On the verification of asynchronous parameterized networks of communicating processes by model checking Текст научной статьи по специальности «Математика»

On the verification of asynchronous parameterized networks of communicating processes by model checking1

I. V. Konnov, V. A. Zakharov

Abstract. The uniform verification problem for parameterized systems is to determine whether a temporal property is true for every instance of the system which is composed of an arbitrary number of homogeneous processes. We consider some aspects of the induction-based technique which assumes the construction of finite invariants of such systems. An invariant process is one which is greater (with respect to some preorder relation) than any instance of the parameterized system. Therefore the preorder relation involved in the invariant rule is of considerable importance. For this purpose we introduce a new type of simulation preorder — quasi-block simulation. We show that quasi-block simulation preserves the satisfiability of formulae from ACTL*_X and that asynchronous composition of processes is monotonic w.r.t. quasi-block simulation. This suggests the use of quasi-block simulation in the induction-based verification techniques for asynchronous networks. To demonstrate the feasibility of quasi-block simulation we implemented this technique and apply it to verification of Dijkstra’s token ring algorithm.

Keywords: program verification, asynchronous networks, model checking, temporal logic, simulation, induction.

1. Introduction

Verification plays an important role in designing reliable computer systems. With the increasing involvement of computer hardware and software in daily life, checking the safety and correctness of these systems has become essential and sometimes even critical. Therefore it is an imperative task for computer scientists to develop advanced verification techniques that will support the development of reliable systems.

Two main approaches to program verification are testing and formal verification.

'This paper is supported by the grant RFBR 06-01-00106 and INTAS 05-1000008-8144.

Testing assumes an activity of generating a collection of input data (test cases), running system to be verified on these data, and then analyzing its behavior. Since the behavior of concurrent systems is usually very complicated and tends to be non-reproducible, many bugs are difficult to detect by conventional testing. Formal verification approach assumes that one provides a mathematical model for the system under study, specifies the properties the system should comply with, and then applies mathematical techniques (deductive methods, model-checking, equivalence-checking, etc.) to check that the model satisfies the properties. Formal verification is relatively inexpensive in comparison to exhaustive simulation and can be applied at various points through the development process. It receives an ample algorithmic support from various branches of mathematics and manifests its strength in areas where other verification methods are inadequate. That is why formal verification is now becoming an indispensable stage of software development process.

According to the approach towards formalization, formal methods fall into the following major categories: model checking, theorem proving, and equivalence checking. Model checking is technique which allows verification of computer system by checking that a model M(P)( represented as transition system derived from hardware or software design P) satisfies a formal specification <p (usually represented as temporal logic formula). When M(P) is a finite state model then one could find a rich variety of model checking procedures, including tableau-based, symbolic and on-the-fly algorithms, partial order reduction techniques and many others (see [ ]). In what follows we will assume that each system (process) P under consideration has only finite state and will not distinguish it from its model (transition system) M(P).

It is quite another matter of checking infinite state models or infinite families of parameterized systems T = {Pk}™= i- The latter is one of the most challenging problems in verification today. As a matter of fact, the parameter k may stand for any variable characteristics of the design Pk (say, the size of some data structures, stacks, etc.), but much attention is given to the cases when the concurrent systems Pk are the parallel compositions pi ||p2|| • • • Ibfclk of similar "user” processes Pi, p2,..., pk and a control process ("environment”) q. Then the uniform verification problem for parameterized systems is formulated as follows: given an infinite family T of systems Pk = pi HP2II • • • Ibfclk and a temporal formula ip, check that each transition system M(Pk) satisfies ip.

Though in [ ] it was shown that the problem is undecidable in general, some positive results may be obtained for specific parameterized systems. For the most part three

basic techniques, namely,

• symmetry,

• abstraction, and

• induction

are employed to extend the applicability of conventional model checking to restricted families of parameterized systems.

Symmetry is commonly used to avoid the combinatorial explosion in the number of states in transition systems. Suppose that a transition system P has a non-trivial group G of permutations acting on the state set S and preserving the transition relation R and the labelling function L. Then one could replace the system P with a quotient model Pq, where the state space SG = (0(s) : s e S', 9(s) = {r : 3a e G(a(s) = ?-)}} is the set of orbits of the states in S. If the property ip to be checked is invariant under G then P,s \= ip Pq,0(s) \= ip. The idea of exploiting

symmetry for state set reduction was introduced in [ ,15, 16]. Symmetry-based reduction has been successfully applied to a number of case studies (see [ ] for survey) and now it is implemented within a framework of many model-checkers [ , 1 ]. However, in many practical cases this approach run into obstacles, since the problem of finding orbit representatives is as hard as graph isomorphism problem. Some papers [ 4, 2 ] have demonstrated a considerable progress in automatic symmetry detection, but this problem still remains the main critical point of the symmetry-based reduction techniques.

Symmetry can be also exploited to reduce the number of cases to be checked when

k

a specification of a system is also parameterized (say, when ipk = f\ V’M )• In [15]

% — 1

it was demonstrated that if a group G of permutations acting on the state set S of a transition system P offers some nice properties then the verification problem Pfc |= tpk may be reduced to that of checking Pk |= '0[1].

