Model Checking Guarded Protocols

E. Allen Emerson and Vineet Kahlon Department of Computer Sciences, The University of Texas at Austin, U.S.A.

Abstract 1 Introduction

The Parameterized Model Checking Problem (PMCP) is Systems with finite but unbounded number of homoge-

to decide whether a temporal property holds for a uniform neous processes or subcomponents arise in many important ¥§¦ family of systems, ¡£¢¤¢ , comprised of a control process, applications, including cache coherence protocols, multi- ¡ , and finitely, but arbitrarily, many copies of a user pro- processor systems and data communication applications. cess, ¥ , executing concurrently with interleaving seman- This gives rise to the Parameterized Model Checking Prob-

tics. We delineate the decidability/undecidability bound- lem (PMCP) which is to decide whether a temporal property ary of the PMCP for all possible systems that arise by holds for every size instance, , of the given system, being letting processes coordinate using different subsets of the the number of homogeneous processes or subcomponents in following communication primitives: conjunctive boolean the system. PMCP is of great practical importance as it set- guards, disjunctive boolean guards, pairwise rendezvous, tles, in one fell swoop, the scaling and the state explosion asynchronous rendezvous and broadcast actions. Our fo- problems. However, the problem is, in general, undecid-

cus will be on the following linear time properties: (p1) able [2]. Since tractable decidable cases of the PMCP have

¡ ¡

LTL ¨ X formulae over , (p2) LTL formulae over , (p3) many applications, it is important to clarify the relationship

regular properties specified as regular automata, and (p4) between decidability and undecidability for its various for- © © -regular properties specified as -regular automata. mulations.

In this paper, we consider the PMCP for systems of the ¥§¦ We also establish a hierarchy based on the relative ex- ¡£¢¢ form, , consisting of a distinguished control process, pressive power of the primitives by showing that disjunctive ¡ , and finitely, but arbitrarily, many copies of a user pro- guards and pairwise rendezvous are equally expressive, in ¥

© cess, , executing concurrently with interleaving seman- that we can reduce the PMCP for regular and -regular tics. Processes can communicate with each other using pair- properties for systems with disjunctive guards to ones with wise rendezvous (a process sends a message only if there is pairwise rendezvous and vice versa, but that each of asyn- an enabled receiver), asynchronous rendezvous (a process chronous rendezvous and broadcasts is strictly more ex- sends a message which is received iff there is an enabled pressive than pairwise rendezvous (and disjunctive guards). receiver), broadcast primitives (a process sends a message Moreover, for systems with conjunctive guards, we give a which is received by all the other processes), and global simple characterization of the decidability/undecidability boolean guards labeling the transitions of the individual boundary of the PMCP by showing that allowing stutter- processes. The boolean guards could either be purely con- ing sensitive properties bridges the gap between decidabil-

junctive, viz., of the general form ¤£ , expressing ity (for p1) and undecidability (for p2). A broad framework the condition that each process other than the one firing the for modeling snoopy cache protocols is also presented for

transition is currently in one of the local states ¤ , or which the PMCP for p3 is decidable and that can model all

purely disjunctive, viz., of the general form   !"¤#%$& , snoopy cache protocols given in [13] thereby overcoming expressing the condition that there exists a process other the undecidability results. than the one firing the transition in one of the local states

'¤$ . The difference between pairwise rendezvous and asynchronous rendezvous, introduced only recently in the literature [6] in the context of verification of multi-threaded

Java programs, is that while in the former case for a process This work was supported in part by NSF grant CCR-009-8141

& ITR-CCR-020-5483, and SRC contract 2002-TJ-1026. Contact: to send a message, a matching receiver must be present in

emerson,kahlon @cs.utexas.edu the current global state to receive it, in the later case a pro- cess can simply send a message irrespective of whether a tions of the five primitives (see figure 6). receiver is present to receive it or not. If a receiver is present The undecidability of the PMCP for regular properties then the message will be received; else it is discarded. for systems with conjunctive guards is discouraging from Our goal is to delineate the decidability/undecidability the point of view of model checking parameterized snoopy boundary of the PMCP for all possible systems that arise by cache coherence protocols which require the use of broad- letting processes using different subsets of the above men- cast primitives labeled with conjunctive guards as well as

tioned primitives. We focus on the following properties (p1) ones labeled with disjunctive guards. However, in practice,

¡ ¥ ¡

LTL ¨ X formulae over control process (p2) LTL formu- templates and describing transition diagrams of snoopy

lae over ¡ (p3) regular properties specified as regular au- cache protocols have the following properties:

¡ ¥ © tomata, and (p4) © -regular properties specified as -regular 1. Templates and are initializable, viz., for each automata. We first show the following. template there exists an unguarded internal transition from

1. The PMCP for LTL formulae over ¡ is undecidable each of its states to its initial state. Such transitions,

¥ ¦ for families of the form ¡£¢¢ where processes are allowed not usually drawn for simplicity reasons [3], are required

to communicate via conjunctive guards. This result is some- to model block replacement for caches which may non-

¦¥&¨§©¤ $ ¤ ¦¤ ¤ ¨§ what surprising because it was shown in [7] that for such deterministically push a block into its ¤ ( ) state irrespective of the current state of the block.

systems, the PMCP is not only decidable for LTL ¨ X formu- ¥ lae but efficiently so in the size of both ¡ and . Thus we 2. Each global boolean guard labeling a transition of a

have the interesting fact that allowing stuttering sensitive template is either disjunctive or is of the specialized form

  properties bridges the gap between decidability and unde-  , where is the initial state. Such guards suffice as each cidability for systems with conjunctive guards. Moreover, cache only needs to test whether there exists another cache this result greatly sharpens the result in [9] wherein it was possessing the memory block that it requires, a disjunctive shown that the PMCP for p2 is undecidable for systems with guard, or whether no other cache has the required memory both conjunctive and disjunctive guards. Since © -regular block, the specialized conjunctive guard. automata are strictly more expressive than LTL, therefore Under these assumptions, we show that the PMCP for the undecidability of the PMCP for © -regular properties fol- regular properties is decidable. This gives us a broad and lows as a corollary. We go on to show that the PMCP for useful framework for modeling snoopy cache protocols for regular properties is also undecidable for systems with con- which the PMCP for regular properties is decidable and junctive guards. which is able to handle all of the snoop-based cache co- ¡ herence protocols in [13], thereby overcoming the undecid-

