Combining Theorem Proving and Model

s a f e t y : t h e o r e m p r o v e r f e e d b a c k Fig. 1. S heme of proving safety statements When a safe data abstra tion is obtained, veri ation of the model against a property an start. First, the abstra t data type and fun tion de nitions are inserted into the system spe i ation substituting the on rete de nitions of the original model. Next, the abstra t model together with the property to be veri ed are run through a veri er (Fig. 2). If the answer is positive, i.e., the property holds for the abstra t model, it holds for the on rete model as well and the veri ation of this property is ompleted. If not, the model he ker gives a tra e showing a property violation. Now, the designer should he k whether this tra e represents some real behaviour of the on rete system or whether it is Combining Theorem Proving and Model Che king | A Case Study 5 a behaviour that is added with the abstra tion. In the rst ase, the on lusion of an error in the model or in the property an be drawn; after orre ting it, the model he ker an be run again (with the same data abstra tion). In the se ond ase, the abstra tion should be re ned (also proving the safety statements for the new abstra tion) and the re ned model is then modelhe ked. C O N C R E T E M O D E L A B S T R A C T M O D E L a b s t r a c t i o n r e f i n e a d a p t v e r i f i e r a n a l y s e c o u n t e r e x a m p l e y e s Fig. 2. S heme of veri ation The main problem to be solved in order to bring the des ribed approa h into pra ti e is how to simplify the pro ess of proving safety statements while hiding from the user as many te hni al details as possible. We propose to adapt a theorem prover to the spe ial kind of proofs that one needs to provide for safety obligations. Indu tive theorem provers are very appropriate for this purpose. Indeed, data types and fun tions on data are naturally de ned using a re ursive style. Hen e, one needs indu tion in proofs dealing with them. In our experiments des ribed further, we used the automati indu tive theorem-prover INKA [14℄. 3 Abstra ting the Bounded Retransmission Proto ol To evaluate the pra ti al appli ability of our approa h we applied it to a ase study, whi h was the Philips' Bounded Retransmission Proto ol (BRP) [7℄. BRP is a variant of the Alternating-Bit Proto ol, where only a bounded number of retransmissions of pa kets is allowed and time-outs are used to dete t pa ket loss. 3.1 Spe i ation Language As mentioned above, we use the INKA input language to des ribe the spe i ation of on rete and abstra t data types and operations. Finitely generated 6 Dennis Dams, Dieter Hutter, and Natalia Sidorova data types are spe i ed by the de laration of their onstru tor fun tions. Spe ial instan es of this de nition prin iple are freely generated data types satisfying the unique fa torization property, i.e. there is a unique synta ti al representation ( onstru tor term) for ea h denoted obje t. For example, stru ture 0, s(p:nat):nat spe i es the set of natural numbers based on the onstru tor fun tions 0 and s together with its sele tor fun tion p. An enumeration data type is a freely generated data type with nite domain whi h gives rise to an impli it de nition of a well-founded ordering on its denoted obje ts: enum stru ture t, f:bool INKA provides also a de nition prin iple to spe ify fun tions in a onstru tive way. Ea h soalled algorithm is a set of onditional equations (equivalen es). The sum of two numbers an be spe i ed as follows. fun tion plus(x:nat, y:nat):nat = if x = 0 then y if x = s(p(x)) then s(plus(p(x), y)) The idea is that these sets should denote on uent and Noetherian rewrite systems in order to evaluate ea h ground term into a onstru tor ground term. Using the spe i ation of plus, for instan e, we are able to al ulate ea h individual sum of two onstru tor ground terms. However in order to guarantee this property in general, the \termination" of the spe i ed algorithms have to be proved whi h is done by using a generalizion of Walther's approa h [19℄. On e INKA proved an algorithm of f to be terminating, its re ursion ordering gives rise to a new indu tion s heme. Roughly speaking, ea h base ase of f forms a base ase of the indu tive formula while