A Divide and Conquer Approach to Eventual Model Checking

: The paper proposes a new technique to mitigate the state of explosion in model checking. The technique is called a divide and conquer approach to eventual model checking. As indicated by the name, the technique is dedicated to eventual properties. The technique divides an original eventual model checking problem into multiple smaller model checking problems and tackles each smaller one. We prove a theorem that the multiple smaller model checking problems are equivalent to the original eventual model checking problem. We conducted a case study that demonstrates the power of the proposed technique.


Introduction
Model checking is an attractive and promising formal verification technique because it is possible to automatically conduct model checking experiments once good concise formal models are made.It has also been used in industries, especially hardware industries.There are still some challenges to tackle in model checking, one of which is the state explosion, the most annoying one.Many techniques to mitigate the state explosion have been devised, such as symbolic model checking [1] and SAT-based bounded model checking (BMC) [2], where SAT stands for Boolean satisfiability problem.As those existing techniques are not enough to deal with the state explosion, it is still worth tackling the issue.
Moe Nandi Aung et al. [3] tried to check that an autonomous vehicle intersection control protocol [4] enjoyed some desired properties, where there were 13 vehicles, and encountered the notorious state space explosion, making it impossible to conduct the model checking experiments.Note that it was possible to conduct the model checking experiments for a case wherein there were five vehicles.One property is the starvation freedom property that can be expressed as an eventual property.An informal description of the starvation freedom property is that every vehicle will pass the intersection concerned.The case motivated us to come up with the technique proposed in the present paper.
The present paper proposes a divide and conquer approach to eventual model checking.The technique splits the reachable state space from each initial state into L + 1 layers, where L ≥ 1, generating multiple smaller sub-state spaces, dividing the original eventual mode checking problem into multiple smaller model checking problems and tackling each smaller one.As the name indicates, the technique proposed in the present paper is dedicated to eventual properties.Many important software requirements can be expressed as eventual properties.For example, halting is one important requirement many programs should enjoy.Halting can be expressed as an eventual property.We prove a theorem that the multiple smaller model checking problems are equivalent to the original eventual model checking problem.We conducted a case study that demonstrates the power of the proposed technique.Maude [5] was used as the formal specification language and Maude LTL (linear temporal logic) model checker was used as the model checker.
The model checking algorithm adopted by Maude LTL model checker is the same as the one used by SPIN [6], which is one of the most popular model checkers for model checking software systems.It has been reported that Maude LTL model checker is comparable with SPIN with respect to model checking running performance.This implies that whenever Maude LTL model checker encounters the state space explosion problem, making it impossible to conduct model checking experiments, SPIN does so as well, and so do most existing model checkers.The proposed technique aims at mitigating the state space explosion problem and we demonstrate that it can mitigate the problem through a case study.We are allowed to use Maude as a formal specification language for systems under model checking.Maude is extremely expressive because it is one direct descendant of and OBJ language family, such as OBJ3 [7] and CafeOBJ [8].Inductively-defined data structures, associative and/or commutative binary operators, etc., can be used in systems' specifications under model checking with the Maude LTL model checker.Inductively-defined data structures and associative and/or commutative binary operators cannot be used in systems' specifications under model checking for most existing model checkers, such as SPIN and NuSMV [9].This is mainly why we used the Maude LTL model checker.Those who are more interested in the flavor of the Maude LTL model checker are recommended to see the paper [10] in which the Maude LTL model checker is intensively compared with the Symbolic Analysis Laboratory (SAL) [11], a collection of model checkers.
The remaining part of the paper is organized as follows.Section 2 explains some preliminaries, such as Kripke structures and LTL.Section 3 uses a simple example to outline the proposed technique.Section 4 describes the theoretical part of the proposed technique.Section 5 describes the proposed technique.Section 6 reports on a case study.Section 7 mentions some existing related work.Section 8 concludes the paper and suggests some future directions.

