Introduction to spefication and verification Lecture Notes, autumn 2011

Transcription

1 Introduction to spefiction nd verifiction Lecture Notes, utumn 2011 Timo Krvi UNIVERSITY OF HELSINKI FINLAND

2 Contents 1 Introduction The strting point Globl stte grph Verifiction bsed on equivlences Model Checking Prcticl Experiences Stte Trnsition Systems Alternting Bit Protocol Client/Server-system The Definition of Trnsition System Globl Stte Grph Introduction The Globl Stte Grph of the AB-protocol Prllel Opertor Properties of the Prllel Opertor Multisynchroniztion The Nture of the Synchroniztion Associtivity of the Prllel Opertor Implementing the Globl Stte Grph Globl Stte Grph s Dt Structure Bit Hshing nd Alterntives Bsic Principles in Modelling Non-determinism Chnnels nd Environments i

3 ii CONTENTS 5 Equivlences nd Verifictions Modelling Services Reltions Trce Equivlence Wek Bisimultion Equivlence Exmples AB-protocol FE-protocol Conclusions nd Problems Bsic Lotos Introduction Redy-Mde Processes Action Prefix Hiding Choice Prllel Opertor Sequentl Composition Disbling The Precedence of the Opertors Process Instntition Exit nd noexit Exmples Specifiction of Producer-Client System Counter A Client Server System CADP AB-protocol Model Checking Introduction Kripke Structures Liner Time Logic LTL Exmple

4 Chpter 1 Introduction 1.1 The strting point When strting to verify distributed systems, the first thing to do is to describe the system. For this, there re two min possibilities. First, it is possible to use highlevel specifiction lnguge. A progrmming lnguge is too cumbersome becuse of its mny detils, if the im is mthemticl verifiction. On the other hnd, it is possible to use progrmming lnguge if specil commments re dded into the code. These comments re used by verifiction softwre during its correctness nlysis. This ltter lterntive hs its supporters, but we concentrte in this course on the first lterntive. First we define trnsition systems with which we describe single processes. A trnsition system is directed grph with lbels dded to its rcs. These lbels re clled ctions. An ction describes either communiction with nother process or n internl computtion. It is usul tht in the distributed protocols it is not necessry to describe internl computtions in detiled wy, but only very bstrct descriptions re sufficient. Trnsition systems must be represented in one wy or nother, if they re given s input to the verifiction softwre. There re severl specifiction lnguges for this purpose. A simple specifiction lnguge just enumertes the nodes nd the lbelled rcs between the nodes. But usully lnguge contins dditionl fetures, s for exmple possibility to define internl computtions or the descriptions of infinite systems. An exmple of n older lnguge is Estelle which contins lot of fetures from Pscl. More modern lnguges re bsed on process lgebrs. In these lnguges, trnsition systems re represented by n lgebric nottion. This leds to compct representtions nd the syntx nd especilly semntics of the representtions re formlly defined. Lotos is n exmple of these lnguges nd we will study it in this course. It is bsed on the process lgebrs CCS nd CSP. There re still other possibilities for specifiction lnguges. Petri nets resemble trnsition systems, but re richer in their structure. Lnguges bsed on temporl 1

5 2 CHAPTER 1. INTRODUCTION logics re lso populr in prctice. 1.2 Globl stte grph A single process in distributed system is often quite simple. On the other hnd, it is hrd to nlyse system consisting of severl, lthough simple processes. There re new kind of errors such s dedlocks nd livelocks. Furthermore, often it is necessry to gurntee firness in the sense tht the processes of the system get recources eqully. It is not esy to qurntee these properties just by trditionl testing, becuse there re huge mount of vrious execution sequences. Itislso possibletomodel thebehvour oflrgesystem using singletrnsition system. In this cse, the stte is vector whose i th element represents the stte of the i th process. When the process i chnges its stte, the vector chnges t the sme time: the i th element chnges. A single process my chnge its stte when sending or receiving informtion, or when doing internl computtions. The first problem to be solved when modelling system with globl stte grph is how to tret true concurrency. If processes p nd q execute their ctions t the sme time, the items in the globl stte vector corresponding to p nd q should lso chnge t the sme step. But it is possible tht first p chnges nd only then q, or vice vers. Should we tke ll the possibilities into ccount? If this is done mechniclly, there would be huge number of different execution sequences. Tht is why so clled interleving semntics is pplied. In this pproch it is thought tht concurrent events hppen lwys in certin order nd truely concurrent events do not exist. This principle seems to work well in prctice nd most of the verifiction softwre tools re bsed on interleving semntics. In spite of the interleving semntics there re still lot of different execution sequences in the globl stte grph. It is clled stte explosion. In the interleving semntics, ll the execution orders re still visible nd most of the these orders led to the sme result. However, it is not esy to determine beforehnd, which orders re essentil nd which not. This is the reson why it is not possible to generte the globl stte grph completely for the lrge systems. There re some suggestions how to restrict the size of the globl stte grph. One possibility is to generte sttes or rther pths in the globl stte grph rndomly. It is lso possible tht the true concurrency semntics results, if cleverly pplied, in smller grph thn the interleving semntics. However, we do not consider these lterntives during this course. 1.3 Verifiction bsed on equivlences By using globl stte grph, it is possible to detect mny errors in the protocol. Dedlocks my be seen lredy when generting the globl stte grph. Livelocks correspond the components of the stte grph such tht it is no more possible to

