An improved protocol validation technique for a class of communication models


INFORMATION SCIENCES 39, 299-310 (1986)

SI-YEONG HWANG and JUNG WAN CHO

Department of Computer Science, Korea Advanced Institute of Science and Technology, P. O. Box 150, Cheongryang-ri, Seoul, 131, Korea

ABSTRACT

The topology of a communication network is often represented by a directed labeled graph in which there exists one and only one elementary path from one node to any other node, where nodes and arcs in the graph represent the processes in the communication network and the links between the processes, respectively. In this paper, we propose an algorithm for the validation of the protocols, represented by N (N > 2) communicating finite state machines, in the restricted class of the communication networks with such topology. The algorithm can detect deadlocks and unspecified receptions, and saves time and/or storage in comparison with the conventional perturbation technique.

I. INTRODUCTION

The applicability of a protocol validation technique depends on the characteristics of the protocol, on the model used to specify the protocol, and on the properties to be validated [1]. The topology of a communication network can be represented by a directed labeled graph. In this graph, a node represents a process in the communication network, and an arc represents a link which allows the transmission of a message from the process represented by the starting node of the arc to the process represented by the final node of the arc. As investigated by Merlin [1], the topology of a communication network is one of the important characteristics of the protocol, but the increase in its complexity precludes the applicability of a protocol validation technique in general. In this paper, we consider a restricted class of communication networks such that there exists only one elementary path, i.e., only one sequence of arcs which does not traverse the same node more than once, from one node to any other in the topology of each of the communication networks. In practice, there are a lot of applications for this restricted class of communication networks. For example, any hierarchical network or any unidirectional ring network belongs to this class of communication networks. Moreover, the decentralized networks composed of some of the hierarchical networks and unidirectional ring networks also belong to this class. In this paper, we propose an algorithm for the validation of protocols [protocols are represented by N (N > 2) communicating finite state machines] in such a restricted class of communication networks. The motivation for the development of such a validation algorithm is to reduce the execution time and storage required by the conventional state exploration (i.e., the perturbation technique). Although some efficient state explorations have been proposed [2, 3], they are applicable only to protocols represented by two finite state machines. The validation algorithm proposed in this paper is based on another variation of state exploration, which is applicable to protocols represented by not only two but also more than two finite state machines. The validation algorithm can detect deadlocks and unspecified receptions, but it cannot always detect all the overflows.

© Elsevier Science Publishing Co., Inc. 1986, 52 Vanderbilt Ave., New York, NY 10017. 0020-0255/86/$03.50

II. N COMMUNICATING FINITE-STATE MACHINES

DEFINITION 1. A communicating finite-state machine (FSM) can be represented by a directed labeled graph where
(i) nodes are referred to as states;
(ii) each of the arcs is labeled $t_{xy}$, and is referred to as a sending arc if $t$ is a negative integer, and as a receiving arc otherwise, where the absolute value $|t|$ of $t$ is a positive integer called a message, and $x$ and $y$ are distinct positive integers from 1 to $N$; and
(iii) one of the states is identified as the initial state, and all the states in the FSM are reachable by directed paths from the initial state.

It is assumed that there are $N$ nodes $n_1, n_2, \ldots, n_N$ represented by $N$ FSMs $F_1, F_2, \ldots, F_N$, respectively, in the topology of the communication network, and the subscript $x$ of an arc labeled $t_{xy}$ means that the arc is in $F_x$. The following definitions within this section are similar to those in [4].

DEFINITION 2. A global state of $F_1, \ldots, F_N$ is a pair $(S, M)$ where (i) $S$ is a 1-by-$N$ matrix $[s_i]$, where $s_i$ is a state in $F_i$ for $1 \le i \le N$, and (ii) $M$ is an $N$-by-$N$ matrix $[m_{ij}]$, where $m_{ij}$ is a string of messages such that $L(m_{ij}) \le K_{ij}$, where $L(m_{ij})$ represents the length of the string $m_{ij}$, and $K_{ij}$ is a positive integer called the channel capacity from $F_i$ to $F_j$.

It is also assumed that all the channel capacities in the set $X$ are the same, where $X$ is a set of channel capacities such that $\{(i, j) \mid K_{ij} \in X\}$ is circular (circular sets are defined in Definition 5 in Section III). A global state $([s_i],[m_{ij}])$ is called the initial global state iff $s_i$ is the initial state of $F_i$ and $m_{ij}$ is an empty string (i.e., the channel from $F_i$ to $F_j$ is empty) for $1 \le i, j \le N$.

DEFINITION 3. Let $g = ([s_i],[m_{ij}])$ be a global state and $e$ be an arc from state $s_x$ labeled $t_{xy}$. Then a global state $g'$ is said to follow $g$ over $e$, denoted by $g \xrightarrow{e} g'$, iff the following two conditions are satisfied:
(i) if $e$ is a sending arc from $s_x$ to $s'_x$ in $F_x$, then $L(m_{xy}) < K_{xy}$, and $g' = ([a_i],[b_{ij}])$, where $[a_i] = [s_i]$ except that $a_x = s'_x$, and $[b_{ij}] = [m_{ij}]$ except that $b_{xy} = m_{xy} \cdot |t|$, where $\cdot$ is the concatenation operator; and
(ii) if $e$ is a receiving arc from $s_x$ to $s'_x$ in $F_x$, then $g' = ([a_i],[b_{ij}])$, where $[a_i] = [s_i]$ except that $a_x = s'_x$, and $[b_{ij}] = [m_{ij}]$ except that $m_{yx} = t \cdot b_{yx}$.

DEFINITION 4. A global state $g$ is called reachable iff $g = g_0$ or there exists a sequence of global states $g_1, g_2, \ldots, g_k$ such that $g = g_k$ and, for $1 \le i \le k$, $g_{i-1} \xrightarrow{e_i} g_i$ for some arc $e_i$, where $g_0$ is the initial global state.

The perturbation technique explores all the reachable global states, but in Section III, we propose another variation of state exploration.

III. CIRCULAR EXPLORATION

DEFINITION 5. Let $I$ be a finite set of pairs of positive integers. Then $I$ is called circular if there exists an ordering $((i_1, j_1), (i_2, j_2), \ldots, (i_n, j_n))$ of the $n$ elements of $I$ such that (i) $i_1 = j_n$, and (ii) $i_{r+1} = j_r$ for $1 \le r < n$. For example, $\{(1,3),(3,4),(4,1)\}$ is circular.

DEFINITION 6. A finite set $C$ of arcs is called a circular group iff the set $\{(x, y) \mid \text{there exists an arc labeled } t_{xy} \text{ in } C\}$ is circular.

If all the arcs in a circular group are sending (or receiving) arcs, then the circular group is called a sending (or receiving) circular group; otherwise, it is called a mixed circular group. For example, $\{-1_{13}, -2_{34}, -3_{41}\}$ and $\{+3_{14}, +1_{31}, +2_{43}\}$ are a sending circular group and a receiving circular group, respectively, and a two-element set consisting of a sending arc of $F_x$ to $F_y$ and a receiving arc of $F_y$ from $F_x$ is a mixed circular group.

DEFINITION 7. Let $g = ([s_i],[m_{ij}])$ and $g'$ be two global states, and let $c$ be a circular group consisting of arcs from $s_1$ or $s_2$ or $\ldots$ or $s_N$. Then $g'$ is said to circularly follow $g$ over $c$, denoted by $g \overset{c}{\Rightarrow} g'$, iff there exists a sequence of arcs $e_1, \ldots, e_k$, where $e_i \in c$ for $1 \le i \le k$ and $k$ is the number of elements in $c$, such that
$$g \xrightarrow{e_1} g_1 \xrightarrow{e_2} g_2 \xrightarrow{e_3} \cdots \xrightarrow{e_{k-1}} g_{k-1} \xrightarrow{e_k} g'$$
for some global states $g_1, \ldots, g_{k-1}$.

DEFINITION 8. A global state $g$ is called circularly reachable iff $g = g_0$ or there exists a sequence of global states $g_1, \ldots, g_k$ such that $g = g_k$ and, for $1 \le i \le k$, $g_{i-1} \overset{c_i}{\Rightarrow} g_i$ for some circular group $c_i$, where $g_0$ is the initial global state.

The validation technique proposed in this paper explores all the circularly reachable global states rather than all the reachable global states. This exploration is called the circular exploration. In Section IV, an algorithm is proposed to validate a protocol using the circular exploration.
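To make Definitions 3, 5 and 7 and the two explorations concrete, here is an added Python example (not code from the paper) on a constructed three-FSM token ring: it computes the follow relation, enumerates circular groups, and returns the sets of reachable and of circularly reachable global states so their sizes can be compared. FSMs and states are 0-indexed, and a circular group is assumed to contain at most one arc per FSM.

```python
from itertools import combinations, permutations
# Constructed example, not the paper's Figure 1: F_1, F_2, F_3 on the unidirectional ring
# 1 -> 2 -> 3 -> 1 passing one token. Arcs are (src, (t, x, y), dst), 0-indexed: t < 0 sends
# |t| on channel x->y, t > 0 receives t from channel y->x (Definition 1). A global state is
# ([s_i], frozenset of ((x, y), msgs)) with empty channels omitted (Definition 2).
RING = [
    {"init": 0, "arcs": [(0, (-1, 0, 1), 1), (1, (+1, 0, 2), 0)]},   # F_1
    {"init": 0, "arcs": [(0, (+1, 1, 0), 1), (1, (-1, 1, 2), 0)]},   # F_2
    {"init": 0, "arcs": [(0, (+1, 2, 1), 1), (1, (-1, 2, 0), 0)]},   # F_3
]
K = {(0, 1): 1, (1, 2): 1, (2, 0): 1}        # channel capacities K_xy, all equal

def initial(fsms):                                       # the initial global state
    return (tuple(f["init"] for f in fsms), frozenset())

def follow(g, e, K):
    """Return g' with g ->e g' (Definition 3), or None if e is not enabled in g."""
    s, m = g
    src, (t, x, y), dst = e
    if s[x] != src:
        return None
    chans = dict(m)
    if t < 0:                                            # send: b_xy = m_xy . |t|
        if len(chans.get((x, y), ())) >= K[(x, y)]:      # requires L(m_xy) < K_xy
            return None
        chans[(x, y)] = chans.get((x, y), ()) + (-t,)
    else:                                                # receive: m_yx = t . b_yx
        q = chans.get((y, x), ())
        if not q or q[0] != t:
            return None
        chans[(y, x)] = q[1:]
    s2 = list(s); s2[x] = dst
    return (tuple(s2), frozenset((c, q) for c, q in chans.items() if q))

def arcs_from(g, fsms):                                  # arcs leaving the current s_i's
    return [e for x, f in enumerate(fsms) for e in f["arcs"] if e[0] == g[0][x]]

def followers(g, fsms, K):                               # perturbation step: g ->e g'
    return {h for h in (follow(g, e, K) for e in arcs_from(g, fsms)) if h is not None}

def is_circular(pairs):
    """Definition 5: some ordering has i_1 = j_n and i_{r+1} = j_r for all r."""
    return any(o[0][0] == o[-1][1] and all(o[r + 1][0] == o[r][1] for r in range(len(o) - 1))
               for o in permutations(pairs))

def circular_followers(g, fsms, K):
    """g' with g =>c g' over a circular group c of at most one arc per FSM (assumption); Definitions 6, 7."""
    arcs, out = arcs_from(g, fsms), set()
    for k in range(1, len(arcs) + 1):
        for c in combinations(arcs, k):
            if len({e[1][1] for e in c}) < k or not is_circular([e[1][1:] for e in c]):
                continue
            for seq in permutations(c):                  # fire all k arcs, any working order
                h = g
                for e in seq:
                    h = follow(h, e, K) if h is not None else None
                if h is not None:
                    out.add(h)
    return out

def explore(fsms, K, step):
    """Steps 1, 2 and 4-6 of Algorithm 1 (the error check of step 3 is left out): closure of
    the initial global state under `step` (perturbation: `followers`; circular: `circular_followers`)."""
    seen, todo = {initial(fsms)}, [initial(fsms)]
    while todo:
        for h in step(todo.pop(), fsms, K):
            if h not in seen:
                seen.add(h); todo.append(h)
    return seen
```

On this ring the perturbation technique visits 6 global states and the circular exploration only the 3 in which every channel is empty, the single-message states in between not being circularly reachable.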

IV. PROTOCOL VALIDATION ALGORITHM

DEFINITION 9. For a circularly reachable global state $g = ([s_i],[m_{ij}])$, we define the following three types of errors:
(a) Type-1 error: All the arcs from state $s_i$ are receiving arcs for $1 \le i \le N$, and all $m_{ij}$'s are empty strings.
(b) Type-2 error: There exists a nonempty string $m_{xy}$ or a sending arc from $s_x$ labeled $t_{xy}$, but for all arcs $e$ from $s_y$, $e$ is a receiving arc which satisfies one of the following three conditions: (i) $t'$ is not equal to the first message of the nonempty string $m_{xy}$, (ii) there does not exist a sending arc from $s_x$ labeled $t''_{xy}$ such that $m_{xy}$ is an empty string and $t' = -t''$, and (iii) $m_{xy}$ is an empty string, $r = x$, and $t' \ne -t$, where $t'_{yr}$ is the label of $e$.
(c) Type-3 error: There exists a sending arc from $s_x$ labeled $t_{xy}$, but $L(m_{xy}) \ge K_{xy}$.


Algorithm 1 below presents the protocol validation procedure using circular exploration. For the convenience of writing the validation algorithm, we define a follower of a global state $g$ as a global state which circularly follows $g$ over $c$, for some circular group $c$.

ALGORITHM 1 (Algorithm for protocol validation by the circular exploration).

Step 1. Let $G$ be a set of circularly reachable global states, initially containing only the initial global state.
Step 2. Find an element $g$ of $G$ whose followers have not been determined. If no such element exists, terminate the algorithm, as the validation is completed.
Step 3. Check whether or not $g$ contains some types of errors (report the types of errors, if they exist).
Step 4. Calculate the set $G_g$ of global states consisting of all the followers of $g$.
Step 5. Add all the elements of $G_g$ which are not already in $G$ to the set $G$.
Step 6. Repeat from step 2.
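Definition 9 as runnable checks, i.e. step 3 of Algorithm 1, is shown by the following added Python example (not the paper's code) on constructed global states of a token-ring protocol and of three faulty variants of it. The type-2 check follows a simplified reading of Definition 9(b) (F_y has only receiving arcs, at least one, and none of them receives the pending or about-to-be-sent message from F_x); FSMs and states are 0-indexed.

```python
# Added example, not the paper's code: the three error types of Definition 9, i.e. the
# check of step 3 of Algorithm 1, on constructed global states. Same notation as the
# paper, 0-indexed: an arc (src, (t, x, y), dst) of F_x sends |t| on channel x->y when
# t < 0 and receives t from channel y->x when t > 0; a global state is
# ([s_i], {(x, y): tuple of messages}) with empty channels left out of the dict.

def arcs_from(fsms, g, i):
    """Arcs leaving the current local state s_i of F_i."""
    return [e for e in fsms[i]["arcs"] if e[0] == g[0][i]]

def errors(g, fsms, K):
    """Return the set of Definition 9 error types (1, 2, 3) present in g."""
    s, m = g
    N, found = len(fsms), set()
    # Type-1: every FSM can only receive and every channel is empty (a deadlock).
    if not m and all(all(e[1][0] > 0 for e in arcs_from(fsms, g, i)) for i in range(N)):
        found.add(1)
    for x in range(N):
        for y in range(N):
            if x == y:
                continue
            sends = [e for e in arcs_from(fsms, g, x) if e[1][0] < 0 and e[1][2] == y]
            # The message F_y would have to take from F_x next: the head of m_xy, or
            # (channel empty) the message of a sending arc of F_x into that channel.
            pending = {m[(x, y)][0]} if m.get((x, y)) else {-e[1][0] for e in sends}
            ys = arcs_from(fsms, g, y)
            # Type-2, simplified reading of Definition 9(b): F_y has only receiving
            # arcs (assumed: at least one) and none of them receives that message from F_x.
            if pending and ys and all(e[1][0] > 0 for e in ys) and any(
                    not any(e[1][2] == x and e[1][0] == t for e in ys) for t in pending):
                found.add(2)
            # Type-3: a sending arc of F_x on x->y although L(m_xy) >= K_xy already.
            if sends and len(m.get((x, y), ())) >= K[(x, y)]:
                found.add(3)
    return found

# Constructed token ring 1 -> 2 -> 3 -> 1 (correct version) and three faulty variants.
RING = [
    {"arcs": [(0, (-1, 0, 1), 1), (1, (+1, 0, 2), 0)]},   # F_1
    {"arcs": [(0, (+1, 1, 0), 1), (1, (-1, 1, 2), 0)]},   # F_2
    {"arcs": [(0, (+1, 2, 1), 1), (1, (-1, 2, 0), 0)]},   # F_3
]
K = {(0, 1): 1, (1, 2): 1, (2, 0): 1}
# F_3 waits for a message 2 that nobody sends instead of passing the token on.
DEADLOCKING = RING[:2] + [{"arcs": [(0, (+1, 2, 1), 1), (1, (+2, 2, 1), 0)]}]
# F_1 sends message 2, which F_2 in its initial state cannot receive.
UNSPECIFIED = [{"arcs": [(0, (-2, 0, 1), 1), (1, (+1, 0, 2), 0)]}] + RING[1:]
# F_1 sends twice in a row although the channel 1->2 has capacity one.
OVERFLOWING = [{"arcs": [(0, (-1, 0, 1), 1), (1, (-1, 0, 1), 2)]}] + RING[1:]

def demo():
    """Error types found in one characteristic global state of each protocol."""
    return {
        "ring":        errors(((1, 0, 1), {}), RING, K),
        "deadlock":    errors(((1, 0, 1), {}), DEADLOCKING, K),
        "unspecified": errors(((1, 0, 0), {(0, 1): (2,)}), UNSPECIFIED, K),
        "overflow":    errors(((1, 0, 0), {(0, 1): (1,)}), OVERFLOWING, K),
    }
```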

THEOREM 1. Algorithm 1 always terminates.

Proof. Since the set of states and the set of arcs in the FSM are finite, and the capacities of all channels are also finite, the set of circularly reachable global states must be finite. Therefore the only case that would not terminate is the sequence involving a loop. But this sequence cannot be repeated, since each of the created circularly reachable global states is checked against all of the previously generated circularly reachable global states. Thus the algorithm will terminate.

Theorem 2 and Theorem 3 below show that Algorithm 1 can detect deadlocks and unspecified receptions. The exact definitions of these two types of errors are in [5].

LEMMA 1. A mixed circular group consists of only two arcs: a sending arc and a receiving arc.

Proof. Let $c$ be a mixed circular group with $k$ elements $e_1, \ldots, e_k$, and let, for $1 \le i \le k$, $(x_i, y_i)$ be the subscript pair of the label of $e_i$. Assume $k \ge 3$. Then, since $c$ is a mixed circular group with more than two elements, there are two arcs $e_i$ and $e_j$ in $c$ such that (i) $e_i$ and $e_j$ are a sending arc and a receiving arc, respectively, (ii) $y_i = x_j$, and (iii) $x_i \ne y_j$. This implies that there are two distinct elementary paths $p_1$ and $p_2$, consisting only of the arc from $n_{x_i}$ to $n_{y_i}$ and of the arc from $n_{y_j}$ to $n_{x_j}$, respectively, in the topology of the communication network. Since, by the characteristics of the topology, there is an elementary path $p$ from $n_{x_i}$ to $n_{y_j}$, there are two elementary paths from $n_{x_i}$ to $n_{x_j}$: the path $p_1$, and one via $n_{y_j}$ (i.e., the concatenated path $p \cdot p_2$). This violates the characteristics of the topology. Thus $k \le 2$. This implies that, by definition of the mixed circular group, there are two arcs, a sending arc and a receiving arc, in $c$.

LEMMA 2. A circularly reachable global state is reachable.

Proof. Let $g$ and $g_0$ be a circularly reachable global state and the initial global state, respectively. Then, by Definitions 7 and 8, there exists a sequence of global states $g_1, g_2, \ldots, g_k$ such that $g = g_k$ and, for $1 \le i \le k$, $g_{i-1} \xrightarrow{e_i} g_i$ for some arc $e_i$. Thus, by Definition 4, $g$ is reachable.

THEOREM 2. There is a deadlock in a protocol iff Algorithm 1 detects a type-1 error from the protocol.

Proof. "If" part: Since the definitions of deadlock and type-1 error are equivalent, the "if" part can be proven by showing that a reachable deadlock state is circularly reachable. Let $d = ([s_i],[m_{ij}])$ be a reachable deadlock state. Then, by Definitions 4 and 9, the $m_{ij}$'s are empty strings and there exists a sequence of arcs $S = e_1, e_2, \ldots, e_n$ such that
$$g_0 \xrightarrow{e_1} g_1 \xrightarrow{e_2} g_2 \xrightarrow{e_3} \cdots \xrightarrow{e_n} g_n$$
for some global states $g_1, g_2, \ldots, g_{n-1}$, where $g_0$ is the initial global state and $g_n = d$. Let, for $1 \le i \le N$, $S_i(0)$ be the sequence of arcs generated from $S$ by eliminating all the arcs in $S$ which are not in $F_i$. Then without loss of generality, we can assume that there are $r$ nonempty sequences $S_1(0), S_2(0), \ldots, S_r(0)$. Let, for $1 \le i \le r$, $e_i(0)$ be the first arc of $S_i(0)$ and $(x_i(0), y_i(0))$ be the subscript pair of the label of $e_i(0)$ [obviously, $x_i(0) = i$]. Since, for $1 \le i \le r$, (i) all $x_i(0)$'s are distinct, (ii) $x_i(0) \ne y_i(0)$, and (iii) for $y_i(0)$ there exists $x_j(0)$ such that $y_i(0) = x_j(0)$ (otherwise, the $m_{ij}$'s could not be empty strings), we can get a circular group $c_1 = \{e_{1,1}, e_{1,2}, \ldots, e_{1,k_1}\}$ such that $e_{1,j}$ is one of the $e_i(0)$'s for $1 \le j \le k_1$. Since all the channels of $g_0$ are empty and $d$ is reachable, there exists a global state $g'_1 = ([s(1)_i],[m(1)_{ij}])$ such that $g_0 \overset{c_1}{\Rightarrow} g'_1$. Let, for $1 \le i \le r$,
(i) $S_i(1)$ be the sequence of arcs which is equal to $S_i(0)$ except that, if $e_i(0)$ is in $c_1$, the first arc $e_i(0)$ of $S_i(0)$ is deleted in $S_i(1)$, and
(ii) $e_i(1)$ be the first arc of $S_i(1)$.
And let, for $1 \le i \le r$, $(x_i(1), y_i(1))$ be the subscript pair of the label of $e_i(1)$ [obviously, $x_i(1) = i$].

If there exists an empty sequence $S_u(1)$, then $m(1)_{iu}$ is an empty string for $1 \le i \le N$ (otherwise, the $m_{iu}$'s could not be empty strings), and $y_i(1) \ne u$ for $1 \le i \le r$. Thus, for $1 \le i \le r$, the $e_i(1)$'s satisfy the same three conditions as the $e_i(0)$'s, and in the same way we can get a circular group $c_2 = \{e_{2,1}, e_{2,2}, \ldots, e_{2,k_2}\}$. Assume that there does not exist a global state $g'_2$ such that $g'_1 \overset{c_2}{\Rightarrow} g'_2$. First, suppose $c_2$ is a sending circular group. Then there exists an arc with type-3 error in $c_2$. This implies that all the arcs in $c_2$ are sending arcs with type-3 error, since (i) all $L(m(1)_{x_i y_i})$'s are the same (since $g'_1$ is circularly reachable), (ii) all $K_{x_i y_i}$'s are also the same, and (iii) all the arcs in $c_2$ are sending arcs, where $(x_i, y_i)$ is the subscript pair of the label of $e_{2,i}$ for $1 \le i \le k_2$. This also implies that $d$ is not reachable. Next, suppose $c_2$ is a receiving circular group. Then there exists a receiving arc labeled $t_{xy}$ in $c_2$ such that the first message of $m(1)_{yx}$ is not $t$ or $m(1)_{yx}$ is an empty string. If the first message of $m(1)_{yx}$ is not $t$, then, obviously, $d$ is not reachable. If $m(1)_{yx}$ is an empty string, then $d$ also cannot be reachable, since (i) all $m(1)_{y_i x_i}$'s are empty strings (since $m(1)_{yx}$ is an empty string and all $L(m(1)_{y_i x_i})$'s are the same), and (ii) all the arcs in $c_2$ are receiving arcs. Finally, suppose $c_2$ is a mixed circular group, and let $t_{xy}$ and $t'_{yx}$ be the labels of the sending arc and the receiving arc in $c_2$, respectively (by Lemma 1, there are only these two arcs in $c_2$). Then the first message of the nonempty string $m(1)_{xy}$ is not $t'$, or $m(1)_{xy}$ is an empty string and $-t \ne t'$. This also implies that $d$ is not reachable. We have shown that, for all cases of $c_2$, $d$ is not reachable, which is a contradiction. Thus there exists a global state $g'_2$ such that $g'_1 \overset{c_2}{\Rightarrow} g'_2$. Similarly, for $j \ge 3$, we can get the circular group $c_j$ such that $g'_{j-1} \overset{c_j}{\Rightarrow} g'_j$, if there exists a nonempty sequence of arcs $S_i(j-1)$. This implies that there exists $k$ such that
$$g_0 \overset{c_1}{\Rightarrow} g'_1 \overset{c_2}{\Rightarrow} g'_2 \overset{c_3}{\Rightarrow} \cdots \overset{c_k}{\Rightarrow} g'_k, \quad \text{where } g'_k = d.$$
Thus $d$ is circularly reachable.

"Only if" part: Since the definitions of deadlock and type-1 error are equivalent and, by Lemma 2, every circularly reachable global state is reachable, there exists a deadlock if Algorithm 1 detects a type-1 error.

THEOREM 3. There exists an unspecified reception in a protocol iff Algorithm 1 detects a type-2 error from the protocol.


Proof. "If" part: Let $g = ([s_i],[m_{ij}])$ be a reachable global state with an unspecified reception. Then there exists a string $m_{xy}$ whose first message will not be received. Assume that no reachable global state $g' = ([s'_i],[m'_{ij}])$ with $[s'_i] = [s_i]$ and a corresponding $[m'_{ij}]$ is circularly reachable. Then there exists a circularly reachable global state $g_c = ([s(c)_i],[m(c)_{ij}])$ such that (i) there exists a sequence of arcs $S = e_1, e_2, \ldots, e_n$ such that
$$g_c \xrightarrow{e_1} g_1 \xrightarrow{e_2} g_2 \xrightarrow{e_3} \cdots \xrightarrow{e_n} g'$$
for some global states $g_1, \ldots, g_{n-1}$, and (ii) for every circular group $c_z$ such that at least one of the two arcs $e_x$ and $e_y$ is in $c_z$, and any arc from $s(c)_x$ [or $s(c)_y$] is not in the sequence $S$ if $e_x$ [or $e_y$] is not in $c_z$, where $e_x$ [or $e_y$] is the first arc of $S$ which is an arc from $s(c)_x$ [or $s(c)_y$], there does not exist a global state $g_z$ such that $g_c \overset{c_z}{\Rightarrow} g_z$. This implies that there is either type-1 error or type-2 error in $g_c$, or else every circular group $c_z$ is a sending circular group which contains an arc with type-3 error. Since $g'$ is reachable, there may not exist type-1 error in $g_c$. Since, for all $(i, j)$'s in the set $\{(i, j) \mid \text{there exists an arc labeled } t_{ij} \text{ in } c_z \text{ for some } t\}$, (i) the $L(m(c)_{ij})$'s are the same (since $g_c$ is circularly reachable), (ii) all $K_{ij}$'s are also the same, and (iii) all the arcs in $c_z$ are sending arcs and one of them causes a type-3 error, all the arcs in $c_z$ are sending arcs with type-3 error. This implies that $g'$ is not reachable, which is a contradiction. Thus there exists a type-2 error in $g_c$ or there exists such a circularly reachable global state $g'$. Obviously, there is a type-2 error in such a circularly reachable global state $g'$. Thus Algorithm 1 detects type-2 error.

"Only if" part: The "only if" part is true because, by Lemma 2, every circularly reachable global state is reachable and, obviously, there is an unspecified reception in a circularly reachable global state if there is a type-2 error in the circularly reachable global state.

As well as type-1 and type-2 errors, the type-3 error also contributes to the validation of a protocol; there is an overflow in a protocol if Algorithm 1 detects type-3 error from the protocol. The definition of overflow error is also in [5].

V. THE IMPROVEMENTS

Since the complexity of a protocol validation technique based on the state exploration greatly depends on the size of the system interaction domain [5], i.e., the number of states to be explored, let us show that the protocol validation technique proposed in this paper, i.e., Algorithm 1, is much more efficient than the conventional perturbation technique in time and/or storage, by comparing the numbers of global states generated by these two techniques. The number of global states generated by Algorithm 1, i.e., the number of circularly reachable global states, is not greater than the number generated by the perturbation technique, i.e., the number of reachable global states. This is because, by Lemma 2, every circularly reachable global state is reachable. Consider the protocol represented by the five FSMs $F_1, \ldots, F_5$, shown in Figure 1(b), of the communication network with the topology shown in Figure 1(a), and assume that each channel of the communication network has a capacity of one. As shown in Figure 1(c) (for convenience, all the strings of messages in each global state are omitted), Algorithm 1 generates 25 global states to validate the protocol, but the perturbation technique generates 302 states to obtain the same validation result (because it is difficult to draw, the reachability tree generated by the perturbation technique is not shown in this paper). Thus Algorithm 1 can reduce the execution time by a factor of about 12.1. Also, since the number of distinct states in Figure 1(c) is 23, compared with 148 distinct states generated by the perturbation technique, Algorithm 1 can reduce the storage by a factor of about 6.4.

Fig. 1. An example: (a) Topology of the communication network. (b) $F_1$, $F_2$, $F_3$, $F_4$, and $F_5$. (c) Validation result by Algorithm 1 (the figure marks a Type-1 error and a Type-2 error).

Now let us find the two maximal bounds $B_P$ and $B_C$ of the numbers of the global states that can be generated by the perturbation technique and by Algorithm 1, respectively. Let all the channels of the communication network be represented as
$$c(x_{1,1}, y_{1,1}), c(x_{1,2}, y_{1,2}), \ldots, c(x_{1,k_1}, y_{1,k_1}), c(x_{2,1}, y_{2,1}), \ldots, c(x_{2,k_2}, y_{2,k_2}), \ldots, c(x_{r,1}, y_{r,1}), \ldots, c(x_{r,k_r}, y_{r,k_r}),$$
where for $1 \le i \le r$ and $1 \le j \le k_i$, (i) $x_{i,j}$ and $y_{i,j}$ are distinct integers from 1 to $N$, (ii) $c(x_{i,j}, y_{i,j})$ is the channel from $F_{x_{i,j}}$ to $F_{y_{i,j}}$, and (iii) $\{(x_{i,1}, y_{i,1}), (x_{i,2}, y_{i,2}), \ldots, (x_{i,k_i}, y_{i,k_i})\}$ is circular. Since the perturbation technique generates all the reachable global states, $B_P = n(S)\, n(M_P)$, where $n(S) = \prod_{i=1}^{N} f_i$, where $f_i$ is the number of states in $F_i$ for $1 \le i \le N$, and $n(M_P)$ is the number of elements in the set $\{[m_{x_{i,j} y_{i,j}}] \mid L(m_{x_{i,j} y_{i,j}}) \le K_{x_{i,j} y_{i,j}},\ 1 \le i \le r, \text{ and } 1 \le j \le k_i\}$, i.e.,
$$n(M_P) = \prod_{i=1}^{r} \prod_{j=1}^{k_i} \left(K_{x_{i,j} y_{i,j}} + 1\right). \qquad \text{(a)}$$
Since, for all circularly reachable global states $([s_i],[m_{ij}])$, $L(m_{x_{i,1} y_{i,1}}) = L(m_{x_{i,2} y_{i,2}}) = \cdots = L(m_{x_{i,k_i} y_{i,k_i}})$ for $1 \le i \le r$, we have $B_C = n(S)\, n(M_C)$, where $n(M_C)$ is the number of elements in the set $\{[m_{x_{i,j} y_{i,j}}] \mid L(m_{x_{i,1} y_{i,1}}) \le \min(K_{x_{i,1} y_{i,1}}, K_{x_{i,2} y_{i,2}}, \ldots, K_{x_{i,k_i} y_{i,k_i}}),\ L(m_{x_{i,1} y_{i,1}}) = L(m_{x_{i,2} y_{i,2}}) = \cdots = L(m_{x_{i,k_i} y_{i,k_i}}),\ 1 \le i \le r, \text{ and } 1 \le j \le k_i\}$. Since, for $1 \le i \le r$, $K_{x_{i,1} y_{i,1}} = K_{x_{i,2} y_{i,2}} = \cdots = K_{x_{i,k_i} y_{i,k_i}}$, we have
$$n(M_C) = \prod_{i=1}^{r} \left(K_{x_{i,1} y_{i,1}} + 1\right). \qquad \text{(b)}$$
From (a) and (b), we can say that $B_C \le B_P$, since $\prod_{i=1}^{r} (K_{x_{i,1} y_{i,1}} + 1) \le \prod_{i=1}^{r} \prod_{j=1}^{k_i} (K_{x_{i,j} y_{i,j}} + 1)$. As an example, for the communication network with the topology shown in Figure 1(a), $n(S) = 2 \times 2 \times 3 \times 2 \times 2 = 48$, $n(M_P) = 2^7 = 128$ (there are seven channels in the communication network), and $n(M_C) = 2^3 = 8$. Thus $B_P = 48 \times 128 = 6144$ and $B_C = 48 \times 8 = 384$.
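The bound computation of this section, as an added Python example (not the paper's code): it evaluates (a) and (b) from a channel list given as circular sets and also checks the unique-elementary-path restriction the paper places on the topology. The topology is constructed to have the same parameters the paper gives for Figure 1(a) (state counts 2, 2, 3, 2, 2; seven channels in three circular sets; every capacity one) and is not necessarily the paper's figure.

```python
from itertools import permutations
from math import prod

# Added example, not from the paper: the bounds B_P and B_C of Section V, computed from
# the channel list written as r circular sets c(x_{i,1}, y_{i,1}), ..., c(x_{i,k_i}, y_{i,k_i}),
# plus a check of the topology restriction (one elementary path between any two nodes).
# The topology below is constructed to match the parameters the paper gives for Figure
# 1(a) (five FSMs with 2, 2, 3, 2, 2 states, seven channels in three circular sets,
# every capacity one); it is not necessarily the paper's figure.
STATES = {1: 2, 2: 2, 3: 3, 4: 2, 5: 2}          # f_i = number of states of F_i
CIRCULAR_SETS = [
    [(1, 2), (2, 3), (3, 1)],                       # unidirectional ring 1 -> 2 -> 3 -> 1
    [(3, 4), (4, 3)],                               # 3 <-> 4
    [(4, 5), (5, 4)],                               # 4 <-> 5
]
K = {ch: 1 for cs in CIRCULAR_SETS for ch in cs}    # capacity of each channel c(x, y)

def is_circular(pairs):
    """Definition 5: some ordering has i_1 = j_n and i_{r+1} = j_r for all r."""
    return any(o[0][0] == o[-1][1] and all(o[r + 1][0] == o[r][1] for r in range(len(o) - 1))
               for o in permutations(pairs))

def count_elementary_paths(channels, u, v, seen=None):
    """Number of elementary (node-repetition-free) paths from node u to node v."""
    seen = (seen or set()) | {u}
    if u == v:
        return 1
    return sum(count_elementary_paths(channels, w, v, seen)
               for (a, w) in channels if a == u and w not in seen)

def in_restricted_class(channels):
    """The paper's topology class: exactly one elementary path from any node to any other."""
    nodes = {n for ch in channels for n in ch}
    return all(count_elementary_paths(channels, u, v) == 1
               for u in nodes for v in nodes if u != v)

def bounds(states, circular_sets, K):
    """Return (B_P, B_C) = (n(S) n(M_P), n(S) n(M_C)) from equations (a) and (b)."""
    for cs in circular_sets:                        # the assumptions behind (b)
        assert is_circular(cs) and len({K[ch] for ch in cs}) == 1
    n_S = prod(states.values())
    n_M_P = prod(K[ch] + 1 for cs in circular_sets for ch in cs)        # (a)
    n_M_C = prod(K[cs[0]] + 1 for cs in circular_sets)                   # (b)
    return n_S * n_M_P, n_S * n_M_C

if __name__ == "__main__":
    chans = [ch for cs in CIRCULAR_SETS for ch in cs]
    print(in_restricted_class(chans), bounds(STATES, CIRCULAR_SETS, K))   # True (6144, 384)
```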

309 network),

and n( MC) =

CONCLUSIONS

To reduce the number of states generated by the conventional state exploration (i.e., the perturbation technique), we have proposed another variation of state exploration called the circular exploration. This exploration is applicable to the protocols represented by N (N > 2) communicating finite-state machines (it is equivalent to the exploration proposed by Rubin and West [2] when there are only two finite-state machines in the protocol). A protocol validation algorithm based on the circular exploration has also been proposed in this paper. The algorithm can save time and/or storage in comparison with the perturbation technique, but it is applicable only to the protocols in the restricted class of communication networks. Namely, the topology of each of the communication networks contains only one elementary path from one node to any other node.

REFERENCES

1. P. M. Merlin, Specification and validation of protocols, IEEE Trans. Comm. COM-27, No. 11 (Nov. 1979).
2. J. Rubin and C. H. West, An improved protocol validation technique, Comput. Networks 6, No. 2 (Apr. 1982).
3. Mohamed G. Gouda and Yao-Tin Yu, Protocol validation by maximal progress state exploration, IEEE Trans. Comm. COM-32, No. 1 (Jan. 1984).
4. Yao-Tin Yu and Mohamed G. Gouda, Deadlock detection for a class of communicating finite state machines, IEEE Trans. Comm. COM-30, No. 12 (Dec. 1982).
5. C. H. West, General technique for communication protocol validation, IBM J. Res. Develop. 22, No. 4 (July 1978).

Received 13 May 1985; revised 20 August 1985