ON TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS

The method of invisible invariants was developed originally in order to verify safety properties of parameterized systems in a fully automatic manner. The method is based on (1) a project&generalize heuristic to generate auxiliary constructs for parameterized systems and (2) a small-model theorem, implying that it is sufficient to check the validity of logical assertions of a certain syntactic form on small instantiations of a parameterized system. The approach can be generalized to any deductive proof rule that (1) requires auxiliary constructs that can be generated by project&generalize, and (2) the premises resulting when using the constructs are of the form covered by the small-model theorem. The method of invisible ranking, presented here, generalizes the approach to liveness properties of parameterized systems. Starting with a proof rule and cases where the method can be applied almost “as is,” the paper progresses to develop deductive proof rules for liveness and extend the small-model theorem to cover many intricate families of parameterized systems.


Introduction
Uniform verification of parameterized systems is one of the most challenging problems in verification. Given a parameterized system S(N ) : P [1] · · · P [N ] and a property p, uniform verification attempts to verify that S(N ) satisfies p for every N > 1. One of the most powerful approaches to verification that is not restricted to finite-state systems is deductive verification. This approach is based on a set of proof rules in which the user This research was supported in part by NSF grant CCR-0205571, ONR grant N000140310916, the John von Neumann Minerva Center for Verification of Reactive Systems, the European Community IST project "Advance",and the Israel Science Foundation grant 106/02-1.
has to establish the validity of a list of premises in order to validate a given temporal property of the system. The two tasks that the user has to perform are: 1. Provide some auxiliary constructs that appear in the premises of the rule; 2. Use the auxiliary constructs to establish the logical validity of the premises.
When performing manual deductive verification, the first task is usually the more difficult, requiring ingenuity, expertise, and a good understanding of the behavior of the program and the techniques for formalizing these insights. The second task is often performed using theorem provers such as pvs [OSR93] or step [BBC + 95], which require user guidance and interaction, and place additional burden on the user. The difficulties in the execution of these two tasks are the main reason why deductive verification is not used more widely. A representative case is the verification of invariance properties using the proof rule inv of [MP95]: in order to prove that assertion r is an invariant of program P , the rule requires coming up with an auxiliary assertion ϕ that is inductive (i.e. is implied by the initial condition and is preserved under every computation step) and that strengthens (implies) r.
In [PRZ01,APR + 01], we introduced the method of invisible invariants, that offers a method for automatic generation of the auxiliary assertion ϕ for parameterized systems, as well as an efficient algorithm for checking the validity of the premises of inv.
The generation of invisible auxiliary constructs is based on the following idea: it is often the case that an auxiliary assertion ϕ for a parameterized system S(N ) has the form ∀i : [1..N ].q(i) or, more generally, ∀i = j.q(i, j). We construct an instance of the parameterized system taking a fixed value N 0 for the parameter N . For the finite-state instantiation S(N 0 ), we compute, using bdds, some assertion ψ that we wish to generalize to an assertion in the required form. Let r 1 be the projection of ψ on process P [1], obtained by discarding references to variables that are local to all processes other than P [1]. We take q(i) to be the generalization of r 1 obtained by replacing each reference to a local variable P [1].x by a reference to P [i].x. The obtained q(i) is our candidate for the body of the inductive assertion ϕ : ∀i.q(i). We refer to this generalization procedure as project&generalize. For example, when computing invisible invariants, ψ is the set of reachable states of S(N 0 ). The procedure can be easily generalized to generate assertions of the type ∀i 1 , . . . , i k .p(i).
Having obtained a candidate for the assertion ϕ, we still have to check the validity of the premises of the proof rule we wish to employ. Under the assumption that our assertional language is restricted to the predicates of equality and inequality between bounded-range integer variables (which is adequate for many of the parameterized systems we considered), we proved a small-model theorem, according to which, for a certain type of assertions, there exists a (small) bound N 0 such that such an assertion is valid for every N iff it is valid for all N ≤ N 0 . This enables using bdd-techniques to check the validity of such an assertion. The cases covered by the theorem are those whose premises can be written in the form ∀i∃j.ψ(i, j), where ψ(i, j) is a quantifier-free assertion that may refer only to the global variables and the local variables of P [i] and P [j] (∀∃-assertions for short).
Being able to validate the premises on S[N 0 ] has the additional important advantage that the user never sees the automatically generated auxiliary assertion ϕ. This assertion is produced as part of the procedure and is immediately consumed in order to validate the premises of the rule. Being generated by symbolic bdd-techniques, the representation of the auxiliary assertions is often extremely unreadable and non-intuitive, and it usually does not contribute to a better understanding of the program or its proof. Because the user never gets to see it, we refer to this method as the "method of invisible invariants." As shown in [PRZ01,APR + 01], embedding a ∀i.q(i) candidate inductive invariant in inv results in premises that fall under the small-model theorem. In this paper, we extend the method of invisible invariants to apply to proofs of the second most important class of propertiesthe class of response properties. Response properties are liveness properties that can be specified by the temporal formula (q → ¡ r) (also written as q = ¡ r) and guarantee that every q-state is eventually followed by an r-state. To handle response properties, we consider a certain variant of rule well [MP91], which establishes the validity of response properties under the assumption of justice (weak fairness). As is well known to users of this and similar rules, such a proof requires the generation of two kinds of auxiliary constructs: helpful assertions h i that characterize, for transition τ i , the states from which the transition is helpful in promoting progress towards the goal (r), and ranking functions, which measure progress towards the goal.
In order to apply project&generalize to the automatic generation of the ranking functions, we propose a variant of rule well. In this variant rule, called DistRank, we associate, with each potentially helpful transition τ i , an individual ranking function δ i : Σ → [0..c], mapping states to integers in a small range [0..c] for some fixed small constant c. The global ranking function can be obtained by forming the multi-set {δ i }. In most of the examples we consider, it suffices to take c = 1, which allows us to view each δ i as an assertion, and generate it automatically using project&generalize.
If, when applying rule DistRank, the auxiliary constructs h i and δ i have no quantifiers, all the resulting premises are ∀∃-premises and the small-model theorem can be used. One of the constructs required to be quantifier free are the helpful assertions that characterize the set of states from which a given transition is helpful. Many simple protocols have helpful assertions that are quantifier-free (or, with the addition of some auxiliary variables, can be transformed into protocols that have quantifier-free helpful assertions). Some protocols, however, cannot be proven with such restricted assertions.
To deal with such protocols, we extend the method of invisible ranking in two directions: • Allowing expressions such as i ± 1 to appear both in the transition relation as well as the auxiliary constructs; This is especially useful for ring algorithms, where many of the assertions have a p(i, i + 1) or p(i, i − 1) component. • Allowing helpful assertions (and ranking functions) belonging to transitions of process i to be of the form is a quantifier-free assertion; Such helpful assertions are common in "unstructured" systems where whether a transition of one process is helpful depends on the states of all its neighbors. Substituted in the standard proof rules for progress properties, these assertions lead to premises that do not conform to the required ∀∃ form, and therefore cannot be validated using the small model theorem.
To handle the first extension we prove, in Subsection 6.1, a modest model theorem. The modest model theorem establishes that ∀∃-premises containing i ± 1 subexpressions can be validated on relatively small models. The size of the models, however, is larger when compared to the small model theorem of [PRZ01].
To handle the second extension, we introduce a novel proof rule, PreRank: The main difficulty with helpful assertions of the form h(i) = ∀j.H(i, j) is in the premise that claims that every "pending" state has some helpful transition enabled on it (D3 of rule DistRank in Section 2). Identifying such a helpful transition is the hardest step when applying the rule. The new rule, PreRank (introduced in Section 7), implements a new mechanism for selecting a helpful transition based on the establishment of a pre-order among transitions in each state. The "helpful" transitions are identified as the transitions that are minimal according to this pre-order.
We emphasize that the two extensions are part of the same method, so that we can handle systems that both use ±1 and require universal helpful assertions. For simplicity of exposition, we separate the extensions here.
Overview of Paper. In Section 2 we present the general computational model of fts and the restrictions that enable the application of the invisible auxiliary constructs methods. We also review the small model theorem, which enables automatic validation of the premises of the various proof rules. In addition, we outline a procedure that replaces compassion requirements by justice requirements, which justifies our focus on proof rules that assume justice only. Section 3 introduces the new DistRank proof rule and explains how we automatically generate ranking and helpful assertions for the parameterized case. We refer to the new method as the method of invisible ranking. We use a version of the token ring protocol for an ongoing example in this section. Section 4 shows how to enhance the project&generalize method to enable the generation of invariants in the form of boolean combinations of universal assertions. This is demonstrated on a (different) version of the token ring protocol. In Section 5 we study a version of the Bakery algorithm, that seems beyond the scope of the invisible ranking method, and show how enhancing a protocol with some auxiliary variables can make it a suitable candidate for the method.
The method studied in Sections 3-5 is adequate for cases where the set of reachable states can be satisfactorily over-approximated by boolean combinations of ∀assertions, and the helpful assertions as well as individual ranking functions δ i can be represented by quantifierfree assertions. Not all examples can be handled by assertions which depend on a single parameter. In Section 6 we describe the modest model theorem, which allows handling of i ± 1 expressions within assertions, and demonstrate these techniques on the Dining Philosopher problem. In Section 7 we present the PreRank proof rule that uses pre-order among transitions, discuss how to automatically obtain the pre-order, and demonstrate the technique on the Bakery algorithm. Finally, we discuss the advantages of combining several pre-order relations, and demonstrate it on Szymanski's protocol for mutual exclusion [Szy88].
All our examples have been run on tlv [Sha00]. The interested reader may find the code, proof files, and output of all our examples in: cs.nyu.edu/acsys/Tlv/assertions.