Preliminaries
This section describes some preliminaries needed to read the technical contents of the paper.We give the definitions of Kripke structures, the syntax of LTL formulas and the semantics of LTL formulas.We need infinite sequences of states (called paths of Kripke structure) to define the semantics of LTL formulas.We introduce several notations or symbols for paths, sets of paths and satisfaction relations, where satisfaction relations are the essence of the semantics of LTL formulas.We prepared tables for those notations or symbols.We use the symbol as "if and only if" or "be defined as." Definition 1 (Kripke structures).A Kripke structure K S, I, T, A, L consists of a set S of states, a set I ⊆ S of initial states, a left-total binary relation T ⊆ S × S over states, a set A of atomic propositions and a labeling function L whose type is S → 2 A .An element (s, s ) ∈ T is called a (state) transition from s to s and may be written as s → K s .S does not need to be finite.The set R of reachable states is inductively defined as follows: I ⊆ R and if s ∈ R and (s, s ) ∈ T, then s ∈ R. We suppose that R is finite.K in s → K s may be omitted if it is clear from the context.
An infinite sequence of states is a sequence that consists of states infinitely many times, where infinitely many copies of some states may occur.Let s 0 , s 1 , . . ., s i , s i+1 , . . .be an infinite sequence of states, where s 0 is the top element (called 0th element), s 1 is the next element (called 1st element) and s i is the ith element.As we suppose that R is finite, if s 0 ∈ R, then s 0 , s 1 , . . ., s i , s i+1 , . . .only consists of bounded number of different states, although infinitely many copies of some states occur.As usual, let ∞ be used to denote the infinity.An infinite sequence s 0 , s 1 , . . ., s i , s i+1 , . . . of states is called a path of K if and only if for any natural number i, (s i , s i+1 ) ∈ T. Let π be s 0 , s 1 , . . ., s i , s i+1 , . . .and some notations are defined as follows: where i and j are any natural numbers.Note that π (0,j) = π j .Note that where a ∈ A.
Definition 3 (Semantics of LTL).For any Kripke structure K, any path π of K and any LTL formula ϕ, K, π |= ϕ is inductively defined as follows: ⊥ ¬ and some other connectives are defined as follows: , U , ♦, and are called next, until, eventually, always and leads-to temporal connectives, respectively.Although it is unnecessary to directly define the semantics for ♦, and , we can define it as follows: We summarize some notations or symbols used in the paper in the three tables: Tables 1-3.Table 1 describes notations or symbols for paths.Table 2 describes notations or symbols for sets of paths.Table 3 describes notations or symbols for satisfaction relations.the postfix s i , s i+1 , . . .obtained by deleting the first i states s 0 , s 1 , . . ., s i−1 from π π i s 0 , s 1 , . . . ,s i , s i , . . .constructed by first extracting the prefix s 0 , s 1 , . . . ,s i , the first i + 1 states from π and then adding s i , the final state of the prefix, to the prefix at the end infinitely many times π ∞ s 0 , s 1 , . . ., s i , s i+1 , . .., the same as π π (i,j) if i ≤ j, then s i , . . ., s j , s j , . .., the same as (π i ) j−i ; otherwise, s i , s i , . .., the infinite sequence in which only s i occurs infinitely many times π (i,∞) s i , s i+1 , . .., the same as π i π i j the same as π (i,j) Table 2. Descriptions of path-set notations (or symbols), where b is a natural number.

P K
the set of all paths of K P (K,s) the set of all paths π of K such that π(0), the 0th state of the path π, is s the same as P (K,s)

Symbol Description
K, π |= ϕ an LTL formula ϕ holds for a path π of K K |= ϕ an LTL formula ϕ holds for all computations of K K, s |= ϕ an LTL formula ϕ holds for all paths in P (K,s) K, s, b |= ϕ an LTL formula ϕ holds for all paths in P b

