Applications of hierarchical reasoning in the verification of complex systems Swen Jacobs and Viorica Sofronie-Stokkermans Max-Planck-Institut für Informatik, Stuhlsatzenhausweg 85, Saarbrücken, Germany e-mail: {sjacobs, sofronie}@mpi-sb.mpg.de Abstract In this paper we show how hierarchical reasoning can be used to verify properties of complex systems. Chains of local theory extensions are used to model a case study taken from the European Train Control System (ETCS) standard, but considerably simplified. We show how testing invariants and bounded model checking can automatically be reduced to checking satisfiability of ground formulae over a base theory. 1 Introduction Many problems in computer science can be reduced to proving satisfiability of conjunctions of (ground) literals modulo a background theory. This theory can be a standard theory, the extension of a base theory with additional functions (free or subject to additional conditions), or a combination of theories. In [8] we showed that for special types of theory extensions, which we called local, hierarchic reasoning in which a theorem prover for the base theory is used as a “black box” is possible. Many theories important for computer science are local extensions of a base theory. Several examples (including theories of data structures, e.g. theories of lists (or arrays cf. [3]); but also theories of monotone functions or of functions satisfying semi-Galois conditions) are given in [8] and [9]. Here we present additional examples of local theory extensions occurring in the verification of complex systems. In this paper we address a case study taken from the specification of the European Train Control System (ETCS) standard [2], but considerably simplified, namely an example of a communication device responsible for a given segment of the rail track, where trains may enter and leave. We suppose that, at fixed moments in time, all knowledge about the current positions of the trains is available to a controller which accordingly imposes constraints on the speed of some trains, or allows them to move freely within the allowed speed range on the track. Related problems were tackled before with methods from verification [2]. The approach we use in this paper is different from previously used methods. We use sorted arrays (or monotonely decreasing functions) for storing the train positions. The use of abstract data structures allows us to 1 pass in an elegant way from verification of several finite instances of problems (modeled by finite-state systems) to general verification results, in which sets of states are represented using formulae in first-order logic, by keeping the number of trains as a parameter. We show that for invariant or bounded model checking the specific properties of “position updates” can be expressed in a natural way by using chains of local theory extensions. Therefore we can use results in hierarchic theorem proving both for invariant and for bounded model checking1 . By using locality of theory extensions we also obtained formal arguments on possibilities of systematic “slicing” (for bounded model checking): we show that for proving (disproving) the violation of the safety condition we only need to consider those trains which are in a ’neighborhood’ of the trains which violate the safety condition 2 . Structure of the paper. Section 2 contains the main theoretical results needed in the paper. In Section 3 we describe the case study we consider. In Section 4 we present a method for invariant and bounded model checking based on hierarchical reasoning. Section 5 contains conclusions and perspectives. 