Behavioral Automata Composition for Automatic Topology Independent Verification of Parameterized Systems

Transcription

1 Bhavioral Automata Composition for Automatic Topology Indpndnt Vrification of Paramtrizd Systms Youssf Hanna Samik Basu Hridsh Rajan Computr Scinc, Iowa Stat Univrsity 226 Atanasoff Hall, Ams, IA, USA ABSTRACT Vrifying corrctnss proprtis of paramtrizd systms is a long-standing problm. Th challng lis in th lack of guarant that th proprty is satisfid for all instancs of th paramtrizd systm. Existing work on addrssing this challng aims to rduc this problm to chcking th proprtis on smallr systms with a bound on th paramtr rfrrd to as th cut-off. A proprty satisfid on th systm with th cut-off nsurs that it is satisfid for systms with any largr paramtr. Th major problm with ths tchniqus is that thy only work for crtain classs of systms with a spcific communication topology such as ring topology, thus laving othr intrsting classs of systms unvrifid. W contribut an automatd tchniqu for finding th cut-off of th paramtrizd systm that works for systms dfind with any topology. Givn th spcification and th topology of th systm, our tchniqu is abl to automatically gnrat th cut-off spcific to this systm. W prov th soundnss of our tchniqu and dmonstrat its ffctivnss and practicality by applying it to svral canonical xampls whr in som cass, our tchniqu obtains smallr cut-off valus than thos prsntd in th xisting litratur. Catgoris and Subjct Dscriptors D.2.4 [Softwar/Program Vrification]: Formal Mthods; D.2.4 [Softwar/Program Vrification]: Modl Chcking Gnral Trms Vrification Kywords paramtrizd modl chcking 1. INTRODUCTION Paramtrizd systms ar systms consisting of homognous procsss, whr th paramtr indicats th numbr of such procsss in th systm. A paramtrizd systm, thrfor, dscribs an infinit family of systms whr instancs of th family can b Prmission to mak digital or hard copis of all or part of this work for prsonal or classroom us is grantd without f providd that copis ar not mad or distributd for profit or commrcial advantag and that copis bar this notic and th full citation on th first pag. To copy othrwis, to rpublish, to post on srvrs or to rdistribut to lists, rquirs prior spcific prmission and/or a f. ESEC-FSE 09, August 23 28, 2009, Amstrdam, Th Nthrlands. Copyright 2009 ACM /09/08...$5.00. obtaind by fixing th paramtr. Vrification of corrctnss of such systms amounts to vrifying th corrctnss of vry mmbr of th infinit family dscribd by th systm. For xampl, for distributd mutual xclusion protocols [31], th objctiv is to vrify that th critical sction is accssd in a mutually xclusiv fashion rgardlss of th numbr of procsss participating in th protocol. Givn a paramtrizd systm sys(n) containing n procsss and a safty or livnss LTL\X proprty ϕ, vrification of whthr sys(n) satisfis ϕ (dnotd by n : sys(n) = ϕ) is undcidabl in gnral [4]. A numbr of sound but incomplt vrification tchniqus has bn proposd and dvlopd in th rcnt past,.g. thos that rly on abstraction [13,15,23,29] and/or smart rprsntation [1, 2, 6, 7, 10 12, 22, 26, 30] of th systm bhavior and th proprty. In ssnc, ths tchniqus dpnd on computing th invariant or th common global bhavior of sys(n) for all n and idntifying th smallst k < n such that sys(k) xhibits that bhavior. It can b shown that sys(k) = ϕ n k : sys(n) = ϕ, i.., vrification of an infinit family of systms is rducd to vrification of a singl instanc (th k-th instanc) of th family; whr k is rfrrd to as th cut-off. Our solution. W propos a nw tchniqu for idntifying such a cut-off k for a paramtrizd systm. Unlik most xisting work, our tchniqu is indpndnt of th communication topology btwn th procsss in th paramtrizd systm. Furthrmor, our tchniqu dos not dpnd on actual proprtis to b vrifid for th paramtrizd systm; th rsults of our tchniqu ar applicabl to any proprtis of th form ϕ(i) (involving any on procss) and ϕ(i, j) (involving any two procsss dpndnt on ach othr). Our tchniqu is automatic and uss standard automata-rprsntation of th protocol bhavior. Thr ar two stps in our tchniqu. First, using th fact that sys(n) = P P... P is th paralll composition of n procsss ach with bhavioral spcification P, w introduc th notion of 1E-bhavior capturing th bhavior of any on procss in any nvironmnt. In th scond stp, w numrat th bhavior of sys(m) for m = 2, 3,..., n, and idntify th smallst sys(k) whos projctd bhavior on any on of th participating procsss simulats th 1E-bhavior. W prov that for all proprtis involving on or two procsss, sys(k) satisfis th proprtis if and only if n k : sys(n) satisfis th sam proprtis, i.., k is th cut-off for th paramtrizd systm. Not that such a k may not xist in gnral, which will rsult in nontrmination of our tchniqu rndring it incomplt as xpctd. Contributions. In summary, contributions of this work ar: 1. W prsnt an automatd tchniqu for vrification of paramtrizd systm which is indpndnt of th communication topology of th procsss in th systm. W prov th soundnss of our tchniqu, i.., if our mthod trminats thn it trminats with th smallst cut-off k.