Related
Work. This is the full version of [FPPZ04b,FPPZ04a]. See [ZP04] for a survey on the method of invisible constructs and an earlier version of invisible ranking. The problem of uniform verification of parameterized systems is undecidable [AK86]. One approach to remedy this situation, pursued, e.g., in [EK00], is to look for restricted families of parameterized systems for which the problem becomes decidable. Unfortunately, the proposed restrictions are very severe and exclude many useful systems such as asynchronous systems where processes communicate by shared variables.
Another approach is to look for sound but incomplete methods. Representative works of this approach include methods based on: explicit induction [EN95], network invariants that can be viewed as implicit induction [LHR97], abstraction and approximation of network invariants [CGJ95], and other methods based on abstraction [GZ98]. Other methods include those relying on "regular model-checking" (e.g., [JN00]) that overcome some of the complexity issues by employing acceleration procedures, methods based on symmetry reduction (e.g., [GS97]), or compositional methods (e.g., ([McM98]), combining automatic abstraction with finiteinstantiation due to symmetry. Some of these approaches (such as the "regular model checking" approach) are restricted to particular architectures and may, occasionally, fail to terminate. Others, require the user to provide auxiliary constructs and thus do not provide for fully automatic verification of parameterized systems.
Most of the mentioned methods only deal with safety properties. Among the methods dealing with liveness properties, we mention [CS02], which handles termination of sequential programs, network invariants [LHR97], and counter abstraction [PXZ02].

Preliminaries
In this section we present our computational model, the small model theorem, and the procedure that allows to remove compassion (strong fairness). We assume that the reader is familiar with LTL, CTL, first-order logic, and fixpoint operators.

Fair Transition Systems
As our computational model, we take a fair transition system (fts) [MP95] S = V, Θ, T , J , C , with: • V = {u 1 , . . . , u n } -A finite set of typed system variables. A state s of the system provides a typeconsistent interpretation of the system variables V , assigning to each variable v ∈ V a value s[v] in its domain. Let Σ denote the set of all states over V . An assertion over V is a first-order formula over V . A state s satisfies an assertion ϕ, denoted s |= ϕ, if ϕ evaluates to t by assigning s[v] to every variable v appearing in ϕ. We say that s is a ϕ-state if s |= ϕ.
• Θ -The initial condition: An assertion characterizing the initial states. A state is called initial if it is a Θ-state. • T -A finite set of transitions. Every transition τ ∈ T is an assertion τ (V, V ) relating the values V of the variables in state s ∈ Σ to the values V in an S-successor state s ∈ Σ. Given a state s ∈ Σ, we say that s ∈ Σ is a τ -successor of s if s, s |= and v as s [v]. We say that transition τ is enabled in state s if it has some τ -successor, otherwise, we say that τ is disabled in s. Let En(τ ) denote the assertion ∃V .τ (V, V ) characterizing the set of states in which τ is enabled, and let ρ denote the disjunction of all transitions, i.e. ρ = τ ∈T τ . The assertion ρ represents the total transition relation of S. • J ⊆ T -A set of just transitions (also called weakly fair transitions). Informally, τ ∈ J rules out computations where τ is continuously enabled, but taken only finitely many times. • C ⊆ T -A set of compassionate transitions (also called strongly fair transitions). Informally, τ ∈ C rules out computations where τ is enabled infinitely many times, but taken only finitely many times.
For technical reasons, and with no loss of generality, we assume that T always contains the idling transition τ 0 : V = V , which preserves the values of all system variables. Taking such a transition is often described as a stuttering step. We also require that the idling transition is taken to be a just transition. Let σ : s 0 , s 1 , s 2 , . . ., be an infinite sequence of states. We say that transition τ ∈ T is enabled at position k of σ if τ is enabled on s k . We say that τ is taken at position k if s k+1 is a τ -successor of s k . Note that several different transitions can be considered as taken at the same position.
We say that σ is a computation of an fts S if it satisfies the following requirements: • Initialitys 0 is initial, i.e., s 0 |= Θ.
• Consecution -For each = 0, 1, ..., state s +1 is a ρ-successor of s . • Justice -for every τ ∈ J , it is not the case that τ is continuously enabled beyond some point j in σ (i.e., τ is enabled at every position k ≥ j) but not taken beyond j. • Compassion -for every τ ∈ C, it is not the case that τ is enabled at infinitely many positions in σ but taken at only finitely many positions.
Note that the idling transition being just implies that every computation contains infinitely many stuttering steps.