2 Preliminaries Theories and models. Theories can be regarded as sets of formulae or as sets of models. Let T be a theory in a (many-sorted) signature Π = (S, Σ, Pred), where S is a set of sorts, Σ is a set of function symbols and Pred a set of predicate symbols (with given arities). A Π-structure is a tuple M = ({Ms }s∈S , {fM }f ∈Σ , {PM }P ∈Pred ), where for every s ∈ S, MQ s is a non-empty set, for all f ∈ Σ with arity a(f )=s1 . . .sn → s, fM : ni=1 Msi →Ms and for all P ∈ Pred with arity a(P ) = s1 . . .sn , PM ⊆ Ms1 × . . . ×Msn . We consider formulae over variables in a (many-sorted) family X = {Xs | s ∈ S}, where for every s ∈ S, Xs is a set of variables of sort s. A model of T is a Π-structure satisfying all formulae of T . In this paper, whenever we speak about a theory T we implicitly refer to the set Mod(T ) of all models of T , if not otherwise specified. Partial structures. Let T0 be a theory with signature Π0 = (S0 , Σ0 , Pred). We consider extensions T1 of T0 with signature Π = (S, Σ, Pred), where S = S0 ∪ S1 , Σ = Σ0 ∪ Σ1 (i.e. the signature is extended by new sorts and function symbols) and T1 is obtained from T0 by adding a set K of (universally quantified) clauses. Thus, Mod(T 1 ) consists of all Π-structures which are models of K and whose reduct to Π 0 is a model of T0 . A partial Π-structure is a structure M = ({M s }s∈S , {fM }f ∈Σ , {PM }P ∈Pred ), where for every s ∈ S, Ms is a non-empty set and for every f ∈ Σ with arity 1 Here we only focus on one example. However, we also used this technique for other case studies (among which one is mentioned – in a slightly different context – in [9]). 2 In fact, it turns out that slicing (locality) results with a similar flavor presented by Necula and McPeak in [6] have a similar theoretical justification. 2 s1 . . . sn → s, fM is a partial function from Ms1 × · · · × Msn to Ms . The notion of evaluating a term t with variables X = {X s | s ∈ S} w.r.t. an assignment {βs :Xs → Ms | s ∈ S} for its variables in a partial structure M is the same as for total many-sorted algebras, except that this evaluation is undefined if t = f (t1 , . . . , tn ) with a(f ) = (s1 . . . sn → s), and at least one of βsi (ti ) is undefined, or else (βs1 (t1 ), . . . , βsn (tn )) is not in the domain of fM . In what follows we will denote a many-sorted variable assignment {βs :Xs → Ms | s ∈ S} as β : X → M. Let M be a partial Π-structure, C a clause and β : X → M. We say that (M, β) |= w C iff either (i) for some term t in C, β(t) is undefined, or else (ii) β(t) is defined for all terms t of C, and there exists a literal L in C s.t. β(L) is true in M. M weakly satisfies C (notation: M |=w C) if (M, β) |=w C for all assignments β. M weakly satisfies (is a weak partial model of) a set of clauses K (notation: M |= w K, M is a w.p.model of K) if M |=w C for all C ∈ K. Local theory extensions. Let K be a set of (universally quantified) clauses in the signature Π = (S, Σ, Pred), where S = S 0 ∪ S1 and Σ = Σ0 ∪ Σ1 . In what follows, when referring to sets G of ground clauses we assume they are in the signature Πc = (S, Σ ∪ Σc , Pred) where Σc is a set of new constants. An extension T0 ⊆ T0 ∪ K is local if satisfiability of a set G of clauses with respect to T0 ∪K, only depends on T0 and those instances K[G] of K in which the terms starting with extension functions are in the set st(K, G) of ground terms which already occur in G or K. Formally, K[G] = {Cσ |C ∈ K, for each subterm f (t) of C, with f ∈ Σ 1 , f (t)σ ∈ st(K, G), and for each variable x which does not occur below a function symbol in Σ1 , σ(x) = x}, and T0 ⊆ T1 =T0 ∪ K is a local extension if it satisfies condition (Loc): (Loc) For every set G of ground clauses G |= T1 ⊥ iff there is no partial Πc -structure P such that P|Π0 is a total model of T0 , all terms in st(K, G) are defined in P , and P weakly satisfies K[G] ∧ G. In [8, 9] we gave several examples of local theory extensions: e.g. any extension of a theory with free function symbols; extensions with selector functions for a constructor which is injective in the base theory; extensions of several partially ordered theories with monotone functions. In Section 4.2 we give additional examples which have particular relevance in verification. Hierarchic reasoning in local theory extensions. Let T 0 ⊆ T1 =T0 ∪ K be a local theory extension. To check the satisfiability of a set G of ground clauses w.r.t. T1 we can proceed as follows (for details cf. [8]): Step 1: Use locality. By the locality condition, G is unsatisfiable w.r.t. T 1 iff K[G] ∧ G has no weak partial model in which all the subterms of K[G] ∧ G are defined, and whose restriction to Π0 is a total model of T0 . 