2 2. Our tchniqu is systm spcific and as such th computd cut-off is also systm spcific. This allows us to obtain diffrnt bounds to diffrnt typs of paramtrizd systms vn whn th undrlying communication topology of th systms undr considration ar idntical. Emrson and Namjoshi [19] provd that for paramtrizd systms with ring topology whr procsss communicat through a tokn, th cut-off k is 4 for proprtis of th form ϕ(i, j). W show that tightr bounds can b obtaind if th bhavior of th participating procsss in th paramtrizd systm is considrd. For xampl, using our tchniqu, simpl paramtrizd tokn ring protocol has th cut-off k = 2, whil dining philosophr problm has th cut-off k = 3 for proprtis ϕ(i, j) whr i and j ar dpndnt on ach othr. 3. W prsnt a numbr of cas studis of paramtrizd systms with diffrnt communication topologis and show th practical applicability of our tchniqu. Organization. Th rst of th papr is organizd as follows. Sction 2 discusss rlatd work. Sction 3 dscribs our tchniqu for spcifying a protocol using th Distributd Mutual Exclusion protocol as an illustrativ xampl. Sction 4 dscribs how th maximum bhavior of a procss in th contxt of any nvironmnt is gnratd. Sction 5 shows th procdur for gnrating th cut-off siz. Proof of soundnss of our tchniqu is prsntd in Sction 6. Sction 7 dscribs our cas studis and Sction 8 concluds. 2. RELATED WORK Tchniqus for vrifying paramtrizd systms can b catgorizd as follows. On class of solutions [13, 15, 23, 29] rlis on rducing th problm of paramtrizd systm vrification with infinit stats to vrification of its finit-stat abstractions. Anothr class of tchniqus analyz th bhavior of paramtrizd systms using smart rprsntation and vrification mchanisms such as rgular languags [1, 2, 10, 22], ptri-nts and graphgrammars [6,7,11,12,26,30]. Othrs [5,28,31] apply automatic induction to gnrat and vrify invariants of th paramtrizd systms. Closst to our tchniqu is th class of solutions that focus on computing a cut-off of th systm paramtr [8, 17 21, 25]. Abstraction tchniqus includ countr abstraction [23, 29] and nvironmntal abstraction [13, 15]. Th ida bhind countr abstraction is to abstract procss idntitis, whr vry abstract stat contains an abstract countr dnoting th numbr of procsss in th stat. Environmntal abstraction follows a similar approach; howvr, th counting is don for th numbr of procsss satisfying a givn prdicat. Typically ths tchniqus ithr rquir human guidanc for obtaining th appropriat abstraction or ar applicabl to a crtain rstrictd class of systms and/or proprtis (.g., univrsal path proprtis). Among th tchniqus that rly on smart rprsntation mchanism ar tchniqus basd on rgular languag [1, 2, 10, 22] or graph-basd [6, 7, 26, 30] rprsntations of th stat-spac of th paramtrizd systm. Ths approachs ar typically applicabl for th vrification of safty/rachability proprtis of paramtrizd systms. Rcntly, ptri nt basd rprsntation has bn proposd [12] whr tokns in th ptri nt ar usd to dnot th paramtr of th systm and a nw logic, colord markings logic (CML), is dvlopd to rason about such ptri nts. Th work provids a gnric framwork for rprsnting paramtrizd systms and idntifis a fragmnt of CML for which th satisfiability problm is dcidabl. Tchniqus basd on induction us ntwork invariants to rduc th problm of paramtrizd systm vrification to a finit stat modl chcking problm [14,31]. Th ida bhind ths tchniqus is to find a ntwork invariant I whr th invariant is prsrvd by all computation stps of th systm. Thrfor, if I satisfis th dsird proprty spcification ϕ thn th paramtrizd systm also satisfis ϕ. Whil in most sttings th invariant gnration rquirs manual guidanc, Pnuli t al. [28] prsnt a tchniqu whr invariants ar computd automatically onc th appropriat abstraction rlation is providd. Anothr intrsting approach, which aims to rduc th paramtrizd systm vrification problm to an quivalnt finit-stat on, is basd on finding an appropriat cut-off k of th paramtr of th systm. Th objctiv is to stablish that a proprty is satisfid by th systm with k procsss if and only if it is satisfid by any numbr ( k) procsss. Emrson and Namjoshi [19] provid such cut-off valus for diffrnt typs of proprtis of paramtrizd systms with ring topology. In contrast to th abov tchniqus, our approach is fully automatic, dos not dpnd on a spcific rprsntation mchanism of th systm and/or proprty and is indpndnt of th communication topology of th procsss in th systm. W prsnt an algorithm (sound but incomplt) which taks as input th dscription of th paramtrizd systm in trms of standard input/output automata and stablishs th cut-off of th paramtr valu. Whil Emrson and Namjoshi [19] stablish for th first tim th cut-off bound for any paramtrizd systm with ring topology givn a spcific typ of proprty; w show that by considring th paramtrizd systm bing vrifid in th computation of th cut-off, a tightr bound of th cut-off can b obtaind. For instanc, using Emrson and Namjoshi s approach [19], to vrify th proprty that in a paramtrizd systm with ring topology two procsss cannot ntr th critical sction at th sam, th cut-off siz is 4; whil th cut-off valu idntifid using our approach for a spcific paramtrizd systm with ring topology (tokn ring protocol) is only 2. In short, whil Emrson and Namjoshi [19] focus on obtaining a gnric cut-off for paramtrizd systms with a spcific topology, th cntral thm of our tchniqu is to dvlop a gnric approach that can b applid to paramtrizd systms indpndnt of th communication topology. 3. PARAMETERIZED SYSTEM A paramtrizd systm can b dscribd by th collctiv bhavior of n homognous procsss intracting with ach othr, whr n is th systm paramtr. Th ky ida bhind our approach is to provid a mchanism for spcifying th bhavior of a procss in th paramtrizd systm as a collction of atomic stps, which w call bhavioral automaton. An important proprty of our spcification tchniqu is that it nabls automatic composition of ths bhavioral automata to obtain th full-bhavior of a procss in an arbitrary nvironmnt. Th dirct bnfit of this proprty is that it hlps us rduc th problm of finding th cut-off valu k for th systm paramtr to an quivalnc dtction problm btwn th full-bhavior of a procss in an arbitrary nvironmnt and th paramtrizd systm of siz k. As w show in Sction 5, by providing a sound (but incomplt) algorithm, this problm can b asily automatd. To illustrat th trminology usd in this papr, w will us th distributd mutual xclusion (DME) protocol [31] as th running xampl. Th goal of this protocol is to nsur that for a distributd systm of n procsss in a ntwork with ring topology, only on procss in th systm is in th critical sction at a givn point of tim. A tokn is passd btwn th diffrnt procsss in th ring. Th procss who holds th tokn is th only procss abl to ntr th critical sction. Onc it is out of th critical sction, it can pass