2. The PMCP for LTL ¨ X formulae over is undecid- able for systems where processes are allowed to communi- ability results. cate via asynchronous rendezvous. As a corollary, we have The rest of the paper is organized as follows. The system that the PMCPs for both LTL and © -regular properties are model along with some other preliminaries is introduced in also undecidable for such systems. section 2. The decidability and undecidability results are presented in sections 3 and 4, while the expressiveness hi- As part of previous work it is known that the PMCP for erarchy and decidability/undecidability boundaries are es- p3 is decidable for systems with broadcasts [10] and asyn- tablished in section 5. In section 6, we present the frame- chronous rendezvous [6] but that the PMCP for p4 is unde- work for modeling cache protocols for which the PMCP for cidable for systems with broadcasts [10]. Furthermore the

¡£¢ regular properties is decidable, and we conclude with some PMCP for is decidable for systems with conjunctive and remarks in section 7. for systems with disjunctive guards [7] and pairwise ren- dezvous [12]. We next establish a hierarchy for the communication 2 Preliminaries primitives based on their relative expressive power. We The System Model We focus on systems comprised of a show that disjunctive guards and pairwise rendezvous are ¡ distinguished control process, , and finitely, but arbitrar- equally expressive in that we can reduce reasoning about the ¥ PMCP for regular and © -regular properties for systems with ily, many copies of a user process template, , communi- disjunctive guards to systems with pairwise rendezvous and cating with each other using broadcast primitives, pairwise vice versa. However, each of asynchronous rendezvous and rendezvous, asynchronous rendezvous actions and guards broadcasts is strictly more expressive than pairwise ren- labeling the transitions of individual processes. Each guard

is a boolean expression over the local states of other pro- ¥ dezvous (and disjunctive guards). Though interesting in its ¡

own right, we use this hierarchy, and the decidability and cesses in the system. Templates and are given, respec-

    !  !   undecidability results to completely pin down the decid- tively, by the 4-tuples  and ,

ability/undecidability boundary for the PMCPs for all four where



   properties p1, p2, p3 and p4 and for all possible combina-  and are finite, non-empty sets of states.

L]o

B

 ©

¦

¢¡ lm=D "n ` `

 is the set of labels comprised of the set of inter- sequences such that . The -language of

¡ ¥ L

¢£ ¤ ¥ b$c    `

nal transition labels; the sets ¢£¢¤¦¥¨§©§ and from is defined accordingly.

 ¤

of input and output broadcast labels, respectively; the A parameterized configuration, p, is a tuple in 

^

(

¤¥© ¤¥ 



2IKJ ¥qpr  s=  t& &r%rp sets and of input and output  . Intuitively, if for state , , it

asynchronous rendezvous labels, respectively; and the means that the number of processes in local state  are arbi-

  ¤ ¥¨§   ¤ ¥!

sets and of input and output trary. Thus parameterized configuration t represents the set

" t

pairwise rendezvous labels, respectively, where , of all configurations that result by replacing each p in by

¡ ¥

 

£  $#

  

and are disjoint finite sets. The elements a concrete natural number. The language of b$c from

L

¦)( ( ( (

 

&%' ¡ £ $#

of are called ac- the initial parameterized configuration t (corresponding to

¥

§  *  ©§ +§©§  -, .  /,"0§' /,"1&

tions. The labels  , , , , having arbitrarily many copies of in their initial states),

¡ ¥ ¡ ¥

L

/,"1  §2 §3§4§ ,5 ,§$,6

3b$c     t   3b$c    

and are abbreviated as , , , and denoted by  (in short by ), is

¡ ¥ ¡ ¥

L

,6

ub$c     t % vxwAyqz2{¦ 3b$c   G` 

, respectively. defined as  . The

¡ ¥

L

©

}| ub$c     t  ¥

¡ -language is defined accordingly.



 

and are the initial states of and , respectively.

Parameterized Model Checking Problems The Parame-



87 ¦9¤ :¤    ;7 <¤ 9¤ 

 and , are the terized Model Checking Problem is formally defined as fol-

¡ ¥ ¡

transition relations of and , respectively, satisfying lows: given a temporal logic formula ~ , and templates

¥ ¡£¢¤¢ ¥§¦ ¢

(

8= >%   

the condition that for each state , and , to decide whether for all : %&~ . In this

?= £ = 

and each § , there exists a state such that paper, we focus on the following linear time properties:

#@A@

B

(

C= D%     . Furthermore, each transition

(p1) LTL ¨ X formulae with atomic propositions over the ¡ of  is either guarded by true or by a conjunctive guard

local states of control process ,

$ "¤  E 

of the general form  , or by a disjunctive

¡

 $   FE  $  ¤GE guard, of the general form  , where (p2) LTL formulae over .

are propositions identified with the states in  .

Note that the absence of the next-time operator X in LTL ¨ X We assume that for transitions labeled with input broad- makes it stuttering insensitive. More generally, we also cast or input rendezvous labels (both pairwise and asyn- consider the following automata-theoretic formulations of chronous), the guard is true. Thus only the “initiator” of model checking (see, for instance, [14]): Note that in [10],

a transition is guarded. regular and © -regular properties were termed as safety and

¥ ¡£¢¢ ¥ ¦

¡ 1 liveness properties, respectively:

H=HIKJ

Given templates and and , %

¦ ¦ ¦

¡ ¥

    

 , the system comprised of (a unique copy ¥

¡ (p3) Regular properties: Given templates and , a L

of) and copies of the template running in paral- 

parameterized configuration t and a regular language , to ¥

lel asynchronously (with interleaving semantics) is defined ¡

 3b$c    t©€ ‚ƒ„%† L ¥ decide if .

in the standard way. We use to represent the unique

¡ ¥

¡£¢¢ ¥ ¦

concrete copy of the control process in , while for (p4) © -regular properties: Given a templates and ,

L

¥

©

t

8=NMOQP£ SR ¤

¤ , the th concrete copy of is denoted by a parameterized configuration and an -regular language

¡ ¥

¥ ¡£¢¤¢ ¥ ¦

L

| | |

  ub$c    t©€ ‚5 %†

%      T% T TVU'¤

¡ ¡ ¡

¡ . A computation of , to decide if . L

is a sequence of states such that T is the initial state of

¡£¢¤¢ ¥ ¦ ¦ %

Counter Machines A counter machine is a tuple ‡

¡ L

¤XWZY  [T  GT U=  ¡\

and for every ¡ for some

[ˆ   +‰ 0Š G‹  ˆ

 , where is the set of states, the set

¡ L X=¦

 .