Abstraction is likely to be the most important technique for coping with state explosion problem in model checking. It provides a way to replace a large model P with a smaller one h(P) such that h(P) inherits some properties of P. This may be achieved by picking out some distinguished set of formulae A and introducing an equivalence relation over the state set S such that if two states are equivalent then for every formula tp from A they both either satisfy or falsify ip. Using the equivalence classes as abstract states and defining an abstract transition relation appro-

priately, one gets an abstract model h(P). If a temporal formula tp to be checked is built of formulae from A then h(P) |= tp ==>■ P ¡= ip. A theoretical framework for abstraction technique has been developed in [ ,12, 20]. Abstraction has been widely applied in verification of parameterized systems. Only with the essential help of abstraction does it become possible to apply model checking to verify infinite state systems (see [ 7, 2\ ]). But,unfortunately, most of the abstraction techniques require user assistance in providing key elements and mappings.

The common idea of the induction technique can be summarized as follows. Define some preorder ■< (a simulation or bisimulation) on transition systems and choose some class of temporal formulae Form such that

1. the composition operator || is monotonic w.r.t. i.e. Pi ^ P[ and P2 ■< P2 implyPi||P2=<Pi||P^;

2. the preorder ■< preserves the satisfiability of formulae tp from Form, i.e. P' \= tp and M < P' imply M \= tp.

Then, given an infinite family T = {Pt}^, where Pk = pi||p2|| • • • Ibfclk, And a finite transition system I such that

3. P, -< X for some n, n > 1;

4. pi\\l<l.

A transition system I which meets the requirements 3 and 4 is called an invariant of the infinite family T. Requirements 1, 3 and 4 guarantee that Pk < T holds for every k, k > ii. If a property is expressed by a formula tp from Form then, in view of the requirement 2, to verify this property of the parameterized system T it is sufficient to model check I and Pk, 1 < k < n, against tp. The latter may be done by means of traditional model-checking techniques for finite state transition systems. This approach to the verification of parameterized networks was introduced in [22, 21 ] and developed in many papers (see [ ] for a survey).

The central problem with induction technique is deriving a general method for constructing invariants. In many cases invariants can be obtained by using the following heuristics: if Pfc+i ^ Pfc holds for some k then Pk may be used as an invariant

I. This idea was applied in [7, 8, 1 ] for developing fully automated approach for verifying parameterized networks. A typical verification scenario looks as follows.

1. Given a parameterized system {Pt}^ and a parameterized property tpk,

a symmetry-based reduction technique is used to degenerate <fk to a more simple formula ip.

2. The formula ip is used to generate an abstraction h such that h( h(Pi) || h(pi +i)) h(Pi+1) holds for every i, i > 1.

3. Next an attempt is made to find n such that h(Pn+i) ^ h(Pn).

4. As soon as such n is found a conventional model-checking technique is applied to verify the satisfiability of ip on the finite transition systems h(Pn) and Pk, 1 < k < n.

As it may be seen from this description the right choice of abstraction h and a preorder ^ is of prime importance for the successful application of this heuristic in practice. In [7, 8] it was demonstrated how to derive an appropriate abstraction h from the property ip to be checked when the latter is represented by a finite automaton. Less attention has been paid to In [ ] and [15] strong simulation and block bisimulation respectively were used as a preorder but so far as we know no systematic study of other possible preoreders has been made (though bisimulation equivalences were studied in detail). It is clear that the weaker is preorder the larger in number are the cases of parameterized systems for which this approach succeed. Furthermore, a careful choice of ^ makes it possible to circumvent difficulties pertaining to abstractions: if ^ is loose enough an invariant Pn can be found without resorting to abstraction h. To be certain that this effect could appear we introduced in [21] a block simulation preorder (which is an amalgamation of block bisimulation [ ] and visible simulation [ ]) and showed that by using this preorder

one can generate invariants of some parameterized systems straightforwardly.

In this paper we continue this line of research. Unfortunately, asynchronous composition of processes is not monotonic w.r.t. block simulation in general case. Therefore we extend this preorder and introduce a quasi-block simulation which is weaker than block simulation. We show that quasi-block simulation preserves the satisfiability of formulae from ACTL*_X and that asynchronous composition of processes is monotonic w.r.t. quasi-block simulation. This suggests the use of quasi-block simulation in the induction-based verification techniques. To demonstrate the feasibility of quasi-block simulation we consider Dijkstra’s token ring algorithm [ 1 i ]. This algorithm was treated as a case study in [ ]. We demonstrate that its induction-based verification can be performed by employing quasi-block simulation.

The paper is organized as follows. In Section 2 we define the basic notions, including asynchronous composition of labelled transition systems, block and quasi-block simulations on transition systems. In Section 3 we study some essential features of quasi-block simulation. In Section 4 we apply induction technique based on quasi-block simulation to token ring protocol. Section 5 concludes with some directions for future research.

