Reasoning About Distributed Systems: WYSIWYG

Transcription

1 Resoning About Distributed Systems: WYSIWYG Aiswry Cyric 1 nd Pul Gstin 2 1 Uppsl University, Sweden iswry.cyric@it.uu.se 2 LSV, ENS Cchn, CNRS, INRIA, Frnce pul.gstin@lsv.ens-cchn.fr Abstrct There re two schools of thought on resoning bout distributed systems: one following interleving-bsed semntics, nd one following prtil-order/grph-bsed semntics. This pper compres these two pproches nd rgues in fvour of the ltter. An introductory tretment of the split-width technique is lso provided ACM Subject Clssifiction F.1.1 [Computtion by Abstrct Devices]: Models of Computtion, F.3.1 [Logics nd Menings of Progrms]: Specifying nd Verifying nd Resoning bout Progrms Keywords nd phrses Verifiction of distributed systems, Communicting recursive progrms, Prtil order/grph semntics, Split-width nd tree interprettion Digitl Object Identifier /LIPIcs.FSTTCS Ctegory Invited Tlk 1 Introduction Distributed systems form crucilly importnt but prticulrly chllenging domin. Designing correct distributed systems is demnding, nd verifying its correctness is even more so. The min cuse of difficulty here is concurrency nd interction (or communiction) between vrious distributed components. Hence it is importnt to provide frmework tht mkes esy the design of systems s well s their nlysis. In this pper we rgue in fvour of (visul) grph-bsed techniques towrds this end. The behviour of distributed system is often understood by mens of n interlevingbsed semntics. People re guided by this understnding when designing system, nd lso when formlly expressing properties for system verifiction. But interlevings obfuscte the interctions between components. This inherent compliction of interleving-bsed semntics mkes the design nd verifiction vulnerble to mny (humn) errors. Moreover, expressing distributed properties on interlevings is non-trivil nd sometimes lso impossible to chieve. In contrst, visul understnding of behviours of distributed systems would mke it less prone to errors in the understnding of the semntics, in the sttement of properties nd in verifiction lgorithms. Not only does the visul pproch help in providing right intuitions, but, we will demonstrte tht, it is lso very powerful nd efficient. Supported by LIA InForMel. Aiswry Cyric nd Pul Gstin; licensed under Cretive Commons License CC-BY 34th Int l Conference on Foundtions of Softwre Technology nd Theoreticl Computer Science (FSTTCS 2014). Editors: Venktesh Rmn nd S. P. Suresh; pp Leibniz Interntionl Proceedings in Informtics Schloss Dgstuhl Leibniz-Zentrum für Informtik, Dgstuhl Publishing, Germny

2 12 Resoning About Distributed Systems: WYSIWYG Wht you see is wht you understnd. A good exmple of the visul representtion of behviours is the ITU stndrd messge sequence chrts (MSCs) [20] which describe protocols involving messge exchnges. The events executed by locl process re linerly ordered, see e. g., Figure 3. The trnsmission of the messges is lso depicted. This visul description revels not only the interctions between components but lso the concurrency nd the cuslity reltions. The cuslity reltion corresponds to the trnsitive closure of the liner orders on processes nd of the messge reltion. Events tht re not cuslly ordered re concurrent. Another exmple which illustrtes the power of visul representtions is nested words [5] for the behviours of recursive progrms. The binry reltion mtching push-pop pirs, which is very fundmentl for resoning bout recursive (or pushdown) systems, is explicitly provided in nested word. Wht you see is wht you stte. One min dvntge of such visul representtion is the ese nd power of specifiction. The underlying grph structure provides richer frmework for forml specifiction. For exmple, mondic second order logic (MSO) my hve cuslity reltion, concurrency reltion, process ordering, messge trnsmissions, push-pop mtching reltion etc. s bsic predictes. Mny of these fundmentl reltions re very difficult (or even impossible) to recover if we settle for n interleving-bsed understnding. For exmple, the mondic second order logic over words cnnot express mtching push-pop reltion even when we ssume visible lphbet (one in which letter dicttes whether it is push position or pop position). This is becuse such reltion requires some implicit counting for which MSO over words is too wek. Wht bout LTL? Temporl logics nd nvigtion logics hve been studied over the intuitive visul descriptions, for instnce over nested words [4, 3], MSCs [8], nested trces [7], multiply nested words [24], etc. Such logics llow us to express the fundmentl reltions (cuslity, concurrency, messge mtching, push-pop mtching, etc.) s bsic modlities. Thus, properties of distributed systems cn be esily nd nturlly expressed. On the other hnd, if the behviour of distributed system is understood in terms of liner sequences of events, one is tempted to use LTL over words for specifictions. But the clssicl modlities of LTL re not suited to the distributed setting. For exmple, the temporl next modlity of LTL over words is nonsensicl in the ctul distributed behviour since concurrent/independent events cn be ordered rbitrrily by the opertionl semntics. So, LTL is sometimes deformed by removing the next modlity [28]. When does specifiction over lineriztions mke sense? In fct, specifiction of distributed systems given over lineristions (by mens of MSO or LTL) is meningful only if it is stisfied by ll or none of the equivlent lineristions of ny given distributed behviour. We sy distributed specifiction is closed if it stisfies this inevitble semntic closure condition. In some prticulr cses, it is decidble to check whether given specifiction, e. g., in LTL over words, is closed [29, 27]. But this does not provide convenient specifiction lnguge, which would syntcticlly ensure tht ll specifictions re closed. On the other hnd, logics over grph-bsed representtions nturlly eliminte this problem since the semntics is independent of the lineristions. Why cre beyond rechbility? Very often people cre only bout rechbility, nd not beyond it. One of the min resons is tht, in the cse of sequentil non-recursive systems,

