Return-Path: Delivery-Date: Received: from leopard.cs.byu.edu (no rfc931) by swan.cl.cam.ac.uk with SMTP (PP-6.5) outside ac.uk; Wed, 29 Nov 1995 00:24:19 +0000 Received: by leopard.cs.byu.edu (1.37.109.15/16.2) id AA246032453; Tue, 28 Nov 1995 16:47:33 -0700 Sender: info-hol-request@lal.cs.byu.edu Errors-To: info-hol-request@lal.cs.byu.edu Precedence: list Received: from bunsen.cs.byu.edu by leopard.cs.byu.edu with ESMTP (1.37.109.15/16.2) id AA246002452; Tue, 28 Nov 1995 16:47:32 -0700 Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7]) by bunsen.cs.byu.edu (8.6.9/8.6.9) with ESMTP id QAA02843 for ; Tue, 28 Nov 1995 16:45:39 -0700 Received: from fujitsu1.fujitsu.com (fujitsu1.fujitsu.com [133.164.254.1]) by mail.barrnet.net (8.7.1/MAIL-RELAY-LEN) with SMTP id PAA11290 for ; Tue, 28 Nov 1995 15:47:23 -0800 (PST) Received: from fla.fujitsu.com (cad) by fujitsu1.fujitsu.com (4.1/SMI-4.1) id AA07493; Tue, 28 Nov 95 15:49:02 PST Received: from iq.fla.fujitsu.com by fla.fujitsu.com (4.1/SMI-4.1) id AA23134; Tue, 28 Nov 95 15:47:28 PST Date: Tue, 28 Nov 95 15:47:28 PST From: ctchou@fla.fujitsu.com (Ching-Tsun Chou \(Post_Doctorate\)) Message-Id: <9511282347.AA23134@fla.fujitsu.com> Received: by iq.fla.fujitsu.com (4.1/SMI-4.1) id AA13237; Tue, 28 Nov 95 15:46:27 PST To: info-hol@cs.byu.edu Subject: Paper available The following paper is available via anonymous ftp. Your comments will be appreciated! Best regards, - Ching Tsun URL: ftp://ftp.cs.ucla.edu/pub/chou/por.ps TITLE: Formal Verification of a Partial-Order Reduction Technique for Model-Checking AUTHORS: Ching-Tsun Chou & Doron Peled ABSTRACT: {\em Mechanical theorem proving\/} and {\em model checking\/} are the two main methods of formal verification, each with its own strengths and weaknesses. Mechanical theorem proving is completely general, but requires intensive human guidance. Model checking is automatic, but is applicable to only certain types of problems. Clearly, these two methods should be combined so that their strengths and weaknesses complement each other. Prior research in this direction has focused on how to decompose a verification problem into parts each of which is manageable by one of the two methods. In this paper we explore another possibility: we use mechanical theorem proving to formally verify a {\em metatheory\/} of model checking. As a case study, we use the mechanical theorem prover HOL to verify the correctness of a {\em partial-order reduction\/} technique for cutting down the amount of state search performed by model checkers. We choose this example for two reasons. First, this reduction technique has been implemented in the protocol analysis tool SPIN to significantly speed up the analysis of many practical protocols, hence its correctness has important practical consequences. Second, the correctness arguments involved use nontrivial mathematics about sequences, relations, Mazurkiewicz traces, deterministic transition systems, and their interactions, whose formal versions we hope will become the basis of a formal metatheory of many model checking algorithms and techniques. Our formalization led to a nontrivial generalization of the original informal theory. We also discuss the lessons, both encouraging and discouraging, learned from this exercise.