An approach to cyclic protocol validation

ELSEVIER

Computer Communications

19 (1996) 1175-l 187

An approach to cyclic protocol validation* Hong Liu, Raymond E. Miller Department

of Compufer Science, University of Maryland at College Park, College Park, MD 20742, USA

Abstract In this paper, the notion of fair reachability is generalized to cyclic protocols with more than two processes, where all the processes in a protocol are connected via a unidirectional ring and each process might contain internal transitions and can be non-deterministic. We identify ‘indefiniteness’ as a new type of logical error due to reachable internal transition cycles. By properly incorporating internal transitions into the formulation, we show that, with a few modifications, all the previous results established for cyclic protocols without non-deterministic and internal transitions still hold in the augmented model. Furthermore, by combining fair progress and maximal progress during state exploration, we prove that the following three problems are all decidable for Q, the class of cyclic protocols with finite fair reachable state spaces: (1) global state reachability; (2) abstract state reachability; and (3) execution cycle reachability. In the course of the investigation, we also show that detection of k-indefinitenessand k-live&k are decidable for Q. Keywords: Protocol validation; Fair reachability; Cyclic protocols

1. Introduction It is well known that automatic validation of real world complex communication protocols modeled as communicating finite state machines is primarily limited by the slate explbsion problem. To tackle this problem, many techniques have been proposed to reduce the number of states that need to be examined [l-3]. It is observed that in most cases, significant state reduction can be achieved by eliminating as much redundancy as possible which occurs from the interleaving of equivalent execution sequences during state exploration. However, care must be taken to ensure that the reduced state space still maintains competitive, if not the same, logical error detecting capability as the original reachable state space. Fair reachability analysis was originally proposed as one such improved state exploration technique for protocols with two machines [4, 51. By forcing the two machines in a protocol to make progress at the same time, whenever possible, only fair progress states are generated during state exploration. If the fair reachable state space of a protocol is finite, detection of deadlock and unspecified receptions are decidable within the fair reachable state space [4], while unboundedness detection * Research reported in this paper was supported by NASA Grant No. NAG 5-2648 and NSF Grant No. NCR9506039. 0140-3664/96/$15.00 0 1996 Published by Elsevier Science B.V. PZZ: SO140-3664(96)01152-S

is decidable with finite extension on the fair reachable state space [5]. In [6], we generalized the fair reachability notion to cyclic protocols with n > 2 machines, where each machine is deterministic but partially defined and does not have internal transitions. We showed that each fair reachable state is of equal channel length and the fair reachable state space F is finite if and only if (iff for short) P is not ‘simultaneously unbounded’. Moreover, we proved that for 9, the class of cyclic protocols whose F’s are finite, deadlock detection is decidable within F, while detection of other logical errors, such as unspecified reception, unboundedness, and nonexecutable transition, are all decidable via finite extension of F. We also showed that for any P E 8, P is logically correct iff its F does not contain any logical errors. As a result, for class 8, our generalized fair reachability analysis technique not only can achieve substantial state reduction, but also maintains very competitive fault coverage. Therefore, it is a very useful technique for the analysis of a wide variety of cyclic protocols. In this paper, we extend the fair reachability notion to the analysis of cyclic protocols, where a process in a protocol can be non-deterministic but partially defined and can have internal transitions. We observed that the inclusion of internal transitions into the model results in a new type of logical error called ‘indefiniteness’,

1176

H. Liu, R.E. Miller/ComputerCommunications19 (1996) 1175-1187

meaning that a protocol could reach a state from which one of the processes could execute internal transitions indefinitely without communicating with other processes in the protocol. However, by properly incorporating internal transitions into the formulation of fair progress vectors, we are able to show that, with only a few modifications, all the aforementioned results established in [6] still hold. Using maximal progress state exploration [7,8] as a means for finite extension, we also show that the reachability of a global state, an abstract state, and an execution cycle are all decidable for the class of cyclic protocols whose F’s are finite. Cacciari and Rafiq [9, lo] proposed a technique called reduced reachability analysis that can handle internal transitions for protocols with two machines. Since their approach is closely related to ours, we will defer the comparison of these two methods to Section 5, after our method is presented. The paper is organized as follows. In the following section, we introduce the communicating finite state machine model. In Section 3, we generalize the fair reachability formulation for cyclic protocols and study the logical error detection capability of fair reachable state space. We present the decidability results for the three general reachability problems in Section 4. Finally, we compare our work with others and discuss related issues in Section 5. Extension of fair reachability to cyclic protocols with nondeterministic and internal transitions was first reported in ICNP’95 [ll], while the decidability of the three reachability problems for cyclic protocols were given in IC3N’95 [12]. This paper is a more detailed presentation, including some modifications, of the results first reported in [ 1l] and [12]. Due to space limitations, lemmas and theorems in this paper are stated without proofs. Please refer to the full paper for details [13].

2. The CFSM model Notation

(1) We use bto denote concatenation. Given a set M, M’ denotes its reflexive and transitive closure under concatenation. 1MJ denotes its cardinality. 2M denotes the power set of M. (2) For Y, Y’ E M*, 1Y 1 denotes its length. E denotes an empty string, ]E]= 0. Define head(Y) = m if Y=m.Y’; head(Y)=6 if Y=E. Denote Y’5 Y if Y’ is a prefix of Y. (3)Givenn,forany 1 jelse i@j=i-j+n. (4) An intervaZ[i.& is an ordered set of at most n consecutive integers i, i CD1, . . . , i @ k = j, where

(1 5 i 5 n) A (0 5 k < n). The corresponding (unordered) set is denoted as {i..j}n. When n is known, we omit n from the notation. (5) Let [i’..j’] and [i..j] be two intervals, [i’..j’] c [i..j] iff {i’..j’} c {i..j}. Unless specified as [l..n], we assume 1[i..j] I< n. (6) We designate n as the number of processes in a protocol. Unless otherwise specified, we assume n 2 2 and let i,j range over {l..n}. In the communicating finite state machine (CFSM) model, a protocol is specified as a set of n processes P= (PI, pz,**, P,), where each process Pi is a finite state machine that can communicate with other processes via FIFO channels. For each Pi, Si denotes the set of local states in Pi. The initial local state of Pi is denoted as ~7. A channel from Pi to Pj, i #j, is denoted as Cij. The set of messages that Pi can send to Pi is denoted as Mu. The content of Cij, denoted as cij, is a sequence of messages sent from Pi to Pj* When Cij is empty, Cij = 6. Let tii = denotes the partially defined transitionfunction: U :=I (Si x (A4i U {v}) + 2si), where 7 stands for a dummy message. For each Pi, a transition defined at local state si E Si is denoted as r(si, g), where u E ai U { 7). It is a sending (receiving) transition if (T= -m (V = +m); it is an internal transition if 0 = q. As a convention, we use t g T(s~, a) to give a name t for this transition, and use si E r(si, a) to mean that si is a local state resulting from the execution of the transition. We also use p(si) as a shorthand for the internal transition r(si, 7). Denote Di as the set of transitions defined at si. si is a receiving local state iff each transition in Di is a receiving transition. By definition, each Pi is non-deterministic but partially defined. A transition cycle in Pi, denoted as Vi, is a cycle in the transition graph of Pi. It is an internal cycle if each transition in the cycle is an internal transition. It is a sending (receiving) cycle if it is not an internal cycle and each transition in the cycle is either a sending (receiving) transition or an internal transition. A protocol P = (PI, P2,. . . , P,) is cyclic iff each Pi has exactly one input channel Cio ii and exactly one output channel Ciie 1. From now on, we are dealing with cyclic protocols. For results established later in this paper, it should be clear that they apply to cyclic protocols only. For ease of reference, we call a cyclic protocol P a D-cyclic protocol if each Pi in P is deterministic and does not contain any internal transitions. For a cyclic protocol P = (PII P2,. . . , P,,), a global state (state for short) S is represented as a 2n-tuple . . ,s,, cnl , C ,2,. . . ,c,_ In), where si is the local hs2,. state of Pi, and cioii is the content of channel Cioli. In particular, the initial state So is denoted as (8, & . * . , s;, E, E, . . . , e). S is of equal channel length iff (Uj+i{

Mjj}).

