Linking Theorem Proving and Model-Checking with Well-Founded Bisimulation

We present an approach to verification that combines the strengths of model-checking and theorem proving. We use theorem proving to show a bisimulation up to stuttering on a—potentially infinite-state—system. Our characterization of stuttering bisimulation allows us to do such proofs by reasoning only about single steps of the system. We present an on-the-fly method that extracts the reachable quotient structure induced by the bisimulation, if the structure is finite. If our specification is a temporal logic formula, we model-check the quotient structure. If our specification is a simpler system, we use an equivalence checker to show that the quotient structure is stuttering bisimilar to the simpler system. The results obtained on the quotient structure lift to the original system, because the quotient, by construction, is refined by the original system. We demonstrate our methodology by verifying the alternating bit protocol. This protocol cannot be directly model-checked because it has an infinite-state space; however, using the theorem prover ACL2, we show that the protocol is stuttering bisimilar to a small finite-state system, which we model-check. We also show that the alternating bit protocol is a refinement of a non-lossy system.