ea h re ursively de ned ase forms an indu tion step in whi h ea h re ursive all in the de nition gives rise to an indu tion hypothesis. For instan e, proving that plus terminates be ause of its rst argument, gives rise to the following indu tion s heme x = 0! (X) ^ 8x : nat (X = s(p(X))! ( (p(X))! (s(p(X))))) 8x : nat (X) (1) 3.2 Data Types and Operations in BRP In the on rete system, pa kets are lists of natural numbers. That means that the system is in nite. Therefore, in order to arrive at a nite veri ation model, a data abstra tion should be introdu ed. The operations on lists used in the model are removing the head of a list, appending an element to a list, de iding whether one list is a pre x of another one, et . De nitions of the data type and an example of a data operation in the on rete model are given below. (Note that both the data type and the operation are de ned re ursively.) Combining Theorem Proving and Model Che king | A Case Study 7 stru ture nil, ons( ar:nat, dr:list):list; fun tion t ons(p:nat, l:list):list = % t ons appends a natural p at the tail of list l. if l = nil then ons(p, nil) otherwise ons( ar(l), t ons(p, dr(l))); 3.3 Introdu ing a Data Abstra tion An essential property of the proto ol is the following: \If the sender is transmitting a list l (\the input list") and the rst element of l arrives at least on e at the re eiver, then the sequen e of elements that the re eiving lient gets (\the output list"), forms a pre x of l". It an be shown that this property holds if in a list of non-repeating naturals the following properties hold: 1. for any two values e1 and e2 on positions i and j resp. in the input list, with i < j, either e2 does not o ur in the output list, or e1 and e2 o ur in the output list on positions i0, j0 resp., with i0 < j0. 2. For any two values e1 and e2 on positions i0 and j0 resp. in the output list, with i0 < j0, e1 and e2 o ur on positions i and j resp. in the input list with i < j. That gives the following idea of an abstra tion to apply: one should distinguish two natural numbers p1; p2, whi h are abstra ted into e1, e2 respe tively, while all the other naturals are non-distinguishable and they are abstra ted into an abstra t element ne. Thus we de ne enum stru ture e1, e2, ne : anat; An arbitrary list of naturals is represented by its abstra ted head element, an abstra t representation of the whole list, where the last one is of the form epsl, e1l, e2l, e1e2l, e2e1l, error, and, furthermore, the information whether it is an empty or a one-element list. Here, error is an abstra tion for an \in orre t" list, i.e. a list with dupli ated elements (the assumption for the sender side is that only lists of non-repeating naturals are sent, but one need to assure that no repetition takes pla e at the re eiver side as well); epsl represents orre t lists where no e1 and no e2 o ur, e1l (e2l) is a representation of orre t lists where only e1 (e2 resp.) o urs; e1e2l, e2e1l represent lists where both e1 and e2 o ur, in the orresponding orders. The des ription of abstra t data types atail (abstra t representation of the list ontent) and alist (abstra t list) is as follows: enum stru ture epsl, e1l, e2l, e1e2l, e2e1l, error : atail; stru ture quad(is. ons:bool, is.one:bool, hd:anat, tl:atail) : alist; 8 Dennis Dams, Dieter Hutter, and Natalia Sidorova Given these de nitions of the data type abstra tions, we are now able to de ne the abstra tion fun tions a nat, mapping numbers to their abstra tions, and a list, mapping a on rete list to its abstra t representation, using auxiliary fun tions a ons and a tail. Note that not a re ursion but an intri ate ase analysis is used there ( ompare to the on rete ase). fun tion a_nat(a:nat) : anat = if a = p1 then e1 otherwise {if a = p2 then e2 otherwise ne} ; fun tion a_ ons(x:anat, y:atail) : atail = if x = ne then y if x = e1 and y = epsl then e1l if x = e1 and y = e2l then e1e2l if x = e2 and y = epsl then e2l if x = e2 and y = e1l then e2e1l otherwise error; fun tion a_tail(l:list) : atail = if l = nil then epsl otherwise a_ ons(a_nat( ar(l)), a_tail( dr(l))); fun tion onsP(l:list) : bool = if l = nil then t otherwise f; fun tion oneP(l:list) : bool = if l = nil then f otherwise {if dr(l) = nil then t otherwise f}; fun