Bounded Fair Transition Systems
To allow the application of the invisible constructs methods, we further restrict the systems we study, leading Let N ∈ N + be the system's parameter . We allow the following data types: 1. bool: the set of Boolean and finite-range scalars; 2. index: a scalar data type that includes integers in the range [1..N ]; 3. data: a scalar data type that includes integers in the range [0..N ]; and 4. Any number of arrays of the type index → bool.
We refer to these arrays as Boolean arrays. 5. At most one array of the type b : index → data. We refer to this array as the data array.
Atomic formulas may compare two variables of the same type. E.g., if y and y are index variables, and z is an index → data array, then y = y and z[y] < z[y ] are both atomic formulas. For z : index → data and y : index, we also allow the special atomic formula z[y] > 0. We refer to quantifier-free formulas obtained by boolean combinations of such atomic formulas as restricted assertions.
As the initial condition Θ, we allow assertions of the form ∀i.u(i), where u(i) is a restricted assertion.
As the transitions τ ∈ T , we allow assertions of the form τ (i) : ∀j : ψ(i, j) for a restricted assertion ψ(i, j). This results in total transition ρ : ∃i : ∀j : ψ(i, j). For simplicity, we assume that all quantified and free variables are of type index.
Example 2.1 (The Token Ring Algorithm). Consider program token-ring in Fig. 2.1, which is a mutual exclusion algorithm for any N processes.
In this version of the algorithm, the global variable tloc represents the index of the process currently holding the token. Location 0 constitutes the non-critical section which may non-deterministically exit to the trying section at location 1. While being in the non-critical section, a process guarantees to move the token to its right neighbor, whenever it receives it. This is done by incrementing tloc by 1, modulo N . At the trying section, a  process P [i] waits until it receives the token, which is signaled by the condition tloc = i. Fig. 2.2 describes the bfts corresponding to program token-ring, where for a variable v ∈ V , pres(v) denotes v = v and for a set U ⊆ V , pres(U ) denotes v∈U pres(v). When there is no danger of confusion, we use pres(a 1 , . . . , a k ) instead of pres({a 1 , . . . , a k }). Note that tloc is an index-variable, while the program counter π is an index → bool array. Actually, π is of type index → [0..2], but it can be encoded by two boolean arrays, hence we are justified in referring to it here and in future examples as a index → bool array.
Note that transition τ 2 0 (i) is not listed as a just transition. This allows a process to remain forever in its non-critical location (0), as long as it diligently transfers any incoming token to its right neighbor. Also note that this system has an empty set of compassion transitions, which we omitted from the presentation in Fig. 2

.2.
Example 2.2 (The Bakery Algorithm). Consider program bakery in Fig. 2.3, which is a variant of Lamport's original Bakery Algorithm that offers a solution to the mutual exclusion problem for any N processes. In this version of the algorithm, location 0 constitutes the non-critical section which a process may nondeterministically exit to the trying section at location 1. Location 1 is the ticket assignment location. Location 2 is the waiting phase, where a process waits until it holds the minimal ticket. Location 3 is the critical section, and location 4 is the exit section. Note that y, the ticket array, is of type index → data, and the program location array (which we denote by π) is of type index → bool.
Note also that the ticket assignment statement at 1 is non-deterministic and may modify the values of all tickets. Let α be an assertion over V , and R be an assertion over V ∪ V , which can be viewed as a transition relation. We denote by α • R the assertion characterizing all states which are R-successors of α-states. We denote by α • R * the states reachable by an R-path of length zero or more from an α-state. In a symmetric way, we denote by R • α the assertion characterizing all the states which are Rpredecessors of α-states.

The Small-Model Theorem
Let ϕ : ∀i∃j.R(i, j) be an ∀∃-formula, where R(i, j) is a restricted assertion which refers to the state variables of a parameterized bfts S(N ) in addition to the quantified (index) variables i and j. We show that if there exists some model that does not satisfy this assertion, then there exists a model smaller than a certain bound that does not satisfy it. It follows that in order to check the validity of this formula it is enough to check all models up to the given bound. The proof follows by contracting a model that does not satisfy ϕ to a smaller model that does not satisfy ϕ. In order to decrease the size of the model we consider the existentially quantified variables in the negation of ϕ. These variables refer to some processes in the model that does not satisfy ϕ. We keep the processes refered to by these variables and throw away the rest. For simplicity, we assume that the only data variable/constant that may appear in R is the data constant 0. Let N 0 be the number of universally quantified variables, free index variables, and index constants appearing in R. The following theorem, stated first in [PRZ01] and extended in [APR + 01], provides the basis for the automatic validation of the premises in the proof rules.
Theorem 2.1 (Small model property). Let ϕ be an ∀∃-formula as above. Then ϕ is valid over For completeness of presentation we include the proof.
Proof. We denote by ψ the formula ∃i∀j.¬R(i, j), which is the negation of ϕ. Assume ψ is satisfiable in state s of a system S(N 1 ) for N 1 > N 0 . We show that it is satisfiable in a state s of a system S(N ) for some N ≤ N 0 .
Let V ∃ be the set of index variables that appear existentially quantified in ψ. Let F be the set of index constants (including 1) and variables which appear free in ψ. Note that state s provides an interpretation for all the variables in F and all the arrays which appear in s. Similarly, let V ∀ be the set of index variables that appear universally quantified in ψ, i.e., the j variables.
The fact that ψ : ∃i∀j.¬R(i, j) is satisfiable in s means that there exists an assignment α which interprets all variables of V ∃ by values in the domain [1..N 1 ] such that (s, α) |= χ, where χ : ∀j.¬R(i, j), and (s, α) is the joint interpretation which interprets all system variables according to state s and all V ∃ -variables according to the assignment α.
Let U = {u 1 < u 2 < · · · < u k } be a sorted list of values assigned to the V ∃ ∪ F -variables by α and s.
We construct a state s of system S(k) and an assignment α : V ∃ → [1..k], such that (s , a ) |= χ. The state s is an interpretation defined as follows: we define the interpretation α as follows: For each vari- We proceed to show that (s , α ) |= χ. To do so, consider an arbitrary assignment β assigning to each variable v ∈ j a value β [v] ∈ [1..k]. We will show that (s , α , β ) |= ¬R(i, j). As we show this for an arbitrary assignment β , it follows that (s , α ) |= ∀j.¬R(i, j). That is, (s , α ) |= χ.
Consider the assignment β interpreting each v ∈ j as u i iff β [v] = i. It follows that β interprets each variable v ∈ j by a value in [1..N 1 ]. Since (s, α) |= χ, it follows that (s, α, β) |= ¬R(i, j). By induction on the structure of the formula ¬R(i, j), we can show that every sub-formula γ ∈ ¬R(i, j) evaluates to t under the joint interpretation (s, α, β) iff γ evaluates to t under the interpretation (s , α , β ).
We conclude that (s , α ) |= χ, which leads to the result that ψ is satisfied in the state s of system S(k).
The small model theorem allows to check validity of ∀∃-assertions on small models. In [PRZ01,APR + 01] we obtain, using project&generalize, candidate inductive assertions for the set of reachable states that are ∀-formulae, checking their inductiveness required checking validity of ∀∃-formulae, which can be accomplished, using bdd techniques.