Outline of the Proposed Technique
Let us outline the proposed technique with a simple system (or Kripke structure) called SimpSys as depicted in Figure 1 so that you can intuitively comprehend the technique.SimpSys has four states s 0 , s 1 , s 2 and s 3 , where s 0 is the only initial state.There are seven transitions depicted as arrows in Figure 1.Let us consider three atomic propositions init, middle and final.The labeling function is defined as depicted in Figure 1.For example, middle holds in s 1 and s 2 and does not in s 0 and s 3 .Let us take ♦ final as a property concerned.We can straightforwardly check that SimpSys satisfies ♦ final, namely SimpSys |= ♦ final, and then do not need to use the proposed technique for this model checking experiment.We, however, use this simple model checking experiment to sketch the technique.The left part of Figure 2 shows the computation tree made from the reachable states such that its root is the initial state s 0 .Let us split the computation tree into two layers such that the first layer depth is 1.Note that it is unnecessary to specify the second (or the final) layer depth.The first layer has one sub-state space such that its initial state is s 0 as shown in the right part of Figure 2. The second layer has three sub-state spaces such that their initial states are s 1 , s 2 and s 3 , respectively.We first conduct the model checking experiment that ♦ final holds for the sub-state space in the first layer.There are two counterexamples: (1) s 0 , s 1 , s 1 , . . .and (2) s 0 , s 2 , s 2 , . .., where s 1 and s 2 are called counterexample states.As ♦ final holds for s 1 , s 3 , s 3 , . .., we do not need to conduct the model checking experiment that ♦ final holds for the sub-state space whose initial state is s 3 in the second layer.It suffices to conduct the model checking experiments that ♦ final holds for the two sub-state spaces whose initial states are s 1 and s 2 , respectively.There are no counterexamples for the two model checking experiments and then we can conclude that SimpSys satisfies ♦ final.This is how the proposed technique works.For this simple example, the number of different states in each sub-state space is the same as or almost the same as the number of different states in the original state space.If the number of each sub-state space is much smaller than the number of the original state space, then even though it is impossible to conduct a model checking experiment for the original reachable state space because of the state space explosion, it may be possible to conduct the model checking experiment for each sub-state space.This is how the proposed technique mitigates the state space explosion problem.

Multiple Layer Division of Eventual Model Checking
This section describes the theoretical contribution of the paper.An overview of the proposed technique is as follows: an eventual model checking problem is divided into multiple smaller model checking problems and each smaller model checking problem is tackled so as to tackle the original eventual model checking experiment.We need to guarantee that tackling each smaller model checking problem is equivalent to tackling the original eventual model checking problem.We prove a theorem for it.
We first tackle the case in which L is 1.
Lemma 1 (Two-layer division of ♦).Let ϕ be any state proposition of K.For any natural number k, (K, because they are equivalent).
If so, we have the following as an instance of the induction hypothesis: Therefore, the induction hypothesis instance can be rephrased as follows: From Definition 5, Eventually l+1 (K, π, ϕ, 0) is because of the induction hypothesis instance.From Lemma 1, this is equivalent to K, π |= ♦ϕ.
Theorem 1 makes it possible to divide the original model checking problem

A Divide and Conquer Approach to an Eventual Model Checking Algorithm
This section describes an algorithm that carries out the proposed technique.The algorithm takes as inputs a Kripke structure K, a state proposition ϕ, a non-zero natural number L and a function d such that d(x) is a natural number for x = 1, . . ., L, where d(x) is the depth of layer x; and returns as an output success if K |= ♦ϕ holds and failure otherwise.
An algorithm can be constructed based on Theorem 1, which is shown as Algorithm 1.For each initial state s 0 ∈ K, unfolding s 0 by using T such that each node except for s 0 has exactly one incoming edge, an infinite tree whose root is s 0 is made.The infinite tree may have multiple copies of some states.Such an infinite tree can be divided into L + 1 layers, as shown in Figure 3, where L is a non-zero natural number.Although there does not actually exist layer 0, it is convenient to just suppose that we have layer 0. Therefore, let us suppose that there is virtually layer 0 and s o is located at the bottom of layer 0. Let n l be the number of states located at the bottom of layer l = 0, 1, . . ., L and then there are n l sub-state spaces in layer l + 1.In this way, the reachable state space from s 0 is divided into multiple smaller sub-state spaces.As R is finite, the number of different states in each layer and in each sub-state space is finite.Theorem 1 makes it possible to check K |= ♦ ϕ in a stratified way in that for each layer l ∈ {1, . . ., L + 1} we can check K, s, d(l) |= ♦ ϕ for each s ∈ {π(d(l − 1)) | π ∈ P d(l−1) (K,s 0 ) }, where d(0) is 0, d(x) is a non-zero natural number for x = 1, . . ., L and d(L + 1) is ∞.
ES and ES are variables to which sets of states are set.Each iteration of the outermost loop in Algorithm 1, which conducts the model checking experiment in layer l = 1, . . ., L + 1. ES, is the set of states located at the bottom of layer l = 0, 1, . . .L and ES is the empty set before the model checking experiments conducted in the l + 1st iteration.If K, π |= ♦ϕ for π ∈ P d(l) (K,s) , then π(d(l)) is added to ES .ES is set to ES at the end of each iteration.If ES is empty at the beginning of an iteration, Success is returned, meaning that K |= ♦ϕ holds.After the outermost loop, we check whether ES is empty.If so, Success is returned, and otherwise, Failure is returned.
Although Algorithm 1 does not construct a counterexample when failure is returned, it could be constructed.For each l ∈ {0, 1, . . ., L}, ES l is prepared.As elements of ES l , pairs (s, s ) are used, where s is a state in S or a dummy state denoted δ-stt that is different from any state in S, s is a state in S and s is reachable from s if s ∈ S. The assignment at line 6 should be revised as follows: The assignment at line 10 should be revised as follows: The assignment at line 14 should be revised as follows:

A Case Study
Many systems' requirements can be expressed as eventual properties.Termination or halting is one important requirement that many programs should satisfy, which can be expressed as an eventual property.The starvation freedom property that should be satisfied by systems, such as an autonomous vehicle intersection control protocol [4], can be expressed as an eventual property.Some communication protocols, such as Alternating Bit Protocol (ABP) and the sliding window protocol used in Transmission Control Protocol (TCP), guarantee that all data sent by a sender are delivered to a receiver without any data loss and duplication.The requirement can be expressed as an eventual property.
We use a mutual exclusion protocol as an example in the case study.The requirement we take into account is that the protocol guarantees that a process can enter the critical section, doing some tasks there, leaving the section and reaching a final position (or terminating).The requirement can be expressed as an eventual property.The mutual exclusion protocol is called Qlock, an abstract version of the Dijkstra binary semaphore in that an atomic queue of process IDs is used.
In the rest of the section, we first describe Qlock, how to formally specify Qlock and the property concerned in Maude and how to model check the eventual property with the proposed technique.Let us note that when there are 10 processes that participate in Qlock, it is impossible to complete the model checking experiment with Maude LTL model checker, while it is possible to do so with the proposed technique.We finally summarize the case study.

Qlock
We report on a case study that demonstrates the power of the proposed technique.The case study used a mutual exclusion protocol called Qlock whose pseudo-code for each process p can be described as follows: "Start Section" ss : enq(queue, p); ws : repeat until top(queue) = p; "Critical Section" cs : deq(queue); fs : . . ."Finish Section" where queue is an atomic queue of process IDs shared by all processes participating in Qlock.enq(queue, p) atomically puts a process ID p into queue at bottom.top(queue) atomically returns the top element of queue.deq(queue) atomically deletes the top element of queue.If queue is empty, deq(queue) does nothing.queue is initially empty.Each process p is supposed to be located at one of the four locations ss (start section), ws (waiting section), cs (critical section) and fs (finish section), and is initially located at ss.Let us suppose that each process p stays fs once it gets there, implying that it enters the critical section at most once.The property to be checked in this case study is that a process will eventually get to fs.The property can be formalized as an eventual property.When there were 10 processes, it did not complete the model check with the Maude LTL model checker running on a computer that carried a 2.10 GHz microprocessor and 8 GB main memory because of the state space explosion.