tion a_list(l:list) : alist = quad( onsP(l), oneP(l), a_nat( ar(l)), a_tail(l)); Let us return to the fun tion t ons whi h atta hes an element at the tail of a list. In the following we de ne its orresponding abstra t fun tion a t ons with the help of the auxiliary fun tions a t ons1 and aux. fun tion a_t ons1(e:anat, tl:atail):atail = if e = ne then tl if e = e1 and tl = epsl then e1l if e = e1 and tl = e2l then e2e1l if e = e2 and tl = epsl then e2l if e = e2 and tl = e1l then e1e2l otherwise error; fun tion aux(e: anat, l:alist):anat = if onsP(l) = ff then e otherwise hd(l); Combining Theorem Proving and Model Che king | A Case Study 9 fun tion a_t ons(e: aelem, l:alist):alist = quad(tt, not( onsP(l)), aux(e, l), a_t ons1(e, tl(l))); Now, with the on rete and abstra t data types and operations de ned, the task is to prove that the abstra tion is safe. The pro ess of proving is the subje t of the next se tion. 4 Proving the Safety of Abstra tions To prove the safety of an abstra tion we have to guarantee that for ea h fun tion f on in the on rete spa e there is an abstra t fun tion fabs whi h mimi s f on , i.e. (f on (X)) 2 fabs( (X)) (2) In our running example, we will prove that a t ons on abstra t lists mimi s t ons on on rete lists. In this ase the abstra tion is deterministi , i.e. a list maps on rete lists into abstra t lists whi h allows us to simplify and instantiate the ondition (2) toa list(t ons(n; l)) = a t ons(a nat(n); a list(l)): (3) In order to verify the ondition (3) we have to prove properties of lists whi h gives rise to indu tive proofs. Therefore we ta kled this and similar proof obligations using the indu tive theorem prover INKA. The abstra tion we used seems to be rather simple, and one ould say that no formal proof is needed here. However, on the other hand, ase analyses arising in the de nitions on the abstra t side are sometimes rather ompli ated. That leads to errors in fun tion de nitions. Proving safety with INKA, we dis overed several errors of that type. Nevertheless, the veri ation of BRP was not our prime goal. First of all, the intention was to nd out what kind of diÆ ulties one would have in using an indu tive theorem prover for safety proofs. The BRP example showed quite a lot of them. When starting our study, INKA was not able to prove most of the non-trivial examples ompletely automati ally | in most ases appropriate indu tion s hemes or ase analyses had to be provided by the user. Examining the failures of INKA, we improved various heuristi s with respe t to omputing indu tion s hemes and generalization whi h enable INKA now to prove most of the examples without any user intera tion. In this se tion we illustrate the improvements of INKA with the help of our running example. Although these improvements were triggered by the arising proof obligations, we like to emphasize that they do not in orporate spe i appli ation knowledge but are general heuristi s whi h are also useful in other domains and are now part of the general system. 10 Dennis Dams, Dieter Hutter, and Natalia Sidorova 4.1 Proof Sear h In INKA the proof sear h is organized in various phases. In a rst phase simpli ation rules are applied to the given problem. These rules are automati ally generated by the given de nitions of fun tions and predi ates and allow the system to unfold de nitions as long as the onditions of the individual ases are satis ed. Ta kling the proof obligation (3), INKA unfolds, for instan e, the (non-re ursive) de nitions of a list and a t ons whi h results in the following formula. a tail(t ons(n; l)) = a t ons(a nat(n); a tail(l)) (4) ^ a nat( ar(t ons(n; l))) = aux(a nat(n); quad( onsP(l); oneP(l); a nat( ar(l)); a tail(l))) ^ oneP(t ons(n; l)) = not( onsP(l)) ^ onsP(t ons(n; l)) = t In a next step INKA applies rst-order theorem proving te hniques in order to prove (4) without indu tion. As these heuristi s fail, INKA ba ktra ks to (4) and spe ulates about an appropriate indu tion s heme. The presen e of an indu tion rule onstitutes an in nite bran hing point as in prin iple we may have to spe ulate an arbitrary lemma whi h has to be proven by indu tion in order to push our proof forward. To over ome this problem, INKA sele ts the simpli ed problem (e.g. (4)) as su h a lemma and formulates an appropriate indu tion formula a ording to the re ursion orderings of the o urring fun tion symbols. In the original version of INKA, the re ursion orderings of t ons and a tail suggested the use of a stru tural indu tion to prove (4). However, INKA failed to prove the step ase. The failure was aused by the presen e of a fun tion all oneP(l). Sin e oneP is non-re ursively de ned, unfolding its de nition inside the indu tion on lusion of the step ase resulted in a failure to mat h the orresponding indu tion hypothesis. 