524 R. Morin Popular, graphical, and poerful, MSCs are intuitive and easy to use. Hoever they may lead to specifications that do not correspond to the

Transcription

1 Recognizable Sets of Message Sequence Charts Rémi Morin Laboratoire d Informatique Fondamentale de Marseille Université de Provence, 39 rue F. Joliot-Curie, F Marseille cedex 13, France Abstract. High-level Message Sequence Charts are a ell-established formalism to specify scenarios of communications in telecommunication protocols. In order to deal ith possibly unbounded specifications, e focus on star-connected HMSCs. We relate this subclass ith recognizability and MSO-definability by means of a ne connection ith Mazurkieicz traces. Our main result is that e can check effectively hether a star-connected HMSC is realizable by a finite system of communicating automata ith possibly unbounded channels. Message Sequence Charts (MSCs) are a popular model often used for the documentation of telecommunication protocols. They profit by a standardized visual and textual presentation (ITU-T recommendation Z.120 [11]) and are related to other formalisms such as sequence diagrams of UML. An MSC gives a graphical description of communications beteen processes. It usually abstracts aay from the values of variables and the actual contents of messages. Hoever, this formalism can be used at a very early stage of design to detect errors in the specification [10]. In this direction, several studies have already brought up methods and complexity results for the model checking of MSCs vieed as a specification language [2,3,12,17,18]. Hoever, many undecidable problems arose by algebraic reductions to formal language theory [5] or relationships to Mazurkieicz trace theory [18,8]. Recently, several studies have investigated the subclass of regular languages of MSCs, a notion first formalized in [8]. These languages of MSCs are such that the set of associated sequential executions can be described by a finite automaton; therefore model checking becomes decidable and particular complexity results could be obtained [2,3,18]. Hoever regular languages of MSCs satisfy the channel-bounded property, that is, the number of messages stored in channels at any stage of any execution admits a finite upper bound. In this paper, e aim at removing this condition because it leads to rather strong restrictions on the associated high-level MSCs (HMSCs) [15]. Folloing the classical algebraic approach, e introduce recognizable languages of MSCs. In many ays, they appear as regular languages ithout any restriction on the channel capacities. Formally, e ill sho that a recognizable HMSC is regular if, and only if, it is channel-bounded. Whereas regular languages are precisely those hich are channel-bounded and MSO-definable [9], e ill also prove that recognizability is equivalent to MSO-definability. Supported by the INRIA cooperative research action FISC. H. Alt and A. Ferreira (Eds.): STACS 2002, LNCS 2285, pp , c Springer-Verlag Berlin Heidelberg 2002

2 524 R. Morin Popular, graphical, and poerful, MSCs are intuitive and easy to use. Hoever they may lead to specifications that do not correspond to the operational behavior of any system of processes. The important question hether a HMSC admits a realization has been investigated in different ays [1,2,5,9,16]. We observe first that any realizable HMSC is recognizable. Hoever, e prove that one cannot decide hether a HMSC is recognizable. That is hy e focus on c-hmscs: The latter have the property that iterations (or cycles) are alloed over connected MSCs only. We sho then that c-hmscs can simulate any recognizable HMSC. This justifies our main result: We can effectively check hether a c-hmsc is realizable. Finally, e stress that all our results rely on a ne connection beteen MSCs and Mazurkieicz traces [6], hich allos us to apply strong theorems from concurrency theory [14,19,20,21,22]. 1 Basic Notions and Results A pomset over an alphabet Σ is a triple t = (E,, ξ) here (E, ) is a finite partial order and ξ is a mapping from E to Σ ithout autoconcurrency: ξ(x) = ξ(y) implies x y or y x for all x, y E. Let t = (E,, ξ) be a pomset and x, y E. Then y covers x (denoted x y) if x y and x z y implies y = z. The elements x and y are concurrent or incomparable if (x y) (y x). A pomset can be seen as an abstraction of an execution of a concurrent system. In this vie, the elements e of E are events and their label ξ(e) describes the basic action of the system that is performed by the event. Furthermore, the order describes the causal dependence beteen the events. An order extension of a pomset t = (E,, ξ) is a pomset t = (E,, ξ) such that. A linear extension of t is an order extension that is linearly ordered. Linear extensions of a pomset t = (E,, ξ) can naturally be regarded as ords over Σ. By LE(t) Σ, e denote the set of linear extensions of a pomset t over Σ. An ideal of a pomset t = (E,, ξ) is a subset H E such that x H y x y H. The restriction t = (H, (H H), ξ (H Σ)) is called a prefix of t and e rite t t. For all z E, e denote by z the ideal of events belo z, i.e. z = {y E y z}. If H is a subset of E, e denote by # a (H) the number of events x H such that ξ(x) = a. Basic Message Sequence Charts. MSCs are defined by several recommendations that indicate ho one should represent them graphically [11]. More formally, they can be seen as particular labeled partial orders. Let I be a finite set of processes (also called instances) and Mes be a finite set of messages. For any instance i I, Σi int denotes a finite set of internal actions; the alphabet Σ i is then the disjoint union of the set of send actions Σ i! = {i!m j j I \ {i}, m Mes}, the set of receive actions Σ i? = {i? m j j I \ {i}, m Mes} and the set of internal actions Σi int. We shall assume that the alphabets Σ i are disjoint and e let Σ I = i I Σ i. Given an action a Σ I, e denote by Ins(a) the unique instance i such that a Σ i, that is the particular instance on hich each occurrence of action a takes place. Finally, for any pomset (E,, ξ) over Σ I e denote by Ins(e) the instance on hich the event e E occurs : Ins(e) = Ins(ξ(e)).