3 Figur 1: Bhavioral Automata for th DME Protocol th tokn to its nighbor. Th procss may rciv th tokn and pass it dirctly to its nighbor without ntring th critical sction. 3.1 A Procss as Bhavioral Automata A homognous procss in our work is spcifid in trms of a bhavioral automaton, which dscribs an atomic sid-ffct fr action that th procss can do. Each bhavioral automaton is dfind in trms of th input/output bhavior and th corrsponding obsrvabl vnts of th atomic action of th procss as follows: DEFINITION 3.1 (BEHAVIORAL AUTOMATON). A bhavioral automaton A = (Q, Q I, Q F,, I, F, M), whr Q is a nonmpty st of stats, Q I Q is a nonmpty st of initial stats, Q F Q is a nonmpty st of final stats, Q M Q is th transition rlation, I M Q I is th initial transition rlation, F Q F M is th final transition rlation, M is a nonmpty st of vnts. Notations. W writ q q if (q,, q ), q if (, q) I and q if (q, ) F. To illustrat, considr th bhavioral automata for th DME protocol shown in Figur 1. In th figurs, psilon labls on transitions ar omittd. Th first automaton SND in th figur modls th protocol initiation, whr a procss gnrats and passs th tokn to th nxt procss. Typically th procss that would gnrat th tokn is dcidd using othr distributd algorithms such as a ladrlction algorithm, which w do not modl hr. Upon rciving a tokn (modld as th automaton RCV) a procss may choos to xhibit th bhavior dscribd by ithr th automaton PASS or ENTER, ffctivly passing th tokn forward (modld as th output vnt tokn) or ntring th critical sction (modld as gnrating th output vnt in that can only b consumd by a procss in th critical sction). Th last automaton LEAVE modls th bhavior of a procss laving th critical sction by consuming vnt in and passing forward th tokn. Formally, th first automaton SND would b rprsntd by th st of stats Q = (Start, Idl). Th transition rlations for SND ar ǫ Start I, whr th ladr procss gnrats a tokn without any input vnt, Start ǫ Idl, whr th procss changs its stat Start of bing th ladr procss to Idl whr it will wait for th tokn from its nighbor, and finally Idl tokn F, whr th procss snds th tokn to its nighbor. Now th procss is in stat Idl, it can do nothing but wait for th tokn (rprsntd by th automaton RCV). Procding furthr, a protocol spcification is dfind as follows: DEFINITION 3.2 (PROTOCOL SPECIFICATION). A Protocol Spcification is a st Prot = {A 1, A 2,..., A m} such that i,1 i m : ǫ q Ii 3.2 A Paramtrizd Systm Nxt, w dscrib th bhavior of a paramtrizd systm, sys(n), containing n procsss ach xcuting according to a givn protocol Prot. Intuitivly, in sys(n) w considr that at any instanc of th paramtrizd systm th procsss can b at any stat in any automaton in Prot. Th intraction btwn th two procsss occur whn on of thm is at a stat rady to initiat an output vnt and th othr is at a stat that can consum that vnt. For xampl, if a procss is at stat q 1 of th automaton SND in Figur 1 and th othr is at a stat q 0 of th automaton RCV, thy can communicat via th vnt tokn. Howvr, to initiat th bhavior of th systm, it is ncssary to hav at last on procss to b in a stat of an automaton in Prot which can mov without any xtrnal triggr, i.., without bing triggrd by any input vnt providd by th output of anothr procss. Th condition in Dfinition 3.2 stablishs that thr xists such an automaton in th spcification which can mak a mov without any xtrnal triggr (absnc of input triggr bing rprsntd by ǫ). Initially, at last on of th procsss in sys(n) must follow this automaton bhavior. DEFINITION 3.3 (TOPOLOGY). Givn a protocol spcification Prot = {A 1, A 2,..., A m}, a topology is a st of tupls, Topo M N N such that M = {M i m[ : M i is st of vnts in A i Prot} and N is th st of procsss in a paramtrizd systm. A tupl (, i, j) Topo implis that output from i-th procss can b consumd by th j-th procss. A topology srvs to rstrict procss communication pattrns. For xampl, in th DME protocol, whn a procss i snds th vnt tokn, only th procss on its right i + 1 is abl to consum this vnt, (tokn, i, i + 1). For sys(2), th topology is trivially simpl; howvr, for othr protocols (.g. th dining philosophrs protocol dscribd in Sction 7.1) th topology plays a major rol in distinguishing btwn th procsss. DEFINITION 3.4 (CONFIGURATION OF i-th PROCESS). Givn a protocol spcification Prot = {A 1, A 2,..., A m}, a configuration of th i-th procss s = (Q Prot M), such that m[ Q = {Q i : Q i is st of stats in A i Prot} M = i=1 i=1 m[ {M i : M i is st of vnts in A i Prot} i=1 Th configuration of a procss dtrmins what th procss is abl to do at a crtain point of tim. For instanc, th initial configuration for th procss that is gnrating th tokn in th distributd mutual xclusion protocol is (Start, SND, ), whr is th st of output vnts producd by this procss, and it is mpty bcaus it has not producd th output vnt (tokn) to b consumd by anothr procss yt. Th initial configuration of th rst of th procsss is (Idl, RCV, ), whr th procsss ar idl and waiting to rciv th tokn. In th following, w prsnt th formal dfinition of sys(n). ny W us th following notation: for a st {(Q Prot M}, i=1

4 any mmbr s in th st contains n tupls whr th first, scond and third lmnts of th tupl blong to th sts Q, Prot and M rspctivly. W us q i(s), a i(s) and m i(s) to dnot th valu q Q, A Prot and M rspctivly of th i-th tupl, i.., th i-th tupl of s is (q i(s),a i(s), m i(s)). DEFINITION 3.5 (PARAMETERIZED SYSTEM). Givn a protocol spcification Prot = {A 1, A 2,..., A m}, a paramtrizd systm sys(n) with n procsss, ach of which bhavs according to Prot, is dfind as (S, S I, T, Topo), whr s S contains n tupls and th i-th lmnt of th tupl rprsnts th configuration of th i-th procss in sys(n), s I S I rprsnts th initial configuration of th procsss, T rprsnts th transition rlation btwn on configuration of th procsss to anothr and finally Topo is th topology of th systm. Hr, S, S I, and T ar dfind as: ny S (Q Prot M) i=1 S I S, whr s S I, 1 i n : m i(s) = T S M M S W say that s / s T if on of th following holds: 1. 2 i [1, n] : A x : = ǫ q i(s) Ix 6 4 q i(s ) = q q F x a i(s ) = A x m i(s ) = m i(s) { } j [1, n], j i : q j(s) = q j(s ) a j(s) = a j(s ) m j(s) = m j(s ) 2. i, j [1, n] : A x : 2 m j(s) 3 q i(s) Ix q i(s ) = q q F x a i(s ) = A x 6 m i(s ) = m i(s) { } m j(s ) = m j(s)\{} 7 4 q j(s ) = q j(s) a j(s ) = a j(s) 5 (, j, i) Topo k [1, n], k i, k j : q k (s) = q k (s ) a k (s) = a k (s ) m k (s) = m k (s ) Th transition rlations in th abov dfinition can b xplaind as follows. Th first condition rprsnts an autonomous mov of th i-th procss without any input vnt. Whatvr vnt th i-th procss snds du to that autonomous mov is kpt in th st of output vnts to b consumd by procsss (following th topology). Th configurations of th othr procsss j i rmain unaltrd. Th scond condition rprsnts th cas whr i-th procss consums an output vnt in th list of outstanding vnts of th j-th procss, whr it is statd in Topo that procss i is th nighbor to procss j that can consum such an vnt. Procss i puts in its st of outputs th output vnt rsulting from such an action. To illustrat our dfinition of a paramtrizd systm, lt us considr a systm of two procsss (sys(2)) that ar