6 1.3. VERIFICATION BASED ON EQUIVALENCES 3 go out of the component to the min cycle. These kind of mistkes re found, for exmple, with the help of depth-first serch. There re other kind of mistkes which re difficult to find just by exmining the stte grph. For exmple, it my be erroneous to perform some ctions in wrong order. In order to detect mistkes in ction orders it is necessry to compre execution sequences in the stte grph to rel execution sequences. These rel sequences must thus be represented in some wy or nother. First we introduce verifiction bsed on equivlences. In this cse the strting point is s follows. The opertion of system cn often be described from the viewpoint of n outsider. This outsider sees the ctions trnsmitted between the prticipnts, but it does not see, t lest not exctly, internl opertions performed by the processes. In other words, the observer sees wht hppens in the interfces of the processes. The behviour of the interfces cn be described with the help of trnsition systems. We cll this description service. It is lso often the cse tht the service cn be constructed from the definition of the protocol. Thus the service forms reference with which the behviour of the system or protocol cn be compred. This comprison is done s follows. First we specify the protocol using some specifiction lnguge. This mens in prctice tht every process in the protocol, such s sender, receiver, nd timers, is written for exmple in Lotos. After this, the globl stte grph is generted. This stte grph is itself trnsition system nd it is constructed utomticlly using softwre which understnds the specifiction lnguge in use. The rcs of the stte grph show ctions which re performed by the protocol. The sme is done for the service. Thus the service is described in Lotos nd the globl stte grph is formed. Usully the stte grph of the service is much smller thn the grph of the protocol. Next we hide ll the ctions in the stte grph of the protocol which re not present in the service. This hiding mens tht we chnge the nme of the ction to specil nme which represents n internl ction. Now we compre the grphs. There re vrious equivlences for this purpose. Often it does not mtter which of the equivlences we use, but sometimes the choice of the equivlence is importnt, becuse some equivlences re corser thn the other. For exmple, some equivlences do not py ttention on cycles which consist of internl ctions. In some situtions it my be necessry to consider these kind of cycles, for exmple in rel time pplictions. One of the most populr equivlences is wek bisimilrity. Processes P nd Q re wekly bisimilr, if the other process cn simulte the visible ctions of the other. In ddition, the simultion order cn be chnged on the fly. This mens tht for exmple P simultes first Q, but in the middle of the simultion Qstrts to simulte P from the point tht ws reched in the previous simultion. In order to be efficient, the equivlence must be clculted quickly, in polynomil time. Bisimilrity is such n equivlence. There re other equivlences, for exmple trce-bsed equivlences, which demnd n exponentil time in the worst cse, but in prctice they perform quickly, in liner or polynomil time. Such equivlences

7 4 CHAPTER 1. INTRODUCTION re useful, too. If it possible to show tht protocol nd its service re equivlent, the protocol is consired correct. In this pproch the computer mkes most of the work. The tsk of humns is to write the specifictions nd to choose right equivlence. Extr work is sometimes needed, if the chosen equivlence does not detect ll the possible mistkes. For exmple, firness my be verified using other methods, for exmple temporl logic. Another reson why verifiction is sometimes difficult is the sizes of globl stte grphs. These re often too lrge in prcticl situtions. There re vrious methods to try to tckle this problem: prtitioning the stte grph or just performing rndom wlk in the grph. 1.4 Model Checking Model checking is n lterntive pproch to the verifiction insted of equivlencebsed pproch. It mens usully tht temporl logic is used to check some properties of the system. Properties re expressed by logicl formuls, stte grph is formed, nd then it is checked if the formuls re vlid in the grph, i.e. in the model. In this wy it is esy to express only certin properties tht re to be verified. On the other hnd, the totl correctness is not so esily reched s in the equivlence nd serviced bsed pproch. There re mny kinds of temporl logics. Two of the most common re liner time logic (LTL) nd brnching time logic (CTL). In LTL, the vlidity of formuls depends on ll the pths in the grph. In CTL, the vlidity my depend only on some pths. These logics re independent in the sense tht both cn express properties which cnnot be expressed by the other. Tht is why stronger logics hve been developed, for exmple CTL*. It contins both LTL nd CTL. Trditionlly, the bsic model to represent timed systems is grph, where the rcs do not contin lbels, i.e. ctions. Insted, the sttes hve properties or structures. If we use grphs generted from process lgebric formuls, the sttes hve no structure, but the rcs contin lbels. Tht is one reson why other kind of formlisms hve been developed. There is ACTL which is developed from CTL. Others re Hennessy-Milner logic nd µ-clculus. In this course, we concentrte only on LTL nd CTL. 1.5 Prcticl Experiences Forml methods hve been pplied for more thn 20 yers. Much of the pplictions hve been done in cdemic reserch projects, but industry hs been interested, too. The best results in industry seem to be in hrdwre design. For exmple, Intel hs verifiction tem. The verifiction is done minly with the help of model checking. Also protocols hve been verified succesfully. The best known exmples re s

8 1.5. PRACTICAL EXPERIENCES 5 follows. IEEE Futurebus nd cche coherence protocols hve been found to contin errors.verifiction methods found 122 mistkes in ISDN/SUP protocol. A big error ws found in Active structurl control system. It could hve worsen the effects of vibrtions. The serious problem in prcticl verifiction is tht the methods demnd deep understnding. Compnies re not willing to invest such sums for specilists, becuse it tkes long time to nlyse systems nd the results re not lwys complete. Forml verifiction methods hve been tried to pply in security protocols s well. Some mistkes hve been found, but this ppliction re is more difficult to model nd nlyse thn communiction protocols or hrdwre systems. The whole re is still in ctive resech phse.

9 6 CHAPTER 1. INTRODUCTION

10 Chpter 2 Stte Trnsition Systems 2.1 Alternting Bit Protocol Before defining formlly stte trnsition systems, we show n exmple how prcticl dt link protocol cn be specified with the help of trnsition systems. Alternting bit protocol (AB protocol) is one of those simple protocols which hve been nlysed lot in scientific literture of this re. It is elegnt mthemticlly nd non-trivil logiclly. The protocol consists of sender process S nd receiver process R. These processes chnge messges through hlf duplex chnnel. The chnnel my drop or distort messges. It is hlf duplex, which mens tht the messges cn pss from S to R nd from R to S, but there cn not be messges in the chnnel which trvel in opposite directions t the sme time. The order of the messges in the chnnel cnnot be chnged. Also, messge cnnot duplicte in the chnnel. A receiver of messge is ble to detect, if the messge is distorted. This is prcticl ssumption which cn be implemented with the help of modern codes, for exmple using the CRC field. Thegoloftheprotocolistomkesurethtthereceiver getsthemessgessentby S correctly. Clerly S must get some informtionbout thedt messges dfromr: hs R received d correctly or not? This informtion comes s n cknowledgement which is sent by R. Only positive cknowledgements re used. If messge is distorted, R does not sent n cknowledgement. The following digrm shows the behviour of the protocol. 7