Formal Specification
We describe how to formally specify Qlock in Maude.A state is expressed as a braced soup of observable components, where observable components are name-value pairs and soups are associative-commutative collections.When there are n processes, the initial state of Qlock is as follows: {(queue: empq) (pc[p1]: ss) ... (pc[pn]: ss) (cnt: n)} where (queue: empq) is an observable component saying that the shared queue is empty, (pc[pi]: ss) is an observable component saying that process pi is in the ss and (cnt: n) is an observable component whose value is a natural number n.The role of (cnt: n) will be described later.
Transitions are described in terms of rewrite rules.The transitions of Qlock are specified as follows: where Q is a variable of queues, I is a variable of process IDs, OCs is a variable of observable component soups and N is a variable of natural numbers.I | Q denotes a non-empty queue such that I is the top and Q is the remaining part of the queue.deq(Q) returns the empty queue if Q is empty and what is obtained by deleting the top from Q otherwise.dec(N) returns 0 if N is 0 and the predecessor number of N otherwise.
start, wait, exit and fin are the labels given to the four rules, respectively.Rule start says that if process I is in ss, then it puts its ID into Q at end and moves to ws.Rule wait says that if process I is in ws and the top of the shared queue is I, then I enters cs.Rule exit says that if process I is in cs, then it deletes the top from the shared queue, decrements the natural number N stored in (cnt: N) and moves to fs.Rule fin says that if the natural number N stored in (cnt: N) is 0, a self-transition s → K s occurs.Rule fin is used to make the transitions total.The natural number N stored in (cnt: N) is the number of processes that have not yet reached fs.Use of it and rule fin make it unnecessary to use any fairness assumptions to model check an eventual property.
Let us consider one atomic proposition inFs1.inFs1 holds in a state if and only if the state matches {(pc[p1]: fs) OCs}, namely, that process p1 is in fs.

Model Checking with the Proposed Technique
It quickly completes to model check ♦ inFs1 for Qlock when there are five processes, finding no counterexample.It is, however, impossible to model check the same property for Qlock when there are 10 processes.We then use Algorithm 1 to tackle the latter case, where L = 1 and d(1) = 3.
We use one more observable component where D is a variable of natural numbers and Bound is 3. Rule stutter has been added to make each state at depth three have a transition to itself.The revised version of rule start says that if D is less than Bound and process I is in ss, then I puts its ID into Q at end and moves to ws and D is incremented.The other revised rules can be interpreted likewise.When we model checked ♦ inFs1 for the revised specification of Qlock, we found a counterexample that is a finite state sequence starting from the initial state and leading to a state loop that consists of one state that is as follows: We needed to find all counterexamples and then revise the definition of inFs1 such that inFs1 holds in the state as well.When we model checked the same property for the revised specification, we found another counterexample.This process was repeated until no more counterexamples were found.We totally found 819 counterexamples and 819 counterexample states at depth three.
We gathered all states at depth three from the initial state, which totaled 820 states, including the 819 states found in the last step.There was one state at depth three such that process p1 was located at fs.For each of the 819 states as an initial state, we model checked ♦ inFs1 for the original specification of Qlock, finding no counterexample.Therefore, we can conclude that it completed model check ♦ inFs1 for Qlock when there were 10 processes, finding no counterexample.It took about 44 h to conduct the model checking experiments for the second layer and it took less than 200 ms to conduct each model checking experiment for the first layer.As there were 819 counterexamples for ♦ inFs1 in the first layer, we needed to conduct 820 model checking experiments for the first layer.

Summary of the Case Study
The proposed divide and conquer approach to eventual model checking makes it possible to successfully conduct the model checking experiment ♦ inFs1 for Qlock when there are 10 processes and each process enters the critical section at most once, which cannot be otherwise tackled by the computer used in the case study.The specifications in Maude used in the case study are available at the webpage (http://www.jaist.ac.jp/ ~ogata/code/dca2emc/).

