Finite countermodels for safety verification of parameterized tree systems

In this paper we deal with verification of safety properties of parameterized systems with a tree topology. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which further r…

Authors: Alexei Lisitsa

Alexei Lisitsa, Department of Computer Science, University of Liverpool, a.lisitsa@liverpool.ac.uk

Abstract. In this paper we deal with verification of safety properties of parameterized systems with a tree topology. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which is further resolved by a generic finite model finding procedure. The finite countermodel method is shown to be at least as powerful as regular tree model checking and as the methods based on monotonic abstraction and backwards symbolic reachability. The practical efficiency of the method is illustrated on a set of examples taken from the literature.

1 Finite Countermodel Method

The development of general automated methods for the verification of infinite-state and parameterized systems poses a major challenge. In general, such problems are undecidable, so one cannot hope for the ultimate solution and the development should focus on restricted classes of systems and properties.

In this paper we deal with a very general method for verification of safety properties of infinite-state systems which is based on a simple idea. If an evolution of a computational system is faithfully modeled by a derivation in classical first-order logic, then safety verification (non-reachability of unsafe states) can be reduced to disproving a first-order formula. The latter task can be (partially, at least) tackled by generic automated procedures searching for finite countermodels.

Such an approach to verification originated in research on formal verification of security protocols ([23,22,9,11,10]) and has later been extended to wider classes of infinite-state and parameterized verification tasks.
Completeness of the approach for particular classes of systems (lossy channel systems) and relative completeness with respect to the general method of regular model checking have been established in [17] and [18] respectively. The method has also been applied to the verification of safety properties of general term rewriting systems, and its relative completeness with respect to the tree completion techniques has been shown in [19].

In this paper we continue the investigation of the applicability of the method and show its power in the context of verification of safety properties of parameterized tree-like systems. We show the relative completeness of FCM methods with respect to regular tree model checking [3] and with respect to the methods based on monotonic abstraction and symbolic backwards reachability analysis [5].

1.1 Preliminaries

We assume that the reader is familiar with the basics of first-order logic. In particular, we use without definitions the following concepts: first-order predicate logic, first-order models, interpretations of relational, functional and constant symbols, satisfaction $M \models \varphi$ of a formula $\varphi$ in a model $M$, semantical consequence $\varphi \models \psi$, deducibility (derivability) $\vdash$ in first-order logic. We denote interpretations by square brackets, so, for example, $[f]$ denotes an interpretation of a functional symbol $f$ in a model. We also use the existence of complete finite model finding procedures for first-order predicate logic [7,20], which, given a first-order sentence $\varphi$, eventually produce a finite model for $\varphi$ if such a model exists.

2 Regular Tree Model Checking

Regular Tree Model Checking (RTMC) is a general method for the verification of parameterized systems that have a tree topology [3,6]. The definitions of this section are largely borrowed from [3].
2.1 Trees

A ranked alphabet is a pair $(\Sigma, \rho)$, where $\Sigma$ is a finite set of symbols and $\rho : \Sigma \to \mathit{Nat}$ is an arity mapping. Let $\Sigma_p$ denote the set of symbols in $\Sigma$ of arity $p$. Intuitively, each node of a tree is labeled with a symbol from $\Sigma$ and the out-degree of the node is the same as the arity of the symbol.

Definition 1. A tree $T$ over a ranked alphabet $(\Sigma, \rho)$ is a pair $(S, \lambda)$, where
– $S$, called tree structure, is a finite set of finite sequences over $\mathit{Nat}$. Each sequence $n$ in $S$ is called a node of $T$. $S$ is a prefix-closed set, that is, if $S$ contains a node $n = b_1 b_2 \ldots b_k$, then $S$ also contains the node $n' = b_1 b_2 \ldots b_{k-1}$ and the nodes $n_r = b_1 b_2 \ldots b_{k-1} r$ for $r : 0 \le r < b_k$. We say that $n'$ is a parent of $n$, and that $n$ is a child of $n'$. A leaf of $T$ is a node $n$ which does not have any child.
– $\lambda$ is a mapping from $S$ to $\Sigma$ such that the number of children of $n$ is equal to $\rho(\lambda(n))$. In particular, if $n$ is a leaf then $\lambda(n) \in \Sigma_0$.

We use $T(\Sigma)$ to denote the set of all trees over $\Sigma$. We write $n \in T$ when $n \in S$, and $f \in T$ denotes that $\lambda(n) = f$ for some $n \in T$. For a tree $T = (S, \lambda)$ and a node $n \in T$, a subtree of $T$ rooted at $n$ is a tree $T' = (S', \lambda_n)$, where $S' \subseteq \{ b \mid nb \in S \}$ and $\lambda_n(b) = \lambda(nb)$. Notice that according to this definition a subtree of a tree $T$ does not necessarily consist of all descendants of some node in $T$.

For a ranked alphabet $\Sigma$ let $\Sigma^\bullet(m)$ be the ranked alphabet which contains all tuples $(f_1, \ldots, f_m)$ such that $m \ge 1$ and $f_1, \ldots, f_m \in \Sigma_p$ for some $p$. We put $\rho((f_1, \ldots, f_m)) = \rho(f_1)$.

For trees $T_1 = (S_1, \lambda_1)$ and $T_2 = (S_2, \lambda_2)$ we say that $T_1$ and $T_2$ are structurally equivalent if $S_1 = S_2$. Let $T_1 = (S, \lambda_1), \ldots, T_m = (S, \lambda_m)$ be structurally equivalent trees. Then $T_1 \times \ldots \times T_m$ denotes the tree $T = (S, \lambda)$ where $\lambda(n) = (\lambda_1(n), \ldots, \lambda_m(n))$.

2.2 Tree Automata and Transducers

A tree language is a set of trees.

Definition 2. A tree automaton over a ranked alphabet $\Sigma$ is a triple $A = (Q, F, \delta)$, where $Q$ is a finite set of states, $F \subseteq Q$ is a set of final states, and $\delta$ is a transition relation, represented by a finite set of rules of the form $(q_1, \ldots, q_p) \to_f q$, where $f \in \Sigma_p$ and $q_1, \ldots, q_p, q \in Q$.

A run $r$ of $A$ on a tree $T = (S, \lambda) \in T(\Sigma)$ is a mapping from $S$ to $Q$ such that for each node $n \in T$ with children $n_1, \ldots, n_k$: $(r(n_1), \ldots, r(n_k)) \to_{\lambda(n)} r(n) \in \delta$. For a state $q \in Q$ we denote by $T \Rightarrow^r_A q$ that $r$ is a run of $A$ on $T$ such that $r(\epsilon) = q$. We say that $A$ accepts $T$ if $T \Rightarrow^r_A q$ for some run $r$ and some $q \in F$. The language of trees accepted by an automaton $A$ is defined as $L(A) = \{ T \mid T \text{ is accepted by } A \}$. A tree language $L$ is called regular iff there is a tree automaton $A$ such that $L = L(A)$.

A tree automaton over an alphabet $\Sigma^\bullet(2)$ is called a tree transducer. Let $D$ be a tree transducer over an alphabet $\Sigma^\bullet(2)$. The one-step transition relation $R_D \subseteq T(\Sigma) \times T(\Sigma)$ is defined as $R_D = \{ (T, T') \mid T \times T' \text{ is accepted by } D \}$. The reflexive and transitive closure of $R_D$ is denoted by $R^*_D$. We use $\circ$ to denote the composition of two binary relations, defined in the standard way. Let $R^i$ denote the $i$-th power of $R$, i.e. $i$ compositions of $R$. Then we have $R^* = \bigcup_{i \ge 0} R^i$. For any $L \subseteq T(\Sigma)$ and $R \subseteq T(\Sigma) \times T(\Sigma)$ we denote by $L \star R$ the set $\{ y \mid \exists x\, (x, y) \in (L \times T(\Sigma)) \cap R \}$.

Regular Tree Model Checking deals with the following basic verification task.

Problem 1. Given two tree automata $A_I$ and $A_U$ over an alphabet $\Sigma$ and a tree transducer $D$ over $\Sigma^\bullet(2)$. Does $(L(A_I) \star R^*_D) \cap L(A_U) = \emptyset$ hold?
In a verification scenario, trees over $\Sigma$ denote states of the system to be verified; the tree automata $A_I$ and $A_U$ define the sets of trees representing initial, respectively unsafe, states. The tree transducer $D$ defines the transitions of the system. Under such assumptions, a positive answer to an instance of Problem 1 means that the safety property is established, namely, none of the unsafe states is reachable along the system transitions from any of the initial states.

The verification in RTMC proceeds by producing a tree transducer $TR$ approximating $R^*_D$ from above, that is $R^*_D \subseteq L(TR)$, and showing the emptiness of the set $(L(A_I) \star L(TR)) \cap L(A_U)$.

3 From RTMC to FCM

In this section we show that the generic regular tree model checking question posed in Problem 1 can be reduced to a purely logical problem of finding a finite countermodel for a first-order logic formula, which can then be resolved by application of a generic model finding procedure. We also show the relative completeness of the finite countermodel method with respect to RTMC.

Assume we are given an instance of the basic verification problem (over a ranked alphabet $\Sigma$), that is
– a tree automaton $A_I = (Q_I, F_I, \delta_I)$ accepting a regular set of initial states;
– a tree automaton $A_U = (Q_U, F_U, \delta_U)$ accepting a regular set of unsafe states;
– a tree transducer $D = (Q_D, F_D, \delta_D)$ representing the one-step transition relation $R_D$.

Now define a set of formulae of first-order predicate logic as follows.
The vocabulary consists of
– constants for all elements of $Q_I \sqcup Q_U \sqcup Q_D \sqcup \Sigma_0$;
– unary predicate symbols $\mathit{Init}^{(1)}$, $\mathit{Unsafe}^{(1)}$;
– binary predicate symbols $\mathit{Init}^{(2)}$, $\mathit{Unsafe}^{(2)}$, $R$;
– a ternary predicate symbol $T$;
– a $p$-ary functional symbol $f_\theta$ for every $\theta \in \Sigma_p$.

Given any tree $\tau$ from $T(\Sigma)$ define its term translation $t_\tau$ by induction:
– $t_\tau = c$ for a tree $\tau$ with one node labeled by $c \in \Sigma_0$;
– $t_\tau = f_\theta(t_{\tau_1}, \ldots, t_{\tau_p})$ for a tree $\tau$ with the root labeled by $\theta \in \Sigma_p$ and children $\tau_1, \ldots, \tau_p$.

Let $\Phi$ be the set of the following formulae, which are all assumed to be universally closed:
1. $\mathit{Init}^{(2)}(a, q)$ for every $a \in \Sigma_0$, $q \in Q_I$ and $\to_a q$ in $\delta_I$;
2. $\mathit{Init}^{(2)}(x_1, q_1) \wedge \ldots \wedge \mathit{Init}^{(2)}(x_p, q_p) \to \mathit{Init}^{(2)}(f_\theta(x_1, \ldots, x_p), q)$ for every $(q_1, \ldots, q_p) \to_\theta q$ in $\delta_I$;
3. $\bigvee_{q \in F_I} \mathit{Init}^{(2)}(x, q) \to \mathit{Init}^{(1)}(x)$;
4. $\mathit{Unsafe}^{(2)}(a, q)$ for every $a \in \Sigma_0$, $q \in Q_U$ and $\to_a q$ in $\delta_U$;
5. $\mathit{Unsafe}^{(2)}(x_1, q_1) \wedge \ldots \wedge \mathit{Unsafe}^{(2)}(x_p, q_p) \to \mathit{Unsafe}^{(2)}(f_\theta(x_1, \ldots, x_p), q)$ for every $(q_1, \ldots, q_p) \to_\theta q$ in $\delta_U$;
6. $\bigvee_{q \in F_U} \mathit{Unsafe}^{(2)}(x, q) \to \mathit{Unsafe}^{(1)}(x)$;
7. $T(a, b, q)$ for every $\to_{(a,b)} q$ in $\delta_D$;
8. $T(x_1, y_1, q_1) \wedge \ldots \wedge T(x_p, y_p, q_p) \to T(f_{\theta_1}(x_1, \ldots, x_p), f_{\theta_2}(y_1, \ldots, y_p), q)$ for every $(q_1, \ldots, q_p) \to_{(\theta_1, \theta_2)} q$ in $\delta_D$;
9. $\bigvee_{q \in F_D} T(x, y, q) \to R(x, y)$;
10. $R(x, x)$;
11. $R(x, y) \wedge R(y, z) \to R(x, z)$.

Proposition 1 (adequacy of Init and Unsafe translations). If $\tau \in L(A_I)$ then $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$. If $\tau \in L(A_U)$ then $\Phi \vdash \mathit{Unsafe}^{(1)}(t_\tau)$.

Proof. We prove only the first statement; the second one is dealt with in the same way.

Lemma 1. For any tree $\tau$ and any run $r$, if $\tau \Rightarrow^r_{A_I} q$ then $\Phi \vdash \mathit{Init}^{(2)}(t_\tau, q)$.

Proof of Lemma. By induction on the depth of the trees.
– Induction Base Case.
Assume $\tau$ has depth 0, that is, it consists of one vertex labeled by some $a \in \Sigma_0$. Let $r$ be a run such that $\tau \Rightarrow^r_{A_I} q$. It follows (by the definition of a run) that $\to_a q \in \delta_I$, and then $\mathit{Init}^{(2)}(a, q)$ is in $\Phi$ (by clause 1 of the definition of $\Phi$) and therefore $\Phi \vdash \mathit{Init}^{(2)}(a, q)$. Finally, notice that the term translation $t_\tau$ of $\tau$ is $a$.
– Induction Step Case. Assume $\tau$ has a root labeled by $\theta \in \Sigma_p$ and $\tau_1, \ldots, \tau_p$ are the children of the root. For a run $r$ on $\tau$, assume $\tau \Rightarrow^r_{A_I} q$ and $\tau_1 \Rightarrow^r_{A_I} q_1, \ldots, \tau_p \Rightarrow^r_{A_I} q_p$. By the definition of a run we have $(q_1, \ldots, q_p) \to_\theta q$ in $\delta_I$. By the induction assumption we have $\Phi \vdash \mathit{Init}^{(2)}(t_{\tau_1}, q_1), \ldots, \Phi \vdash \mathit{Init}^{(2)}(t_{\tau_p}, q_p)$. By using clause 2 of the definition of $\Phi$ we get $\Phi \vdash \mathit{Init}^{(2)}(f_\theta(t_{\tau_1}, \ldots, t_{\tau_p}), q)$, that is, $\Phi \vdash \mathit{Init}^{(2)}(t_\tau, q)$. ✷

Returning to the proof of the proposition, we notice that if $\tau \in L(A_I)$ then there is a run $r$ such that $\tau \Rightarrow^r_{A_I} q$ for some $q \in F_I$. By Lemma 1, $\Phi \vdash \bigvee_{q \in F_I} \mathit{Init}^{(2)}(t_\tau, q)$. By using clause 3 of the definition of $\Phi$ we then get $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$.

Proposition 2 (adequacy of encoding). If $\tau \in L(A_I) \star R^*_D$ then $\Phi \vdash \exists x\, (\mathit{Init}^{(1)}(x) \wedge R(x, t_\tau))$.

Proof. Easy induction on the length of transition sequences.
– Induction Base Case. Let $\tau \in L(A_I) \subseteq L(A_I) \star R^*_D$. Then $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$ (by Proposition 1) and, further, $\Phi \vdash \exists x\, (\mathit{Init}^{(1)}(x) \wedge R(x, t_\tau))$ (using clause 10).
– Induction Step Case. Let $\tau \in L(A_I) \star R^{n+1}_D$. Then there exists $\tau'$ such that $\tau' \in L(A_I) \star R^n_D$ and $R_D(\tau', \tau)$ holds. Further, by an argument analogous to the proof of Proposition 1, $R_D(\tau', \tau)$ entails $\Phi \vdash \bigvee_{q \in F_D} T(t_{\tau'}, t_\tau, q)$ and further $\Phi \vdash R(t_{\tau'}, t_\tau)$ (using clause 9). From this, clause 11 and the induction assumption, $\Phi \vdash \exists x\, (\mathit{Init}^{(1)}(x) \wedge R(x, t_\tau))$ follows.
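The bottom-up run and the transducer relation $R_D$ of Section 2.2, together with clauses 1–11 of $\Phi$ above, as an added Python example (this is not code from the paper; it uses the Two-way Token automata $A_I$, $A_U$ and $D$ of Section 4 as data and emits $\Phi$ in Mace4 syntax, with the variable names and the one-implication-per-final-state rendering of the disjunctive clauses chosen here):

```python
from itertools import product

# Trees over a ranked alphabet are nested tuples ('sym', child_1, ..., child_p);
# a leaf is ('sym',).  A tree automaton (Q, F, delta) is kept as (rules, final)
# with rules = {(f, (q_1, ..., q_p)): {q, ...}} for each rule (q_1..q_p) ->_f q;
# a tree transducer is the same structure over paired symbols (f, g).

def states_at_root(rules, tree):
    """All q with tree ==>_A q, by a bottom-up (nondeterministic) run."""
    sym, *kids = tree
    result = set()
    for combo in product(*(states_at_root(rules, k) for k in kids)):
        result |= rules.get((sym, combo), set())
    return result

def accepts(automaton, tree):
    rules, final = automaton
    return bool(states_at_root(rules, tree) & final)

def product_tree(t1, t2):
    """T1 x T2 of Section 2.1; the trees must be structurally equivalent."""
    if len(t1) != len(t2):
        raise ValueError("trees are not structurally equivalent")
    return ((t1[0], t2[0]),) + tuple(product_tree(a, b) for a, b in zip(t1[1:], t2[1:]))

def one_step(transducer, t1, t2):
    """(t1, t2) is in R_D iff the transducer D accepts t1 x t2."""
    try:
        return accepts(transducer, product_tree(t1, t2))
    except ValueError:
        return False

def make_rules(triples):
    rules = {}
    for lhs, sym, q in triples:
        rules.setdefault((sym, tuple(lhs)), set()).add(q)
    return rules

# Two-way Token protocol: the automata of Section 4 of the paper.
# A_I accepts trees with exactly one token (q0: no token below, q1: one below).
A_I = (make_rules([([], 'n', 'q0'), ([], 't', 'q1'),
                   (['q0', 'q0'], 'T', 'q1'), (['q0', 'q0'], 'N', 'q0'),
                   (['q0', 'q1'], 'N', 'q1'), (['q1', 'q0'], 'N', 'q1')]), {'q1'})
# A_U accepts trees with at least two tokens.  The 20 rules of delta_U count
# tokens (q0, q1, q2 = zero, one, two or more), so they are generated from
# that reading here rather than typed out one by one.
A_U = (make_rules([([], 'n', 'q0'), ([], 't', 'q1')] +
                  [([f'q{i}', f'q{j}'], sym, f'q{min(i + j + tok, 2)}')
                   for i in range(3) for j in range(3)
                   for sym, tok in (('N', 0), ('T', 1))]), {'q2'})
# D relates a configuration to its successor; each label pairs a node's
# symbol before and after the step (q1: token lost, q3: token gained).
D = (make_rules([([], ('n', 'n'), 'q0'), ([], ('t', 'n'), 'q1'), ([], ('n', 't'), 'q3'),
                 (['q0', 'q0'], ('N', 'N'), 'q0'), (['q0', 'q2'], ('N', 'N'), 'q2'),
                 (['q2', 'q0'], ('N', 'N'), 'q2'), (['q0', 'q0'], ('T', 'N'), 'q1'),
                 (['q3', 'q0'], ('T', 'N'), 'q2'), (['q0', 'q3'], ('T', 'N'), 'q2'),
                 (['q0', 'q1'], ('N', 'T'), 'q2'), (['q1', 'q0'], ('N', 'T'), 'q2'),
                 (['q0', 'q0'], ('N', 'T'), 'q3')]), {'q2'})

def mace4_clauses(a_init, a_unsafe, transducer):
    """The set Phi of Section 3 (clauses 1-11) in the Mace4 syntax of Section 4.
    A disjunctive clause 'OR_q Init(x,q) -> Init1(x)' is written as one
    implication per final state q, which is logically equivalent."""
    out = []
    def variables(prefix, n):
        return [f'{prefix}{i}' for i in range(n)]
    def automaton(pred, rules, final):
        for (sym, lhs), states in rules.items():
            for q in states:
                if not lhs:                                  # clauses 1 / 4
                    out.append(f'{pred}({sym},{q}).')
                else:                                        # clauses 2 / 5
                    xs = variables('x', len(lhs))
                    body = ' & '.join(f'{pred}({x},{s})' for x, s in zip(xs, lhs))
                    out.append(f"{body} -> {pred}(f{sym}({','.join(xs)}),{q}).")
        for q in sorted(final):                              # clauses 3 / 6
            out.append(f'{pred}(x,{q}) -> {pred}1(x).')
    def transitions(rules, final):
        for ((s1, s2), lhs), states in rules.items():
            for q in states:
                if not lhs:                                  # clause 7
                    out.append(f'T({s1},{s2},{q}).')
                else:                                        # clause 8
                    xs, ys = variables('x', len(lhs)), variables('y', len(lhs))
                    body = ' & '.join(f'T({x},{y},{s})' for x, y, s in zip(xs, ys, lhs))
                    out.append(f"{body} -> T(f{s1}({','.join(xs)}),f{s2}({','.join(ys)}),{q}).")
        for q in sorted(final):                              # clause 9
            out.append(f'T(x,y,{q}) -> R(x,y).')
    automaton('Init', *a_init)
    automaton('Bad', *a_unsafe)
    transitions(*transducer)
    out += ['R(x,x).', 'R(x,y) & R(y,z) -> R(x,z).']         # clauses 10, 11
    return out

if __name__ == '__main__':
    print('\n'.join(mace4_clauses(A_I, A_U, D)))
```

The printed clauses coincide, up to variable naming, with the Mace4 input listed in Section 4.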
Indeed, if $\tau \in L(A_I) \star R^*_D$ then, by the definition of $\star$, there exists $\tau_0 \in L(A_I)$ such that $R^*_D(\tau_0, \tau)$ holds.

Corollary 1 (correctness of the verification method). If $\Phi \nvdash \exists x \exists y\, (\mathit{Init}^{(1)}(x) \wedge R(x, y) \wedge \mathit{Unsafe}^{(1)}(y))$ then $(L(A_I) \star R^*_D) \cap L(A_U) = \emptyset$.

Corollary 1 serves as a formal underpinning of the proposed FCM (finite countermodel) verification method. In order to prove safety, that is $(L(A_I) \star R^*_D) \cap L(A_U) = \emptyset$, it is sufficient to demonstrate $\Phi \nvdash \exists x \exists y\, (\mathit{Init}^{(1)}(x) \wedge R(x, y) \wedge \mathit{Unsafe}^{(1)}(y))$. In the FCM method we delegate this task to a generic finite model finding procedure, which searches for finite countermodels for $\Phi \to \exists x \exists y\, (\mathit{Init}^{(1)}(x) \wedge R(x, y) \wedge \mathit{Unsafe}^{(1)}(y))$.

3.1 Relative completeness of FCM with respect to RTMC

In general, searching for finite countermodels to disprove non-valid first-order formulae may not always lead to success, because for some formulae countermodels are inevitably infinite. Here we show, however, that this is not the case for the first-order encodings of the problems which can be positively answered by Regular Tree Model Checking. It follows then that FCM is at least as powerful in establishing safety as RTMC, provided a complete finite model finding procedure is used.

Theorem 1 (relative completeness of FCM). Given an instance of the basic verification problem for RTMC, that is two tree automata $A_I$ and $A_U$ over an alphabet $\Sigma$ and a tree transducer $D = (Q_D, F_D, \delta_D)$ over $\Sigma^\bullet(2)$. If there exists a regular tree language $R$ such that $(L(A_I) \star R^*_D) \subseteq R$ and $R \cap L(A_U) = \emptyset$, then there is a finite countermodel for $\Phi \to \exists x \exists y\, (\mathit{Init}^{(1)}(x) \wedge R(x, y) \wedge \mathit{Unsafe}^{(1)}(y))$.

Proof. Let $A = (Q, F, \delta)$ be a deterministic tree automaton recognizing the tree language $R$, i.e. $L(A) = R$.
We take $Q \cup Q_I \cup Q_U \cup Q_D \cup \{ e \}$ to be the domain of the required finite model. Here $e$ is a distinct element not in $Q \cup Q_I \cup Q_U \cup Q_D$. Define interpretations as follows.
– For $a \in \Sigma_0$, $[a] = q \in Q$ such that $\to_a q$ is in $\delta$;
– For $\theta \in \Sigma_p$, $[f_\theta](q_1, \ldots, q_p) = q$ for any $(q_1, \ldots, q_p) \to_\theta q$ in $\delta$, and $[f_\theta](\ldots) = e$ otherwise;
– Interpretations of $\mathit{Init}^{(2)}$ and $\mathit{Init}^{(1)}$ are defined inductively, as the least subsets of pairs, respectively elements, of the domain satisfying the formulae (1)–(3) (and assuming all interpretations above);
– Interpretations of $\mathit{Unsafe}^{(2)}$ and $\mathit{Unsafe}^{(1)}$ are defined inductively, as the least subsets of pairs, respectively elements, of the domain satisfying the formulae (4)–(6) (and assuming all interpretations above);
– Interpretation of $T$ is defined inductively, as the least subset of triples satisfying the formulae (7)–(8) (and assuming all interpretations above);
– Interpretation of $R$ is defined inductively, as the least subset of pairs satisfying the formulae (9)–(11) (and assuming all interpretations above).

The finite model so defined satisfies $\Phi$ (by construction). Now we check that $\neg \exists x \exists y\, (\mathit{Init}^{(1)}(x) \wedge R(x, y) \wedge \mathit{Unsafe}^{(1)}(y))$ is satisfied in the model. We have
1. $[\mathit{Init}^{(1)}] \star [R] \subseteq \{ [t] \mid t \in L(A_I) \star R^*_D \}$ (by the minimality condition on the interpretations of $\mathit{Init}^{(1)}$ and $R$);
2. $\{ [t] \mid t \in L(A_I) \star R^*_D \} \subseteq F \subseteq Q$ (by the interpretations of terms and the condition $(L(A_I) \star R^*_D) \subseteq R$);
3. $[\mathit{Init}^{(1)}] \star [R] \subseteq F$ (by 1 and 2);
4. $[\mathit{Unsafe}^{(1)}] = \{ [t] \mid t \in L(A_U) \}$ (by the definition of $[\mathit{Unsafe}^{(1)}]$, in particular by the minimality condition);
5. $\{ [t] \mid t \in L(A_U) \} \cap F = \emptyset$ (by the condition $R \cap L(A_U) = \emptyset$);
6. $[\mathit{Unsafe}^{(1)}] \cap F = \emptyset$ (by 4 and 5);
7. $([\mathit{Init}^{(1)}] \star [R]) \cap [\mathit{Unsafe}^{(1)}] = \emptyset$ (by 3 and 6).

4 The case study

In this section we illustrate the FCM method by applying it to the verification of the Two-way Token protocol. The system consists of finite-state processes connected to form a binary tree structure. Each process stores a single bit which represents the fact that the process has a token. During operation of the protocol the token can be passed up or down the tree. The correctness condition is that no two or more tokens ever appear. In parameterized verification we would like to establish correctness for all possible sizes of trees.

We take the RTMC-style specification of Two-way Token from [3]. Let $\Sigma = \{ t, n, T, N \}$ be the alphabet. Here $t, n \in \Sigma_0$ label processes on the leaves of a tree, and $T, N \in \Sigma_2$ label processes on the inner nodes of a tree. Further, $t, T$ label processes with a token and $n, N$ label processes without tokens.

The automaton $A_I = (Q_I, F_I, \delta_I)$ accepts the initial configurations of the protocol, that is the trees with exactly one token. Here $Q_I = \{ q_0, q_1 \}$, $F_I = \{ q_1 \}$ and $\delta_I$ consists of the following transition rules:
$\to_n q_0$, $\to_t q_1$, $(q_0, q_0) \to_T q_1$, $(q_0, q_0) \to_N q_0$, $(q_0, q_1) \to_N q_1$, $(q_1, q_0) \to_N q_1$.

The tree transducer $D = (Q_D, F_D, \delta_D)$ over $\Sigma^\bullet(2)$ represents the transitions of the protocol. Here $Q_D = \{ q_0, q_1, q_2, q_3 \}$, $F_D = \{ q_2 \}$ and $\delta_D$ consists of the following transition rules:
$\to_{(n,n)} q_0$, $\to_{(t,n)} q_1$, $\to_{(n,t)} q_3$,
$(q_0, q_0) \to_{(N,N)} q_0$, $(q_0, q_2) \to_{(N,N)} q_2$, $(q_2, q_0) \to_{(N,N)} q_2$,
$(q_0, q_0) \to_{(T,N)} q_1$, $(q_3, q_0) \to_{(T,N)} q_2$, $(q_0, q_3) \to_{(T,N)} q_2$,
$(q_0, q_1) \to_{(N,T)} q_2$, $(q_1, q_0) \to_{(N,T)} q_2$, $(q_0, q_0) \to_{(N,T)} q_3$.

The automaton $A_U = (Q_U, F_U, \delta_U)$ accepts the unsafe (bad) configurations of the protocol, that is the trees with at least two tokens.
Here $Q_U = \{ q_0, q_1, q_2 \}$, $F_U = \{ q_2 \}$ and $\delta_U$ consists of the following transition rules:
$\to_n q_0$, $\to_t q_1$,
$(q_0, q_0) \to_N q_0$, $(q_0, q_0) \to_T q_1$, $(q_0, q_1) \to_N q_1$, $(q_1, q_0) \to_N q_1$,
$(q_0, q_1) \to_T q_2$, $(q_1, q_0) \to_T q_2$, $(q_1, q_1) \to_T q_2$, $(q_0, q_2) \to_T q_2$, $(q_2, q_0) \to_T q_2$, $(q_1, q_2) \to_T q_2$, $(q_2, q_1) \to_T q_2$, $(q_2, q_2) \to_T q_2$,
$(q_1, q_1) \to_N q_2$, $(q_0, q_2) \to_N q_2$, $(q_2, q_0) \to_N q_2$, $(q_1, q_2) \to_N q_2$, $(q_2, q_1) \to_N q_2$, $(q_2, q_2) \to_N q_2$.

The set $\Phi$ of the following formulae presents a translation of the verification problem. We use the syntax of first-order logic used in the Mace4 finite model finder [20].

  % Transition transducer
  T(n,n,q0).
  T(t,n,q1).
  T(n,t,q3).
  T(x,z,q0) & T(y,v,q0) -> T(fT(x,y),fN(z,v),q1).
  T(x,z,q1) & T(y,v,q0) -> T(fN(x,y),fT(z,v),q2).
  T(x,z,q0) & T(y,v,q1) -> T(fN(x,y),fT(z,v),q2).
  T(x,z,q0) & T(y,v,q0) -> T(fN(x,y),fN(z,v),q0).
  T(x,z,q0) & T(y,v,q2) -> T(fN(x,y),fN(z,v),q2).
  T(x,z,q2) & T(y,v,q0) -> T(fN(x,y),fN(z,v),q2).
  T(x,z,q3) & T(y,v,q0) -> T(fT(x,y),fN(z,v),q2).
  T(x,z,q0) & T(y,v,q3) -> T(fT(x,y),fN(z,v),q2).
  T(x,z,q0) & T(y,v,q0) -> T(fN(x,y),fT(z,v),q3).
  % Initial states automaton
  Init(n,q0).
  Init(t,q1).
  Init(x,q0) & Init(y,q0) -> Init(fT(x,y),q1).
  Init(x,q0) & Init(y,q1) -> Init(fN(x,y),q1).
  Init(x,q0) & Init(y,q0) -> Init(fN(x,y),q0).
  Init(x,q1) & Init(y,q0) -> Init(fN(x,y),q1).
  % Bad states automaton
  Bad(n,q0).
  Bad(t,q1).
  Bad(x,q0) & Bad(y,q0) -> Bad(fN(x,y),q0).
  Bad(x,q0) & Bad(y,q0) -> Bad(fT(x,y),q1).
  Bad(x,q0) & Bad(y,q1) -> Bad(fN(x,y),q1).
  Bad(x,q1) & Bad(y,q0) -> Bad(fN(x,y),q1).
  Bad(x,q0) & Bad(y,q1) -> Bad(fT(x,y),q2).
  Bad(x,q1) & Bad(y,q0) -> Bad(fT(x,y),q2).
  Bad(x,q1) & Bad(y,q1) -> Bad(fT(x,y),q2).
  Bad(x,q0) & Bad(y,q2) -> Bad(fT(x,y),q2).
  Bad(x,q2) & Bad(y,q0) -> Bad(fT(x,y),q2).
  Bad(x,q1) & Bad(y,q2) -> Bad(fT(x,y),q2).
  Bad(x,q2) & Bad(y,q1) -> Bad(fT(x,y),q2).
  Bad(x,q2) & Bad(y,q2) -> Bad(fT(x,y),q2).
  Bad(x,q1) & Bad(y,q1) -> Bad(fN(x,y),q2).
  Bad(x,q0) & Bad(y,q2) -> Bad(fN(x,y),q2).
  Bad(x,q2) & Bad(y,q0) -> Bad(fN(x,y),q2).
  Bad(x,q1) & Bad(y,q2) -> Bad(fN(x,y),q2).
  Bad(x,q2) & Bad(y,q1) -> Bad(fN(x,y),q2).
  Bad(x,q2) & Bad(y,q2) -> Bad(fN(x,y),q2).
  % Reachability: final state of the transducer, reflexivity, transitivity
  T(x,y,q2) -> R(x,y).
  R(x,x).
  R(x,y) & R(y,z) -> R(x,z).
  % Final states of the initial and bad automata
  Init(x,q1) -> Init1(x).
  Bad(x,q2) -> Bad1(x).

According to Proposition 2 and Corollary 1, to establish safety for the Two-way Token protocol it suffices to show $\Phi \nvdash \exists x \exists y\, ((\mathit{Init1}(x) \wedge R(x, y)) \wedge \mathit{Bad1}(y))$. We delegate this task to the Mace4 finite model finder and it finds a countermodel for $\Phi \to \exists x \exists y\, ((\mathit{Init1}(x) \wedge R(x, y)) \wedge \mathit{Bad1}(y))$ in 0.03 s. The parameterized protocol is verified. The actual Mace4 input and output can be found in [14].

5 Monotonic abstraction and symbolic reachability vs FCM

Regular Tree Model Checking provides a general method for the verification of parameterized protocols for tree-shaped architectures. In [5] a lightweight alternative to RTMC was proposed. It utilizes a generic approach to safety verification using monotonic abstraction and symbolic reachability applied to tree rewriting systems. This generic approach has previously been successfully applied to the verification of parameterized linear systems [1] (as an alternative to standard Regular Model Checking). In this section we demonstrate the flexibility of the FCM approach and show that one can translate safety verification problems for parameterized tree-shaped systems formulated using tree rewriting into the problem of disproving a first-order formula, using the same basic principle (reachability as FO derivability). For the defined translation we show the relative completeness of FCM with respect to monotonic abstraction and symbolic reachability and demonstrate its practical efficiency.

5.1 Parameterized Tree Systems

The approach of [5] to the verification of parameterized tree systems adopts the following viewpoint.
A configuration of the system is represented by a tree over a finite alphabet, where elements of the alphabet represent the local states of the individual processes. The behaviour of the system is specified by a set of tree rewriting rules, which describe how the processes perform transitions. Transitions are enabled by the local state of the process together with the states of the children and parent processes.

Definition 3. A tree $T$ over a set of states $Q$ is a pair $(S, \lambda)$, where
– $S$ is a tree structure (cf. Definition 1);
– $\lambda$ is a mapping from $S$ to $Q$.

Notice that trees over a set of states are similar to trees over ranked alphabets (Definition 1), with the only difference that the same state can label vertices with different numbers of children (e.g. leaves of the tree and internal vertices). In what follows we assume for simplicity of presentation (after [5]) that all trees are (no more than) binary, that is every node has either one or two children (internal node) or no children (leaf). It is straightforward to extend all constructions and results to the general case of not necessarily binary trees. Notice that configurations of the tree systems will be modeled by complete binary trees. Incomplete binary trees (which may contain nodes with one child) will appear only in the rewrite rules.

Definition 4. A parameterized tree system $P$ is a tuple $(Q, R)$, where $Q$ is a finite set of states and $R \subseteq T(Q \times Q)$ is a finite set of rewrite rules.

With each rule $r = (S, \lambda) \in R$ we associate two trees, called the left and right trees of $r$. We define $\mathit{lhs}(r) = (S, \mathit{lhs}(\lambda))$ and $\mathit{rhs}(r) = (S, \mathit{rhs}(\lambda))$, where $\mathit{lhs}(\lambda)$ and $\mathit{rhs}(\lambda)$ are the left, respectively right, projection of $\lambda$. We will denote (labeled) binary trees by bracket expressions in the standard way.

Example 1. Let $Q = \{ q_0, q_1, q_2 \}$; then $r = \langle q_0, q_1 \rangle(\langle q_1, q_1 \rangle, \langle q_2, q_0 \rangle) \in T(Q \times Q)$ is a rewriting rule. This rule has $\bullet(\bullet, \bullet)$ as its tree structure, with one root and two leaves. The pairs of states $\langle q_0, q_1 \rangle$, $\langle q_1, q_1 \rangle$, $\langle q_2, q_0 \rangle$ label the root and the two leaves respectively. We also have $\mathit{lhs}(r) = q_0(q_1, q_2)$ and $\mathit{rhs}(r) = q_1(q_1, q_0)$.

Example 2. Let $Q$ be as above; then $\langle q_1, q_2 \rangle(\langle q_0, q_1 \rangle)$ is a rewriting rule with the structure of the incomplete binary tree $\bullet(\bullet)$.

Given a parameterized tree system $P = (Q, R)$ define the one-step transition relation $\Rightarrow_P \subseteq T(Q) \times T(Q)$ as follows: $\tau_1 \Rightarrow_P \tau_2$ iff for some $r \in R$, $\tau_1$ contains $\mathit{lhs}(r)$ as a subtree and $\tau_2$ is obtained from $\tau_1$ by replacing this subtree with $\mathit{rhs}(r)$. Since $\mathit{lhs}(r)$ and $\mathit{rhs}(r)$ have the same tree structure, the operation of replacement and the one-step transition relation are well-defined.

Example 3. Let $P = (Q, R)$ with $Q = \{ q_0, q_1, q_2 \}$ and $R = \{ \langle q_0, q_1 \rangle(\langle q_1, q_1 \rangle, \langle q_2, q_0 \rangle) \}$. Then we have (the rewritten subtree, underlined in the original, is in each case the one matching $\mathit{lhs}(r) = q_0(q_1, q_2)$):
– $q_0(q_1, q_2) \Rightarrow_P q_1(q_1, q_0)$;
– $q_2(q_0(q_1, q_2), q_1) \Rightarrow_P q_2(q_1(q_1, q_0), q_1)$;
– $q_0(q_1(q_1, q_0), q_2(q_0, q_2)) \Rightarrow_P q_1(q_1(q_1, q_0), q_0(q_0, q_2))$.

Denote the transitive and reflexive closure of $\Rightarrow_P$ by $\Rightarrow^*_P$.

Definition 5 (embedding). For $\tau_1 = (S_1, \lambda_1)$ and $\tau_2 = (S_2, \lambda_2)$ an injective function $f : S_1 \to S_2$ is called an embedding iff
– $s \cdot b \in S_1$ implies $f(s) \cdot b \le f(s \cdot b)$ for any $s \in S_1$;
– $\lambda_1(s) = \lambda_2(f(s))$.

We use $\tau_1 \preceq_f \tau_2$ to denote that $f$ is an embedding of $\tau_1$ into $\tau_2$, and write $\tau_1 \preceq \tau_2$ iff there exists $f$ such that $\tau_1 \preceq_f \tau_2$. Using the embeddability relation $\preceq$ allows one to describe infinite families of trees by finitary means.
We call a set of trees $\mathcal{T} \subseteq T(Q)$ finitely based iff there is a finite set $B \subseteq T(Q)$ such that $\mathcal{T} = \{ \tau \mid \exists \tau' \in B\, \tau' \preceq \tau \}$. Notice that finitely based sets of trees are upwards closed with respect to $\preceq$, that is, $\tau \in \mathcal{T}$ and $\tau \preceq \tau'$ implies $\tau' \in \mathcal{T}$.

Many safety verification problems for parameterized tree systems can be reduced to the following coverability problem.

Problem 2. Given a parameterized tree system $P = (Q, R)$, a regular tree language $\mathit{Init} \subseteq T(Q)$ of initial configurations and a finitely based set of unsafe configurations $\mathit{Unsafe} \subseteq T(Q)$. Does $\tau \not\Rightarrow^*_P \tau'$ hold for all $\tau \in \mathit{Init}$ and all $\tau' \in \mathit{Unsafe}$?

Note 1. We formally defined regular tree languages over ranked alphabets. Regular tree languages over (unranked) states can be defined in various ways. We will fix a particular convention in Assumption 1 below.

Now we briefly outline the monotonic abstraction approach [5] to verification. Given the coverability problem above, [5] defines the monotonic abstraction $\Rightarrow^A_P$ of the transition relation $\Rightarrow_P$ as follows. We have $\tau_1 \Rightarrow^A_P \tau_2$ iff there exists a tree $\tau'$ such that $\tau' \preceq \tau_1$ and $\tau' \Rightarrow_P \tau_2$. It is clear that the relation $\Rightarrow^A_P$ so defined is an over-approximation of $\Rightarrow_P$. To establish the safety property, i.e. to get a positive answer to the question of Problem 2, [5] proposes using a symbolic backward reachability algorithm for monotonic abstraction. Starting with an upwards closed (w.r.t. $\preceq$) set of unsafe configurations $\mathit{Unsafe}$, the algorithm proceeds iteratively with the computation of the set of configurations backwards reachable along $\Rightarrow^A_P$ from $\mathit{Unsafe}$:
– $U_0 = \mathit{Unsafe}$;
– $U_{i+1} = U_i \cup \mathit{Pre}(U_i)$, where $\mathit{Pre}(U) = \{ \tau \mid \exists \tau' \in U\, \tau \Rightarrow^A_P \tau' \}$.
Since the relation $\preceq$ is a well quasi-ordering [13], this iterative process is guaranteed to stabilize, i.e. $U_{n+1} = U_n = U$ for some finite $n$.
During the computation each $U_i$ is represented symbolically by a finite set of generators. Once the process has stabilized on some $U$, the check is performed on whether $\mathit{Init} \cap U = \emptyset$. If this condition is satisfied then safety is established, for no bad configuration can be reached from the initial configurations via $\Rightarrow^A_P$ and, a fortiori, via $\Rightarrow_P$.

5.2 Parameterized Tree Systems to FCM

Here we show how to translate the coverability problem (Problem 2) into the task of disproving a first-order formula and demonstrate the relative completeness of the FCM method with respect to the monotonic abstraction approach.

Assume we are given an instance of the coverability problem, that is
– a parameterized tree system $P = (Q, R)$,
– a regular tree language $\mathit{Init}$ of initial configurations, given by a tree automaton $A_I = (Q_I, F_I, \delta_I)$, and
– a finitely based set of unsafe configurations $\mathit{Unsafe}$, given by a finite set of generators $\mathit{Un} \subseteq T(Q)$.

For a set of states $Q$ let $F_Q = \{ f^{(2)}_q \mid q \in Q \} \cup \{ e \}$ be the set of corresponding binary functional symbols extended with a distinct functional symbol $e$ of arity 0 (a constant). For any complete binary tree $\tau \in T(Q)$ define its term translation $t_\tau$ in the vocabulary $F_Q$ inductively:
– $t_\tau = f_q(e, e)$ if $\tau$ is a tree with one node labeled by a state $q$;
– $t_\tau = f_q(t_{\tau_1}, t_{\tau_2})$ if the root of $\tau$ has two children and $\tau = q(\tau_1, \tau_2)$.

For any, not necessarily complete, binary tree $\tau \in T(Q \times Q)$ define inductively its translation $s_\tau$ as a set of pairs of terms in the vocabulary $F_Q$:
– $s_\tau = \{ \langle f_{q_1}(e, e), f_{q_2}(e, e) \rangle \}$ if $\tau$ is a tree with one node labeled with the states $(q_1, q_2)$;
– $s_\tau = \{ \langle f_{q_1}(\rho_1, \rho_2), f_{q_2}(\rho_3, \rho_4) \rangle \mid \langle \rho_1, \rho_3 \rangle \in s_{\tau_1}, \langle \rho_2, \rho_4 \rangle \in s_{\tau_2} \}$ if the root of $\tau$ is labeled by $(q_1, q_2)$ and it has two children $\tau_1$ and $\tau_2$, i.e. if $\tau = (q_1, q_2)(\tau_1, \tau_2)$;
– $s_\tau = \{ \langle f_{q_1}(\rho_1, e), f_{q_2}(\rho_2, e) \rangle \mid \langle \rho_1, \rho_2 \rangle \in s_{\tau_1} \} \cup \{ \langle f_{q_1}(e, \rho_1), f_{q_2}(e, \rho_2) \rangle \mid \langle \rho_1, \rho_2 \rangle \in s_{\tau_1} \}$ if the root of $\tau$ is labeled by $(q_1, q_2)$ and it has one child $\tau_1$, i.e. if $\tau = (q_1, q_2)(\tau_1)$.

For $\langle \rho_1, \rho_2 \rangle \in s_\tau$ we denote by $\rho^{gen}_1$ (by $\rho^{gen}_2$) the generalized term obtained by replacing all occurrences of the constant $e$ in $\rho_1$ (in $\rho_2$, respectively) with distinct variables.

Now we define the first-order translation of the set of rules $R$ as the following set $\Phi_R$ of first-order formulae, which are all assumed to be universally closed:
1. $R(\rho^{gen}_1, \rho^{gen}_2)$ for all $r \in R$ and $\langle \rho_1, \rho_2 \rangle \in s_r$ (rewriting axioms);
2. $R(x, x)$ (reflexivity axiom);
3. $R(x, y) \wedge R(y, z) \to R(x, z)$ (transitivity axiom);
4. $R(x, y) \wedge R(z, v) \to R(f_q(x, z), f_q(y, v))$ for all $q \in Q$ (congruence axioms).
In 1) we additionally require that the generalizations $\rho^{gen}_1$ and $\rho^{gen}_2$ be consistent, that is, the variables used in the generalizations are the same in the same positions.

Now for simplicity we make the following

Assumption 1. An automaton $A_I = (Q_I, F_I, \delta_I)$ is given over the ranked alphabet $F_Q$.

We define the translation of $A_I$ as the set $\Phi_I$ of first-order formulae
5. $I_\theta(f_q(e, e))$ for all $\to_e \theta'$ and $(\theta', \theta') \to_{f_q} \theta$ in $\delta_I$;
6. $I_{\theta_1}(x) \wedge I_{\theta_2}(y) \to I_{\theta_3}(f_q(x, y))$ for all $(\theta_1, \theta_2) \to_{f_q} \theta_3$ in $\delta_I$;
7. $\bigvee_{\theta \in F_I} I_\theta(x) \to \mathit{Init}(x)$.

Let $A_U = (Q_U, F_U, \delta_U)$ be a tree automaton recognizing the finitely based set $\mathit{Unsafe}$. Then its translation $\Phi_U$ is defined analogously to the translation of $A_I$:
8. $U_\theta(f_q(e, e))$ for all $\to_e \theta'$ and $(\theta', \theta') \to_{f_q} \theta$ in $\delta_U$;
9. $U_{\theta_1}(x) \wedge U_{\theta_2}(y) \to U_{\theta_3}(f_q(x, y))$ for all $(\theta_1, \theta_2) \to_{f_q} \theta_3$ in $\delta_U$;
10. $\bigvee_{\theta \in F_U} U_\theta(x) \to \mathit{Unsafe}(x)$.

Proposition 3 (adequacy of encoding). For an instance of the coverability problem and the translation defined above the following holds true:
1. For any $\tau_1, \tau_2 \in T(Q)$, if $\tau_1 \Rightarrow^*_P \tau_2$ then $\Phi_R \vdash R(t_{\tau_1}, t_{\tau_2})$;
2. For any $\tau \in \mathit{Init}$, $\Phi_I \vdash \mathit{Init}(t_\tau)$;
3. For any $\tau \in \mathit{Unsafe}$, $\Phi_U \vdash \mathit{Unsafe}(t_\tau)$.

Proof. Proceeds by straightforward inspection of the definitions.

Corollary 2 (safety verification). If $\Phi_R \cup \Phi_I \cup \Phi_U \nvdash \exists x \exists y\, (\mathit{Init}(x) \wedge \mathit{Unsafe}(y) \wedge R(x, y))$ then the coverability problem has a positive answer, that is, $\tau \not\Rightarrow^*_P \tau'$ holds for all $\tau \in \mathit{Init}$ and all $\tau' \in \mathit{Unsafe}$.

Theorem 2 (relative completeness). Given a parameterized tree system $P = (Q, R)$, a regular tree language of initial configurations $\mathit{Init}$ and a finitely based set of unsafe configurations $\mathit{Unsafe}$, assume the backward symbolic reachability algorithm for monotonic abstraction described above terminates with the fixed point $U = U_{n+1} = U_n$ for some $n$ and $\mathit{Init} \cap U = \emptyset$. Then there exists a finite model for $\Phi_R \wedge \Phi_I \wedge \Phi_U \wedge \neg(\exists x \exists y\, (\mathit{Init}(x) \wedge \mathit{Unsafe}(y) \wedge R(x, y)))$.

Proof. First we observe that, since the fixed point $U$ has a finite set of generators, it is a regular tree language. Let $A_{U^*} = (Q_{U^*}, F_{U^*}, \delta_{U^*})$ be a deterministic tree automaton recognizing $U$. We take $Q_{U^*}$ as the domain of the required model. Interpretations of all functional symbols from $F_Q$ are given by $\delta_{U^*}$:
– $[f_q](\theta_1, \theta_2) = \theta_3$ iff $(\theta_1, \theta_2) \to_{f_q} \theta_3$ is in $\delta_{U^*}$;
– $[e] = \theta$, where $\to_e \theta$ is in $\delta_{U^*}$.
Interpretations of the predicates $R$, $I_\theta$, $\mathit{Init}$, $U_\theta$, $\mathit{Unsafe}$ are defined inductively as the least sets of tuples, or elements, of the domain satisfying the axioms 1–4, 5–7 and 8–10, respectively. That concludes the definition of the model, which we denote by $M$. We have $M \models \Phi_R \wedge \Phi_I \wedge \Phi_U$ by construction.
Now we check that $M \models \neg(\exists x \exists y\, Init(x) \wedge Unsafe(y) \wedge R(x, y))$. We have
1. $[Init] \star [R] \subseteq \{ [\tau] \mid \exists \tau' \in Init.\ \tau' \Rightarrow^{*}_{P} \tau \}$ (by the minimality conditions on the interpretations of $Init$ and $R$);
2. $\{ [\tau] \mid \exists \tau' \in Init.\ \tau' \Rightarrow^{*}_{P} \tau \} \subseteq \bar{F}_{U^*} = Q_{U^*} - F_{U^*}$ (by the assumption $U \cap Init = \emptyset$);
3. $[Unsafe] \subseteq F_{U^*}$ (by $Unsafe \subseteq U$);
4. $([Init] \star [R]) \cap [Unsafe] = \emptyset$ (by 1–3).

5.3 The case study, II

In this section we illustrate the discussed variation of the FCM method by applying it again to the verification of the Two-way Token Protocol, but specified differently. The specification of this protocol using trees over states and tree rewriting is taken from [5]. The set of states is $Q = \{ n, t \}$, where $n$ and $t$ denote the local states 'no token' and 'token', respectively. The set $R$ of rewriting rules consists of the following rules:
– $\langle t, n \rangle(\langle n, t \rangle)$;
– $\langle n, t \rangle(\langle t, n \rangle)$.
The set $Init$ of initial configurations consists of all complete binary trees over $Q$ with exactly one token. The set $Unsafe$ of unsafe configurations consists of all complete binary trees over $Q$ with at least two tokens. The set of formulae $\Phi$ below is a first-order translation (in Mace4 syntax) of the verification task.

    % rewriting rules
    R(ft(fn(y,z),x),fn(ft(y,z),x)).
    R(ft(x,fn(y,z)),fn(x,ft(y,z))).
    R(fn(ft(y,z),x),ft(fn(y,z),x)).
    R(fn(x,ft(y,z)),ft(x,fn(y,z))).
    % reflexivity
    R(x,x).
    % congruence
    (R(x,y) & R(z,v)) -> R(fn(x,z),fn(y,v)).
    (R(x,y) & R(z,v)) -> R(ft(x,z),ft(y,v)).
    % transitivity
    (R(x,y) & R(y,z)) -> R(x,z).
    % Initial states automaton
    I1(fn(e,e)).
    (I1(x) & I1(y)) -> I1(fn(x,y)).
    (I1(x) & I1(y)) -> Init(ft(x,y)).
    (Init(x) & I1(y)) -> Init(fn(x,y)).
    (I1(x) & Init(y)) -> Init(fn(x,y)).
    % Unsafe states automaton
    B1(ft(x,y)).
    B1(x) -> B1(fn(x,y)).
    B1(y) -> B1(fn(x,y)).
    B1(x) -> Unsafe(ft(x,y)).
    B1(x) -> Unsafe(ft(y,x)).
    B1(x) & B1(y) -> Unsafe(fn(x,y)).
    B1(x) & B1(y) -> Unsafe(ft(x,y)).
    Unsafe(x) -> Unsafe(fn(x,y)).
    Unsafe(x) -> Unsafe(fn(y,x)).
    Unsafe(x) -> Unsafe(ft(x,y)).
    Unsafe(x) -> Unsafe(ft(y,x)).

Now, in order to establish safety, it is sufficient to show that $\Phi \nvdash \exists x \exists y\, Init(x) \wedge R(x, y) \wedge Unsafe(y)$. The finite model finder Mace4 finds a model for $\Phi \wedge \neg(\exists x \exists y\, Init(x) \wedge R(x, y) \wedge Unsafe(y))$ in 0.04s.

6 Experimental results

We have applied both presented versions of the FCM method to the verification of several parameterized tree-shaped systems. The tasks specified in the RTMC tradition were taken from [3], and the first translation was used for them. To compare with monotonic abstraction based methods we used the second translation for the tasks from [5]. In the experiments we used the finite model finder Mace4 [20] within the package Prover9-Mace4, Version 0.5, December 2007. The system configuration used in the experiments: Microsoft Windows XP Professional, Version 2002, Intel(R) Core(TM)2 Duo CPU T7100 @ 1.8GHz 1.79GHz, 1.00 GB of RAM. The time measurements are done by Mace4 itself; upon completion of the model search it reports the CPU time used. The tables below list the parameterized tree protocols and show the time it took Mace4 to find a countermodel and thereby verify a safety property. The time shown is an average of 10 attempts. We also show the time reported for the verification of the same protocols by alternative methods.

6.1 FCM vs RTMC

    Protocol        Time     Time reported in [6]*
    Token           0.02s    0.06s
    Two-way Token   0.03s    0.09s

* The system configuration used in [6] was Intel Centrino 1.6GHz with 768MB of RAM.

Notice that [6] discusses different methods for the enhancement of RTMC within the abstract-check-refine paradigm, and we included in the table the best times reported in [6] for each verification problem.

6.2 FCM vs Monotonic Abstraction

    Protocol          Time     Time reported in [5]*
    Token             0.02s    1s
    Two-way Token     0.03s    1s
    Percolate         0.02s    1s
    Leader Election   0.03s    1s
    Tree-arbiter      0.02s    37s
    IEEE 1394         0.04s    1h15m25s

* The system configuration used in [5] was dual Opteron 2.8GHz with 8 GB of RAM.

All specifications used in the experiments and the Mace4 output can be found in [14].
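As an added example, not the paper's own code nor part of the Mace4 input above: the following Python script implements the translation $s_\tau$ of Section 5.2 and assembles axioms 1–4 of $\Phi_R$ for the Two-way Token rules of Section 5.3. The rewriting axioms it produces coincide with the four clauses under "% rewriting rules" in the listing above up to renaming of variables (the script names them x1, x2, ...); the tree and term encodings are this example's own choices.

```python
# Added example, not the paper's code: the translation s_tau of tree rewriting rules
# over Q x Q (Section 5.2) and the set Phi_R it yields, in Mace4 syntax.  Encoding used
# here: tree over Q x Q = ((q1, q2), [children]); term = "e", a variable or ("f"+q, l, r).
from itertools import product

E = "e"

def s_tau(tree):
    """Set of term pairs s_tau for a (not necessarily complete) tree over Q x Q."""
    (q1, q2), kids = tree
    f1, f2 = "f" + q1, "f" + q2
    if not kids:                        # single node labelled (q1, q2)
        return {((f1, E, E), (f2, E, E))}
    if len(kids) == 2:                  # <r1,r3> from the left child, <r2,r4> from the right
        return {((f1, r1, r2), (f2, r3, r4))
                for (r1, r3), (r2, r4) in product(s_tau(kids[0]), s_tau(kids[1]))}
    sub = s_tau(kids[0])                # one child: it may hang on either side, e on the other
    return ({((f1, r1, E), (f2, r2, E)) for r1, r2 in sub}
            | {((f1, E, r1), (f2, E, r2)) for r1, r2 in sub})

def generalize(pair):
    """rho1_gen, rho2_gen: each e becomes a fresh variable, the same one at the same
    position of both terms (consistency).  x1, x2, ... are Mace4 variables (u..z prefix)."""
    fresh = ("x%d" % i for i in range(1, 10 ** 6))
    def walk(t1, t2):
        if t1 == E:                     # both terms have the same shape by construction
            v = next(fresh)
            return v, v
        (f1, l1, r1), (f2, l2, r2) = t1, t2
        (gl1, gl2), (gr1, gr2) = walk(l1, l2), walk(r1, r2)
        return (f1, gl1, gr1), (f2, gl2, gr2)
    return walk(*pair)

def show(t):
    """Render a term in Mace4 syntax."""
    return t if isinstance(t, str) else "%s(%s,%s)" % (t[0], show(t[1]), show(t[2]))

def phi_R(Q, rules):
    """Axioms 1-4 of Phi_R as Mace4 clauses (free variables are universally closed)."""
    axioms = sorted({"R(%s,%s)." % tuple(map(show, generalize(p)))
                     for r in rules for p in s_tau(r)})               # 1. rewriting
    axioms.append("R(x,x).")                                          # 2. reflexivity
    axioms.append("(R(x,y) & R(y,z)) -> R(x,z).")                     # 3. transitivity
    axioms += ["(R(x,y) & R(z,v)) -> R(f%s(x,z),f%s(y,v))." % (q, q)
               for q in Q]                                            # 4. congruence
    return axioms

# Two-way Token Protocol rules of Section 5.3: <t,n>(<n,t>) and <n,t>(<t,n>)
TWO_WAY_TOKEN = [(("t", "n"), [(("n", "t"), [])]),
                 (("n", "t"), [(("t", "n"), [])])]
```

Calling `phi_R(["n", "t"], TWO_WAY_TOKEN)` returns the eight clauses of $\Phi_R$; a rule whose root has two one-child subtrees yields four term pairs, since each child contributes both placements of its own child.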
7 Related work

As mentioned in Section 1, the approach to verification using the modeling of protocol executions by first-order derivations, together with countermodel finding for disproving, was introduced within the research on the formal analysis of cryptographic protocols ([23], [22], [9], [11], [10]). This work continues the exploration of the FCM approach presented in [14,15,16,17,18,19]. In [17] (which is an extended version of [15]) it was shown that FCM provides a decision procedure for safety verification of lossy channel systems, and that FCM can be used for efficient verification of parameterised cache coherence protocols. The relative completeness of FCM with respect to regular model checking and to methods based on monotonic abstraction for linear parameterized systems was established in [18] (which is an extended version of the abstract [16]). The relative completeness of FCM with respect to tree completion techniques for general term rewriting systems is shown in [19]. Our treatment of tree rewriting in 5.1 can be seen as a particular case of the term rewriting considered in [19], with a slightly different translation of tree automata. A detailed comparison and/or unified treatment of FCM vs Tree Completion vs RTMC vs Monotonic Abstraction is to be given elsewhere. Here we notice only that the reason for FCM to succeed in the verification of safety of various classes of infinite-state and parameterized systems is the presence of regular sets of configurations (invariants) covering all reachable configurations and disjoint from the sets of unsafe configurations.

In a more general context, the work we present in this paper is related to the concepts of proof by consistency [12] and inductionless induction [8], and can be seen as an investigation into the power of these concepts in the particular setting of the verification of parameterized tree systems via finite countermodel finding.

8 Conclusion

We have shown how to apply generic finite model finders in the parameterized verification of tree-shaped systems, have demonstrated the relative completeness of the method with respect to regular tree model checking and to the methods based on monotonic abstraction, and have illustrated its practical efficiency. Future work includes the investigation of the scalability of FCM, and its applications to software verification.

Acknowledgments

The author is grateful to the anonymous referees of the FMCAD 2011 conference who provided many helpful comments on the previous version of this paper.

References

1. Abdulla, P.A., Delzanno, G., Henda, N.B., & Rezine, A., (2009a), Monotonic Abstraction: on Efficient Verification of Parameterized Systems. Int. J. Found. Comput. Sci. 20(5): 779–801.
2. Abdulla, P.A., Jonsson, B., (1996), Verifying programs with unreliable channels. Information and Computation, 127(2):91–101, 1996.
3. Abdulla, Parosh Aziz and Jonsson, Bengt and Mahata, Pritha and d'Orso, Julien, Regular Tree Model Checking, in Proceedings of the 14th International Conference on Computer Aided Verification, CAV '02, 2002, 555–568.
4. Abdulla, P.A., Jonsson, B., Nilsson, M., & Saksena, M., (2004), A Survey of Regular Model Checking, In Proc. of CONCUR '04, volume 3170 of LNCS, pp 35–58, 2004.
5. Parosh Aziz Abdulla, Noomene Ben Henda, Giorgio Delzanno, Frédéric Haziza and Ahmed Rezine, Parameterized Tree Systems, in Formal Techniques for Networked and Distributed Systems, FORTE 2008, Lecture Notes in Computer Science, 2008, Volume 5048/2008, 69–83.
6. A. Bouajjani, P. Habermehl, A. Rogalewicz, T. Vojnar, Abstract Regular Tree Model Checking, Electronic Notes in Theoretical Computer Science, 149, (2006), 37–48.
7. Caferra, R., Leitsch, A., & Peltier, M., (2004), Automated Model Building, Applied Logic Series, 31, Kluwer, 2004.
8. Comon, H., (1994), Inductionless induction. In R. David, ed. 2nd Int. Conf. in Logic for Computer Science: Automated Deduction. Lecture Notes, Chambery, Uni de Savoie, 1994.
9. Goubault-Larrecq, J., (2010), Finite Models for Formal Security Proofs, Journal of Computer Security, 6: 1247–1299, 2010.
10. Guttman, J., (2009), Security Theorems via Model Theory, Proceedings 16th International Workshop on Expressiveness in Concurrency, EXPRESS, EPTCS, vol. 8 (2009).
11. Jurjens, J., & Weber, T., (2009), Finite Models in FOL-Based Crypto-Protocol Verification, P. Degano and L. Viganò (Eds.): ARSPA-WITS 2009, LNCS 5511, pp. 155–172, 2009.
12. Kapur, D., & Musser, D.R., (1987), Proof by consistency. Artificial Intelligence, 31:125–157, 1987.
13. Kruskal, J.B., (1960), Well-Quasi-Ordering, the Tree Theorem, and Vazsonyi's Conjecture, Transactions of the American Mathematical Society, 95,2:210–225, 1960.
14. Lisitsa, A., (2009a), Verification via countermodel finding, http://www.csc.liv.ac.uk/~alexei/countermodel/
15. Lisitsa, A., (2009b), Reachability as deducibility, finite countermodels and verification. In preProceedings of AVOCS 2009, Technical Report of Computer Science, Swansea University, CSR-2-2009, pp 241–243.
16. Lisitsa, A., (2010a), Finite countermodels as invariants. A case study in verification of parameterized mutual exclusion protocol. In Proceedings of WING 2010, 1pp.
17. Lisitsa, A., (2010b), Reachability as deducibility, finite countermodels and verification. In Proceedings of ATVA 2010, LNCS 6252, 233–244.
18. Lisitsa, A., (2010c), Finite model finding for parameterized verification, CoRR abs/1011.0447 (2010).
19. Lisitsa, A., (2011), Finite models vs tree automata in safety verification, CoRR abs/1107.0349 (2011).
20. McCune, W., Prover9 and Mace4, http://www.cs.unm.edu/~mccune/mace4/
21. Nilsson, M., (2005), Regular Model Checking. Acta Universitatis Upsaliensis. Uppsala Dissertations from the Faculty of Science and Technology 60. 149 pp. Uppsala. ISBN 91-554-6137-9, 2005.
22. Selinger, P., (2001), Models for an adversary-centric protocol logic. Electr. Notes Theor. Comput. Sci. 55(1) (2001).
23. Weidenbach, C., (1999), Towards an Automatic Analysis of Security Protocols in First-Order Logic, in H. Ganzinger (Ed.): CADE-16, LNAI 1632, pp. 314–328, 1999.