11 8 CHAPTER 2. STATE TRANSITION SYSTEMS d S d R.. Thus S must wit for ncknowledgement beforeit cnsend next messge. If the cknowledgement disppers, the sender sends no more, even if there re messges witing for sending. Tht is why the protocol hs timer. The timer times out, if n cknowledgement does not come fter certin time. We get the following scenrio: d S timeout d d R Thereisnowpossibilitythtthesmemessgeissent twotimesndthereceiver does not recognise this, but considers the messges different. This dupliction is the result of cknowledgments. We must dd some informtion to messges nd cknowledgements so tht different successive messges cn be seprted. It is enough to dd only 0 or 1 to messges. We cn now write the previous scenrio s follows: d0 0 S timeout d1 1 d1 1 R

12 2.1. ALTERNATING BIT PROTOCOL 9 Let us model the sender nd receiver s trnsition systems. We must first solve some detils: Do we mrk, if n ction is send or receive ction? For exmple, if sender d sends dt messge d, we hve trnsition S i S j. Should we use only d on the rc or some other nottion, like d to point out tht d is sent, not received? How is the timer modeled? How do we model the distortion or disppering of pckets? We solve the questions s follows. We do not mrk, if n ction is send or receive ction. This must follow from the context. Send nd receive ctions re seprted explicitly only, when we strt to use specifiction lnguge, for exmple Lotos, insted of trnsition systems. In this first exmple we model the timer s prt of the sender process. Lter we consider cses, where timers re modelled seprtely. The dispperence of messge is modelled with the help of so clled internl or silent ction. It mkes possible for process to move from one stte to nother so tht other processes do not notice it. The internl ction hs n importnt role in other contexts, too. In ddition, we use non-determinism. Non-determinism models situtions, where more thn one kind of n event my hppen nd process cnnot lone decide the event tht relly hppens. We get the following sender system S: S1 1 S4 t d0 t d1 S2 0 S3

13 10 CHAPTER 2. STATE TRANSITION SYSTEMS Receiver R: R1 d1 1 R4 d1 d0 d1 R2 0 R3 d0 d0 We hve now written single processes prticipting in the system. Lter we will see how to nlyse the whole system s single trnsition system. 2.2 Client/Server-system Let us consider one more exmple which consists of unlimited number of processes. There re server process S nd n client processes C i, i = 1,,n. A client C i sks service from S with messge csi. S sends the nswer sbi into the buffer B i, nd the client cn tke it from there with the help of messge bci. The protocols follows the round robin principle. This mens tht token moves from one client to nother. Every time client gets the token, it sks for the service. After this the client gives the token to the other client. The token is modelled using messges. When client C i receives the messge ti, it cn sk for service. After this it sends the messge t(i+1) to C i+1. The ddition is interpreted so tht n+1 = 1. Client C i s trnsition system: t(i+1) C4 bci C1 ti C2 csi C3 bci C5 t(i+1) The strting stte is C1 except in C 1, where it is C2. Thus round robin strts in C 1.

14 2.3. THE DEFINITION OF A TRANSITION SYSTEM 11 Server S: S1 sbn cs1 sb1 cs2 Sn S0 S2.. csn sb3. S3 cs3 sb2 Buffer B i : B1 sbi bci B2 2.3 The Definition of Trnsition System We consider the sitution where system consists of two or more processes. Process mens the sme s in the operting systems, i.e. Process is progrm, whose execution hs strted nd not yet finished. The sme code my generte severl processes. A process proceeds with discrete steps from one stte to nother. Stte is defined using the vlues of vribles nd the next instruction or instructions we llow non-determinism. A process proceeds by performing ctions which cn be for exmple internl computtion (updting vribles etc), sending or receiving of messge, some other ction involving other processes.

15 12 CHAPTER 2. STATE TRANSITION SYSTEMS One exmple of the lst cse is synchroniztion. Of course, synchroniztion is possible lso in sending or receiving. Usully we use high level of bstrction when describing systems with trnsition systems. It mens in prctice tht the min point is the communiction of the processes. Internl events re bstrcted s much s possible. On the other hnd, some specifiction lnguges offer mny possibilities to represent internl events, while in trnsition systems the internl computtions must be reduced to the minimum. Definition 1 A lbelled trnsition system is structure (S,A,,s 0 ), where S is the set of sttes; A is the set of ctions which contins the internl or silent ctions. S A S is the trnsition reltion; s 0 is the initil stte. Often S nd A re finite, but they could be enumerbly infinite in principle. The elements in A represent ctions which re involved in the communiction of processes. We do not mrk in ny wy, when messge is sent or received in the processes. We could define the sending nd receiving seprtely, but we focus on formlism which is comptible with the specifiction lnguge Lotos. (In full Lotos, the ctions re ports or gtes through which the processes communicte by sending dt. In our first formlism we do not distinguish between ports nd dt messges.) A trnsition system shows how the process proceeds. The execution strts from the initil stte. The trnsition reltion dicttes the lterntives the process cn next perform. At the end of this chpter we define some forml concepts needed lter. 1. If in trnsition system (s 1,,s 2 ), then we usully write s 1 s If -pth s 1 s 2 s n, ε strts from stte S 1, then we write s 1 = s n. The nottion = ε covers lso ε the cse when there re no movement from the stte. Thus lwys s 1 = s The nottion s 1 = s n mens tht s 1 ε = s k s r ε = s n. 4. The ction sequence u = 1 2 n leds from stte r to stte s, if there is pth r= r ε 1 ε 1 s1 = r 2 ε ε 2 s2 = = r n ε n sn = s. The we use the nottion r u = s.