3 Recognizable Sets of Message Sequence Charts 525 Definition 1.1. A message sequence chart (MSC) is a pomset M = (E,, ξ) over Σ I such that M 1 : e, f E: Ins(e) = Ins(f) (e f f e) M 2 : # j?mi (E) # i!mj (E) for all instances i and j and all messages m M 3 : ( ξ(e) = i! m j ξ(f) = j? m i # i!mj ( e) = # j?mi ( f) ) e f M 4 : [e f Ins(e) Ins(f)] [ ξ(e) = i! m j ξ(f) = j? m i # i!mj ( e) = # j?mi ( f) ]. An MSC is basic if # i!mj (E) = # j?mi (E) for all instances i and j and all messages m. By M 1, events occurring on the same instance are linearly ordered: Hence nondeterministic choice cannot be described ithin an MSC. Condition M 2 makes sure that each reception corresponds to a message. Thus there is no duplication of messages in the channels and M 2 formalizes partly the reliability of the channels. Folloing the recommendation Z.120, e allo overtaking (Fig. 1) but forbid any reversal of the order in hich to identical messages m sent from i to j are received by j. Thus M 3 formalizes simply that the reception of any message ill occur after the corresponding send event. Finally, by M 4, causality in M consists only in the linear dependency over each instance and the ordering of pairs of corresponding send and receive events. We remark that any prefix of an MSC is an MSC, too. Note that an MSC is basic if each message m sent from i to j is associated to a reception event on j. We shall use non-basic MSCs as a natural ay to describe partial executions of basic MSCs. Indeed, any MSC can be seen as a prefix of a basic MSC. Rationality and Recognizability. Let (M, ) be a monoid ith unit 1. For any subsets L and L of M, the product of L by L is L L = {x x x L x L }. We let L 0 = {1} and for any n IN, L n+1 = L n L; then the iteration of L is L = n IN Ln, also denoted L M. Note that L M is a submonoid of M. A language L M is finitely generated if there is a finite subset Γ of M such that L Γ M. A subset of M is rational if it can be obtained from the finite subsets of M by means of unions, products and iterations. Any rational language is finitely generated. A subset L of M is recognizable if there exists a finite monoid M and a monoid morphism η : M M such that L = η 1 η(l). Equivalently, L is recognizable if, and only if, there exists a finite M-automaton recognizing L because the collection of all sets L/x = {y M x y L} is finite. In particular the set of recognizable subsets of any monoid is closed under union, intersection and complement. We denote by bmsc the set of (isomorphism classes) of basic MSCs. The asynchronous concatenation of to basic MSCs M 1 = (E 1, 1, ξ 1 ) and M 2 = (E 2, 2, ξ 2 ) is M 1 M 2 = (E,, ξ) here E = E 1 E 2, ξ = ξ 1 ξ 2 and the partial order is the transitive closure of 1 2 {(e 1, e 2 ) E 1 E 2 Ins(e 1 ) = Ins(e 2 )}. It is easy to check that the asynchronous concatenation of to basic MSCs is a basic MSC. This concatenation can be shon to be associative and admits the empty MSC (,, ) as unit. Therefore e shall refer to bmsc as the monoid of basic message sequence charts. This concatenation enables us to

4 526 R. Morin msc Overtaking i j msc M i j {M} bmsc i! x j j? y i i! y j j? x i i! x j j? x i bmsc \ {M} 0 1 Fig. 1. Overtaking Fig. 2. Basic MSC M Fig. 3. A bmsc-automaton compose specifications in order to describe sets of basic MSCs. In that ay, e obtain high-level message sequence charts. Definition 1.2. A high-level message sequence chart (HMSC) is a rational expression of basic MSCs, that is, an expression built from basic MSCs by use of union, product and iteration. We follo here the approach adopted, e.g., in [2,3,5,8,12,16,18] here HMSCs are hoever often flattened into message sequence graphs. Regularity vs Rationality. A language L of basic MSCs is regular [8] if its set of linear extensions LE(L) = M L LE(M) is recognizable in the free monoid. All regular languages are recognizable in bmsc, but the converse fails. Σ I Example 1.3. We consider here the basic MSC M of Fig. 2 and the rational language {M}. The latter is recognizable in bmsc (it is accepted by the bmscautomaton