T

-mlm

E

i&})

u

(Uj#i

{+ml

m

E

H. Liu, R.E. Miller/Computer

Communications 19 (1996) 1175-1187

all channel contents in S are of the same length. For convenience, we use s; in S to denote that 3; is a local state of S, and (s, m) in S to denote that s; in S and head(c;el;) = m in S. S is in a sending (internal) cycle iff there is a local state S; in S that is in a sending (internal) cycle of Pi. As a convention, we use capital letters S, X to denote a state and small letter 3; to denote a local state of P;. The reachability relation among states is formulated as follows. Given two states S = (s,,s2,. . . ,s,, cnl, and S’= (s’,,sk,.. .,4,&,42,..., c127. ..,Ll” ) ch_ ,,,). S’ is directly reachable from S, denoted as S H S’, iff 3 i E { 1..n} such that the elements of S’ can be derived from S by executing one of the following transitions: (1) si E T(s;,-m) and c{;@t = c;;~l;m. (2) S: E r(S;r +m) and c;e 1; = m . cieli. (3) s: E p(S;). Except for the elements affected by the one transition applied, all other elements of S’ remain the same as those in S. Denote H* as the reflexive, transition closure of H. S’ is reachable from S 8 SH*S’. When S = So, we say S’ is a reachable state. The set of reachable states in P is denoted as R, called the reachable state space of P. A local state si is reachable (from S) iff there is a state S’ such that So H* S’(St+* S’) and si in S’. (si, m) is reachable (from S) there is a state S’ such that So H* S’ (St+* S’) and (s:, m) in S’. A transition cycle ‘ik;:in P; is reachable (from S) if one of the local states in Q?;is reachable (from S). Suppose So I+* S’). An execution sequence, of S,’ (from S to S’ is a sequence e = X0 5 X ’ -L . . . I, Xk, k 2 0, such that X0 = So (X0 =S), Xk = S’, and Vl : 1 5 15 k, X’-’ I-+X’ via transition t’. The corresponding (possibly empty) local execution sequence in P;, denoted as e;, is the sequence of local states and transitions process P; goes through in e. {cl) e2, . . . , e,} is called a local execution sequence set of S’ (from S to S’). We use e !? {ei, e2,. . . , e,} to denote the correspondence. The length of e, denoted as 1e 1, is defined as the number of transitions in e, i.e. )e )= k 2 0. We use e;(X;) to denote the transition of e; in X;. If e; is at its last local state in X;, then e;(X’) = A, where X stands for a null transition. An execution cycle of S is a nonempty execution sequence from S to S, denoted as wl, where Z is the index set of those nonempty local execution sequences in the execution cycle. By definition, 0 c Z C { l..n}. Each nonempty local execution sequence e;, i E I, in 59, is a transition cycle in Pi, denoted as %;. ‘ik;is an internal execution cycle of S iff Vi E Z : $7;is an internal cycle in P;. WI is reachable iff 3 S E R of which it is an execution cycle. For protocol validation, we check R against common errors defined below. Given a state S E R, let

1177

S is a deadlock state iff each S; E S is a receiving local state in P; and each channel C;, i; is empty; S is an unspecified reception state iff there is an si E S such that s; is a receiving local state, head(c;, 1;) = m, and ~(s;, +m)$ D;; S is an in&finite state 8 S is in an internal cycle. P is unbounded iff V’K 2 0 : 3s E R : 3i E {l..n} :Ic;ot;]> K. A transition 7 (s;, U) E D; is executable in S iff g = -m, or (T= p, or 0 = +m and head(c;, l;) = m. ~(s;, o) is nonexecutable iff it is not executable in any S E R. Deadlock, unspecified reception, nonexecutable transition, unboundedness and indefiniteness are called logical errors. P is logically correct iff R is free of logical errors. It should be clear that the inclusion of internal transitions into the model introduces indefiniteness as a new type of logical error, meaning that from an indefinite state, a process could loop indefinitely through its internal cycle without communicating with its neighbors. It can be shown that none of the logical errors are decidable for cyclic protocols in general, using the results established in Ref. [14]. s =

(s1,s2,.

. . , s,, c,,~, c12,. . . , c,_

In) :

3. Fair reachability analysis In this section, we show how the fair reachability notion for D-cyclic protocols [6] can be extended to cope with nondeterministic and internal transitions for general cyclic protocols. For the sake of space, we will emphasize the modification part of the formulation and be brief on the part that is unchanged. Please refer to [6] and the full paper [ 131 for a complete treatment. 3.1. Basic formulation Given a cyclic protocol P = (PI, P2,. . . , P,), let be a state of P. S = (s1,s2,. . ,sn,cn1,c12,. . . ,c,_~J Define Er = {~(s;, -m) E D;}, Et = {~(s;, +m) E D; (head(c;e 1;) = m}, Er = { /J(s;) E D;)}, and E; = E; u ET u E ‘. Then E; is the set of executable transitions at s; in S. A transition T(s;, +m) E D; is enabled in S iff (c;,l; = E) A (~(s;@i, -m) E DieI). Let ET+ be the set of enabled transitions at S; in S. Convention The notations defined above are implicitly bound to a state S. For brevity, S is dropped from the notations when S is given and no confusion arises. This convention is adopted throughout the paper when a new notation is introduced. Whenever distinction is necessary, the binding arguments, such as S, will be put into the notation. For example, when we talk about the set of executable transitions in P; in both S’ and S2, we will use E;(S’) and Ei ( S2), respectively. Let T be a nonempty set of executable transitions in S.

1178

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

T is a prime transition set in S iff Vt, t’ E T : (t E Ei) A (t’ E Ei =s (t = t’). A linear ordering of T is an execution sequence e where )e I=) T ( and each transition of T occurs exactly once in e.

Lemma 3.1. Given a prime transition set T in S, let e and e’ be two linear orderings of T. S’ is reachable from S via e ifl S’ is reachable from S via e’.

Lemma 3.2. Assume S++*S.

Let e be an execution sequence from S to S’. Let T be a prime transition set in S such that V t E T : (t E Ei) + (t = ei(S)). Then there is another execution sequence e’ from S to S’ such that SW* St’ via a linear ordering of T and S” I+* S’ via the remaining transitions in e.

The basic idea of fair progress is to let more than one process to progress at the same time. To group transitions into progress vectors, we first construct TV = {? = (tl, t2, . . . , tn)} satisfying the following three conditions: (i) V i E { 1.. n} : ti E Et U E F’ if Ei U Et+ # 0; ti = X otherwise. (ii) 3 ti E Ei. (iii) Vi E then (ti = {l..n}: if (ti E Ei) A (tie1 E ET:,), (si, -m)) A (tie1 = r(siel,+m)). Each ZE TV is called a pseudo transition vector in S. Then for each z, we compute another transition vector v’= (vi, 02, . . . , v,) according to one of the following four cases: (1);~ (X~=lEk)~(X;=IEk+). In this case, ?=z. Here, v’is called a concurrency vector in S. (2) 3j: (tj E El’) A (tj,l E ET@, U E&Jl). (tj, tjel) is called a send-receive pair in c In this case, zli = ti if ti is in a send-receive pair or ti = p(Si); vi = X otherwise. v’is called a synchronization vector in S. (3) 3j : tj = p(Sj) and there is no send-receive pair in 5 In this case, vi = ti if ti = cL(si); vi = X otherwise. v’ is called an internal vector in S. (4) None of conditions (1) through (3) hold. In this case, set ‘ui= X. The resulting vector is called a null vector, denoted as X. v’ thus computed is called a fair progress vector in S if it is not a null vector. The set of concurrency (synchronization, internal) vectors in S is denoted as V, (V,, V,). Let V = V, U V, U V,. Given v’E V, let T, and T2 be the set of executable and enabled transitions in 7, respectively. The execution of v’in S is carried out in two steps: first, all the transitions in T1 are executed in any linear order to get to a state S”. Next, if T2 # 0, then all the transitions in T2 are executed in any linear order to get to S’. It should be clear that T1 and T2 are prime transition sets in S and S”, respectively. By Lemma 3.1, SN and S’ are unique with respect to (w.r.t. for short) Sand v’.Thus the execution of v’in S is well-defined. In this case, we say S’ is directly fair reachable from S, denoted as Swf S’. Let I-$ be the reflexive, transitive closure of H,-. S’ is fair reachable from S iff S H; S’. Inductively, we can show that S’ is

also unique when S I+; S’. Hence H; is also well-defined. When S = So, S’ is fair reachable. We can also define fair reachability for si, (Si,m), %‘i,and %?Iin much the same way as their reachability counterparts. As is the case of D-cyclic protocols, F maintains the equal channel length property. Theorem 3.1. Each fair reachable state is a reachable state with equal channel length.

