ) the predicate de ning the reachable states of P ; this predicate can be compute using standard state-space exploration techniques [CES83]. Given a module P and a predicate ', the relation P j= 2' holds i the implication Reach(P ) ! ' is valid. In this paper, we present modular techniques for verifying whether the relation P1 k kPn j= 2' holds, where P1, P2, : : : , Pn are composable modules, for n > 0, and where ' is de ned over the set of variables Sni=1 VPi . This veri cation problem is known as the invariant veri cation problem, and it is one of the most basic problems in formal veri cation. 3 Modular Rules for Invariant Veri cation In this section, we present three modular rules for the veri cation of invariants; the rules are presented in order of increasing sophistication, and of increasing ability of successfully erasing variables. The rst rule is a standard rule based on the construction of abstract modules: (9W1:P1) k k (9Wn:Pn) j= 2' P1 k kPn j= 2' (4) The second rule is derived from the above rule, by using in the construction of the abstract modules also information about the reachable states of the concrete modules. The third rule constructs the abstract modules using both reachability and controllability information about the concrete modules. 3.1 Reachability-based abstractions In order to improve the ability of rule (4) to successfully erase variables, we construct the abstract modules using reachability information about the concrete modules. Hence, we formulate the following modular veri cation rule: (9W1:(P1&Reach(P1))) k k (9Wn:(Pn&Reach(Pn))) j= 2' P1 k kPn j= 2' (5) This rule is sound. The rule is also complete, since whenever the conclusion holds, the premise also does, with the choice W1 = = Wn = ;. Our experiments indicated that rule (5) is often surprisingly e ective in enabling the successful erasure of variables, leading to dramatic savings in the space and time requirements of veri cation. We illustrate this with an example. Example 1 This example is a simpli ed version of the token-ring example presented in Section 5. Consider a system composed of two modules P and Q that circulate a token through a 4-phase handshake protocol. The module P has controlled variables CP = fgrant1; ack1; x1; y1; c1g and external variables 7 EP = fgrant2; ack2g. All variables are boolean, except for c1 that has domain f0; 1; 2; 3g. The module Q is de ned similarly, except that the subscripts 1 and 2 are exchanged. Intuitively, grant2 and ack1 form the handshake that passes a token from Q to P . Once the token arrives into P , it is stored rst in x1, then in y1. The handshake variables grant1 and ack2 are used to pass the token back to Q. The variable c1 is an auxiliary variable that records the number of tokens in P . The initial condition of P is IP : :ack1 ^ :grant1 ^ x1 ^ :y1 ^ (c1 = 0); the initial condition of Q is IQ : :ack2 ^:grant2 ^:x2^:y2 ^ (c2 = 0), so that the token is initially in x1. We present the transition predicate of P in guardedcommands notation, with the convention that the values of the variables not mentioned in the assignments are not modi ed, and that the command to be executed is chosen nondeterministically among those whose guards are true: [] grant2 ^ :ack1 ^ :x1 ! ack 01 := t; x01 := t; c01 := (c1 + 1) mod 4 [] :grant2 ^ ack1 ! ack 01 := f [] x1 ^ :y1 ! x01 := f; y0 1 := t [] :grant1 ^ :ack2 ^ y1 ! grant 01 := t; y0 1 := f; c01 := (c1 1) mod 4 [] grant1 ^ ack2 ! grant 01 := f [] t ! The transition predicate of Q is identical, except that the subscripts 1 and 2 are exchanged. The invariant is ' : [(c1 + c2) mod 4 < 2], and states that there is at most one token. To verify that P kQ j= 2', we can apply rule (5) with sets of erased variables WP = fx1; y1g and WQ = fx2; y2g. Hence, we are able to erase all the variables that are not used for communication, and that do not appear in the invariant. The intuition is that, once the value of c1 is known, the predicate Reach(P ) : c1 = 0 ^ :x1 ^ :y1 _ c1 = 1 ^ (x1 6 y1) _ c1 = 2 ^ x1 ^ x2 provides su cient information about the possible values of the erased variables x1 and y1 to enable an accurate computation of the successor states. In contrast, rule (4) does not enable the erasure of any variables. 