2. Definitions

Definition 1. Labelled Transition System(LTS )is asextuple M = (S,Sq,A,R,Y,,L) where

• S is a finite set of states,

• S0 c S is the set of initial states,

• A is a set of actions, not containing the distinguished action r (invisible action),

• RCSxAu {t} x S is a labelled transition relation,

• £ is a nonempty set of atomic propositions,

• L : S —> 2s is an evaluation function on the set of states.

Any triple (s, a,t) from R is called a transition. To simplify notation we write s t instead of (s, a,t) e R and often elide the subscript M when a spe-

cific LTS is assumed. A finite path n of LTS M is a finite sequence n = si S2 —^ • • • ——> «ft of transitions (s., s,:+i). The length |7r| of a finite path n

is the number of states this path passes through, i.e. |7r| = k. An infinite path 7r is an infinite sequence of transitions n = si s2 —^ > Sj • • •

(Si s,:+i). We write 7r[•/] for the state s,: of a path tt.

Temporal Logics. Temporal specifications (or properties) of parameterized systems are expressed in temporal logics. The logic used in the framework of induction-based verification technique are usually the Full Branching Time Logic CTL* or its sub-logics ACTL* and ACTL*_X. An important factor in deciding between them is capability of an abstraction h and a preorder ^ used in verification procedure to preserve the satisfiability of temporal formulae. For the lack of space we do not define the syntax and semantics of these logics; they may be found in many textbooks, e.g. in [ ].

Syntax of CTL*. Let £ be a set of propositional variables. CTL* formulas are defined using state formulas and auxilary path formulas.

State formulas are defined as follows:

• For any pe£ propositional variable p is a state formula.

• If ip and tp are state formulas, then <p A ip, ip V tp,-up are also state formulas.

• If ip is a path formula, then E ip and A ip are state formulas.

Path formulas are defined as follows:

• If ip is a state formula, then ip is a path formula.

• If ip and tp are path formulas, then ip A tp, ip v tp, -up are also path formulas.

• If ip and tp are state formulas, then Xip, Fip, Gip, ip\itp are path formulas.

Any state formula is a formula of Full Branching Time Logic CTL*.

Semantics of CTL*. Semantics of CTL* may be defined on Labelled Transition Systems. Let M = (S', S0, A, R, £, L) be a LTS. We write M, s \= ip to mean that formula ip (ip is a state or path formula) is true in state s of LTS M. Also we write M, 7r |= tp to mean that formula ip (ip is a state or path formula) is true on path 7T of LTS M.

Then, semantics of CTL* is defined as follows:

• M, s \= p p e L(s).

• M, s \= ~^<p -i(M, s \= ip).

• M, s \= tp A tp M, s \= tp and M, s \= tp.

• M, s \= ip V tp M, s \= ip or M, s \= tp.

• M, s |= E<^ there is a path in 7r from state s in LTS M such that M, 7r |=

• M, s |= A</? for any path n from state s in LTS M it holds M, n \= ip.

• M,tt \= ip in the first state s of path n it holds M, s \= ip.

• M, 7T |= -i</? ~<{M, 7r |= </?).

• M, tv \= ip A tp M, tv \= ip and M, 7r |= ■0.

• M, tv \= tp V tp ■<=> M, tv \= tp or M, tv \= tp.

• M, 7r |= Xtp ■<=> M, 7T1 |= tp.

• M, 7r |= F</? there is At > 0 such that M, nk \= tp.

• M, 7r |= G</? for any i > 0 it holds M, 7r* |= (p.

• M, 7r |= there is fc > 0 such that M, 7rfc |= ip and for any 0 < i < fc

it holds M, 7r* |= 4>.

Formula </? is true in LTS M = (S', S0:A, R, E, L) (M \= ip in symbols), if for any initial state s0 € S0 it holds M, s0 |= </:’-

Formulas of ACTL*-X are formulas of CTL* in positive normal form, without subformulas Eip and Xtp.

Let Mi and M2 be two LTSs, Mi = (S'1,Sg,A1,i?1,E1,L1) and M2 = (S'^S'o,^2,^2,^2,!;2),!;1^2 = 0. Wecallasi/nrftron^eranypairr = (A,-), where AC A1, and — : A —> A2 is an injection, relating some actions of Mi and M2. We write A for the set {b e A2 | 3a e A : a = b}. When introducing a synchronizer we assume that some actions a of one LTS are executed only synchronously with the co-actions a of another LTS. Thus, a pair (a, a) forms a channel for communication between Mi and M2. One of this action (say, a) may be thought as an action of sending a message, whereas the other (co-action a) is an action of receiving a message.