running th DME protocol. Figur 2 shows part of this systm. For this systm, th topology is dfind as follows. Topo = {(tokn, 1,2),(tokn, 2,1), (in,1, 1),(in,2,2), (choos, 1, 1),(choos, 2, 2)} Th first transition in th figur is an xampl of a transition following itm 1 of th transition rlation in Dfinition 3.5. Th procss that is gnrating th tokn is at th initial stat Start, its Figur 2: Part of sys(2) for DME. Full sys(2) is in our TR [24]. automaton is SND and its st of output vnts to b consumd by othrs is mpty. Th othr procss is waiting for an output vnt, so it is in stat Idl, in automaton RCV, also with an mpty st of output vnts. Without any input, th first procss starts by snding th output vnt tokn. Th st of output vnts for that procss now has th vnt tokn. Th configuration of th othr procss configurations rmains th sam as this transition concrns only th first procss. Th scond transition in th figur is an xampl whr a procss consums an vnt snt by anothr procss. Procss 1 has th vnt tokn pnding in th st of output vnts, so according to th topology of th protocol, th procss on its right (2) can consum this vnt. Thrfor, procss 2 taks tokn as input, so now th st of output vnts of procss 1 is. Procss 2 dos not nd to chang its automaton sinc th currnt automaton is allowd to rciv a tokn vnt whil in stat Idl. Aftr consuming this vnt, procss 2 maks an autonomous transition that changs its stat from Idl to Ncs and producs th output vnt choos that allows to choos ithr to pass th tokn (top right stat of th figur) or ntr th critical sction (bottom right stat). DEFINITION 3.6 (PROJECTION). Givn a paramtrizd systm sys(n) = (S, S I, T, Topo), its projctd bhavior w.r.t. procsss in R is sys(n) R = (S R, S I R, T R, Topo), such that S R [ {q i(s)} [ {a i(s)} [ {m i(s)} i R,s S i R,s S i R,s S S I R [ [ [ {q i(s)} {a i(s)} {m i(s)} i R,s S I i R,s S I i R,s S I s R m/m s R T R s m/m s T q i(s) q i(s ) a i(s) a i(s ). In Figur 2, th projction against th 1st procss sys(2) {1} will includ th first transition (q ǫ/tokn q ) and th top right transition q ) in th figur bcaus ths transitions affct th stat and/or automaton of th first procss (th ffct of th top right transitions is not shown in th figur, whr th first procss rcivs th tokn and changs its automaton from SND to RCV and its stat from Idl to Ncs). Projction against th scond procss sys(2) {2} will includ all th transitions in th figur xcpt for (q tokn/choos th first on and th top right on (q tokn/choos q ), sinc ths 2 transitions do not affct th stat and/or automaton of procss PROCESS WITH ANY ENVIRONMENT At its cor, our approach dpnds on th computation of th bhavior of on procss in th paramtrizd systm in th contxt of any nvironmnt. If sys(n) = P 1 P 2 P 3... P n is a paramtrizd systm containing n numbr of procsss, ach of which

5 Figur 3: Th Bhavior of a Procss in any Environmnt for th Distributd Mutual Exclusion Protocol [31] bhavs according to a givn protocol Prot, thn any nvironmnt of a procss P i (i [1, n]) is rprsntd by any numbr of othr procsss ( {P j : j [1, n] j i}) in any stat of Prot. Intuitivly, this capturs th maximal bhavior of P i in any nvironmnt as pr th protocol spcification Prot. W will rfr to such bhavior of any procss in th contxt of any nvironmnt for a paramtrizd systm sys(n) as 1E-bhavior of sys(n). W introduc th notion -composition (Dfinition 4.1) of automata in Prot and subsquntly comput th 1E-bhavior (Dfinition 4.2). DEFINITION 4.1 ( -COMPOSITION). Givn A x, A y Prot, w dfin A x A y as a tupl (Q xy, Q Ixy, Q Fxy, xy, Ixy, Fxy, M xy), whr Q xy = [Q x {A x}] [Q y {A y}] Q Ixy = [Q Ix {A x}] [Q Iy {A y}] Q Fxy = [Q Fx {A x}] [Q Fy {A y}] 2 {(q, A i) (q 3, A i) : i {x, y} q q i} S xy = {(q, A i) (q, A j) : i, j {x, y} 5 q Fi q Ij } Ixy = { Fxy = {(q, A i) M xy = M x M y (q, A i) : i {x, y} q i} : i {x, y} q i} In this dfinition, th stats of A x A y includ th stats of A x and A y coupld with th corrsponding automaton. Th initial and final stat-sts ar similarly dfind. Th transition rlation xy dnoting autonomous transitions of th automaton A x A y includs th autonomous transitions of th individual transitions (first argumnt of th union opration) and also th transitions rsulting from chaining th output of on automaton to th input of th othr. A ky proprty of this dfinition is that it is gnral nough to allow loops via input/output chaining of th participating automata. Th input and output transitions of A x A y contain th input and th output transitions of individual automaton. Intuitivly, this implis that -composition kps th rsulting automaton A x A y opn to communicat with othr automaton in subsqunt -composition via th input/output vnts of A x and A y. Th vnt st of A x A y is th union of th vnt st of A x and A y. DEFINITION 4.2 (1E-BEHAVIOR). Givn a protocol spcification Prot = {A 1, A 2,..., A m}, 1E-bhavior is obtaind from m i=1a i and is dfind as a tupl (Q 1E, Q I1E, 1E), whr Q 1E of st of stats in m i=1a i Q I1E, th st of start stats, of st of start stats in m i=1a i 1E Q 1E IO-Evnts Q 1E such that IO-Evnts = {τ} (M M), and q / q 1E A x : q Fx q Ix τ q q 1E A x, A y, x y : q Fx q Iy Th 1E-bhavior of a protocol capturs th maximum bhavior of a procss i in th contxt of any nvironmnt for th paramtrizd systm sys(n). As pr Dfinition 4.2, for vry transition q / q, is th input vnt for q and is th output vnt for q. Figur 3 shows th 1E-bhavior of th distributd mutual xclusion protocol. Th first stat in th figur (Start, SND) taks ǫ as input vnt and stat (Idl,SND) producs th output vnt tokn, thrfor thr is a transition q ǫ/tokn q btwn ths 2 stats (which modls th bhavior of th automaton SND in Figur 1). Th τ transition btwn th stats (Idl, SND) and (Idl, RCV) mans that th output of th formr is th sam as th input of th lattr. This modls chaining th output vnt of automaton SND with input vnt of automaton RCV in Figur 1. Th ky proprty of th 1E-bhavior is capturd by th following thorm. THEOREM 1. Givn a protocol spcification Prot = {A 1, A 2,..., A m} and a paramtrizd systm sys(n) containing n procsss bhaving as pr Prot, 1E-bhavior capturs th bhavior of any procss in sys(n) in th contxt of any nvironmnt. Proof Sktch: W prov that vry squnc of bhavior in sys(n) {i} in trms of input/output vnts is a subsqunc of vnts from som start stat in 1E-bhavior. Lt th first vnt in sys(n) {i} b / ( ǫ). This must b prsnt in 1E-bhavior for th following rason. sys(n) {i} is abl to mak a mov on input bcaus thr xists som othr procss that can provid th vnt as output. I.., thr xists som bhavioral automata A x Prot, with a transition q F x. Furthrmor, as / is th input/output vnt-pair prformd by th i-th procss, thr xists an automaton A y Prot such that q Iy and q F y (s itm 2 in Dfinition 3.5). Thrfor, from th transition rlation of 1E-bhavior (Dfinition 4.2), thr xists th sam / in 1E-bhavior. Procding furthr, lt th nxt vnt in sys(n) {i} b b/b. Th 1E-bhavior will also provid this input/output vntpair. As th input b to th i-th procss will b providd by som othr procss, following th sam rasoning as abov, a chaining of bhavioral automata in Prot can b ralizd to obtain th sam input/output vnt-pair in 1E-bhavior. 5. FINDING THE CUT-OFF In this sction, w dscrib th procdur to comput th cutoff k of a paramtrizd systm sys(n) xcuting a givn protocol Prot. Informally, th cut-off k is such that satisfiability of proprtis by sys(n) for any n k can b infrrd from th rsults