Removing Compassion
The proof rule we are employing to prove progress properties assumes an incompassionate system (system with no compassionate transitions). As outlined in [KPP03] 1 every fts S can be converted into an incompassionate This transformation adds to the system variables, for each compassionate transition τ , a new boolean variable nvr τ . The intended role of nvr τ is, non-deterministically, to identify a point in the computation beyond which τ is never enabled. The new transition relation includes two types of transitions: For each original non-compassionate transition τ , a transition f 1 (τ ) that behaves like τ while preserving the values of all nvr τ variables. For each original compassionate transition τ ∈ C, T  contains a transition f 2 (τ ) that either takes τ and preserves all nvr τ variables, or changes nvr τ from f to t and preserves all other variables. Intuitively, as long as nvr τ = f, f 2 (τ ) is enabled and, to comply with the justice requirement associated with f 2 (τ ), either τ is taken infinitely often, or nvr τ eventually set to t. Once nvr τ is set to t, τ is not expected to be enabled (and therefore taken) ever again.
Let Err denote the assertion τ ∈C (En(τ ) ∧ nvr τ ), describing states where both τ is enabled and nvr τ holds, which indicates that the prediction that τ will never be enabled is premature. For a computation σ  of S  , denote by σ  ⇓ V the sequence obtained from σ  by projecting away the nvr variables. The relation between S and its compassion-free version S  is stated by the following claim.
Claim. Let σ be an infinite sequence of S-states. Then σ is an S-computation iff there exists an Err -free com- Proof. In one direction, let σ = s 0 , s 1 , . . . be a computation of S. We will show how to define the values of nvr τ at each position of the computation, such the resulting sequence of S  -states σ = s 0 , s 1 , . . . is an Err -free computation of S  .
The intention is to guarantee that transition τ ∈ C is continuously disabled beyond some position j of σ iff nvr τ is set to t at some position beyond j. For simplicity, assume that the compassionate transitions are T = {τ 1 , . . . , τ k }, and that we may refer to nvr τi simply as nvr i .
The initial values are determined as follows: for each i = 1, . . . , k, the initial value of nvr i is taken to be t iff τ i is disabled at all positions of σ.
Next, we consider a step from position j to position That is, if at least one system variable of system S is modified in step j, then all the Nvr variables preserve their values.
On the other hand, if step j is a stuttering step, i.e. If there does not exist a τ i such as described above, we let again s j+1 [Nvr ] = s j [Nvr ].
Since, as previously observed, all computations contain infinitely many stuttering steps, the above definition guarantees that nvr i eventually turns t iff τ i eventually becomes continuously disabled. Furthermore, we never have a state in which τ i is enabled while nvr i = t.
In the other direction, consider an Err -free computation σ  of S  . We claim that σ = σ  ⇓ V is a computation of S. Suppose, by contradiction, that some τ ∈ C is enabled infinitely often but taken only finitely often in σ. Then it must be the case that f 2 (τ ) is enabled infinitely often in σ  . As τ is taken finitely often in σ it must be the case that nvr τ is set in σ  as not to violate J  . Since τ is enabled infinitely often, it is enabled after nvr τ is increased and σ  is not Err -free.
We can therefore conclude that for every q and r, Which allows us to assume that all bftss we consider here have an empty compassion set.  In this section we present a new proof rule that allows, in some cases, to obtain an automatic verification of liveness properties for a bfts of any size. We first describe the new proof rule, and then present methods for the automatic generation of the auxiliary constructs required by the rule using token-ring as an ongoing example.

A Distributed Ranking Proof Rule
In Fig. 3.1 we present proof rule DistRank (short for Distributed Ranking) for verifying response properties for bftss whose only fair transitions are just. The rule is configured to deal directly with parameterized systems. As in other rules for verifying response properties ([MP91], e.g.), progress is accomplished by the actions of helpful transitions in the system. In a parameterized system, the set of transitions has the struc- Assertion ϕ is an invariant assertion characterizing all the reachable states. Assertion pend characterizes the states which can be reached from a reachable q-state by an r-free path. For each transition τ , assertion h τ characterizes the states at which τ is helpful . These are the states s that have a τ -successor s , and the transition from s to s leads to a progress towards the goal. This progress is observed by immediately reaching the goal or a decrease in the ranking function δ τ , as stated in premises D5 and D6. The ranking functions δ τ measure progress towards the goal. The disabling of τ is often caused by τ being taken (D6), but may also be caused by some condition turning false (D5). We require decrease in ranking in both cases.
Premise D1 guarantees that any reachable q-state satisfies r or pend . Premise D2 guarantees that any successor of a pend -state also satisfies r or pend . Premise D3 guarantees that any pend -state has at least one transition which is helpful in this state. Premise D4 guarantees that ranking never increases on transitions between two pend -states. Note that, due to D2, every ρ-successor of a pend -state that has not reached the goal is also a pendstate. Premise D5 guarantees that taking a step from an h τ -state leads into a state which either already satisfies the goal r, or causes the rank δ τ to decrease, or is again an h τ -state. Premise D6 guarantees that taking a τ -transition from an h τ -state either reaches the goal r or decreases the rank δ τ . Premise D7 guarantees that in all h τ -states τ is enabled. Together, premises D5, D6, and D7 imply that the computation cannot stay in h τ forever, otherwise justice w.r.t τ is violated. Therefore, the computation must eventually decrease δ τ . Since there are only finitely many δ τ and until the goal is reached they monotonically decrease, we can conclude that eventually an r-state is reached.

Automatic Generation of the Auxiliary Constructs
We now proceed to show how the auxiliary constructs necessary for the application of rule DistRank can be automatically generated. Recall that we have to construct a symbolic version of each construct so that the rule can be applied to a generic N . We consider each auxiliary construct, provide a method for its generation, and illustrate it on the case of program token-ring.
In token-ring, the progress property we wish to check is: For simplicity, as all processes are symmetric we choose z = 1, thus, we check This property claims that every state in which process P [1] is at location 1 is eventually followed by a state in which process P [1] is at location 2. The construction uses the instantiation S(N 0 ) for the cutoff value N 0 required in Theorem 2.1. For tokenring, as explained in Subsection 3.3, N 0 = 6. We denote by Θ C and ρ C the initial condition and transition relation for S(N 0 ). The construction begins by computing the concrete auxiliary constructs for S(N 0 ), denoted by ϕ C , pend C . We then compute the concrete h C k [j]'s and δ C k [j]'s. Next, we apply project&generalize to derive the symbolic (abstract) versions of these constructs: ϕ A , pend A , h A k [j]'s, and δ A k [j]'s. Since we focus on process 1, we would expect the constructs to have the symbolic forms ϕ : ∀i.ϕ A (i) and All concrete assertions are computed on S(N 0 ). We set ϕ C to be reach C = Θ C • ρ * C , the assertion characterizing all states reachable within S(N 0 ). Compute ϕ A (i) = reach C [3 → i], by projecting reach C on index 3 , and then generalizing 3 to i. That is, maintaining only variables pertaining to process 3 and then replacing every reference to index 3 by a reference to index i. For example, in token-ring(6), The generalization of 3 to i yields Note that when we generalize, we should generalize not only the values of the variables local to P [3] but also the case that the global variable, such as tloc, has the value 3. The choice of 3 as the generic value is arbitrary. Any other value would do as well, but we prefer indices different from 1, N .
In this part we computed ϕ A (i) as the generalization of 3 into i in ϕ C , which is denoted by In later parts we may need to generalize two indices, such as α A = α C [2 → i, 4 → j], where α C and α A are a concrete and abstract versions of some assertion α. The way we compute such abstractions over the state variables tloc and π of system token-ring is given by Note that this computation is very similar to the symbolic computation of the predecessor of an assertion, where map(2, i, 4, j) serves as a transition relation. Indeed, we use the same module used by a symbolic model checker for carrying out this computation.