of Fig. 3), but not regular. It is even not channel-bounded [8]. As proved in [8, Th. 4.6], it is undecidable to kno hether a HMSC H is regular (that is to say, hether its corresponding language L H is regular). Yet, one can ensure the regularity of languages associated to high-level message sequence charts by restricting to locally synchronized [18] or bounded [3] HMSCs hich are called sc-hmscs belo. Recall first that the communication graph of a basic MSC M = (E,, ξ) is the directed graph (I M, ) here I M is the set of active instances of M: I M = {i I e E, Ins(e) = i}, and such that (i, j) if there is an event e E such that ξ(e) = i!j. Thus there is an edge from i to j if M shos a communication from i to j. No a highlevel MSC is called an sc-hmsc if iteration occurs only over sets of MSCs hose communication graphs are strongly connected. Consider finally a finitely generated language L of basic MSCs. Putting together results from [18,3,8], e kno that L is regular if, and only if, it is the language L H of an sc-hmsc H. 2 Recognizability vs. Rationality In this section e sho a ne relationship beteen basic MSCs and Mazurkieicz traces. This allos us to infer results on recognizability analogous to those mentioned above for regularity. Differently from [18,3,8,15], e do not restrict to sc-hmscs and e assume no limit to the channel capacities.

5 Recognizable Sets of Message Sequence Charts 527 Let us first recall some basic notions of Mazurkieicz trace theory [6]. The concurrency of a distributed system can be represented by an independence relation over the (possibly infinite) alphabet of actions Σ, that is a binary, symmetric and irreflexive relation Σ Σ. The associated trace equivalence is the least congruence over Σ such that a, b Σ, a b ab ba. A trace [u] is the equivalence class of a ord u Σ. We denote by M(Σ, ) the set of all traces.r.t. (Σ, ). Traces can easily be composed in the folloing ay: [u] [v] = [u.v]. Then M(Σ, ) appears as a monoid ith the empty trace [ε] as unit. A trace language is a subset L M(Σ, ). It is easy to see that a trace language L is recognizable in M(Σ, ) iff the set of associated ords {u Σ [u] L} is recognizable in the free monoid Σ. Let u Σ ; then the trace [u] is precisely the set of linear extensions LE(t) of a unique pomset t = (E,, ξ), that is, [u] = LE(t). That is hy traces can be seen as pomsets and e put LE(L) = {u Σ [u] L} for any trace language L M(Σ, ). A natural independence relation comes to light hen e consider basic MSCs ith respect to their concatenation. For all basic MSCs M and M, e put M M if I M I M =. Clearly, M M implies that M M = M M. A non-empty basic MSC M is called prime if M = M 1 M 2 implies M 1 = 1 or M 2 = 1. Clearly, any basic MSC is a product of primes [7]. The next lemma shos that this decomposition is unique up to the commutation of independent primes. Lemma 2.1. Let Γ be a (possibly infinite) subset of prime basic MSCs. Then the morphism R Γ : M(Γ, ) Γ bmsc hich maps each trace [a 1...a n ] to the basic MSC a 1... a n is an isomorphism. Proof (sketch). The map R Γ is ell-defined since u v implies R Γ [u] = R Γ [v]. Clearly the morphism R Γ is onto. We sho by induction on n = u that if R Γ [u] = R Γ [v] then u v. The claim is clear if u = 0. We let u = a 1...a n and v = b 1...b m be to ords of Γ and assume that R Γ [u] = R Γ [v]. We denote by M = (E,, ξ) the basic MSC R Γ [u]. Then a 1... a n and b 1... b m are to decompositions of M in prime basic MSCs. Let e be a minimal event in the MSC a 1 and M = (E, E, ξ E ) denote the least basic prefix of M that contains e. The event e belongs to b s for some s [1, m]. By means of a close analysis of M, e can sho that a 1 = M = b s. Then I bk I bs = for all k [1, s 1] because E is an ideal of M. Thus, b 1... b m = b s b 1... b s 1 b s+1... b m = a 1... a n. Since a 1 = b s and bmsc is cancellative, e have b 1... b s 1 b s+1... b m = a 2... a n. By induction hypothesis, b 1...b s 1.b s+1...b m a 2...a n hence u v. We can no translate results from trace theory as follos (see also Th. 4.1). Theorem 2.2. It is undecidable to kno hether a HMSC is recognizable. Proof. We proceed by reduction to the recognizability of rational trace languages, hich is knon to be undecidable [21]. For any finite independence alphabet (Σ, ), e can find a finite set of prime basic MSCs Γ = {M a a Σ} such that a b M a M b. Then the morphism ψ : M(Σ, ) Γ bmsc defined by ψ(a) = M a is an isomorphism (Lemma 2.1). Therefore, L M(Σ, ) is recognizable (resp. rational) iff ψ(l) is recognizable in bmsc (resp. rational).