¦ Š

of labels, the set of counters, ‰ the set of transitions,

 U

%]¥   ¤¤^¨ _8=  Let  . Then each state can be

the initial state and ‹ the set of halting states. There are

U

`C%  '[a ¤[aS^ 

U

Œ Ž‚G\

represented as a tuple of the form , where #*Œ

B

¡



Š Š 

three type of transitions in ‰ (i) , viz., incre-

_ ¤ aS¡

is the local state of in and for each , indicates

U

#*Œ +Œ Ž‚.‘

B



Š Š 

L

 _ `

the number of copies of ¡ in . Tuple is then called a ment a counter (ii) , viz., decrement a counter

¡ ¥

#*Œ GŽ

B



_ b$c    Š 

configuration corresponding to global state of , if it has a positive value and (iii) Š , test if a counter

¦

¡£¢¢ ¥

¡

U

 ¤¤0’”“r

the guarded protocol comprised of all systems for has value 0. Let %†¥¨’ . Then a configuration of

dWeO ` /_  a `  

¡ ¡

U

-Š –•  ¤u•4“§ Š5=ˆ •4¡

. We denote by config and by . For ‡ is a tuple , where and is a non-

#

B

’

¡

` f § =g `©U `.f

configurations `©U and and , we write negative integer, indicating the current value of counter .

B B

‡ ©U f 

h=hIKJ _

to mean that there exists and global states and A run of is either an infinite sequence or a

B B

¡£¢¢ ¥§¦ # ¦

¦ ¦

B

4U ¤

finite sequence , where is halting. A con-

U

¥ _ -_ j%k` ¥i= 

of such that , config and L

¡ ¥

-Š –• U' ¤u•  Š%mŠ

figuration “ is initial if and n-bounded

©¥&%D`.f b$c   

config  . The language of , from an initial

¡ ¥

L L

¢U+— — •

“ ¡F˜

if ¡ . A run is initial if its first configuration

 3b$c   G`  configuration ` , denoted by , is the set of

is initial, n-bounded if all its configurations contain only - 1 IN denotes the set of natural numbers. bounded configurations, and bounded if it is -bounded for

¥  ¢ ¢

£

¡

£¡£¡ ¡ ¡¨¡ ¡ ¡£¨¡£

¦¨§ ¥

'\nm`1Domp1Ha=mq1H/0K) \nm Dom ©

© , where is the set of states; the set

¥ 

arm /0

 £¡

£¡ of labels; the transition relation and the initial state

¢¡ ¤£

< \ a

m m

¥ of . State set and transition relation is gotten from

¢

L @2<>+ s¤tRgOL

£ £¨£ £ , the transition relation for , as follows. Let

@2<>+ £

¡ be a transition of . We consider three cases based on

¦ § ¥

!"

¡£¡£



© ©

£¡ £¡

¥



¡ ¡ ¡ ¡ whether s¤t is a zero test, increments a counter or decrements

a counter.

0

|~} 

uwvx yz{ 1. If s¤t is of the form , then we add the transi-

Figure 1. The template #

h6i‹k

|~}‚

vx €H

ƒ A „M'†c‡ˆ&d‰) f†Šg @*l

tion u , where guard , with

v

Af arm ƒ

and f†ŠCŒ , to . Guard expresses the condition that

v

% &('%*)

some number $ . For configuration , we use to denote

# &

every copy of is either in state i or state d‰ , viz., no copy

% , ,-'.%*)

the state of + in and for counter , we use to denote

# & , d

of is in state d and so the value of counter is zero.

G %

the value of counter , in .

|} 

s¤t u z zŽ

y x {ny 2. If is of the form vx , then we add the

The Halting Problem for counter machines is to decide

d d

|~} |}’

v x €H

u a

vj‘ m m transitions inc m and inc to . Here guard

whether a given counter machine + has a halting run, viz.,

ƒ A „M'¤c‡b& ‡“& ) I G , expresses the condition that all the user a run leading to configuration in with + in a halting state, processesv are in their non-intermediate local states indicat- beginning at the configuration '/¨021341¨5655137) . In this paper, we make use of the fact that the Halting Problem is unde- ing completion of simulation of all previous operations of the 2-counter machine.

cidable, in general, for machines with two or more counters. G

|} 

uUvx yz†x {nyz”

3. If s¤t is of the form , then we add the

d d

|} |}•

v ¢x €

u v a=m

‘ m

3 Systems with Conjunctive Guards transitions dec m and dec to , where, as

ƒ A '†c‡–& ‡ˆ& )

G I

above, „ .

v

d d m

The states inc m and dec are called the intermediate d

In this section, we show that for guarded protocols of the d

< \m—A˜BU™w'š F JK)

d›4œ G I¢ m

states of . Thus, inc m , dec . We

x 8:9;'<=1#>)

form , where processes are allowed to communi- G

|} 

Ž

yz†x {nyz cate via conjunctive guards, the PMCP for LTL formulae now show how the operation uUvx of increment-

ing counter ,7d is simulated, the decrement operation be- over the control process < is undecidable. Furthermore, we show that the undecidability of the PMCP carries over to ing handled similarly. First, the control process < , after making sure that the simulations of all previous operations

regular and ? -regular properties.

'¤c7‡ž& ‡ž& )

G I have finished via the guard „ , fires the tran-

Undecidability of the PMCP for LTL The proof is by re- d

|}

v¢x €H

s¤t A˜u G

sition inc m thus issuing the command to be- duction from the halting problem for 2-counter machines.

gin simulating the increment operation. Then one of the

A 'BC1DE1F*,4G¨1H,2IKJ71HLM1H/0(1HNO)

Let @2<>+ be a given 2-

d

|}

zx € z

s¤t AcŸ †¡ I

user processes fires transition inc ] , where #

counter machine. We construct templates < and and a

d

ƒ A ' ‡pcS‡_& ‡_& )

d G „ G I

inc m , expressing the conditions that (a) <

LTL formula, P , over , such that there is a halting run of

d <

the control process is in local state inc m , viz., a command

$ TUQ AWVXP @2<>+ iff there exists such that , viz., there

to increment counter ,7d has been issued; and (b) that every P

exists a computation of T satisfying . This reduces

&KG &I the decidability of the halting problem for a given 2-counter other user process is in local state c , or , viz., none is machine to an instance of the PMCP for the LTL formula, in an intermediate state of # implying that all previous sim-

Y ulations of the operations of the 2-counter machine have < P , over . Since the halting problem for 2-counter ma-

chines is undecidable, so is the PMCP for LTL formulae finished. Then the control process transits back to a non-

d

|}£

s¤t*¢=A

vj‘ <

over . intermediate state by firing transition inc m and <

Given @7<>+ , we now show how to construct templates completes its part of the simulation. Having noticed that

ƒ A¤„M'‡;¥ )

dI ›2¦:§ < and # . The control process is used to simulate the control via the guard (control process is in a non-

part of @7<>+ , while the two counters are implemented using intermediate state), the (unique) user process in local state

d d

|}

#

x € z

the many copies of template process . The counters are z ‘ ‘

s¤t¨¨žA Ÿ †¡ &

d ] inc ] fires the transition inc completing

represented in unary, with each copy of # storing one bit of the simulation.

