Constraint-Based Deadlock Checking of High-Level Specifications

Establishing the absence of deadlocks is important in many applications of formal methods. The use of model checking for finding deadlocks in formal models is often limited. In this paper we propose a constraint-based approach to finding deadlocks employing the ProB constraint solver. We present the general technique, as well as various improvements that had to be performed on ProB’s Prolog kernel, such as reification of membership and arithmetic constraints. This work was guided by an industrial case study, where a team from Bosch was modeling a cruise control system. Within this case study, ProB was able to quickly find counter examples to very large deadlock-freedom constraints. In the paper, we also present other successful applications of this new technique. Experiments using SAT and SMT solvers on these constraints were thus far unsuccessful.

💡 Research Summary

The paper introduces a constraint‑based technique for checking deadlock freedom in high‑level formal specifications, focusing on Event‑B, B‑Method, and Z models. Traditional model checking struggles when the state space is infinite or when the out‑degree of states is very large, making exhaustive exploration infeasible for industrial‑scale systems. To overcome this, the authors leverage the ProB constraint solver to transform the deadlock‑freedom proof obligation (DLF) – formally A ∧ I ⇒ G₁ ∨ … ∨ Gₙ, where A are axioms, I invariants, and Gᵢ the enabling predicates of events – into its negated form (DLN): A ∧ I ∧ ¬G₁ ∧ … ∧ ¬Gₙ. Solving DLN yields a state that satisfies the model’s axioms and invariants while disabling all events, i.e., a deadlock state, regardless of reachability.

The authors first present a naïve “direct” approach that feeds DLN to ProB. While conceptually simple, this approach suffers from three major drawbacks: (1) redundancy – many variables/constants irrelevant to guards are still instantiated, inflating the search space; (2) inaccuracy – users often care only about a subset of deadlocks (e.g., those satisfying a predicate P), which the direct method cannot filter; (3) inefficiency – existential quantifiers in guards (∃x …) force the solver to enumerate candidates before evaluation, leading to poor performance.

To address these issues, the paper proposes an improved algorithm (Fig. 2). The key ideas are:

• Predicate of interest (P): Users can supply an additional predicate that restricts the search to relevant states. P is conjoined with A and I, and events whose guards are trivially false under P are pruned.
• Guard simplification: A pre‑processor rewrites common patterns, e.g., ∃x·x∈S → S≠∅, ∃x·x>E → TRUE, and eliminates redundant conjuncts. This reduces the size and complexity of the constraints before they reach the solver.
• Component partitioning: The combined constraint A∧I∧P∧Deadlock is decomposed into independent sub‑components based on variable/constant dependencies. Irrelevant components are discarded, and the remaining ones are solved separately, dramatically cutting down the search space.
• Conjunct ordering: Frequently used conjuncts are moved to the front of the solving queue to improve propagation.

Implementation-wise, the authors extend ProB’s Prolog kernel. They reify membership and arithmetic constraints, allowing Boolean and numeric constraints to be handled uniformly by SICStus CLP(FD). This reification enables tight integration of set‑theoretic predicates (e.g., s ⊆ 0..3) with integer arithmetic (e.g., x < min). The kernel also incorporates a lightweight simplifier that applies the aforementioned rewrite rules, and it can optionally invoke Isabelle’s simplifier for richer theories.

The technique is evaluated on an industrial case study from Bosch: a cruise‑control system model containing more than 30 A4 pages of deadlock‑freedom constraints. Model checking and off‑the‑shelf SAT/SMT solvers failed to find counter‑examples within reasonable time or ran out of memory. In contrast, the improved ProB approach discovered a deadlocking state in under two seconds, demonstrating that constraint‑based checking scales far better with the size of the specification than exhaustive state exploration. Additional successful applications include railway network verification (Siemens) and data‑validation scenarios, where the predicate‑of‑interest feature proved valuable for focusing the analysis on safety‑critical subsets.

The authors also discuss the relationship between constraint solving, model checking, and theorem proving. Model checking provides concrete execution traces, theorem proving establishes logical properties, and constraint solving bridges the gap by quickly exposing violations of proof obligations without requiring a full proof. Together they form a complementary verification workflow that can handle the complexity of modern safety‑critical systems.

In summary, the paper makes the following contributions:

1. A clear formulation of deadlock‑freedom as a constraint satisfaction problem.
2. Identification of practical shortcomings of a naïve formulation and systematic remedies (guard simplification, predicate filtering, component decomposition).
3. Extensions to the ProB kernel (reification, Prolog‑level simplifications) that enable efficient handling of large set‑theoretic and arithmetic constraints.
4. Empirical evidence from an industrial-scale case study showing orders‑of‑magnitude speed‑ups over traditional model checking and SAT/SMT approaches.
5. A vision of integrated verification where constraint solving complements model checking and theorem proving to achieve scalable, early‑stage detection of deadlocks in high‑level specifications.