Computing Concrete and Abstract pend :
Compute the assertion pend C = (ϕ C ∧ q ∧ ¬r) •(ρ C ∧ ¬r ) * characterizing all the states that can be reached from a reachable (q ∧ ¬r)-state by an r-free path. Then we take Thus, for token-ring(6), We therefore take

Computing Concrete and Abstract h k [i]'s:
We compute the concrete helpful assertions h C k [i]. This is based on the following analysis: Assume that set is an assertion characterizing a set of states, and let τ be some just transition. We wish to identify the subset of states φ within set for which the transition τ is an escape transition. That is, any application of this transition to a φ-state takes us out of set. Consider the fix-point equation: The equation states that every φ-state must satisfy set ∧ En(τ ), every ρ-successor of a φ-state is either a φ-state or lies outside of set, and every τ -successor of a φ-state lies outside of set. Note that the expressions AXψ and AX τ ψ can be computed by ¬(ρ •(¬ψ)) and ¬(τ •(¬ψ)), respectively.
Following is an algorithm that computes the concrete helpful assertions {h C k [i]} corresponding to the just transitions {τ k [i]} of system S(N 0 ). For simplicity, we will use τ ∈ T (N 0 ) as a single parameter. Let The "for all τ ∈ T (N 0 )" iteration terminates when it is no longer possible to find a τ ∈ T (N 0 ) that satisfies the non-emptiness requirement. The iteration may choose the same τ more than once. When the iteration terminates, set is 0, i.e., for each of the states covered under pend C there exists a helpful justice requirement that causes it to progress.
The abstract ranking function obtained by applying this procedure to token-ring(6)are described in Appendix A.2.

Validating the Premises
Having computed internally the necessary auxiliary constructs, and checking the invariance of ϕ, it only remains to check that the six premises of rule DistRank are all valid for any value of N . Here we use the small model theorem stated in Theorem 2.1 which allows us to check their validity for all values of N ≤ N 0 for the cutoff value of N 0 which is specified in the theorem. First, we have to ascertain that all premises have the required ∀∃ form. For auxiliary constructs of the form we have stipulated in this Section, this is straightforward. Next, we consider the value of N 0 required in each of the premises, and take the maximum. Note that once ϕ is known to be inductive, we can freely add it to the left-hand-side of each premise, which we do for the case of Premises D5, D6, and D7 that, unlike others, do not include any inductive component.
Usually, the most complicated premise is D2 and this is the one which determines the value of N 0 . For pro-gram token-ring, this premise has the form (where we renamed the quantified variables to remove any naming conflicts):     (∀a.pend (a)) ∧ (∃i, i 1 ∀j, j 1 .ψ(i, i 1 , j, j 1 ))     → r ∨ (∀c.pend (c)), which is logically equivalent to The index variables which are universally quantified or appear free in the formula above, are {i, i 1 , c, tloc, 1, N } whose count is 6. It is therefore sufficient to take N 0 = 6. Having determined the size of N 0 , it is straightforward to compute the premises of S(N ) for all N ≤ N 0 and check that they are valid, using bdd symbolic methods. We cannot use the same form of auxiliary constructs to automatically verify algorithm bakery(N), for every N . Indeed, it is straightforward to see that in order to conclude that τ 2 [2] is helpful, one has to consider helpful assertions of the form ∀j.ψ(i, j). In Section 7 we show how to obtain helpful assertions that relate to all processes and how to change the proof rule for such a case. We can still use the simple proof rule in order to automatically verify algorithm bakery(N). However, this requires the introduction of an auxiliary variable minid into the system, which is the index of the process which holds the ticket with minimal value. This is explained in detail in Section 5.
We emphasize that the generation of all assertions is completely invisible; so is the checking of the premises on the instantiated model. While the user may see the assertions, there is no need for the user to comprehend them. In fact, being generated using bdd techniques, they are often incomprehensible.

Cases Requiring an Existential Invariant
In some cases, ∀-assertions, i.e., assertions of the form ∀i.u(i), are insufficient for capturing all the relevant features of the constructs ϕ A and pend A , and we need to consider assertions of the form ∀i.u(i) ∧ ∃j.e(j). In this section we describe how to obtain constructs that are boolean combinations of ∀-assertions, illustrating the procedure and its applications on program channelring, presented in Fig. 4.1.
In this program the location of the token is identified by the index i such that chan[i] = 1. Computing the universal invariant according to the previous methods we obtain ϕ A : ∀i.(at − 0,1 ∨ chan[i]), which is inductive but insufficient in order to establish the existence of a helpful transition for every pending state.

Generalizing project&generalize
We provide a sketch of the extension that enables computation of a (∀ ∧ ∃) construct by obtaining a ∀i.u(i) ∧ ∃j.e(j) invisible invariant. As before, we pick a value N 0 , instantiate S(N 0 ) and use the project&generalize procedure to derive an inductive ∀-assertion ϕ : ∀i.u(i). As a byproduct of project&generalize, we compute reach C -the set of states reachable in S(N 0 ). Being inductive and implied by the initial condition, the assertion ϕ is an over-approximation of reach C . In order to isolate the (anticipated) assertion e(j), we first compute the difference between the concrete reachable set and ϕ, denoted here by α 1 . Obviously, we proceed only if α 1 is nonempty. Then, we project&generalize α 1 by replacing index 1 by k (α 2 below). Finally, we negate the result to get the proposed existential invariant (α 3 below). Algorithm We use ∃k.α 3 (k) as the candidate for an existential invariant. In the table below, we list the results of these computations for the case that reach C equals precisely the conjunction N0 i=1 w(i) ∧ N0 j=1 e(j) and the application of project&generalize to reach C yields precisely

Results when reach
Note that, while we did not succeeded in precisely isolating e(k), we computed instead the implication w(k) → e(k). However, the conjunction ∀i.w(i) ∧ ∃k.(w(k) → e(k)) is logically equivalent to the conjunction ∀i.w(i) ∧ ∃k.e(k).
This technique of obtaining an existential conjunct to an auxiliary assertion can be used for other auxiliary constructs.