3 Step 2: Flattening and purification. We purify and flatten K[G] ∧ G by introducing new constants for the arguments of the extension functions as well as for the (sub)terms t = f (g1 , . . . , gn ) starting with extension functions f ∈ Σ1 , together with new corresponding definitions c t ≈ t. The set of clauses thus obtained has the form K0 ∧ G0 ∧ D, where D is a set of ground unit clauses of the form f (c1 , . . . , cn ) ≈ c, where f ∈ Σ1 and c1 , . . . , cn , c are constants, and K0 , G0 are clause sets without function symbols in Σ 1 . Step 3: Reduction to testing satisfiability in T 0 . We reduce the problem to testing satisfiability in T0 by replacing D with the following set of clauses: N0 = n ^ ^ { ci ≈di →c≈d | f (c1 , . . . , cn ) = c, f (d1 , . . . , dn ) = d ∈ D}. i=1 Theorem 1 ([8]) With the notations above, the following are equivalent: (1) T0 ∧ K ∧ G has a model. (2) T0 ∧K[G]∧G has a w.p.model (where all terms in st(K, G) are defined). (3) T0 ∧K0 ∧G0 ∧D has a w.p.model (with all terms in st(K, G) defined). (4) T0 ∧K0 ∧G0 ∧N0 has a (total) Σ0 -model. 3 The RBC Case Study The case study we discuss here is taken from the specification of the European Train Control System (ETCS) standard (cf. e.g. [2]): we consider a radio block center (RBC), which communicates with all trains on a given track segment. Trains may enter and leave the area, given that a certain maximum number of trains on the track is not exceeded. Every train reports its position to the RBC in given time intervals and the RBC communicates to every train how far it can safely move, based on the position of the preceding train. It is then the responsibility of the trains to adjust their speed between given minimum and maximum speeds. For a first try at verifying properties of this system, we have considerably simplified it: we abstract from the communication issues in that we always evaluate the system after a certain time ∆t, and at these evaluation points the positions of all trains are known. Depending on these positions, the possible speed of every train until the next evaluation is decided: if the distance to the preceding train is less than a certain limit l alarm , the train may only move with minimum speed min (otherwise with any speed between min and the maximum speed max). 3.1 Formal Description of the System Model We present two formal system models. In the first one we have a fixed number of trains; in the second we allow for entering and leaving trains. Model 1: Fixed Number of Trains. In this simpler model, any state of the system is characterized by the following functions and constants: 4 • ∆t > 0, the time between evaluations of the system. • min and max, the minimum and maximum speed of trains. We assume that 0 ≤ min ≤ max. • lalarm , the distance between trains which is deemed secure. • n, the number of trains. • pos, a function which maps indices (between 0 and n − 1) associated to trains on the track to the positions of those trains on the track. Here pos(i) denotes the current position of the train with index i. We use a new function pos′ to model the evolution of the system: pos′ (i) denotes the position of i at the next evaluation point (after ∆t time units). The way positions change (i.e. the relationship between pos and pos ′ ) is defined by the following set Kf = {F1, F2, F3, F4} of axioms: (F1) ∀i (i = 0 → pos(i) + ∆t∗min ≤R pos′ (i) ≤R pos(i) + ∆t∗max) (F2) ∀i (0 < i < n ∧ pos(i − 1) >R 0 ∧ pos(p(i)) − pos(i) ≥R lalarm → pos(i) + ∆t ∗ min ≤R pos′ (i) ≤R pos(i) + ∆t∗max) (F3) ∀i (0 < i < n ∧ pos(i − 1) >R 0 ∧ pos(p(i)) − pos(i) <R lalarm → pos′ (i) = pos(i) + ∆t∗min) (F4) ∀i (0 < i < n ∧ pos(i − 1) ≤R 0 → pos′ (i) = pos(i)), Note that the train with number 0 is the train with the greatest position, i.e. we count trains from highest to lowest position. Axiom F1 states that the first train may always move at any speed between min and max. F2 states that the