Definition2. 77ie( asynchronous) parallel composition ofLTS’s Mi and M2 w.r.t. synchronizer r is an LTS M = Mx ||r M2 = (S', S0, A, R, E, L) such that

• S' = S'1 x S'2, S'o = S'q1 x Sf. A = A1 U A2 \ (A U A), E = E1 U E2,

L(s,u) = L1(s)UL2(m)

• For every pair of states (s, u), (t, v) e S and an action a e A a transition ((s, w), a, (i, ii)) is in R iff one of the following requirements is met:

— a € A1 \ A, u = v, (s, a, i) G i?1 (Mi executes a),

— a e A2 \ A, s = t, {u, ci,v) e R2 (M2 executes a),

— a = r, and there exists b e A such that (s, 6, t) e R1 and («, 6, v) € i?2 (Mi and M2 communicate),

Let <p be a temporal formula. Denote by the set of all basic propositions involved in ip. Given an LTS M = (S', S0, A, R, £, L), one may separate those transitions of M that either are visible (i.e. marked with an action a ^ r) or affect the basic propositions of ip:

Observ(M, = {(s, a,i)|(s, a,t) € R and (a/rV L(s) fl ^ L(t) fl X^)}.

On the other hand, one may also distinguish some set of transitions that seemed "significant” for an observer. Any set E C R of transitions which includes all visible transitions will be called a set of events of M. If Observ{M, C E then the set

of events E will be called well-formed w.r.t. ip.

Definition 3. A finite block from a state sx w.r.t. a set of events E is a path B = s i —^ s2 —^ ••• —^ sm —such that (sm,a, sm+i) € E and (s,:, r, s.j+i) ^ E for all i : 1 < i < m. An infinite block from a state si is an infinite sequence B = si —^ s2 —-> • • • sk • • • such that (s,:, r, s,:+i) <£ E for all i > 1.

We write MAXF(E, s) and MAXI(E, s) for the set of all finite and infinite blocks, respectively from a state s w.r.t. a set of events E.

Definition 4. Let M be the LTS M = Mi ||r • • • ||r Mn and S be the path S = si s2 Si ... in M. We define the projection it = prMl {$) on

the model Mi by induction on the length of path.

If n = 1 then 7Ti = si.

If n = k > 2 then the following cases may occur:

• Model Mi does not make a move in (s|_1,..., s^_1) (s|,..., s’?). In

this case we put Sk = Sk-i.

• The transition (s|_1,..., s^_1) (s|,..., s’?) is a local move of Mi.

In this case Sk = 6k-1 slk.

• The transition (s|_1,..., s^_1) (s|,..., s’?) is a synchronous move of Mi and Mj (ak = t). This transition is built as a composition of

some transitions slk_1 slk and s{_:L s(. In this case Sk =

4-i 4-

Let prbMl(S) (block projection) denote any finite or infinite block B such that B starts with prMl(,S).

Definition 5. Let M* = (S'1, S''0, A' ,Rl, £*, L1), i = 1,2, be two LTSs, let E0 be a subset of E1 n £2, and let E1 and E2 be some sets of events of M1 and M2. Then a binary relation H c S1 x S2 is called a quasi-block simulation on M1 and M2 w.r.t. E0, E1, E2, iff for every pair (si,ii) e H meets the following requirements:

1. L1(si) n E0 = L2(ti) n E0,

2. For every finite block B' = si —^ s2 —-> • • • —-> sm sm+i e

MAXF{E1,si) there is a block B" = t\ —^ t2 —^ ••• —^ ^

i„+i e MAXF(E2,ti) such that (sm+i,in+i) € H, and () e FI holds for every pair i,j, 1 < i < m, 1 < j < n.

3. For every infinite block B' = Si s2 —• • • € MAXI(E1, si) there is an infinite block B" = t\ —^ i2 —^ • • • —^

^ • • • e MAXI(E2,ti), such that (s,:,ij) e FI holds for every pair 1 < i, 1 < ./•

We write M1 -<^6 M2 iff there exist two sets of events E1 and E2 of LTSs M1 and

— Z^o

M2 and a binary relation H c S1 x S2 such that FI is a quasi-block simulation on M1 and M2 w.r.t. E0, E1, E2, and for every initial state s0 € Sq there exists an initial state i0 e S2 such that (s0,t0) e H. If both E1 andi?2 are well-formed w.r.t. tp then we say that the quasi-block simulation M1 M2 is also well-formed w.r.t. ip. A block simulation (M1 ^ M2 in symbols) is a quasi-block simulation w.r.t. So, Obsen^M1, So), Observ(M2, So).

Block simulation is similar to block bisimulation which was defined in [ ] for the

purpose of checking correctness properties for parameterized distributed systems composed of similar processes connected in ring network. It is also close to visible simulation introduced in [ ] and studied in [ ]. Quasi-block simulation is an

extension of block simulation. The necessity of this extension stems from the fact that asynchronous composition of LTSs (unlike synchronous one) is not monotonic w.r.t. block simulation. The following example reveals this effect.

Example 1. Let Mi, M2, M3, M4 be LTSs depicted below and T = ({{a, 6}, {a —> a, b —> 6}}) be a synchronizer.

«2

S4

«6

a

s-3

s 5

«7

(J

It can be seen that Mi ^ M2 and M3 ^ M4. However, there exists no block simulation for the compositions Mi ||r M3 and M2 ||r M4.