4.2 Indu tion vs. Case Analysis To over ome su h situations we improved INKA's heuristi s to sele t appropriate indu tion s hemes by onsidering also pure ase analyses. While di erent o urren es of re ursively de ned fun tions suggest indu tion s hemes, now also o urren es of non-re ursively de ned fun tions suggest ase analyses. Thus analyzing a problem like (4), INKA obtains in general a set of di erent suggested indu tion s hemes and ase analyses. Based on this omputed set, a s heme has to be omputed in order either to formulate an indu tion formula or to perform a ase analysis. Heuristi s are used to assess the suggested s hemes a ording to the probability that their use will push the proof further. In ase of indu tion s hemes this is done by analyzing the abstra t proof of the indu tion step. To des ribe these heuristi s in more detail, let us rst illustrate how INKA tries to prove indu tion steps. INKA in orporates di eren e redu tion te hniques [16℄ generalizing the idea of rippling [4℄. Synta ti al di eren es between indu tion hypothesis and indu tion on lusion are used to guide Combining Theorem Proving and Model Che king | A Case Study 11 the manipulation of the formula. Highlighting di eren es by hat hing them, the problem of su h an indu tion step has the following form l = ons( ar(l); dr(l))! ( ( dr(l))! ( ons( ar(l); dr(l)))) (5) Inside the on lusion the non-hat hed parts, the soalled skeleton, are the ommon parts of hypothesis and on lusion while hat hed ones denote the di eren es or soalled wave-fronts of both. To enable the appli ation of the hypothesis we have to move (i.e. \ripple") these wave fronts outside until we obtain the following formula l = ons( ar(l); dr(l))! ( ( dr(l))! ( ( dr(l)))): (6) This is done by using spe i rewrite rules whi h allow us to monitor how the di eren es between hypothesis and on lusion will hange when applying su h a rule. Therefore the di eren es of leftand right-hand side of a rule are hat hed, like for instan e in t ons(X; ons(Y; Z )) = ons(Y; t ons(X;Z)) (7) Mat hing hat hed parts of the rewrite rule only with hat hed parts of the onlusion we an easily determine how the di eren es of on lusion and hypothesis will hange when applying this rule. In parti ular, we are interested at whi h positions | relative to the skeleton | wave-fronts o ur. We assume to make progress in the proof sear h if we su eed to move wave-fronts outside. Rippling allows for a hierar hi al proof planning if we abstra t from the on rete shape of wave fronts and onsider only their position relative to the skeleton ( f. [15, 17℄ for details). To prove an indu tion step we have to move the wave-fronts lo ated at the o urren es of the indu tion variables towards the top level of the on lusion1. If we abstra t from the on rete form of the di eren es and denote o urren es of di eren es only by a then we obtain the following \abstra t proof": (f1(: : : fn( (x) )))! (f1(: : : (fn(x)) ))! : : :! ( (f1(: : : fn(x)))) : (8) The abstra ted rewrite rules, used in this proof, have the following form fi( (x) ) = (fi(x)) (9) In order to determine the eÆ ien y of an indu tion s heme, INKA performs the proof of the orresponding indu tion steps on this abstra t level. The analysis of how wave fronts an be moved around within the on lusion reveals information about appropriate indu tion variables and thus, about appropriate ombinations of available indu tion s hemes. In our example, the re ursive de nitions of t ons 1 There are also other s hemes how to prove indu tion steps in the presen e of universally or existentially quanti ed, non-indu tion variables (see [15℄ for details) 12 Dennis Dams, Dieter Hutter, and Natalia Sidorova and a tail suggest possible (stru