Verifying Systems with Replicated Components in Mur ' ?

states are written in the form (s; fqe1 1 ; : : : ; qek k g), where each ei is 1 or + (when the constructor is 0, the component state is omitted). A concrete state a = (s; [r1; :::; rz]) is represented by an abstract state A = (s; fqe1 1 ; :::; qek k g) if the following conditions are satisfied: – ei = + if qi occurs in [r1; : : : ; rz] two or more times; – ei = 1 or ei = + if qi occurs in [r1; : : : ; rz] exactly once; – a component state does not appear in [q1; : : : ; qk] if it does not appear in [r1; : : : ; rz]. The abstract states are partially ordered: (s; fqe1 1 ; :::; qek k g) (s; fqe0 1 1 ; :::; qe0k k g) if and only if ei = + implies e0i = +. In this case, (s; fqe01 1 ; :::; qe0k k g) is said to cover (s; fqe1 1 ; :::; qek k g). The notation a 2 A is used to indicate thatA represents a. The set of abstract states representing a particular concrete state has a unique minimum element in this order; the abstracting function abs used in our verifier maps a concrete state to its minimum abstract representative. In many cases, it is useful to maintain in the abstract state the total number of replicated components, while forgetting exactly how many components are in each component state. Definition 4 Restricted Abstract State. A restricted abstract state is an abstract state paired with a number representing the total number of replicated components. We write (s; fqe1 1 ; : : : ; qek k g)jn to represent the restricted abstract state with n components. 3.2 The Basic On-The-Fly Algorithm We can construct the abstract state graph for a Mur' program with a RepetitiveID type using an on-the-fly algorithm, First of all, C++ code for the abstraction function abs is generated by the Mur' compiler. The start states of the abstract state graph are generated by using this function to abstract the concrete start states. Given an abstract state, the verifier needs to generate all its successors in the abstract state graph. Because of the restrictions of the RepetitiveID, the verifier can always find a small number of concrete states that can be used to find the successors to the abstract state. The choice of concrete states depends on the abstract state, and on the nature of the concrete transition functions.