6 of vrifying th proprtis against sys(k). W focus on proprtis that involv on paramtrizd procss or two paramtrizd procsss that ar dpndnt on ach othr. Proprtis of concrn ar safty (somthing bad dos not happn) and livnss (somthing good will vntually happn). DEFINITION 5.1 (CUT-OFF). Givn a protocol spcification Prot = {A 1, A 2,..., A m} and a paramtrizd systm sys(k) containing k procsss bhaving as pr Prot, k is said to b th cut-off if and only if th following holds: i,1 i k : sys(k) = ϕ(i) n k, i,1 i n : sys(n) = ϕ(i) i, j,1 i, j k, i j : sys(k) = ϕ(i, j) n k, i, j,1 i, j n, i j : sys(n) = ϕ(i, j) whr ϕ(i) and ϕ(i, j) rprsnt proprtis involving on (th i- th procss) and two (i-th and j-th procsss) in th paramtrizd systm rspctivly, and in cas of ϕ(i, j), th i-th and j-th procsss ar dpndnt on ach othr or communicat through a non-paramtrizd procss. In th nxt sction, w will prov that k is a cut-off if and only if sys(k) can rplicat all possibl bhavior capturd by 1E-bhavior obtaind from th Prot spcification. Spcifically, if sys(k) simulats 1E-bhavior, thn k is a cut-off. Th simulation rlation btwn two stats is dfind as follows. DEFINITION 5.2 (SIMULATION [27]). Givn a labld transition systm (a systm whr transitions ar labld with vnts), stat s is said to b simulatd by a stat t, dnotd by s t, if and only if,s : s s t : t t s t (1) W say that a labld transition systm LTS 1 is simulatd by a labld transition systm LTS 2, dnotd by LTS 1 LTS 2, if and only if for all start stats s of LTS 1, thr xists a start stat t in LTS 2, such that s t. Procding furthr, our algorithm for computing th cut-off basd on th abov simulation rlation is implmntd in Procdur CutOff. Procdur CutOff (Prot) Comput 1E-bhavior from Prot k 2 whil tru do if stat s in sys(k) : 1E-bhavior s thn rturn k; ls k++; nd if nd whil Procdur CutOff numrats for diffrnt valus of k th bhavior of sys(k), whr ach procss bhavs according to protocol spcification Prot, and chcks whthr sys(k) contains a stat that simulats 1E-bhavior for th givn Prot. If for a spcific valu of k such a stat is prsnt, thn that valu of k is th cut-off. Rcall from Dfinition 4.2 that 1E-bhavior contains τ transitions rprsnting chaining of output from on automaton to th input of anothr. Howvr, such transitions ar not prsnt in th sys(k) dfinition (Dfinition 3.5). Furthrmor, for som paramtrizd systms, thr can b on procss that is not paramtrizd. In othr words, thr is only on procss of that typ in all instancs of th paramtrizd systm. For instanc, if n procsss hav accss to a shard mmory, thn th shard mmory is a non-paramtrizd procss in th systm. Thrfor, sinc w only car for proprtis rlatd to paramtrizd procsss, any transition q / q in th 1E-bhavior and th sys(k) of ths systms such that A x : q Fx q Ix whr A x is a bhavioral automaton for th non-paramtrizd procss is substitutd with a τ transition. An xampl of a paramtrizd systm with a non-paramtrizd procss is prsntd in Sction 7.2. W us th following variation of Equation 1 in our dfinition of simulation., s : s τ s 1E-bhavior t : t τ t sys(k) s t In th abov, τ rprsnts movs of zro or mor τ transitions followd by an transition. As th vrification of paramtrizd systm is undcidabl [4], our procdur may not trminat; howvr, if it trminats, it will rturn th smallst cut-off valu k for th corrsponding protocol spcification Prot. W will prov th soundnss of th procdur in Sction 6. Figur 2 shows part of th sys(2), two procsss xcuting DME protocol as spcifid by Figur 1. Th systm sys(2) simulats th corrsponding 1E-bhavior (s Figur 3) of th protocol. Thrfor, for th DME protocol in a ring topology, k = 2 is th cut-off. It is worth mntioning that [19] providd a gnral cut-off valuation of 4 for vrifying mutual xclusion proprty of any paramtrizd systm with ring topology (.g., DME protocol). Howvr, as w considr th systm dscription (sys(k)) in our tchniqu, w ar abl to idntify a tightr cut-off valu for th DME protocol. 6. PROOF OF SOUNDNESS W prov that givn a protocol spcification Prot and a paramtrizd systm sys(n), th output k of Procdur CutOff dscribd in Sction 5 is th cut-off for protocol Prot as pr th Dfinition 5.1. Th following lmmas will form th basis of our proof. LEMMA 1. For any paramtrizd systm sys(k), i,1 i k : sys(k) = ϕ(i) sys(k) {i} = ϕ(i) Proof: Th proof is immdiat from th natur of th proprty ϕ(i) and th projction opration (Dfinition 3.6). Th proprty is only concrnd with th configurations and th vnts rlatd to th i-th procss and as such, configurations and th vnts rlatd solly to th procsss j i ar irrlvant for th satisfiability of th proprty by sys(k). LEMMA 2. k,1 k n, i,1 i k : sys(k) {i} sys(n) {i} Proof: Th proof is ralizd by contradiction. Assum that thr xists a stat s {i} in sys(k) {i} rachabl from its start stat aftr a squnc of vnts (of th i-th procss) such that s {i} is not simulatd by any of th stats in sys(n) {i} rachabl from its start stat via th sam squnc of vnts. As th sam vnt squnc is considrd from th rspctiv start stats, thr xists som t {i} in sys(n) {i} rachabl via this vnt squnc, such that th configuration of th i-th procss in t {i} is th sam as that of th i-th procss in s {i}. Howvr,

7 as s {i} is not simulatd by t {i}, thr xists at last on action of th i-th procss from s {i} that is not prsnt from t {i}. This action cannot solly b output vnt (of th form ǫ/) of th i-th procss; ths typs of vnts do not dpnd on th nvironmnt of th procss and can always occur as long as th procss is in a suitabl configuration. Thrfor, th action must involv an input vnt whr th i-th procss rlis on its nvironmnt to provid such an input. In othr words, at stat s {i} of sys(k) {i}, th i-th procss can mov on an input vnt whil at stat t {i} of sys(n) {i}, th i-th procss cannot mak a mov on th sam input vnt. This implis that th nvironmnt of th i-th procss at stat s in sys(k) provids th rquird input, whil th nvironmnt of th i-th procss at any stat t in sys(n) is unabl to provid th sam input. Lt th nighbor of th i-th procss, as pr th topology of th systm, rsponsibl for providing this input b j 1-th procss. Thrfor, in sys(k), th j 1-th procss is abl to provid th input at stat s, whil th j 1-th procss in sys(n) is unabl to do so as it is waiting for its own nighbor, say j 2-th procss. Procding furthr, th input to th i-th procss at all stats t (s.t. t {i} = s {i}) in sys(n) is disabld as it is waiting for j 1, j 2, j 3,... procsss to mov to thir rspctiv configurations such that j 1-th procss can provid th input. Howvr, that is not th cas at stat s in sys(k). As procsss in both sys(k) and sys(n) bhav according to th sam protocol