6 528 R. Morin This result shos that e have to face a similar problem as ith regularity [8, Th. 4.6]. We say that an MSC is connected if its communication graph is a connected (undirected) graph. Then a HMSC is called a c-hmsc if iteration occurs only over sets of connected MSCs. Theorem 2.3. Let L be a finitely generated language of basic MSCs. Then L is recognizable if, and only if, it is the language L H of a c-hmsc H. Proof. We have L Γ bmsc for a finite set Γ of prime basic MSCs. By Lemma 2.1, L is recognizable in bmsc if, and only if, R 1 Γ (L) is recognizable in M(Γ, ), hich means that R 1 Γ (L) is c-rational [19]. Since prime basic MSCs are connected, this is also equivalent to say that L is described by a c-hmsc. This result shos that, in order to specify a recognizable language of basic MSCs by some HMSC, one can restrict to c-hmscs ithout loss of expressive poer. Example 1.3 shos that c-hmscs can describe behaviors ith unbounded channels differently from sc-hmscs [15, Cor. 2.9]. As justified by [12, Th. 1], such infinite systems can still be model-checked. Our interest in recognizable languages also stems from the next section; e ill see that if a rational language is realizable then it has to be recognizable. 3 Recognizability vs. Realizability In this section, e focus on the HMSCs hose language can be seen as the behaviors of a distributed system hose processes communicate through reliable FIFO channels. Recall no that e allo overtaking of messages (Fig. 1). Consequently, e consider one channel for each pair of distinct instances associated ith a message type. Formally, the set of channels Chan consists of all triples (i, j, m) I I Mes such that i j. Furthermore a channel state is formalized by a map χ : Chan IN that describes the queues of messages ithin the channels at some stage of an execution. The empty channel state χ 0 is such that each channel maps to 0. Definition 3.1. A message-passing automaton (MPA) over Σ I is a family S = (A i ) i I such that each component A i is a transition system (Q i, ı i, i, F i ) here Q i is a set of i-local states, ith initial state ı i Q i and final states F i Q i, and i (Q i Σ i Q i ) is the i-local transition relation. A global state is a pair (s, χ) here s i I Q i is a tuple of local states and χ is a channel state. The initial global state is the pair ı = (s, χ) such that s = (ı i ) i I and χ = χ 0 is the empty channel state. The system of global states associated to S is the transition system A S = (Q, ı,, F ) here Q is the set of global states, F = ( i I F i) {χ0 } is the set of final global states, and the global transition relation Q Σ I Q satisfies: for any internal action a Σi int a, ((q k ) k I, χ) ((q k ) k I, χ ) if χ = χ, a q i i q i and q k = q k for all k I \ {i}; for all distinct instances i and j, ((q k ) k I, χ) i!m j ((q k ) k I, χ ) if

7 Recognizable Sets of Message Sequence Charts 529 i! m j 1. q i i q i and q k = q k for all k I \ {i}, 2. χ (i, j, m) = χ(i, j, m)+1 and χ(x) = χ (x) for all x Chan \{(i, j, m)}; for all distinct instances i and j, ((q k ) k I, χ) j?m i ((q k ) k I, χ ) if j? m i 1. q j j q j and q k = q k for all k I \ {j}, 2. χ(i, j, m) = 1+χ (i, j, m) and χ(x) = χ (x) for all x Chan \{(i, j, m)}. As usual ith transition systems, for any u = a 1...a n ΣI u, e rite q q if there are some global states q 0,..., q n Q such that q 0 = q, q n = q and for a each r [1, n], q r r 1 qr. We stress that like [1] but unlike [9] the set of i-local states in a message passing automaton might be infinite. An execution sequence of S is a ord u ΣI u such that ı q