A Divide & Conquer Approach to Leads-to Model Checking

The paper proposes a new technique to mitigate the state explosion in model checking. The technique is called a divide & conquer approach to leads-to model checking. As indicated by the name, the technique is dedicated to leads-to properties. It is known that many important systems requirements can be expressed as leads-to properties, thus it is worth focusing on leads-to properties. The technique divides an original leads-to model checking problem into multiple smaller model checking problems and tackles each smaller one. We prove a theorem that the multiple smaller model checking problems are equivalent to the original leads-to model checking problem. We conduct two case studies demonstrating the power of the proposed technique.


INTRODUCTION
Model checking [1] is one of the most successful computer science achievements in the past few decades. This is why Edmund M. Clarke, together with E. Allen Emerson and Joseph Sifakis, was honored with the 2007 A. M. Turing Award 1 for their role in developing model checking into a highly effective verification technology. Model checking has been widely adopted in the hardware and software industries. There are still some challenges to tackle in model checking, one of which is the state explosion, the most challenging one. Many techniques to mitigate the state explosion, such as partial order reduction [2] and abstraction [3][4][5], have been devised as those existing techniques are not enough to deal with the state explosion; however, it is still worth tackling.
The present paper proposes a new technique to mitigate the state explosion. The technique is called a divide & conquer approach to leads-to model checking. As indicated by the name, the technique is dedicated to leads-to properties. An informal 1 https://amturing.acm.org/award_winners/clarke_1167964.cfm description of leads-to properties is that whenever something occurs, something else will eventually occur. For example, one desired property mutual exclusion protocols should enjoy can be expressed as a leads-to property: whenever a process wants to enter a critical section, it will eventually be there. Chandy and Misra [6] designed a temporal logic called UNITY in which the leads-to temporal connective plays an important role and demonstrated that many important systems requirements can be expressed as leads-to properties. Therefore, it is worth focusing on leads-to properties.
The proposed technique splits each infinite state sequence in each sub-sequence is much smaller than the one in the original infinite state sequence, it would be feasible to conduct the model checking experiment for the infinite sequence generated from each sub-sequence (including the final one) even though it is impossible to conduct the model checking experiment for the original infinite state sequence due to the state explosion. The proposed technique makes it possible to use any existing linear temporal logic (LTL) model checking algorithm and then any existing LTL model checker. We prove a theorem that the original leads-to model checking problem for the original infinite sequence is equivalent to the multiple model checking problems for the multiple infinite sequences. We design an algorithm based on the theorem and conduct two case studies demonstrating the power of the proposed technique. One case study is a model checking experiment that Qlock protocol, an abstract version of the Dijkstra binary semaphore, enjoys the lockout freedom property that can be expressed as a leads-to property, when 10 processes participate in the protocol, which has been successfully tackled with the proposed technique that uses two layers but has not without it. The other is a model checking experiment that MCS protocol [7], whose variants have been used in Java VMs, enjoys the lockout freedom property, when six processes participate in the protocol, which has been successfully tackled with the proposed technique that uses three layers but has not without it.
The remaining part of the paper is organized as follows. Section 2 explains some preliminaries, such as Kripke structures and LTL. Section 3 describes the theoretical part of the proposed technique. Section 4 describes the proposed technique. Section 5 reports on two case studies. Section 6 mentions some existing related work. Section 7 concludes the paper including some future directions.

PRELIMINARIES
We use the symbol as 'if and only if' or 'be defined as.' where i and j are any natural numbers. Note that π (0,j) = π j .
Let P K be the set of all paths of K. Let P (K,s) The syntax of LTL is as follows: where a ∈ A.

Definition 2.3. (Semantics of LTL).