Note that the converse of this theorem is not true. However, for each reachable state S, we can always find a fair reachable state that is ‘closest’ to S w.r.t a local execution sequence set {ei , e2, . . . , e,} of S. Specifically, we can construct a partial fair execution sequence for v’S w.r.t ,{el,e2,. . . ,e,}, denoted as pfs = XQX’~... >,x k ) such that k 2 0, X0 = So, ‘do < 15 k : X’-’ HEX’ via fair progress vector i$, and no fair progress vector can be derived from {et ,e2,. ..,e,} in state Xk. Xk is called the fair precursor of S w.r.t denoted as fp = {e,,e2,.. .,e,}, sf, s;, . . . ,&cP . . . , c:_~,). It is not difficult to ( “l&2, show that pfs and fp are unique w.r.t {ei, e2,. . . , e,}. Lemma 3.3. Let fp be the fair precursor for a reachable state S w.r.t {elre2,. . . ,e,}. Then 3k E {l..n} : t?k(fp) = X.

Moreover, if fp # S, then !I k E {l..n) : ek(fp) # X andfp H* S via the remaining transitions from {e,, e2,. . . , e,} in fp.

We are primarily interested in the class of cyclic protocols whose fair reachable state spaces are finite. A protocol P is simultaneously unbounded iff VK 2 0 3 K’ > K such that there is a state S E R where each channel has length no less than K’. It turns out that the lack of simultaneous unboundedness is exactly a necessary and sufficient condition for F to be finite, as in the case for D-cyclic protocols. The proofs for the following lemmas and theorems are similar to those for the case of D-cyclic protocols, we refer the interested readers to [6]. Lemma 3.4. Given a cyclic protocol P without reachable sending cycles, tfP is unbounded, then P is simultaneously unbounded. Lemma 3.5. If a cyclic protocol P is simultaneously unbounded, then its F is infinite. Theorem 3.2. Given a cyclic protocol P with ajnite F. P is unbounded 13 it has a reachable sending cycle.

Theorem 3.3. Given a cyclic protocol P, F is$nite tf P is not simultaneously unbounded. Theorem 3.4 It is undecidable whether a cyclic protocol P has a$nite F. By Theorem 3.2, we define a reachable state S as an unbounded state iff it is in a sending cycle. For unbound-

edness detection, it is sufficient to check the reachability

1179

H. Liu, R.E. Miller/ComputerCommunications19 (1996) 1175-1187

of an unbounded state. We use S to denote the class of cyclic protocols whose F’s are finite. From now on, we will restrict our study to class 9. In the rest of the paper, unless otherwise stated explicitly, when we mention a cyclic protocol P, we mean P E 2; when we mention F, we mean that it is finite. 3.2. Logical correctness validation For fair reachability analysis to be an effective means of validating the logical correctness of cyclic protocols, we need to make sure that the reduced state space F remains competitive in terms of fault coverage. By taking indefiniteness into account, we are going to show that those results established for 9 in [6] are still valid for 9, except for a few minor changes. Since the line of reasoning is similar to that used in [6], we will be quite informal in the arguments we make and highlight the differences along the way. Interested readers should refer to [6] for details. Our first result states that each deadlock state is included in F. Theorem 3.5. Deadlock detection is decidable for 2? However, F itself is not sufficient to detect all the logical errors. As for D-cyclic protocols, we reduce the detection of other logical errors to the following two local state reachability problems [5, 61: P-I Given a local state sk, decide whether sk is reachable. P-II Given a local state sk and a message m E Mj, tj, decide whether (Sk, m) is reachable.

Clearly, not reachable local state Sk is fair reachable. To solve P-I and P-II for 9, F needs to be finitely extended to uncover those local states. For concise presentation, we defer the proofs of decidability for P-I and P-II to the following section. In what follows, we will focus our discussion on P-I, but similar arguments can be made for P-II. Suppose Sk is reachable but not fair reachable. Then, none of the reachable states containing Skis in F. Let S be any reachable state with Skin S, {ei , e2, . . . , e,} be a local execution sequence set for S, and fp be the fair precursor for S w.r.t {ei, e2, . . . , e,}. By Lemma 3.3, we can find an interval [i..j] in fp such that VI E [i..j]et(fp) # A and ei@I(fp) = ejel(fp) = A. Starting from fp, we construct the set of states fair reachable from fp as follows: in each such state S’,

each fair progress vector 7 is computed as usual except that vl must take on the transition from el if (I E [i..j]) A (e’(S’) # X) in that state. Note that some of the ells might become empty during the process, but by no means can ek become empty. Without loss of generality, let’s assume that none of the ells becomes empty during the construction. Let Fr.71 be the set of states from the construction, where sum of the

remaining transitions, in {ei, eie is minimum. Note that if S’ E Fr,T1 and S” is fair reachable from S’ by the construction, then S” E FT.;]. More importantly, S” is fair reachable from S’ without progress in [i..j]. Given S’ E Fp’i, let ii[i..jl = (u’, ~‘oi,. . . , Uj) be the vector such that VI E [i..j] : ut = et(S’). Then iili,,‘l satisfies the following five conditions: 1,

.

.

.

,

ej}

(1) (2) (3) (4)

VI E [i..j] : U/ E Ek. There is no send-receive pair in ii[i..jl. There is no concurrency vector in S’. Neither Uinor Ujappears in a send-receive pair in any synchronization vector in S’. (5) For each S” fair reachable from S’ without progress in [i..j], is a vector in S” satisfying (l)-(4). ii[i,,j]

si[j,,jl is called a persistent incompatible transition vector (pitv for short) in S. Hence Sk is reachable but not fair reachable only if 3 S’ E F : S’ has a pitv lii,,j) such that k E [i..j] and Sk is reachable from S’. Therefore, the finite extension of F should be based on the set of states in F each of which has apitv ti(i,,jl for some interval [i..j]. This set is called an extension set of F, denoted as FT. Thanks to the following lemma, FT can be easily identified and its size can be greatly reduced. The proof is similar to that for D-cyclic protocols. Please refer to [6] for details. Lemma 3.6. Given S E F and a transition vector ii[i,,jl’ iiLi,dl is a pitv in S only lf there is another S’ E F such that ii[i,,j) is a pitv in S’ and S’ is either an unspecified reception state, or an unbounded state, or an inde$nite state.

Denote Fdl (F,,, Fub, Fid) as the set of deadlock (unspecified reception, unbounded, indefinite) states in F. By the above lemma, Fr = F, U FubU Fid. Clearly, FT can be easily computed during the construction of F. Moreover, This lemma gives us a fault coverage characterization for F that is similar to that for F of a D-cyclic protocol in B [6]. The only difference is that we need to take indefiniteness into account. Theorem 3.6. Given a cyclic protocol P E 9, P has a deadlock I@- Fd 5 0. P has an unspecified reception but F, = 8 only if Fd U Fid # 8. P is unbounded but Fh = 8 only if F, U Fid # 0. P is in&jmite but Fid = 8 only tf F,, U Fub# 0. P has a nonexecutable transition that is not detectable via F only if F, U Fd U Fid # 8. P is logically correct @I”F does not contain any logical errors.

As a result, F not only can offer substantial state reduction over R but also is very competitive in fault coverage. Theorem 3.6 suggests the following iterative validation strategy: we first generate F. If F is errorfree, then we are done; otherwise we fix the errors

1180

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

detected in F and regenerate F. We repeat this process until no errors are caught in F. At the end of the process, we will have a cyclic protocol that is logically correct. By doing so, finite extension of F is in fact not needed at all

4. General reachability problems Based on the preceding presentation, we move on to study three general reachability problems for cyclic protocols in this section: P-S: P-A:

P-C:

Given a (global) state S, decide whether S is reachable. Given an ‘abstract state’ A = (s,,s~, . . . ,s,, where mj E Mielt U {c}, decide ml,m2,. . . , m,), whether A is reachable - whether there is state s’= (sl;& )...) s;,c;1, a reachable I c 12,. . . , ck_ ,,,) such that A is an abstract state of S, i.e. Vi E {l..n} : (si =si) A (mi = head(ci,li)). Given an execution cycle Wt, decide whether there is a reachable state S such that ‘ik; is an execution cycle of S.