in A S for some global state q. Then u is a linear extension of some MSC. The latter is a basic MSC if, and only if, q has an empty channel-state. We say that u is a u final execution sequence if ı q for some final global state q. The language L S of S consists of the basic MSCs M such that LE(M) contains a final execution sequence of S. Finally, a language L bmsc is realizable if L = L S for some message passing automaton S. In order to characterize hich HMSCs describe realizable languages, e need some more notations. For any instance i I, the projection on i [1,5] is the map ( i) : ΣI Σ i defined inductively by (ε i) = ε and (.a i) = ( i).a if Ins(a) = i and ( i) otherise. We extend this map from ords to MSCs and from MSCs to HMSCs. First, (M i) = ( i) for any linear extension LE(M) of the MSC M. This is ell-defined due to M 1. Second, e define inductively (H 1 H 2 i) = (H 1 i) (H 2 i), (H 1 + H 2 i) = (H 1 i) + (H 2 i), and (H i) = (H i) for all HMSCs H 1, H 2 and H. Note that (H i) is a rational expression of Σi : It describes a recognizable language of ords. Noteorthy, e observe by an immediate structural induction on H that (H i) describes the set (L H i) of projections on instance i of all MSCs in L H. A basic observation no is that for any MSC M and any linear extension LE(M), e have ((ı i ) i I, χ 0 ) ((q i ) i I, χ) in A S for some channel-state ( i) χ iff ı i q i for all instances i I. Consequently, a basic MSC belongs to the language L S of the MPA S if all its linear extensions are final execution sequences of S. It follos also that a language L of basic MSCs is realizable if, and only if, it satisfies the folloing condition [1]: CC 2 : For all basic MSCs M: ( i I, M i L, (M i) = (M i i)) M L. Thus, although e consider a slightly different architecture, the realizability notion studied in this paper corresponds precisely to the eak realizability investigated in [1,2]. Furthermore e obtain the folloing result. Proposition 3.2. Let L be a language of basic MSCs. Consider for any instance i a transition system A i hose language is (L i) = {(M i) M L}. Then L is realizable if, and only if, L is the language of the MPA S = (A i ) i I. This implies that any realizable rational language of basic MSCs is recognizable, because it can be realized by an MPA ith finitely many local states. Thus, in order to specify realizable languages by HMSCs, e can restrict to c-hmscs

8 530 R. Morin ithout loss of expressive poer (Th. 2.3). Based on Lemma 2.1 again, e present no an algorithm to check hether the language L H of a c-hmsc H is realizable. Theorem 3.3. Checking hether a c-hmsc is realizable is decidable. Proof. Let H be a c-hmsc. We may assume that H is based on a finite set of prime basic MSCs Γ. In particular, L H Γ bmsc. From H, e can build the MPA S = (A i ) i I here A i is the minimal automaton of (L H i). Applying Prop. 3.2, e check hether L S = L H. For this, e proceed in to steps: First e check that L S Γ bmsc = L H and next that L S Γ bmsc. 1 We denote by A = (Q, ı,, F ) the system of global states of S. We can build the transition system A Γ = (( i I Q i) {χ 0 }, ı, Γ, F ) over the alphabet Γ such that q M Γ q if q q in A for some linear extension of M Γ. Note that A Γ is finite because each A i has finitely many i-local states. It is easy to see that a ord u Γ belongs to the language L(A Γ ) of A Γ if, and only if, R Γ [u] L S Γ bmsc. Thus L(A Γ ) = LE(R 1 Γ (L S Γ bmsc )). Since H is a c-hmsc, e have a c-rational expression that describes R 1 Γ (L H) (Lemma 2.1). Therefore, e can compute a finite automaton A H that recognizes LE(R 1 Γ (L H)) [14,18]. Then, e need simply to check that A H and A Γ describe the same language of Γ to kno hether L S Γ bmsc = L H. 2 Recall that if q is a global state hose channel-state is empty and if a ord ΣI satisfies q q in A then is a linear extension of a unique MSC hich ill be denoted M. Furthermore, q has also an empty channel-state if, and only if, M is a basic MSC. Let Q 0 be the subset of global states q ( i I Q i) {χ0 } such that there u exists a linear extension