,7I #[A either ,ZG or . The transition diagram for template

The operation of decrementing counter ,Zd is simulated in

) #

'\^]_1D`]:1ab]_1c is shown in figure 1. If a copy of is in a similar fashion with a user process now firing the transi-

&d ,ed fOg d

local , then that corresponds to one bit of . For d

|} |n}

hji>k

z  z  z z

x ¬ ‘x ¬ ‘

„

&dª©¢«¡ ©¢«¡ c ­Kd G‹A '

d d ]

tions dec ] and dec , where

@*l

d ]

, the states inc ] and dec are called the intermediate

‡®c‡ˆ& G;‡ˆ&I ) ­(d6I=A¯ƒ2d6I

dec m and . states of # and are used for book-keeping purposes while However the above simulation is not faithful. This is be- simulating incrementing or decrementing of counter ,Zd .

cause, for instance, while trying to simulate incrementing

,7d s¤t2G Definition (Template C) Template < is defined as the tuple counter , the control process could fire transitions and ¡ £¢

back to back without a user process firing any transi- regular properties is decidable for guarded protocols with ¡ ¤¢ tions at all. This can happen because is guarded by true. disjunctive guards, pairwise rendezvous, asynchronous ren-

Thus the control process would indicate execution of an in- dezvous and broadcasts. Model checking for regular prop- ’

crement of ¡ , without any additional user process transiting erties via backward reachability was considered for broad-

¡ ¥

to local state ¡ . From our definitions of and , it follows cast protocols in [10] and for asynchronous rendezvous in

¡ ¥ ¡

   ¡ ”U

that in any computation of b$c , process firing [6]. In addition to these we also assume global disjunctive

¡

is followed either by (a) the firing of ¢ , or (b) the firing guards for our model. The procedure is exactly the same as

f

¡ ¡ £¢ ¡ £¥

of , and back to back in that order. A computa- in [1] therefore we only recapitulate the basic idea below.

¡ ¥

L

b$c   

tion of faithfully executes the increment opera- Let t be a parameterized initial configuration and let

'

L

 

3ˆ + )('GŠ +* 

tion, iff in the computation, option is never exercised. % be an automaton. Then the PMCP for

¦

¦¨§

We now define a LTL formula ¡ that captures precisely regular properties translates to the following: Does there

^

„=sIKJ ¤-*

such computations. Towards that end, we observe that after exists a combined state , reachable from a com-

L L L L

¡

U

¡

-` GŠ  ` =

firing in any computation, the current local state inc  of bined state , where ?

¡

¡ ¤¢

-` GŠ ¢=

changes in the very next step of the computation iff A set . of combined states is upwards-closed if

¦

¦¨§

U

¡ ¡ %Db     ©

   

. -` GŠ =/. -` 0Š !0 -` GŠ 

is fired immediately after firing . Thus ¡ implies for every , where

¡ ¡ ¡

  

    

-` GŠ 10 -`. GŠ   `32 `. 2

inc inc inc . The case of faithfully simu-  iff ( denotes component-wise

Šg% Š¨ a# ©E'$ 4. 

lating the decrement operation is handled similarly. Now, ˜ ) and . Let be the set of combined

¡

 ‡

has a halting computation iff there is computation states from which . is reachable in one step. The algo-

¡ ¥

  

of b$c that faithfully executes both increment and rithm for verifying regular properties then proceeds as fol-

^

¤5*

decrement operations and leads to a state in which the con- lows. Starting at I*J , an upward-closed set, it itera-

L

^

‹

% IKJ ¤5*

trol process is in a local state of . By the above discus- tively computes the minimal elements of . ,

L

^ ^

f

(

U f

%/. a E'$AI*J ¤5*  . %ha E'$ 2IKJ ¤5* 

sion, this can be decided by checking whether for some , . , , etc.

¥ ¦ ¢

¦ ¦ ¦ ¦ ¦

§ ¦¨§



% # ¡

, where is the LTL formula . Each iteration relies on the facts that for an upward-closed

¦ ¦ ¦



¡

¦¨§



# %  y ¨§  ¡ %†b     ©



!

 . .

 ¡

Here, # , inc set , (i) the set of minimal elements of is finite (ii) the set

¦#

¡ ¡ ¡

§

"   % b     ©

  

 $

a E'$¡. 

inc inc and ¡ dec is upwards-closed and (iii) the minimal elements

¡ ¡

%  

 



# ©E'$ 4. 

dec dec . Thus we have the following. of a are effectively computable from the minimal el-

¡ 

ements of . . Termination is guaranteed because in any infi- Proposition 3.1 The 2-counter machine ‡ has a halt-

nite set of combined states there exists two elements , and

ing run starting at the initial configuration iff for some ,

¡£¢¤¢ ¥ ¦%¢

¦

¦

© ,607,  .

, such that . Therefore there exists an such that &

% .

^

L

a E'$n AI*J ¤8* % v . ¡ :9 and ¡ coincide. Since the Halting Problem for 2-counter machines is un-

decidable, therefore as a corollary, we have that 4.2 Undecidability of LTL ¨ X properties over the con- ¥

¡ trol process for Guarded Protocols with Asynchronous

   Proposition 3.2 For guarded protocols b$c , with con- junctive guards, the PMCP for LTL formulae over control Rendezvous The proof is in two parts. First we show that process ¡ , is undecidable. we can simulate pairwise rendezvous using asynchrony ren- dezvous. Then we show the much stronger result that for

Similarly we can show the following. systems with pairwise rendezvous and asynchronous ren- ©

Proposition 3.3 The PMCPs for regular and -regular prop- dezvous, even the following LTL ¨ X property is undecid-

¡ ¥

  

erties are undecidable for guarded protocols b$c , able: Does there exist an such that there is a computation

¡£¢¢ ¥§¦ ¡ with conjunctive guards. of in which fires infinitely often ? Then combin- ing the above two facts we have our result.

4 Systems without Conjunctive Guards Simulation of Pairwise Rendezvous by Asynchronous

%      Rendezvous. Let ; be a given template with We now focus on systems without conjunctive guards, pairwise rendezvous. Without loss of generality, we may

viz., wherein processes communicate using global disjunc-

=  assume that for each label § , there exists a unique tran-

tive guards, pairwise rendezvous, asynchronous rendezvous § sition of ; labeled by . We perform the following transfor- and broadcasts. The main results shown are that the PMCP mations (figure 2):

for p1 (and hence for p2 and p4) is undecidable for guarded

#=< #@ B

protocols with asynchronous rendezvous but that the PMCP B



 

 $

for p3 for guarded protocols without conjunctive guards is for each matching pair  and re-

#=?A@

#><

B B

 

  ,4#=<

decidable. place  by the pair of transitions

#BDC

#@

B B

 

,4#=<   

4.1 Decidability of Regular Properties We show using the and . and transition by the pair

?