These three problems are referred to as the global state reachability problem, the abstract state reachability problem, and the execution cycle reachability problem, respectively. Note that none of these problems are decidable for cyclic protocols in general, using the results in [14]. In this section, we will show that they are all decidable for 9. We also use Si in A to mean that Si is the local state of Pi in A. The study of P-S is important in its own right. P-A is a generalization of both P-I and P-II in Section 3.2. Since the set of abstract states is finite for P, it follows that the decidability of P-A will imply that of P-I and P-II. In fact, an abstract state captures most of the important information regarding a state. Many safety properties, including those logical correctness properties studied in the previous section, can be decided by the set of reachable abstract states. On the other hand, many liveness properties [15], such as livelock [16], are related to reachable execution cycles. Thus, the investigation of both P-A and P-C will enable us to validate more complex properties for cyclic protocols modeled as CFSMs. Our approach to solving these problems is the following. First, we use fair progress to generate F. Then, we use F as a (finite) basis from which finite extension is performed via maximal progress state exploration [7, 81. The key to finite extension is the following lemma, which follows directly from Lemma 3.3: Lemma 4.1. S is reachable tfl 3s’ E F: 3i E {l,..n} St I+* S without progress in Pi.

:

As a result, P-S and P-A can be reduced to the following simpler problems P-S’ and P-A’, respectively: P-S’: P-A’:

Given S, St, and i E { 1.. n}, decide is reachable from S’ without progress Given St, A and i E { l..n}, decide is reachable from S’ without progress

whether S in Pi. whether A in Pi.

Since F is finite, if P-S’ (P-A’) is decidable, then so is P-S (P-A) for 9, As will be shown, the solution to P-C can also be simplified to P-A. So we will focus on solving P-S’ and P-A’. First, we introduce a finite subset construction procedure based on maximal progress. 4.1. Maximal progress subset construction In studying P-S’ and P-A’, we assume that one of the processes does not make progress. Without loss of generality, let’s assume i = n and let k range over { 1.. n - 1) in the rest of the section. The arguments we are going to make will hold for any i E { 1.. n} with only a few changes in notation that are obvious from the context. Since the set of states reachable from S’ without progress in P,, can still be infinite, we cannot just simply generate the set to decide P-S’ and P-A’. Intuitively, it seems that we do not always need to do that. First, the fact that P,, makes no progress ‘breaks the ring’, i.e. the progress of PI from St does not depend on P,,. This allows us to adopt maximal progress to construct a subset of the states reachable from S’ incrementally in n - 1 steps. Second, the given S or A can be used as a constraint to guide the state exploration procedure so that the number of new states generated in each step is finite. As a result, we will be able to do finite extension from St to solve both P-S’ and P-A’. This brief argument, though informal, will be very helpful in understanding the formality presented below. We first formalize the notion of maximal progress adopted from [7, 81. S’ = (So, si,.. . ,sL, CL,, ci2,. . I , ck_ ,,J, for Given each k E [ 1.. n - 11, we compute a set of maximal progress vectors w.r.t [l ..k] by only considering transitions executable in St from processes indexed by [l..k]. Recall that TV is the set of pseudo transition vectors in S’. Denote MVk={z= (tl,t2,...,t,)I(zc W)A (Vl E [k@ I..n] : tl = A)}. For each ZE MVk, we compute a new vector G = (w,, w2,. . . , w,J as follows by selecting the first executable transition, in the order from k to 1, as the next transition to execute: l

l

Find k’ in the order from k to 1 such that Pk’ has an unspecified reception in St. If no such k’ is found, set k’= 1. Find h in the order from k to k’ such that t), # A. If no such h can be found, set h = 0. Set*=X.Ifh#O,setw/+h.

l

The resulting vector * is called a maximalprogress vector

H. Liu, R.E. Miller/Computer

Communications

of S’ w.r.t [l..k] if ti # x’. In this case, there is exactly one element wh in + that is executable in S’. Given S’ and a maximal progress vector $ of S’ w.r.t [l..k], suppose whrh E [l..k], is executable in S’. Let S” be the state resulting from the execution of w,, in S’. S” is said to be directly maximal reachable from S’ w.r.t [l..k], denoted as S’++m[l,.kjS”. Let ++*m[i..k]be the reflexive, transitive closure of H~~~.,~I. S” is maximal reachable from S’ w.r.t [l..k] iff S’H~[~,,~~S”. Denote MRk as the set of states maximal reachable from S’ w.r.t [l..k]. Even though h4Rk could still be infinite, the following lemma shows that maximal progress ensures that each S” E MRk satisfies the channel constraint of S’ w.r.t [l..k], i.e. VIE [l..k] : I&III

I ~~Jw;.d>

1).

4.2. Every S” E MRk constraint of S’ w.r.t [l..k].

Lemma

satisjies the channel

The following algorithm gives the generic decision procedure for solving both P-S’ and P-A’, which consists of n - 1 steps, in the order from n - 1 to 1. For notational convenience, we number the steps from n - 1 to 1, meaning that the k-th step here corresponds to the (n - k)-th step in actual construction. In the k-th step, we construct a set of states maximal reachable from S’, denoted as RSk, from the set of states generated in the previous step, i.e. RSk’ ‘. To ensure finite construction, a predicate I is used to decide whether a newly generated state should be added into RSk. In solving P-S’ and P-A’, the only difference is the formulation of I’, which will be clear in the following two subsections. Algorithm 1 Maximal-Progress-Subset-Construction begin 1 if I’(S’, n) then RS” = {S’} else RS” = 0 2 for k := n - 1 to 1 do RSk := 0 3 4 foreach S” E RSk’ ’ do Compute RSk(S”) := {S”‘j (S”+-+m[l,,kjS”‘) 5 A l-‘(S”‘,k)}. RSk := RSk u RSk(S”) 6 7 end foreach 8 end for end Maximal-Progress-Subset-Construction

19 (1996) 1175-1187

1181

The following lemma shows that I’(S”, k) ensures the finite construction of RS’ in Algorithm 1, i.e. the procedure always terminates after finite number of steps. Lemma 4.3. RSk is finite and each S”’ E RSk satisfies the following three conditions: (i) croik 5 cko ik; (ii) VZ E [k..n] : sy = sl; and (iii) Vl, k $ 1 < I I n : “1 clell

=

CIBll.

By this lemma, we know that Algorithm 1 always terminates. In the k-th step, we let Pk maximally progress to reach Sk. At the end of the k-th step, if RSk # 0, then each state S”’ E RSk and S have in common the local states of processes Pk through P, and the input channel contents of processes Pk@i through P,,. Furthermore, the input channel content of Pk in S” is a prefix of that in S. Thus, at the end of the construction, if S E RS’, then S is maximal reachable from S’. On the other hand, suppose S is reachable from S’ without progress in P,. Let {ei, e2,. . . , e,} be a local execution sequence set from S’ to S. Then e, = E. From {ei , e2, . . . , e,}, we rearrange the transition execution order by first letting P,, _ 1 maximally progress along e,_ , to reach a state S”- ‘, then Pn_2 maximally progress from S-i along the remaining transitions in e,_2 to reach a state Sne2, etc, until PI maximally progress from S2 along the remaining transitions in el to reach a state S1 . By construction, it is not difficult to show that Sk E RSk for each k ranging from n - 1 to 1 and S ’ = S. Hence S is reachable from S’ without progress in P, iff S E RS’. Since RS’ is finite and can be constructed in finite number of steps, it follows that it is decidable whether S is reachable from S’ without progress in P,. Although we assume i = n, we can obtain the same results for any i E { 1.. n} by similar arguments. Theorem 4.1. P-S’ decidable for 9.

is decidable.

Therefore, P-S is

From this theorem, we know that R is a recursive set for each P E 8. The finite F serves as a basis from which the membership function of R can be effectively tested via finite extension. To our best knowledge, this is the first characterization of R in terms of its reduced subset (including F) for any improved reachability analysis technique in the CFSM model.