u of a basic MSC M Γ bmsc for hich ı q in A. Observe here that q Q 0 if, and only if, q is reachable from ı in A Γ. Therefore, e can effectively compute Q 0. Assume first that L S \ Γ bmsc is not empty and consider M L S \ Γ bmsc. Then e have a decomposition of M in prime basic MSCs M = M 1... M n M n+1... M m ith M 1,...,M n Γ and M n+1 Γ. Let u u LE(M 1... M n ). Then ı q 0 for some q 0 Q 0. Thus, to kno hether L S Γ bmsc, it is sufficient to check that for all q 0 Q 0, the folloing property holds: P 1 (q 0 ) : For all prime basic MSCs M Γ, if q 0 q1 in A ith LE(M) then no final global state is reachable from q 1. A basic observation here is that S can be simulated by a Place/Transition net. Clearly each A i can be simulated by a 1-safe net hose reachable markings contain only one token that describes the current local state; and, additionally, e can use one place ith infinite capacity to model each channel. Therefore e can decide hether there is a path in A from q 1 to q 2 here q 1 and q 2 are to given global states (or markings) [13,20]. In the sequel, e fix q 0 Q 0 and proceed in to steps. Let C be the maximal number of events in an MSC of Γ. Consider first a prime basic MSC M Γ ith at most (C + 2).Card(I) events and LE(M). We can check hether there is a path q 0 q1 in A for some q 1 ( i I Q i) {χ0 } and if there is a final global state q 2 reachable from q 1. If this happens, Property P 1 (q 0 ) fails (for

9 Recognizable Sets of Message Sequence Charts 531 this M). We actually check this for all primes ith less than (C + 2).Card(I) events. If P 1 (q 0 ) does not fail for these MSCs, then P 1 (q 0 ) becomes equivalent to the folloing property: P 2 (q 0 ) : For all prime basic MSCs M Γ ith at least (C + 1).Card(I) events, if q 0 q1 in A ith LE(M) then no q 2 F is reachable from q 1. Define the levels of an MSC M = (E,, ξ) inductively as follos. First l 0 (M) = min (E), and for all integer k, l k+1 (M) = min (E \ k i=0 l i(m)). Observe that each level l k (M) is an antichain of M. We denote by N the maximal number of non-empty levels in an MSC of Γ. Noteorthy N C. We say that a prefix M = (E,, ξ ) of M respects the levels in M if E = k i=0 l i(m) for some k. We shall see that e can build effectively the finite set L(q 0 ) of all ords ΣI such that (N + 1).Card(I), q 0 q1 in A for some global state q 1, M has exactly N + 1 non-empty levels, and v q 1 q 2 in A for some final global state q 2 and a ord v ΣI such that M respects the levels in the basic MSC M.v. Assume that fulfills the three first conditions and let χ be the channel state v of q 1. In case q 1 q 2 F in A then v satisfies the fourth condition iff 1. if l N+1 (M ) contains no event on instance i then (v i) is empty or its first action is not a local action, nor a send action; 2. if l N+1 (M ) contains no event on instance j and if χ (i, j, m) 2 for some i then (v j) is empty or its first action is not j? m i; 3. if l N+1 (M ) contains no event on instance j and if χ (i, j, m) = 1 for some i and l N+1 (M ) contains no send action i! m j then (v j) is empty or its first action is not j? m i. Based on l N+1 (M ) and χ, e can compute for each instance hich actions cannot occur first. Then, e can adapt the simulation of S by Petri nets in order to forbid these actions as first local action. In that ay e can check hether there exists a sequence v that satisfies the fourth condition. Thus, e can effectively compute L(q 0 ). Consider no Property P 3 (q 0 ): P 3 (q 0 ) : For all L(q 0 ), for all minimal event e of the MSC M, there is a basic MSC M Γ isomorphic to a prefix of M that contains e. To conclude, e shall prove P 1 (q 0 ) P 3 (q 0 ) and P 3 (q 0 ) P 2 (q 0 ). Recall that e are in the special case here P 1 (q 0 ) P 2 (q 0 ). Therefore, it is no sufficient to check P 3 (q 0 ) to kno hether P 1 (q 0 ) holds. P 1 (q 0 ) P 3 (q 0 )? Let L(q 0 ). Then q 0 q1 q 2 F in A. Let e be a minimal event of the MSC M. Since M is a prefix of M.v, e is also a minimal event of the basic MSC M.v. Let M be the least basic prefix of M.v that contains e. Then M.v = M M and M is prime. Consider LE(M ) and v LE(M ). We have q 0 q v q 2 in A. Since P 1 (q 0 ) holds, e get M Γ and M has at most N non-empty levels. Since M respects the levels in M.v and M has N + 1 non-empty levels, M is also a prefix of M. v