# C #BE@

B B

 

,.#@ ,.#@  backward reachability procedure of [1] that the PMCP for  and .

¦ ¦

¤ ¤ ¨ ©

'(&)

¡ £ ¡  ¡ 

%+* !&%

0 1324

% 5

, -.)

%+*

, -.)

$+*

§ §

¥ ¥ ¨ ©

0 13264

$75

¡ ¢ ¡  ¡ 

, 1.8:9

!#$

'(#)

$/*

, -.)

"#* 13264

Figure 2. Simulating Pairwise Rendezvous by 0

"

5

!#" '(#) Asynchronous Rendezvous "+*

Figure 3. The template ¥

#

B



 

replace each internal transition  , by the pair of

#>? #

B

¡

B B

 

 ,4# ,©#  ‡

internal transitions and . defining a 3-counter machine ; with the following be-

¡ ¡



; ‡

haviour: Given a run of ‡ , the machine mimics

¡



z z z z z

%     

Let ; be the resulting template. De-

U f

‡ ’ ’

 each step of on counters and but, in addition,

B

z

z

 n

fine a morphism P such that for every action

’ ¢

 it uses counter to keeps track of the number of steps of

¡



z

U f

§ C% § §

§ , . Then we have the following result shows

’ ¢ ‡ mimicked by incrementing each time it does so. If

that we can reduce reasoning about PMCP for a property ¡

‡ ; ‡ ¥

¡ reaches a configuration with a halting state, then

¡£¢ ¡ ¡

b$c    in each of the classes  and for to rea- re-initializes itself by draining all the counters and transiting

soning about a property in the same respective classes for L

Š ¥

¡ back to the initial control state . Thus every bounded infi-

¡

z z

  

b$c . ‡ nite run of ; has infinitely many initial configurations.

Then we have ¡

Proposition 4.1 

¡ ¡£¢¢ ¥ ¦ ¢

¦ ¦

Proposition 4.2 The 2-counter machine ‡ has a halting

¨ %  ¡

1. For LTL X formula over , iff L

¡ ¢¤¢ ¥ ¦ ¢

¦ 

[Š 0Y 0Y  ; ‡ 

z run starting at iff the 3-counter machine has

z



%  , # £ #

, where for each intermediate state , L



-Š GY 0Y 0Y 



# £ #

 a bounded infinite run starting at .

B



,.# £ #

such that  is the (unique) transition leading to

¡

¡ ¥



; ‡

z z

 We now show how to weakly simulate with a sys- ,.# £ # 

in or , the atomic proposition is interpreted

¡ ¥ ¡ ¥



b$c   

 tem of the form , where and are templates ,4# £ #

to be true over .

¡ ¥ L

¡ that communicate with each other using solely pairwise ren- 3b$c    <  %

2.  if and only if

¡ ¥ L



¡

 z z

z dezvous and weak asynchrony. The idea is the same as in

3b$c     $ 2#% 

 , where is a regular

¡

¡ ¥ L

¡

|

| the previous section. The template process is used to sim-

3b$c    }  %

language and  if and only if

¡



¡ ¥ L



¡ ©

‡

 z z

z ulate the control part of , whereas the three counters

| | |

ub$c    } A X%& 

 where is an - ¥

regular language. are implemented using multiple copies of template . The ¥

template (figure 3) has five local states: , the initial state

Undecidability of LTL ¨ X for systems with Pairwise Ren-

U f

¢ and , and corresponding, respectively, to each of the

dezvous and Asynchronous Rendezvous. The proof is by

U f

’ ’ ¢

three counters ’ , and and the terminal state end.

¡ ¡ reduction from the halting problem for 2-counter machines 

Given ‡ , we define template as the tuple

© ¡

and is inspired by the proof for undecidability of -regular L

[ˆ   GŠ  ˆ  , where is the state set of , is the set

properties for broadcast protocols [10]. We show that even L Š of labels;  is the transition relation and the initial state:

the LTL ¨ X property that a given guarded protocol with pair- ‰ Transition relation  is gotten from as follows:

wise and asynchronous rendezvous has an computation in

¡

U

=

B

 ‰

which fires infinitely often, is undecidable. 1. for each transition of the form  in add

w

¡

L



< <

B



‡ % 3ˆ $ ¥¨’ U'G’qf G ‰ 0Š 

 ?> @ 

Let be a given 2-  to .

U

=

counter machine. We can assume, without loss of gener- 

B

¡



 ‰

2. for each transition of the form  in add

‡

w <

ality, that has no transitions that are self loops. For <

B



#

 BAC 

B to .

 

if is a self looping transitions, then we can add an L

=<[Ž

B

% 

additional state and replace the self loop by the fol- 

 ‰

3. for each transition of the form  in add

#



# ^D< @

B

B



 

  lowing pair of transitions: and the internal tran-  to .

B 2

  ¡ sition that executes no operation . We start by 

Note that since no transition of ‡ was a self-loop, nei- 2Strictly speaking, internal transitions are not allowed by our defini- ther is any transition of ¡ . Furthermore, all of the simula- tion of counter machines, but can be implemented by first incrementing

tions except the one for theL zero-test are faithful. In simu-

a counter, say  , and then decrementing it, thus leaving its value un-

D<-Ž

¡

B  changed. lating the zero test  , we let the control process



¦ § ¨ ¦ ©

 <

# ^ @

¥

B



¡ % 

fire  even if we have copy of in local state

   

¥

¥ ¡

. But in that case, as is evident from the definition of ,

§

¦

¥

¡

§   

¦



firing “clobbers” one such copy of by making it transit

¥

©

¦ ¨

¤

   

§ 

to the terminal state end. Henceforth that copy of can no

 <

# ^ @

¥

B

 

longer execute any transitions. Such a firing of  is

§

therefore called a “leak”. ¦

© ¨

Proposition 4.3 There exists a bounded infinite run of ¦

 

 

¡ L ¡£¢¢ ¥

“

‡ -Š GY GY 0Y 

; starting at iff there is a run of , ¡

for some , , from its initial state in which fires infinitely often. Figure 4. Simulation of Disjunctive Guards by

Pairwise Rendezvous

¡ 

Combining, the previous two results, we have that ‡ has

¡£¢¢ ¥

L

“

-Š GY GY 

a halting run starting at  iff there is a run of , ¡

for some , , in which fires infinitely often. Recalling that

8:9'.< 1# ) £! 8:9ª'.< 1# ) " "

G G I I G$# I ¡ . We use to denote

has no self loops, we have that the property that there Y

" %" " " " *" '&" '" )

G I G)( I G I I G ¡ and ; and to denote

is a computation in which fires infinitely often can be

" +"

I G ¦

¦ and . ¨

expressed by the formula  , where is the LTL X formula



, A

Disjunctive Guards Pairwise Rendezvous. Let

b  y¡ $-  © $& 

 . This gives us the following.