Related Work
The state space explosion problem is one of the biggest challenges in model checking.Many techniques to mitigate it have been proposed so far.Among them are partial order reduction [12], symmetry reduction [13], abstraction [14][15][16], abstract logical model checking [17] and SAT-based bounded model checking (BMC) [2].The proposed divide and conquer approach to eventual model checking is a new technique to mitigate the problem when model checking eventual properties.The second, third and fourth authors of the present paper proposed a (L + 1-layer) divide and conquer approach to leads-to model checking [18].The technique proposed in the present paper can be regarded as an extension of the one described in the paper [18] to eventual properties.
Clarke et al. summarized several techniques that address the state space explosion problem in model checking [19].One of them is SAT-based BMC.SAT-based BMC is used in industries, especially hardware industries.BMC can find a flaw located within some reasonably shallow depth k from each initial state but cannot prove that systems whose (reachable) state space is enormous (including infinite-state systems) enjoy the desired properties.Some extensions have been made to SAT-based BMC so that we can prove that such systems enjoy the desired properties.One extension is k-induction [20,21].k-induction is a combination of mathematical induction and SAT/SMT-based BMC, where SMT stands for SAT modulo theories.The bounded state space from each initial state up to depth k is tackled with BMC, which is regarded as the base case.For each state sequence s 0 , s 1 , . . ., s k , where s o is an arbitrary state, such that a property concerned is not broken in each state s i for i = 0, 1, . . ., k, it is checked that the property is not broken in all successor states s k+1 of s k , which is done with an SAT/SMT solver and regarded as the induction case.If an SMT solver is used, infinite-state systems, for example, in which integers are used, could be handled.Our proposed technique can be regarded as another extension of BMC, although we do not use any SAT/SMT solvers.
SAT/SMT-based BMC has been extended to model check concurrent programs [22].Given a concurrent (or multithreaded) program P together with two parameters u and r that are the loop unwinding bound and the number of round-robin schedules, respectively, an intermediate bounded program P u is first generated by unwinding all loops and inlining all function calls in P with u as a bound, except for those used for creating threads, and then P u is transformed into a sequential program Q u,r that simulates all behaviors of P u within r round-robin schedules.Q u,r is then transformed into a propositional formula, which is converted into an equisatisfiable CNF formula that can be analyzed by an SAT/SMT solver.This way to model check multithreaded programs can be parallelized by decomposing the set of execution traces of a concurrent program into symbolic subsets and analyzing the set of execution traces in parallel [23].Instead of generating a single formula from P via Q u,r , multiple propositional sub-formulas are generated.Each sub-formula corresponds to a different symbolic partition of the execution traces of P and can be checked for satisfiability independently from the others.The approaches to BMC of multithreaded programs seem able to deal with safety properties only, while our tool is able to deal with leadsto properties, a class of liveness properties.Another difference between their approach and our approach is that the target of our approach is designs of concurrent/distributed systems, while the one of theirs is concurrent programs.
Barnat et al. [24] surveyed some recent advancements of parallel model checking algorithms for LTL.Graph search algorithms need to be redesigned to make the best use of multi-core and/or multi-processor architectures.Parallel model checkers based on such parallel model checking algorithms have been developed, among which are DiVinE 3.0 [25], Garakabu2 [26,27] and a multicore extension of SPIN [28].In the technique proposed in the present paper, there are generally multiple sub-state spaces in each layer, and model checking experiments for these sub-state spaces are totally independent from each other.Furthermore, model checking experiments for many sub-state spaces in different layers are independent.It is possible to conduct such model checking experiments in parallel.Therefore, it is possible to parallelize Algorithm 1, which never requires us to redesign any graph search algorithms and makes it possible to use any existing LTL model checker, such as Maude LTL model checker.
To tackle a large system that cannot be handled by an exhaustive verification mode, SPIN has a bit-state verification mode that may not exhaustively search the entire reachable state space of a large system, but can achieve a higher coverage of large state spaces by using a few bits of memory per state stored.The larger a system under verification becomes, the higher chances the SPIN bit-state verification mode may overlook flaws lurking in the system.To overcome such situations, swarm verification [29] has been proposed.The key ideas of swam verification are parallelism and search diversity.For each of the multiple different search strategies, one instance of bit-state verification is conducted.These instances are totally independent and can be conducted in parallel.Different search strategies traverse different portions of the entire reachable state space, making it more likely to achieve higher coverage of the entire reachable state space and find flaws lurking in a large system if any.An implementation of swarm verification on GPUs, called Grapple [30], has also been developed.Although the technique proposed in the present paper splits the reachable state space from each initial state into multiple layers, generating multiple sub-state spaces, it exhaustively searches each sub-state space with the Maude LTL model checker.It may be worth adopting the swarm verification idea into our technique such that swarm verification is conducted for each sub-state space instead of exhaustive search, which may make it possible to quickly find a flaw lurking in a large system.
One hot theme in research on methods to formally verify liveness properties including program termination is liveness-to-safety reductions.Biere et al. [31] have proposed a technique that formally verifies that finite-state systems satisfy liveness properties by showing the absence of fair cycles in every execution and coined the term "liveness-tosafety reduction" to refer to the technique.The technique can be extended to what is called "parameterized systems" in which the state space is infinite but actually finite for every system instance [32].Padon et al. [33] have further extended "liveness-to-safety reduction" to systems such that processes can be dynamically created and each process state space is infinite so that they can formally verify that such systems enjoy liveness properties under fairness assumptions.Their technique basically reduces a infinite-state system liveness formal verification problem under fairness to a infinite-state system safety formal verification problem that can be expressed in first-order logic.The latter problem can be solved by existing first-order theorem provers, such as IC3 [34,35] and VAMPIRE [36].The technique proposed in the present paper does not take into account fairness assumptions.We need to use fairness assumptions to model check liveness properties, including eventual ones from time to time.We might adopt the idea used in the Padon et al.'s liveness-to-safety reduction technique.To our knowledge, the liveness-to-safety reduction technique has not been parallelized.Our approach to eventual model checking might make it possible to parallelize the liveness-to-safety reduction technique.