For any Kripke structure K, any path π of K and any LTL formulas ϕ, K, π | ϕ is inductively defined as follows: • K, π | a if and only if a ∈ L(π(0)) and only if there exists a natural number i such that K, π i | ϕ 2 and for each natural number j < i, K, π j | ϕ 1 where ϕ 1 and ϕ 2 are LTL formulas. Then, K | ϕ if and only if K, π | ϕ for all computations π of K. ⊥ ¬ and some other connectives are defined as follows: . , U, ♦, and are called next, until, eventually, always and leads-to temporal connectives, respectively. Although it is unnecessary Proposition 2.1. Let K be any Kripke structure. If ϕ is any state proposition, then (K, π | ϕ) ⇔ (K, π | ϕ) for any paths π & π of K such that π(0) = π (0).
Leads-to properties are those that are expressed in the form of ϕ 1 ϕ 2 , where ϕ 1 and ϕ 2 are LTL formulas. In this paper, furthermore, we give the constraints to ϕ 1 and ϕ 2 : ϕ 1 and ϕ 2 are state propositions. Chandy and Misra [6] demonstrate that many important systems requirements can be expressed as ϕ 1 ϕ 2 , where ϕ 1 and ϕ 2 are state propositions. Let K, s | ϕ, where s ∈ S, be K, π | ϕ for all π ∈ P (K,s) . Note that K, s | ϕ for all s ∈ I is equivalent to K | ϕ. Let K, s, b | ϕ, where s ∈ S and b is a natural number or ∞, be K, π | ϕ for all π ∈ P b (K,s) . Note that K, s, ∞ | ϕ is K, s | ϕ. Some logical connectives are abused for K, π | ϕ as follows:

MULTIPLE-LAYER DIVISION OF LEADS-TO MODEL CHECKING
First, we prove in Theorem 3.1 that a leads-to model checking problem for a Kripke structure K and a path π of K is equivalent to a model checking problem that is composed of three submodel checking problems for K and two paths of K, where the two paths are obtained by splitting π into two parts. We then prove in Theorem 3.2 that a leads-to model checking problem is equivalent to a model checking problem that is composed of 2L + 1 sub-model checking problems for K and L + 1 paths of K, where L ≥ 1 and the L + 1 paths are obtained by splitting π into L + 1 parts. Let K be any Kripke structure, π be any path of K and ϕ 1 & ϕ 2 be any LTL formulas of K in this section unless otherwise stated. π is an arbitrarily chosen path (or computation) of K and then can be regarded as the whole reachable state space (see Fig. 1). Let π be split into two paths π k and π k , where π k can be regarded as the first layer of the reachable state space and π k can be regarded as the second layer of the reachable state space (see Fig. 1). We prove four lemmas from which Theorem 3.1 is derived.
The first lemma says that if ϕ 1 ϕ 2 holds for the whole reachable state space, then it also holds for the second layer.
Note that (K, π k | ϕ 1 ϕ 2 ) ⇒ (K, π | ϕ 1 ϕ 2 ) because of the following. If there exists i < k such that K, π i | ϕ 1 , there does not exist any j ≥ i such that K, π j | ϕ 2 and there does not exist any i ≥ k such that K, π i | ϕ 1 , then K, π k | ϕ 1 ϕ 2 and K, π | ϕ 1 ϕ 2 . The second lemma says that if ϕ 1 ϕ 2 holds for the whole reachable state space and it does not hold for the first layer, then ♦ϕ 2 holds for the second layer, where ϕ 1 and ϕ 2 are state propositions.
Proof. From the assumption K, π k | ϕ 1 ϕ 2 , there exists i ≤ k such that K, π i k | ϕ 1 but does not exist any j ≥ i such that Because ϕ 1 is a state proposition, K, π i | ϕ 1 from Proposition 2.1. Because ϕ 2 is a state proposition, K, π j | ϕ 2 for any j such that i ≤ j ≤ k from Proposition 2.1. From the assumption K, π | ϕ 1 ϕ 2 as well, however, there must exist j > k such that K, π j | ϕ 2 . Thus, K, π k | ♦ϕ 2 .
The third lemma says that if ♦ϕ 2 holds for the second layer and ϕ 1 ϕ 2 holds for the second layer, then ϕ 1 ϕ 2 holds for the whole reachable state space.