spcification Prot, th abov can only happn whn n < k. This lads to contradiction proving that our initial assumption is incorrct. THEOREM 2. Givn a protocol spcification Prot and a paramtrizd systm sys(n) whr ach procss bhavs as dscribd in Prot, stat s in sys(k) : 1E-bhavior s ( i,1 i k : sys(k) = ϕ(i) n k, i,1 i n : sys(n) = ϕ(i)) In th abov, 1E-bhavior is computd from th spcification Prot. Proof: Lt s = (c 1, c 2,..., c k ) b th stat in sys(k) that simulats 1E-bhavior and c j (1 j k) b th configuration (Dfinition 3.4) of th j-th procss at s. Thrfor, using Thorm 1, s capturs all possibl bhavior of som procss in sys(k) and its nvironmnt. For th l-th procss with configuration c l in s, lt E l dnot its nvironmnt, i.., k[ E l = {c p : p l}. (2) p=1 As all procsss in th paramtrizd systm sys(k) bhav according to th sam protocol spcification Prot, for a spcific procss, th i-th procss, thr xists at most k diffrnt stats s 1, s 2,..., s k in sys(k) such that for ach l (1 l k), th i-th procss is in th configuration c l with th nvironmnt E l (Equation 2) at stat s l. Thrfor, all possibl bhavior of som procss and its nvironmnt as capturd by 1E-bhavior of th Prot, is xhibitd by th i-th procss in sys(k). I.., sys(k) {i} xhibits all possibl bhavior of i-th procss in sys(k) ( i,1 i k : sys(k) {i} = ϕ(i) sys(k) = ϕ(i) (From Lmma 1) ( i,1 i k : sys(k) {i} = ϕ(i) n, n k, i,1 i k : sys(n) {i} = ϕ(i)) (From Lmma 2) ( i,1 i k : sys(k) = ϕ(i) n, n k, i,1 i k : sys(n) = ϕ(i)) (From Lmma 1) Nxt w prov th following thorm THEOREM 3. Givn a protocol spcification Prot and a paramtrizd systm sys(n) whr ach procss bhavs as dscribd in Prot, stat s in sys(k) : 1E-bhavior s ( i, j,1 i, j k, i j : sys(k) = ϕ(i, j) n k, i, j, 1 i, j n, i j : sys(n) = ϕ(i, j)) whr th bhavior of on procss (say th j-th procss) is dpndnt on th othr (say th i-th procss) or both procsss i and j communicat through a non-paramtrizd procss. Proof: Th proof of th thorm rlis on th following obsrvations. For brvity, w omit th proofs of th statmnts; th proofs bing similar to Lmmas 1 and 2. i, j,1 i, k, i j : sys(k) = ϕ(i, j) sys(k) {i, j} = ϕ(i, j) k,1 k n, i, j,1 i, j k, i j : sys(k) {i, j} sys(n) {i, j} (3) Rcall that 1E-bhavior capturs th bhavior of any procss i and its nvironmnt. It dos not distinguish btwn th procsss in th nvironmnt, i.., th nvironmnt compriss of all th procsss with which th procss i intracts dirctly or indirctly. Thrfor, a stat s in sys(k) simulating 1E-bhavior implis that th stat capturs all possibl bhavior of a procss i and its nvironmnt containing anothr procss j dpndnt on i. As in Thorm 2, w considr nvironmnts of pairs of procsss in stat s. Procding furthr, w fix th pair i, j and stat that thr xists at most k diffrnt stats for this pair of procsss which collctivly capturs all possibl bhavior of pair of procsss as pr th 1Ebhavior. Finally, th proof follows from th statmnts in Equation 3. THEOREM 4 (SOUNDNESS). If Procdur CutOff trminats, th rturn valu k is th cut-off as pr th Dfinition 5.1. Proof: Th proof follows from Thorms 2 and 3. REMARK 1. Th proposd algorithm addrsss th problm of vrifying proprtis of th form ϕ(i, j) whr i and j ar paramtrizd procsss and th bhavior of procss (say th j-th procss) is dpndnt on th othr procss (say th i-th procss). In othr words, actions by j-th procss ar don as a dirct rsult (or in rspons) to actions don by th i-th procss, or thy communicat with ach othr through a non-paramtrizd procss (xampl in Sction 7.2). Not that procsss i and j nd not b nighbors. For instanc, in th DME protocol, procss j cannot start any bhavior until rciving a tokn gnratd by procss i, thrfor th bhavior of procss j is dpndnt on procss i; howvr procss j nd not b dirctly connctd to procss i whr th tokn can b passd by n 2 procsss bfor raching procss j. 7. CASE STUDIES W hav workd svral nontrivial xampls to validat our approach: th dining philosophr protocol [16] and Spin lock, a locking protocol for mutual xclusiv accss to an objct [3]. W compard our rsults with that obtaind using xisting work. W found that th cut-off obtaind by our tchniqu is ithr smallr or qual to th cut-off producd by xisting tchniqus. Furthrmor, in contrast to xisting tchniqus which ar ithr applicabl to paramtrizd systms with spcific topology or rly on smart rprsntation and/or abstraction of th systm bhavior, our tchniqu

8 (a) Figur 4: (a) Th Bhavioral Automata for th Dining Philosophrs Protocol. (b) Part of th Bhavior of a Philosophr Procss (b) uniformly handls systms with diffrnt topologis and is basd on a standard transition systm basd rprsntation. 7.1 Dining Philosophrs Protocol Dining philosophrs protocol [16] modls a classic multiprocss synchronization problm. Among othrs, Emrson and Kahlon [17] hav usd it as a candidat paramtrizd systm. For this protocol, th numbr of philosophrs is th systm paramtr. Th standard dfinition modls procsss as philosophrs sitting in a circl (a ring topology) with a fork btwn ach 2 philosophrs. Th main objctiv of a philosophr procss is to acquir th fork to its lft and right and start ating. W modl this protocol using th bhavioral automata shown in Figur 4 (a). Th first automaton LFT in this figur rprsnts th bhavior of a philosophr whn it dcids that it wants th lft fork and asks its nighbor for it. Th automaton contains Q = (q 0, q 1) whr q 0 = NotEating, and q 1 = WaitLft. Th transition rlations ar ǫ q 0 I, whr th philosophr initiats this bhavior without any input vnt, q 0 q 1, whr th philosophr dcids ǫ that it wants th lft fork so it changs its stat from NotEating ask_lft to WaitLft, and finally q 1 F, whr th philosophr snds th rqust for th lft fork to its nighbor. Othr automata ar similar in natur. Givn this protocol spcification, using our tchniqu, w would lik to find th smallst numbr of procsss (k) for this paramtrizd systm such that vrifying any corrctnss proprty on a systm with k procsss is ncssary and sufficint to say that th proprty is tru for any systm involving n procsss for any n > k. Bhavior of a Procss in Any Environmnt. To that nd, th first stp in our tchniqu is to find th bhavior of a procss in any nvironmnt (s Sction 4). To comput this, on would start by composing th automata dscribd in Figur 4(a) in accordanc with th dfinition of th composition oprator ( ). This will b rpatd until all th automata in Figur 4(a) ar composd and th composition satisfis th Dfinition 4.2 for 1E-bhavior. Figur 4(b) shows part of this 1E-bhavior. Th transition btwn stat (NotEating, LFT_FREE_NE) on th bottom lft of th figur and stat (NotEating, LFT_FREE_NE) on th bottom right modls an intrnal transition in automaton LFT_FREE_NE in Figur 4(a)). Th τ transition btwn th stats (WaitLft, LFT) and (NotEating, LFT_FREE_NE) modls th chaining btwn automata LFT and LFT_FREE_NE, whr th output vnt of th formr is qual to th input vnt of th lattr. Cut-off Valu for th Systm Paramtr. Onc th 1E-bhavior dscribing th bhavior of on philosophr in th contxt of any nvironmnt is gnratd, th nxt stp is to find th smallst