3 A. Cyric nd P. Gstin 13 the model-checking nd stisfibility problems reduce to rechbility. Most of the decision procedures proceed by building mchine which ccepts the models of the specifiction. This is then followed by boolen opertions on the mchine model nd finlly performing n emptiness checking on the resulting mchine which is nothing but rechbility test. However, for distributed systems, such trnsltions from specifictions to mchine models do not exist. Closure under boolen opertions lso does not hold in generl. Hence the model checking nd stisfibility problems in the distributed setting cnnot be reduced to rechbility. Thus, while it is necessry nd importnt to study the bsic rechbility problem, it is not sufficient. We need to devise techniques / verifiction procedures for specifictions given in logicl lnguges. But we hve techniques nd tools vilble for words. Wht bout grphs? In fct, grph theory is very well-studied nd mture discipline. We my use the insights nd results from grph theory to our dvntge. For exmple, generic logics on grphs serve s good specifiction formlism. Grph mesures such s tree-width (or clique-width or split-width) could offer good under-pproximtion prmeters towrds regining decidbility of our Turing powerful systems. The generic proof technique vi tree interprettions helps us in obtining efficient lgorithms. We explore these directions in this pper with the help of split-width. Split-width? Tree-interprettions? Split-width [16, 15, 2] offers n intuitive visul technique to decompose our behviour grphs such s MSCs nd nested words. The decomposition is minly divide-nd-conquer technique which nturlly results in tree decomposition. Every behviour cn now be interpreted over its decomposition tree. Properties over the behviour nturlly trnsfer into properties over the decomposition tree. This llows us to use tree-utomt techniques to obtin uniform nd efficient decision procedures for rnge of problems such s rechbility, model checking ginst logicl formlisms etc. Furthermore, the simple visul mechnism of split-width is s powerful s yrdstick grph mesures such s tree-width or clique-width. Hence it cptures ny clss of distributed behviours with decidble MSO theory. How efficient re the decision preocedures? Since grphs hve richer structure, nd llow richer specifictions, the verifiction problems re more chllenging in the cse of grphs s compred to words. However, our decision procedures for visul behviours vi split-width mtch the sme time complexity s the decision procedures bsed on the interleving semntics. In short, the visul technique solves more for the sme price. Wht you see in Tble 1 is wht you get. The rest of this rticle illustrtes this. 2 Communicting Recursive Progrms We im t nlysing complex distributed systems consisting of severl multithreded recursive progrms communicting vi chnnels. In this section, we introduce the bstrct model for such systems nd we give its opertionl semntics resulting in liner behviours. We lso recll some undecidbility results on these systems. The overll structure of system is given by its rchitecture, consisting of finite set of processes, nd finite set of dt structures. We re minly interested in stck nd queue dt structures, though we lso hndle bgs. F S T T C S

4 14 Resoning About Distributed Systems: WYSIWYG Tble 1 Compring interlevings nd grphs: WYSIWYG. WYG WYS Understnding (Behviours) Expressiveness (Specifictions) Efficiency (Complexity of lgorithms) Words interleved sequence of events. Interctions re obfuscted nd very difficult to recover. combintoril explosion (single distributed behviour results in huge number of interleved trces) too wek for mny nturl specifictions requires semnticl closure to be meningful: equivlent liner trces should gree on specifiction undecidble in generl decidble under restrictions reductions to sequentil word utomt mny tools vilble on the shelf good spce complexity Grphs visul description of events interctions re visible / self-explined no combintoril explosion powerful specifictions. trivil to express interctions independent of prticulr lineristion (i. e., nturlly meningful) undecidble in generl decidble under (more lenient) restrictions reductions to tree utomt vi treeinterprettions good time complexity Stck d 1 Queue d 2 Queue d 3 Bg d 4 Process p Process q Figure 1 An Architecture. It hs four dt structures nd two processes. Writer nd Reder of the dt structures re depicted by the incoming nd outgoing rrows respectively. An rchitecture. A is tuple (Procs, DS, Writer, Reder) consisting of finite set Procs of processes, finite set DS = Bgs Stcks Queues of dt structures nd functions Writer nd Reder which ssign to ech dt structure the process tht will write into it nd the process tht will red from it respectively. In the specil cse of communicting recursive progrms, we use stcks for recursion nd queues for FIFO messge pssing. Bgs re useful when no specific order is imposed on the messge delivery. Since stcks re used to model recursion, we ssume tht Writer(s) = Reder(s) for ll s Stcks. An rchitecture is depicted in Figure 1. Ech process is described s finite stte mchine in which trnsitions my either be internl, only modifying the locl stte of the mchine, or ccess dt structure. In the ltter cse, it is executing either write event, dding vlue to the dt structure, or red event, removing vlue from the dt structure. Since these dt structures permit only destructive reds, they induce binry mtching reltion between write events nd red events of behviour.

5 A. Cyric nd P. Gstin 15 Definition 1. A system of concurrent processes with dt structures (CPDS) over n rchitecture A nd n lphbet Σ of ction nmes is tuple S = (Locs, Vl, (Trns p ) p Procs, l in, Fin) where Locs is finite set of loctions, Vl is finite set of vlues tht cn be stored in the dt structures, l in Locs is the initil loction, Fin Locs Procs is the set of globl finl loctions, nd Trns p is the set of trnsitions of process p. Trns p my hve write (resp. red) trnsitions on dt structure d only if Writer(d) = p (resp. Reder(p) = d). For l, l Locs, Σ, d DS nd v Vl, Trns p hs internl trnsitions of the form l l, write trnsitions of the form l,d!v l with Writer(d) = p, nd red trnsitions of the form l,d?v l with Reder(d) = p. The opertionl semntics of CPDS S my be given s n infinite stte trnsition system T S. The infinite set of sttes of T S is Locs Procs (Vl ) DS. In the following, stte of T S is pir (l, z) where l = (l p ) p Procs nd z = (z d ) d DS. Such stte is initil if l p = l in for ll p Procs nd z d = ε for ll d DS. It is finl if l Fin nd z d = ε for ll d DS. The trnsitions of the CPDS S induce the trnsitions of T S s follows. (l, z) == p, (l, z) if l p l p in Trns p nd l q = l q for ll q p, (l, z) === p,,d! (l, z,d!v ) if l p l p in Trns p for some vlue v Vl nd l q = l q for ll q p, nd z d = z dv, nd z c = z c for ll c d, (l, z) ==== p,,d? (l, z,d?v ) if l p l p in Trns p for some vlue v Vl nd l q = l q for ll q p, nd z c = z c for ll c d, nd z d = uvw nd z d = uw for some u, w Vl. If d Queues (resp. d Stcks) we require in ddition tht u = ε (resp. w = ε). A run of T S is sequence of consecutive trnsitions, it is ccepting if it strts in the initil stte nd ends in some finl stte of T S. The liner trce of the run is the word obtined by conctenting the sequence of trnsition lbels. It is word over the lphbet Γ = (Procs Σ) (Procs Σ DS {!,?}). We denote by L lin (S) the set of liner trces ccepted by the opertionl semntics of S. Keeping the dt structure ccess in the liner trces llows us to recover the mtching reltion between write ctions nd corresponding red ctions for stcks or queues (but not for bgs). This requires some counting, hence it is not regulr reltion (n MSO definble reltion) on the liner trces. Undecidbility. Since the opertionl semntics is n infinite stte system, we cnnot nlyse it directly. The most bsic problem, rechbility, is lredy undecidble. This is in prticulr the cse for single process with self queue, or single process with two stcks, or two processes with two queues between them (the direction of the queues does not mtter), or two processes hving stck ech nd linked with queue (see, e. g., [15]). Chrcteriztions of decidble topologies hve been studied in the cse of relible nd lossy chnnels [12] or in the cse of FIFO chnnels nd bgs [13]. Since decidble rchitectures re much too restrictive, under-pproximtion techniques hve been developped. Decidbility is recovered by putting some restrictions on the possible behviours of the system. For instnce, very nturl restriction is to put bound on the dt structure cpcities. The opertionl semntics described bove becomes finite stte trnsition system. The nlysis in this cse is restricted to so-clled existentilly bounded behviours [18]. Mny other under-pproximtion clsses hve been studied, e. g., bounded context [30], bounded phse [21], bounded scope [23], etc. F S T T C S