16 Chpter 3 Globl Stte Grph 3.1 Introduction In the previous chpter we modelled single processes. We see the messges sent nd reveived by every process, but it is impossible to figure out if the whole system behves correctly. However, it turns out tht the behviour of the whole system cn lso be modelled s trnsition system which is constructed from the grphs of the single processes. This trnsition system is clled globl stte grph. A stte in globl stte grph is vector, whose components re sttes of the single processes. Thus stte in globl stte grph describes the sttes of every process in the system t tht prticulr moment. Before we re ble to give n exct definition, we must decide how we will model concurrency. In principle, we hve two lterntives. If the modelling is bsed on true concurrency, the model shows wht events hppen concurrently nd wht sequentilly. There re formlisms bsed on true concurrency, but they re complicted nd they demnd time-consuming lgorithms. True concurrency is, however, n importnt concept. The other method is bsed on interleving. In this pproch we ssume tht two events cn lwys be ordered temporlly, i.e. two events cn never hppen simultneously. This principle seems t first incredible, but it works well in prctice. Nerly ll the verifiction progrms re bsed on this ssumption, becuse it simplifies definitions nd lgorithms. Our globl stte grph is bsed on interleving. 3.2 The Globl Stte Grph of the AB-protocol Before defining globl stte grphs formlly we show concrete exmple bsed on the AB-protocol. In this protocol, sender S sends messges d0 nd d1 to receiver R. Receiver R sends cknowledgements 0 nd 1 to S. Suppose tht the communiction between S nd R is rendezvous-type. Thus before sender cn send, 13

17 14 CHAPTER 3. GLOBAL STATE GRAPH reveiver must be redy to receive. If receiver is not redy, sender cnnot send. For exmple, if S sends d0, S moves to next stte with the ction d0 nd t the sme time R moves to the next stte with d0. The internl trnsition does not cuse other processes to chnge their sttes. Similrly, the timer ction t chnges only the stte of the sender. A stte in the globl stte grph is pir (Si,Rj), where Si is stte of the sender nd Rj is stte of the receiver. Let us drw now the globl stte grph. We mke no ssumptions bout the timer. It my timeout too erly, but this should cuse no problems. t S1 R1 S2 R1 1 d0 d0 S2 R2 t S1 R2 0 S2 R3 t S1 R3 S3 R3 d1 t d1 S4 R3 d0 S4 R4 t S3 R4 S4 R1 t d1 S3 R1

18 3.3. PARALLEL OPERATOR 15 The globl stte grph shows tht there re no dedlocks. Also the bsic cycle of the protocol is visible. Communiction errors nd timer ctions led wy from the bsic cycle, but in every cse it is possible to return to the bsic cycle. Thus the globl stte grph seems to show tht the protocol works properly. 3.3 Prllel Opertor Next we define the globl stte grph formlly with the help of the prllel opertor. Let P j Q be trnsition systems. Suppose tht the sttes in P re P 1,P 2,,P m nd the sttes in Q re Q 1,Q 2,,Q n. The initil stte of the whole system is (P 1,Q 1 ), where P 1 is the initil stte in P nd Q 1 is the initil stte in Q. The sttes in the globl stte grph re of the form (P i,q j ), i = 1,,m, j = 1,,n. We write P i P i, if there is trnsition from P i to P i with n ction. Similrly in the cse of Q. The globl stte grph P [ 1,, k ] Q of the processes P nd Q is defined now formlly by giving the rules which show how to move from one stte to nother. The ctions 1,, k re synchronizing ction. If one process is to perform i, then the other synchronizes nd performs it, too. If the other cnnot perform i, then neither the first nor the second cn perform it. Other ctions cn nd must be performed without synchroniztion. We define now the trnsitions between the sttes. This is done with the help of so clled prllel opertor [ 1,, k ]. It is demnded tht i for ll i = 1,,k. Ifwepplytheprllelopertortothesttepir(P i,q j ),thesynchronizing ctions re mrked by writing P i [ 1, 2,, k ] Q j. The following rules define wht trnsitions re possible from given globl stte, i.e. from stte pir (P i,q j ). 1. If { 1,, k }, P i P i nd Q j Q j, then P i [ 1, 2,, k ] Q j 2. If { 1,, k } nd P i P i, then P i [ 1, 2,, k ] Q j 3. If { 1,, k } nd Q j Q j, then P i [ 1, 2,, k ] Q j P i [ 1, 2,, k ] Q j. P i [ 1, 2,, k ] Q j. P i [ 1, 2,, k ] Q j. The ppliction determines wht is suitble synchronizing set. If k = 0, i.e. no ction synchronizes, we spek bout complete interleving nd use the nottion. If the synchronizing set consists of ll the visible ctions, we use the nottion. The finl globl stte grph consists only of those sttes tht cn be reched from the initil stte. If we use the prllel opertor to construct the globl stte grph of the AB-protocol, we strt from the formul S [d0, d1, 0, 1] R

19 16 CHAPTER 3. GLOBAL STATE GRAPH nd deduce ll the other sttes nd trnsitions from this formul. The result s grph is the sme s before. Some more exmples: P: P1 Q: Q1 P2 Q2 P3 P4 P [ ] Q: P Q: P1 Q1 P1 Q1 P1 Q2 P3 Q2 P2 Q1 P4 Q2 P3 Q1 P2 Q1 P4 Q1 P2 Q2 P3 Q2 P4 Q2

20 3.4. PROPERTIES OF THE PARALLEL OPERATOR 17 P: P1 Q: P2 Q1 Q2 b P [,b ] Q: P1 Q1 3.4 Properties of the Prllel Opertor Multisynchroniztion It is possible to synchronize severl processes t the sme time. For exmple, in the formul P [] (Q [] R) the ction cn hppen in Q nd R only if both processes perform tht ction t the sme time. On the other hnd, Q [] R is process, too, nd thus cn hppen in it nd in P only if ll the three processes perform it t the sme time The Nture of the Synchroniztion Synchroniztion is symmetric. We do not distinguished which process strts it. Thus the sender nd receiver re equl when messge is sent: both must be redy nd perform n ction. Synchroniztion is nmeless. If process offers synchroniztion, ny process with n suitble ction my tke prt in the synchroniztion. It is not possible for process to demnd tht synchroniztion is directed to prticulr process. This property hs dvntges nd drwbcks in pplictions Associtivity of the Prllel Opertor In generl, the prllel opertor is not ssocitive. Thus it is not tht P A 1 (Q A 2 R) = (P A 1 Q) A 2 R.