ntwork that a philosophr can actually xhibit this bhavior. Th siz of such ntwork is th cut-off. In ordr to find this cut-off, w follow Procdur CutOff dscribd in Sction 5, whr w start building a systm of 2 philosophrs (sys(2)) and chck if thr is a stat in this systm that simulats 1E-bhavior. Until w find a systm with a stat that simulats 1E-bhavior, w incras th numbr of philosophrs of th systm. Figur 5: Part of sys(2). Full sys(2) is in our TR [24]. Part of th systm sys(2) for 2 philosophrs is displayd in Figur 5. Th first stat in th figur is th initial configuration whr all philosophrs ar not ating. Th first transition is an xampl whr th scond philosophr snds a rqust for th lft fork. Th changs in th stat configurations ar highlightd in bold. Unlik th DME protocol, 1E-bhavior for dining philosophrs is not simulatd by sys(2). Th rason is that for 2 philosophrs, som stats in 1E-bhavior ar not simulatd in sys(2). For instanc, in 1E-bhavior in Figur 4(b), from stat (WaitLft, LFT) both th stats (NotEating, LFT_FREE_NE) and (Eat, LFT_BUSY_EAT) ar rachabl through τ transitions whr transitions (NotEating, LFT_FREE_NE) ask_lft/lft_fr q and (Eat, LFT_BUSY_EAT) ask_lft/lft_takn q ar thn possibl. Thrfor, for sys(2) to simulat 1E-bhavior, thr should b a stat s in sys(2) with both output transitions s ask_lft/lft_fr s and s ask_lft/lft_takn s. No stat in sys(2) can hav both ths output transitions. Sinc only 2 philosophrs and 2 forks xist in th systm, th rply for a rqust of th lft fork will ithr b that th fork is busy or fr, but no on stat can hav both rplis as output transitions. In cas thr ar 3 philosophrs, this is possibl bcaus of th asynchronous natur of our modling; so 2 philosophrs can rciv 2 rqusts for lft fork from thir nighbors, whr on of th rcipints is ating and th othr is not ating. Thrfor, thr will b on stat in sys(3) whr it is possibl to hav both output transitions: on corrsponding to th philosophr ating that rplis that th fork is busy and th othr to th on that is not ating that rplis that th fork is fr. Sys(3) can simulat 1E-bhavior, thrfor th cut-off for this protocol is 3 (sys(3) is prsntd in our rport [24]).

9 Topology of th Systm. For th paramtrizd systm sys(k) to xhibit th intndd bhavior of th protocol, th protocol topology nds to b statd whil building th systm. Considr in th Dining philosophr protocol if w hav 3 philosophrs and no topology was statd, thn a philosophr can ask its sam nighbor for lft and right forks, whil this is not possibl. Th rason is that th bhavioral automata dos not nforc any kind of topology in ordr to nsur that th composition of automata will prsnt th bhavior of on procss in th contxt of any nvironmnt. Thrfor, th topology of th systm nds to b statd whn building th paramtrizd systm sys(k). For xampl, whn philosophr i snds th vnt ask_lft, only th philosophr on its lft i 1 is abl to consum this vnt, whr (ask_lft, i, i 1) Topo. As for vnt ask_right, th philosophr on th right of philosophr i, th (i + 1)-th philosophr, is th on who can rciv this vnt from philosophr i, dnotd as (ask_right, i, i + 1). Comparison with othr work. Emrson and Kahlon [17] prsnt th first fully automatd vrification for th dining philosophrs protocol. A systm in thir tchniqu is dfind using two sts, on for procsss (philosophrs) and on for tokns (forks). Thy prov that rasoning about dadlock charactristics, safty and livnss proprtis for a pair of adjacnt procsss for arbitrary rings can b rducd to a ring of siz at most 5. Howvr, w obtain a tightr cut-off valu 3 du to th fact that th bhavior of th participating procsss is considrd in our tchniqu. Whil Emrson and Namjoshi [19] found that th cut-off for systms with ring topologis for proprtis ϕ(i, i+1) (proprtis of nighboring pairs of procsss) is 3, th tchniqu in [19] rquirs a tokn passing modl, whr a singl tokn is transmittd in a clockwis dirction, thus it is not applicabl to th dining philosophrs that dos not follow such a modl. 7.2 Spin Lock Spin locks [3] offr a simpl mchanism to raliz mutually xclusiv accss of objcts by thrads. Th objct can hav two stats: not-busy (whn is not accssd by any thrad, stat NB) and busy (whn it accssd by som thrad, stat B). A not-busy objct, upon rciving a rq from a thrad, rplis back with an ack mssag and bhavs lik a busy objct. A busy objct, on th othr hand, dnis all rqusts from thrads using a nack mssag or gos to a not-busy stat on rciving a rl (rlas) signal from th lock rlasing thrad. Each thrad procss can lock an objct if it rcivs ack in rspons to a rq signal. This systm follows a star topology, whr all procsss ar connctd to th objct. Th bhavioral automata for thrads and th objcts in th Spin Lock ar displayd in Figur 6(a) and (b) rspctivly. Bhavior of a Procss in Any Environmnt. Unlik th DME and Dining Philosophrs protocol, th bhavior of th systm in Spin Lock is dpndnt on an objct that is not a paramtr of th systm. In othr words, thr can b n procsss in th systm, but only on objct can b prsnt in th systm. Sinc th bhavior of th procsss is dpndnt on th bhavior of th objct, building th 1E-bhavior of th systm rquirs th prsnc of th objct. Thrfor, building th 1E-bhavior of such systm with procsss that ar not paramtrs is don in 2 stps. First, th 1E-bhavior of th systm that includs th objct is built. Thn, for any transition that blongs to th objct consuming an vnt and producing anothr vnt, ths objct transitions ar rplacd by a τ transition. Figur 7 displays part of th 1E-bhavior of Spin Lock with th objct bhavior includd. Th transitions highlightd by th box blong to th actions whr th objct rcivs a rqust and snds ithr an acknowldgmnt that it is not-busy or a nack saying it is busy. Sinc w only car about th bhavior of paramtrizd (a) (b) Figur 6: Automata for Spin Lock: (a) Procss. (b) Objct. procsss, ths 2 transitions ar going to b substitutd by a τ transition. Th full 1E-bhavior of this systm is prsntd in our tchnical rport [24]. Figur 7: Part of th Bhavior of a Procss in Spin Lock Figur 8: Part of sys(2) for Spin Lock Cut-off Valu for th Systm Paramtr. Building sys(k) for systms with on or mor procsss that ar not paramtrs to th systm is similar to building th 1E-bhavior of ths systms. First, th sys(k) of th systm with th objct is built. Scond, th transitions that blong to actions don by th procss that is not a paramtr ar rplacd with τ transitions. Part of sys(2) for th Spin Lock protocol with 2 thrads and th objct is displayd in Figur 8, whr th transition q rq/ack q is to b substitutd by a τ transition sinc it blongs to th nonparamtrizd procss (th objct). Our tchniqu found that th cut-off valu for this systm is 2, whil Basu and Ramakrishnan [9] tackling th sam problm found th cut-off to b 3. In contrast to our tchniqu, th mthod proposd in [9] is basd on fixd point computation and abstraction-basd acclration of proprtis of nvironmnt. As such, rsults obtaind using Basu and Ramakrishnan s tchniqu [9] dpnd on th quality of th abstraction and may not always trminat with smallst cut-off valu.