.-`1Ha“1c ) '\1 be a given template with disjunctive guards.

Theorem 4.4 The PMCP for LTL ¨ X formulae over the

¡ Without loss of generality, we assume that each transition

control process is undecidable for guarded protocols of

, ¥

¡ of is labeled with a unique label. We perform the follow-

   the form b$c , with pairwise rendezvous and asyn- ing operations (figure 4).

chronous rendezvous.

/

|n}  u replace each transition v guarded by the dis-

Then from the first part of proposition 4.1 and theorem 4.4,

A '&*GX‡b555¤‡r&10e)

junctive guard ƒ by the two transitions 4

we have the desired undecidability result. A similar proof 2

2 2

|n} |}£

uv c&3 c&3 v &d

and ‘ and for each state introduce 4

can be used to show the undecidability of PMCP for p1 for 2

v v

4 4

|~} |}

&  c&3 c&3 &

d v vj‘

systems with broadcast actions. the two new transition and d .

v v

/

|}  u replace each internal transition v by the two

5 The Decidability/Undecidability

|} |~}£

u  c&3 c&3 vj‘

internal transitions v and . v

Boundaries v

A•'.\ 16- 1a 1c )

Let , be the resulting template.

k

©.5 ©65 ©65 ©65

}

- -98 :g D

We first establish a hierarchy based on the relative ex- Define a morphism 7 such that for each ,

©65

©65

':)MA;:G<: I

pressive power of the various primitives which proves help- 7 . Then, analogous to proposition 4.1(2), we

©65

!>@?

# 8:9;'.<=1#>)=

ful in establishing the decidability/undecidability boundary. can show that given templates < and ,

1# )

8:9'.< .

65 ©.5

5.1 Comparing expressive power of Communication ©

, A

Pairwise Rendezvous Disjunctive Guards. Let U %

Primitives. Given two labeled transition systems 

.-`1Ha“1c )

'\1 be a template with pairwise rendezvous. We

[ˆ U' ¢U' rU  U  fD% [ˆrf#} f  Cf  f 

 and , possibly 

B perform the following operations.

U

P) ¢n

of infinite size, let (homo)morphism f be

2 4

U /

   %e

 |~}

such that for any regular language , iff |}

u &

§

v v

 for each matching pair and , re-

©

2

f |

 " 2#% 

 and for any -regular language ,

2



|}  |}

v  x ACB

u u c&3

place v by the pair of transitions

| U | | f |

   : %h     2 r%h

iff . Then we say 4

v

2

|} |~} 

c&3 &

§ vD

that we can reduce, respectively, the model checking prob- and , and v by the pair of transitions

v

©

4 4

U f

  |n}

lems for regular and -regular properties for to via |}

E v x

‘ A

Ÿ

& c&3 c&3 vF §

 and .

v v

U f

  £¢

. This is denoted by ˜ . Note that this notion is

/

|n}  v

broader than trace equivalence, to which it reduces when replace each internal transition u by the four



U } } }

is the identity map. We say that primitive a is at least

¢

u¯v c&3 G c&3 G v c&3 I c&3 IOv c&3 D

internal transitions , ‘ , ,

v v v v v

aSf

as expressive as primitive with respect to the PMCP for }£

¢

v&F &3

c .

©

a U a f ˜

regular and -regular properties, denoted by , iff v

¡ ¥

 U  U , A '\ 1a 16- 1c )

for every guarded protocol b$c , wherein processes Let be the resulting template.

k

5 © 5 © 5 © 5 © 5S©

}

U 7 - -G8

communicate solely using primitives a , we can construct a Define a morphism such that for every la-

¡ ¥

5 ©

5 ©

f f ¢ ¨

   : gWD 7 ':)žAH:G<: I1: :

guarded protocol b$c wherein processes communi- bel , . Again, we can show that



5 ©

f !? >

8:9'.<=1#>)9 8:9;'< 1# )

cate solely using primitives a , and a morphism such that .

5 © 5 ©

¥ © ¥

¡ ¡

¢ £ ¢  ¢ ¨ § more it was shown that checking whether a guarded proto- col with broadcasts has an infinite computation is undecid-

able. Then using this fact, we can by an argument similar to

¦ © ¦

§ §

¢ ¤ ¢  © ¢  

 the one used in proving the above result show the following.

¡ ¥

   Proposition 5.4 There exist guarded protocols b$c

with broadcasts such that there is no guarded protocol

¡ ¥

Figure 5. Simulation of Pairwise Rendezvous 

    

b$c with pairwise rendezvous, and a morphism

¥ ¡ ¥

by Disjunctive Guards ¡

b$c    b$c     £¢ such that ˜ . 5.2 Decidability/Undecidability Boundaries First consid- ering regular properties, we have that the PMCP for p3

Pairwise Rendezvous  Asynchronous Rendezvous. is undecidable for systems with conjunctive guards (prop.

From proposition 4.1, we have that Pairwise Rendezvous ˜ 3.3), but is decidable for systems with any combination

Asynchronous Rendezvous. To prove that © (Asynchronous of the remaining primitives (section 4.1). This settles the

Rendezvous ˜ Pairwise Rendezvous), it suffices to show boundary issue for property p3. Next, we have that the the following.

PMCP for property p1, is undecidable for systems with

¡ ¥

   Proposition 5.3 There exists a guarded protocol b$c , asynchronous guards and systems with broadcasts (section

with asynchronous rendezvous, such that there is no 4), while it was shown in [7] to be decidable for sys-

¡ ¥

  

guarded protocol b$c with pairwise rendezvous, tems with conjunctive guards and systems with disjunctive

¡ ¥ ¡ ¥



b$c    b$c     ˜

and a morphism such that ¢ . guards (and hence for pairwise rendezvous). Moreover, it ¥

¡ is undecidable for systems that have both conjunctive and

  

Proof Sketch Given b$c with asynchronous ren- ¥

¡ disjunctive guards ([9]). Then using the expressiveness hi-

    dezvous, let b$c with pairwise rendezvous be such

that we can construct morphism  with the property erarchy, we have that it is undecidable for systems that have