Ml || M3

M2 ||

3. The basic features of quasi-block simulation

As it can be seen from the definitions above M1 -<v M2 =>■ M1 -<?? M2. Moreover, quasi-block simulation can be reduced to block simulation. Let Mi = (S1, Sq, A1, R1 ,H1, L1), i = 1,2, be two LTSs such that M1 M2 w.r.t. sets of events E1 and E2. Consider an auxiliary visible action t such that t £ A1 U A2, and build the LTSs .\l = (s\ Sj, A U {t}, R\ £\ D^, i = 1,2,

such that (s, a,t) e R' iff either a ^ t and (s, a, t) e R', or a = t and (s, r, t) e E'. Thus, t marks all those invisible transitions that included in the sets of events E1 and E2.

Theorem 1. M1 -<ib M2 <=> M1 M2.

— 2-i 0 —2-i0

Theorem 1 may have a considerable utility in checking quasi-block simulation, since it provides a way of taking an advantage of efficient simulation-checking algorithms [1,1 ] that are applicable to block simulation.

Quasi-block (unlike visible or block simulations) is preserved under asynchronous compositions of LTSs.

Theorem 2. Let M* = (S'*, Sg, A\R\ £*, U), i = 1,2,3,4, be four LTS’s such that

• (E1uE2)n(E3uE4) = 0,

• A1 = A2 = A, A3 = A4 = A", and A n A" = 0.

Let 17 and £" be the distinguished sets such that S' c (E1 u £2) and £" c (£3u£4).

Let T = (A, “) be a synchronizer such that A C A, and ~ : A —> A".

Then Mi M2 and M3 M4 implies Mi ||r M3 M2 ||r M4.

Proof. Let H' and H" be the relation of quasi-block simulation on Mi, M2 w.r.t. S', Event1, Event2 and M3, M4 w.r.t Event3, Event4 re-

spectively. We build such a relation H c (S'1 x S'3) x (S'2 x S'4), that H = {((s1, s3), (s2, s4)) | (s1, s2) € H' A (s3, s4) e H"}, and show that H is a quasi-block simulation of Mi3 and M24 w.r.t. some Event' and Event”.

Event' is built as follows.

((s1, s3), a, (i1, i3)) € Event' iff one of the conditions met:

• а Є A A (s1, a, t1) Є Event1,

• а Є A' A (s3, a, t3) Є Event3,

• a = т and for some b є A it is true that (s1, b, t1) є R1 A (s3,b,t3) є R3. Event" is built similar to Event'.

The proof idea is as follows. Block simulation may fail for the composition of models only in case of failure of condition 2. Condition 2 is failed only if blocks expand in comparison to that in original models. We build Event' and Event" in such a manner that blocks are not enlarged. Conditions 1-3 are proved by considering all the possible ways of the composition of original blocks.

We show for any pair of states ((s1, s3), (s2, s4)) є H that conditions of quasi-block simulation are satisfied.

1. L((s\s3)) П (S' U S") = (Lis1) U L(s3)) П (S' U S") = L(s1) flE'U L(s3) П S" = L(s2) nS'U L(s4) П S" = (L(s2) U L(s4)) П (S' U S") = L((s2,s4))n(S'uS").

2. Let Віз be any block such that Віз Є MAXF(Event',(s1,s3)). Bi3 =

(si,s3) (4,s3) ... (4„4) (4,+і,і+Д («) =

(s\s3).

Let Bi = prbMl (Віз), B3 = ргЬМз (Віз).

There are several cases to be considered:

(a) a = t is a result of synchronous move of some s,1, —> s,J,l+i and s3, s3l+i in Mi and M3 correspondingly.

As (s1, s2) e H12, (s3, s4) G B34, then there is the blocks B2 and B4 such that B2 € MAX F (Event2, s2), B2 matches Bi, and B4 e MAXF(Event4, s4), B4 matches B3.

B34 is built by shuffling all the transitions of B3 and B4 excluding the last ones. The parallel composition of the last transitions of B3 and B4 form the last transition of B34.

(b ) B13 contains only the part of B3. The blocks Bi and B3 are finite ones. As (s\s2) € H12, (s3,s4) € B34, then there is blocks B2 and B4 such that B2 = sf s\ —^ • • • —^ s\ s|+1 e

MAX F (Event2, s2), B2 matches Bi, and B4 = sf —^

----^ sf sf+1 e MAXF(Event4, s4), B4 matches B3.

B24 is constmcted as B24 = (sf,sf) (44) ~^ (4,4) ~^

• • • ~^ (sb 4) (si+i’ 4) • The block B24 matches to Bi3.

(c) Віз contains only the part of B3. The block Bi is a finite one and B3 is an infinite one.

As (s\s2) Є #i2, (s3,s4) Є #34, then there is blocks B2 and B4 such that B2 = sf ~^ sl sl+1 є

MAXF(Event2, s2), B2 matches Bi, and B4 = sf —^ s|

-----^ sf sf+1 є MAXF(Event4, s4), B4 matches B3.

As in the previous case we construct B24 as B24 = (sf,sf) —^ (S2,S4) ^ (S2,S4) ^ (S2,S4) _JL* (s2+1,s4). The blOCk

B24 matches Bi3.

