Linking Theorem Proving and Model - Checking

We present an approach to veriication that combines the strengths of model-checking and theorem proving. We use theorem proving to show a bisimula-tion up to stuttering on a|potentially innnite-state|system. Our characterization of stuttering bisimulation allows us to do such proofs by reasoning only about single steps of the system. We present an on-they method that extracts the reachable quotient structure induced by the bisimulation, if the structure is nite. If our speciication is a temporal logic formula, we model-check the quotient structure. If our speciication is a simpler system, we use an equivalence checker to show that the quotient structure is stuttering bisimilar to the simpler system. The results obtained on the quotient structure lift to the original system, because the quotient, by construction, is reened by the original system. We demonstrate our methodology by verifying the alternating bit protocol. This protocol cannot be directly model-checked because it has an innnite-state space; however, using the theorem prover ACL2, we show that the protocol is stuttering bisimilar to a small nite-state system, which we model-check. We also show that the alternating bit protocol is a reenement of a non-lossy system.