6 16 Resoning About Distributed Systems: WYSIWYG d 1 p b b d 1 d 1 b b b d 2 d 3 d 2 d 2 q b b b b b b d 4 d 4 d 4 d 4 Figure 2 A CBM over the rchitecture given in Figure 1 nd lphbet {, b}. 3 Distributed Behviours In this section, we introduce the distributed semntics of CPDSs. We relte the distributed semntics nd the opertionl semntics by showing tht the liner trces rising from the ltter re exctly the lineristions of the grphs defined by the former. We illustrte the benefits of considering the distributed semntics in the rest of this pper. As first exmple, the grph on Figure 2 provides visul description of the behviour of CPDS. On such grph, clled concurrent behviour with mtching (CBM), the horizontl lines describe the liner behviour of ech process of the system, the other edges describe the mtching reltions between writes nd corresponding reds. The CBM in Figure 2, is over the rchitecture of Figure 1. The curved rrows on process p nd process q form the mtching reltions of stck d 1 nd bg d 4 respectively. The mtching reltions induced by queues re shown by the rrows between the processes. As comprison, the opertionl semntics genertes lineristions of this behviour such s Lin 1 = (p, )(p, b, d 1,!)(p,, d 3,!)(p, b, d 1,!)(q,, d 4,!)(q, b, d 2,!)(q, b, d 4,!) (q,, d 4,!)(q,, d 2,!)(q, b, d 4,?)(q,, d 3,?)(q, b, d 4,?)(q,, d 2,!) (q, b, d 4,!)(q, b, d 4,?)(q,, d 4,?)(p,, d 2,?)(p, b, d 1,?)(p,, d 1,!) (p,, d 2,?)(p,, d 1,?)(p, b, d 1,?)(p, b, d 2,?)(p, ) Lin 2 = (p, )(q,, d 4,!)(p, b, d 1,!)(q, b, d 2,!)(p,, d 3,!)(q, b, d 4,!)(p, b, d 1,!) (q,, d 4,!)(p, b, d 1,?)(q,, d 2,!)(p,, d 2,?)(q, b, d 4,?)(p,, d 1,!) (q,, d 3,?)(p,, d 2,?)(q, b, d 4,?)(p,, d 1,?)(q,, d 2,!) (p, b, d 1,?)(q, b, d 4,!)(p, b, d 2,?)(q, b, d 4,?)(p, )(q,, d 4,?) from which it is much hrder to get n intuition of the interctions going on in this behviour. Actully, when we hve bgs, we cnnot uniquely reconstruct CBM from lineristion. Hence, for distributed systems, grphs provide visul nd intuitive description of behviours well-suited for humn beings. In the next sections, we discuss further the benefits of describing behviours s directed grphs. Here, we define these CBMs. The intuition is esy, we hve one liner trce for ech process nd in ddition binry mtching reltions relting write events to corresponding reds. The forml definition hs to stte dditionl properties so tht the mtching reltions comply with the ccess policies of dt structures. Definition 2. A concurrent behviour with mtching (CBM) over rchitecture A nd lphbet Σ is tuple M = ((w p ) p Procs, ( d ) d DS ) where w p Σ is the sequence of events

7 A. Cyric nd P. Gstin 17 on process p nd d is the binry reltion mtching write events on dt structure d with their corresponding red events. We let E p = {(p, i) 1 i w p } be the set of events on process p Procs nd E = p Procs E p. For n event e = (p, i) E p, we set pid(e) = p nd λ(e) be the ith letter of w p. We write for the successor reltion on processes: (p, i) (p, i + 1) if 1 i < w p. The mtching reltions should comply with the rchitecture: d E Writer(d) E Reder(d) for ll d DS nd dt structure ccesses re disjoint: if e 1 d e 2 nd e 3 d e 4 re different edges (d d or (e 1, e 2 ) (e 3, e 4 )) then they re disjoint ( {e 1, e 2, e 3, e 4 } = 4). Finlly, writes should precede reds, so we require the reltion < = ( ) + to be strict prtil order on the set E of events, where = d DS d is the set of ll mtching edges. There re no dditionl constrints for bgs, but for stcks or queues we hve to impose in ddition d Stcks, d conforms to LIFO: if e 1 d f 1, e 2 d f 2 nd e 1 < e 2 < f 1 then f 2 < f 1, d Queues, d conforms to FIFO: if e 1 d f 1, e 2 d f 2 nd e 1 < e 2 then f 1 < f 2. We let CBM(A, Σ) be the set of CBMs over A nd Σ. A run of CPDS S on CBM M is simply lbelling ρ : E Locs of events by sttes which is comptible with the trnsition reltion. We denote by ρ : E Locs the mp tht ssocites with ech event the stte which lbels its predecessor: ρ (e) = ρ(e ) if e e nd ρ (e) = l in if e is miniml on its process. Then, the mp ρ is run if (T 1 ) for ll e d f, there exists some vlue v Vl such tht ρ (e) λ(e),d!v ρ(e) in Trns pid(e) nd ρ (f) λ(f),d?v ρ(f) in Trns pid(f), (T 2 ) for ll internl events e we hve ρ (e) λ(e) ρ(e) in Trns pid(e). A run ρ is ccepting if lst ρ Fin where lst ρ Locs Procs gives the finl loction of the run for ech process: lst ρ p = l in if E p = nd lst ρ p = ρ(mx(e p )) otherwise. We denote by L cbm (S) the set of CBMs ccepted by S. We explin now the reltionship between the distributed semntics nd the sequentil opertionl semntics. Intuitively, the liner trces of the opertionl semntics re precisely the lineristions of the CBMs ccepted by the distributed semntics. Let us mke this sttement more precise. Consider CBM M nd define the lbelling γ : E Γ where Γ = (Procs Σ) (Procs Σ DS {!,?}) by γ(e) = (pid(e), λ(e)) if e is n internl event, nd if e d f then γ(e) = (pid(e), λ(e), d!) nd γ(f) = (pid(f), λ(f), d?). A lineristion of M is given by totl order lin on the set E of events which is comptible with the cuslity reltion: < lin. It defines the word γ(e 1 )γ(e 2 ) γ(e n ) Γ if the liner order on E is e 1 lin e 2 lin lin e n. We denote by Lin(M) Γ the set of lineristions of M. Theorem 3. We hve Lin(L cbm (S)) = L lin (S). However, there re lso subtle differences between these two semntics. As seen bove, it is possible to derive the liner trces from the CBMs, but the converse is not possible in generl. For instnce, if the dt structure d is bg, then the liner trce (p, 1, d!)(p, 2, d!)(p, 3, d?)(p, 4, d?) is both lineristion of the CBM M 1 which mtches 1 with 3 nd the CBM M 2 which mtches 1 with 4. Hence, some specifictions involving the mtching reltions my not be expressible on the lineristions. If we only hve stcks nd queues, then we cn unmbiguously reconstruct CBM from liner trce w L lin (S). This is chieved s follows. For ech p Procs, the sequence of ctions executed by process p is the word w p Σ obtined s the projection on Σ of the subword of w consisting of the letters whose first component is process p. This yields the F S T T C S