¡ ¥ ¡ ¥

© conjunctive guards combined with any one (or more) of the

b$c    b$c      ˜

¢ . Then for any -regular lan-

¥ ¡ ¥

¡ four other types of primitives. This pins down the boundary

}| ub$c     9 |5% | 3b$c      

guage ¨| , iff L

 for property p1. Since both p2 and p4 are more expres-

A | g% % ¥ §  ¤§q

 . Let be the set of ac-

¡£¢

¡ ¥

L 

| sive than , all undecidability results for p1 carry over for

D% ©§  §  tions of and . Define  . Then

using the fact that  is a homomorphism, we have that p2 and p4. From proposition 3.2 and 3.3, we have that the

¡ ¥

¡ PMCPs for p2 and p4 are undecidable for systems with con-

  

b$c has a computation in which fires infinitely

¥ ¡

¡ junctive guards. Furthermore, since guarded protocols with

     often iff b$c has a computation in which fires

 pairwise rendezvous can be modeled as petri nets, therefore



A 

infinitely often and that accepts a string in  . We ¥

¡ using results from petri net theory (see for instance [11])

  

then construct templates  and that use only pairwise

¡ 

rendezvous as communication primitives and a morphism we have that the PMCP for p2 and is decidable for sys-

¡ ¥ ¡ ¥ 

 tems with pairwise rendezvous (and therefore for disjunc-

| |

 ub$c       i%   3b$c    ¤ C

 such that 

 tive guards). The expressiveness hierarchy and the bound-



A  

. Then since  is a morphism, it follows that

¥ ¡

¡ aries are pictorially shown in figure 6.

  

b$c has a computation in which fires infinitely of-

¥ ¡ ¡

     

   ten iff b$c has a computation in which fires in- finitely often. Thus we have reduced the problem of check- 6 Special case for modeling Cache Coherence ing whether a guarded protocol has a computation in which Protocols the control process fires infinitely often for protocols with asynchronous rendezvous to ones using solely pairwise ren- In general, modeling parameterized cache protocols

dezvous. But from [12], we know that model checking

¥

¡ (e.g., Illinois-MESI) requires broadcast transitions labeled

   ¨

b$c with pairwise rendezvous, for LTL X properties ¡ with conjunctive and disjunctive guards. But the PMCP

with atomic propositions over the local states of is decid- for regular properties for such systems is undecidable (prop

¡ ¥

   

  

able. So, in particular, it is decidable whether b$c

¡ 3.3). However, as was noted in the introduction, in practice,

¥ 

has a computation in which  executes infinitely often.

 +    template % for a snoopy cache coherence

But this implies that checking whether a guarded proto-

¥ ¡ protocol typically has the following features:

¥

  

col b$c with asynchronous rendezvous has an infinite ¡ 1. Every conjunctive guard labeling the transitions of

computation in which fires infinitely often is decidable, a



%  

is of the specialized form  . ¥

contradiction to the result proved in section 4.2. >

= 

2. is initializable, viz., for each state  , there is a

B

local transition of the form  .

Pairwise Rendezvous  Broadcasts. The fact that pair- We now show that if we consider guarded protocols of

¡ ¥

b$c    wise rendezvous ˜ broadcasts was shown in [10] Further- the form , with broadcasts, pairwise and asyn-

    ¤¤  Broadcasts 3. ¤ : in case the transition labeled by Conjunctive +

Guards Asynchronous

¢

{

 \ + § was a broadcast transition with the broadcast

Broadcasts Rendezvous

B

 Asynchronous send leading to  and being the matching re- Rendezvous Regular + Conjunctive Broadcasts ceive. Guards

Keeping these three type of states in mind, we define

§

t¦¥ t ¥

¨§ ¨§ §

© £ © Asynchronous LTL\X the parameterized configurations £ and where

Rendezvous

  x=  t ¥ $&C%6O $%  p $% 

¨§ ©

, as follows: £ if , if

§

Y t¦¥ $&¦% O $†%  $†%  p

¨§ § ©

and otherwise; £ if or ,

L

9% Y t

Conjunctive Conjunctive if $ and otherwise. Now let be a parameterized '

+ Guards L

[ˆ  +('0Š +*  + initial configuration and let % be an au- Disjunctive Pairwise Guards Rendezvous LTL tomaton. Recall that the model checking problem for regu-

lar properties is the following: Does there exist a combined

L L

^

=

state , reachable from a combined state ,

L L =Nt

where ` ? Consider the set of combined states

¢ ¢

(

GŠ  j= 0Š  <= "¨ ¥ 0Š =;ˆx ¥ –t ¥ %]¥ 2t ¥

¨§ § §

© £

-Regular ©

¦ >

Conjunctive Disjunctive Pairwise >

 ¨?¥ &GŠƒ=ˆ FE'  x7 . Let  be the set of param- Guards Guards Rendezvous

eterized configurations of S reachable from the combined

L L

2t 0Š 

initial configuration  . Then we can see that a com-

^

=iIKJ ¤ *

bined state , can be reached from a combined

L L L

Figure 6. The Decidability-Undecidability bound- L

[` GŠ  ` =st

state  , where , iff it is reachable from a state

aries ¦

?E'&   in  by firing a sequence of only those transitions that are not labeled with the specialized conjunctive guard

 , viz., that are labeled either with true or a disjunctive

¦

>

FE'&   chronous rendezvous, disjunctive guards and the special- guard. Thus if  can be determined then using the

ized conjunctive guard with initializable templates ¡ and backward reachability procedure presented in section 6.1,

L L

¥

[` GŠ  , then the PMCP for p3 is decidable. This framework can we can decide whether , is reachable from or not.

model all snoopy protocols in [13]. Therefore the problem boils down to determining the set

¦

¡ ¥

FE &    . This can be done by a fixed point computation

For simplicity, we assume that % , though our tech-

L L

¥ ¦

2t GŠ 1 starting from the set ¥ that in each iteration, given

nique works in general. Let T be a finite computation of

L ¡

the current set of nodes  determines what set of combined L L

§ ¤§/^

that results by executing the sequence of actions % .

¡ ¡ ¡ ¡ ¡ ¡

U

“C‘ “

¨  

¨§ § § ¦¨§

¦ states of are reachable from . This is done as fol- ¤

Then can be parsed as % , where for

¡£¢

¢= ¨   ¨§ ¦ lows. Add to iff :

each • , is a (possibly empty) subsequence of actions la-

¥

¡£¢

§



%   

beling transitions of not guarded by , and is 

¦

$% 2t ¥ 0Š  –t ¥ § =¦ ¡ GŠ  = 

§ §

£ © ©

> , there exists and

 >

a subsequence of actions labeling transitions guarded by . >

# # #

B B B

¡¤¢

>

 ƒ=  Š  Š:= (  

¢ ¢

{ {

§ such that and with



§ ¤§ \

Consider the non-empty sequence % . Then

 ¢

{ labeled with guard .

