Model Checking Guarded Protocols

E. Allen Emerson and Vineet Kahlon
Department of Computer Sciences, The University of Texas at Austin, U.S.A.

(This work was supported in part by NSF grant CCR-009-8141 & ITR-CCR-020-5483, and SRC contract 2002-TJ-1026. Contact: {emerson,kahlon}@cs.utexas.edu)

Abstract

The Parameterized Model Checking Problem (PMCP) is to decide whether a temporal property holds for a uniform family of systems, C ‖ U^n, comprised of a control process, C, and finitely, but arbitrarily, many copies of a user process, U, executing concurrently with interleaving semantics. We delineate the decidability/undecidability boundary of the PMCP for all possible systems that arise by letting processes coordinate using different subsets of the following communication primitives: conjunctive boolean guards, disjunctive boolean guards, pairwise rendezvous, asynchronous rendezvous and broadcast actions. Our focus will be on the following linear time properties: (p1) LTL\X formulae over C, (p2) LTL formulae over C, (p3) regular properties specified as regular automata, and (p4) ω-regular properties specified as ω-regular automata.

We also establish a hierarchy based on the relative expressive power of the primitives by showing that disjunctive guards and pairwise rendezvous are equally expressive, in that we can reduce the PMCP for regular and ω-regular properties for systems with disjunctive guards to ones with pairwise rendezvous and vice versa, but that each of asynchronous rendezvous and broadcasts is strictly more expressive than pairwise rendezvous (and disjunctive guards). Moreover, for systems with conjunctive guards, we give a simple characterization of the decidability/undecidability boundary of the PMCP by showing that allowing stuttering sensitive properties bridges the gap between decidability (for p1) and undecidability (for p2). A broad framework for modeling snoopy cache protocols is also presented for which the PMCP for p3 is decidable and that can model all snoopy cache protocols given in [13], thereby overcoming the undecidability results.

1 Introduction

Systems with a finite but unbounded number of homogeneous processes or subcomponents arise in many important applications, including cache coherence protocols, multiprocessor systems and data communication applications. This gives rise to the Parameterized Model Checking Problem (PMCP), which is to decide whether a temporal property holds for every size instance, n, of the given system, n being the number of homogeneous processes or subcomponents in the system. PMCP is of great practical importance as it settles, in one fell swoop, the scaling and the state explosion problems. However, the problem is, in general, undecidable [2]. Since tractable decidable cases of the PMCP have many applications, it is important to clarify the relationship between decidability and undecidability for its various formulations.

In this paper, we consider the PMCP for systems of the form C ‖ U^n, consisting of a distinguished control process, C, and finitely, but arbitrarily, many copies of a user process, U, executing concurrently with interleaving semantics. Processes can communicate with each other using pairwise rendezvous (a process sends a message only if there is an enabled receiver), asynchronous rendezvous (a process sends a message which is received iff there is an enabled receiver), broadcast primitives (a process sends a message which is received by all the other processes), and global boolean guards labeling the transitions of the individual processes. The boolean guards could either be purely conjunctive, viz., of the general form ⋀(l_1 ∨ … ∨ l_k), expressing the condition that each process other than the one firing the transition is currently in one of the local states l_1, …, l_k, or purely disjunctive, viz., of the general form ⋁(l_1 ∨ … ∨ l_k), expressing the condition that there exists a process other than the one firing the transition in one of the local states l_1, …, l_k. The difference between pairwise rendezvous and asynchronous rendezvous, introduced only recently in the literature [6] in the context of verification of multi-threaded Java programs, is that while in the former case, for a process to send a message, a matching receiver must be present in the current global state to receive it, in the latter case a process can simply send a message irrespective of whether a receiver is present to receive it or not. If a receiver is present then the message will be received; else it is discarded.

Our goal is to delineate the decidability/undecidability boundary of the PMCP for all possible systems that arise by letting processes use different subsets of the above mentioned primitives. We focus on the following properties: (p1) LTL\X formulae over the control process C, (p2) LTL formulae over C, (p3) regular properties specified as regular automata, and (p4) ω-regular properties specified as ω-regular automata. We first show the following.

1. The PMCP for LTL formulae over C is undecidable for families of the form C ‖ U^n where processes are allowed to communicate via conjunctive guards. This result is somewhat surprising because it was shown in [7] that for such systems, the PMCP is not only decidable for LTL\X formulae but efficiently so in the size of both C and U. Thus we have the interesting fact that allowing stuttering sensitive properties bridges the gap between decidability and undecidability for systems with conjunctive guards. Moreover, this result greatly sharpens the result in [9] wherein it was shown that the PMCP for p2 is undecidable for systems with both conjunctive and disjunctive guards. Since ω-regular automata are strictly more expressive than LTL, the undecidability of the PMCP for ω-regular properties follows as a corollary. We go on to show that the PMCP for regular properties is also undecidable for systems with conjunctive guards.

2. The PMCP for LTL\X formulae over C is undecidable for systems where processes are allowed to communicate via asynchronous rendezvous. As a corollary, we have that the PMCPs for both LTL and ω-regular properties are also undecidable for such systems.

As part of previous work it is known that the PMCP for p3 is decidable for systems with broadcasts [10] and asynchronous rendezvous [6], but that the PMCP for p4 is undecidable for systems with broadcasts [10]. Furthermore, the PMCP for p1 is decidable for systems with conjunctive guards and for systems with disjunctive guards [7] and pairwise rendezvous [12].

We next establish a hierarchy for the communication primitives based on their relative expressive power. We show that disjunctive guards and pairwise rendezvous are equally expressive in that we can reduce reasoning about the PMCP for regular and ω-regular properties for systems with disjunctive guards to systems with pairwise rendezvous and vice versa. However, each of asynchronous rendezvous and broadcasts is strictly more expressive than pairwise rendezvous […]tions of the five primitives (see figure 6).

The undecidability of the PMCP for regular properties for systems with conjunctive guards is discouraging from the point of view of model checking parameterized snoopy cache coherence protocols, which require the use of broadcast primitives labeled with conjunctive guards as well as ones labeled with disjunctive guards. However, in practice, templates C and U describing transition diagrams of snoopy cache protocols have the following properties:

1. Templates C and U are initializable, viz., for each template there exists an unguarded internal transition from each of its states to its initial state. Such transitions, not usually drawn for simplicity reasons [3], are required to model block replacement for caches, which may nondeterministically push a block into its invalid (initial) state irrespective of the current state of the block.

2. Each global boolean guard labeling a transition of a template is either disjunctive or is of the specialized form ⋀ i, where i is the initial state. Such guards suffice as each cache only needs to test whether there exists another cache possessing the memory block that it requires, a disjunctive guard, or whether no other cache has the required memory block, the specialized conjunctive guard.

Under these assumptions, we show that the PMCP for regular properties is decidable. This gives us a broad and useful framework for modeling snoopy cache protocols for which the PMCP for regular properties is decidable and which is able to handle all of the snoop-based cache coherence protocols in [13], thereby overcoming the undecidability results.

The rest of the paper is organized as follows. The system model along with some other preliminaries is introduced in section 2. The decidability and undecidability results are presented in sections 3 and 4, while the expressiveness hierarchy and decidability/undecidability boundaries are established in section 5. In section 6, we present the framework for modeling cache protocols for which the PMCP for regular properties is decidable, and we conclude with some remarks in section 7.

2 Preliminaries

The System Model. We focus on systems comprised of a distinguished control process, C, and finitely, but arbitrarily, many copies of a user process template, U, communicating with each other using broadcast primitives, pairwise rendezvous, asynchronous rendezvous actions and guards labeling the transitions of individual processes. Each guard is a boolean expression over the local states of
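The five primitives described in the introduction and the system model above are easiest to compare on a concrete instance. The following explicit-state explorer is an added example, not code from the paper; it fixes n, builds the interleaved successor relation for C ‖ U^n, and exercises each primitive on small constructed templates: a mutual exclusion template whose entry into the critical section carries a conjunctive guard, a disjunctive guard that needs some other process in a given state, and a control process that hands out a token by pairwise versus asynchronous rendezvous, where only the latter can lose the message when no user is receptive. The template encoding (the `"init"`/`"trans"` dictionaries and the action tags `tau`, `conj`, `disj`, `send`/`recv`, `asend`/`arecv`, `bcast`/`brecv`) is our own assumption; the paper fixes no such syntax. Guards range over all processes other than the one firing, so C's local state must appear in a conjunctive guard's state set, exactly as the definition in the text requires.

```python
"""Explicit-state exploration of C || U^n under interleaving semantics.
Constructed example (not the paper's own code). A template is
{"init": state, "trans": {state: [(action, target), ...]}}; the action
encoding below is our own assumption."""
from collections import deque

# Actions (assumed encoding):
#   ("tau", None)              unguarded internal step
#   ("conj", S)                internal; every OTHER process (C included) is in S
#   ("disj", S)                internal; some OTHER process is in S
#   ("send", m)/("recv", m)    pairwise rendezvous: fires only with a receiver
#   ("asend", m)/("arecv", m)  asynchronous rendezvous: fires regardless; one
#                              enabled receiver moves too, else m is discarded
#   ("bcast", m)/("brecv", m)  broadcast: fires; every enabled receiver moves

def _guard_ok(kind, S, gs, i):
    others = [s for j, s in enumerate(gs) if j != i]
    if kind == "tau":
        return True
    if kind == "conj":
        return all(s in S for s in others)
    if kind == "disj":
        return any(s in S for s in others)
    raise ValueError(kind)

def _receivers(templates, gs, i, label, m):
    """(index, target) for processes other than i with an enabled (label, m)."""
    return [(j, t) for j, s in enumerate(gs) if j != i
            for a, t in templates[j]["trans"].get(s, []) if a == (label, m)]

def successors(templates, gs):
    """Global states reachable in one interleaved step; index 0 is C."""
    out = set()
    for i, s in enumerate(gs):
        for (kind, arg), t in templates[i]["trans"].get(s, []):
            moved = gs[:i] + (t,) + gs[i + 1:]
            if kind in ("tau", "conj", "disj"):
                if _guard_ok(kind, arg, gs, i):
                    out.add(moved)
            elif kind == "send":                      # blocked without a receiver
                for j, tj in _receivers(templates, gs, i, "recv", arg):
                    out.add(moved[:j] + (tj,) + moved[j + 1:])
            elif kind == "asend":
                rs = _receivers(templates, gs, i, "arecv", arg)
                if not rs:                            # no receiver: message lost
                    out.add(moved)
                for j, tj in rs:
                    out.add(moved[:j] + (tj,) + moved[j + 1:])
            elif kind == "bcast":
                ns = list(moved)
                for j, tj in _receivers(templates, gs, i, "brecv", arg):
                    ns[j] = tj                        # last enabled receive wins
                out.add(tuple(ns))
            # bare recv/arecv/brecv never fire on their own
    return out

def reachable(C, U, n):
    """Breadth-first search over the single instance C || U^n."""
    templates = [C] + [U] * n
    init = tuple(t["init"] for t in templates)
    seen, work = {init}, deque([init])
    while work:
        for ns in successors(templates, work.popleft()):
            if ns not in seen:
                seen.add(ns)
                work.append(ns)
    return seen

# Constructed templates. MUTEX: T -> Cs needs every other process outside Cs
# (a conjunctive guard); C's own state is listed because guards range over
# all other processes, C included.
C_IDLE = {"init": "idle", "trans": {}}
U_MUTEX = {"init": "I", "trans": {
    "I":  [(("tau", None), "T")],
    "T":  [(("conj", {"idle", "I", "T"}), "Cs")],
    "Cs": [(("tau", None), "I")]}}

def mutex_holds(n):
    """No reachable state of C || U_MUTEX^n has two users in Cs."""
    return all(sum(s == "Cs" for s in gs[1:]) <= 1
               for gs in reachable(C_IDLE, U_MUTEX, n))

# C hands a token to a user that is receptive only after moving from I to W;
# this is where pairwise and asynchronous rendezvous differ.
def control_sender(kind):
    return {"init": "c0", "trans": {"c0": [((kind, "go"), "c1")]}}

def user_receiver(kind):
    return {"init": "I", "trans": {"I": [(("tau", None), "W")],
                                   "W": [((kind, "go"), "R")]}}

def message_lost_possible(n, asynchronous):
    """Can C reach c1 while every user is still in I, i.e. nobody received?"""
    C = control_sender("asend" if asynchronous else "send")
    U = user_receiver("arecv" if asynchronous else "recv")
    return ("c1",) + ("I",) * n in reachable(C, U, n)

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, mutex_holds(n), message_lost_possible(n, False),
              message_lost_possible(n, True))
```

Running this only checks individual instances; it says nothing about the parameterized family, which is exactly the gap the paper's decidability results address. The broadcast branch resolves a process with several enabled receives for the same message by taking the last one, a simplification for the example.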