10 532 R. Morin We sho finally that P 2 (q 0 ) implies P 3 (q 0 ). Let M be a prime basic MSC v not in Γ ith at least (C + 1).Card(I) events such that q 0 q1 q 2 F for some LE(M). Then M has at least (N + 1).Card(I) events, hence at least N + 1 non-empty levels. Since M = M is a prefix of M.v, M.v has at least N + 1 non-empty levels too. Let M be the restriction of M.v to its N + 1 first levels and LE(M ). Then M respects the levels in M.v. We have q 0 q v q 2 ith.v LE(M.v ) and M.v = M.v. Since M has N + 1 non-empty levels, e have (N + 1).Card(I). Hence L(q 0 ). Consider no the prefix M of M = M consisting of its N + 1 first levels. Then M is also a prefix of M. Let e be a minimal event of M ; this is also a minimal event of M. We proceed no by contradiction. Assume that there exists M Γ hich is (isomorphic to) a prefix of M = M that contains e. Then the intersection beteen M and M contains e, is an ideal of M.v, M and M, and corresponds to a basic MSC because M and M are basic, contain e and are prefixes of M.v. Since M and M are prime, this implies M = M hence M Γ. Contradiction. Observe no that any bounded MSC-graph [2,3] can be translated effectively into an sc-hmsc. Therefore realizability of bounded MSC-graphs is also decidable. As shon in [2, Th. 1], this result fails if one assumes that no overtaking occurs both in the languages to be realized and in the behavior of any MPA. We stress finally that our technique can be adapted to check safe realizability [1,2] of c-hmscs even if overtaking is forbidden: The reason is that e need no longer to check the reachability of final states from some stages. In that ay, safe realizability of (unbounded) connected MSC-graphs is also decidable. 4 Recognizability vs. MSO-Definability Recognizable languages of basic MSCs form a particularly interesting frameork for the specification of realizable protocols in particular, for those ith unbounded channel size. Differently from rational languages, e can specify a system by means of typical executions together ith forbidden ones and still remain in the field of recognizable languages, because they are closed by complement and intersection. Admittedly, logical formulae are another natural ay to express pathological or critical behaviors too. This motivates the study of the relationship beteen recognizability and logical definability. Consider a finite alphabet Σ. Formulae of the MSO language over Σ that e consider involve first-order variables x, y, z... for events and second-order variables X, Y, Z... for sets of events. They are built up from the atomic formulae P a (x) for a Σ (hich stands for the event x is labeled by the action a ), x y, and x X by means of the boolean connectives,,,, and quantifiers, (both for first order and for set variables). We denote by MSO(Σ) the set of all formulae of the MSO language. Formulae ithout free variables are called sentences. The satisfaction relation = beteen the set of pomsets and the set of sentences of monadic second order logic is defined canonically ith the understanding that first order variables range over events of E and second order

11 Recognizable Sets of Message Sequence Charts 533 Rational languages Subsets of basic MSCs Channel-bounded languages Regular languages Finitely generated languages Recognizable languages MSO-definable languages Fig. 4. Comparison beteen Theorem 4.1 and [9, Th. 4.3] variables over subsets of E. The class of pomsets hich satisfy a sentence ϕ is denoted by Mod(ϕ). We say that a class of pomsets P is MSO-definable if there exists a monadic second order sentence ϕ such that P = Mod(ϕ). By means of Lemma 2.1, e apply once again results from trace theory to get a Büchi-like theorem hoever for finitely generated languages only. Theorem 4.1. Let L be a finitely generated language of basic MSCs. Then L is recognizable