4.2. Solving P-S’ 4.3. Solving P-A’ Let’s

first. Recall that S= ) is the state whose reach(9 >s2, . . .,~,,C,l,C12r.~~~Cfl-ln ability from S’ we want to decide. In this case, we define r(S”‘, k) as follows:

rys”‘,k)

look

=

at

(~~~:‘k

P-S’

5 eke Ik) A (St’= Sk)

The proof of decidability for P-A’ can be carried out similarly. To formulate r for P-A’, we define an equivalence relation = [i,,kJ over h4Rk as follows: given S”,

ifk=n

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

1182

MRk : Sa = [,,,k]Sb iff (VI E [l..k] : (s;I = SF) A (cyezz = cfeIz)) A (head(c&@,) = head(& Denote [S”] as the representative state for the equivalent class of S” and let [h4Rk] = {[S”]]S” E MRk}. It follows from Lemma 4.2 that [MRk] is finite. Given E ll,,k], we proceed to construct RS’ for S’ using Algorithm 1. Initially, let RS” = {St}. In the k-th step, for each St’ E RSk@‘, we compute RSk(S”) = {St” ](St’ ~m[l,,k]S”) A (l?(S”‘, k)}, where I’(,!$“‘,k) is defined as follows: Sb E

=

Vx E RSk(Stt)

The decidability of P-A for 9 implies that many problems related to logical error detection are decidable for 9. It also solves the k-indejiniteness problem, namely, whether there is a reachable state S that are in exactly k E { 1.. n} internal cycles. We summarize these results as a corollary below. Corollary 4.2. The following problems are decidable for 9:

ifk=n

true r(Stt”k)

Theorem 4.2. P-A’ are decidable. Therefore, P-A is decidable for 9.

: (x # St”) + (x $ [,,,k]S”‘)

In addition, we delete from RSk those extra states belonging to the same equivalence class in Line 6. By construction, RSk(SN) = [MRk](S”). Thus RSk is finite if RSk” is finite. Since RS” = {S’} is finite, by induction on n - k, RSk is finite for each k ranging from n - 1 to 1. Hence Algorithm 1 terminates. Denote RA, = {A 13X E RS’ : A is an abstract state of X}. Clearly, since each state in RS’ is reachable from S’ without progress in P,,, so is each abstract state A E ZL4,. Conversely, suppose A is reachable from S’ without progress in P,,, then there is a state S reachable from S’ without progress in P,, and A is an abstract state of S. Let {et, es,. . . , e,} be a local execution sequence set from S’ to S such that e, = E. From {ei, e2, . . . , e,}, we construct another state S” in n - 1 steps as follows so that St’ E RS’ and A is an abstract state of St’: initially, we set S” = S’. In the k-th step, we start from Sk” and let Pk maximally progress along the remaining transitions in ek until we reach a state Sk = (&, s:, . . . ,si, &, . . , c:_~,,) such that S: = Sk and head(cfk,, ) = head(ckk,z). It iS not difficult to show, by induction on n - k, that 3 Xk E [MRk](Skel) : Xk =[l,,k] Sk, for each k E [l..n - 11. At the end of the construction, we have S’ such that 3x’ E RS’ : x’ = [z.,k]S’ . By construction, A is an abstract state of both X ’ and S ’ . Let St’ be X ’ . Then AEM,.

ct,.

Lemma 4.4. An abstract state A is reachable from St without progress in P,, IT A E RA,. Note that, although we assume i = n in the discussion, we can obtain the same results for any i E { 1..n} by similar arguments. Let ZU = lJ yXiRAi. Then R4 is exactly the set of abstract states reachable from S’ without progress in one of the processes. Let RA = U sfEFRA(S’). By Lemma 4.1, RA is exactly the set of reachable abstract states, which is finite. As a result, we can enumerate all the reachable abstract states via finite extension of F.

otherwise.

(1) P-I; (2) P-II; (3) Unboundedness; (4) Indefiniteness; (5) Unspecified reception; (6) Nonexecutable transition; and (7) k-inde$niteness. 4.4. Solving P-C To decide the reachability of an execution cycle ‘ig,,we break down the problem into three cases. Let h range over I. Case 1: Vh E Z : ‘is, is an internal cycle. In this case, the reachability of %‘1can be decided by checking the existence of a reachable abstract state A where Vh E Z : sh in A is in %?h. Case2: Z={l..n}andVh~(l..n]:%‘~,isnotaninternal cycle. In this case, for each reachable execution cycle ‘;s,, we can construct a fair execution cycle fc in F that has the same local execution sequence set as %I [6, 161. Thus the reachability of ‘X1is equivalent to the fair reachability of gl. This can be done by checking the cycles in the (finite) fair reachability graph. Case 3: Z = Zi u Z2, where (i) Vh E Zz : Wh is not an internal cycle; (ii) Vh E Z2 : %h is an internal cycle; (iii) Z2could be empty; and (iv) 0 c Z1 c { 1..n}. Let’s first look at a simpler case where It = [i..j] and 12 = 0. In this case, we say ‘is, is a normal execution cycle, which has the following nice properties: Lemma 4.5. Given a normal execution cycle %z. where Z = [i..j]. Then the following statements hold: (1) I [i-j] I 2 2 (2) %i is a sending cycle; (3) %’ is a receiving cycle; (4) If ][i..j] 1> 2, then Vh E [i@ l..je l] : ‘Es,is a mixed cycle. Lemma 4.6. Given a normal execution cycle ‘is,, where Z = [i..j]. %‘z is reachable zfl 3 S E R such that Wz is a normal execution cycle of S and Vh E [i $ l..j] : chelh = E. As a result, the execution of any normal execution cycle %‘ii,,jlin ‘is, of S depends only on the set of local

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

states indexed by [i..j], not on the contents of those input channels of the processes indexed by [i $ 1..j]. Let RA’= {A = (s1,s2 ,..., s,,ml,m2 ,..., m,)&I E RA) A (3 [i..j]VI E [i@ l..j] : mt = 6)). For each A E RA’, we can effectively compute the set of normal execution cycles NC = {qIi,.il} such that VI E [i $ l..j] : mt = E and VIi,,il can loop through A indefinitely. As for the general scenario for Case 3, by Lemma 4.5, Z1can be further decomposed into a set of disjoint intervals, denoted as Zi = { [i..j]}, where V [i..j] E Zi : %‘Li,,jlis a normal execution cycle in ‘ik;. Lemma 4.7. Given an execution cycle Wt satisfying the conditions of Case 3. Then Zl is composed of mutually disjoint intervals, denoted as {[i..j]}, such that each %‘t,,jlis a normal execution cycle in Wt. Furthermore, %?I is reachable i# 3 S E R such that (i) V[i..j] E Ii V h E [i@ l..j] : chelh = E and (ii) Vh E Z2 : sh is a local state of Ph in %?h.

Therefore, given WI, we can determine the reachability of those normal execution cycles in ‘X1by examining RA. The set of internal cycles in Ca; can be determined by inspecting the local states of A that are not involved in any normal execution cycles. To sum up all three cases, we have the decidability of P-C. This indicates that the set of reachable execution cycles of a protocol in d is also a recursive set. Theorem 4.3. P-C is decidable for 9. We can use RC to investigate some of the liveness properties related to execution cycles. Suppose we are given a ‘marked’ cyclic protocol P, where each edge (transition) in the state transition graph of each process is marked as either ‘progress’ or ‘nonprogress’. P is said to have a k-livelock iff there is a reachable execution cycle +?I such that V h E Z : each edge in Ch is marked as ‘nonprogress’ and II I= k. Note that our k-livelock definition is a generalization of the one in [16, 171, where ]Z]= n.

1183

Jan Pa&l is probably the first person who formalized and investigated the reachability problems for cyclic protocols. In his unpublished research report [A, he showed that the detection of deadlock and unspecified reception are decidable for the class of cyclic protocols with one channel whose channel expressions are recognizable. Although the relationship between this class and d is not clear at the moment, we believe that our results complement those in [A in terms of decidability for logical correctness problems, and we have addressed the reachability problems for cyclic protocols in a much broader scope. Moreover, Pa&l’s decision procedure is composed of two semi-algorithms working in parallel, which is highly inefficient compared to ours for practical validation. Cacciari and Rafiq [9, lo] proposed a technique that can also handle internal transitions for n = 2. Compared to their work, our approach has the following advantages: (1) our method can handle cyclic protocols with more than two processes; (2) our method can handle protocols with internal and sending cycles; (3) except for internal transitions, our method allows at least two processes to make progress, whenever possible; (4) the fair reachable state space maintains the equal channel length property, while the reduced state space generated by their approach does not. This is, what we feel, more difhcult to derive a non-trivial necessary and/or sutIicient for a protocol to have a finite reduced state space; (5) we also studied three general reachability problems in cyclic protocols. We extend the notion of fair reachability to multi-cyclic protocols [18], where a number of cyclic protocols are connected in such a way that each channel belongs to exactly one component cyclic protocol. By composing fair progress vectors of each component cyclic protocol, we are able to show that all deadlock states are fair reachable. However, we are not sure whether we can get the same competitive fault coverage as 9 for the class of multi-cyclic protocols whose fair reachable state spaces are finite. We are currently working on this issue.