tural) indu tion s hemes on l. However, the abstra t proof of the orresponding indu tion step fails be ause there is no abstra t wave rule of the form oneP( (l) ) = (oneP(l)) inside the axiomatization. Analyzing the o urren es of the non-re ursively de ned fun tions oneP and onsP in (3) suggest ase analyses on l. The ase analysis of oneP subsumes the one of onsP, i.e. ea h ase of the de nition of oneP is overed by exa tly one ase of the de nition of onsP. Sin e these o urren es of oneP and onsP also blo k the rippling pro ess, INKA sele ts a ase analysis on oneP(l) instead of an indu tion on l. The rational behind this de ision is that after performing the ase analysis and simplifying the resulting formula, these symbol o urren es will disappear sin e the system is now able to unfold the de nitions of oneP and onsP. We obtain three ases onsidering l = nil, l = ons( ar(l); nil) and l = ons( ar(l); dr(l)) ^ dr(l) = ons( ar( dr(l)); dr( dr(l))). While the rst two ases an be easily proved without indu tion, indu tion is needed in order to prove the third ase. In general, INKA performs expli it ase analyses for various reasons: { to unblo k the rippling pro ess as des ribed in our example, { to remove o urren es (by unfolding their de nitions) of fun tions whi h are maximal with respe t to the de nition ordering (i.e. f is less than g if the algorithm of g relies on the algorithm of f), or { to identify di erent alls of the same fun tion by applying its (re ursive) de nition (e.g. when proving 8x; n :nat 8y :list x 2 y ! x 2 ons(n; y)). 4.3 Generalization As mentioned above, proving theorems by indu tion usually requires the spe ulation of intermediate lemmata. To guide this spe ulation, generalization te hniques (see e.g. [3℄ for an introdu tion) are used to reformulate (and simplify) problems before applying an indu tion s heme. Instead of proving a formula like 8x; y : S (x; f(y)) we may also prove a generalized formula like 8x : S 8z : S0 (x; z) by indu tion. INKA uses generalization te hniques, for instan e, to repla e sele tor terms like ar(l) or dr(l) by new variables provided the property l = ons( ar(l); dr(l)) an be derived from the given formula. Thus, a formula 8l :list ( ar(l); dr(l); l) is generalized to 8m :nat 8n :list (m;n; ons(m;n)). The reason for this heuristi s is that in this ase the resulting \generalized" formula is equivalent to the original one and we do not have to ba ktra k this generalization. This idea is formalized by a generalized notion of overing ( f. [10℄): A term t(X) of a sort S is overing wrt. S if 8y :S 9X :S t(X) = y holds in the given theory. Obviously, both ar(l) and dr(l) are overing wrt. nat and list respe tively. Now, given a formula whi h ontains overing terms t1(X); : : : ; tn(X) and no variables in X o ur elsewhere in , it is safe to generalize by repla ing ea h o urren e ti(X) by a orresponding fresh (8-quanti ed) variable zi. Applying Combining Theorem Proving and Model Che king | A Case Study 13 this te hnique to the simpli ed third ase of our problem results in the formula: a ons(a nat(i); a ons(a nat(j); a tail(t ons(n; k)))) (10) = a t ons1(a nat(n); a ons(a nat(i); a ons(a nat(j); a tail(k)))) To improve the behavior of INKA, we in orporated heuristi s to dete t overing terms of the form f(X) with f being a fun tion with nite range. Using these te hniques, INKA automati ally re ognizes that a term like a nat(i) is overing and an be safely generalized. As a onsequen e, formula (10) is generalized to2: a ons(x; a ons(y; a tail(t ons(n; k)))) = a t ons1(a nat(n); a ons(x; a ons(y; a tail(k)))) (11) Applying stru tural indu tion on k, suggested by the de nition of t ons, we obtain the following indu tion hypothesis a ons(X; a ons(Y; a tail(t ons(N; dr(k))))) = a t ons1(a nat(N); a ons(X; a ons(Y; a tail( dr(k))))) whi h orresponds to the orresponding indu tion on lusion a ons(x; a ons(y; a tail(t ons(n; ons( ar(k); dr(k)))))) = a t ons1(a nat(n); a ons(x; a ons(y; a tail( ons( ar(k); dr(k)))))): Rewriting this formula with the help of wave-rules from the de nition of a tail and t ons results in a ons(x; a ons(y; a ons(a nat( ar(k)); a tail(t ons(n; dr(k)))))) = a t ons1(a nat(n); a ons(x; a ons(y; a ons(a nat( ar(k)); a tail( dr(k)))))) whi h allows us to