other trains can do so if their predecessor has already started and the distance to it is larger than l alarm . If the predecessor of a train has started, but is less than l alarm away, then the train may only move at speed min (axiom F3). F4 requires that a train may not move at all if its predecessor has not started. Model 2: Incoming and leaving trains. If we allow incoming and leaving trains, we additionally need a measure for the number of trains on the track. This is given by additional constants first and last, which at any time give the number of the first and last train on the track (again, the first train is supposed to be the train with the highest position). Furthermore, the maximum number of trains that is allowed to be on the track simultaneously is given by a constant maxTrains. These three values replace the number of trains n in the simpler model, the rest of it remains the same except that the function pos is now defined for values between first and last, where before it was defined between 0 and n − 1. The behavior of this extended system is described by the following set Kv consisting of axioms (V1) − (V9): (V1) ∀i (i = first → pos(i) + ∆t ∗ min ≤R pos′ (i) ≤R pos(i) + ∆t ∗ max) (V2) ∀i (first < i ≤ last ∧ pos(i − 1) >R 0 ∧ pos(i − 1) − pos(i) ≥R lalarm → pos(i) + ∆t ∗ min ≤R pos′ (i) ≤R pos(i) + ∆t ∗ max) 5 (V3) ∀i (first < i ≤ last ∧ pos(i − 1) >R 0 ∧ pos(i − 1) − pos(i) <R lalarm → pos′ (i) = pos(i) + ∆t ∗ min) (V4) ∀i (first < i ≤ last ∧ pos(i − 1) ≤R 0 → pos′ (i) = pos(i)) (V5) last − first + 1 < maxTrains → last′ = last ∨ last′ = last + 1 (V6) last − first + 1 = maxTrains → last′ = last (V7) last − first + 1 > 0 → first′ = first ∨ first′ = first + 1 (V8) last − first + 1 = 0 → first′ = first, (V9) last′ = last + 1 → pos′ (last′ ) <R pos′ (last) where primed symbols denote the state of the system at the next evaluation. Here, axioms V1−V4 are similar to F1−F4, except that the fixed bounds are replaced by the constants first and last. V5 states that if the number of trains is less than maxTrains, then a new train may enter or not. V6 says that no train may enter if maxTrains is already reached. V7 and V8 are similar conditions for leaving trains. Finally, V9 states that if a train enters, its position must be behind the train that was last before. 4 Hierarchical reasoning in verification The safety condition which is important for this type of systems is collision freeness. Intuitively (but in a very simplified model of the system of trains) collision freeness is similar to a ’bounded strict monotonicity’ property for the function pos which stores the positions of the trains: Mon(pos) ∀i, j (0 ≤ i < j < n → pos(i) > R pos(j)) Mon(pos) expresses the condition that for all trains i, j on the track, if i precedes j then i should be positioned strictly ahead of j. We will also consider a more realistic extension, which allows to express collision-freeness when the maximum length of the trains is known. In both cases, we focus on invariant checking and on bounded model checking. 4.1 Problems: Invariant checking, bounded model checking In what follows we illustrate the ideas for the simple approach, in which collision-freeness is identified with strict monotonicity of the function which stores the positions of the trains. To check that strict monotonicity of train positions is an invariant, we need to check that: (a) In the initial state the train positions (expressed by a function pos 0 ) satisfy the strict monotonicity condition Mon(pos 0 ). (b) Assuming that at a given state, the function pos (indicating the positions) satisfies the strict monotonicity condition Mon(pos), and the next state positions, stored in pos ′ , satisfy the axioms K, where K ∈ {Kf , Kv }, then pos′ satisfies the strict monotonicity condition Mon(pos ′ ). 