10 8. CONCLUSION AND FUTURE WORK Vrification of corrctnss proprtis for paramtrizd systms is an important problm [13, 15, 18, 19, 21, 23, 29]. Considring that this problm is undcidabl in gnral [4], tchniqus and huristics for solving it for a subst of scnarios is an qually important problm. To that nd, computing th cut-off of th systm paramtr is shown to b an ffctiv tchniqu for solving th paramtrizd vrification problm [18, 19, 21]. In contrast to th xisting tchniqus, our approach, basd on bhavioral-automata composition, can b applid to any paramtrizd systms indpndnt of th communication topology. It provids a fully-automatic mthod for obtaining systm cut-off for a paramtrizd systm xprssd using a standard automata-basd modling approach. Furthrmor, ffctivly utilizing systm dscriptions allows us to obtain a systm-spcific cut-off, which in at last 3 cass is found to b lowr than prviously discovrd bounds (DME protocol, Dining Philosophrs Protocol and Spin Lock). A systm cut-off, to a larg xtnt, dictats th stat spac that nds to b xplord by a formal vrification tchniqu. Th systmatic approach of finding this cut-off that our approach provids is thus an important and foundational advanc towards improvd scalability of formal vrification tchniqus. Futur work includs xtnding th thortical and practical tratmnt of bhavioral-automata composition in svral dirctions. W plan to xplor mor xprssiv rprsntation of protocols that can captur synchronous communication btwn procsss and paramtrizd systms with infinit-domain data. 9. ACKNOWLEDGEMENTS This work was supportd in part by th US National Scinc Foundation undr grants CNS , CNS , and CAREER Thanks to David Samulson and anonymous ESEC/FSE 09 rviwrs for critical fdback on th draft. 10. REFERENCES [1] P. A. Abdulla, G. Dlzanno, N. B. Hnda, and A. Rzin. Rgular modl chcking without transducrs (on fficint vrification of paramtrizd systms). In TACAS, pags , [2] P. A. Abdulla, B. Jonsson, M. Nilsson, and J. d Orso. Rgular modl chcking mad simpl and fficint. In CONCUR, pags , [3] T. E. Andrson. Th prformanc of spin lock altrnativs for shard-mmory multiprocssors. IEEE Trans. Paralll Distrib. Syst., 1(1):6 16, [4] K. R. Apt and D. C. Kozn. Limits for automatic vrification of finit-stat concurrnt systms. Inf. Procss. Ltt., 22(6): , [5] T. Arons, A. Pnuli, S. Ruah, J. Xu, and L. D. Zuck. Paramtrizd vrification with automatically computd inductiv assrtions. In CAV, pags , [6] P. Baldan, A. Corradini, and B. König. A framwork for th vrification of infinit-stat graph transformation systms. Inf. Comput., 206(7): , [7] P. Baldan, B. König, and A. Rnsink. Graph grammar vrification through abstraction. In Dagstuhl Sminar Procdings 04241, [8] T. Ball, S. Chaki, and S. K. Rajamani. Paramtrizd vrification of multithradd softwar libraris. In TACAS, pags , [9] S. Basu and C. R. Ramakrishnan. Compositional analysis for vrification of paramtrizd systms. Thor. Comput. Sci., 354(2): , [10] A. Bouajjani, B. Jonsson, M. Nilsson, and T. Touili. Rgular modl chcking. In CAV, pags , [11] A. Bouajjani, Y. Jurski, and M. Sighiranu. Rasoning about dynamic ntworks of infinit-stat procsss with global synchronization. HAL - CCSD, [12] A. Bouajjani, Y. Jurski, and M. Sighiranu. A gnric framwork for rasoning about dynamic ntworks of infinit-stat procsss. In TACAS, pags , [13] E. Clark, M. Talupur, and H. Vith. Environmnt abstraction for paramtrizd vrification. In VMCAI, , [14] E. M. Clark, O. Grumbrg, and S. Jha. Vrifying paramtrizd ntworks using abstraction and rgular languags. In CONCUR, pags , [15] E. M. Clark, M. Talupur, and H. Vith. Proving ptolmy right: Th nvironmnt abstraction framwork for modl chcking concurrnt systms. In TACAS, pags 33 47, [16] E. Dijkstra. Two starvation fr solutions to a gnral xclusion problm. EWD 625, Plataanstraat 5, 5671 AL Nunn, Th Nthrlands. [17] E. A. Emrson and V. Kahlon. Modl chcking larg-scal and paramtrizd rsourc allocation systms. In TACAS, pags , [18] E. A. Emrson and V. Kahlon. Exact and fficint vrification of paramtrizd cach cohrnc protocols. In CHARME, pags , [19] E. A. Emrson and K. S. Namjoshi. Rasoning about rings. In POPL, pags 85 94, [20] E. A. Emrson and K. S. Namjoshi. Automatic vrification of paramtrizd synchronous systms (xtndd abstract). In CAV, pags 87 98, [21] E. A. Emrson, R. J. Trflr, and T. Wahl. Rducing modl chcking of th fw to th on. In ICFEM, pp , [22] D. Fisman, O. Kupfrman, and Y. Lustig. On vrifying fault tolranc of distributd protocols. In TACAS, , [23] S. M. Grman and A. P. Sistla. Rasoning about systms with many procsss. J. ACM, 39(3): , [24] Y. Hanna, S. Basu, and H. Rajan. Bhavioral automata composition for automatic topology indpndnt vrification of paramtrizd systms. Tchnical Rport 09-17, Computr Sc., Iowa Stat U., [25] C. N. Ip and D. L. Dill. Vrifying systms with rplicatd componnts in murphi. In CAV, pags , [26] M. Llorns and J. Olivr. Introducing structural dynamic changs in ptri nts: Markd-controlld rconfigurabl nts. In ATVA, pags , [27] R. Milnr. A Calculus of Communicating Systms. Springr-Vrlag Nw York, Inc., [28] A. Pnuli, S. Ruah, and L. D. Zuck. Automatic dductiv vrification with invisibl invariants. In TACAS 01, [29] A. Pnuli, J. Xu, and L. D. Zuck. Livnss with (0, 1, infty)-countr abstraction. In CAV, pp , [30] M. Saksna, O. Wibling, and B. Jonsson. Graph grammar modling and vrification of ad hoc routing protocols. In TACAS, pags 18 32, [31] P. Wolpr and V. Lovinfoss. Vrifying proprtis of larg sts of procsss with ntwork invariants. In th Intrnational Workshop on Automatic Vrification Mthods for Finit Stat Systms, pags 68 80, 1990.