3.2 Controllability and reachability-based abstractions Consider an instance P1 k kPn j= 2' of the invariant veri cation problem, for n 1. As mentioned in the introduction, the predicate Reach(Pi) de nes the reachable states of module Pi when the module Pi is in a completely arbitrary environment, for 1 i n. However, a module may have many more reachable states when composed with a completely arbitrary environment, than when composed with the other modules of the system. To obtain more precise predicates, we consider the states of Pi that are reachable under the most general environment under which Pi satis es the speci cation 2', for 1 i n. The idea is that, if the system has been properly designed, then the actual environment of Pi is a special case of this most general environment. 8 An environment for a module P is a non-blocking module E composable with P . Given a module P and a predicate ', we denote by Envs(P ) the set of all environments of P , and we let Envs'(P ) = fE 2 Envs(P ) j P kE j= 2'g the set of environments of P under which the speci cation 2' holds. We de ne CR(P; ') = WE2Envs'(P ) 9(VEnVP ) :Reach(P kE) with the convention that CR(P; ') = f if Envs'(P ) = ;. The predicate CR(P; ') de nes the set of states of P that can be reached when P is composed with an environment under which 2' holds. Denote by V' the variables occurring in '. The following proposition gives some additional properties of the predicate CR(P; '). Proposition 1 Given a non-blocking module P and a predicate ', the following assertions hold. 1. There is an environment E 2 Envs'(P ) with VE = VP [ V' such that CR(P; ') 9(V'nVP ) :Reach(P kE). 2. The implications CR(P; ')! 9(V'nVP ) :' and CR(P; ')! Reach(P ) hold. Regarding the second assertion, note that in the introduction we implicitly assumed V' VPi for 1 i n for the sake of simplicity, while here we are only assuming the weaker V' Sni=1 VPi . We can then formulate the veri cation rule: Vni=1 IPi ! Vni=1 CR(Pi; ') Pi k kj2f1;:::;ngni (9Wj:(Pj &CR(Pj; '))) j= 2CR(Pi; ') 1 i n P1 k kPn j= 2' (6) In the second premise of this rule, for 1 i n, we cannot erase variables of Pi. In fact, the predicate CR(Pi; ') on the right hand side of j= involves most of the variables in Pi, preventing their erasure. In the experiments described in Section 5, the systems were composed of two modules, and rule (5) performed better than rule (6), since in rule (5) the variables could be erased in both the composing modules. In systems composed of many modules, it is conceivable that the advantage derived from using the stronger predicates of rule (6) in all modules but one, thus possibly erasing more variables, outweighs the disadvantage of not being able to erase variables in one of the modules. Proposition 2 Rule (6) is sound. If P1, : : : , Pn are non-blocking, rule (6) is also complete: if the conclusion holds, then the premises also hold for W1 = =Wn = ;. Proof. It su ces to consider the case W1 = = Wn = ;. To show that the rule is sound, we assume that its premises hold, and we prove by induction on k 0 that, if s0; s1; : : : ; sk is an initial trace of P1 k kPn, then si j= CR(Pj ; ') for all 0 i k and 1 j n. The base case follows from the rst premise of (6). For the induction step, assume that the assertion holds for k, and consider 9 the assertion for k + 1 for any j, with 1 j n. The trace s0; s1; : : : ; sk; sk+1 is an initial trace of Pj k kl2f1;:::;ngnj (Pj &CR(Pj ; ')) Hence, we have that sk+1 j= CR(Pj; '), completing the induction step. From V' Sni=1 VPi and from Proposition 1, part 2, we have that the implication (Vni=1 CR(Pi; '))! ' holds. This implication, together with the conclusion of the induction proof, leads to the desired result. The completeness of the rule follows by noticing that if P1 k kPn j= 2', then by de nition of CR( ; ') we have P1 k kPn j= 2(CR(P1; ') ^ ^CR(Pn; ')). To compute the predicate CR(P; ') given P and ', we proceed in two steps. First, we compute the predicate Ctr(P; ') de ning the set of states from which P is controllable with respect to the safety property 2'. The predicate Ctr(P; ') can be computed with a standard controllability algorithm [TW68, Bee80, RW87]. Algorithm 1 Input: Module P and predicate '. Output: Predicate Ctr(P; ') over VP . Initialization: Let F = V'nVP and U0 = 9F : '. Repeat: For k 0, let Uk+1 = Uk ^ 9(E 0 P [ F 0) : 8C0 P : (TP ! (U 0 k ^ '0)). Until: Uk+1 Uk. Return: Uk. The algorithm computes a sequence U0; U1; U2; : : : of increasingly strong predicates. For k 0, predicate Uk de nes the states from which it is possible to control P to satisfy predicate ' for at least k+1 steps; note that the implication Uk ! 