6 Checking (a) is not a problem. For (b) we need to show that in the extension T of a combination T0 of real arithmetic with an index theory describing precedence of trains, with the two functions pos and pos ′ the following hold: T |= K∧Mon(pos) → Mon(pos′ ), i.e. T ∧K∧Mon(pos)∧¬Mon(pos′ ) |=⊥ . The set of formulae to be proved unsatisfiable w.r.t. T involves the axioms K and Mon(pos), containing universally quantified variables of sort i. Only ¬Mon(pos′ ) corresponds to a ground set of clauses G. However, positive results for reasoning in combinations of theories were only obtained for testing satisfiability for ground formulae [7, 4], so are not directly applicable. In bounded model checking the same problem occurs. For a fixed k, one has to show that there are no paths of length at most k from the initial state to an unsafe state. We therefore need to store all intermediate positions in arrays pos0 , pos1 , . . . , posk , and – provided that K(pos i−1 , posi ) is defined such that K = K(pos, pos ′ ) – to show: j ^ K(posi−1 , posi ) ∧ Mon(pos0 ) ∧ ¬Mon(posj ) |=⊥ for all 0 ≤ j ≤ k. T ∧ i=1 4.2 Our solution: locality, hierarchical reasoning Our idea. In order to overcome the problem mentioned above we proceed as follows. We consider two successive extensions of the base many-sorted combination T0 of real arithmetic (for reasoning about positions, sort num) with an index theory (for describing precedence between trains, sort i): • the extension T1 of T0 with a monotone function pos, of arity i → num, • the extension T2 of T1 with a function pos′ satisfying K ∈ {Kf , Kv }. We show that both extensions T0 ⊆ T1 = T0 ∪Mon(pos) and T1 ⊆ T2 = T1 ∪K are local, where K ∈ {Kf , Kv }. This allows us to reduce problem (b) to testing satisfiability of ground clauses in T 0 , for which standard methods for reasoning in combinations of theories can be applied. A similar method can be used for bounded model checking. The base theory. As mentioned before, we assume that T 0 is the manysorted combination of a theory T 0i (sort i) for reasoning about precedence between trains and the theory T0num of real numbers (sort num) for reasoning about distances between trains. As a convention, everywhere in what follows i, j, k denote variables of sort i and c, d denote variables of sort num. We have several possibilities of choosing T 0i : we can model the trains on a track by using an (acyclic) list structure, where any train is linked to its predecessor, or using the theory of integers with predecessor. In what follows let T0i be (a fragment of) integer arithmetic and T 0num be the theory of real or rational numbers. In both these theories satisfiability of ground clauses is decidable. 7 Collision freeness as monotonicity. Let T 0 be the (disjoint, manysorted) combination of T0i and T0num . Then classical methods on combinations of decision procedures for (disjoint, many-sorted) theories can be used to give a decision procedure for satisfiability of ground clauses w.r.t. T 0 . Let T1 be obtained by extending T0 with a function pos of arity i → num mapping train indices to the real numbers, which satisfies condition Mon(pos): Mon(pos) ∀i, j (first ≤ i < j ≤ last → pos(i) > R pos(j)), where i and j are indices, < is the ordering on indices and > R is the usual ordering on the real numbers. (For the case of a fixed number of trains, we can assume that first = 0 and last = n − 1.) A more precise axiomatization of collision-freeness. The monotonicity axiom above is, in fact, an oversimplification. A more precise model, in which the length of trains is considered can be obtained by replacing the monotonicity axiom for pos with the following axiom: ∀i, j, k (first ≤ j ≤ i ≤ last ∧ i − j = k → pos(j) − pos(i) ≥ k ∗ LengthTrain), where LengthTrain is the standard (resp. maximal) length of a train. As base theory we consider the combination T 0′ of the theory of integers and reals with a multiplication operation ∗ of arity i × num → num (multiplication of k with the constant LengthTrain in the formula above) 3 . Let T1′ be the theory obtained by extending the combination T 0′ of the theory of integers and reals with a function pos satisfying the axiom above. Theorem 2 The following extensions are local theory extensions: (1) The theory extension T0 ⊆ T1 . (2) The theory extension T0′ ⊆ T1′ . Proof : We prove that every