apply the indu tion hypothesis on its left-hand side using a substitution X y; Y a nat( ar(k)); N n. a ons(x; a t ons1(a nat(n); a ons(y; a ons(a nat( ar(k)); a tail( dr(k)))))) = a t ons1(a nat(n); a ons(x; a ons(y; a ons(a nat( ar(k)); a tail( dr(k)))))) Noti e however, that we an not apply the indu tion hypothesis on the righthand side of the on lusion be ause we were not able to ripple out its wave front a ons(x; : : :). This gives rise to the spe ulation of a lemma whi h will allow us to deal with this blo ked wave front. To formulate this lemma INKA generalizes the skeleton inside the blo ked wave front a ons(y; a ons(a nat( ar(k)); a tail( dr(k)))) to a fresh variable u. Sin e a nat(n) is overing and n does not o ur elsewhere after this generalization, also a nat(n) is repla ed by a new fresh variable v whi h nally results in the spe ulated lemma a ons(x; a t ons1(v; u)) = a t ons1(v; a ons(x; u)): (12) This lemma is easily proven by INKA using a ase analysis suggested by a ons and a t ons1. 2 Noti e, that although a nat(k) is overing, its generalization is impossible be ause k o urs also inside t ons(k; z). 14 Dennis Dams, Dieter Hutter, and Natalia Sidorova 4.4 Nested Indu tion and Case Analysis The approa h we sket hed above allows for an arbitrary nesting of appli ations of indu tion or ase analysis. In order to prove our example, INKA started with a ase analysis, then applied indu tion in these ases and nally formulated a lemma in the step ase whi h was proven with the help of a ase analysis. Obviously we need some tie-breaking rules to avoid in nite looping if INKA is not able to prove all arising subproblems. Therefore we use the (partial) de nition ordering < on fun tion symbols mentioned above. INKA uses an extension of the orresponding multi-set ordering of < to ompare two arbitrary formulas. A nested indu tion is only allowed if the formula under onsideration is less than the formula ausing the previous appli ation of the indu tion rule. Summing up, the ase study on verifying abstra tions revealed that most of the problems are aused by the fa t that these proofs require a sophisti ated nesting of indu tion and ase analysis. While indu tion is needed to reason about re ursively de ned fun tions, ase analyses are used to unfold the de nition of non-re ursive fun tions. With the help of the improved heuristi s, INKA is able to prove our example and other similar problems without any user intera tion and without any lemmata spe ulated by the user. The overall time ne essary to verify our running example was about 10 se onds on an Intel ma hine (PII, 266Mhz). 5 Con lusions and Future Work We have presented a ase study demonstrating the use of the indu tive theorem prover INKA in order to verify the orre tness of data abstra tions. Su h abstra tions arise in the pra ti e of model he king, when building a veri ation model of a system that is too large to be dire tly submitted to the he ker. While model he kers are typi ally su essful in handling omplexity related to ontrol and intera tion, data types need to be repla ed by abstra t versions in order to avoid the state explosion. This abstra tion step is usually an informal a tivity. Pra ti al experien e however has shown that it is error-prone, although (or maybe: be ause) in many ases it is simple. In the methodology that we advo ate, the justi ation of data abstra tions is subje ted to the s rutiny of formal methods. In order to he k the safety of a parti ular data abstra tion, the on rete data type, its abstra ted version, and the safety statement are spe i ed in the INKA input format, and INKA's indu tive powers are then invoked to try and dismiss the proof obligation and any generated sublemmata. This way, the spe i ation of abstra tions appears as a programming a tivity, and the re nement of abstra tions in ase they are too oarse is a matter of debugging. We see this as a methodologi al advantage whi h ould endorse the integration of this approa h into model he kers. Data abstra tions as used in he king the Bounded Retransmission Proto ol have been veri ed this way. Our initial experiments required manual intera tion, but also indi ated at whi h points INKA's strategies fell short. In parti ular, the Combining Theorem Proving and Model