Verifying Progress of channel-ring
Applying the extended project&generalize to channelring we obtain, for the set of reachable states, the auxiliary construct: Using this extended form of an invariant for both ϕ A and pend A , we can complete the proof of program channelring using the methods of Section 3.
Applying the method of invisible ranking, with the new addition, to program channel-ring and the response property at which is obviously valid and has the ∀∃ form.

The Bakery Algorithm
As another example of the application of the invisibleranking method we consider the modified version of program bakery, presented in Fig. 5.1.
As previously explained, in order to be able to use the rule in its current form we introduce the variable minid. The variable minid is expected to hold the index of a process whose y value is minimal among all the positive y-values. The maintain construct implies that this variable is updated, if necessary, whenever some y variables change their values. Already in [PRZ01] we pointed out that in some cases, it is necessary to add auxiliary variables in order to find inductive assertions with fewer indices. This version of bakery illustrates the case that such auxiliary variables may also be needed in the case of the invisible ranking method.
The property we wish to verify for this parameterized system is at − 1 [z] =⇒ ¡ at − 3 [z] which implies accessibility for an arbitrary process P [z].
Having the auxiliary variable minid as part of the system variables, we can proceed with the computation of the auxiliary constructs as explained in Section 3: After some simplifications, we can present the automatically derived constructs as detailed in Appendix A.1. Using these derived auxiliary constructs, we can verify the validity of the premises of rule DistRank over S(5) and conclude that for every value of N the property of accessibility holds.

Protocols with p(i, i + 1) Assertions
In algorithms for ring architectures, the auxiliary assertions for a process often depend, in addition to the process itself, on its immediate neighbors. Assume a ring of of size N . For every j = 1, .., N , denote j ⊕ 1 = (j mod N ) + 1 and j 1 = ((j − 2) mod N ) + 1. Assertions of the type p(i, i ⊕ 1) and p(i, i 1) can be replaced by equivalent ±-less ∀∃-assertions 2 . Unfortunately, this often results in formulae not covered by our small model theorem. We bypass the problem by establishing a new small model theorem that allows proving validity of ∀∃p(i, i ± 1) assertions. The size of the model in the new theorem is larger than the one indicated by the small model theorem, which is why we refer to it as "modest." We state the modest model theorem and prove it in Subsection 6.1, describe how to fine-tune the bounds in Subsection 6.2, and demonstrate its application in Subsection 6.3.

Modest Model Theorem
Consider a parameterized bfts S(N ) with no data variables or arrays 3 . Let the formula ϕ: ∀i∃j.R(i, j) be an ∀∃-formula, where R(i, j) is a restricted assertion (augmented by operators ⊕1 and 1) which refers to quantified index variables i and j. We show that if there exists some model that does not satisfy this assertion, then there exists a model smaller than a certain bound that does not satisfy it. The proof follows by contracting a model that does not satisfy ϕ to a smaller model that does not satisfy ϕ. In order to decrease the size of the model, again, we count the number of existentially quantified variables in the negation of ϕ. This time, as R may contain ⊕1 and 1, we ensure that in the smaller model each of these variables refers to a different process and, in addition, also pay attention to the way we handle the chain of processes between every two 'existentially quantified processes'.
Let K be the number of universally quantified index variables, index constants (including 1 and N ), and free index variables appearing in R. Assume there are index → bool arrays in S and let L = 2 , i.e., L is the number of different values that can be assigned to all variables indexed by a single process. Define N 0 = (K − 1)(L 2 +1)+K.
Theorem 6.1 (Modest Model Theorem). Let ϕ be an ∀∃-formula as above. Then ϕ is valid over S(N ) for every N ≥ 2 iff ϕ is valid over S(N ) for every N ≤ N 0 .
Proof. We denote by ψ the formula ∃i∀j.¬R(i, j), which is the negation of ϕ. Assume ψ is satisfiable in state s of system S(N 1 ) for N 1 > N 0 . We show that ψ is also satisfiable in a state s of a system S(N ) for some N ≤ N 0 .
Let V ∃ be the set of index variables that appear existentially quantified in ψ. Let F be the set of index constants (including 1 and N ) and variables which appear free in ψ. Note that state s provides an interpretation for all the variables in F . Observe that |V ∃ ∪ F | = K. Similarly, let V ∀ be the set of index variables that appear universally quantified in ψ, i.e., the j variables.
The fact that ψ : ∃i∀j.¬R(i, j) is satisfiable in s means that there exists an assignment α which interprets all variables of V ∃ by values in the domain [1..N 1 ] such that (s, α) |= χ, where χ : ∀j.¬R(i, j), and (s, α) is the joint interpretation which interprets all system variables according to state s and all V ∃ -variables according to the assignment α.
Let U = {1 = u 1 < u 2 < · · · < u k = N 1 } be a sorted list of values assigned to the F ∪V ∃ -variables by the joint interpretation (s, α).
Since N 1 > N 0 there exist some i < k such that u i+1 −u i > L 2 +1. We construct a state s , in an instantiation S(N ), N < N 1 , such that s |= ψ. The process is repeated until we obtain an instantiation that satisfies ψ where the u's are at most L 2 +1 apart from one another.
Since u i+1 −u i > L 2 +1, there exist two pairs of adjacent indices between u i and u i+1 that agree on their local array values, i.e., there exist some m and n such that u i <m<n < n + 1 < u i+1 and, for every boolean array a: index → bool, we have a[m] = a[n] and a[m+1] = a[n+1]. Intuitively, removing all processes m+1, . . . , n does not impact any of the other processes whose indices are in U , since the array values of their immediate neighbors remain the same. In particular, since m+1 and n+1 are identical, processes m and n+1 maintain the same neighbors after the removal. Once the processes are removed, the remaining processes are renumbered.
Formally, let N = N 1 −(n−m), and define the function g: [1..N 1 ] → [1..N ] such that g(i) = i for i ≤ m, and g(i) = i−(n−m) for i ≥ n+1. It is easy to see that g is injective and onto, hence g −1 is well defined. Consider the state s of system S(N ) such that for every array a : index → bool we have s [a[i]] = s[a[g −1 (i)]], i.e., the value of a in state s at index i is the value of a in state s at index g −1 (i).
We conclude that (s , α ) |= χ, which leads to the result that ψ is satisfied in the state s of system S(N ).
Thus, s is obtained from s by leaving the values of the index variables in the range 1..m intact, reducing the index variables larger than n by n − m, while maintaining the assignments of their index → bool variables. Obviously, s is a state of S(N 1 −(n−m)) that satisfies ψ.

Calibrating N 0
The bound computed in Theorem 6.1 may be quite large. In some cases it can be reduced significantly as we explain below.

General bool's:
If there are index → bool arrays for arbitrary (finite) bool, L in the bound should be replaced by the product of the sizes of ranges of all index → bool variables.

Primed Occurrences:
When a variable appears both unprimed and primed in R(.), both occurrences add to the count (unless equal). This is in general the case with the transition relation ρ (that appears on the l-h-s of several implicants in our proof rules). While it may seem that each additional variable that can be modified doubles the count, only a single step is to be considered at a time, which is further restricted by reach (reach appears explicitly in all the implicants; moreover, it can always be added since it is shown to be an invariant).
Hence, in practice, the bound can often be reduced as to be manageable.
Restricted Use of ±: Assume that for each V ∀ variable under a ± operator, all occurrences of the operator are of the same kind (only ⊕ or for each variable). Then, when reducing a large model into a smaller one, instead of finding two processes at the endpoint of a chain that agree on values of both their neighbors, it suffices to find a pair that agrees on one neighbor, which implies a chain of length L. Consequently, in this case the cut-off value is N 0 = (K − 1)L+K. Further analysis reveals that if only one operator (⊕ or ) is applied to V ∃ variables, then the bound can be further reduced to N 0 = (K−1)(L−1)+K.
Restricting to "Observable" States: Suppose that a process only has a "partial" view of its neighbor, i.e., can access some, but not all, of its neighbor index → bool array entries. Then, it suffices to find processes that agree on the part of the state observable by their neighbors, and not the complete state.

Chains of Consecutive Free Variables:
If, in addition to N, 1 there are longer, or other, chains of consecutive values the bound is reduced accordingly, since there are less "gaps" to collapse. E.g., when there is a N − 1, N, 1 combination, the (K − 1) in the bound can be replaced by (K − 2).

Example: Dining Philosophers
We demonstrate the use of the modest model theorem by validating accessibility for a classical solution to the dining philosophers problem, using rule DistRank.
Consider program Dine that offers a solution to the dining philosophers problem for any N philosophers. The program uses semaphores for forks. In this program, N −1 philosophers (processes P [1], . . . , P [N −1]) reach first for their left forks and then for their right forks, while P [N ] reaches first for its right fork and only then for its left fork. Program Dine is presented in Fig. 6.1.
The semaphore instructions "request x" and "release x" appearing in the program stand, respectively, for " when x = 1 do x := 0 " and "x := 1". Consequently, the transition associated with "request x" is compassionate, indicating that if a process is requesting a semaphore that is available infinitely often, it obtains it infinitely many times.
As outlined in Section 2.4, we transform the bfts into a compassion-free bfts by adding two new boolean arrays, nvr 1 and nvr 2 , each nvr [i] corresponding to the request of process i at location . Appendix A.3 describes the bfts we associate with Program Dine.
The progress property of the original system is which is proved in two steps, the first establishing that (π[z] = 1) = ¡ (π[z] = 2) and the second establishing that (π[z] = 2) = ¡ (π[z] = 3). For simplicity of presentation, we restrict discussion to the latter progress property.
Since P [N ] differs from P [1], . . . , P [N −1], and since it accesses y[1], which is also accessed by P [1], and y[N ], which is also accessed by P [N −1], we choose some z in the range 2, . . . , N − 2 and prove progress of P [z]. The progress property of the other three processes can be established separately (and similarly.) Taking into account the translation into a compassion-free system, the property we attempt to prove is

Automatic Generation of Symbolic Assertions
Following the guidelines in Section 3, we instantiate the program Dine according to the small model theorem, compute the auxiliary concrete constructs for the instantiation, and abstract them. Here, we chose an instantiation of N 0 = 6 (obviously, we need N 0 ≥ 4; it seems safer to allow at least a chain of three that does not depend on the "special" three, hence we obtained 6.) For the progress property, we chose z = 3, and attempt to prove (π[3] = 2) = ¡ (π[3] = 3). Due to the structure of Program Dine, process P [i] depends only on its neighbors, thus, we expect the auxiliary constructs to include only assertions that refer to two neighboring process at the same time. We chose to focus on pairs of the form (i, i 1).
We first compute ϕ A (i, i 1), which is the abstraction of the set of reachable states. We distinguish between three cases, i = 1, i = N , and i = 2, . . . , N −1. For the first, we take ϕ A =1 = reach C [1 → 1, 6 → N ] (i.e., project the concrete reach C on 1 and 6 and generalize to 1 and N ), for the second, we take ϕ A =N = reach C [6 → N, 5 → N −1] (i.e., project the concrete reach C on 6 and 5 and generalize to N and N −1), and for the third we take ϕ A =1,N = reach C [3 → i, 2 → i − 1] (i.e., project the concrete reach C on 3 and 2 and generalize to i and i−1). The abstract pending sets we obtain are in Appendix A.3. We then define: For the helpful sets, and the δ's, we obtain, as expected, assertions of the type p(i, i 1). The assertions are described in Appendix A.3. Thus, the proof of inductiveness of ϕ, as well as all premises of DistRank, are now of the form covered by the modest model theorem.
We now compute the size of the instantiation needed. Premises D1, D3, and D7 relate only to unprimed copies of the variables. Other premises relate to both unprimed and primed copies of the variables. When we use the modest model theorem "as is" the resulting figures are L = 40 2 = 1600 (5 possible locations, one fork, two nvr variables, all counted as current and next), L 2 +1 ∼ 2.5 · 10 6 which results in a bound of about 10 7 processes. In order to get a reasonable figure we use the following reductions.
• We syntactically analyze all the resulting assertions and find that only variables in V ∃ are referenced by both ⊕1 and 1. Variables in V ∀ are referenced only by 1. Thus, we have to search only for two identical processes and not for two pairs of adjacent processes. • The transition ρ is on the left-hand-side of the implication in all the premises that include primed variables (D2,D4,D5, and D6). This implies that all possible counter-examples to these premises satisfy ρ.
According to ρ all primed variables for every j ∈ {i, i⊕1} equal to their unprimed versions. Thus, if we treat i, i⊕1 as another 2-element long chain of universally quantified variables, we do not have to consider different values of the primed variables. It follows that we can use L = 40 for our search for duplicate entries.
As a result, the value L above (the maximal length of chain with no "equivalent" processes) is 40. There are three free variables in the system, 1, N , and N −1.
(The reason we include N −1 is, e.g., its explicit mention in ϕ A ). Following the remarks on the modest model theorem, since the three variables are consecutive, and since with all universally quantified variables we use only i 1, the size of the (modest) model we need to take is 40(u+1)+u+4, where u is the number of universally quantified variables. Since u ≤ 2 for each of D1-D7 (it is 0 for D4, 1 for D1, and 2 for D2, D3, and D5), it is sufficient to choose an instantiation of 128. 4 In Table 6.1, we present the number of bdd nodes computed for each auxiliary construct, and the time it 4 By modifying project&generalize to include only part of the variables of a process and not all variables this can be further reduced to 83 processes.   ) where i is the index of the process which can take a helpful step, and all other processes (j) satisfy some supporting conditions. However, such a helpful assertion presents a problem when trying to verify premise D4 of rule DistRank, since we obtain an ∃∀-disjunct in the premise. In this section we show a new proof rule for progress, that allows us to order the helpful assertions in terms of the precedence of their helpfulness. "The helpful" assertion is then the minimal in the ordering, so that we can avoid the disjunction in the r-h-s of Premise D4.