model of T 1 in which the function pos is partially defined can be extended to a model in which pos is totally defined. Locality then follows by results in [8]. To define pos at positions where it is undefined we use the density of real numbers and the discreteness of the index theory (between two integers there are only finitely many integers). ✷ We now extend the resulting theory T 1 again in two different ways, with the axiom sets for one of the two system models, respectively. A similar construction can be done starting from the theory T 1′ . Theorem 3 The following extensions are local theory extensions: (1) The extension T1 ⊆ T1 ∪ Kf (2) The extension T1 ⊆ T1 ∪ Kv . 3 In the light of locality properties of such extensions (cf. Theorem 2), k will always be instantiated by values in a finite set of concrete integere, all within a given, concrete range; thus the introduction of this many-sorted multiplication does not affect decidability. 8 Proof : (1) Clauses in Kf are flat and linear w.r.t. pos′ , so we again prove locality of the extension by showing that weak partial models can be extended to total ones. The proof proceeds by a case distinction. We use the fact that the left-hand sides of the implications in K f are mutually exclusive. (2) is proved similarly. ✷ Let K ∈ {Kv , Kf }. By the locality of T1 ⊆ T2 = T1 ∪ K and by Theorem 1, the following are equivalent: (1) T0 ∧ Mon(pos) ∧ K ∧ ¬Mon(pos′ ) |=⊥, (2) T0 ∧ Mon(pos) ∧ K[G] ∧ G |=w ⊥, where G = ¬Mon(pos′ ), (3) T0 ∧ Mon(pos) ∧ K0 ∧ G0 ∧ N0 (pos′ ) |=⊥, where K[G] consists of all instances of the rules in K in which the terms starting with the function symbols pos′ are ground subterms already occurring in G or K, K0 ∧ G0 is obtained from K[G] ∧ G by introducing new constants for the arguments of the extension functions as well as for the (sub)terms t = f (g1 , . . . , gn ) starting with extension functions f ∈ Σ 1 , and N0 (pos′ ) is the set of instances of the congruence axioms for pos ′ which correspond to the definitions for these newly introduced constants. It is easy to see that, due to the special form of the rules in K (all free variables in any clause occur as arguments of pos ′ both in Kf and in Kv ), K[G] (hence also K0 ) is a set of ground clauses. By the locality of T 0 ⊆ T1 = T0 ∪ Mon(pos), the following are equivalent: (1) T0 ∧ Mon(pos) ∧ K0 ∧ G0 ∧ N0 (pos′ ) |=⊥, (2) T0 ∧ Mon(pos)[G′ ] ∧ G′ |=w ⊥, where G′ = K0 ∧ G0 ∧ N0 (pos′ ), (3) T0 ∧ Mon(pos)0 ∧ G′0 ∧ N0 (pos) |=⊥, where Mon(pos)[G′ ] consists of all instances of the rules in Mon(pos) in which the terms starting with the function symbol pos are ground subterms already occurring in G′ , Mon(pos)0 ∧G′0 is obtained from Mon(pos)[G′ ]∧G′ by purification and flattening, and N0 (pos) corresponds to the set of instances of congruence axioms for pos which need to be taken into account. This allows us to use hierarchical reasoning on properties of the system, i.e. to reduce the verification of system properties to deciding satisfiability of constraints in T0 . An advantage is that, after the reduction of the problem to a satisfiability problem in the base theory, one can automatically determine which constraints on the parameters (e.g. ∆t, min, max, ...) guarantee truth of the invariant. This can be achieved, e.g. using quantifier elimination. The method is illustrated in Section 4.3; more details can be found in [5]. Similar results can be established for bounded model checking. In this case the arguments are similar, but one needs to consider chains of extensions of length 1, 2, 3, . . . , k for a bounded k, corresponding to the paths from 9 the initial state to be analyzed. An interesting side-effect of our approach (restricting to instances which are similar to the goal) is that it provides a possibility of systematic “slicing”: for proving (disproving) the violation of the safety condition we only need to consider those trains which are in a ’neighborhood’ of the trains which violate the safety condition. 