(d) The cases when B3 is fully included in B13 and Bi is only partly included in В із are similar to the previous two cases.

3. Let B13 be an infinite block such that B13 e MAXI(Event',(s1,s3)).

Віз = (44) (4,4) ••• (4„4) (4l+i,4+i),

(•si, sf) = (s\s3).

Let Bi = prbMl (Віз), B3 = ргЬМз(В13).

We have to consider several cases:

(a) The blocks Bi and B3 are infinite ones.

As (s\s2) Є #12, (s3,s4) Є #34, then there is blocks B2 and

B4 such that B2 = sf s\ • • • —^ s| s|+1 є

MAXI(Event2, s2), B2 matches Bi, and B4 = sf —^ s| ~

-----^ sf sf+1 є MAXI (Event4, s4), B4 matches B3.

B34 is built by shuffling all the transitions of B3 and B4.

(b) The block Bi is an infinite block and the block B3 is a finite one.

As (sx,s2) є #12, (s3,s4) є #34, then there is blocks B2 and

B4 such that B2 = sf s\ • • • —^ s| s|+1 є

MAXI(Event2, s2), B2 matches Bi, and B4 = s4 —^ s| —^

-----^ sf sf+1 є MAXI (Event4, s4), B4 matches B3.

B34 is built by shuffling all the transitions of B3 and B4.

(c) The case when the block Bi is a finite one and the block B3 is an infinite one is similar to the previous case.

□

Yet another simulation which has close relationships with quasi-block one is stuttering simulation. It was introduced in [ ] and enjoys wide applications in the framework of partial order reduction technique (see [9, 1 £ ]).

Let Af = (S'*, Sg, A, R\ £*, Ll), i = 1,2, be two LTSs, and E0 C E1 n £2. A relation H c S'1 x S'2 is called a stuttering simulation w.r.t. E0 iff every pair (s', s") e H comply with the following requirements:

1. LV) n£o = L2(s")nS0.

2. For every path ir\ tt' = s'i s'2 ... a-^—i s'k , s'0 = s' there

is a path tt", tt" = s"i s"2 s"fc ..., s" = s" and

partitions P{P2..., P"P2' • • • of 7r' and 7r", such that for every i > 1 the sub-paths Pi and P" match, i.e. (s', s") e H holds for every pair of states s' e P' and s" e P".

We write M1 M2 to indicate the existence of stuttering simulation between M1 and M2.

Theorem 3. M1 -<t M2 => M1 -<SJ M2.

— 2^o —

A proof this theorem is straightforward.

Since stuttering simulation preserves the satisfiability of temporal formulae from ACTL-x, Theorem 3 brings us to the following conclusion.

Th eorem 4. Suppose that a quasi-block simulation M1 M2 is well-formed w.r.t. a ACTL-x-formula ip, and M2 \= ip. Then M1 \= ip as well.

As it may be seen from the definition, stuttering simulation does not take into account any actions, but even in the case when A1 = A2 = 0 it is weaker than quasi-block one.

Example 2. Consider models Mi and M2 below. The evaluation functions associate with every state exactly one of basic propositions from the set So = {pi,p2,p-3}. It could be directly checked that Mi M2.

----->S3<P3)

Si(p2) -------> Sb(P3)

M6(P2)

S7<Pl)

ut{pi)

Suppose that there exists a quasi-block simulation on Mi and M2 w.r.t. some sets of events Ei and i?2. It should be noted, that the path n = sis6s7 may correspond only to the path 7r' = «i«4«6«7 with the partitioning .si; s6; s7 and wi;w4w6;w7 respectively. This means that the transition w4 —is not in E2. On the other hand, the path 6 = S1S2S4S6S7 may correspond only to the path S' = wiw2w4w6w7 with the partitioning .si; s2s4; s6; s7 and «i; w2«4; «e; «7 respectively. Hence, «4 has to be in i?2. This certifies that Mi ¿1? M2.

The fact that quasi-block simulation is stronger than stuttering simulation implies that the former is easy for checking and more feasible for practical applications in the framework of induction-based verification techniques.

4. Applying quasi-block simulation to the verification of asynchronous networks

There are very few papers (in fact, the authors of [ ] were not aware of any) where the induction-based verification technique is applied to asynchronous networks. In [ 1 ] parameterized systems composed of identical asynchronous processes which are arranged in a ring topology and communicate by passing a boolean token were considered. They demonstrated that for several classes of indexed CTL*_ x properties a cutoff effect takes place, i.e. the verification of the whole parameterized system can be reduced the model checking of finitely many instances of the system. In a certain sense, a cutoff plays a role of an invariant for such systems. In [10]

the results of Emerson and Namjoshi were extended from rings to other classes of asynchronous networks. Nevertheless, many interesting classes of parameterized asynchronous systems do not fall into this category.