Che king | A Case Study 15 alternation of ase distin tion and indu tion was problemati | not only in the ase of the BRP but for safety proofs of data abstra tions more generally, we believe. Consequently, INKA was equipped with a number of improved heuristi s designed spe i ally to deal with su h situations. As a result, all safety proofs went through automati ally. Currently, we are applying the same strategy to prove safety of data-abstra tions for di erent examples, and initial results show that the tuned version of INKA also performs well for those. Data types and abstra tions that are typi al for ertain lasses of systems (like queues and \order-preservation" abstra tions, as used in this paper, for ommuni ation proto ols), on e proven orre t, may be stored so as to develop libraries of reusable abstra tions. The spe i ations of our ase study are available on http://www.i s.ele.tue.nl/~dennis/SafetyProving/. A knowledgments Several dis ussions with Kai Baukus, Leszek Holenderski, Mi hael Siegel, Karsten Stahl, and Martin Ste en have helped us in the early stages of this work. Referen es 1. The Bandera proje t. See http://www. is.ksu.edu/santos/bandera/. 2. S. Bensalem, Y Lakhne h and S. Owre, InVeSt : A Tool for the Veri ation of Invariants, In Conferen e on Computer Aided Veri ation CAV'98, LNCS 1427, Springer Verlag, 1998. 3. R.S. Boyer, J S. Moore, A Computational Logi , A ademi Press, New York, 1979 4. A. Bundy, A. Stevens, F. van Harmelen, A. Ireland, and A. Smaill, Rippling: a heuristi for guiding indu tive proofs, Arti ial Intelligen e, North Holland, 62:185{ 253, 1993. 5. P. Cousot, R. Cousot, Abstra t Interpretaion: A Uni ed Latti e Model for Stati Analysis of Programs by Constru tion or Approximation of Fixpoints, In 4th POPL, Los Angeles, CA, ACM, January 1977. 6. D. Dams, Abstra t Interpretation and Partition Re nement for Model Che king, PhD Thesis, Eindhoven University of Te hnology, 1996. 7. D. Dams, R. Gerth, The Bounded Retransmission Proto ol Revisited (extended abstra t), In Faron Moller, editor, Se ond International Workshop on Veri ation of In nite State Systems (In nity'97), volume 9 of Ele troni Notes in Theoreti al Computer S ien e. Elsevier S ien e Publishers B.V. (North-Holland), 1997. 8. S. Graf, Veri ation of a Distributed Ca he Memory by Using Abstra tions, In Workshop on Computer-Aided Veri ation, CAV'94, Stanford, Springer Verlag, LNCS 818, 1994. 9. S. Graf, H. Saidi, Constru tion of abstra t state graphs with PVS, In Conferen e on Computer Aided Veri ation CAV'97, Springer Verlag, LNCS 1254, 1997. 10. B. Gramli h, Uni om: a re ned ompletion based indu tive theorem prover., In M. Sti kl (ed.), 10th Int. Conf. on Automated Dedu tion (CADE 90), Springer Verlag, LNAI 449, 1990. 11. G. J. Holzmann, Design and Validation of Communi ation Proto ols, Prenti e Hall, 1991. Also: http://netlib.bell-labs. om/netlib/spin/whatispin.html 16 Dennis Dams, Dieter Hutter, and Natalia Sidorova 12. G. J. Holzmann,Designing Exe utable Abstra tions. Keynote address, Pro . Formal Methods in Software Pra ti e, Mar h 1998. 13. G. J. Holzmann, M. H. Smith Software Model Che king Extra ting Veri ation Models from Sour e Code, In Formal Methods for Proto ol Engineering and Distributed Systems, Kluwer A ademi Publ., O tober 1999. 14. D. Hutter, C. Sengler, INKA The Next Generation, In M. M Robbie J. Slaney (ed), 13th International Conferen e on Automated Dedu tion (CADE 96), Springer Verlag, LNAI 1104, 1996. 15. D. Hutter, Synthesizing Indu tion Orderings for Existen e Proofs, In A. Bundy (ed), 12th International Conferen e on Automated Dedu tion (CADE 94), Springer Verlag, LNAI 814, 1994 16. D. Hutter, Coloring terms to ontrol equational reasoning, In Journal of Automated Reasoning, Vol. 18, pp. 399-442, 1997. 17. D. Hutter, Annotated Reasoning, to appear in: Annals of Mathemati s and Artiial Intelligen e (AMAI). Spe ial issue on Strategies in Automated Dedu tion, 2000 18. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, S. Bensalem, Property Preserving Abstra tions for the Veri ation of Con urrent Systems, In Formal Methods in System Design, Kluwer A ademi Publ., 6, 1-36, 1995. 19. C. Walther: On Proving the Termination of Algorithms by Ma hine. Arti ial Intelligen e, 71(1):101-157, 1994.