8 18 Resoning About Distributed Systems: WYSIWYG first component (w p ) p Procs of the CBM M ssocited with w. Notice tht there is nturl bijection between the set of positions of w nd the set E of events of M. To define the mtching reltions, consider two events e, f ssocited with positions i, j of w. Then, e d f iff the letters of w t positions i nd j re w(i) Procs Σ {d!} nd w(j) Procs Σ {d?} nd if d Queues then the number of writes to d before i equls the number of reds from d before j, if d Stcks then j is the miniml position fter i such tht between i nd j, the number of writes to d equls the number of reds from d. Notice tht, even in the cse of stcks nd queues for which the mtching reltions cn be unmbiguously recovered from liner trces, these reltions re not MSO definble on the liner trces. Hence, even with the powerful MSO logic, we cnnot specify properties involving mtching reltions on liner trces. We will discuss this more precisely in the next section. 4 Specifictions The simplest specifictions consist of locl stte rechbility or globl stte rechbility: is there run of S which reches given locl stte l Locs on some process p Procs or given globl stte l Locs Procs. To express more elborte properties, we need some specifiction lnguges, such s first-order logic, mondic second-order logic, temporl logic, propositionl dynmic logic, etc. Here it mkes big difference whether we work with the sequentil opertionl semntics or the distributed semntics. In the first cse, trces re words nd the logics will refer to the liner order lin, wheres in the ltter cse, behviours re grphs nd the logic will hve direct ccess to the cusl ordering < s well s to the process successor reltion nd the mtching reltions d. The process successor reltion cn be esily recovered from the liner order lin. This is not the cse for d, hence lso for the cusl ordering <, in the logics mentioned bove. Actully, recovering reltion d is possible if d is stck or queue but it requires some counting s explined bove. This counting is not possible, even in the powerful MSO logic, unless the cpcity of the dt structure d is bounded by some fixed vlue B. In this cse, it is possible to express d in MSO, though the formul is non-trivil nd depends on the bound B. Hence, we fvour specifiction logics on CBMs rther thn on liner trces. The prtil order < = ( ) + tht comes with CBM M = ((w p ) p Procs, ( d ) d DS ) describes the cuslity reltion between events. Some specifictions rely on this cuslity reltion. For instnce, distributed system my receive requests on some process p, do some internl computtion involving severl other processes, nd finlly deliver n nswer on some other process q. A nturl specifiction is tht every request should be nswered. Indeed, the nswer to request should be in its cusl future. Such specifiction is esy to write on CBMs where the cusl ordering is vilble. For instnce, it corresponds to the first order formul ϕ = x (request(x) = y (x < y response(y))) or to the locl LTL formul G(request = F response) (where G mens for ll events in the cusl future nd F mens for some event in the cusl future). The CBM M depicted in Figure 3 does not stisfy this specifiction s Request 2 is not responded. Request 1 hs Response 2 in its future, though not Response 1. Recll tht, by Theorem 3, liner trces re liner extensions of CBMs nd events tht re concurent in M my be ordered rbitrrily in liner trce. Therefore, Lin(M) includes mny lineristions in which the responses follow the requests nd from which it is not esy to see whether the specifiction is stisfied or not.

9 A. Cyric nd P. Gstin 19 p p 1 p 2 p 3 p 4 q req 1 req y resp 1 resp 2 Figure 3 A request/response scenrio. As explined bove, recovering the cusl order < from the totl order lin is not possible, even with very expressive specifiction lnguges such s MSO over words. As conclusion, simple nd nturl specifiction such s the request/response property, cnnot be reduced to rechbility problem on the opertionl semntics in generl. Such reduction is possible when the dt structures re restricted to bounded stcks nd bounded queues (no bgs), but it is non-trivil. The sme rgument holds for specifictions tht involve the mtching reltion ssocited with stck. For instnce, we my specify tht fter receiving request, the process clls recursive procedure nd when this cll returns it immeditely delivers the response. Agin, mtching cll with the corresponding return requires counting which is not regulr property unless the cll depth is bounded. As nother exmple, specifiction my require tht when n ccess to some criticl section is denied, there is good reson for tht, sy some concurrent event is ccessing the criticl section. Agin, concurrency which is the bsence of cusl ordering cnnot be expressed on the liner trces in generl. We introduce below two powerful specifiction lnguges on CBMs. First, mondic second-order logic over CBM(A, Σ) is denoted MSO(A, Σ). It follows the syntx: ϕ ::= flse (x) p(x) x y x d y x y x X ϕ ϕ ϕ x ϕ X ϕ where p Procs, d DS nd Σ. The semntics is s expected. Every sentence ϕ in MSO defines lnguge L cbm (ϕ) CBM(A, Σ) consisting of ll CBMs tht stisfy tht sentence. A lnguge L CBM(A, Σ) is MSO definble if L = L cbm (ϕ) for some sentence ϕ MSO(A, Σ). Remrk. The set CBM(A, Σ) is MSO definble in the clss of grphs over the signture ssocited with (A, Σ). More precisely, there is n MSO(A, Σ) sentence Φ cbm such tht grph G = (E,, ( d ) d DS, pid, λ) stisfies Φ cbm iff it is CBM over (A, Σ). It is esy to obtin the formul Φ cbm from Definition 2, including the LIFO nd FIFO conditions for stcks nd queues. Remrk. The lnguge L cbm (S) of CPDS S is definble with n existentil MSO sentence Φ S. Intuitively, with n existentil prefix (X p,τ ) p Procs,τ Trnsp the formul guesses for ech trnsition τ Trns p the set of events from process p Procs tht will execute this trnsition, nd then checks with first-order formul tht this guess defines n ccepting run of S. Remrk. Notice tht CBM-grphs hve degree bounded by 3 since ny event my tke prt in t most one mtching reltion. Therefore, on CBMs, the logic MSO 2 in which we my lso quntify over edges (individul vribles or set vribles) hs the sme expressive power s MSO. F S T T C S