4.3 Illustration In this section we indicate how to apply hierarchical reasoning on the case study given in Section 3, Model 1. We follow the steps given at the end of Section 2 and show how the sets of formulas are obtained that can finally be handed to a prover of the base theory T 0 . To check whether T1 ∪ Kf |= ColFree(pos′ ), where ColFree(pos′ ) ∀i (0 ≤ i < n − 1 → pos′ (i) >R pos′ (i + 1)), we check whether T1 ∪ Kf ∪ G |= ⊥, where G = {0 ≤ k < n − 1, k ′ = k + 1, pos′ (k) ≤R pos′ (k ′ )} is the (skolemized) negation of ColFree(pos ′ ), flattened by introducing a new constant k ′ . This problem is reduced to a satisfiability problem over T1 as follows: Step 1: Use locality. We construct the set K f [G]: There are no ground subterms with pos′ at the root in Kf , and only two ground terms with pos′ in G, pos′ (k) and pos′ (k ′ ). This means that Kf [G] consists of two instances of Kf : one with i instantiated to k, the other instantiated to k ′ . E.g., the two instances of F2 are: (F2[G]) (0 < k < n ∧ pos(k − 1) >R 0 ∧ pos(k − 1) − pos(k) ≥R lalarm → pos(k) + ∆t ∗ min ≤R pos′ (k) ≤R pos(k) + ∆t∗max) ′ (0 < k < n ∧ pos(k ′ − 1) >R 0 ∧ pos(k ′ − 1) − pos(k ′ ) ≥R lalarm → pos(k ′ ) + ∆t ∗ min ≤R pos′ (k ′ ) ≤R pos(k ′ ) + ∆t∗max) The construction of (F1[G]), (F3[G]) and (F4[G]) is similar. In addition, we specify the known relationships between the constants of the system: (Dom) ∆t > 0 ∧ 0 ≤ min ∧ min ≤ max Step 2: Flattening and purification. Kf [G] ∧ G is already flat w.r.t. pos′ . We replace all ground terms with pos′ at the root with new constants: we replace pos′ (k) by c1 and pos′ (k ′ ) by c2 . We obtain a set of definitions D = {pos′ (k) = c1 , pos′ (k ′ ) = c2 } and a set Kf0 of clauses which do not contain occurrences of pos′ , consisting of (Dom) together with: ∧ k′ = k + 1 (G0 ) 0 ≤k <n−1 ∧ c 1 ≤ R c2 (F20 ) (0 < k < n ∧ pos(k − 1) >R 0 ∧ pos(k − 1) − pos(k) ≥R lalarm → pos(k) + ∆t ∗ min ≤R c1 ≤R pos(k) + ∆t∗max) ′ (0 < k < n ∧ pos(k ′ − 1) >R 0 ∧ pos(k ′ − 1) − pos(k ′ ) ≥R lalarm → pos(k ′ ) + ∆t ∗ min ≤R c2 ≤R pos(k ′ ) + ∆t∗max) The construction can be continued similarly for F1, F3 and F4. 10 Step 3: Reduction to satisfiability in T 1 . We add the functionality clause N0 = {k = k ′ → c1 = c2 } and obtain a satisfiability problem in T 1 : Kf0 ∧ G0 ∧ N0 . To decide satisfiability of T1 ∧ Kf0 ∧ G0 ∧ N0 , we have to do another transformation w.r.t. the extension T 0 ⊆ T1 . The resulting set of ground clauses can directly be handed to a decision procedure for the combination of the theory of indices and the theory of reals. We flatten and purify the set Kf0 ∧ G0 ∧ N0 of ground clauses w.r.t. pos by introducing new constants denoting k − 1 and k ′ − 1, together with their definitions k ′′ = k−1, k ′′′ = k ′ −1; as well as constants di for pos(k), pos(k ′ ), pos(k ′′ ), pos(k ′′′ ). Taking into account only the corresponding instances of the monotonicity axiom for pos we obtain a set of clauses consisting of (Dom) together with: (G′0 ) k ′′ = k − 1 ∧ k ′′′ = k ′ − 1 (G0 ) 0 ≤ k < n − 1 ∧ k ′ = k + 1 ∧ c1 ≤R c2 (GF20 ) 0<k<n ∧ d3 >R 0 ∧ d3 −d1 ≥R lalarm → d1 +∆t∗min ≤R c1 ≤R d1 +∆t∗max 0<k ′ <n ∧ d4 >R 0 ∧ d4 −d2 ≥R lalarm → d2 +∆t∗min ≤R c2 ≤R d2 +∆t∗max and Mon(pos)[G′ ]. After making some simplifications we obtain the following set of (many-sorted) constraints: CDefinitions pos′ (k) = c1 pos′ (k ′ ) = c2 pos(k) = d1 pos(k ′ ) = d2 pos(k ′′ ) = d3 pos(k ′′′ ) = d4 CIndices k ′′ = k − 1 k ′′′ = k ′ − 1 0≤k <n−1 k′ = k + 1 CReals c 1 ≤ R c2 d1 >R d2 d3 >R d1 d3 >R d2 d3 >R d4 d4 >R d2 d1 = d4 (Dom) CMixed (GF10 ) (GF20 ) (GF30 ) (GF40 ) For checking the satisfiability of CIndices ∧ CReals ∧ CMixed we can use a prover for the two-sorted combination of the theory of integers and the theory of reals, possibly combined with a DPLL methodology for dealing with full clauses. An alternative method, somewhat similar to DPLL(T 0 ), would be to use only branching on the literals containing terms of index sort – this reduces the verification problem to the problem of checking the satisfiability of a set of linear constraints over the reals. 