The fourth lemma says that if ϕ 1 ϕ 2 holds for the first layer and ϕ 1 ϕ 2 holds for the second layer, then ϕ 1 ϕ 2 holds for the whole reachable state space.
We are ready to prove that a leads-to model checking problem K, π | ϕ 1 ϕ 2 for a Kripke structure K and a path π of K is equivalent to a model checking problem that is composed of three sub-model checking problems K, for K and the two paths π k and π k of K, where k is a natural number. Proof.
Theorem 3.1 makes it possible to divide the original model checking problem K, π | ϕ 1 ϕ 2 into the three sub-model checking problems K, π k | ϕ 1 ϕ 2 , K, π k | ϕ 1 ϕ 2 and K, π k | (♦ϕ 2 ) ∧ (ϕ 1 ϕ 2 ). We need to have two more lemmas to prove Theorem 3.2 whose description uses two abbreviations of statements on ternary satisfaction relations among Kripke structures, their paths and LTL formulas. The first one of the two lemmas says that an eventually model checking problem for a Kripke structure K and a path π of K is equivalent to a model checking problem that is composed of two sub-model checking problems for K and two paths of K, where the two paths are obtained by splitting π into two parts.
The second one of the two lemmas is on a model checking problem that tackles an eventually property and a leadsto property. Let us call such a model checking problem an eventually & leads-to model checking problem. The lemma says that an eventually & leads-to model checking problem for a Kripke structure K and a path π of K is equivalent to a model checking problem that is composed of three sub-model checking problems for K and two paths of K, where the two paths are obtained by splitting π into two parts.
Proof. It follows from Theorem 3.1 and Lemma 3.5.
We define Leads2 L and E&Leads2 L that are abbreviations of statements on ternary satisfaction relations among Kripke structures, their paths and LTL formulas. To this end, let π be split into L + 1 paths is a non-zero natural number for l = 1, . . . , L (see Fig. 2). π (d(l),d(l+1)) can be regarded as the l + 1st layer of the reachable state space for l = 0, 1, . . . , L.
Section A: Computer Science Theory, Methods and Tools The Computer Journal, 2021 We are ready to prove that a leads-to model checking problem K, π | ϕ 1 ϕ 2 for a Kripke structure K and a path π of K is equivalent to a model checking problem that is composed of 2L+1 sub-model checking problems K, π d(1) | ϕ 1 ϕ 2 , . . . , (1) and (2) are proved by simultaneous induction [8] on L.

A DIVIDE & CONQUER APPROACH TO LEADS-TO MODEL CHECKING ALGORITHM
An algorithm can be constructed based on Theorem 3.2, which is shown as Algorithm 1. For each initial state s 0 ∈ K, unfolding s 0 by using T without sharing any nodes that are states, an infinite tree whose root is s 0 is made. Such an infinite tree can be divided into L + 1 layers as shown in Fig. 3, where L is a non-zero natural number. Because R is finite, the number of different states in each layer is finite. Theorem 3.2 makes it possible to check K | ϕ 1 ϕ 2 in a stratified way in that for each layer l ∈ {1, . . . , L + 1} we can check K, s, d(l) | ϕ for each s ∈ {π(d(l − 1)) | π ∈ P d(l−1) The code fragment at lines 6 -10 checks K, π (d(l−1),d(l)) | ϕ 1 ϕ 2 for some paths π (d(l−1),d(l)) in the lth layer of R for l = 1, . . . , L. The code fragment at lines 11 -15 checks K, π (d(l−1),d(l)) | (♦ϕ 2 ) ∧ (ϕ 1 ϕ 2 ) for the remaining paths π (d(l−1),d(l)) in the lth layer of R for l = 1, . . . , L. When l is 1, LS consists of all initial states and ELS is ∅. The code fragment at lines 18 -21 checks K, π (d(L),d(L+1)) | ϕ 1 ϕ 2 for some paths π (d(L),d(L+1)) in the L + 1st layer of R, where d(L + 1) is ∞ and then π (d(L),d(L+1)) is π d(L) . The code fragment at lines 22 The two assignments at lines 9 & 10 (and those at lines 14 & 15 as well) could be replaced with ELS ← ELS ∪ {π(d(l))} and the condition at line 13 (and that at line 24) could be replaced with K, π | ♦ϕ 2 .
The proposed technique can be interpreted as follows. For each initial state, the reachable state space from the initial state is split into multiple layers (L+1 layers) and generates multiple smaller sub-state spaces as shown in Fig. 4. For each smaller Section A: Computer Science Theory, Methods and Tools The Computer Journal, 2021 sub-state space, we check if ϕ 1 ϕ 2 and/or ♦ϕ 2 holds. If the number of different states in each sub-state space is much less than the one in the entire reachable state space, then model checking for each sub-state space is feasible even though model checking for the entire reachable state space is not.
Although Algorithm 1 does not construct a counterexample when Failure is returned, it could be constructed.   to another state s m as shown in Fig. 5 such that n 0 or s m+n is far from s m . Thus, we should write a systems specification such that there is no such a backward transition in it in order to effectively use the proposed technique.

CASE STUDIES
We have mainly used a computer (referred as Computer A) that carries a 3.00GHz microprocessor with 16GB memory to conduct experiments. Maude [9] is a rewriting logic-based specification/programming language. It is equipped with an LTL model checker. We have used Maude in the case studies.

Qlock: A Mutual Exclusion Protocol
Qlock is a shared-memory mutual exclusion protocol for multiple processes and can be regarded as an abstract version of the Dijkstra binary semaphore in that the queue used is an atomic object. Let us consider that each process would like to enter a critical section once. Each process p is initially located in a place called the start section (ss), putting its ID into a queue shared by all processes (see Fig. 6 (a)) and moving to a place called the wait section (ws). Process p then waits there until its ID becomes the top of the queue (see Fig. 6 (b)). If that is the case, it can enter the critical section (cs) (see Fig. 6 (b)). When it finishes doing what it is supposed to do in the cs, it leaves there, deleting the top from the queue and moving to a place called the finish section (fs) (see Fig. 6 (d)).
A state is expressed as a braced soup of observable components, where observable components are name-value pairs and  : n) is an observable component whose value is a natural number n. The role of (cnt: n) will be described later.
Transitions are described in terms of rewrite rules. The transitions of Qlock are specified as follows: where Q is a variable of queues, I is a variable of process IDs, OCs is a variable of observable component soups and N is a variable of natural numbers. I | Q denotes a non-empty queue such that I is the top and Q is the remaining part of the queue. deq(Q) returns the empty queue if Q is empty and what is obtained by deleting the top from Q otherwise. dec(N) returns 0 if N is 0 and the predecessor number of N otherwise. start, wait, exit and fin are the labels given to the four rules, respectively. Rule start says that if process I is in ss, then it puts its ID into Q at end and moves to ws. Rule wait says that if process I is in ws and the top of the shared queue is I, then I enters cs. Rule exit says that if process I is in cs, then it deletes the top from the shared queue, decrements the natural number N stored in (cnt: N) and moves to fs. Rule fin says that if the natural number N stored in (cnt: N) is 0, a self-transition s → K s occurs. Rule fin is used to make the transitions total. The natural number N stored in (cnt: N) is the number of processes that have not yet reached fs. Use of it and rule fin make it unnecessary to use any fairness assumptions to model check a leads-to property.
Let Qlock when there are 10 processes. We then use Algorithm 1 to tackle the latter case, where L = 1 and d(1) = 3.
We use one more observable component (depth: d), where d is a natural number, to work on the 1st layer. The initial state turns into the following: The rules turn into the following: where D is a variable of natural numbers and Bound is 3. Rule stutter has been added to make each state at depth 3 have a transition to itself. The revised version of rule start says that if D is less than Bound and process I is in ss, then I puts its ID into Q at end and moves to ws and D is incremented. The other revised rules can be interpreted likewise. When we model check inWs1 inCs1 for the revised specification of Qlock, we find a counterexample that is a finite state sequence starting from the initial state and leading to a state loop that consists of one state that is as follows: We need to find all counterexamples and then revise the definition of inCs1 such that inCs1 holds in the state as well. When we model check the same property for the revised specification, we find another counterexample. This process is repeated until no more counterexample is found. We totally find 227 counterexamples and 227 states at depth 3. We gather all states at depth 3 from the initial state, which are totally 820 states that include the 227 states found in the last step. For each of the 820 states as an initial state, we model check inWs1 inCs1 for the original specification of Qlock, finding no counterexample. For each of the 227 states as an initial state we model check ♦ inCs1 for the original specification of Qlock, finding no counterexample. Therefore, we can conclude that it completes to model check inWs1 inCs1 for Qlock when there are 10 processes, finding no counterexample. It takes about 13h to conduct the model checking experiments for the second layer and it takes less than 100ms to conduct each model checking experiment for the first layer. Because there are 227 counterexamples for inWs1 inCs1 in the first layer, we need to conduct 228 model checking experiments for the first layer.

MCS: A Mutual Exclusion Protocol
MCS [7] is also a shared-memory mutual exclusion protocol for multiple processes. Its variants have been used in Java virtual machines and therefore the inventors (John M. Mellor-Crummery and Michael L. Scott) were honored with 2006 Edsger W. Dijkstra Prize in Distributed Computing 3 .
In MCS, one global variable glock shared by all processes participating in the protocol is used. glock contains a process ID or nop implying that no process is referred by glock. Each process p maintains three local variables next[p], pred [p] and lock [p]. Both next [p] and pred[p] contain a process ID or nop and lock[p] contains a Boolean value. Each process is located at one of the 14 locations rs (Remainder Section), l1, l2, l3, l4, l5, l6, cs, l7, l8, l9, l10, l11 and l12. Initially, glock is nop and for each process p, p is located at rs, next[p] is nop, pred[p] is nop and lock[p] is false. Fig. 7 shows MCS written in an Algollike pseudo-code and a graphical picture 4 of a state of MCS when there are three processes p1, p2 and p3. Each process p's next [p] and pred[p] are used to construct a virtual queue of process IDs. glock refers to the bottom element of the queue if the queue is not empty and is nop otherwise. In Fig. 7, for example, p2 is the bottom element of the queue and referred by glock; pred[ p2] is p3 and p3 is the bottom but one element of the queue; pred[p3] is p1 and p1 is the third element from the bottom and the top element of the queue. next[p1] is p3, while next[p3] is not p3 but nop, which means that it has been completed to enqueue p3 into the queue, while it has not been completed to enqueue p2 into the queue. MCS uses two nontrivial atomic operations (or instructions) that are fetch&store and comp&swap (or CAS). fetch&store(x, a) atomically does the following: it sets a variable x to a value a and returns the old value stored in x. comp&swap(x, a, b) atomically does the following: it compares the value stored in a variable x and a value a; if they are the same, it sets x to a value b and returns true; otherwise it just returns false.
We suppose that each process enters the critical section once and formalize MCS as a Kripke structure like Qlock. The Kripke structure is specified in Maude. Let us also consider two atomic propositions inWs1 and inCs1 for MCS. inCs1 for the third layer. We do not find any counterexamples. It takes less than half a minute to conduct each model checking experiment from most of the 67,962 states, but it takes about 2h to do so from some. Thus, it takes longer than one week to complete the 67,962 model checking experiments. Therefore, it would take longer than one year to complete all model checking experiments for the third layer. Then, we use 16 nodes in an SGI UV3000 computer (referred as SGI Computer) available in our institute such that each node carries a 2.9GHz microprocessor with 256GB memory. There are totally 3,730,668 states at depth 16. It takes about one month to complete all model checking experiments for the third layer. We do not find any counterexamples for the third layer, either. Hence, we successfully model check that inWs1 inCs1 holds for MCS when there are six processes and each process enters the critical section once.

Summary of case studies
The proposed divide & conquer approach to leads-to model checking makes it possible to successfully conduct the two model checking experiments: (1) inWs1 inCs1 for Qlock when there are 10 processes and each process enters the critical section once and (2) inWs1 inCs1 for MCS when there are six processes and each process enters the critical section once, which cannot be otherwise tackled by Computer A. Case (1) may be able to be tackled with SGI Computer even though Section A: Computer Science Theory, Methods and Tools The Computer Journal, 2021 the divide & conquer approach to leads-to model checking is not used. We do not think that case (2) can be tackled even with SGI Computer if the approach is not because it would take longer than three weeks to complete case (2) but 3 weeks are the longest time for which we are allowed to continuously use SGI Computer in our institute. We should make best use of multiple nodes or cores to make the approach effective. The specifications in Maude used in the case studies are available at the webpage 5 .

RELATED WORK
The state explosion is one of the most notorious problems in model checking. Many researchers have tackled the problem and come up with several techniques to mitigate it. Among such techniques are partial order reduction [2], symmetry reduction [12], abstraction [3][4][5], abstract logical model checking [13] and SAT-based bounded model checking (BMC) [14]. The proposed divide & conquer approach to leads-to model checking is a new technique to mitigate the challenge on space.
Clarke, et al. summarize several techniques that address the state space explosion problem in model checking [15]. Among them are counterexample-guided abstraction refinement (CEGAR) [4] and SAT-based BMC. For a system model whose (reachable) state space is enormous, CEGAR starts with one abstract model whose (reachable) state space is reasonably small such that it can be tractable by a model checker. If a counterexample is found, CEGAR checks if the counterexample is real. If no, CEGAR refines the abstract model based on the counterexample and repeats the experiment for the refined model until a real counterexample is found or no counterexample is found for some refined model (including the initial 5 http://www.jaist.ac.jp/~ogata/code/dca2l2mc/ abstract model). It may be the case that the (reachable) state space of some refined model becomes enormous and then it will be infeasible to do model checking for the model. SAT-based BMC is used in industries, especially hardware industries. BMC can find a flaw located within some reasonably shallow depth k from each initial state but cannot prove that systems whose (reachable) state space is enormous (including infinitestate systems) enjoy desired properties. Some extensions have been made to SAT-based BMC so that we can prove that such systems enjoy desired properties: Craig interpolationbased model checking [16] and k-induction [17,18]. Craig interpolation-based model checking approximately traverses the reachable state space of a system under model checking by calculating an interpolation of two logical formulas obtained from the logical formula used for SAT-based BMC. Such an interpolation can be efficiently calculated by a SAT solver.
McMillan demonstrates that some model checking problems that cannot be handled with symbolic model checking can be efficiently tackled with Craig interpolation-based model checking [16]. k-induction is a combination of mathematical induction and SAT/SMT-based BMC. The bounded state space of each initial state up to depth k is tackled with BMC, which is regarded as the base case. For each state sequence s 0 , s 1 , . . . , s k , where s o is an arbitrary state, such that a property concerned is not broken in each state s i for i = 0, 1, . . . , k, it is checked that the property is not broken in all successor states s k+1 of s k , which is done with a SAT/SMT solver and regarded as the induction case. If an SMT solver is used, infinite-state systems, for example, in which integers are used, could be handled. Our proposed technique can be regarded as another extension of BMC, although we do not use any SAT/SMT solvers.