10 20 Resoning About Distributed Systems: WYSIWYG We re interested in two decision problems: stisfibility of specifiction nd model checking of system ginst specifiction. Given n rchitecture A, n lphbet Σ nd n MSO sentence ϕ MSO(A, Σ), the stisfibility problem sks whether M = ϕ for some M CBM(A, Σ). For the model checking problem, we re lso given CPDS S nd we sk whether the specifiction is stisfied for ll (or for some) behviours of the system: M = ϕ for ll M L cbm (S). Since rechbility (or equivlently emptiness) is undecidble in generl for CPDSs, both stisfibility nd model checking re undecidble for ny specifiction lnguge tht cn express rechbility, in prticulr MSO. This is trivil for model checking: the specifiction flse is stisfied iff the lnguge of S is empty, i. e., if the finl sttes re not rechble. For stisfibility, it follows from the remrk bove since Φ S is stisfible iff the set of finl sttes is rechble in S. Remrk. We hve seen bove tht rechbility reduces to model-checking or to stisfibility. In the cse of finite sequentil systems, the converse holds since, for ny MSO formul ϕ, we cn compute n utomton A ϕ which ccepts exctly the models of ϕ [11, 17, 32]. Then, the model-checking problem reduces to the emptiness problem for the intersection of the system nd the negtion of the formul. But this pproch fils for distributed systems becuse it is not possible in generl to compute n utomton equivlent to given formul. Indeed, we hve lredy seen tht the mtching reltion, hence lso the prtil order, cnnot be computed by n utomton on the lineristions. Even if we sty in the distributed semntics, n MSO formul cnnot be trnslted to CPDS in generl. This is becuse even the simpler clss of messge pssing utomt (i. e., when DS = Queues) is not closed under complementtion [9]. Therefore the model-checking problem for CPDSs nd MSO does not reduce to rechbility in generl. Is MSO the ultimte logic? MSO is very expressive logic for specifictions. Its drwbck is tht, even when we recover decidbility by restricting to some under-pproximtion clss, the complexity of the decision procedure in non-elementry. This is lredy the cse for words or trees. To get better complexity, one should use other formlisms such s Temporl Logics or Propositionl Dynmic Logic (PDL). Towrds expressing properties of CBMs, the clssicl LTL over words hs been extended to visible behviours such s nested words [4, 3], MSCs [8], nested trces [7], multiply nested words [24], etc. These temporl logics hve explicit modlities tht llow one to retrieve mtching edges or to follow the prtil order. Below, we describe propositionl dynmic logic which embeds ll these logics nd provides powerful nvigtionl bilities. In PDL, there re two types of formuls. Stte formuls (σ) describe the properties of events in behviours, hence they hve n implicit first-order free vrible ssigned to the current event. Atomic propositions such s p or ssert tht the current event is on process p Procs or is lbelled Σ. In ddition to boolen connectives, we hve pth modlity π σ climing the existence of pth following π from the current node to n event stisfying σ. A pth formul π hs two implicit first-order free vribles ssigned to the end points of the pth. They re built from bsic moves following edges of the grph (in our cse nd d ), either forwrds or bckwrds, using rtionl expressions tht my use intersection in ddition to the clssicl union, conctention nd itertion. In ddition, we my check stte formul σ long pth. Formlly, the syntx of ICPDL(A, Σ) is given by σ ::= flse p σ σ σ π σ π ::= test(σ) d π 1 π + π π π π π π

11 A. Cyric nd P. Gstin 21 where p Procs, d DS nd Σ. If intersection π π is not llowed, the frgment is PDL with converse (CPDL) 1. 5 Grph theoretic pproch to verifiction In this section, we show how results from grph theory my help in designing decidble under-pproximtion techniques for the verifiction of CPDSs. The distributed semntics defines the behviours s grphs, hence we re interested in checking properties of the set of grphs L cbm (S) ccepted by CPDS. More precisely, our im is to solve the model checking problem: given system S nd specifiction ϕ MSO(A, Σ), does S = ϕ, i. e., is the formul ϕ vlid on L cbm (S)? Let us fix some rchitecture A nd the set Σ of ction lbels. Decidbility of the modelchecking problem is equivlent to decidbility of the MSO theory of the set CBM(A, Σ) of CBM-grphs. Indeed, we hve seen in Remrk 4 tht from CPDS S we cn compute formul Φ S which defines L cbm (S). Therefore, S = ϕ iff Φ S ϕ is vlid on CBM(A, Σ). Hence, decidbility of model-checking reduces to decidbility of the MSO theory of CBM(A, Σ). For the converse, it suffices to consider universl CPDS S with L cbm (S) = CBM(A, Σ). We hve seen in Section 2 tht rechbility, the most bsic model-checking problem, is undecidble for CPDS, even for very simple rchitectures such s two processes communicting vi FIFO chnnels (with no stcks) or single process with two stcks. Hence, the MSO theory of CBM(A, Σ) is undecidble in generl, which cn be seen lso directly since CBMs hve unbounded tree-width (or clique-width) in generl. Still, it is extremely chllenging to develop correct progrms for distributed multi-threded recursive systems. Hence, techniques for pproximte verifiction hve been extensively developed recently. We will not discuss over-pproximtion techniques in the present pper. An under-pproximtion technique restricts the problems (rechbility, stisfibility or model-checking) to decidble subclss C CBM(A, Σ) of behviours. Often the subclss C m is prmetrised with some integer m. We cover more behviours by incresing the prmeter m. The pproximtion fmily (C m ) m 0 is complete or exhustive if CBM(A, Σ) = m C m. Hence, the im of under-pproximte verifiction is to define nd study meningful clsses C CBM(A, Σ) with decidble MSO theory. Decidbility of the MSO theory (or equivlently decidbility of the MSO stisfibiliy problem) for clsses C of grphs hs been extensively studied. We recll now some importnt results tht will be useful for our purpose (see [14, Chpter 1] for survey). Recll tht CBM-grphs hve degree bounded by 3 since ny event my tke prt in t most one mtching reltion. Hence, we restrict our ttention to results for clsses C of bounded degree grphs. The following fct summrizes some of the min results (see Theorem 4). An MSO definble clss C of bounded degree grphs hs decidble MSO theory iff it cn be interpreted 2 in the clss of binry (lbelled) trees. 1 If bckwrd pths π 1 re not llowed the frgment is clled PDL with intersection (IPDL). In simple PDL neither bckwrds pths nor intersection is llowed. 2 There re severl equivlent wys to define n interprettion of grph G = (V, E) in lbelled tree T. We describe the MSO-trnsductions of Courcelle, but one my, for exmple, lso use the regulr pth descriptions of Engelfriet nd vn Oostrom. An MSO-interprettion is given by tuple of MSO formuls. We will give concrete exmple in Section 6. Intuitively, not ll lbelled trees dmit vlid grph interprettion, hence, we use sentence Φ vlid to select the good trees. The vertices of the grph re some nodes of the tree, nd we use formul Φ vertex(x) to select those nodes of T which should be interpreted s vertices of G: V = {u T T = Φ vertex(u)}. Finlly, formul Φ edge (x, y) encodes F S T T C S

12 22 Resoning About Distributed Systems: WYSIWYG In the light of this fct, under-pproximtion clsses re obtined by MSO definitions together with tree interprettions. Then, verifiction problems re reduced to problems on tree utomt, yielding efficient lgorithms. Such tree interprettions cn be defined specificlly for some clss C CBM(A, Σ). This is for instnce the cse for bounded phse behviours of multi-pushdown utomt [21] where multiply nested words of bounded phse re interpreted in binry trees clled stck-trees. Another exmple is given by the interprettion of some clsses of multiply nested words in visibly (k-)pth trees in order to prove decidbility of emptiness nd closure under complement of multi-pushdown utomt when restricted to some clsses of behviours tht cn be interpreted in these pth-trees [25]. A higher level pproch is to prove some combintoril property on the clss C which ensures the existence of tree interprettion. For instnce, one my show tht the clss C hs bounded tree-width (nd is MSO definble). This is the pproch tken in [26], where decidbility of severl under-pproximtion clsses is estblished by proving tht they re MSO definble nd hve bounded tree-width. For most of the clsses considered in [26] the decidbility hd been lredy proved directly. Hence, [26] provides unifying pproch s well s efficient lgorithms bsed on tree interprettions. Alterntive combintoril properties my be more convenient, for instnce bounded clique-width, which is equivlent to bounded tree-width on clsses of bounded degree grphs. In [16, 2] nother decomposition technique, clled split-width, is defined specificlly for CBMs (see Section 6). On clsses of CBMs, bounded tree-width, bounded clique-width nd bounded split-width re ll equivlent. We believe tht, for clss of CBMs, estblishing bound on split-width is esier thn the other mesures. Also, we will see in Section 6 tht split-width gives n esy nd nturl interprettion of CBMs in binry trees. Hence, split-width provides convenient, necessry nd sufficient condition, to estblish decidbility of the MSO theory of n under-pproximtion clss. The following theorem summrizes some of the relevnt results. For more detils, the reder is referred to [14, Chpter 1] nd [16, 15]. Theorem 4. Let C be clss of bounded degree grphs which is MSO definble. TFAE 1. C hs decidble MSO theory, 2. C cn be interpreted in binry trees, 3. C hs bounded tree-width, 4. C hs bounded clique-width, 5. C hs bounded split-width (if C CBM(A, Σ) is clss of CBMs). In order to define good under-pproximtion clss, one my show tht it is MSO definble nd tht it stisfies one of the conditions of Theorem 4. We will introduce splitwidth in the next section nd show tht it is convenient tools for CBMs. Proving MSO definbility is often esy. This is the cse for mny under-pproximtion clsses, like bounded context, bounded phse, bounded scope, ordered etc. for multi-pushdown systems. Also, for distributed systems, it is esy to give n MSO definition for universlly bounded MSCs, or the bounded context nd well-queuing ssumption of [22, 19]. the edge reltion of G: T = Φ edge (u, v) iff (u, v) E. We my lso interpret vertex-lbelled grphs by refining Φ vertex in tuple of formulæ Φ (x) which selects those vertices/nodes tht re lbelled. Finlly, in cse of edge-lbelled grphs, the formul Φ edge (x, y) is refined in tuple of formulæ Φ d (x, y) one for ech edge-lbel d.

13 A. Cyric nd P. Gstin 23 6 Split-width In this section, we introduce split-width. We explin the ssocited tree-interprettions nd infer the decidbility nd complexity of collection of verifiction problems when prmetrised by split-width. We lso discuss how to use split-width in order to obtin similr results for vrious under-pproximtion clsses. With K. Nryn Kumr, we introduced split-width in [16] for multiply nested words. The technique ws lter extended to CBMs in [15, 2]. The ide is to decompose grph in tomic pieces consisting of mtching write/red pirs, see Figure 4. This cn be seen s two-plyer turn-bsed gme with fixed budget k which will be the width of the decomposition. The existentil plyer (Eve), trying to prove the existence of decomposition of width t most k, hs to disconnect the CBM grph by splitting t most k process edges. For instnce, the root of Figure 4 is lbelled with CBM M over the rchitecture A of Figure 1. The grph M cnnot be disconnected by splitting only one or two process edges. So Eve splits three process edges tht re shown s dshed red edges in the split-cbm M. The universl plyer (Adm) will now choose one of the connected components of M nd the gme continues. M hs two connected components M 1 nd M 2, providing two choices for Adm. If M 2 is chosen, Eve splits the two process edges nd the resulting grph M 2 hs now two connected components. Whichever is chosen by Adm is n tomic write/red edge, which is winning position for Eve. Assume now tht M 1 is chosen. Note tht M 1 hs two blocks of events on process q with one hole between them. The first block consists of single event lbelled b nd the second one consists of three events lbelled cdc. A block of events in split-cbm is mximl sequence of events on single process. For instnce, M hs two blocks on process p nd three blocks on process q. Clerly, the number of holes on some process is the mximum of zero nd the number of blocks minus one on tht process. The budget k of Eve is reduced by the number of holes. For instnce, M 1 hs one hole (on process q) hence Eve is only llowed two (3 1) more splits to disconnect M 1 without exceeding her budget. Her choice is depicted in M 1. One connected component of M 1 is mtching edge which is winning for Eve. So Adm should choose M 3 lest he lose immeditely. Eve splits the remining process edge nd wins regrdless of Adm s choice. To summrize, Eve wins ply if it ends in n tomic CBM, i. e., single internl event or mtching write/red edge. She loses if she cnnot disconnect non-tomic grph without introducing more thn k split-edges (holes). The split-width of CBM is the minimum budget k for which Eve hs winning strtegy. A winning strtegy for Eve with budget 3 is depicted in Figure 4 for the CBM M t the root. As explined bove, M cnnot be disconnected with only two splits, hence its split-width is exctly 3. We denote by CBM k split(a, Σ) the set of CBMs over A nd Σ with split-width bounded by k. Exmple 5. Nested words hve split-width t most 2. Nested words [5] re CBMs over n rchitecture with single process nd single stck. The bound on split-width cn be seen esily since nested word w is () either the conctention of two nested words in which cse Eve splits the edge between the two nested words, (b) or is of the form w b where w is nested word, in which cse Eve splits the first nd lst process edges, (c) or is n tomic CBM. Exmple 6. Existentilly k-bounded CBMs hve split-width t most k + 1. A CBM M is existentilly k-bounded if it dmits lineriztion such tht the number of unmtched F S T T C S

14 24 Resoning About Distributed Systems: WYSIWYG M p q b c d b c d c M p q b c d b c d c M 1 p q b c d c M 2 b c d M 1 p q b c d c M 2 b c d c b d M 3 b c d c M 3 b c d c b d Figure 4 A split decomposition of width 3. writes t ny point is bounded by k. For instnce, the CBM M t the root of Figure 4 is existentilly 3-bounded. Let the liner order witnessing the existentil bound be lin. The strtegy of Eve is to detch the first k + 1 events of M with respect to lin by splitting the corresponding outgoing process edges. The resulting split-cbm M must be disconnected. Indeed, the detched events cnnot ll be write events, otherwise the bound k is exceeded. If red event is detched, then the corresponding write is lso detched since it must come erlier in ny lineriztion. Therefore, the split-cbm M contins some connected components which re tomic CBMs nd t most one connected component M 1 which is non-tomic. Adm must choose the component M 1 to void losing the gme immeditely. Then, Eve proceeds by splitting some more process edges until k + 1 events re detched in the lin order. As bove, the resulting split-cbm must be disconnected nd t most one of its connected component is non-tomic. Eve pplies the sme strtegy s long s there is non-tomic connected component. Exmple 7. Multiply nested words with t most m phses hve split-width t most 2 m. Multiply nested words (MNWs) re CBMs over n rchitecture with single process nd severl stcks. A phse in MNW is fctor in which ll red events re from the sme stck.

15 A. Cyric nd P. Gstin 25 (n) (n ) split- (m, mm) div- (lr, lrl) split- div- (n 1) split- (m, im) (n 1) div- (lr, llr) (n 2) split- (mm, ε) (n 2) div- (rlr, l) split- div- split- div- d2 d3 d2 c split- div- d4 d1 c b d (n 3) split- (ε, im) (n 3) div- (l, rlr) d2 (l, r) d3 (ε, lr) d2 (l, r) (n 5), p c, q d4 (r, l), q c, p d1 (lr, ε) b, p d, p c b d (n 4), p c, q b, q d, q Figure 5 A split term s (left) nd lbelled term t (right) corresponding to Figure 4. M p q b c d b c d c M p q b c d c b c d Figure 6 Two CBMs tht cn be decomposed with the split-term s of Figure 4. A MNW is m-phse bounded if it is the conctention of t most m phses [21]. All m-phse bounded MNWs hve split-width t most 2 m [16]. The bounded phse under-pproximtion hs been extended to distributed systems in [15, 1]. In fct, n upper bound on split-width hs been estblished for mny under-pproximtion clsses. See [16] for mny clsses of multi-pushdown systems such s bounded scope [23], ordered [10, 6], etc. For mny clsses of communicting (multi-pushdown) systems, see [15, 1, 2]. Split-lgebr. The split-gme introduced bove gives the decomposition view (top-down) which is useful to estblish bound on split-width. A winning strtegy of Eve for some CBM M cn be represented with tree s in Figure 4. Dully, there is lso split-lgebr which constructs CBMs in bottom-up fshion strting from tomic ones using two opertions: shuffle (opposite of divide) nd merge (opposite of split). The terms of the split-lgebr over A nd Σ follow the syntx: s ::= d b (s) s s with, b Σ nd d DS. The split-term s corresponding to Figure 4 is given on the left of Figure 5 (recll tht the rchitecture is tken from Figure 1). F S T T C S

16 26 Resoning About Distributed Systems: WYSIWYG Severl CBMs my dmit decomposition vi the sme split-term. For instnce, the split-term s on the left of Figure 5 llows us to decompose both the CBMs M nd M of Figure 6. The min reson is tht shuffle node does not specify how the blocks of the two children re shuffled, nd merge node does not specify which holes of the child re mended into process edges. This mbiguity cn be removed with n extr lbelling s shown on tree t on the right of Figure 5 corresponding to the decomposition of Figure 4. At shuffle node, the lbelling consists of tuple of words (w p ) p Procs, where w p {l, r} describes how the blocks on process p of the children re shuffled. For instnce, the shuffle node (n ) of t is lbelled (w p, w q ) = (lr, lrl) which mens tht the first block of M corresponding to node (n ) on process p comes from the left child M 1 corresponding to (n 1 ) nd the second block comes from the right child M 2 corresponding to (n 2 ). On process q there re 3 blocks, first nd third coming from M 1 nd second coming from M 2. The sme kind of lbelling is used t -nodes. Now, for merge node, the lbelling is lso tuple of words (w p ) p Procs, but now word w p {i, m} tells whether the holes (split edges) of the child re kept s such (i for inherited) or re turned into process edges (m for mended). For instnce, node (n 1 ) corresponding to M 1 is lbelled (m, im) which mens tht from its child M 1 corresponding to (n 1) the hole of process p is mended, the first split edge of q is inherited nd the second one is mended. Also, ech lef is lbelled with its corresponding process. Note tht, the width of decomposition cn be recovered from the lbelled split-term (but not from the unlbelled split-term). Indeed, the lbelling of merge node directly gives the number of holes of its child, nd the lbelling of shuffle node, or -node, gives the number of blocks from which we cn infer the number of holes. Tree-interprettions. Ech CBM tht cn be decomposed with split-term s dmits n MSO-interprettion (cf. Footnote 2) in the tree s, which is defined by tuple of formuls over binry trees (Φ vlid, (Φ ) Σ, (Φ p ) p Procs, (Φ d ) d DS, Φ ). The interprettion guesses (with set vribles) lbelling to dismbigute the split term s explined bove. Not ll lbelled split-terms llow n interprettion, so we use formul Φ vlid to check the vlidity of the lbelling. Essentilly, we hve to check tht, for ech process p, the number of blocks t node is comptible with tht of the children. For instnce, lbel w p {l, r} t shuffle node ssumes w p l (resp. w p r ) blocks on process p from the left (resp. right) child. A lbel w p {i, m} t merge node ssumes w p holes on process p from the child. For d node with p = Writer(d) nd q = Reder(d), we request tht the children re leves lbelled p (left) nd q (right), nd if p = q then we request w p = lr nd w s = ε for s p, nd if p q then we request w p = l, w q = r nd w s = ε for p s q. In ddition, for stck or queue dt structures, the formul Φ vlid hs to check tht the LIFO or FIFO conditions re respected. To do so, we need to enrich further the lbelling. If d Stcks then we mintin the d reltion between blocks of process p = Reder(d) = Writer(d): i d j if e d f for some e in the ith block of process p nd some f in the jth block of process p. This informtion cn be esily computed by deterministic bottom-up tree utomton. At shuffle node, we mke sure tht the LIFO condition is respected by rejecting shuffles tht would result in d reltion between blocks tht is not well-nested. Hence we obtin n EMSO formul to check the LIFO condition for dt structure d. We proceed similrly for queues. We denote by DST k vlid the set of split-terms dismbiguted by vlid lbelling of width t most k. Ech tree t DST k vlid encodes unique CBM of split-width t most k, denoted cbm(t). Conversely, every M CBM k split is encoded by some, often mny, trees t DST k vlid. Vertices of cbm(t) re leves of t hence we let Φ vertex (x) = lef(x). The vertex lbelling in cbm(t) is the corresponding lef lbelling in t. Hence, formulæ Φ (x) nd Φ p (x) stte tht

17 A. Cyric nd P. Gstin 27 lef x is lbelled nd p in t. The mtching reltion lso dmits trivil interprettion: for d DS, Φ d (x, y) sttes tht x nd y re leves with comon fther lbelled d. The process reltion is slightly hrder to recover. This is where the dditionl lbelling is needed. Intuitively, Φ (x, y) sttes tht from lef x it is possible to wlk up the tree to some merge node m, then wlk down the tree to lef y, nd tht the split edge from x to y hs been mended t node m. It is esy to check this property with tree utomton nd to deduce the (EMSO) formul Φ (x, y). More precisely, the deterministic bottom-up tree utomton keeps in its sttes the block B x of which x is the right-most event, nd the block B y of which y is the left-most event. It goes to n ccepting stte only if the hole between B x nd B y is mended into process edge t some merge node. For instnce, the process edge from lef (n 4 ) to lef (n 5 ) is estblished t merge node (n 1 ). Tree-width, clique-width nd split-width. On CBMs, split-width is mesure tht is very similr to clique-width or tree-width. It is shown in [16, 15] tht for CBMs, bound on split-width implies (liner) bound on clique-width or tree-width nd vice vers. More precisely, if CBM hs split-width k then it hs clique-width t most 2(k + Procs ) + 1 nd tree-width t most 2(k + Procs ) 1. Conversely, if CBM hs clique-width c or tree-width t then it hs split-width bounded by 2c 3 or 120(t + 1). Verifiction procedures for bounded split-width. Most verifiction problems become decidble with resonble complexity when prmetrised by bound on split-width. Intuitively, the tree-interprettion provided by split-width llows us to uniformly reduce collection of problems on CBMs of bounded split-width to problems on trees, which re then solved with tree utomt techniques. More precisely, let S be CPDS over (A, Σ) nd ϕ MSO(A, Σ) be specifiction. The model checking problem restricted to the clss CBM k split of CBMs with split-width bounded by k sks whether L cbm (S) CBM k split L cbm (ϕ). Similrly, the emptiness problem for S (resp. the stisfibility problem for ϕ) restricted to CBM k split sks whether L cbm (S) CBM k split = (resp. L cbm (ϕ) CBM k split ). We reduce these problems to the emptiness problem for tree utomt s follows. First, we cn build tree utomton A k vlid of size 2O(k2 A ) which ccepts DST k vlid. Next, we cn build tree utomton A k S of size S O(k+ Procs ) which ccepts tree t DST k vlid if nd only if cbm(t) L cbm (S). Therefore, the emptiness problem for the CPDS S restricted to CBM k split reduces to the emptiness problem of the tree utomton A k vlid Ak S. Now, let ϕ be sentence in MSO(A, Σ). Using the MSO interprettion (Φ vlid, Φ vertex, (Φ ) Σ, (Φ p ) p Procs, (Φ d ) d DS, Φ ) for k-bounded split-width, we cn construct formul ϕ k from ϕ such tht for ll trees t DST k vlid, we hve t = ϕ k if nd only if cbm(t) = ϕ. By [31], from the MSO formul ϕ k we cn construct n equivlent tree utomton A k ϕ. Therefore, the stisfibility problem for the MSO formul ϕ restricted to CBM k split reduces to the emptiness problem of the tree utomton A k vlid Ak ϕ. Finlly, we deduce esily tht L cbm (S) CBM k split L cbm (ϕ) if nd only if t = ϕ k for ll trees t ccepted by A k vlid Ak S. Therefore, the model checking problem S = ϕ restricted to CBM k split reduces to the emptiness problem for the tree utomton A k vlid Ak S Ak ϕ. We hve described bove uniform decision procedures for n rry of verifiction problems. We refer to [16, 15, 2] for more detils nd we summrise the computtionl complexities of these procedures in Tble 2. F S T T C S