5 Conclusions In this paper we described a case study concerning a system of trains on a rail track, where trains may enter and leave the area. An example of a safety condition for such a system (collision freeness) was considered. The problem above can be reduced to testing satisfiability of quantified formulae in complex theories. However, the existing results on reasoning in combinations of theories are restricted to testing satisfiability for ground formulae. This paper shows that, in the example considered, we can reduce satisfiability checking of universally quantified formulae to the simpler task of satisfiability checking for ground clauses. For this, we identify corresponding chains of theory extensions T0 ⊆ T1 ⊆ · · · ⊆ Ti , such that Tj = Tj−1 ∪ Kj is a local extension of Tj−1 by a set Kj of (universally quantified) clauses. This 11 allows us to reduce, for instance, testing collision freeness in theories containing arrays to represent the train positions, to checking the satisfiability of a set of sets of ground clauses over the combination of the theory of reals with a theory which expresses precedence between trains. The applicability of the method is however general: the challenge is, at the moment, to recognize classes of local theories occurring in various areas of application. The implementation of the procedure described here is in progress, the method is clearly easy to implement. At a different level, our results open a possibility of using abstraction-refinement deductive model checking in a whole class of applications including the examples presented here – these aspects are not discussed in this paper, and rely on results we obtained in [9]. The results we present here also have theoretical implications: In one of the models we considered here, collision-freeness is expressed as a monotonicity condition. Limits of decidability in reasoning about sorted arrays were explored in [1]. The decidability of satisfiability of ground clauses in the fragment of the theory of sorted arrays which we consider here is an easy consequence of the locality of extensions with monotone functions. Acknowledgements. This work was partly supported by the German Research Council (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS). See www.avacs.org for more information. References [1] A. Bradley, Z. Manna, and H. Sipma. What’s decidable about arrays? In E. Emerson and K. Namjoshi, editors, Verification, Model-Checking, and Abstract-Interpretation, 7th Int. Conf. (VMCAI 2006), LNCS 3855, pp. 427–442. Springer, 2006. [2] J. Faber. Verifying real-time aspects of the European Train Control System. In Proceedings of the 17th Nordic Workshop on Programming Theory, pp. 67–70. University of Copenhagen, Denmark, October 2005. [3] H. Ganzinger, V. Sofronie-Stokkermans, and U. Waldmann. Modular proof systems for partial functions with weak equality. In D. Basin and M. Rusinowitch, editors, Automated reasoning : 2nd Int. Joint Conference, IJCAR 2004, LNAI 3097, pp. 168– 182. Springer, 2004. An extended version will appear in Information and Computation. [4] S. Ghilardi. Model theoretic methods in combined constraint satisfiability. Journal of Automated Reasoning, 33(3–4):221–249, 2004. [5] S. Jacobs and V. Sofronie-Stokkermans. Applications of hierarchical reasoning in the verification of complex systems (extended version). Available online at http://www.mpi-sb.mpg.de/∼sofronie/papers/jacobs-sofronie-pdpar-extended.ps [6] S. McPeak and G. Necula. Data structure specifications via local equality axioms. In K. Etessami and S. Rajamani, editors, Computer Aided Verification, 17th International Conference, CAV 2005, LNCS 3576, pp. 476–490, 2005. [7] G. Nelson and D. Oppen. Simplification by cooperating decision procedures. ACM Trans. on Programming Languages and Systems, 1(2):245–257, 1979. [8] V. Sofronie-Stokkermans. Hierarchic reasoning in local theory extensions. CADE’2005: Int. Conf. on Automated Deduction, LNCS 3632, pp. 219–234. Springer, 2005. [9] V. Sofronie-Stokkermans. Interpolation in local theory extensions. In Proceedings of IJCAR 2006, LNAI 4130, pp. 235–250. Springer, 2006. 12