\ ¡

since each of the transitions corresponding to action § ,

>





¤=9M YxP a OR ¤

is guarded by , therefore for each , in state 

§

 % –t ¥ 0Š  2t ¥ §„= 0Š )= 

§ § ¨§

£ © ©

> , there exists and

¢ ¢

{ {

T U §

\ ¡*\ \ ¡ >

, resulting by firing the transition labeled with , >

#=< #@ #

B B B



 

Šs= (    =  Š 

there is exactly one process in its non-initial state and so it such that and

#><

B

 ¤   ¤  <= 

 

is of the form , for some . The state with  being labeled with guard .

>

¢

{

T  U

\ \

, on the other hand, could be of one of the following



§

 % 2t ¥ 0Š  2t ¥ §=5 £ 0Š  = 

§ ¨§

£ ©

three forms. , there exists © and

>

#=< < #@2@ #

B B B





  =  Š Š<= (

such that  and with

#=< <

B

 ¤    ¤¤ 

1.  : in case the transition labeled by

 

 being labeled with guard .

¢

{

§   \

is a local transition leading to state or an asyn- >



¢

{



§ \  

 

$% 2t ¥ 2t ¥ § =ƒ  0Š  GŠ =

§ ¨§

£ ©

chronous rendezvous labeled by leading to © , there exists and

> >

#@

with no matching receive from . B

„= 

such that  , there does not exist a transition

#C

#

B B

%   Š¨ Š = (

of the form , where in , and

 ¤    ¤¤   ¤ 

2.  : in case the transition la-

#@

B



¢

{



 

§ 

beled by \ was a pairwise rendezvous or an asyn- with being labeled with .

>

chronous rendezvous with a matching receive from ,



§

 

0Š )=  % –t ¥ 0Š  2t ¥ §„=

¨§ § §

© ©

with one of the two processes to fire ending up in state £ , there exists and

> >

#@ #C

#

B B B





  ' ¦=  Š  Š5= (  and the other one in . such that and

#@

B

  with  being labeled with guard . broad framework for reasoning about safety properties, but

> this decision procedure is guaranteed to terminate only for



GŠ  ?% –t ¥ 

¨§

© is reachable from a state in by firing the special case of broadcast protocols which cannot model >

only those transitions that are not labeled with  . Note protocols like the Illinois-MESI that require conjunctive ¥

that since is initializable, therefore we can, starting> guards. On the other hand, by exploiting features com- ¥§¦ in any global state of force any set of process not in mon to most cache coherence protocols, we have proposed a their initial state into their initial states one by one by broad framework than can be used to model parameterized

firing the initializing transition. Thus to check whether versions of all cache coherence protocols in [13] and for

 is reachable from  by firing only those transitions which the PMCP for safety properties is decidable. Thus

that are not labeled with  , it suffices to check whether by appropriately restricting the framework, we could iden-

¢

>

5% ¥¡ 0¢ G

the upward closed set . is reachable from tify a useful framework for which the PMCP for safety is

a combined state in  by firing only those transitions decidable thereby beating the undecidability results.

that are not labeled with  . This is done using the > backward reachability procedure (section 4.1). References

The above step is repeated until no more state are added.

¢ Clearly at most ¢ iterations are needed. We thus have: [1] P. Abdulla, K. Cerans, B. Johnson, Y. K. Tsay. General De- cidability Theorems for Infinite State Systems. LICS. 1996.

Theorem 6.1 The PMCP for regular properties is decidable ¥

¡ [2] K. Apt and D. Kozen. Limits for automatic verification of

  

for guarded protocols of the form b$c , where tem- ¥ ¡ finite-state concurrent systems. IPL, 15, 307-309, 1986.

plates and are initializable and the conjunctive guard [3] D. E. Culler and J. P. Singh. Parallel Computer Architec-



%   is of the specialized form  . ture: A Hardware/Software Approach. Morgan Kaufmann > Publishers, 1998. 7 Concluding Remarks [4] E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic. Logics of Programs Workshop, LNCS 131, pp 52-71, We have studied the decidability of the PMCP for 1981. guarded protocols and have delineated the decidabil- [5] G. Delzanno. Automatic Verification of Parameterized Cache ity/undecidability boundary for various linear time proper- Coherence Protocols. CAV 2000, 51-68. ties. For protocols with conjunctive guards, we first showed

© [6] G. Delzanno, J. Raskin, L. V. Begin. Towards the Automated undecidability of the PMCP for LTL, regular and -regular Verification of Multithreaded Java Programs. TACAS 2002. properties, allowing us to exhibit a decidability gap between 173-187. stuttering insensitive (LTL ¨ X) and stuttering sensitive prop- [7] E.A. Emerson and V. Kahlon. Reducing Model Checking of erties (LTL). Roughly speaking, this is because the pres- the Many to the Few. CADE. 2000. ence of the next-time operator, X, allows us to “count” the [8] E.A. Emerson and K.S. Namjoshi. On Model Checking for number of transitions fired starting at a given state, thereby Non-Deterministic Infinite-State Systems. LICS 1998. giving us the ability to simulate incrementing and decre- [9] E. A. Emerson and K. S. Namjoshi. Automatic Verification menting the counters of a 2-counter machine by exactly one of Parameterized Synchronous Systems, CAV, 1996. as opposed to stuttering insensitive logics, where there is [10] J. Esparza, A Finkel and R. Mayr, On the Verification of no control on the amount by which counters can be incre- Broadcast Protocols. LICS 1999, 352-359. mented or decremented. We next settled the decidability [11] J. Esparza and M. Nielsen: Decidability Issues for Petri Nets issue for PMCP for guarded protocols with asynchronous - a survey Journal of Information Processing and Cybernetics rendezvous, by showing undecidability of the PMCP for 30(3), 1994, pp. 143-160. p1, p2 and p4. This was followed by the establishment of [12] S.M. German and A.P. Sistla. Reasoning about Systems with a hierarchy based on the relative expressive power of the Many Processes. J. ACM, 39(3), July 1992. various communication primitives which is not only useful [13] J. Handy. The Cache Memory Book. Academic Press, 1993. in its own right but also allowed us to pin down the decid- [14] M. Vardi and P. Wolper. An Automata-Theoretic Approach ability/undecidability of PMCP for its various formulations. to Automatic Program Verification. LICS, 1986. The results are represented in a compact form in figure 6 from where one can deduce the decidability of the PMCP for any of the properties p1, p2, p3 and p4 for a guarded protocol with any combination of the five communication primitives considered in this paper. In the context of sound and complete verification of cache coherence protocols, Delzanno [5] has identified a