9F : ' holds for k 0. At each iteration k 0, the algorithm lets Uk+1 de ne the set of states from which the environment can choose the next value for the external variables, so that for all choice of the controlled variables, the successor states of the transitions satisfy Uk. The following algorithm computes the predicate CR(P; '), using the previous algorithm as a subroutine. Algorithm 2 Input: Module P and predicate '. Output: Predicate CR(P; ') over VP . Initialization: Let F = V'nVP , and V0 = IP ^9F :8CP : IP ! (Ctr(P; ')^') . Repeat: For k 0, let V 0 k+1 = V 0 k _ 9VP : Vk ^ TP ^ 9F 0 : 8C0 P : TP ! (Ctr 0(P; ') ^ ') : Until: Vk+1 Vk. Return: Vk. For each k 0, the predicate Vk over VP de nes the set of states of P that can be reached in k or less steps when P is composed with an environment E such that P kE j= 2'. To understand how this predicate is computed, note that the predicate 8CP : (IP ! (Ctr(P; ') ^ ')) de nes the set of initial valuations for the variables in EP [F that are safe for the environment: if one such valuation 10 is chosen by the environment, the system will start in a controllable state that satis es ', regardless of the valuation for the controlled variables in CP chosen by the module P . The iteration step follows a similar idea. If Vk de nes the set of current states, then the formula K1 : 9VP : (Vk ^ TP ) over C0 P de nes the valuations for the controlled variables that can be chosen by P for the following state. The environment must choose a valuation for the variables in E 0 P [ F 0 that ensures that, regardless of the valuation for C0 P chosen by the module, the successor state satis es Ctr 0(P; ')^'. If Vk de nes the set of current states, the set of such valuations for E 0 P [ F 0 is de ned by the formula K2 : 9VP : 8C0 P : (Vk ^ TP )! (Ctr 0(P; ') ^') : It is then easy to see that the iteration step of Algorithm 2 can be written simply as V 0 k+1 = K1^9F 0:K2, so thatK1 constrains the next valuation of the controlled variables, and 9F 0 : K2 constrains the next valuation of the external variables. Algorithms 1 and 2 can be implemented enumeratively or symbolically, and they have running time linear in jStates(VP [ V')j. In the next example, we see how rule (6) can enable the erasure of variables that could not be erased with rule (5). Example 2 Consider the veri cation problem P1 kP2 j= 2', where the invariant is ' : :z1 ^ :z2. The modules have variables CPi = fxi; yi; zig and EPi = fx2 i; z2 ig, for 1 i 2; all the variables are boolean. Module P1 has initial predicate IP1 : :x1 ^ :y1 ^ :z1, and has transition predicate TP1 : [x01 z2] ^ [(:x1 ^ :x2) ! (y0 1 y1)] ^ [:y1 ! (z0 1 z1)]. Module P2 is de ned in a symmetrical fashion. Informally, module P1 behaves as follows. Initially, all variables are false. At each step, the new value for x1 is the old value of z2. If x1 _ x2 holds, then y1 can change value; otherwise, it retains its previous value. If y1 is true, then z1 can change value; otherwise, it retains its previous value. It is easy to check that P1 kP2 j= 2' holds. Consider module P1. The states where z1 = t or z2 = t are obviously not controllable. The states where y1=t are also not controllable, since from these states module P1 can reach a state where z1=t regardless of the values of the external variables x2 and z2. Likewise, the states where x1=t or x2=t are not controllable, since from these states the module can reach a state where y1=t regardless of the values of the external variables. The only controllable (and reachable) state of P1 is thus de ned by the predicate CR(P1; ') : :x1 ^ :y1 ^ :z1 ^ :x2 ^ :z2. Predicate CR(P2; ') is de ned in a symmetrical fashion. The reachability predicates are given simply by Reach(P1) : t and Reach(P2) : t. Rule (6) can be applied by takingW1 =W2 = fy1; y2g. In fact, the composite module P1 k (9W2:(P2&CR(P2; '))) admits only the initial traces consisting of repetitions of the state [x1=f; y1=f; z1=f; x2=f; z2=f]. This shows that the rst