
Author

  • David L. Dill
Abstract

[Fig. 1. Predicate Abstraction Algorithm (block diagram; labels: Concrete System, Verification Condition, Initial Predicates, Abstraction and Model Checking, Property verified, Abstract Counter-example, Counter-example checking and predicate discovery, Discovered predicates, Counter-example found)]

a verification condition and the concrete system description it first computes an approximate abstract model. This abstract model is model checked and the abstract system refined appropriately if it was too inexact. Notice that this refinement does not change the set of abstraction predicates and concentrates on using the existing predicates more efficiently. Finally this process terminates with either the verification condition verified (in which case nothing else needs to be done) or with an abstract counter-example trace. The current work, represented by the lower block in the diagram, checks whether a concrete counter-example trace corresponding to the abstract trace exists. If so the verification condition is violated and an error is reported; otherwise new predicates are discovered which avoid this counter-example. The new predicates are added to the already present abstraction predicates and the process starts anew. Since all the old predicates are reused, a lot of the work from previous iterations is reused.

Related Work

Recently a lot of work has been done on predicate abstraction. The use of automatic predicate abstraction for model checking infinite-state systems was first presented by Graf and Saïdi in 1997 [11]. The method used monomials (monomials are conjunctions of abstract state variables or their negations) to represent abstract states. Parameterized systems are handled by using a counting abstraction [13]. Similar work has also been proposed in [17] and [14]. In 1998 [8], Colón and Uribe describe a method of constructing a finite abstract system and then model checking it. The abstractions produced in both methods are coarse and could fail to prove the verification condition even if all necessary predicates were present.
By constructing the abstraction in a demand driven fashion, the method of Das and Dill [9] is able to compute abstractions efficiently that are as precise as possible given a fixed finite set of predicates. This ensures that if the desired properties can be proved with the abstraction predicates then the method will be able to do so. The predicate abstraction methods described so far have relied on user provided predicates to produce the abstract system. Counter-example guided refinement is a generally useful technique. It has been used by Kurshan et al. [2] for checking timed automata, Balarin et al. [3] for language containment and Clarke et al. [7] in the context of verification using abstraction for different variables in a version of the SMV model checker. Counter-example guided refinement has even been used with predicate abstraction by Lakhnech et al. [12]. Invariant generation techniques have also used similar ideas [19, 5]. Invariant generation techniques generally produce too many invariants, many of which are not relevant to the property being proved. This can cause problems with large systems. The counter-example guided refinement techniques do not produce the quantified predicates that our method needs. Predicate abstraction is also being used for software verification. Device drivers are being verified by the SLAM project [4]. The SLAM project has used concrete simulation of the abstract counter-example trace to generate new predicates. The BLAST project [18] also uses spurious counter-examples to generate new predicates. Predicate abstraction has also been used in software verification as a way of finding loop invariants [10]. These systems do not deal with parameterized systems, hence they do not need quantified predicates.

2 Abstraction Basics

As in previous work [9], sets of abstract and concrete states will be represented by logical formulas. For instance the concrete predicate $X$ represents the set of concrete states which satisfy $X$.
The main idea of predicate abstraction is to construct a conservative abstraction of the concrete system. This ensures that if some property is proved for the abstract system, then the corresponding property also holds for the concrete system. Formally the concrete transition system is described by a set of initial states represented by the predicate $I_C$ and a transition relation represented by the predicate $R_C$. $I_C(x)$ is true iff $x$ is an initial state. Similarly, $R_C(x, y)$ is true iff $y$ is a successor of $x$. The safety property $P$ is the verification condition that needs to be proved in the concrete system. An execution of the concrete system is defined to be a sequence of states $x_0, x_1, \ldots, x_M$ such that $I_C(x_0)$ holds and for every $i \in [0, M)$, $R_C(x_i, x_{i+1})$ holds. A partial trace is an execution that does not necessarily start from an initial state. A counter-example trace is defined to be an execution $x_0, x_1, \ldots, x_M$ such that $\neg P(x_M)$ holds (i.e., the counter-example trace ends in a state which violates $P$). The abstraction is determined by a set of $N$ predicates, $1, 2, \ldots, N$. The abstract state space is just the set of all bit-vectors of length $N$. An abstraction function maps sets of concrete states to sets of abstract states while the concretization function does the reverse. In the following definitions the predicates $Q_C$ and $Q_A$ represent sets of concrete states and abstract states respectively. Then the abstraction of $Q_C$ is a predicate over abstract states which holds at $s$ exactly when $s$ is an abstraction of some concrete state $x$ in $Q_C$. Similarly the concretization of $Q_A$ holds at $x$ exactly when there exists an abstract state $s$ in $Q_A$ and $s$ is the abstraction of $x$.
Definition 1. Given predicates $Q_C$ and $Q_A$ over concrete and abstract states respectively, the abstraction and concretization functions are defined as:

$(Q_C)(s) = \exists x.\ Q_C(x) \wedge \bigwedge_{i \in [1,N]} {}_i(x)\ s(i)$

$(Q_A)(x) = \exists s.\ Q_A(s) \wedge \bigwedge_{i \in [1,N]} {}_i(x)\ s(i)$

Using the above definitions, the abstract system is defined by the set of abstract initial states $I_A$, the abstraction of $I_C$, and the abstract transition relation $R_A(s, t) = \exists x, y.\ (s)(x) \wedge (t)(y) \wedge R_C(x, y)$. An abstract execution is a sequence of abstract states $s_0, s_1, \ldots, s_M$ such that $I_A(s_0)$ holds and for each $i \in [0, M)$, $R_A(s_i, s_{i+1})$ holds. An abstract counter-example trace is an abstract execution $s_0, s_1, \ldots, s_M$ for which $(\neg P)(s_M)$ holds. The atomic predicates in the verification condition $P$ are used as the initial set of predicates. The abstract system is constructed and the abstract property (the negation of the abstraction of $\neg P$) checked for all reachable states. If this is successful then the verification condition holds. Otherwise the generated abstract counter-example is analyzed to see if a concrete execution corresponding to the abstract trace exists. In that case, a concrete counter-example has been constructed. Otherwise the abstract counter-example is used to discover new predicates. Then the process is repeated with the discovered predicates being added to the already present predicates. An abstract trace is called a real trace if there exists a concrete trace corresponding to it. Conversely, if there are no concrete traces corresponding to an abstract trace then it is called a spurious trace.

3 Predicate Discovery

As described in the previous section, the system generates a counter-example trace to the verification condition that was to be proved. Now the system must analyze the abstract counter-example trace to either confirm that the trace is real, that is, a concrete trace corresponding to it exists, or come up with additional predicates which would eliminate the spurious counter-example. First the trace is minimized to get a minimal spurious trace.
A minimal spurious trace is defined to be an abstract trace which is
1. spurious (no corresponding concrete trace exists), and
2. minimal (removing even a single state from either the beginning or end of the trace makes the remainder real).

Checking the Abstract Counter-Example Trace

There is a concrete counter-example trace $x_1, x_2, \ldots, x_L$ corresponding to the abstract counter-example trace $s_1, s_2, \ldots, s_L$ if these conditions are satisfied:
1. For each $i \in [1, L]$, $(s_i)(x_i)$ holds. This means that each concrete state $x_i$ corresponds to the abstract state $s_i$ in the trace.
2. $I_C(x_1) \wedge \neg P(x_L)$ holds. The concrete counter-example trace starts from an initial state and ends in a state which violates $P$.
3. For each $i \in [1, L)$, $R_C(x_i, x_{i+1})$ holds. For every $i$, $x_{i+1}$ is the successor of $x_i$.

Conditions (1) and (3) determine that a concrete trace corresponding to the abstract trace exists and condition (2) determines that the trace starts from the set of concrete initial states and ends in a state that violates the verification condition. To write the logic concisely the logic for the initial state has been disregarded. In the implementation, an initial totally unconstrained state is added to the trace and it is assumed that the initial rule produces the initial state of the system. Since all the atomic predicates of $P$ are present among the abstraction predicates, the condition $\neg P(x_L)$ is implied by $(s_L)(x_L)$. Hence, if the formula

$\bigwedge_{i=1}^{L} (s_i)(x_i) \wedge \bigwedge_{i=0}^{L-1} R_C(x_i, x_{i+1})$

is satisfiable then the abstract counter-example trace is real. Otherwise there is no satisfying assignment and the abstract counter-example trace is spurious. To simplify the presentation it shall be assumed that the same transition relation $R_C$ can be used for each of the concrete steps, including the first, where $R_I$ is actually used. In our implementation the first step is handled specially and $R_I$ is used instead of $R_C$.
The test for spuriousness is completely a property of the transition relation and the trace itself and does not depend either on the initial states or the verification condition. So we will generalize the definition of spuriousness to partial traces. A partial trace is spurious if the above formula is unsatisfiable.

Predicate Discovery

To understand predicate discovery we must first understand when predicate abstraction produces a spurious counter-example. Assume that in Figure 2 the whole abstract trace $s_1, s_2, \ldots, s_L$ is spurious but the partial trace $s_2, s_3, \ldots, s_L$ is real. So there are two kinds of concrete states in the concretization of $s_2$:
1. Successor states of states in the concretization of $s_1$.
2. States (like $x_2$) that are part of some concrete trace corresponding to $s_2, \ldots, s_L$.

It must be the case that the above two types of states are disjoint. Otherwise it would be possible to find a concrete trace corresponding to the whole trace, thereby making it real. If predicates to distinguish the two kinds of states were added then the spurious counter-example would be avoided. In the method described here, the discovered predicates will be able to characterize states of the second type above. Once it has been determined that the abstract counter-example is spurious, states are removed from the beginning of the trace while still keeping the remainder spurious. When states can no longer be removed from the beginning, the same process is carried out by removing states from the end of the trace. This eventually produces a minimal spurious trace.

[Fig. 2. Abstraction Refinement (diagram: the concretizations of $s_1$, $s_2$, $s_3$, ..., $s_L$ drawn as circles, individual concrete states $x_1$, $x_2$ drawn as dots, and the predicate to refine $s_2$ marked)]

Now consider the minimal spurious trace $s_1, s_2, s_3, \ldots, s_L$ shown in Figure 2. Here the circles representing the concretizations of $s_1$, $s_2$ etc. are sets of concrete states while the black dots inside the sets represent individual concrete states.
Since the trace $s_2, s_3, \ldots, s_L$ is real,

$Q' = \bigwedge_{i=2}^{L} (s_i)(x_i) \wedge \bigwedge_{i=2}^{L-1} R_C(x_i, x_{i+1})$

is satisfiable for some concrete states $x_2, x_3, \ldots, x_L$. Now CVC is queried about the satisfiability of $Q'$. This returns a finite conjunction of formulas

${}_1(x_2) \wedge {}_2(x_2) \wedge \ldots \wedge {}_K(x_2) \wedge (x_3, \ldots, x_L)$

which implies $Q'$. So the $K$ conjuncts on $x_2$ are conditions that any $x_2$ must satisfy for it to be the first state of the concrete trace corresponding to $s_2, s_3, \ldots, s_L$. Now it must be the case that

$(s_1)(x_1) \wedge R_C(x_1, x_2) \wedge \bigwedge_{i=1}^{K} {}_i(x_2) \wedge (x_3, \ldots, x_L)$

is unsatisfiable. Otherwise it would be possible to find a concrete trace corresponding to $s_1, s_2, \ldots, s_L$! More specifically, if the $K$ conjuncts on $x_2$ are added to the set of abstraction predicates, and the verifier rerun, this particular spurious abstract counter-example will not be generated. So, we have an automatic way of discovering new abstraction predicates. However it is possible to reduce the number of additional abstraction predicates. In fact it is quite likely that not all of the $K$ predicates are needed to avoid the spurious counter-example. The satisfiability of the above formula is checked after leaving out the first conjunct ${}_1(x_2)$. If the formula is still unsatisfiable then that conjunct is dropped altogether. The same procedure is repeated with the other conjuncts till an essential set of predicates remains (dropping any one of them makes the formula satisfiable). Notice that there may be multiple essential sets of predicates that make the above formula unsatisfiable. This method finds one such set. Now consider the effect that the abstraction refinement has on the abstract system. The original abstract state $s_2$ will be split into two: in one part all the added predicates hold while in the other part at least one of the assertions does not hold. Also, in the abstract transition relation, the transition from the state $s_1$ to the first partition of $s_2$ is removed. It is still possible that there is a path from $s_1$ to $s_3$ through the other partition of $s_2$.
However the refined abstraction will never generate a spurious counter-example in which a concrete state corresponding to $s_1$ has a successor which satisfies all $K$ of the added assertions.

Parameterized rules and quantified predicates

When proving properties of parameterized systems, quantified predicates are needed. These quantified predicates cannot be found either from the system description or by existing predicate discovery techniques. Invariant generation methods do find quantified invariants which may be useful in some cases. But the problem there is that a lot of invariants are generated and there is no good way of deciding which ones are useful. In the presence of parameterized rules, the predicate discovery works exactly as described above. But the parameters (which are explicitly not part of the concrete state) in the rules may appear in the predicates finally generated. Recall that the predicates discovered characterize the set of states like $x_2$ (in Figure 2) that are part of a real abstract trace. Appearance of a rule parameter in these expressions implies that the parameter must satisfy some conditions in the concrete counterpart of the abstract trace. Any other value of the parameter which satisfies the same conditions could produce another concrete trace. Naturally, an existential quantifier wrapped around these expressions would find a predicate that is consistent with all possible behaviors of the (possibly unbounded) parameter.

    state
      N : positive integer
      status : array [N] of enum {GOOD, BAD}
      error : boolean
    initialize
      status := All values are initialized to GOOD
      error := false    /* No error initially */
    rule (p : subrange [1..N])
      (status[p] = BAD) ⇒ error := true
    property
      ¬error

Fig. 3. Quantified predicate example

Quantifier scope minimization is carried out so that smaller predicates may be found. In some cases the existential quantifiers can be eliminated altogether. Often predicates of the form $\exists x.\ Q(x) \wedge (x = a)$, where $a$ is independent of $x$, are discovered.
Heuristics were added so that this predicate would be simplified to $Q(a)$. To illustrate the way quantified predicates are discovered automatically, a really trivial example is presented in Figure 3. In the example system we want to prove that error is always false. So the initial abstraction predicate chosen will be just the atomic formulas of the verification condition, in this case the single predicate $B_1$, standing for error. With this abstraction the property cannot be proved and an abstract counter-example trace $\neg B_1, B_1$ is returned. Since the initialization rule is handled like any other rule (only with implicit guard true), the abstract counter-example that shall be analyzed is $\mathit{true}, \neg B_1, B_1$. Using the test for spuriousness described earlier, the counter-example is shown to be a minimal spurious trace. Also the partial trace $\neg B_1, B_1$ is real (that is, a concrete counterpart exists) when $\mathit{status}[p_0] = \mathit{BAD}$ holds ($p_0$ is the specific value of the parameter chosen). However the initialization rule specifically sets all the elements of the status array to GOOD. Hence the predicate discovered will be $\mathit{status}[p_0] = \mathit{BAD}$. But notice that the parameter appears in the predicate. Hence the new predicate will be $B_2$, standing for $\exists q.\ \mathit{status}[q] = \mathit{BAD}$. Now the abstraction will be refined with the extra predicate. The additional bit will be initialized to false. Also the transition rule will now be enabled only when the new bit is true. Since that never happens the rule is never enabled and the desired property holds.

4 Application to AODV

As an application of this method we shall consider a simplified version of the Ad Hoc On-demand Distance Vector (AODV) routing protocol [15, 16]. The simplification was to remove timeouts from the protocol since we could not find a way of reasoning about them in our system. The protocol is used for routing in a dynamic environment where networked nodes are entering and leaving the system. The main correctness condition of the protocol is to avoid the formation of routing loops.
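The whole loop of Sections 2 and 3 (Definition 1, the abstract model check, the spuriousness test, trace minimization, the essential-set reduction and the existential quantification of the rule parameter) run on the Figure 3 system, as an added example that is not the paper's code. It fixes N = 2 and enumerates the eight concrete states, so the satisfiability queries the paper sends to CVC become exhaustive searches; the conjunction CVC returns is replaced by evaluating a constructed pool of candidate literals (status[q] = BAD for each q) on one concrete witness for x2, and the quantification step is specialised to that pool. The function names, the pool and the state encoding are assumptions of this example.

```python
# Added example (not the paper's code): predicate abstraction with counter-example
# based predicate discovery on the Fig. 3 system, N = 2, all sets made explicit.
from itertools import product

N = 2
GOOD, BAD = "GOOD", "BAD"

# Constructed concrete state space: (status tuple, error flag), eight states.
STATES = [(st, err) for st in product((GOOD, BAD), repeat=N) for err in (False, True)]
INIT_STATE = ((GOOD,) * N, False)

def R_I(x, y):
    """Initialization rule, used for the first step only: successor is the initial state."""
    return y == INIT_STATE

def R_C(x, y):
    """rule(p): if status[p] = BAD then error := true; status is unchanged."""
    (st, _), (st2, err2) = x, y
    return st2 == st and err2 and any(s == BAD for s in st)

def P(x):
    """Verification condition: error is false."""
    return not x[1]

def abstraction(Q, preds):
    """Definition 1: bit-vectors s such that some x in Q has pred_i(x) == s[i] for all i."""
    return {tuple(p(x) for p in preds) for x in STATES if Q(x)}

def concretization(s, preds):
    """Definition 1: predicate on concrete states that abstract to s."""
    return lambda x: all(p(x) == bit for p, bit in zip(preds, s))

def abstract_step(s, t, preds, step):
    """Abstract transition: some x abstracting to s and y abstracting to t with step(x, y)."""
    gs, gt = concretization(s, preds), concretization(t, preds)
    return any(gs(x) and gt(y) and step(x, y) for x in STATES for y in STATES)

def abstract_counterexample(preds):
    """Breadth-first model check of the abstract system. The start state is totally
    unconstrained (as in the paper's implementation); the first step uses R_I."""
    every = abstraction(lambda x: True, preds)
    bad = abstraction(lambda x: not P(x), preds)
    queue, seen = [(s,) for s in every], set()
    while queue:
        trace = queue.pop(0)
        s = trace[-1]
        if len(trace) > 1 and s in bad:
            return trace
        step = R_I if len(trace) == 1 else R_C
        for t in every:
            if t not in seen and abstract_step(s, t, preds, step):
                seen.add(t)
                queue.append(trace + (t,))
    return None

def concrete_witnesses(trace, preds, first_step):
    """All concrete traces x_1..x_L matching the abstract trace: each x_i abstracts
    to s_i and every step is a transition (first_step on the first one, R_C after)."""
    gammas = [concretization(s, preds) for s in trace]

    def extend(partial):
        if len(partial) == len(trace):
            yield tuple(partial)
            return
        step = first_step if len(partial) == 1 else R_C
        for y in STATES:
            if gammas[len(partial)](y) and step(partial[-1], y):
                yield from extend(partial + [y])

    for x in STATES:
        if gammas[0](x):
            yield from extend([x])

def is_real(trace, preds, first_step=R_C):
    """Spuriousness test: the trace is real iff a concrete witness exists."""
    return next(concrete_witnesses(trace, preds, first_step), None) is not None

def minimal_spurious(trace, preds):
    """Drop states from the front while the remainder stays spurious, then from the
    end. Once the front is gone, partial traces use R_C on every step."""
    first = R_I
    while len(trace) > 1 and not is_real(trace[1:], preds, R_C):
        trace, first = trace[1:], R_C
    while len(trace) > 1 and not is_real(trace[:-1], preds, first):
        trace = trace[:-1]
    return trace, first

def discover(trace, first, preds, pool):
    """Conditions on x_2 for the real partial trace s_2..s_L, reduced to an essential set.
    Assumption: the pool literals evaluated on one witness x_2 stand in for the
    conjunction CVC would return. The rest of the trace is satisfiable by itself and
    does not constrain x_2, so the unsat test leaves it out, as in the paper's formula."""
    x2 = next(concrete_witnesses(trace[1:], preds, R_C))[0]
    psis = [(name, f) if f(x2) else ("not " + name, (lambda g: lambda x: not g(x))(f))
            for name, f in pool]
    g1 = concretization(trace[0], preds)

    def unsat(conds):
        return not any(g1(x1) and first(x1, y) and all(f(y) for _, f in conds)
                       for x1 in STATES for y in STATES)

    assert unsat(psis), "trace was not spurious"
    essential = list(psis)
    for cond in psis:                       # drop a condition if still unsat without it
        trial = [c for c in essential if c is not cond]
        if unsat(trial):
            essential = trial
    return essential

# Constructed candidate literals, one per value of the rule parameter p.
POOL = [(f"status[{q}] = BAD", (lambda q: lambda x: x[0][q] == BAD)(q)) for q in range(N)]

def quantified(pool):
    """Existential quantification over the parameter: status[p0] = BAD for the specific
    p0 found becomes 'exists q. status[q] = BAD' (the B2 of the paper)."""
    return lambda x: any(f(x) for _, f in pool)

def verify(max_rounds=4):
    """Model check, test the counter-example, discover, refine; repeat."""
    preds = [lambda x: x[1]]                # B1: the atomic predicate 'error' of P
    discovered = []
    for _ in range(max_rounds):
        cex = abstract_counterexample(preds)
        if cex is None:
            return "verified", discovered
        if is_real(cex, preds, R_I):
            return "real counter-example", cex
        mst, first = minimal_spurious(cex, preds)
        discovered.append([name for name, _ in discover(mst, first, preds, POOL)])
        preds.append(quantified(POOL))
    return "undecided", discovered

if __name__ == "__main__":
    print(verify())
```

With only B1 the abstract model check returns a three-state trace (unconstrained start, ¬B1, B1); the witness search finds it spurious, the minimization keeps it whole, the reduction keeps the single literal status[1] = BAD and discards the negated literal on status[0], and the quantified predicate added in the second round leaves no abstract transition out of the initial state, so the property is verified.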
This is hard to accomplish and bugs have been found [6]. Finite instances of the protocol have been analyzed with model checkers and a version of the protocol has been proved correct using manual theorem proving techniques. Briefly the protocol works as follows. When a node needs to find a route to another, it broadcasts a route request (RREQ) message to its neighbors. If any of them has a route to the destination it replies with a route reply (RREP) message. Otherwise it sends out a RREQ to its neighbors. This continues till the destination node is reached or some node has a route to the final destination. Then the RREP message is propagated back to the node requesting the route. When a node receives a RREQ message it adds a route to the original sender of the message, so that it can propagate the RREP back. Also nodes will replace longer paths by shorter ones to optimize communication. The routing tables are modeled by the three two-dimensional arrays route_p, route and hops. Given nodes $i$ and $j$, route_p[i][j] is true iff $i$ has a route to $j$, route[i][j] is the node to which $i$ forwards packets whose final destination is $j$ and hops[i][j] is the number of hops that $i$ believes are needed for a packet to reach $j$. The message queue is modeled as an unbounded array of records. Each record has type, src, dst, from, to and hops fields. The src and dst fields are the original source and final destination of the current request (or reply). The from and to fields are the message source and destination of the current hop. The field hops is an integer which keeps track of the number of hops the message has traversed. As explained before, for every route that a node has, it keeps track of the number of hops necessary to get to the destination. Consider three arbitrary but distinct nodes: $a$, $b$ and $c$. The node $a$ has a route to $c$ and its next hop is $b$. In this situation the protocol maintains the invariant that $b$ has a route to $c$ and $a$'s hop count to $c$ is strictly greater than $b$'s hop count to $c$.
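The loop-freedom invariant just stated, checked over explicit routing tables, as an added example that is not from the paper. The tables, the make_tables helper and the follow_route walk are constructed here; the check ranges over every ordered triple of distinct nodes, matching the paper's requirement that a, b and c are distinct, and the walk shows that the table violating the invariant is the one in which a routing loop appears.

```python
# Added example (not the paper's code): the AODV loop-freedom invariant of Section 4
# evaluated on concrete route_p / route / hops tables, plus a next-hop walk that
# detects the routing loop the invariant is meant to rule out.
from itertools import permutations

def invariant_holds(route_p, route, hops):
    """For all distinct a, b, c: (route_p[a][c] and route[a][c] == b) implies
    (route_p[b][c] and hops[a][c] > hops[b][c]). Returns None when the invariant
    holds, otherwise the first violating triple (a, b, c)."""
    n = len(route_p)
    for a, b, c in permutations(range(n), 3):
        if route_p[a][c] and route[a][c] == b:
            if not route_p[b][c] or not hops[a][c] > hops[b][c]:
                return (a, b, c)
    return None

def follow_route(route_p, route, src, dst):
    """Walk next hops from src towards dst. Returns the node sequence, which stops
    early where a node has no entry for dst, or None when a node repeats (a loop)."""
    path, node = [src], src
    while node != dst:
        if not route_p[node][dst]:
            return path
        node = route[node][dst]
        if node in path:
            return None
        path.append(node)
    return path

def make_tables(n, entries):
    """Constructed input: entries maps (i, j) to (next hop, hop count) for i's route to j."""
    route_p = [[False] * n for _ in range(n)]
    route = [[None] * n for _ in range(n)]
    hops = [[0] * n for _ in range(n)]
    for (i, j), (nxt, h) in entries.items():
        route_p[i][j], route[i][j], hops[i][j] = True, nxt, h
    return route_p, route, hops

# Node 0 reaches 2 through 1 in two hops; 1 reaches 2 directly: hop counts decrease.
CONSISTENT = make_tables(3, {(0, 2): (1, 2), (1, 2): (2, 1), (0, 1): (1, 1)})
# Nodes 0 and 1 each name the other as next hop towards 2 with equal hop counts.
LOOPED = make_tables(3, {(0, 2): (1, 2), (1, 2): (0, 2)})

if __name__ == "__main__":
    for name, tables in (("consistent", CONSISTENT), ("looped", LOOPED)):
        print(name, "violation:", invariant_holds(*tables),
              "route 0->2:", follow_route(tables[0], tables[1], 0, 2))
```

The invariant is checked pointwise, so on the looped table it reports the triple (0, 1, 2) before the walk ever revisits a node; that is the sense in which a strictly decreasing hop count along each next hop excludes cycles.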
This makes sure that along a route to the destination the hop count always decreases. Thus there cannot be a cycle in the routing table. This is the property that was verified automatically. In the actual protocol, where links between nodes can go down, the age of the routes is tracked with a sequence number field. The ordering relation is more complex in that case. To simplify the system for the sake of discussion here the sequence numbers have been dropped. The simplified version is described in Figures 4 and 5. The atomic predicates in the verification condition are used as the initial set of predicates. The initial predicates are $B_1$: route_p[a][c], $B_2$: route[a][c] = b, $B_3$: route_p[b][c] and $B_4$: hops[a][c] > hops[b][c]. The abstract

    type
      cell_index_type : subrange(1..N)
      msg_index_type : subrange(1..infinity)
      msg_sort : enum of [INVALID, RREQ, RREP]
      msg_type : record of [type : msg_type; from, to, src, dst : cell_index_type; hops : integer];
    state
      route_p : array [N][N] of boolean
      route : array [N][N] of cell
      queue : array [infinity] of msg_type
      a, b, c : msg_index_type
    initialize
      msg queue := all messages have type INVALID
      route_p := all array elements are false

    /* Generate RREQ */
    rule (msg : msg_index_type; src, dst : cell_index_type;)
      queue[msg].type = INVALID ∧ ¬route_p[src][dst] ⇒
        queue[msg] := [# type = RREQ; src = src; dst = dst; from = src; hops = 0 #]

    /* Receive RREP */
    rule (in, out : msg_index_type;)
      queue[in].type = RREP ∧ queue[out].type = INVALID ⇒
        /* Add route to immediate neighbor */
        route_p[queue[in].to][queue[in].from] := true
        route[queue[in].to][queue[in].from] := queue[in].from
        hops[queue[in].to][queue[in].from] := 1
        /* Add route to RREP source if this is a better route */
        if hops[queue[in].to][queue[in].src] > queue[in].hops ∨ ¬route_p[queue[in].to][queue[in].src] then
          route_p[queue[in].to][queue[in].src] := true
          route[queue[in].to][queue[in].src] := queue[in].from
          hops[queue[in].to][queue[in].src] := queue[in].hops + 1
        end
        /* Forward RREP */
        if queue[in].to ≠
           queue[in].dst ∧ route_p[queue[in].to][queue[in].dst] then
          queue[out] := [# type = RREP; src = queue[in].src; dst = queue[in].dst; from = queue[in].to; to = route[queue[in].to][queue[in].dst]; hops = hops[queue[in].to][queue[in].src] #]
        end

Fig. 4. AODV protocol

    /* Receive RREQ */
    rule (in, out : msg_index_type;)
      queue[in].type = RREQ ∧ queue[out].type = INVALID ⇒
        /* Add route to immediate neighbor */
        route_p[queue[in].to][queue[in].from] := true
        route[queue[in].to][queue[in].from] := queue[in].from
        hops[queue[in].to][queue[in].from] := 1
        /* Add route to RREQ source if this is a better route */
        if hops[queue[in].to][queue[in].src] > queue[in].hops ∨ ¬route_p[queue[in].to][queue[in].src] then
          route_p[queue[in].to][queue[in].src] := true
          route[queue[in].to][queue[in].src] := queue[in].from
          hops[queue[in].to][queue[in].src] := queue[in].hops + 1
        end
        /* RREQ has reached final destination */
        if queue[in].dst = queue[in].to then
          queue[out] := [# type = RREP; src = queue[in].dst; dst = queue[in].src; from = queue[in].to; to = queue[in].from; hops = 0 #]
        /* The RREQ receiver has a route to final destination */
        elsif route_p[queue[in].to][queue[in].dst] then
          queue[out] := [# type = RREP; src = queue[in].dst; dst = queue[in].src; from = queue[in].to; to = queue[in].from; hops = hops[queue[in].to][queue[in].dst] #]
        /* Forward RREQ */
        else
          queue[out] := [# type = RREQ; src = queue[in].src; dst = queue[in].dst; from = queue[in].from; hops = queue[in].hops + 1 #]
        end

    property
      (route_p[a][c] ∧ route[a][c] = b) → (route_p[b][c] ∧ hops[a][c] > hops[b][c])

Fig. 5. AODV protocol (contd.)

system generates a counter-example of length one where $a$ receives a RREQ and adds a route to $c$ through $b$ while $b$ does not have a route to $c$. The predicate discovery algorithm deduces that this cannot happen since in the initial state there are no RREQs present. So the predicate $\exists x.\ \mathit{queue}[x].\mathit{type} = \mathit{RREQ}$ is added and the new abstraction is model checked again. Now a two step counter-example is generated. In the first step an arbitrary cell generates an RREQ.
In the next step $a$ receives an RREQ from $b$ originally requested by $c$ and sets its routing table entry for node $c$ to $b$. Since $b$ does not have a routing table entry to $c$ this violates the desired invariant. Again the predicate discovery algorithm deduces that such a message cannot exist. So the predicate $\exists x.\ (\mathit{queue}[x].\mathit{type} = \mathit{RREQ} \wedge \mathit{queue}[x].\mathit{from} = b \wedge \mathit{queue}[x].\mathit{src} = c \wedge \mathit{queue}[x].\mathit{to} = a)$ is discovered. Continuing in this manner, in the next iteration the predicate $\exists x.\ (\mathit{queue}[x].\mathit{type} = \mathit{RREQ} \wedge \mathit{queue}[x].\mathit{from} = b \wedge \mathit{queue}[x].\mathit{src} = c \wedge \mathit{queue}[x].\mathit{to} = a \wedge \mathit{hops}[b][c] > \mathit{queue}[x].\mathit{hops})$ is discovered. This is exactly the predicate that is required to prove the desired invariant. While verifying the actual protocol, similar predicates are discovered for the RREP branch of the protocol as well. The predicates needed to prove the actual protocol are different from the predicates listed here but are of the same flavor. The program requires thirteen predicate discovery cycles to find all the necessary predicates.

References

1. Aaron Stump, Clark W. Barrett, and David L. Dill. CVC: a cooperating validity checker. In Conference on Computer Aided Verification, Lecture Notes in Computer Science. Springer-Verlag, 2002.
2. R. Alur, A. Itai, R. P. Kurshan, and M. Yannakakis. Timing verification by successive approximation. Information and Computation 118(1), pages 142–157, 1995.
3. F. Balarin and A. L. Sangiovanni-Vincentelli. An iterative approach to language containment. In 5th International Conference on Computer-Aided Verification, pages 29–40. Springer-Verlag, 1993.
4. Thomas Ball and Sriram K. Rajamani. The SLAM project: debugging system software via static analysis. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 1–3. ACM Press, 2002.
5. Saddek Bensalem, Yassine Lakhnech, and Sam Owre. InVeSt: A tool for the verification of invariants. In 10th International Conference on Computer-Aided Verification, pages 505–510. Springer-Verlag, 1998.
6. Karthikeyan Bhargavan, Davor Obradović, and Carl A. Gunter. Formal verification of standards for distance vector routing protocols, August 1999. Presented in the Recent Research Session at Sigcomm 1999.
7. Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In Computer Aided Verification, pages 154–169. Springer-Verlag, 2000.
8. Michael A. Colón and Tomás E. Uribe. Generating finite-state abstractions of reactive systems using decision procedures. In Conference on Computer-Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 293–304. Springer-Verlag, 1998.
9. Satyaki Das and David L. Dill. Successive approximation of abstract transition relations. In Proceedings of the Sixteenth Annual IEEE Symposium on Logic in Computer Science, pages 51–60. IEEE Computer Society, June 2001, Boston, USA.
10. C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM Press, 2002.
11. Susanne Graf and Hassen Saïdi. Construction of abstract state graphs with PVS. In Orna Grumberg, editor, Conference on Computer Aided Verification, volume 1254 of Lecture Notes in Computer Science, pages 72–83. Springer-Verlag, June 1997, Haifa, Israel.
12. Yassine Lakhnech, Saddek Bensalem, Sergey Berezin, and Sam Owre. Incremental verification by abstraction. In T. Margaria and W. Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems: 7th International Conference, TACAS 2001, pages 98–112, Genova, Italy, 2001. Springer-Verlag.
13. D. Lessens and Hassen Saïdi. Automatic verification of parameterized networks of processes by abstraction. Electronic Notes in Theoretical Computer Science (ENTCS), 1997.
14. Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995.
15. Charles E. Perkins and Elizabeth M. Royer. Ad Hoc On-Demand Distance Vector (AODV) Routing. In Workshop on Mobile Computing Systems and Applications, pages 90–100. ACM Press, February 1999.
16. Charles E. Perkins, Elizabeth M. Royer, and Samir Das. Ad Hoc On-Demand Distance Vector (AODV) Routing. Available at http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-05.txt, 2000.
17. A. P. Sistla and S. M. German. Reasoning with many processes. In Symposium on Logic in Computer Science, Ithaca, pages 138–152. IEEE Computer Society, June 1987.
18. Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction. In Proceedings of the 29th ACM SIGPLAN-SIGACT Conference on Principles of Programming Languages. ACM Press, 2002.
19. A. Tiwari, H. Rueß, H. Saïdi, and N. Shankar. A technique for invariant generation. In Tiziana Margaria and Wang Yi, editors, TACAS 2001: Tools and Algorithms for the Construction and Analysis of Systems, volume 2031 of Lecture Notes in Computer Science, pages 113–127, Genova, Italy, April 2001. Springer-Verlag.


Publication date: 2002