Liveness by Invisible Invariants

Yi Fang (1), Kenneth L. McMillan (2), Amir Pnueli (3), and Lenore D. Zuck (4)

(1) Microsoft, Redmond, Washington, yfang@microsoft.com
(2) Cadence Design Systems, Berkeley, California, mcmillan@cadence.com
(3) New York University, New York, New York, amir@cs.nyu.edu
(4) University of Illinois at Chicago, lenore@cs.uic.edu

Abstract. The method of Invisible Invariants was developed in order to verify safety properties of parametrized systems in a fully automatic manner. In this paper, we apply the method of invisible invariants to “bounded response” properties, i.e., liveness properties of the type p = q that are bounded – once a p-state is reached, it takes a bounded number of rounds (where a round is a sequence of steps in which each process has been given a chance to proceed) to reach a q-state – thus, they are essentially safety properties. With a “liveness monitor” that observes certain behavior of a system, establishing “bounded response” properties over the system is reduced to the verification of invariant properties. It is often the case that the inductive invariants for systems with “liveness monitors” contain assertions of a certain form that the original method of invisible invariants is not able to generate, nor to check for inductiveness. To accommodate invariants of such forms, we extend the techniques used for invariant generation, as well as the small model theorem for validity checking.

1 Introduction

Uniform verification of parameterized systems is one of the most challenging problems in verification. Given a parameterized system S(N): P[1] ‖ ··· ‖ P[N] and a property p, uniform verification attempts to verify that S(N) satisfies p for every N > 1. One of the most powerful approaches to verification that is not restricted to finite-state systems is deductive verification.
This approach is based on a set of proof rules in which the user has to establish the validity of a list of premises in order to validate a given temporal property of the system. The two tasks that the user has to perform are:

1. Provide some auxiliary constructs that appear in the premises of the rule;
2. Use the auxiliary constructs to establish the logical validity of the premises.

When performing manual deductive verification, the first task is usually the more difficult, requiring ingenuity, expertise, and a good understanding of the behavior of the

This research was supported in part by NSF grant CCR-0205571 and ONR grant N00014-99-1-0131.

E. Najm et al. (Eds.): FORTE 2006, LNCS 4229, pp. 356–371, 2006. © IFIP International Federation for Information Processing 2006
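To make the reduction described in the abstract concrete (a bounded-response property turned into an invariant by composing the system with a “liveness monitor” that counts rounds), here is an added, self-contained example that is not code from the paper or its authors. It models a constructed toy token-ring protocol with N processes, each of which is idle, waiting, or critical and moves only when a round-robin scheduler gives it a step; a round completes each time the scheduler wraps. The monitor watches process 0 only (the assumption that this suffices by symmetry is ours, not something the paper states for this system): it starts counting completed rounds when process 0 enters the waiting state (the p-state) and resets when process 0 enters the critical state (the q-state). Bounded response then becomes the state invariant “monitor counter ≤ bound”, which the code checks by exhaustive exploration for a fixed N. The paper’s contribution is proving such invariants for every N with invisible invariants; this example only illustrates the monitor construction and why the resulting property is a safety property.

```python
from collections import deque

# Local states of a constructed toy token-ring process.
IDLE, WAIT, CRIT = "I", "W", "C"


def initial_state(n):
    """All processes idle, token at process 0, scheduler at process 0,
    liveness monitor inactive with round counter 0."""
    return ((IDLE,) * n, 0, 0, False, 0)


def successors(state, n):
    """Let the scheduled process take one step (nondeterministically),
    then update the liveness monitor for process 0.

    State = (locs, token, sched, active, rounds):
      locs   - tuple of local states
      token  - index of the process holding the token
      sched  - process that moves next (round-robin)
      active - monitor has seen p (process 0 waiting) and not yet q
      rounds - complete rounds elapsed since p was observed
    """
    locs, token, sched, active, rounds = state
    i = sched
    moves = []  # candidate (new_locs, new_token) pairs for this step
    if locs[i] == IDLE:
        # (a) request the resource; keep the token if holding it
        l2 = list(locs); l2[i] = WAIT
        moves.append((tuple(l2), token))
        # (b) stay idle; a token holder must pass the token on
        moves.append((locs, (i + 1) % n if token == i else token))
    elif locs[i] == WAIT:
        if token == i:  # the token grants entry to the critical section
            l2 = list(locs); l2[i] = CRIT
            moves.append((tuple(l2), token))
        else:           # wait for the token to arrive
            moves.append((locs, token))
    else:  # CRIT: leave and pass the token to the next process
        l2 = list(locs); l2[i] = IDLE
        moves.append((tuple(l2), (i + 1) % n))

    next_sched = (i + 1) % n
    result = []
    for new_locs, new_token in moves:
        a, r = active, rounds
        if new_locs[0] == CRIT:               # q reached: stop counting
            a, r = False, 0
        elif new_locs[0] == WAIT and not a:   # p observed: start counting
            a, r = True, 0
        if next_sched == 0 and a:             # a full round completed under p
            r += 1
        result.append((new_locs, new_token, next_sched, a, r))
    return result


def check_bounded_response(n, bound):
    """Exhaustively explore the composed system + monitor for a fixed n.

    Returns (holds, max_rounds): holds is True iff the invariant
    'monitor counter <= bound' is true in every reachable state, which is
    exactly the bounded-response property 'p is followed by q within
    bound rounds'.  States beyond a violation are not expanded, so the
    search space stays finite even when the property fails.
    """
    seen = set()
    frontier = deque([initial_state(n)])
    holds, max_rounds = True, 0
    while frontier:
        s = frontier.popleft()
        if s in seen:
            continue
        seen.add(s)
        r = s[4]
        max_rounds = max(max_rounds, r)
        if r > bound:
            holds = False
            continue
        for t in successors(s, n):
            if t not in seen:
                frontier.append(t)
    return holds, max_rounds


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, check_bounded_response(n, 2 * n))
```

For this toy protocol the worst case is a round-robin chain of idle holders that each request, enter and leave before passing the token, so the counter never exceeds 2N − 2 rounds; the check reports that bound as the maximum counter seen and confirms the invariant for the generous bound 2N, while a bound of 1 is refuted by a concrete reachable state. The point is the shape of the argument, not the protocol: the monitor turns “eventually” into “within k rounds”, and an invariant checker can then decide it.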