premise holds; the case for the second premise is symmetrical. On the other hand, no variable can be successfully erased using rule (5). In fact, if we erase variable y2, then the right hand side exhibits the initial trace s0; s1, where s0 : [x1=f; y1=f; z1=f; x2=f; z2=f] and s1 : [x1=f; y1=f; z1=f; x2=f; z2=t]. This trace is possible because the state t0 : [x1= f; z1= f; x2= f; y2=t; z2= f] over VP2 is reachable, and hence it satis es Reach(P2), and agrees with s0 on 11 the shared variables. The trace is then a consequence of the transition from t0 to t1 : [x1=f; z1=f; x2=f; y2=t; z2=t] in P2. A similar argument shows that it is not possible to erase the variable x2. 4 Implementation of the Veri cation Rules We have implemented the algorithms described in this paper in the veri cation tool Mocha [AHM+98]. Mocha is an interactive veri cation environment and it enables, among other things, the veri cation of invariants using both enumerative and symbolic techniques; for the latter, it relies on the BDD package and image computation engine provided by VIS [BHSV+96], which we used in our implementation. One important technique we use in the implementation of the rules is that, instead of computing the abstract modules explicitly, we compute them implicitly. The idea is as follows: suppose we are computing the reachable states of (9WP :P )k (9WQ:Q). A straight-forward algorithm would be to rst compute the two abstract modules, and then compute the reachable states of their composition. This is very ine cient in terms of the usage of space. Transition relations are usually presented as a list of conjuncts rather than as a single, larger conjunct. The explicit computation of the abstract modules would imply conjoining all the transition relations and building a monolithic one: if represented as a BDD, such a monolithic conjunct would often be prohibitively large. Instead, we quantify away the erased variables of the abstract modules only when necessary, as for example in the computation of the reachable states. For instance, we use the following symbolic algorithm to compute the reachable states of the parallel composition of two abstract modules: Algorithm 3 Input: Modules P and Q, and variables WP VP nCQ and WQ VQnCP . Output: Reach((9WP :P )k (9WQ:Q)). Initialization: Let U0 = 9(WP [WQ) : (IP ^ IQ). Repeat For k 0, let U 0 k+1 = U 0 k _ 9(VP [ VQ [W 0 P [W 0 Q) : (Uk ^ TP ^ TQ). Until Uk+1 Uk. Return: Uk. In the body of the loop, we rely on the early quanti cation algorithm in VIS to keep the intermediate BDDs small. With this scheme, a monolithic transition relation is never built. In particular, our implementation represents abstract modules as pairs consisting of a concrete module and of a list of variables that have been erased from it; such pairs are called extended modules. In order to experiment with the veri cation rules proposed in this paper, we implemented a simple script language, called sl, built on top of Mocha and based on the Tcl/Tk API. The algorithms and methodologies described in this paper provide the theoretical basis of the commands provided by sl. The 12 veri cation rules proposed in this paper can be implemented as sl scripts, and the language sl provides invaluable exibility for experimenting with alternative forms of the rules. An example of script is the following, which veri es the correctness of the demarcation protocol using rule (5) (the demarcation protocol is described in Section 5.1). read_module demarc.rm sl_em P Q Spec sl_reach phi em_Spec s sl_reach rp em_P s sl_restrict Prest rp em_P sl_erase Pabs Prest P/xw P/xr P/req1 P/grant1 P/req2 \ P/grant2 P/xlupd1 P/xlupd2 P/busy sl_reach rq em_Q s sl_restrict Qrest rq em_Q sl_erase Qabs Qrest Q/xw Q/xr Q/req1 Q/grant1 Q/req2 \ Q/grant2 Q/xlupd1 Q/xlupd2 Q/busy sl_compose Rabs Pabs Qabs sl_checkinv Rabs phi s The command read module parses the le demarc.rm, containing the declarations of the modules P and Q, composing the protocol, and Spec, whose reachable states constitute the invariant. The command sl em P Q Spec builds the extended modules em P, em Q, and em Spec from P, Q, and Spec; of course, these extended modules have empty sets of erased variables. The command sl reach phi em Spec s computes the predicate phi = Reach(em Spec). The parameter s of this and