To the best of our knowledge the only paper where induction-based verification is applied to asynchronous networks is that of Clarke, Grumberg, and Jha [ ]. In this paper they represented parameterized systems by network grammars, and used regular languages to express state properties. To generate invariants they developed an unfolding heuristics', given a parameterized system to find n such that

h(Pn+1) ^ h(P,J, where ^ is a strong simulation and h is some appropriate abstraction. Much attention has been paid to the development of effective technique for constructing required abstractions. The feasibility of this approach has been demonstrated by applying it to the verification of Dijkstra’s token ring algorithm. We extend this approach by replacing strong simulation with quasi-block simulation. This makes it possible to get rid of abstraction h and considerably simplify the verification algorithm.

4.1. Dijkstra’s token ring algorithm

In Dijkstra’s token ring algorithm a network is composed of similar processes connected in bidirectional ring. A token t is passed in the clockwise direction. Each process may send a request the token (a signal s) in the counter-clockwise direction. A process sends the signal s if either it intends acquiring the token, or it receives the signal from its neighbor on the counter-clockwise side.

A state of each process is described by a word XYZ, where

• X stands for a control state of the process, X e {n, d, c}; state symbols n, d, and c stand for the neutral state, the delayed state, and the critical section respectively.

• Y indicates an intention of the process to acquire the token, Y e {6, w}; symbols b and w stand for black (there is a process to the right that wishes to acquire the token) and white (no one to the right is interested in the token) respectively.

• Z indicates whether the token is granted to the process or not, Z e {i, e}; t means that the process has a token, and e means that the process is empty.

The transition relation of each such process is depicted on the table 1. Numbers 1,

2, and 3 are auxiliary countervalues. The star symbol admits any allowed element in

Table 1: Transitions table of Dijkstra’s algorithm

i rcvtok A , lnew —» lntw 1 rcvsig p. t lnew —» zneb 1 , rcvsig 0 lntw —» ¿new

lntw —^ lctw 1 , rcvtok 0 lneb —» 3new lnew —^ 2deb

lneb —^ ldeb ldew?'^ ldeb i i * rcvtok * i lde* —» let-

lctwrf^ lctb lctw —^ lntw lctb —^ lntw

lctw?'^ lctb 2 * * * snds\9 | 2n** r^' 3-w

2(j** rcvtok | ^ 'i- '{■ '{' sndtok j

the position. The dash symbol means that the values of the corresponding element before and after transition are the same.

Let P0 be a distinguished process with hunt as the initial state. All other processes P, 1 < i < n, have lione as the initial state. Each process Pi, 0 < i < n, has the set of actions {rcvsigt, sndsigi,rcvtoki, sndtoki}, and these sets are pairwise disjoint. Every process Pi is synchronized with the p+i (modulo n) by the synchronizer Tj = {{rcvsigi, sndtoki}, {rcvsigi —>■ sndsigi+i, sndtoki —>■ rcvtoki+1}}. Thus we obtain the infinite family of parameterized systems T = {Pk}kLi such that Pfc = Po||Pi • • • Pfc- This parameterized network can be described in terms of network diagrams as follows:

S' - Po \\A P\\A A^P\\P\\P

We have implemented in Python a straightforward algorithm to check block simulation of LTSs and apply to the network described above. The results are shown in table 2.

Since it was found that h(P4) -<qb h(P3), Theorems 1, 2, and 4 guarantee that h(P3) is an invariant of the family T. Unfortunately abstraction techniques should be also applied in case of Dijkstra’s algorithm. This experiment lends support to the feasibility of the using of quasi-block simulation in the framework of invariant-based verification technique.

Table 2: Computation of block simulation. Results.

LTSs time have block simulation

P3 and P2 0.99s no

P4 and P3 17.8s no

abstract P3 and P2 0.2s no

abstract P4 and P3 0.22s yes

4.2. Tree wave algorithm with neighbor synchronisation

We consider an algorithm in which processes are organized into a binary tree. The root of a tree sends message to children. Each intermediate tree node executes synchronous action sync_neighbor (which is synchronized with its sibling) and sends message to the children. Any leaf node sends a message back on receipt of the message from the leaf’s parent. Then, intermediate nodes pass messages freely from the lower nodes to the upper ones.

It may be useful to check the property that the root node eventually receives its message back after it has sent a message to the children. This property is satisfied on the model with root, two intermediate nodes and four leaves. To check the property on the infinite family of models, we distinguish states of the root nodes as visible and states of other processes as invisible ones.

There exists a block simulation of the model with two intermediate nodes and four leaves by the model with two leaves. Thus, we can infer that there exists a quasi-block simulation of any tree by the tree with two leaves. Note that a block simulation may be unavailable due to the properties of block simulation.

This example does not deal with any property-specific abstraction. After showing that any model of the family is simulated by the invariant (the tree with two leaves) it is possible to check any property on visible variables, i.e. any property of the root node.

5. Conclusions and directions for future research

There is a number of tasks to be solved next to make a good "reputation” for quasi-block simulation. Certainly, we have to find out some practical case studies that

could indicate convincingly the advisability of using quasi-block simulation in the verification of parameterized systems. It depends to a large extent also on how much effectively quasi-block simulation can be checked. We assume that Theorem 1 could give an essential prerequisite for constructing efficient checking procedures.