21 18 CHAPTER 3. GLOBAL STATE GRAPH In the following cses the prllel opertor is, however, ssocitive: 1. CSP s cse. Let P, Q nd R be processes nd A P, A Q, A R the ction sets of the processes. Then P A P (A Q A R ) (Q A Q A R R) (P A P A Q Q) (A P A Q ) A R R, where mens tht the corresponding trnsition systems re the sme, only the nmes of the sttes re different (notice tht when using the prllel opertor stte in globl stte grph contins tht opertor). 2. If B is n rbitrry ction set, then P B (Q B R) (P B Q) B R. 3. With synchronizing sets B 1 nd B 2 we hve if A P B 2 = nd A R B 1 =. P B 1 (Q B 2 R) (P B 1 Q) B 2 R, Proof of the item 1. It is enough to prove tht every trnsition in P A P (A Q A R ) (Q A Q A R R) corresponds exctly the sme trnsition in (P A P A Q Q) (A P A Q ) A R R ndvicevers. Itispossibletofollowtwostrtegiesintheproof. Inthefirststrtegy we exmine single trnsition with nd deduce wht ction sets belongs to. In the other strtegy we we exmine wht components in the system chnge their sttes nd deduce wht kind of trnsition tkes plce in the other system. Let us follow the second strtegy. In wht follows we denote by postrophe the process tht chnges in the trnsition. We hve to check severl lterntives. ) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R). b) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R). c) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R ). d) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R). e) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R ). f) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R ). g) P A P (A Q A R ) (Q A Q A R R) P A P (A Q A R ) (Q A Q A R R ).

22 3.5. IMPLEMENTING THE GLOBAL STATE GRAPH 19 Cse ). In this cse the trnsition tkes plce only inside P. Thus A P j A Q A R. Hence A P A Q nd (A P A Q ) A R, nd we cn deduce tht the trnsition hppens lso in (P A P A Q Q) (A P A Q ) A R R only in P. And the trnsition is the sme. Cses b) nd c) re proved in the sme wy s ). Cse d) Now the trnsition hppens both in P nd in Q. Thus A P nd A Q A R, but A Q A R, hence A Q nd A R. We cn deduce tht A P A Q, but (A A Q ) A R. Becuse of this, the trnsition with in the globl stte grph (P A P A Q Q) (A P A Q ) A R R hppens only in P nd Q, nd they chnge in the sme wy s in the grph P A P (A Q A R ) (Q A Q A R R). Cses e) j f) re proved in the sme wy s d). Cse g). Now ll the processes chnge their sttes nd thus A P (A Q A R ) j A Q A R. Hence A P, A Q nd A R. Furthermore, A P A Q nd (A P A Q ) A R. Thus the trnsition tkes plce in the grph (P A P A Q Q) (A P A Q ) A R R in ll the processes nd exctly in the sme wy s in P A P (A Q A R ) (Q A Q A R R). Item 2) is proved in the sme wy s 1). Item 3) is modifiction of item 1). 3.5 Implementing the Globl Stte Grph Globl Stte Grph s Dt Structure The globl stte grph is used in two wys. In some pplictions, it is enough to trverse the grph without constructing it completely. In some other pplictions, it is necessry to construct the whole grph explicitly. In this ltter lterntive there is problem tht the grph my be too lrge. As mtter of fct, mny prcticl protocols nd systems led to such lrge grph tht it is not possible to generte it completely. For exmple, it hs not been esy to nlyse formlly the collbortion of severl lyers in network environments. The globl stte grph is usully sprse. Thus there re only few out-going rcs from the sttes. Hence mtrix representtions re not promising, but djjency list representtions perform better. Usully the genertion nd nlysis is done depthfirst. Thus we strt from the initil globl stte nd generte ll the sttes one step wy fromthe initil stte. These new sttes repushed into stck. Then continue sfollows s longs thestck isnon-empty: Tke sttefromthe stck, genertell the neighbours of the chosen stte, push the neighbours into the stck nd drw the rcs from the chosen stte to the neighbours. It is necessry to check lwys during the genertion of new sttes, if the new sttes re relly new or lredy generted. Usully this check is done with the help of hshing.

23 20 CHAPTER 3. GLOBAL STATE GRAPH Bit Hshing nd Alterntives Becuse globl stte grph is often lrge, we need lrge hsh tble, too. It would be temptting to use the virtul memory, but this brings problems. The reson is tht during the genertion of sttes new nd old sttes come in unpredictble order. This leds to the fct tht it is necessry to fetch pges continully from the disk. This mkes the processing too slow. Tht is why one tries to use only the centrl memory. The solution of G. Holzmnn ws to use bit hshing. In this method, globl stte is interpreted s bit string nd furthermore s n integer. Reserve now boolen rry, whose size is such tht the index spce includes the lrgest integer corresponding globl stte. This kind of n rrycn be used efficently for hshing nd one stte demnds only one bit. The whole trnsition system cn be represented in n lterntive wy. Boolen functions cn be represented in compct wy nd trnsition system cn be represented with the help of boolen functions. This representtion is clled BDD or binry decision digrm. Neither is this solution universl: in some situtions BDD s help to compress the globl stte grph, but not lwys. Moreover, mny lgorithms work esier with djjency lists thn with BDD s.