Pre-Ordering Transitions
A binary relation is a pre-order over domain D if it is reflexive, transitive, and total. Consider a bfts S with set of transitions T (N ) = [0..m]×N (as in Subsection 3.1). For every state in S(N ), define a pre-order over T . From the totality of , every S(N )-state has some τ [i] ∈ T which is minimal according to . We replace premise D4 in DistRank with a premise stating that for every pending state s, the transition that is minimal in s is also helpful at s. We call the new rule PreRank and, to avoid confusion, name its premises R1-R7. Thus, PreRank is exactly like Dis-tRank, with the addition of a pre-order : Σ → 2 T ×T , premises ascertaining that the relation is a pre-order (R8-R10), and replacement of D4 by R4. In order to automate the application of PreRank, we need to be able to automatically generate the pre-order relation . As usual, we first instantiate S(N 0 ), compute concrete C , and then use the method project&generalize to compute an abstract A . The main problem is the computation of the concrete C . We define s |= τ 1 τ 2 if s |= Φ(τ 1 , τ 2 ) for the following ctl formula: where W is the weak-until or unless operator. The intuition behind the first disjunct is that for a state s, transition τ 1 is "helpful earlier" than τ 2 if every path departing from s doesn't reach h τ2 before it reaches h τ1 . The role of the second disjunct is to guarantee the totality of , so that when τ 1 becomes helpful earlier than τ 2 in some computations, and τ 2 precedes τ 1 in others, we obtain both τ 1 τ 2 and τ 2 τ 1 . To abstract a formula )) over S(N 0 ) (2 and 3 being chosen arbitrarily to represent two generic indices), and then generalize 2 to i and 3 to j. To abstract the negation of such a formula, we first abstract the formula, and then negate the result. Therefore, to abstract Formula (7.1), we abstract each A W -formula separately, and then take the disjunction of the first abstract assertion with the negation of the second abstract assertion.

Case Study: Bakery
Consider program bakery of Example 2.2 (Fig. 2.3). Suppose we want to verify (π[z] = 1) = ¡ (π[z] = 3). We instantiate the system to N 0 = 3, and obtain the auxiliary assertions ϕ, pend , the h's and δ's. After applying project&generalize, we obtain for h [i], two types of assertions. One is for the case that i = z, and then, as expected, h 2 [z] is the most interesting one, having an ∀-construct claiming that z's ticket is the minimal among ticket holders. The other case is for j = z, and there we have a similar ∀-construct (for j's ticket minimality) for = 2, 3, 4. For the pre-order, one must τ 2 [j] for every 1 , 2 = 1, ..., 4 and i = z = j, i = j = z, i, j = z for ( 1 , i) = ( 2 , j). The results for τ 1 [i] τ 2 [j] for i = z that are not trivially t are described in Appendix A.1 Using the above pre-order, we succeeded in validating Premises R1-R9 of PreRank, thus establishing the liveness property of program bakery.

Multiple Pre-Order Relations
In the previous section we described how to compute the pre-order relation. Formula (7.1) is one alternative of computing the pre-order. We can view rule DistRank as a special case of rule PreRank, with a trivial preorder defined by s |= τ 1 τ 2 if s |= Ψ (τ 1 , τ 2 ), where Obviously, other definitions are also possible. In fact, by allowing different schemes of computing pre-order on different states, the rule PreRank can be applied to a wider range of protocols. In this section we demonstrate this idea on a version of Szymanski's mutual exclusion protocol described in Fig. 8.1. The progress property we would ideally like to verify is (π[z] = 1 = ¡ (π[z] = 7). This property, however, is beyond the scope of the methods and rules described here since it requires some just transition to be helpful twice. It is not difficult, but rather tedious, to extend our technique for generating ranking so to deal with cases where transitions may be helpful up to k times, for any bounded k. We bypass this difficulty here by restricting to a "smaller" progress property to which the proof applies, namely, to the progress property An inspection of the protocol reveals that τ 6 [i] is the only transition whose enabling condition is of the form ∀j.p(i, j) which is an obvious candidate for preordering of the type we used in Section 7. The other For a parameterized system with a transition T = T (N ) set of states Σ(N ), just transitions J ⊆ T (N ), invariant assertion ϕ, assertions q, r, pend and {hτ | τ ∈ J }, ranking functions {δτ : Σ → {0, 1} | τ ∈ J }, and a pre-order : where Ψ is defined in Formula (8.1) and Φ is defined Formula (7.1). These definitions allow us to use project&generalize on the concrete pre-order (as described in Section 7) and successfully prove Formula (8.2) for program Szymanski.

Discussion
We have presented a method for automatically verifying liveness properties of parameterized systems. The method is based on automatic computation of the assertions needed by a deductive rule according to the analysis of a small instance of the problem. Then, using a small model theorem, the verification conditions of the deductive rule are discharged using bdd techniques on a (sometimes not so) small instance of the parameterized system. Being able to discharge the verification conditions on a finite model has the additional advantage that the user never gets to see the assertions, which is why we termed the method 'invisible constructs'.
Deductive proofs for liveness require the identification of helpful transitions and, in addition, a ranking function that measures the progress towards the goal. The deductive proof rule we are using is similar. In order to facilitate the generation of the ranking function, we partition it and include one ranking function per helpful transition. The range of these ranking functions is usually {0, 1}. There are cases where a single transition must be helpful more than once before other helpful transitions can be taken. In such cases the restricted range of {0, 1} (i.e., the helpful transition was or was not taken) is not sufficient. We would have to consider ranking functions with a larger range set. In general, we believe that it is best to use the smallest range possible for the ranking functions. The main burden in using our method is in devising the method in which we compute the explicit ranking functions and in deciding how to generalize these explicit assertions. Thus, having a larger range for the ranking functions would make the method harder to use and is inadvisable.
A key feature of our method is generalizing a concrete set of states into a universal assertion. In the paper, we explain briefly how to obtain existential auxiliary assertions in the case that our approximation of the concrete set is too abstract. This process can be iterated as follows: When the assertion we have is too abstract, we can add an existential conjunct that tightens the abstraction. When the assertion does not capture the entire concrete set, we can generalize the difference and add a universal disjunct. Thus, we can get assertions of the general form ((· · · (∀ ∧ ∃) ∨ ∀) ∧ ∃) · · ·). Note that the quantifiers are not nested, hence using these assertions we can still employ the small-model theorem. We have studied examples where this iterative computation of the generalization is necessary in order to get assertions that fulfill the requirements of the deductive rule. This, however, is beyond the scope of this paper.
Finally, we recall that the problem of uniform verification of parameterized systems is undecidable, thus we cannot hope that our method, or other methods, always succeed. When the method does not work immediately, it may help to obtain tighter abstractions. It may help to increase the size of the small model on which we compute the concrete assertions. The corner stone of our method is a deductive rule, so manual intervention of the user may help push a proof forward. Sometimes, unfortunately, it would be best to try something completely different.