other commands means \silent", i.e., no diagnostic information is printed. The rest of the script checks that em Pk em Q j= 2phi using rule (5). First, the commands sl reach and sl restrict are used to compute rp = Reach(em P) and Prest = (em P& rp). Then, the command sl erase erases a speci ed list of variables from Prest, producing the extended module Pabs. As discussed earlier, the command sl erase performs no actual computation, but simply adds the speci ed variables to the list of erased variables. The extended module Qabs is constructed in an analogous fashion. Finally, the command sl compose composes Pabs and Qabs into a single extended module Rabs, which is checked against the speci cation 2phi by command sl checkinv. Apart from these commands, we also have implemented commands including sl wcontr and sl contrreach, which together compute the predicate CR(P; ') given a module P and a predicate '. 5 Experimental Results To demonstrate the e ectiveness of the proposed approach to modular veri cation, we compare the time and memory requirements of global state-space exploration with those of rule (5) and rule (6). We do not compare our approach with other modular veri cation approaches, since these approaches involve user 13 intervention for the construction of the environments. By manually constructing the environments or the abstractions it is possible to improve on our results. We consider three examples: a demarcation protocol used in distributed databases, a token-ring arbiter, and a sliding-window protocol for data communication. All experiments have been run on a 233 MHz Pentiumr II PC with 128MB memory running Linux. We report the memory usage by giving the maximumnumber of BDD nodes used in any xpoint computation or predicate; this is essentially the maximum number of BDD nodes used at any single time during veri cation. We also report the total CPU time; this time does not include swap activity (swap activity was in any case very limited for all examples reported). The automatic variable reordering heuristics ofMocha were enabled during the experiments. We remark that di erences in time or memory usage of up to a factor of 2 are not signi cant, since they can easily be produced by a variation in the automatic choice of variable ordering. 5.1 Demarcation protocol The demarcation protocol is a distributed protocol aimed at maintaining numerical constraints between data residing in distributed copies of a database, while minimizing the communication requirements [BGM92]. We consider an instance of the protocol that ensures that two databases, residing at sites 1 and 2, never sell more than the maximum available number of seats m aboard a plane. The variables x1 and x2 indicate the number of seats that have been sold at sites 1 and 2. Each site can both sell seats, and receive seats returned due to cancellations. In order to minimize the communication between two sites, each site i = 1; 2 maintains a variable xli indicating the maximum number of seats it can sell autonomously. If a site wishes to sell more seats than this limit allows, the site can send a request to the other site for more seats. Depending on the number of unsold seats, the other site has the option of rejecting the request, or of granting it in part or in full. We model each site i = 1; 2 by a module Pi; the speci cation is 2[(x1 xl1) ^ (x2 xl2) ^ (xl1 + xl2 m)]. Each of P1 and P2 controls 20 variables, of which 8 are used for communication with the other module or appear in the invariant, and 12 are internal. Rule (5) enable the erasure of 9 of these 12 variables in each of P1 and P2; all of these variables are in the cone of in uence of the speci cation. The table below compares the time and space requirements of global state space exploration with those of rules (5) and (6), for various values of m. To check the robustness of rule (5) against changes in the system model, we also wrote an alternative, somewhat more complex model for the demarcation protocol. For m = 4, the veri cation of the alternative model required 136156 BDD nodes and 2009 seconds with the global approach, and 18720 BDD nodes and 211 seconds with rule (5). 14 Global Rule (5) Rule (6) m BDD nodes seconds BDD nodes seconds BDD nodes seconds 4 20881 97 2847 25 8695 75 6 64345 439 3338 4