References

[1] Apt K.R., Kozen D. Limits for automatic program verification of finite-state concurrent systems. Information Processing Letters, 22(6), 1986, p. 307-309. 38

[2] Bosnacki D., Dams D., Holenderski L. A heuristic for symmetry reductions with scalarset. In Procedings of FME2001, Lecture Notes in Computer Science, 2021, 2001, p. 518-533. 39

[3] Brown M.C., Clarke E.M., Grumberg O. Characterizing finite Kripke structures in prepositional temporal logics. Theoretical Computer Science, v. 59, 1988, p. 115-131. 46,51

[4] Calder М., Miller A. Five ways to use induction and symmetry in the verification of networks of processes by model-checking, in Proceedings of AvoCS 2002 (Automated Verification of Critical Systems),2002, p. 29-42 39, 40, 52

[5] Clarke E.M., Grumberg O., Long D.E. Model checking and abstraction. In Proceedings of Principles of Programming Languages, 1992. 40

[6] Clarke EM., Filkorn Т., Jha S. Exploiting symmetry in temporal logic model checking. In Proceedings of CAV93, Lecture Notes in Computer Science,697, 1993, p. 450-461. 39

[7] Clarke E.M., Grumberg, O., and Jha, S. Verifying parameterized networks using abstraction and regular languages, In Proceedings of the 6-th International Conference on Concurrency Theory, 1995. 40, 41

[8] Clarke E.M., Grumberg, O., and Jha, S. Verifying parameterized networks. ACM Transactions on Programming Languages and Systems, 19(5), 1997, p. 726-750. 40,41,53

[9] Clarke E.M., Grumberg O., Peled D.A. Model checking. MIT Press, 1999. 38, 42, 51

[10] Clarke E., Talupur M., Touili T., Veith H. Verification by network decomposition. In Proceedings of CONCUR’04, Lecture Notes in Computer Science, 3170,2004, p. 276-291. 52

[11] Cleaveland R., Sokolsky O. Equivalence and Preorder Checking for Finite-State Systems, In Handbook of Process Algebra, Elsevier, 2001, p. 391— 424. 48

[12] Dams D., Grumberg O., Gerth R. Abstract interpretation of reactive systems: abstractions preserving ACTL*, ECTL* and CTL*. In IFIP Working Conference and Programming Concepts, Methods and Calculii, 1994. 40

[ 13] Dijkstra E. Invariance and non-determinacy. In Proceedings of a discussion meeting of the Royal Society of London on Mathematical logic and programming languages, 1985, p. 157-165. 41

[14] Donaldson A.F. Miller A. Automatic symmetry detection for model checking using computational group theory. In Proceedings of the 13th International Symposium on Formal Methods Europe (FME 2005), Lecture Notes in Computer Science, 3582, 2005, p. 481-496. 39

[15] Emerson E.A., Namjoshi K.S. Reasoning about rings. In Proceedings 22th ACM Conf. on Principles of Programming Languages, POPL’95, 1995, p.85-94. 39,40,41,46, 52

[16] Emerson E.A., Sistla A.P. Symmetry and model checking. Formal Methods in System Design, 9( 1/2), 1996, p.105-131. 39

[17] Etessami K., Schuller R., Wilke T. Fair simulation relations, parity games, and state space reduction for Buchi automata. In Proceedings of 28th International Collquium "Automata, Languages and Programming’’, Lecture Notes in Computer Science, 2076, 2001, p. 694-707. 48

[18] Gerth R., KuiperR., Peled D., Penczek W. A partial order approach to branching time logic model checking. Information and Computation, 150(2), 1999, p. 132-152. 41,51

[19] Ip C.N., Dill D.L. Verifing systems with replicating components in mur^. Formal Methods in System Design, 14, 1999, p.273-310. 39

[20] Kesten Y., Pnueli A. Verification by finitary abstraction. Information and Computation, 163, 2000, p.203-243. 40

[21] Konnov I.V., Zakharov V.A. An approach to the verification of symmetric parameterized distributed systems. Programming and Computer Software 31(5), 2005, p. 225-236. 41

[22] Kurshan R.P., MacMillan K.L. Structural induction theorem for processes. In Proceedings of the 8-th International Symposium on Principles of Distributed Computing, PODC’89, 1989, p. 239-247. 40

[23] Lesens D., Saidi H. Automatic verification of parameterized networks of processes by abstraction. In Proceedings of the 2-nd International Workshop on the Verification of Infinite State Systems (INFINITY97), 1997. 40

[24] Manku G.S., Hojati R., Brayton R.K. Structural symmetries and model checking. In Proceedings of International Conference on Computer-Aided Verification (CAV98), 1998, p. 159-171. 39

[25] Penczek W., Gerth R., Kuiper R., SzreterM. Partial order reductions preserving simulations. In Proceedings of the CSP99 Workshop, 1999, p. 153— 171. 46

[26] Wolper P., Lovinfosse. Properties of large sets of processes with network invariants. Lecture Notes in Computer Science, 407, 1989, p. 68-80. 40