Barnat et al. [19] survey some recent advancement of parallel model checking algorithms for LTL. Graph search algorithms need to be redesigned to make best use of multi-core and/or Section A: Computer Science Theory, Methods and Tools The Computer Journal, 2021 multi-processor architectures. Parallel model checkers based on such parallel model checking algorithms have been developed, among which are DiVinE 3.0 [20] and Garakabu2 [21,22]. We do not describe how to parallelize Algorithm 1 in the present paper, although we conduct sub-model checking experiments in the second case study in parallel by hand with several nodes in SGI Computer and it is possible to parallelize Algorithm 1. We do not need to redesign graph search algorithms so as to parallelize Algorithm 1 but can use any existing LTL model checking algorithm and model checker, which is one advantage of the approach, although Algorithm 1 is limited to properties in the form p q such that p and q are state propositions, though. The proposed divide & conquer approach to leads-to model checking can mitigate the challenge on time as well.

CONCLUSION
We have proposed a new technique to mitigate the state explosion in model checking. The technique is dedicated to leadsto properties. It divides a leads-to model checking problem into multiple smaller model checking problems and tackles each smaller one. We have proved that the multiple smaller model checking problems are equivalent to the original leads-to model checking problem. We have reported on two case studies demonstrating the power of the proposed technique.
A prototype tool [23,24] has been first implemented in Maude and is dedicated to the case when L = 1, namely the 2 layer divide & conquer approach to leads-to model checking.
We have also implemented a support tool for the L + 1layer divide & conquer approach to leads-to model checking [25]. The tool does all necessary modifications to systems specifications (or systems models). Thus, human users do not need to change both their systems specifications and property specifications (namely LTL formulas of leads-to properties) to use the divide & conquer approach to leads-to properties. The proposed technique can be naturally parallelized because all sub-state spaces in one layer can be tackled independently and even many sub-state spaces in different layers can be. One piece of our future work is to parallelize Algorithm 1 and develop a tool that can make best use of multi-core and/or multi-processor architectures for the proposed technique. As usual, we need to conduct more case studies to make sure that the proposed technique is really useful. We may also want to make it possible to apply the proposed technique to a larger class of LTL properties.
We suppose that systems (or protocols) are specified in Maude. Maude is a rich-typed specification language, for example, making it possible to use inductively defined data structures in systems under model checking. We could translate systems specifications in Maude to those in other rich-typed specification languages, such as VDM++ [26] and SOFL [27]. If so, a support tool can be used to model check that systems specified in those specification languages enjoy leadsto properties.
A mutual exclusion protocol for ad hoc mobile networks [28] has motivated us to come up with the proposed technique. When there are only three nodes and at most three link failures could occur, the state explosion makes it impossible to conduct a leads-to model checking experiment [29]. It is also a piece of our future work to complete the leads-to model checking experiment for the ad hoc mobile network mutual exclusion protocol. Note that although we mention our preliminary idea of a divide & conquer approach to leads-to model checking in [29] without any proofs, it is flawed. The present paper proposes a divide & conquer approach to leads-to model checking together with its correctness proof.
It is crucial to find L and d(l) for l = 1, . . . , L reasonably well so that we can effectively use the proposed technique. Good L and d(l) for l = 1, . . . , L depend on systems or Kripke structures formalizing systems. It is also a piece of our future work to investigate how to find good L and d(l) for l = 1, . . . , L. One possible idea for it is as follows. As written, we should make a formal specification such that it does not have any long backward transitions as shown in Fig. 5 so as to effectively use the proposed technique. The two formal specifications of the two mutual exclusion protocols used in the case study reported do not have any long backward transitions and have a terminallike state. For a formal specification that has a terminal-like state, we could calculate the depth to the terminal-like state from each initial state. We could use the depth to find out good L and d(l) for l = 1, . . . , L.
The model checking performance may depend on the number of transitions as well as the number of states in a system under model checking. The proposed technique addresses the problem caused by the number of states but does not the one caused by the number of transitions. It may be the case that there are some sub-state spaces that have a smaller number of states than the whole state space but a similar number of transitions than the whole state space. If so, the proposed technique may not efficiently tackle such a system. It is one piece of our future work how we should handle such a system. 12 Y. Phyo et al.