Formalization – Outer DFS

This shows that the restriction is done by removing the restriction setRboth from the edges and the starting nodes. Of course, to still ensure correctness, the setRhas to meet certain requirements:

• The restriction must be closed underE: E `` R⊆R. This ensures that no unrestricted nodes are ”shielded off“ by nodes inR. If this was not the case, there might be nodes fulfillingP, but only reachable by paths throughR.

• The restriction must not contain any node fulfillingP: Collect P∩R ={}.

Under these requirements, combined into a single predicaterestr_invar, it can be shown that this restricted search is correct (forrestr_invarto be an invariant, it is also demanded that it is also valid for the new updated restriction set):

lemmafind_path0_restr_correct:

assumesrestr_invar E R P

showsfind_path0_restr E V₀ P R≤specr.caserof Inl R'⇒R' = R∪E^∗``V0∧restr_invar E R' P

| Inr (vs,v)⇒P v∧ (∃v₀∈V₀−R. path(E∩(−R)×(−R))v₀vs v)

Note, thatR' = R∪E^∗``V0 ∧Collect P∩R' ={} entails¬(∃v0∈V0.∃v.(v0,v)∈E^∗ ∧P v). This is then further extended intofind_path1_restr, which bears the additional restriction that the final path must be at least of length 1. This is necessary for Nested DFS. We will omit its definition here.

4.6.3 Formalization – Outer DFS

Having laid the foundation for the inner “red” part of Nested DFS, we can continue with defining the outer part. Again, we begin by stating what the extension part of the state is going to look like. This time, it will consist of two parts: redbeing the set of nodes visited by red search, andlasso, which will be the counter-example we are looking for:

record'v blue_dfs_state = 'v state +

lasso ::('v list×'v list)option(_{* pr} ×_{pl *}) red :: 'v set

Note the form forlasso: it consists of the path to an accepting node (without this node), and the loop from that node to itself. Also, similarly to the formalization of the safety checker, it is embedded in an option to signal the non-existance of such a counter-example.

4.6 An Application in Model Checking: Nested DFS

Again, we then start a new locale for the DFS⁷: localeBlueDFS = fb_graph E V₀

forEandV₀ :: 'v set + fixesaccpt :: 'v⇒bool

Note the additional parameteraccptrepresenting the acceptance property on nodes.

Now, inside this locale, we can combine our definition of state with the safety property checker to gain our equivalent to running the red search:

abbreviation(inBlueDFS)red_dfs R P x≡find_path1_restr E{x}P R

Here,{x}is taken as the value forV₀ of the safety checker, because this is indeed the only node where paths should begin. Then we combine it further to also interpret the return value correctly:

definition(inBlueDFS)run_red_dfswhere run_red_dfs u s≡caselasso sof

None⇒do{

redS←red_dfs(red s) (λx. x = u∨ x∈ set(stack s))u;

return(mk_blue_witness s redS) }

| _⇒NOOP s

With this definition, we only call the red DFS if we have not found a counter-example yet.

Also, we state in the property to check for that we are looking for a node which is either on the stack, or equals the current node. The latter part is needed, because it has already been popped from the stack when calling this function. The functionmk_blue_witnessis used to interpret the result and construct a counter-example, if necessary. Its definition is as follows:

definition(inBlueDFS)mk_blue_witnesswhere mk_blue_witness s redS≡caseredSof

Inl R'⇒_Llasso = None, red = R'M

| Inr(vs, v)⇒letrs = rev(stack s)in

Llasso = Some(rs, vs@dropWhileNot v rs), red = red sM

This definition states that in case the safety checker just returns a new restriction set, we take it to represent our new set of nodes visited by red searches. In case we found some nodevon the stack and some pathvsleading to it, we build the lasso: The leading path (to the current nodeu) is the reversed stack. The loop is then made up of two parts, the pathvsfromutov, and this part of the reversed stack betweenvandu. While this is not necessarily the shortest counter-example, it is the easiest one to construct.

We now can already instantiate our DFS framework to yield the outer DFS (omitted fields again are no-ops):

definition(inBlueDFS)blue_dfs_paramswhere blue_dfs_params =L

on_init =returnLlasso = None, red ={} _M,

7One might notice, that this time the new locale does not extendparam_DFS. This is due to the fact that we first need some setup to actually create the DFS definition. The sublocale relation is established later on.

on_finish =λu s.ifaccpt uthenrun_red_dfs u selseNOOP s, is_break =λs. lasso s6=None,

But this only represents the Nested DFS version of Holzmann et al. [19]. To get the one of Schwoon and Esparza [51], we also need to handle back edges:

on_back_edge = se_back_edgeM

The functionse_back_edgehandles the cases of one of the ends of the edge being accepting.

In any of those cases we get a lasso constructed by the stack and the back edge which is then created. Of course, nothing is done in case a counter-example has already been found:

definition(inBlueDFS)se_back_edgewhere se_back_edge u v s≡caselasso sof

None ⇒

(* it's a back edge, so u and v are both on stack *) (* we differentiate whether u or v is the 'culprit'

to generate a better counter example *) ifaccpt uthen

letrs = rev(tl(stack s)); ur = rs;

ul = u#dropWhileNot v rs

in returnLlasso = Some(ur,ul), red = red sM else ifaccpt vthen

letrs = rev(stack s); vr = takeWhileNot v rs;

vl = dropWhileNot v rs

in returnLlasso = Some(vr,vl), red = red sM elseNOOP s

| _⇒NOOP s

To prove correctness for this formalization, we define three different invariants:

• In case we have not found a counter-example yet, we have to show that redis a restriction set fulfilling the requirements stated earlier, and that it only contains finished nodes:

lasso s = None−→restr_invar E(red s) (λx. x∈set(stack s))∧red s⊆dom(finished s)

• If we have not found a counter-example yet, there is no accepting finished node which is part of a cycle:

lasso s = None−→(∀x. accpt x∧x∈dom(finished s)−→(x,x)∈/E⁺))

• In the case where we have found a counter-example, it indeed is a lasso:

∀pr pl. lasso s = Some(pr,pl)−→

pl6= []

∧ (∃v0∈V0. path E v0pr(hd pl))

∧ accpt(hd pl)

∧ path E(hd pl)pl(hd pl) (_{* cycle *})