24 Chpter 4 Bsic Principles in Modelling 4.1 Non-determinism Let P nd Q be trnsition systems nd n ction. There re three wys to model non-determinism in trnsition systems: 1 1 P Q P Q 1 P Q In the cse 1 the environment hs chnce to interct with the system, if hppens before the internl ction. In the cse 2, the system itself decides, t the sme time when the environment rects, which one of s it chooses. The cse 3 sys tht the system decides internlly, if it behves ccording to P or Q. For exmple when modelling communiction chnnel it is best to choose the lterntive 3, if P represents the delivery of messge nd Q the loss of messge. The environment, in this cse the sender nd receiver, cnnot ffect the behviour of the chnnel. The delivery or loss of pcket is only dependent on the chnnel. If we used the lterntive 1, the environment could in some cses ffect the behviour of the chnnel, wht could not led to relistic modelling. 21

25 22 CHAPTER 4. BASIC PRINCIPLES IN MODELLING The second exmple is the set reservtion system of irlines, whose one feture is described by the following trnsition system: 1 Set Confirmed No Sets Avilble 6 System Not Avilble 7 Thus the result of set reservtion is totlly unpredictble from the point of view of customer, becuse norml customer does not know, how the system is built or re there free sets vilble. The incpbility of customer to ffect the system is modelled using internl trnsitions. 4.2 Chnnels nd Environments Communiction in the computer networks is not ususlly synchronized. The prllel opertor, however, demnds synchroniztion. It is possible to produce synchronous communiction by specifying chnnel s trnsition system. A process sends messge into the chnnel synchronously nd continues then its computtion. When it is redy, nother process tkes the messge from the chnnel synchronously. In this wy there is n synchronous communiction between the two processes. For this synchronous communiction one hs to py price: the size of the globl stte increses, sometimes considerbly. This increse depends on the mount of pckets which cn trvel simultneously in the chnnel. Sometimes it is lso necessry to model the environment of protocol. For exmple, it is possible to ssume in the AB-protocol tht the sender gets the dt in get messge from the environment, i.e. from the upper lyer or other process, nd tht the receiver gives the dt in give messge to its own environment. We model now the AB-protocol in more orthodox wy with the help of chnnels nd environments. In ddition, the timer is now seprte process. We mke the following greements: The sender sends the messges d0 nd d1 into the chnnel. The receiver tkes the messges dd0 nd dd1 from the chnnel. The receiver sends the cknowledgements 0 nd 1 into the chnnel. The sender tkes the cknowledgements 0 nd 1 from the chnnel.

26 4.2. CHANNELS AND ENVIRONMENTS 23 The sender nd environment communicte synchonously with the messge get. The receiver nd environment communicte synchronously with messge give. The sender sets the timer synchronouosly with the help of messge sett. The timer informs the sender bout the timeout synchronously with the help of messge timeout. The sender informs the timer synchronously with messge reset tht the timer cn return to its initil stte. Below the processes re represented s trnsition systems.it is ssumed of the chnnel tht it cn contin only one messge t time. Furthermore, it is the tsk of the chnnel to lose or distort messges. dd1 S: S1 reset S10 1 S9 R: R1 1 R6 dd1 get sett dd0 give S2 0 S8 R2 R5 timeout d0 S3 timeout d1 S7 1 dd0 give R3 0 dd1 R4 sett 0 S4 S5 reset get S6 dd0 There re some new trnsitions in the sender process (sttes S2 nd S7), where cknowledgements re received. This is becuse of the chnnel nd the timer which my send timeout even if n cknowledgement is in the chnnel. It is necessry to tke ll the messges from the chnnel so tht the chnnel cn send new messges. If some messge styed in the chnnel, it would block ll the trffic nd the result would be dedlock. The timer cn be represented with the help of two sttes. timeout T: T1 sett reset T2

27 24 CHAPTER 4. BASIC PRINCIPLES IN MODELLING The chnnel hs been modelled in such wy tht the environment cnnot ffect if messges dispper or not. It is thought tht the chnnel tkes the dt messges d0 nd d1 from the sender nd delivers them s messges dd0 nd dd1. Notice tht it is not possible to tke nd deliver exctly the sme messge forms, becuse this would disturb the synchronous communiction. The sme is true with the cknowledgements: 0 nd 1 re tken by the chnnel nd 0 nd 1 re delivered. C: dd1 dd0 C5 C4 d1 C1 d0 C2 C3 0 C6 0 1 C8 1 C7 C9 AB=((S [timeout, reset, sett] T) [ d0,d1,0,1 ] C) [ dd0,dd1,0,1 ] R The globl stte grph is now combintion of four processes. It is essentilly more complicted thn the erlier globl stte grph nd tht is why it is not wise to drw it completely mnully. The strt of the the grph is seen below.

28 4.2. CHANNELS AND ENVIRONMENTS 25 S1 T1 C1 R1 (0) get timeout S2 T1 C1 R1 (1) 11 d0 sett S3 T1 C1 R1 (4) S3 T1 C2 R1 (0) S3 T1 C3 R1 (5) dd0 S3 T1 C1 R2 (9) sett sett give S4 T2 C1 R1 (7) timeout S4 T2 C2 R1 (3) S2 T1 C2 R1 (6) S3 T1 C1 R3 (12) timeout S4 T2 C3 R1 (8) S2 T1 C3 R1 (10) 0 S3 T1 C6 R4 (15) dd0 dd0 timeout S4 T2 C1 R2 (11) S2 T1 C1 R2 (13) sett.... give d0 give S4 T2 C1 R3 (14) 0 timeout sett

29 26 CHAPTER 4. BASIC PRINCIPLES IN MODELLING

30 Chpter 5 Equivlences nd Verifictions 5.1 Modelling Services The globl stte grph cn be generted mechniclly from the descriptions of the processes in the system. If the grph is smll, let us sy less thn one million sttes, it is possible to exmine the grph systemticlly nd serch for mistkes, for exmple dedlocks, livelocks (it is not possible to bck to min cycle) etc. It is difficult, however, to find ll the mistkes in this wy. Messges my dispper without dedlocks, the sme messge my be delivered two times to receiver etc. If grph is too lrge or even infinite, it is still possible to mke rndom wlk in the grph. If there is mistke in specifiction, it turns out often in mny plces in the globl stte grph. Even if we exmine only 5 percent of the nodes, prcticl experiments hve shown tht most of the mistkes re reveled. If we wnt to verify the specifiction more completely, we need different pproch. There re two bsic pproches: equivlences nd temporl logics. We consider first methods bsed on equivlences. The centrl concept in the methods bsed on equivlences is service description. This is trnsition system which describes the service the protocol gives to its user (environment, observer). Let us exmine two exmple. The AB-protocol offers dt trnsfer service. The protocol tkes dt pckets from the environment (upper lyer) nd delivers them to receiving prticipnt (gin upper lyer in nother computer). Thus it is esy to describe the service of the AB-protocol: AB_P1 get AB_P2 give 27