Conclusions
We have proposed a new technique to mitigate the state explosion in model checking.The technique is dedicated to eventual properties.It divides an eventual model checking problem into multiple smaller model checking problems and tackles each smaller one.We have proved that the multiple smaller model checking problems are equivalent to the original eventual model checking problem.We have reported on a case study demonstrating the power of the proposed technique.
There are several things left to do as our future research.One piece of future work for us will be to develop a tool supporting the proposed technique.We will use Maude as an implementing language with its reflective programming (meta-programming) facilities to develop the tool that will do all necessary modifications to systems specifications (or systems models) so that human users do not need to change systems specifications to use the divide and conquer approach to eventual properties.It was impossible to conduct the model checking experiment with Maude LTL model checker; the autonomous vehicle intersection control protocol [4] enjoys the starvation freedom property when there are 13 vehicles with the tool supporting the proposed technique.The starvation freedom property can be expressed as an eventual property.Another piece of future work will be to complete the model checking experiment with the tool supporting the proposed technique.To complete the model checking experiment, we may need to make the best use of up-to-date multi-core/processor architectures.To this end, we need to parallelize Algorithm 1 and the tool supporting the proposed technique.Therefore, yet another piece of future work may be to evolve the tool into a parallel version that can make best use of up-to-date multi-core/processor architectures.

Figure 2 .
Figure 2. Two-layer division of the SimpSys reachable state space.

Lemma 1
makes it possible to divide the original model checking problem K, π |= ♦ϕ into two model checking problems K, π k |= ♦ϕ and K, π k |= ♦ϕ.We only need to tackle K, π k |= ♦ϕ unless K, π k |= ♦ϕ holds.Definition 5 (Eventually L ).Let L be any non-zero natural number, k be any natural number and d be any function such that d(0) is 0, d(x) is a natural number for x = 1, . . ., L and d
and k is a natural number.A path π of K is called a computation of K if and only if π(0) ∈ I.Let P K be the set of all paths of K. Let P (K,s) be {π | π ∈ P K , π(0) = s}, where s ∈ S. Let P b (K,s) be {π b | π ∈ P (K,s) }, where s ∈ S and b is a natural number.Note that P ∞ (K,s) is P (K,s) .If R is finite and s ∈ R, then P (K,s) is finite and so is P b (K,s) .

and only if there exists a natural number i such that K, π i |= ϕ 2 and for each natural number j < i, K, π j |= ϕ 1 where
ϕ 1 and ϕ 2 are LTL formulas.Then, K |= ϕ if and only if K, π |= ϕ for all computations π of K.

Table 1 .
Descriptions of path notations (or symbols), where i and j are natural numbers.

Table 3 .
Descriptions of satisfaction relation |= notations (or symbols), where b is a natural number.

11 end 12 end 13 end 14 ES ← ES 15 end 16 if ES = ∅ then 17 return Success 18 end 19 else 20 return Failure 21 end
We could then construct a counterexample, when failure is returned, by searching through ES L , . . ., ES 1 and ES 0 .