in bmsc if, and only if, L is MSO-definable. Proof (sketch). Consider a finite set of prime basic MSCs Γ = {M 1,..., M n } such that L Γ bmsc. Assume first that L is MSO-definable by a sentence φ. For each k [1, n], e choose u k LE(M k ). We consider the language L ΣI hich consists of the ords = u k1...u km such that M = M k1... M km L. We claim that L is MSO-definable by a sentence ψ that e can easily obtain from φ : The reason is that e can recover the partial order of events in M from the total order of. By Büchi s Theorem [4], L is recognizable in the free monoid ΣI. We use then the minimal Σ I-automaton that recognizes L to sho that L is recognizable in Γ bmsc hence in bmsc. We assume no that L is recognizable in bmsc. We observe first that Γ bmsc is MSO-definable because each M Γ is connected. By Lemma 2.1, L = R 1 Γ (L) is recognizable in M(Γ, ). By [22], the corresponding set of pomsets is definable by an MSO-sentence φ L. We infer from φ L a formula that defines L ithin Γ bmsc. Given M = M k1... M km, e can recover hich events belong to the same prime component. Then e simply need to choose one representative event in each component M kl and to recover the partial order beteen those events that corresponds to R 1 Γ (M). By means of φ L, e can then formalize hether M L. This relationship is depicted on Fig. 4. It completes [9, Th. 4.3] hich asserts that a language is regular if, and only if, it is MSO-definable ith bounded channels. It follos that a finitely generated language is regular if, and only if, it is recognizable and channel-bounded.

12 534 R. Morin Acknoledgments. I am grateful to M. Droste for draing my attention on [2,12]. Thanks also to D. Kuske for motivating discussions about these papers. References 1. Alur R., Etessami K. and Yannakakis M.: Inference of message sequence charts. 22nd Intern. Conf. on Softare Engineering, ACM (2000) Alur R., Etessami K. and Yannakakis M.: Realizability and verification of MSC graphs. LNCS 2076 (2001) Alur R. and Yannakakis M.: Model Checking of Message Sequence Charts. CON- CUR 99, LNCS 1664 (1999) Büchi J.R.: Weak second-order arithmetic and finite automata. Z. Math. Logik Grundlagen Math. 6 (1960) Caillaud B., Darondeau Ph., Hélouët L. and Lesventes G.: HMSCs as partial specifications... ith PNs as completions. LNCS 2067 (2001) Diekert V. and Rozenberg G.: The Book of Traces. (World Scientific, 1995) 7. Hélouët L. and Le Maigat P.: Decomposition of Message Sequence Charts. Proc. SAM 2000 (Verimag, Grenoble, 2000) 8. Henriksen J.G., Mukund M., Narayan Kumar K. and Thiagarajan P.S.: On message sequence graphs and finitely generated regular MSC language. LNCS 1853 (2000) Henriksen J.G., Mukund M., Narayan Kumar K. and Thiagarajan P.S.: Regular collections of message sequence charts. LNCS 1893 (2000) Holzmann G.J.: Early Fault Detection. TACAS 96, LNCS 1055 (1996) ITU-TS: Recommendation Z.120: Message Sequence Charts. (Geneva, 1996) 12. Madhusudan P.: Reasoning about Sequential and Branching Behaviours of Message Sequence Graphs. LNCS 2076 (2001) Mayr, E.W.: Persistence of Vector Replacement Systems is Decidable. Acta Informatica 15 (1981) Métivier Y., Richomme G. and Wacrenier P.: Computing the Closure of Sets of Words under Partial Commutations. LNCS 974 (1995) Morin R.: On Regular Message Sequence Chart Languages and Relationships to Mazurkieicz Trace Theory. FoSSaCS 2001, LNCS 2030 (2001) Mukund M., Narayan Kumar K. and Sohoni M.: Synthesizing distributed finitestate systems from MSCs. LNCS 1877 (2000) Muscholl A.: Matching Specifications for Message Sequence Charts. FoSSaCS 99, LNCS 1578 (1999) Muscholl A. and Peled D.: Message sequence graphs and decision problems on Mazurkieicz traces. LNCS 1672 (1999) Ochmański E.: Regular behaviour of concurrent systems. Bulletin of the EATCS 27 (Oct. 1985) Reutenauer C.: The Mathematics of Petri Nets. (Masson, 1988) 21. Sakarovitch J.: The last decision problem for rational trace languages. LNCS 583 (1992) Thomas W.: On logical definability of trace languages. Technical University of Munich, report TUM-I9002 (1990)