31 28 CHAPTER 5. EQUIVALENCES AND VERIFICATIONS If we bse our verifiction on equivlences, the next step is compre the globl stte grph of the AB-protocol to the globl stte grph of the service. If they re sme in some respect (specified lter in more detil), the AB-protocol cn be considered correct. It seems cler tht we must bstrct wy mny detils from the grph of the AB-protocol. How this is done depends on the equivlence. Our second exmple is the client/server system shown in the chpter 2, when there re four clients. The whole system cn be described with the help of the prllel opertor: SystemRR := Server [cs1, sb1, cs2, sb2, cs3, sb3, cs4, sb4] ((Client1 [bc1] Buffer1 ) [t1, t2] ((Client2 [bc2] Buffer2 ) [t3] ((Client3 [bc3] Buffer3 ) [t4] (Client4 [bc4] Buffer4 )))) Suppose now tht we re interested in the round robin principle. The principle is relized in the system, if the tokens ti trvel in the following order: t2, t3, t4, t1. Thus the round robin principle is described by the following process. t1 t2 t3 t4 RR1 RR2 RR3 RR4 We could now generte the globl stte grph of the process SystemRR nd exmine, if the token trvels in tht order. If we do not wnt to exmine the grph mnully, we shoul write progrm tht does the tsk. This would be time-consuming. A quicker method is to compre the process SystemRR to the process RR. The round robin principle is relized in the system, if the functioning of SystemRR, bstrcted in suitble wy, corresponds the functioning of RR. In this cse, suitble bstrction is such tht ll the ctions except t1, t2, t3 j t4 re chnged to invisible ction. If fter this chnge we trverse the pths in the globl stte grph of SystemRR, then the ctions ti should pper in the RR-order nd ll the other ctions re invisible. A strong side of the process lgebrs is tht it is possible to define severl equivlences for different purposes. Moreover, these equivlences cn be effectively computed, t lest in most cses. The simplest equivlence is the trce equivlence. One

32 5.2. RELATIONS 29 of the most used equivlence is the wek bisimultion equivlence which is sufficient for the most purposes. It cn be computed effectively nd it is included nerly in ll the verifiction progrms. We consider only these two in this course. 5.2 Reltions The Definition of Reltion Let A nd B be sets. Every set R A B is clled reltion from the set A to the set B. The set is the domin of R nd the set M R = {x A y B such tht (x,y) R} A R = {y B x A such tht (x,y) R} is its rnge or codomin. If R A A, i.e. if R is reltion from A to A, then it is sid tht R is reltion in A. If R reltion in A nd if (x,y) R, then we usully use the nottion xry. Equivlence Reltions Define first some concepts tht re useful when defining equivlence reltions. Sets A nd B re disjoint, if A B =. If I is set, whose elements re sets, then I is disjoint, if ny two elements in I re lwys disjoint. If H is collection of subsets of X, then it is prtition of X, if it stisfies the following conditions: H1. Every A H is non-empty, H2. the union of the sets in H is X, H3. H is disjoint.

33 30 CHAPTER 5. EQUIVALENCES AND VERIFICATIONS The concept of prtition is closely connected to the equivlence reltions which re defined next. Definition 2 The reltion R in X is n equivlence, if it stisfies the following conditions: E1. R for every X (reflexive); E2. if Rb, then br (symmetric); E3. if Rb nd brc, then Rc (trnsitive). If X, then the set R() = {x X Rx} is the equivlence clss of with respect to the equivlence R. Theorem. If R is n equivlence in X, then the set X/R of the equivlence clsses is prtition in X. For elements nd b in X, Rb if nd only if nd b belong to the sme equivlence clss. Proof. Let us go through the proof, lthough the sme is done in the elementry courses in mthemtics. Let X. Becuse R, then R(). It follows tht every equivlence clss is non-empty nd tht the union of the clsses is X. In order to prove condition H3 it is enough to show tht given two equivlence clsses, they re either identicl or disjoint. Suppose tht R() R(b). Then there exits n element c R() R(b). Let x R(), i.e. Rx. Becuse c R(), it follows Rc nd lso cr, becuse every equivlence reltion is symmetric. Becuse cr nd Rx, then crx, becuse of trnsitivity. Becuse c R(b), lso brc. This shows tht R() R(b). Exctly in the sme wy it is shown tht R(b) R(). Thus R() = R(b) nd the union of the equivlence clsses is prtition of X. Let Rb. Then b R(), nd thus nd b belong to the sme equivlence clss R(). Coversely, suppose tht j b belong to the sme clss R(c). Then R(c) R() nd hence R(c) R(). Now the first prt of the proof shows tht R(c) = R(). It follows b R(c) = R() or Rb. Thus the ltter clim is true, too Theorem. Let H be prtition of X. If we define for elements nd b of X tht R H b if nd only if nd b belong to the sme set U H, then R H is n equivlence reltion of X such tht the union of ll the R H -equivlence sets is H. Proof. Let X. Becuse H is prtition of X, there exists set U H such tht U. Now nd belong to the sme set U so tht R H. Thus the reltion R H is reflexive.