Corollary 4.3. k-livelock detection is decidable for 9.

Appendix: Proof of lemmas and theorems 5. Conclusion

In this paper, we generalized the fair reachability notion to cyclic protocols with nondeterministic and internal transitions. We showed that the fair reachable state space is not only much smaller than the original reachable state space, but also very competitive in fault coverage. We also proved that the reachability of a global state, an abstract state, and an execution cycle are all decidable for b. The principal technique we used is to first generate the finite fair reachable space F and then perform finite extension of F via maximal progress state exploration. As examples, we showed that detection of k-indefiniteness and k-livelock are decidable for 2.

Lemma 3.1. Given a prime transition set Tin S, let e and e’ be two linear orderings of T. S’ is reachable from S via e tf S’ is reachable from S via e’. Proof. Assume I T ]= k > 0. The transition sequences in e and e’ are both permutations of transitions in T. Observe that the transition sequence in e’ can be obtained from that in e by successively shufIling neighboring transitions in e. As a result, we only need to show the lemma for e and e’, where e’ can be obtained from e by shuffling one pair of transitions in e. Let t l...tltl+l... tk be the transition sequence in e tk be the transition sequence in e’. and tl...tl+ltl... Assume St-+*X via transition sequence tl . . . tl_ ,,

1184

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

X H* X’ via transition sequence t[ tl + , , and X H* X” via transition sequence tl+ I tl. It is not difficult to show that X’ = X” since both tl and tI+ I are executable in X and they belong to different processes. Since X’ H* S’ via the remaining transitions in e, we have S I+* S’ via e’. 0 Lemma 3.2. Assume SW* S. Let e be an execution sequence from S to S’. Let T be a prime transition set in Ssuch that t/t E T : (t E EJ + (t = ej(S)). Then there is another execution sequence e’ from S to S’ such that S cf* S” via a linear ordering of T and S” H* S’ via the remaining transitions in e. Proof. We first show that for each t E T, if t is not the first transition in e, then there is another execution sequence e’ from S to S’ in which t is the first transition. We show it by induction on h, the position oft in e. Since t is not the first transition in e, we have h 2 2. Basis: h = 2. Let t’ be the first transition in e. Then t’ and t belong to two different processes. As a result, S H* X via t’t iff S I+* X via tt’. The claim holds. Induction: suppose the claim is true for h = h’ 2 2. We want to show it is true for h = h’ + 1. Let t’ be the h’-th transition in e. Then t’ and t belong to different processes since t is the first transition in its respective local transition sequence. Suppose SH* X via the first h’ - 1 transitions in e. Using the same argument as in the basis case, we can show that X H* X’ via t’t iff X H* X’ via tt’. As a result, there is an execution sequence from S to S’ where t is the h’-th transition. By induction hypothesis, the claim also holds. Now we can successively move those transitions in T that appear after the k-th position in e to the beginning of the sequence. At the end of the procedure, we obtain an execution sequence e’ whose first k transitions are those from T. Hence SH* S’ via a linear ordering of T and S” H* S’ via the remaining transitions in e. 0 Theorem 3.1. Each fair reachable state is a reachable state with equal channel length.

Proof.

yppose

fe=X”&X’l

S _is a fair ... ZXk,

reachable

state.

Let

k > 0, be a fair execution

sequence for S such that X0= So and Xk = S. We show the lemma by induction on k. Basis: k = 0. In this case S = So. Since So is of equal channel length of zero. The lemma trivially holds. Induction: suppose the lemma holds for k = k’ 2 0. We want to show for k = k’ + 1. By induction hypothesis, we know that Xk’ is of equal channel length. Depending on ?k, there are three cases to consider: 0 ?k is a concurrency vector. Then the execution of i’kwill either increase the length of each channel content by one or decrease the length of each channel by one. l Vk is a synchronization vector. Then the execution of each send-receive pair (vi, vi@,) will keep the length of channel content cii, 1 unchanged.

l

?k is an internal V&Or. Then the no effect on the channel contents.

eXeCUtiOn

of ?k has

In all cases, Xk remains of equal channel length. Hence S is of equal channel length. Therefore, each fair reachable state is of equal channel length. 0 Lemma 3.3. Let fp be the fair precursor for a reachable S w.r.t {el,e2,. . . ,e,}. Then 3k E {l..n} :

state

Moreover, if fp#S, then 3kE ek(fp) = A. H* S via the remaining transi{l..n) : ek(fp) # X andfp tions from {el, e2, . . . , e,} in fp.

Proof. We first show that given a state X and a local execution sequence {e{,e;,...,eh} from X, if Vi E { l..n} : e: (S) # X, then a fair progress vector can be derived from {e’,, ei, . . . , e;} in X. Let i be the vector such that ti = e:(X), then ti E E,(X) U Et+(X), since otherwise the protocol cannot make progress from X. Hence in TV(X). If there is a send-receive pair in 5 then we can extract those send-receive pairs and internal transitions in z to form a synchronization vector in X. Otherwise, if there is any internal transition in 5 then we can extract those internal transitions to form an internal vector in X. Otherwise, i is a concurrency vector in X. Now by definition of fp and the above result, we must have 3k E {l..n} : ek(fp) = X. Clearly, if fp # S, then 3 k E { l..n} : ek( fp) # X. By Lemma 3.2 and induction on k, we can show that fp H* S via the remaining transitions from {e, , e2, . . . , e,} in fp. 0 Lemma 3.4. Given a cyclic protocol P without reachable sending cycles, if P is unbounded, then P is simultaneously unbounded.

Proof. Since P is unbounded, P has at least one unbounded channel. Without loss of generality, suppose channel Cl2 is unbounded. Since Cl2 is unbounded, there must exist an infinite execution sequence e = {ei, e2, . . . , e,} such that for any k > 0, there is a state reachable via a prefix of e such that ]c121 > K. Moreover, since each process Pi has no reachable sending cycles, each ei is composed of infinitely many sends and receives, and there can only be at most ]!$I -1 consecutive receives before a send in e’, where 1Si I is the number of states in Pi. As a result, there must be at least one such execution sequence along which P can proceed indefinitely, i.e. no unspecified reception can occur along this sequence, otherwise Cl2 will be bounded. Fix e = {e,, e2,. . . , e,} as such an execution sequence. Define a function f : [O..n - l] -+ N, N being the set of natural numbers, as follows: * . f(i)={

i+/Sn,(i,l)/

xf(i81)

t:iJS
Based on the preceding argument, for any K 2 0, there

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

reachable is a state S = (sI,s2, . . ..~.,C,l,C12,...,C,-In) via a prefix of e such that 1cl2 I=f(n 8 1) x K’, where K’ > K. If all other channels have more than K messages, we are done. Suppose not, starting from S, in the order from P2 to P,, each process Pi, i E [2..n], can receive ISi 1 xf(n 8 i) x K’ messages from channel Cioii, and as a result, send at least f(n Oj) messages to channel Ciioi. In the end, the protocol must arrive at a reachable state such that each channel should have at least K’ messages. Therefore, there is a reachable global state in which each channel length is greater than K, i.e. P is simultaneously unbounded. 0

Ifa

cyclic protocol P is simultaneously unbounded, then its F is infinite.

Lemma 3.5.

1185

Thus, V K > 0 3 K’ > K : Fp # 0. Since any state in F is of equal channel length, P is simultaneously unbounded. On the other hand, by Lemma 3.5, if P is simultaneously unbounded, then F is infinite. Cl Theorem 3.4. It is undecidable whether a cyclic protocol P has afinite F.

Proof. Since it is undecidable whether a D-cyclic protocol has a finite fair reachable state space [6], it follows that it is also undecidable whether a (general) cyclic protocol P has a finite F. 0 Theorem 3.5. Deadlock detection is decidable for 22.

Theorem 3.3. Given a cyclic protocol P. F isfinite t&rP is not simultaneously unbounded.

Proof. Given P E 22, we only need to show that each Let S= deadlock state is fair reachable. be a deadlock state. (SlrS2> . . . , s,, cnl, c12,. . . , c,_ In) Suppose S 4 F. Let {ei, e2,. . . , e,} be a local exytiy ,..., s,,c,l, sequence set of S and fp=($,$ of S w.r.t fp ) be the fair precursor ... >Cn-ln ,e,}. Denote A = {i ]ei(fp) = A} and f3 = {el,e2,... {i ]ei(fp) # A}. By Lemma 3.3, fp # S implies that A # 0 and t3 # 0. Hence we can find an i such that i 8 1 E B and i E A. By definition, we have ST = Si and thus is a receiving local state of Pi in fp. Moreover, since the length of channel Cioii cannot be decreased from fp to S, we must have lc~oul = 0, i.e. fp is of equal channel length zero. Let eio 1(fp) be the transition associated with eioi in state fp. Then eioi( fp) is either executable or enabled in fp, since otherwise fp cannot be extended along the remaining transitions in {eh 1h E I?} to reach S. Since no fair progress vector can be derived from those transitions in {eh( fp) Ih E Z3}, et@ 1(fp) cannot be a transition enabled by eio2( fp). Thus ei, I (fp) is executable in fp, i.e. eio I (fp) is either a sending transition or an internal transition. Suppose eioi( fp) is a sending transition, then the message sent to Pi via eioi( fp) will not be received in S since ei(fp) = A. As a result, S will not be a stable state. A contradiction. Hence eio 1(fp) must be an internal transition. Note that this result holds for any i E A such that i 8 1 E a. Now construct a vector z such that Vi E { l..n} : if (iEd)r\ ti = ei(fp) if i E B; ti E K’+(fP) (E++(fi) # 0); ti = X otherwise. Then ? E TV( fp). By definition of fp, no concurrency nor synchronization vector can be derived from 5 Let u’ be the vector such that Vi E { 1;. n} : Ui = ti if ti 6 p(si); Ui = X otherwise. Then ii # X and thus is an internal vector in fp. A contradiction. Therefore, eio 1(fp) cannot be an internal transition either. In other words, eio 1(fp) must be X, which contradicts the fact that i 8 1 E B. As a result, we must have fp = S, i.e. S is fair reachable. Cl

Proof. Suppose F is infinite, then F = U rsOFk is infinite.

Lemma 3.6. Given S E F and a transition vector ii~~..~l,

Proof. We first show the following: if there is a reachable state S = (si, s2,. . . , s,, cnl, c12,. . .,C,-ln ) such that Vi E [l..n] :Iciiol 12 K for some constant K 2 0, then there exists a fair reachable state S’ = (S)l,.&,... 1s’n, c’1 ?I? 42,. . . ,c;_~,) such that Vi E [l..n] : I&

(2 K.

First, if S E F, then let S’ = S, we are done. Second, if K = 0, then let S’ = So, and we are done. Now suppose S$F and K > 0. Let eb {e,,e2,...,e,} be an execution sequence for S. Based on {ei, e2,. . . , e,}, we construct the partial fair execution sequence for S to get to fp, the fair precursor of S. Clearly, fp E F and is of equal channel length by Theorem 3.1. Suppose fp is of channel length K’. If K’ 2 K, then let S’ = fp, and we Lemma 3.3, Suppose not, by are done. 3 k E [l..n] : ek( fp) = A. Note that from state fp and on, the length of channel C,,,i cannot be increased with the execution of remaining transitions in e by other processes. Therefore, at the end of the execution of e, i.e. in state S, the length of channel C,,, 1 will be less than K, which contradicts the fact that every channel length in S is no less than K. Hence,fp must have channel length no less than K. In summary, we can find a fair reachable state whose channel length is no less than K. Now since P is simultaneously unbounded, V K L 0, there exists a K’ > K such that there is a reachable state S in which each channel length is no less than K’. As a result, there is a fair reachable state S’ whose channel length is no less than K’. Therefore, F is infinite. 0 Theorem 3.2. Given a cyclic protocol P with afinite F, P is unbounded tjZit has a reachable sending cycle.

Proof. Obviously, if P has a reachable sending cycle, then Suppose P is unbounded but does not have a reachable sending cycle. Then by Lemma 3.4, P is simultaneously unbounded. By Lemma 3.5, F is infinite. A contradiction. 0 P is unbounded.

1186

H. Liu, R.E. Miller/Computer Communications 19 (1996) 1175-1187

ti[i.,il is a pitv in S only if there is another S’ E F such that G[i..jlis a pitv in S’ and S’ is either a UnspeciJiedreception state, or an unbounded state, or an indefinite state. Proof. Let U’ii.,jl be the set of @v’s in S. Assume that $Ii,,j) E UTi,.jl. We construct a graph FRGi,,,jI such that the set of the nodes in the graph corresponds to the set of states fair reachable from S without progress in [i..j] and S is the initial node of the graph. Then we construct the quotient graph QFRGI~.,~~such that each node is a strongly connected component (SCC) in FRG li ,.jl. From graph theory, this graph is a directed acyclic graph (DAG). Each node in QFRGii..,I is denoted as IS’], where S’ is a state in that SCC. The initial node is denoted as [S]. Let TN be the set of terminal nodes in QFRG[i,,,). Observe that U[,,jI(S”) c U~~,,j1(S’) if S” is fair reachable from S’ without progress in [i..j]. Thus, Ub,,il(S”) = Ufi,,j](S’) if S’ and S” are in the same SCC of QFRGIi..jl. Hence, we can use the notation U[.J~([S’]) to represent the set of pitv’s in any state in [S’]. In addition, it is not difficult to show that Ufi_il(S) = n Is’lt=~Ufli,,jl([S’]). Since we assume Ub,,l(S) # 0, it follows that V [S’] E TN : UTi..j,([S’]) # 0. As a result, we only need to focus on those nodes in TN. Given a node [S’] E TN, there are two cases to consider: (1) [S’] contains only one state S’ but no outgoing edges. Then S is not a deadlock state but does not have any fair progress vector without progress in [i..j]_ In this case, we claim that S’ is an unspecified reception state. By definition, U’Ii,.jl(S’) # 8 implies that Vk E [i..j] : Ek(S’) # 0. Denote [i..j] as the complement interval of [i..j] w.r.t [l..n]. Suppose S’ is not an unspecified reception state, then Vk E [i..j] : Ek(S’)‘U Ekf+(S’) # 0. As a result, a fair progress vector can be derived from each z E TV(S’). Let z be a transition vector in TV(S’) such that Vk E [i..j] : uk = tk. Then a fair progress vector v’ can be derived from c such that Vk E [i..j] : vk = A. Hence v’is a fair progress V&Or in S’ without progress in [L-j]. A contradiction. Therefore, S’ is a unspecified reception state. (2) There is a fair execution cycle (i.e. a cycle in the corresponding SCC in FRG[i,,j)) among states in IS’]. Then S’ is in a fair execution cycle fc without progress in [i..j]. If S’ is in an internal cycle, then S’ is an indefinite state. Suppose not, we want to show that S’ is in a sending cycle. Let {e’i, eh, . . . , eb} be the corresponding local execution sequence set from S’ to S’. Then Vk E [i..j] : e;(S’) = A. Since lfcl# 0, there must be a nonempty interval [h..l] in S such that {i..j} n {h..l} = 0, Vk E [h..l] : e;(S’) # X, and ei,t(S’) = e;o,(S’) = X. Note that Vk E [h..I] : e; is a transition cycle (not necessarily elementary) in the state transition graph of Pk. We C&n

that ei is a sending cycle in Ph. Suppose not. Then there is at least one receiving transition in ei. Assume S is of channel length K. Then going through fc once will decrement the length of channel C,, rh by at least one. On the other hand, Phel is idle during the execution of fc. As a result, executing fc once will not lead the system back to S, contradicting the assumption that fc is a fair execution cycle. Therefore, e6 must be a sending cycle in Ph. As a result, S is a fair unbounded state. Therefore, tili..jl is a pitv in S only if there is another S’ E F such that ii[i.,jl is a pitv in S’ and S’ is either a unspecified reception state, or an unbounded state, or an indefinite state. 0 Lemma 4.2. Every S” E MRk constraint of S’ w.r.t [l..k].

satisfies the channel

Proof. We prove the lemma by induction on 1, the number of maximal progress vectors w.r. t [ 1.. k] executed from S’ to S”. Basis: I = 0. Then S’ = S’. The lemma trivially holds. Induction: suppose the lemma holds for I = 1’ 2 0, we want to show for I = 1’ + 1. Let S”’ be the state reachable from S’ via the first I’ maximal progress vectors w-r-t [l.. k] and G be the last maximal progress vector in S” w.r.t [l..k]. Suppose wh,h E [l..k], is the executable transition in 1. Then S” is reachable from S”’ via the execution of wh_ By induction hypothesis, S”’ satisfies the channel constraint of S’ w.r.t [l .. k]. There are three cases to consider: (1) wn is an internal transition, then Icihbl I= c&+~; (2) wh is a receiving transition, then Ic&thl< Ic&tIh 1; (3) wh is sending transition, then we must have 1cyh@i I= 0, since otherwise Ph@I has an unspecified reception, which is not possible by construction. As a result, we have Icx, th )= 1. In all three cases, we have Ic iho, I< kfAx(Ic~h@l 1,I), i.e. S” also satisfies the channel constraint of S’ w.r.t [l..k] for l=l’+l. Hence S” satisfies the channel constraint of S’ w.r.t [l..k] for all 12 0. q Lemma 4.3. RSk is finite and each S”’ f RSk satisfies the fotlowing three conditions: (1) c:@,k 5 ck@& (2) VI E [k..n] : s:” = sl; and (3) V 1, k @ 1 5 I 5 n : I” Cl,11 = cl,ll. Proof. Note that each S”’ E RSk(S”) is maximal reachable from S” w.r.t [l..k]. By Lemma 4.2, S”’ satisfies the channel constraint of S” w.r.t [l.. k]. Thus RSk(Sf’) is finite for each S” E RSk’ I. Thus RSk is finite only if RSk@’ is finite. This is true since RS” is finite. By induction on n - k, it follows that RSk is also finite. We show the rest of the lemma by induction on Olh=n-kin. Basis: h = 0, i.e. k = n. In this case, RS” has only one state S’ if l?(S’, n) is true. The lemma trivially holds.

H. Liu, R.E. Miller/Computer

Communications

Induction: suppose the lemma holds for h = h’ 2 0 (k=n-h’); we want to show for h=h’+l (k= n - h’ - 1). By construction, S”’ E RSk implies that 3 S” E RSk@’ : (s” H;[,,,k]S”‘) A (&:,,, 5 c,@,k) A (8; = Sk) A (crk@l = ckkel). Hence, we immediately know that property (1) holds for h = h’ + 1. By induction hypothesis, we have V 1 E [k @ 1.. n] : sl =sl and VI, k@2 5 15 n: c;‘,~, = clell. Since each process Pt, I E [k CB1.. n], does not make progress from S” to S”‘, we also have VI E [k$ l..n] : ST = sI and VIE [k$2..n]:~&~t=ct,~~. By I’(S”,k), we have sr = Sk and c&o 1 = ckkeI. Therefore properties (2) and (3) are also true for h = h’ + 1. Therefore, properties (l)-(3) hold for all 0 5 h 5 n. 0

Lemma 4.5. Given a normal execution cycle %‘t, where Z = [i..j]. Then the following statements hold (1) I [i-j] I 2 2; (2) wi is a sending cycle; (3) %‘jis a receiving cycle; (4) Zf][i..j]] > 2, then Vh E [i$ l..j@ l] : %‘his a mixed cycle.

Proof. Assume i = j, then %i must have at least one sending transition or at least one receiving transition. If there is a sending transition, then Pi will send a message to channel Ciio 1. If there is a receiving transition, Pi will receive a message from channel Cioii. In both cases, going through Wi once will not return to the same state, which contradicts the fact that Wi is an execution cycle. Hence we must have i #j, i.e. I [i..j] I 2 2. By the same argument, %i must be a sending cycle since otherwise after traversing %I once, the length of channel Cio ii will be decreased by one. Similarly, %‘jmust be a receiving cycle since otherwise after traversing W1once, the length of channel Ciio 1 will be increased by one. Moreover, if I [i..j] I > 2, then %io 1 must have at least one receiving transition and Wjo, must have at least one sending transition. Using this argument inductively, we can show that each %?h,h E [i @ l..j 8 11, must have at least one sending transition and one receiving transition, i.e. it must be a mixed cycle. 0 Lemma 4.6. Given a normal execution cycle %?t, where Z = [i..j]. WI is reachable ty 3 S E R such that ‘ig, is a normal execution cycle of S and V h E [i CBl..j] : chelh

=

6.

Proof. Suppose W1is a normal execution cycle of a reachable state S’ = (sir &, . . . , s;, &, &, . . . , ck-l,J. Let Z = [i..j]. For each Ph, h E [i..j], we stipulate that Ph can only take on the transitions in ‘i9hin the following construction: Starting from S’, we let Pj, maximally progress along %j to get to a state S’ in which cselj = E. This is possible because ]cjo ij I is finite and %j is a receiving cycle in Pj. If ) [i..j] ]= 2, then we stop. Otherwise, from S’, we continue to let Pj maximally progress through %j until we reach a state Siel jel = E. This is also possible such that ciel ~02if31 7 ‘jelj since Jc,!,2joi I IS fimte, Wjoi is a mixed cycle in Pjel

19 (1996) 1175-1187

1187

(which contains at least one receiving transition), and %‘j is a receiving cycle in Pi. Inductively, we can eventually get to a state S in which c&u, = 6 for each h E [i $ l..j]. Since S is reachable from S’, it is also a reachable state. Furthermore, W1is also a normal execution cycle of S. 0

References [l] F.J. Lin, P.M. Chu and M.T. Liu, Protocol verification using reachability analysis: the state explosion problem and relief strategies, Proc. SIGCOMM, 1987, p. 126-135. [2] MC. Yuang, Survey of protocol verification techniques based on finite state machine models, Proc. NBS Computer Networking Symposium, 1988, pp. 164172. [3] D. Sidhu, A. Chung and T.P. Blumer, Experience with formal methods in protocol development, ACM SIGCOMM, Computer Connn. Rev., 21(2) (April 1991) 81-101. [4] J. Rubm and C.H. West, An improved protocol validation technique, Computer Networks & ISDN Systems, 6 (1982) 65-73. [5] M.G. Gouda and J.Y. Han, Protocol validation by fair progress state exploration, Computer Networks & ISDN Systems, 9 (1985) 353-361. [6] H. Liu and R.E. Miller, Generalized fair reachability analysis for cyclic protocols, ACM/IEEE Trans. Networking (accepted). [7] J. Pachl, Reachability problems for communicating finite state machines, Research Report, CS-82-12, Department of Computer Science, University of Waterloo, May 1982. [8] M.G. Gouda and Y.T. Yu, Protocol validation by maximal progress state exploration, IEEE Trans. Comm., COM-32(l) (1984) 94-97. [9] L. Cacciari and 0. Rafiq, On improving reduced reachability analysis, In M. Diaz and R. Groz (eds.), FORTE ‘92, 1992, pp. 137-152. [lo] L. Cacciari and 0. Rafiq, De&lability issues in reduced reachability analysis. Proc. International Conference on Network Protocols (0&93), San Francisco, CA, October 19-22 1993, pp. 158-165. [ill H. Liu and R.E. Miller, Generalized fair reachability analysis for cyclic protocols with non-deterministic and internal transitions, Proc. International Conference on Network Protocols (ICNP’95), Tokyo, Japan, November 7-10 1995, pp. 6-13. WI H. Liu and R.E. Miller, Reachability problems for cyclic protocols, Proc. 4th International Conference on Computer Comrnunications and Networks (IC3N’95), Las Vegas, NV, September 20-24 1995, pp. 32-39. ]131 H. Liu and R.E. Miller, An approach to cyclic protocol validation. Technical Report, to appear. ]141 D. Brand and P. Zafiropulo, On communicating finite-state machines, J. ACM, 30(2) (April 1983) 323-342. ]151 M.G. Gouda and C.K. Chang, Proving liveness for networks of communicating finite state machines, ACM Trans. Programming Languages and Systems, 8(l) (January 1986) 154-182. 1161M.G. Gouda, C.H. Chow and S.S. Lam, Livelock detection in networks of communicating finite state machines, Technical Report, TR-84-10, Department of Computer Science, University of Texas at Austin, April 1984. ]171 M.G. Gouda, C.H. Chow and S.S. Lam, On the decidability of livelock detection in networks of communicating flnite state machines, In Y. Yemini, R. Strom and S. Yemini (Eds.), PSTV, 1985, pp. 47-56. 1181H. Liu, R.E. Miller, H.v.d. Schoot and H. Ural, Deadlock detection via fair reachability analysis: from cyclic protocols to multicyclic protocols (and beyond?), in preparation.