34 5.2. RELATIONS 31 Let R H b. Then nd b belong to the sme set U H nd hence br H. Thus the reltion is symmetric. Suppose now R H b nd br H c. There exists sets U nd V H such tht nd b U, nd b nd c V. Becuse b U V, we hve U V nd hence U = V, becuse H is disjoint. Thus nd c belong to the sme set U = V H, nd hence R H c. The reltion R H is thus trnsitive nd it is n equivlence reltion. Let R H () be n rbitrry R H -equivlence clss. Becuse the union of the sets in H is X, there exits U H such tht U. If x U, then nd x belong to the sme set U H, hence R H x or x R H (). Coversely, suppose x R H () or R H x. Then nd x belong to the sme set V H. Becuse U V, we hve U V, nd furthermore U = V, becuse H disjoint. Hence x V = U. The results show tht R H () = U. Conversely, if U H, then U. If U, then, becuse of the previous, R H () H. Becuse R H () U, we hve U = R H (). Thus the union of ther H - equivlence clsses is the sme s H. Trnsitive Closure Let R be reltion in set V. Define the powers of reltion s follows: = {(,) V}, R 1 = R, R 2 = {(,c) b V : Rb j brc}, R n = R(R n 1 ), n > 2. R 0 Trnsitive closure is now defined with the help of the powers of reltion. The reflexive trnsitive closure of reltion R, R, is the set R = R i, nd trnsitive closure R + is the set R + = i=0 R i. Writing out the formuls recursively we see tht R b, if there exists elements = c 1,c 2,,c n = b in V such tht c i Rc i+1, i = 1,,n 1. Reltion R in set V cn be represented s directed grph: The node set of the grph is V nd if Rb, then (,b) is n rc in the grph. The trnsitive closure hs n illustrtive interprettion in the grph. Tht is, R + mens ll the pirs (,b) V V such tht there is pth from to b in the grph R. Similrly, R R + with rcs dded from every node to itself. i=1

35 32 CHAPTER 5. EQUIVALENCES AND VERIFICATIONS There re mny lgorithms to compute the trnsitive closure of given reltion. However, in mny situtions in verifiction, it is not necessry to compute trnsitive closure beforehnd, but on the fly. This mens tht when one needs to trverse the rcs of the trnsitive closure strting from one node, depth-first serch is strted from this node nd it finds ll the pths from tht node. It my seem tht this method is very time consuming, but it behves very well in prctice. 5.3 Trce Equivlence The simplest process equivlence is bsed on the comprisons of event sequences. Let A be the set of ctions. We ssume in wht follows tht the ctions of ll the processes belong to this set. Definition 3 Let u (A\{}) be n ction sequence. Sequence u is trce of P, if P= P u for some process P. We denote the set of ll the trces of P by tr(p). Definition 4 Processes P nd Q re trce equivlent, P tr Q, if tr(p) = tr(q). Clerly tr is n equivlence reltion. It lso is compositionl with respect to the prllel opertor. Thus if P tr P j Q tr Q, then P [ 1,, n ] Q tr P [ 1,, n ] Q (exercise). If P tr Q, then there my be dedlocks in P even if Q is dedlock-free. For exmple, the processes P nd Q below re trce equivlent. P1 P2 b P3 b Q1 Q2 Q3 P4 c c It is generlly thought tht dedlocks re the most serious errors in distributed systems. Tht is why the trce equivlence is not lwys pproprite when compring protocol nd its service. However, the trce equivlence revels other types of mistkes quite effectively. In ddition, dedlocks re esy to detect lredy when generting globl stte grphs. Thus the trce equivlence my be used sometimes. We will see its usefulness when nlysing mutul exclusion lgorithms. Furthermore, the trce equivlence is strting point for the whole fmily of so clled decorted trce equivlences which includes filure nd test equivlences. 5.4 Wek Bisimultion Equivlence The bisimultion equivlence ws invented by Robin Milner nd further developed by Dvid Prk t the end of the 70 s nd erly 80 s. If P nd Q re processes, then

36 5.4. WEAK BISIMULATION EQUIVALENCE 33 the ide of the equivlence is to simulte the behviour of visible ctions in P by Q nd vice vers. If the simultion succeeds ll the time, the processes re equivlent. In order to define this precisely, we need uxiliry concepts. Let be n ction,. Remember the nottion P = P, which mens tht there is trnsition chin P = P 1 P 2 P k P k+1 P k+2 P k+3 P k+m = P, k 1, m 0. In other words, P= P, if there is pth from the initil stte of P to the in initil stte of P nd one of the rcs belonging to the pth contins, nd others. We cn lso write P= P ε if P = P or there is chin of trnsitions k > 1. P = P 1 P 2 P k = P, Exmple. Consider the the following trnsition system. P1 P2 P3 P6 b b P4 P5 P7 There re the following pths from P1: P1= P6, ε P1= P2, P1= P5, P1= P7, P1= P7, b P1= P3, ε P1= P1. ε Definition. Let P nd Q be processes nd A the ction set of P nd Q. Processes P nd Q re wekly bisimilr, P wbis Q, if there is set R, wek bisimultion, consisting of process pirs such tht for every ction (A\{}) {ε}: 1. (P,Q) R; 2. if (P 1,Q 1 ) R j P 1 = P 2, there exists Q 2 such tht Q 1 = Q 2 j (P 2,Q 2 ) R; 3. if (P 1,Q 1 ) R j Q 1 = Q 2,there exists P 2, such tht P 1 = P 2 j (P 2,Q 2 ) R.

37 34 CHAPTER 5. EQUIVALENCES AND VERIFICATIONS Exmple. The following processes re wekly bisimilr, P wbis Q: P1 b P2 P3 Q2 b Q1 Q3 b P4 b Equivlencefollows, becuser = {(P1,Q1),(P2,Q2),(P3,Q3),(P4,Q1)}iswek bisimultion nd (P,Q) R (P = P1, Q = Q1). Exmple. The following processes re not wekly bisimilr: P1 b Q1 P2 P3 Q4 Q2 b Q3 If we try to construct wek bisimultion R, then the pir (P1,Q1) must belong to tht reltion. Let us use next the condition 3 in the definition: Q mkes trnsition from Q1 to Q2 using n internl ction. The only wy to simulte this trnsition in P is such tht we must sty in P1. Hence the pir (P1,Q2) must belong to the bisimultion reltion R. After this, we pply the condition 2 to the pir (P1,Q2): P moves from P1 with to P2. Now Q cnnot simulte this trnsition, becuse there re no -trnsitions from Q2. Thus there cnnot exists wek bisimultion between P nd Q nd hence the processes re not bisimilr. Exmple. The following processes re wekly bisimilr: