Non-Sequential Theory of Distributed Systems
Lecture MPRI M2
Benedikt Bollig & Paul Gastin
October 18, 2016
Contents
1 Introduction
1
1.1
Synthesis and Control . . . . . . . . . . . . . . . . . . . . . . . . .
1
1.2
Modeling behaviors as graphs . . . . . . . . . . . . . . . . . . . . .
6
1.3
Underapproximate Verification . . . . . . . . . . . . . . . . . . . .
9
2 Concurrent Processes with Data Structures
12
2.1
The Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12
2.2
Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . .
14
2.3
Graph Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
3 Logic
20
3.1
Monadic Second-Order Logic . . . . . . . . . . . . . . . . . . . . .
20
3.2
Expressive Power of MSO Logic . . . . . . . . . . . . . . . . . . . .
22
3.3
Propositional Dynamic Logic . . . . . . . . . . . . . . . . . . . . .
26
3.4
Expressive Power of ICPDL . . . . . . . . . . . . . . . . . . . . . .
29
3.5
Satisfiability and Model Checking . . . . . . . . . . . . . . . . . . .
35
4 Underapproximate Verification
37
4.1
Principles of Underapproximate Verification . . . . . . . . . . . . .
37
4.2
Graph-Theoretic Approach
. . . . . . . . . . . . . . . . . . . . . .
39
4.3
Graph (De)composition and Tree Interpretation . . . . . . . . . . .
40
4.4
Split-Width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
i
4.5
Main Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
4.6
Special tree terms and tree interpretation . . . . . . . . . . . . . .
47
4.7
Split-width and Special tree-width . . . . . . . . . . . . . . . . . .
50
4.8
Tree automata and Decision procedures . . . . . . . . . . . . . . .
52
4.9
ICPDL model checking . . . . . . . . . . . . . . . . . . . . . . . . .
57
5 Distributed systems with shared resources
66
5.1
Architecture for shared resources . . . . . . . . . . . . . . . . . . .
66
5.2
Asynchronous automata . . . . . . . . . . . . . . . . . . . . . . . .
68
5.3
Traces as graphs or partial orders . . . . . . . . . . . . . . . . . . .
71
5.4
Checking Closure of DFAs . . . . . . . . . . . . . . . . . . . . . . .
77
5.5
Star-Connected Regular Expressions . . . . . . . . . . . . . . . . .
77
5.6
Logic Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .
78
ii
CHAPTER
1
Introduction
1st Lecture
D
L
Pi examples of the kind of problems
Before we go into formal definitions, we give some
that are treated in the lecture.
P1 ! on
P2 ! on
1.1 Synthesis and Control
D ? on
L ! on
P1 ? on
P2 ? on
1.1.1 A simple protocol
on
P1 ? off
off
D ? off
L ! off
P1 ! off
P2 ? off
In this lecture, weP2
consider
systems
that
consist
of
a
fixed
finite
number
of
processes
! off
that are connected via communication media. Consider the following architecture
and assume that communication is synchronous.
P1
D
L
P2
Consider a process D (the device), which communicates with two processes, P1 and
P2, sending them regularly its current status (on or off ). Every status message
is forwarded, by P1 or P2, to L (a lamp, or display). The latter is either on or
off and, upon reception of a message, may change (or not) the current status. For
simplicity, we will assume rendez-vous (i.e., handshake) communication. A naive
implementation looks as follows:
1
D
L
Pi
P1 ! on
P2 ! on
P1 ! off
P2 ! off
D ? on
L ! on
P1 ? on
P2 ? on
on
D ? off
L ! off
P1 ? off
P2 ? off
off
However, this may result in the following communication scenario, which yields the
“wrong” output:
D
P1
L
P2
on
on
off
on
on
on
on
off
off
The problem is that L does not know which of the last two messages that it receives
is the latest one.
Suppose we are not allowed to change the architecture of the system. We are
only allowed to add local and deterministic controllers to each process that add
additional message contents. In particular, a controller should not block any of the
possible actions of the given system. Is there still a way to control the protocol in
a way such that L shows the correct result?
2
1.1.2 A first solution.
A first, rather obvious solution would consist in using timestamps. Strictly increasing timestamps are sent by D along with a status message, forwarded by P1 and
P2, and then compared by L with its latest knowledge.
D
L
Pi
P1 ! on(x:=x+1)!
P2 ! on(x:=x+1)
D ? on(x)
P1 ? on(x)!
P2 ? on(x)
L ! on(x)
x:=0
x>y
on
y:=x
x≤y
noop
x>y
off
y:=x
x≤y
noop
y:=0
D ? off(x)
P1 ! off(x:=x+1)
P2 ! off(x:=x+1)
P1 ? off(x)
P2 ? off(x)
L ! off(x)
It is easy to see that the protocol is correct in the sense that L does not update
its display based on outdated information. The following scenario shows that the
error from the previous solution is indeed avoided.
D
P1
L
P2
on(1)
x y
on(1)
1 0
off(2)
on
on(3)
on(3)
3 1
on
off(2)
2 3
noop
3
D
P1
L
P2
on
1.1.3 Towards finite-state solutions
on
off
The previous solution uses infinitely many states, since time stamps are strictly
on
increasing. This may notonbe adequate in the realm of reactive processes, which are
supposed to run forever. However, finding a finite-state solution
is difficult. It is
on
actually impossible for the above specification.
on
Fortunately, there are guaranteed solutions
off in the case where every message is
immediately followed by an acknowledgment. So, let us assume the following arnoop
chitecture:
P1
D
L
P2
Moreover, the allowed communication scenarios look as follows, i.e., every message
is immediately followed by an acknowledgment (which can be augmented with
additional messages):
D
P1
L
P2
on
on
off
on
on
on
on
off
noop
In this particular case, we get a finite-state local controller. However, it is not
P1
always easy to come up with a solution.
D
Exercise 1.1. Try to find a finite-state controller.
L
P2
♦
The process of finding a controller is actually error-prone. So, it is natural to ask
the following question:
Is there an automatic way to generate a controller from a specification?
The answer is YES, provided that the specification satisfies some properties.
4
In our example, the specification Lspec ⊆ Σ∗ could be a word language over the
following alphabet:
on
on
off
off
off
off
Σ = {hD P1i , hD P2i , hD P1i , hD P2i}
on
on
∪ {hP1 Li , hP2 Li , hP1 Li , hP2 Li}
∪ {on, off , noop}
Let ΣP1 ⊆ Σ be the subalphabet containing those actions involving P1. Moreover,
let ΣP2 ⊆ Σ contain those with P2, and so on. In particular, {on, off , noop} ⊆ ΣL .
With this, Lspec is the set of words w ∈ Σ∗ satisfying the following:
(R1) The projection of w to ΣP1 is contained in
on
off
on
off
(hD P1ihP1 Li + hD P1ihP1 Li)∗ .
(R2) The projection of w to ΣP2 is contained in
on
off
on
off
(hD P2ihP2 Li + hD P2ihP2 Li)∗ .
(R3) The projection of w to ΣL is contained in
∗
off
off
on
on
(hP1 Li + hP2 Li + hP1 Li + hP2 Li)(on + off + noop) .
(R4) “The display is updated iff the last (previous) status message emitted by
D that has already been followed by a forward was not yet followed by a
corresponding update by L.”
Exercise 1.2. Formalize the requirement (R4) in terms of a finite automaton or
an MSO formula.
♦
Here are some example words to illustrate Lspec :
on
off
off
on
• hD P1ihD P2ihP2 Lioff hP1 Linoop ∈ Lspec ,
on
on
on
on
on
off
on
on
• hD P1ihP1 LihD P1ion
6∈ Lspec ,
off
• hD P1ihP1 LihD P2ionhP2 Lioff
off
off
• hD P1ihP1 LionhD P2ihP2 Lioff
∈ Lspec ,
∈ Lspec .
Obviously, Lspec is a regular language. Moreover, it is closed under permutation
rewriting of independent events. The latter means that changing the order of
neighboring independent actions in a word does not affect membership in Lspec .
This seems natural, since the order of independent event cannot be enforced by a
distributed protocol. Here, two actions are said to be independent if they involve
distinct processes. For example,
5
on
• hD P1i and on are independent,
on
on
• hD P1i and hP2 Li are independent,
on
off
• hD P1i and hD P2i are not independent,
on
on
• hD P2i and hP2 Li are not independent.
Exercise 1.3. Show that Lspec is closed under permutation rewriting.
♦
The following is a fundamental result of concurrency theory (yet informally stated):
Theorem [Zielonka 1987]:
Let L be a regular set of words that is closed under permutation rewriting of independent events. There is a deterministic finite-state distributed protocol that realizes
L.
Thus, the specification Lspec could indeed be realized as a distributed program.
There are, however, regular specifications that are not realizable (and, therefore,
are not closed under permutation rewriting). Consider the language
on
on
L = (hD P1ihP2 Li)∗ .
Though L is regular, it is not closed under permutation rewriting. Even worse, the
closure under permutation is not regular anymore. Specification L says that there
are as many messages from D to P1 as from P2 to L. Intuitively, it is clear that
this cannot be realized by a finite-state system in a distributed fashion: There is
no communication going on between D/P1 on the hand, and P2/L on the other
hand.
1.2 Modeling behaviors as graphs
1.2.1 Partial orders
Requirement (R4) from the last section is somehow awkward to write down. The
reason is that a word over Σ imposes an ordering of events that, actually, are not
causally related in the corresponding execution. When we say “last”, this refers to
the “last” position in the word. Consider, for example, the word
on
on
on
on
off
w = hD P1ihP1 LihD P2ion
off
hD P1ihP1 LionhP2 Linoop ∈ Lspec .
The “last position” right before the on in the first line is actually in no way related
to on. So, it is not natural (and not needed) to include it in what we mean by
6
“last”. In our reasoning, a more relaxed ordering has to be recovered from the word
ordering. So, why not directly reason about the causal order as it is imposed by a
distributed system?
In the following, we do not consider an execution of a system as a word, i.e., a total
order, but rather as a partial order. The partial order is already suggested by the
message diagrams that we used to argue about our distributed protocols. Consider
the execution below, whose partial order is represented by its Hasse diagram. It
corresponds to the above word w.
D
P1
L
P2
on
on
off
on
on
on
on
off
noop
Suppose this partial order is denoted by ≤. Then, (R4) can be conveniently
rephrased (as we do not need the part “... that has already been followed by
...” anymore):
(R4’) “When L performs on (off , respectively), then the last (wrt. ≤) status message sent by D should also be on (off , respectively). Moreover, a display
operation should be noop iff there has already been an acknowledgement
between the latest status message and that operation.”
This can very easily be expressed in monadic second-order (MSO) logic over partial
orders, using the partial order ≤.
Exercise 1.4. Give an MSO formula for (R4’).
♦
An advantage of MSO logic that is directly interpreted over partial orders is the
following theorem:
Theorem [Thomas 1990]:
Let L be an MSO-definable set of partial orders. There is a finite-state distributed
protocol that realizes L.
7
1.2.2 Reasoning about recursive processes
The previous discussion somehow motivates the naming of our lecture. However,
in our modeling we will go a step further. One single behavior is not just a partial
order, but an (acyclic) graph, which is more general. The edges reflect causal
dependencies, but they provide even more information. For example, they may
connect a procedure call with the corresponding return, or the sending of a message
with its receive.
Consider a system of two processes, P1 and P2, connected by two unbounded
FIFO channels (one in each direction). From time to time, P1 sends requests to
P2. The latter, when receiving a request, calls a procedure, performs some internal
actions, and returns from the procedure, before it sends an acknowledgment. In
the scope of a procedure, it may call several subprocedures. Thus, P1 performs
actions from the alphabet Σ1 = {h!reqi, h?acki} and P2 performs actions from
Σ2 = {h?reqi, h!acki, hcalli, hreti}. Let Σ = Σ1 ∪ Σ2 .
Let us try to model the protocol in terms of a word language L. It should say
that, whenever a request is received, P2 should start a subroutine and send the
acknowledgment immediately after returning from this subroutine. Thus, we shall
have
w1 = h!reqi h?reqi hcalli hcalli hreti hcalli hreti hreti h!acki h?acki ∈ L .
On the other hand, we should have
w2 = h!reqi h?reqi hcalli hcalli hreti hcalli hreti h!acki h?acki hreti 6∈ L .
But how do we express this in a specification language over words such as MSO
logic? Unfortunately, there is no such formula, since L is a non-regular property.
Exercise 1.5. Prove that L is not regular.
♦
The solution is to equip a word with additional information, which allows us to
“jump” from a call to its associated return position. In other words, we add an
edge from a call to the corresponding return:
Then, w1 corresponds to:
cr
cr
?req
call
call
cr
ret
call
ret
ret
!ack
msg
msg
!req
?ack
cr
Moreover, w2 corresponds to:
cr
?req
msg
call
call
cr
ret
8
call
ret
!ack
ret
msg
?req
call
call
ret
call
ret
ret
!ack
msg
msg
!req
?ack
cr
cr
?req
call
call
cr
ret
call
ret
!ack
ret
msg
msg
!req
?ack
From this point of view, we can now express our property easily in a suitable MSO
logic:
lenging research area. Variousmeans of interaction between the concurrent
h?reqi(x)
⇒ ∃y1 , y2 , zby
x→
y1 ∧ cr(y1 , of
y2 )which
∧ y2 →two
z ∧prominent
h!acki(z) ones are
processes ∀x
have
been considered
researchers,
‘shared-variable communication’ and ‘communication via channels’.
It is for similar obvious reasons that, in an asynchronous setting, we connect a send
Different processes running on the same machine may employ ‘shared-variable
with a receive event.
communication’ as the main method of interaction, while physically distributed
programs rely on communication channels. The former corresponds to ‘synchronous
communication’ while
the latter gives rise to ‘asynchronous communi1.3 Underapproximate
Verification
cation’.
Welecture
will consider
generic
which
incorporate
both
these methods
The
is concerned
withsystems
distributed
systems
with a fixed
architecture:
There of
communication
(cf.
see
the
figure
below).
We
will
be
considering
physically
is a finite set of processes, which are connected via some communication media.
distributed
machines
which
communicate
(possibly
reliable
first-inWe will consider
stacks,
FIFO
channels, andvia
bags
(with theseveral)
restriction
that stacks
1
first-out
of these
areofcapable
running potentially
connectqueues.
a processEach
with itself,
withmachines
the purpose
modelingofrecursion).
A priori, werecursive
multi-threaded
These
withinoraexpressivity
machine use
shared
assume
that all media programs.
are unbounded.
Toprograms
get decidability
results,
however,
may sometimes impose
bound onconsisting
channels orofstacks.
Recall
that,comin
variable
forwe
communication.
Such aamachine
a set of
threads
the introductory
example,
we assumed
communication,
which roughly
municating
by shared
memory
can besynchronous
formally modelled
as a multi-pushdown
corresponds
with
0.
system.
Thus to
weFIFO
have channels
a network
of capacity
multi-pushdown
systems communicating via
FIFO
queues. figure
Moreover,
these
may use stacks
and
queuesCyriac’s
as dataThe following
illustrates
oneprograms
possible architecture
(source:
Aiswarya
structures
thesis): to aid their local computation. We call such a system a system of
concurrent processes with data-structures (CPDS).
Queue 1
Stack 1
Stack 2
Queue 5
Process 2
Process 1
Process 3
Queue 2
Queue 6
Queue 3
Queue 7
Queue 4
Stack 3
This
models
real-world
several
computers as
connected
via awith
localIn the
following,
we willsystems
actuallylike
depict
an architecture
a finite graph
area-network.
Each
of
these
computers
may
run
several
recursive
programs
directed edges of three types, depending on the type of the communication medium
concurrently,
which
mayfollow
communicate
among
themselves via shared memory
they represent.
We will
the following
convention:
access.
A
computer
may
also
provide
several
data-structures
to the programs
1
We do not consider lossy channels. Cf. Cours 2.9.1.
for the storage and retrieval of data. These computers may access the network
to communicate with its peers, via first-in-first-out
channels.
9
1
2
3
The behaviours of such system may be modelled
by unifying message sequence charts [IT11] and
nested-words [AM09]. We call them MSCNs.
The behaviour of each process can be seen as
c
FIFO channel
s
stack
b
bag
c
c
1 the reachability problem, i.e., to askc1whether
FIFO channel
The most basic verification
c)
c)
a)questioncis
some control
statestack
of some process is reachable. Let us examine the decidability
s
status of the reachability problem for
c2 the following architectures:
c2
b
c
b)
c1
c)
d)
s
d)
s1
e)
c2
f)
s1
c2
c
s2
c
s
f)
s1
g)
s1
s2
h)
b1
c
b2
a) Undecidable. A system can simulate a Turing machine TM as follows: Via c1 ,
process 1 (on the left) sends the current configuration of the TM to process
2. Process 2 only sends every message that it receives immediately back
to 1. When 1 receives the configuration, it locally modifies it simulating a
transition of TM.
b) Undecidable. Similarly to a), the process sends the current configuration
through the channel c. When receiving a configuration from c, it modifies it
locally.
c) Undecidable. This can be shown by reduction from PCP (Post’s correspondence problem). Process 1 guesses a solution (a sequence of indices, and it
sends the corresponding words via channels c1 and c2 , respectively. Process
2 will then just check if the sequences send through c1 and c2 coincide. To
do this, it reads alternately from both channels and checks whether both
symbols coincide.
d) Decidable. This case can be reduced to synchronous communication and,
therefore, reachability in a finite-state system.
e) Decidable. This case corresponds to emptiness of pushdown automata.
f) Undecidable. One can easily simulate a two-counter machine. Equivalently,
we may use the concatenation of two stacks to simulate the unbounded tape
of a Turing machine.
10
b1
b2
s2
c
g)
c
s2
e)
c
bag
c1
a)
d)
g) Undecidable. We may use a reduction from the intersection-emptiness problem for two pushdown automata. Modify the two pushdown automata (e.g.,
using Greibach’s normal form) such that they write nondeterministically
some accepted word on the stack. So, both pushdown automata will first
both choose words w1 and w2 , respectively. While doing so, process 1 clears
its stack sending w1 letter by letter to process 2. Whenever process 2 receives
a letter, it compares it with its stack content, which is then removed.
h) Undecidable. We use a reduction from case b). Process 1 simulates send
transitions through channel c. To simulate a receive transition through c, it
puts a token into bag b1 , whose value is the message to be received, say m.
Process 1 can then only proceed when it finds an acknowledgment token in
bag b2 . The latter is provided by process 2 after removing m from c. Note
that this procedure can be implemented even when communication between
both processes is synchronous.
We conclude that almost all verification problems are undecidable even for very
simple system architectures.
In this lecture, we therefore perform underapproximate verification: We restrict the
behavior of a given system in a non-trivial way that still allows us to reason about
it and deduce correctness/faultiness wrt. interesting properties. Let us illustrate
some restrictions using some of the undecidable architectures above:
• In all cases, we may assume that communication media have capacity B
(existentially B-bounded), for some fixed B.
• In case f), assuming an order on the stacks, we can only pop from the first
nonempty stack.
• In case f), we may also impose a bound on the number of contexts. In turn,
there are several possible definitions of what is allowed in a context:
– We can only touch one stack.
– We can only pop from one stack.
– Many more ...
Under all these restrictions, most standard verification problems (even model checking against MSO-definable properties) becomes decidable, with varying complexities.
In the lecture, we will take a uniform approach to underapproximate verification.
11
CHAPTER
2
Concurrent Processes with Data Structures
Notation is taken from [AG14].
2.1 The Model
Definition 2.1 (Architecture). An architecture is a tuple
A = (Procs, DS, Writer, Reader)
• Procs
finite set of processes
• DS = Stacks ] Queues ] Bags
finite set of data structures
• Writer : DS → Procs
• Reader : DS → Procs
such that Writer(s) = Reader(s) for all s ∈ Stacks.
♦
Example 2.2. Consider the following architecture:
Stack d1
Queue d2
Process p1
Queue d3
Bag d4
Process p2
We have Procs = {p1 , p2 }, Stacks = {d1 }, Queues = {d2 , d3 }, and Bags = {d4 }.
E.g., Writer(d1 ) = Reader(d1 ) = p1 .
♦
12
Definition 2.3 (CPDS). A system of concurrent processes with data structures
(CPDS) over A and an alphabet Σ is a tuple
S = (Locs, Val, (→p )p∈Procs , `in , Fin)
• Locs
nonempty finite set of locations
nonempty finite set of values
• Val
• `in ∈ Locs
initial location
• Fin ⊆ LocsProcs
global final locations
transitions of p
• →p
– internal transition
– write transition
– read transition
a
`−
→p `0
a,d!v
` −−−→p `0 with Writer(d) = p
a,d?v
` −−−→p `0 with Reader(d) = p
where `, `0 ∈ Locs, a ∈ Σ, d ∈ DS, and v ∈ Val
We let CPDS(A, Σ) be the set of CPDSs over A and Σ.
♦
Example 2.4. Let A be given by Procs = {p1 , p2 }, Queues = {c1 , c2 }, Stacks =
{s}, Bags = ∅, with Writer(c1 ) = Reader(c2 ) = p1 and Writer(c2 ) = Reader(c1 ) = p2
and Writer(s) = Reader(s) = p2 . Moreover, let Σ = {a, b}. Consider the clientserver system Scs over A and Σ given as follows:
c1
s
p2
p1
c2
3
a, s ? a
or
a, c2 ! a
a, c1 ! a
b, c1 ! b
b, c1 ? b
a, c1 ? a
0
0
1
or
or
a, c2 ? a
b, c2 ? b
a, c2 ! a
a, s ! a
or
b, s ? b
b, c2 ! b
b, s ! b
b, c2 ! b
4
13
2
Process p1 , the client, sends requests of type a or b to process p2 , the server. The
latter may acknowledge the request immediately, or put it on its stack (either,
because it is busy or because the request does not have a high priority). At any
time, however, the server may pop a task from the stack and acknowledge it.
We have Locs = {0, 1, 2, 3, 4}, `in = 0, Fin = {(0, 0)}, and Val = {a, b}.
♦
2.2 Operational Semantics
S defines (infinite) automaton AS = (States, =⇒, sin , F ) over Γ = (Procs × Σ) ∪
(Procs × Σ × DS × {!, ?})
• States = LocsProcs × (Val∗ )DS
for (`, z) ∈ States, we denote ` = (`p )p∈Procs and z = (zd )d∈DS
• sin = ((`in , . . . , `in ), (ε, . . . , ε))
• F = Fin × {ε}DS
• =⇒ ⊆ States × Γ × States
p,a
– internal transition (`, z) ==⇒ (`0 , z)
a
if `p −
→p `0p and `0q = `q for all q 6= p,
p,a,d!
– write transition (`, z) ===⇒ (`0 , z 0 )
if there is v ∈ Val:
a,d!v
`p −−−→p `0p and `0q = `q for all q 6= p and
zd0 = zd v and zc0 = zc for all c 6= d
p,a,d?
– read transition (`, z) ===⇒ (`0 , z 0 )
if there is v ∈ Val:
a,d?v
`p −−−→p `0p and `0q = `q for all q 6= p

 d ∈ Stacks: zd = uv and zd0 = u
d ∈ Queues: zd = vw and zd0 = w

d ∈ Bags:
zd = uvw and zd0 = uw
and zc0 = zc for all c 6= d
and


for some u, w ∈ Val∗

We let Lop (S) := L(AS ) ⊆ Γ∗ (discarding the empty word).
Example 2.5. In our client-server system, Lop (Scs ) contains:
• (p1 , a, c1 !)(p2 , a, c1 ?)(p2 , a, c2 !)(p1 , a, c2 ?)
• (p1 , a, c1 !)(p1 , b, c1 !)(p2 , a, c1 ?)(p2 , a, s!)(p2 , b, c1 ?)(p2 , b, c2 !)
(p1 , b, c2 ?)(p2 , a, s?)(p2 , a, c2 !)(p1 , a, c2 ?)
♦
Exercise 2.6. Show that Lop (Scs ) is not regular.
♦
14
2.2.1 Nonemptiness/Reachability Checking
For an architecture A and an alphabet Σ, consider the following problem:
Nonemptiness(A, Σ):
Instance:
Question:
S ∈ CPDS(A, Σ)
Lop (S) 6= ∅ ?
Theorem 2.7. Let A be any of the following architectures: a, b, c, f, g, h.
c
Then, Nonemptiness(A,
Σ) is undecidable.
FIFO channel
s
stack
b
bag
c
c1
a)
b)
c1
c)
c2
e)
s
d)
c
c2
f)
s1
g)
s1
s2
c
s2
h)
b1
c
b2
The following table summarizes some special cases:
15
A
automata type
CBM
Nonemptiness(A, Σ)
|Procs| = 1
|DS| = 0
finite automaton
word
decidable
|Procs| = |DS| = 1
DS = Stacks
(visibly)
pushdown automaton
nested word
decidable
|Procs| = 1
|DS| ≥ 2
DS = Stacks
multi-pushdown
automaton
multiply
nested word
undecidable
DS = Bags
≈ Petri net
|Procs| ≥ 2
DS = Queues
= Procs × Procs
\{(p, p) | p ∈ Procs}
Writer(p, q) = p
Reader(p, q) = q
decidable
message-passing
automaton
message
sequence
chart (MSC)
undecidable
2.3 Graph Semantics
Example 2.8. Let us represent behaviors as graphs. We start with an example.
p2
p1
a
a
a
b
b
b
b
b
b
b
a
a
a
a
b
b
b
a
a
a
♦
16
2nd Lecture
Definition 2.9. A concurrent behavior with matching (CBM) over A and Σ is a
tuple
M = ((wp )p∈Procs , (Bd )d∈DS )
• wp ∈ Σ∗
sequence of actions on process p
Notation:
Ep = {(p, i) | 1 ≤ i ≤ |wp |} events of process p
S
E = p∈Procs Ep
(p, i) → (p, i + 1) if 1 ≤ i < |wp |
for e = (p, i) ∈ Ep , let pid(e) = p and λ(e) ∈ Σ be the i-th letter of wp
• Bd ⊆ EWriter(d) × EReader(d) such that:
0
– if e1 Bd e2 and e3 Bd e4 are different edges (d 6= d0 or (e1 , e2 ) 6= (e3 , e4 )),
then they are disjoint (|{e1 , e2 , e3 , e4 }| = 4)
– < = (→ ∪ B)+ ⊆ E × E is a strict partial order
S
where B = d∈DS Bd
– ∀d ∈ Stacks (LIFO):
e1 Bd f1 and e2 Bd f2 and e1 < e2 < f1
– ∀d ∈ Queues (FIFO):
e1 Bd f1 and e2 Bd f2 and e1 < e2
=⇒ f2 < f1
=⇒ f1 < f2
We let CBM(A, Σ) be the set of CBMs over A and Σ.
Run:
Consider a mapping ρ : E → Locs.
Define ρ− : E → Locs by
(
ρ(e0 ) if e0 → e
ρ− (e) =
`in
if e is minimal on its process
Now, ρ is a run of S on M if the following hold:
• for all internal events e:
λ(e)
ρ− (e) −−→pid(e) ρ(e)
• for all e Bd f , there is v ∈ Val such that:
λ(e),d!v
– ρ− (e) −−−−−→pid(e) ρ(e) and
λ(f ),d?v
– ρ− (f ) −−−−−→pid(f ) ρ(f )
17
♦
Accepting:
A run ρ is accepting if (`p )p∈Procs ∈ Fin where
(
`in
if Ep = ∅
`p =
ρ((p, |wp |)) otherwise
We let L(S) denote the set of CBMs accepted by S.
Example 2.10. The following figure depicts a run of Scs :
p2
p1
0
a
a
0
b
b
1
0
2
0
b
b
0
0
b
b
0
a
a
2
0
1
0
a
a
0
a
b
4
b
0
b
b
a
0
a
0
3
a
0
♦
Relation between operational and graph semantics:
Every CBM M = ((wp )p∈Procs , (Bd )d∈DS ) defines a set of words over Γ.
Let γM : E → Γ
= (Procs × Σ) ∪ (Procs × Σ × DS × {!, ?})
be defined by


if e is internal
(pid(e), λ(e))
γM (e) = (pid(e), λ(e), d!) if e Bd f


(pid(e), λ(e), d?) if f Bd e
18
A linearization of M is any (strict) total order @ ⊆ E × E such that < ⊆ @.
(recall that < = (→ ∪ B)+ ).
Suppose E = {e1 , . . . , en } and e1 @ . . . @ en .
Then, @ induces the word γM (e1 ) . . . γM (en ) ∈ Γ∗ .
Let Lin(M) ⊆ Γ∗ be the set of words that are induced by the linearisations of M.
Remark 2.11.
• If Bags = ∅, then for every w ∈ Γ∗ , there is at most one
M ∈ CBM(A, Σ) such that w ∈ Lin(M).
• If Bags = {d}, this is not the case: (p, a, d!)(p, a, d!)(p, a, d?)(p, a, d?) is a
linearization of two different CBMs.
Example 2.12. Let M be the following CBM.
p2
p1
a
a
a
b
b
b
b
a
a
a
Then, Lin(M) contains:
• (p1 , a, c1 !)(p1 , b, c1 !)
(p2 , a, c1 ?)(p2 , a, s!)(p2 , b, c1 ?)(p2 , b, c2 !)(p2 , a, s?)(p2 , a, c2 !)
(p1 , b, c2 ?)(p1 , a, c2 ?)
• (p1 , a, c1 !)(p2 , a, c1 ?)(p2 , a, s!)(p1 , b, c1 !)
(p2 , b, c1 ?)(p2 , b, c2 !)(p2 , a, s?)(p2 , a, c2 !)
(p1 , b, c2 ?)(p1 , a, c2 ?)
Actually, M has 9 linearizations.
♦
Theorem 2.13. For all S ∈ CPDS(A, Σ), we have Lin(L(S)) = Lop (S).
Without proof.
19
CHAPTER
3
Logic
3.1 Monadic Second-Order Logic
Example: ∀x(a(x) ⇒ ∃y(x B y ∧ b(y)))
Syntax:
Let Var = {x, y, . . .} be an infinite set of first-order variables.
Let VAR = {X, Y, . . .} be an infinite set of second-order variables.
The set MSO(A, Σ) of formulas from monadic second-order logic is given by the
grammar:
ϕ ::= a(x) | p(x) | x = y | x Bd y | x → y | x ∈ X | ϕ ∨ ϕ | ¬ϕ | ∃x ϕ | ∃X ϕ
where x, y ∈ Var, X ∈ VAR, a ∈ Σ, p ∈ Procs, d ∈ DS.
The fragment EMSO(A, Σ) consists of the formulas of the form ∃X1 . . . ∃Xn ϕ where
ϕ is a first-order formula, i.e., it does not contain any second-order quantification.
Semantics:
Let M = ((wp )p∈Procs , (Bd )d∈DS ) be a CBM. An M-interpretation is a function I
that maps every
• x ∈ Var to some element of E
• X ∈ VAR to some subset of E
20
Satisfaction M |=I ϕ is defined inductively as follows:
• M |=I a(x)
if λ(I(x)) = a
• M |=I p(x)
if pid(I(x)) = p
• M |=I x = y
if I(x) = I(y)
• M |=I x Bd y
if I(x) Bd I(y)
• M |=I x → y
if I(x) → I(y)
• M |=I x ∈ X
if I(x) ∈ I(X)
• M |=I ϕ ∨ ψ
if M |=I ϕ or M |=I ψ
• M |=I ¬ϕ
if M 6|=I ϕ
• M |=I ∃xϕ
if there is e ∈ E such that M |=I[x7→e] ϕ
• M |=I ∃Xϕ
if there is E ⊆ E such that M |=I[X7→E] ϕ
Here, I[x 7→ e] maps x to e and coincides with I on (Var \ {x}) ∪ VAR.
When ϕ is a sentence, then I is irrelevant, and we write M |= ϕ instead of M |=I ϕ.
We let L(ϕ) := {M ∈ CBM(A, Σ) | M |= ϕ}.
Example 3.1. We use the following abbreviations:
• ϕ ∧ ψ = ¬(¬ϕ ∨ ¬ψ)
W
• x B y = d∈DS (x Bd y)
• write(x) = ∃y(x B y)
∀xϕ = ¬∃x¬ϕ
ϕ ⇒ ψ = ¬ϕ ∨ ψ
read (x) = ∃y(y B x)
• local (x) = ¬write(x) ∧ ¬read (x)
• min(x) = ¬∃y(y → x)
max (x) = ¬∃y(x → y)
• “Ep = ∅ ” = ¬∃x p(x)
• x ≤ y = ∀X(x ∈ X ∧ ∀z∀z 0 ((z ∈ X ∧ (z → z 0 ∨ z B z 0 )) ⇒ z 0 ∈ X) ⇒ y ∈ X)
• On CBMs, the latter formula is equivalent to
∃X [
x∈X
∧ y∈X
∧ ∀z ∈ X :
z = y ∨ ( ∃z 0 ∈ X : z → z 0 ∨ z B z 0 ) ) ]
21
♦
Example 3.2. We consider some formulas for Scs :
• ϕ1 = ∀x(a(x) ⇒ ∃y(x ≤ y ∧ b(y)))


∃x1 , x2 (x Bc1 x1 → x2 Bc2 y)

• req-ack (x, y) = p1 (x) ∧ 
∨ ∃x1 , . . . , x4 (x Bc1 x1 → x2 Bs x3 → x4 Bc2 y)
• ϕ2 = ∀x, y req-ack (x, y) ⇒ (a(x) ∧ a(y)) ∨ (b(x) ∧ b(y))
For the client-server system Scs from the previous chapter, we have L(Scs ) 6⊆ L(ϕ1 )
and L(Scs ) ⊆ L(ϕ2 ).
♦
3.2 Expressive Power of MSO Logic
Recall a theorem from the sequential case:
Theorem 3.3 (Büchi-Elgot-Trakhtenbrot [Büc60, Elg61, Tra62]).
Suppose |Procs| = 1 and DS = ∅. Let L ⊆ CBM(A, Σ), which can be seen as a
word language L ⊆ Σ∗ . Then, the following are equivalent:
• There is S ∈ CPDS(A, Σ) such that L(S) = L.
• There is a sentence ϕ ∈ MSO(A, Σ) such that L(ϕ) = L.
The theorem also holds for |Procs| = 1, |DS| = 1, and DS = Stacks [AM09].
One direction is actually independent of achitecture:
Theorem 3.4. For every S ∈ CPDS(A, Σ), there is a sentence ϕ ∈ EMSO(A, Σ)
such that L(ϕ) = L(S).
22
Proof. Fix S = (Locs, Val, (→p )p∈Procs , `in , Fin) ∈ CPDS(A, Σ). We let
h
ϕ = ∃(X` )`∈Locs ∃(Yv )v∈Val
Partition((X` )`∈Locs )
∧ Partition((Yv )v∈Val )
V
W
∧ ∀x, y d∈DS x Bd y ⇒ v∈Val (x ∈ Yv ∧ y ∈ Yv )
!
V
W
p ∈ P Ep = ∅
∧
V
`=(`p )p∈Procs ∈ Fin
∧
p ∈ Procs\P ∃x (p(x) ∧ max (x) ∧ x ∈ X`p )
P ⊆ Procs
∀p∈P : `p = `in
where
W
0
a
∧ ∀x, y x → y ∧ local (y) ⇒ ` −
→p `0 trans `,a,p,` (x, y)
W
a
∧ ∀x min(x) ∧ local (x) ⇒ ` −
trans 0a,p,` (x)
→
`
p
in
W
0 (x, y) ∧ data d,v (y))
∧ ∀x, y x → y ∧ write(y) ⇒
(trans
a,d!v
`,a,p,`
`−
−−→p `0
W
∧ ∀x min(x) ∧ write(x) ⇒
(trans 0a,p,` (x) ∧ data d,v (x))
a,d!v
`in −
−−→p `
W
∧ ∀x, y x → y ∧ read (y) ⇒
(trans `,a,p,`0 (x, y) ∧ data d,v (y))
a,d?v
0
` −−−→p `
i
W
∧ ∀x min(x) ∧ read (x) ⇒
(trans 0a,p,` (x) ∧ data d,v (x))
a,d?v
`in −−−→p `
W
Partition((X` )`∈Locs ) = ∀x( `∈Locs x ∈ X` ) ∧
V
`6=`0
¬∃x(x ∈ X` ∧ x ∈ X`0 )
trans `,a,p,`0 (x, y) = x ∈ X` ∧ a(y) ∧ p(y) ∧ y ∈ X`0
trans 0a,p,` (x) = a(x) ∧ p(x) ∧ x ∈ X`
data d,v (x) = x ∈ Yv ∧ ∃z(x Bd z ∨ z Bd x)
This completes the construction of the formula ϕ. We have L(ϕ) = L(S).
Unfortunately, the other direction does not hold in general:
Unfortunately, the other direction does not hold in general:
Theorem 5. Suppose ⌃ Theorem
= {a, b, c}. 3.5.
Suppose
that A
byc}.
Procs
= {p1 , pthat
Suppose
Σ is=given
{a, b,
Suppose
2 } A is given by Procs =
and DS = Queues = {c1 , c{p
Writer(c
) =Queues
Reader(c
Writer(c
p2 } and
DS 1=
=2 ){c=1 ,pc12 }and
with
Writer(c
2 }1 ,with
2) =
1 ) = Reader(c2 ) = p1 and
Reader(c1 ) = p2 :
Writer(c2 ) = Reader(c1 ) = p2 :
c1
c1
p2
p1
c2
p2
p1
c2
There is a sentence ϕ ∈ MSO(A, Σ) such that, for all S ∈ CPDS(A, Σ), we have
There is a sentence ' 2 MSO(A, ⌃) such that, for all S 2 CPDS(A, ⌃), we have
L(S) 6= L(ϕ).
L(S) 6= L(').
23
Proof. To illustrate the proof idea, we consider pictures over ⌃ = {a, b, c}. Here is
Chapter 2. Graphs, Words, Traces, and Pictures
an example:
Proof. To illustrate the proof idea, which goes back to [Tho96] we consider pictures
over Σ = {a, b, c}. Here is an example:
a
b
b
c
a
b
b
b
a
a
c
b
a
a
b
b
a
c
b
b
a
Consider the set P= of pictures that are of the form ACA where
• A is a nonempty square picture with labels in {a, b}, and
• C is a c-labeled column.
The above picture is a member of P= .
The language P= is definable by an MSO formula Φ= over pictures using predicates:
go-right(x, y)
go-down(x, y)
The formula Φ= is easy to obtain once we have a “matching” predicate µ(x, y)
that relates two coordinates x and y iff they refer to identical positions in the two
different square grids.
Essentially, µ(x, y) says that there are sets X, Y and nodes x1 , x2 , x3 such that
• X contains all those nodes that are in the same row as x,
• x1 is the topmost node on the same column as x,
• x2 is on the intersection of the bottom row and the right-down diagonal
starting from x1 ,
• x3 is reached from x2 by going two steps to the right,
• Y contains all those nodes that are in the same column as x3 .
Then, we have µ(x, y) iff y ∈ X ∩ Y . The idea for µ(x, y) is illustrated below:
24
' 2 MSO(A, ⌃) such that, for all S 2 CPDS(A, ⌃), we have
There is⌃)
a sentence
2 MSO(A,
such that,
forhave
all S 2 CPDS(A, ⌃), we have
There is a sentence ' 2 MSO(A,
such that,' for
all S 2 ⌃)
CPDS(A,
⌃), we
L(S)
=
6
L(').
L(S) 6= L(').
he proof idea, we consider pictures over ⌃ = {a, b, c}. Here is
Chapter 2. Graphs,
Words,
andthe
Pictures
Proof.
ToTraces,
illustrate
proof idea, we consider pictures over ⌃ = {a, b, c}. Here is
Proof. To illustrate the proof idea, we consider pictures over ⌃ = {a, b, c}. Here is
an example:
Chapter 2. Graphs, Words, Traces, and Pictures
an example:
Y
a
c
b
c
b
cb
a
b
a
a
b
b
a
a
a
b
b
b
c
b
b
b
c
a
b
x1
b
X
a
a
a
b
y
x
b
b
a
x2
x3
Consider
the
c set P
b
b = of pictures
b
bthat areb of the form ACA where
Next, we encode pictures into CBMs over A and Σ. The above picture is encoded
re
2.9: Dividing
a picture
over
b,isc}a where
•{a,
AGCG
nonempty square picture with labels in {a, b}, and
f pictures
such that
are of the
form
as follows:
• b},
C and
is a c-labeled column.
y square picture with labels in {a,
Figure
2.9:
Dividing
a picture
over
{a,GCG
b, c} where
Consider the set P= of pictures such that
are of the
form
column.
The above picture is a member of P= .
corresponding sentence just has to require that, for any a
• G is a nonempty square picture with labels in {a, b}, and
b
aw,member
of P=to. be a suitable counterpart y that is also
there has
b
, but• on
of the c-labeled column. MoreC the
is aopposite
c-labeledside
column.
a
O[]
corresponding
sentence
has
to
require
that,
for
any
( ) -definable.
ow x and
y have to A
coincide.
The latter
can be just
easily
b
The
language
P
is
definable
by
an
MSO
formula
over
pictures using predicates:
=
=
The
above
picture
is
a
member
of
P
.
b
ent
x
on
the
first
row,
there
has
to
be
a
suitable
counterpart
y
that
is
also
redicates 1 and 2 (with the obvious
= meaning, i.e., 2
b
able
an to
MSO
formula
over
pictures
using
predicates:
rombyleft
right),
which,
in on
turn,
definable
only
in c-labeled
=
cated
on
the
first
row,
but
theare
opposite
side
of the
column.
More-y)
go-right(x,
y)
go-down(x,
c
Ler,cannot
be EMSObelow
if we
suppose aThe latter can be easily
( ) -definable.
the columns
x andy) Because,
y have to
coincide.
go-right(x,
y)
go-down(x,
according
to
Theorem
2.2.13
and
Lemma
2.5.2,
there
isobtain
ca “matching”
The
formula
is
easy
to
once
we have i.e.,
predicate µ(x, y)
rmalized using the predicates 1 and =2 (with
the
obvious
meaning,
2
a
(Q,
S, proceeding
Occ) is
over
( from
, {1,that
2})
such
that
Rcoordinates
= 1, Occ
relates
two
and yare
iffusing
they predicates:
refer only
to identical
positions in the two
26definable
TheR,language
by
an
MSO
formula
pictures
ands
for
left
to
right),
which,
in isxturn,
definable
in
= over
c
true, and L ( ) (B) = L. Indifferent
any accepting
of B on a
square run
grids.
rms of . However, L cannot be EMSO ( ) -definable.
a Because, if we suppose
go-right(x,
y)
go-down(x,
y)
nformation carried from G
to H is already
present
in
thethere
Essentially,
µ(x,
y)
says
that
are sets 2.5.2,
X, Y and
b nodes
2
EMSO
,
then,
according
to
Theorem
2.2.13
and
Lemma
there
is x1 , x2 , x3 such that
( )
ciated to the single column C. For a given column length b
graphsequences
acceptoris |Q|
B =
{1, 2}) such that R = 1, aOcc is
n (Q, R, S, Occ) over
26 ( of, distinct
state
. In contrast, the number
26
n
equivalent
to ntrue,
(B) = L.exceeds
In anyb accepting
run of B on a
( )therefore,
sgically
over {a,
b} of length
is 22 and1 L
and,
0
0
cture
GCH,
theaninformation
carried
fromforGsome
to H is already presentb in the
ge
n. So
we canallfind
accepting run
on G CH
b
induce different
of columntowords.
quence
of statessets
associated
the single column C. For a given column length
b
b
a
the number of those state sequences is |Q|n . In contrast,
the number of distinct
n
ure is given if is a singleton, which allows us to omit 2the
nempty sets of words over {a, b} of length n is 2
1 and, therefore, exceeds
hen
n rather speak of a grid. Given n, m 2 IN 1 , the (n, m)- a
| for sufficiently large n. So we can find an accepting run on G0 CH 0 for some
m columns)
is the structure G(n, m) := ([n] ⇥[m], S1 , S2 ) 2
, H 0 2 ({a, b}) that induce different sets of column words.
as in the picture case, S1 , S2 ✓ ([n]⇥[m])2 contain the pairs
⇥ [m])2 and ((i, j), (i, j + 1)) 2 ([n] ⇥ [m])2 , respectively.
special
case ofThe
a picture
is is
given
if in
is Figure
a singleton,
et
of all grids.
(3,5)-grid
depicted
2.10 onwhich allows us to omit the
beling
rather
speak
of abygrid.
n, m Σ)
2 INfor1 ,the
theencodings
(n, m)- of the above picture
f= Given
tion Rfunction.
✓ IN 1 ⇥We
IN then
be
represented
the
grid
We
obtain
a formula
Φ
∈ MSO(A,
1 may
id
(with
n rows
m function
columns)
structure G(n, m) := ([n] ⇥[m], S1 , S2 ) 2
language
inductively:
, m)
2 R}.
As a and
unary
f is
:PIN
=the
1 ! IN 1 can be
2})
where,
in the
picture
relation,
define
theas
grid
language
G(fcase,
) of fS1to, Sbe
the([n]⇥[m])2 contain the pairs
H ( , {1,we
2 ✓
2
g
• ∃xϕ
∧ ϕ)
e
Ni, j),
and =
((i,∃x(write(x)
j), (i, j + 1))
2 ([n] ⇥ [m])2 , respectively.
1 }. (i + 1, j)) 2 ([n] ⇥ [m])
y
, we denote the set of all grids. The (3,5)-grid is depicted in Figure 2.10 on
^ y) = ∃z(x B z → y)
• go-right(x,
e next page. A relation R ✓ IN 1 ⇥ IN 1 may be represented by the grid
nguage {G(n, m) | (n, m) 2• R}.
As a unary
f :∧IN(x 1→!y ∨IN∃z(x
^
1 can
go-down(x,
y) = function
¬bottom(x)
→ zbe→ y ∧ ¬write(z)))
nsidered as a binary relation, we define the grid language G(f ) of f to be the
t {G(n, f (n)) | n 2 IN 1 }.
25
Here, bottom(x) says that x is an element that is located on the last row (left as
an exercise). Other formulas remain unchanged.
Using Theorem 3.4, we can moreover determine a formula ψpict that describes the
encodings of (arbitrary) pictures.
f= .
Let ϕ = ψpict ∧ Φ
Towards a contradiction, suppose that there is S = (Locs, Val, (→p )p∈Procs , `in , Fin) ∈
CPDS(A, Σ) such that L(S) = L(ϕ).
An accepting run of S has to transfer all the information it has about the upper
part of the CBM along the middle part of size 2n (where n is the length of a
column), to the lower part.
However, there are
2
• 2n square pictures of width/height n, and
• |Locs|2n -many assignments of states to the middle part.
Thus, for sufficiently large n, we can find an accepting run of S on a CBM M
whose upper part and lower part do not match, i.e., M 6∈ L(ϕ).
However, there is a fragment of MSO that allows for a positive result (we do not
present the proof).
Theorem 3.6 ([BL06]). Suppose DS = Queues. Then, for every sentence ϕ ∈
EMSO(A, Σ), there is a CPDS S such that L(S) = L(ϕ).
Exercise 3.7. Prove that CPDSs are, in general, not closed under complementation: Suppose Σ = {a, b, c} and assume the architecture A from Theorem 3.5.
Show that there is S ∈ CPDS(A, Σ) such that, for all S 0 ∈ CPDS(A, Σ), we have
L(S 0 ) 6= CBM(A, Σ) \ L(S).
♦
Exercise 3.8. Show that Theorem 3.5 also holds when |Procs| = 1, |DS| = 2, and
DS = Stacks.
♦
3.3 Propositional Dynamic Logic
Example: A a ⇒ h(→ +
d ∗
d∈DS B ) ib
P
≡ ∀x(a(x) ⇒ ∃y(x ≤ y ∧ b(y)))
∈ PDL(A, Σ)
26
Syntax:
The syntax of ICPDL(A, Σ) is given by
Φ ::= Eσ | Φ ∨ Φ | ¬Φ
σ ::= p | a | σ ∨ σ | ¬σ | hπiσ
π ::= Bd | → | test(σ) | π −1 | π + π | π ∩ π | π · π | π ∗
where p ∈ Procs, d ∈ DS and a ∈ Σ. We call
• σ a state formula or node formula, and
• π a path formula.
If intersection π ∩ π is not allowed, the fragment is PDL with converse (CPDL). If
backward paths π −1 are not allowed the fragment is called PDL with intersection
(IPDL). In simple PDL neither backwards paths nor intersection are allowed.
Let M = ((wp )p∈Procs , (Bd )d∈DS ) ∈ CBM(A, Σ).
Semantics of ICPDL formulas:
We write M |= Eσ if [[σ]]M 6= ∅. Here, the semantics [[σ]]M ⊆ E of state fomulas is
given below. For Φ ∈ ICPDL(A, Σ), we let L(Φ) := {M ∈ CBM(A, Σ) | M |= Φ}.
Semantics of state formulas:
The semantics of a state formula σ wrt. M is a set [[σ]]M ⊆ E, inductively defined
as follows:
[[p]]M := Ep
[[a]]M := {e ∈ E | λ(e) = a}
[[σ1 ∨ σ2 ]]M := [[σ1 ]]M ∪ [[σ2 ]]M
[[¬σ]]M := E \ [[σ]]M
[[hπiσ]]M := {e ∈ E | there is f ∈ [[σ]]M such that (e, f ) ∈ [[π]]M }
The relation [[π]]M ⊆ E × E is defined below.
27
Semantics of path formulas:
The semantics of a path formula π wrt. M is a set [[π]]M ⊆ E × E, inductively
defined as follows:
[[Bd ]]M := Bd
[[→]]M := →
[[test(σ)]]M := {(e, e) | e ∈ [[σ]]M }
[[π −1 ]]M := [[π]]−1
M = {(f, e) | (e, f ) ∈ [[π]]M }
[[π1 + π2 ]]M := [[π1 ]]M ∪ [[π2 ]]M
[[π1 ∩ π2 ]]M := [[π1 ]]M ∩ [[π2 ]]M
[[π1 · π2 ]]M := [[π1 ]]M ◦ [[π2 ]]M
[[π ∗ ]]M
= {(e, g) ∈ E × E | ∃f ∈ E : (e, f ) ∈ [[π1 ]]M and (f, g) ∈ [[π2 ]]M }
S
:= [[π]]∗M = n∈N [[π]]nM
Example 3.9. Consider the following abbreviation/examples:
• Aσ = ¬E¬σ
• [π]σ = ¬hπi¬σ
• true = p ∨ ¬p
P
• B = d∈DS Bd
(ICPDL formula)
(state formula)
(state formula)
(path formula)
(state formula)
• Φ1 = A a ⇒ h(→ + B)∗ ib ∈ PDL(A, Σ)
• write = hBitrue
• req-ack = (test(p1 ) · Bc1 · → · Bc2 ) + (test(p1 ) · Bc1 · → · Bs · → · Bc2 )
(path formula; cf. client-server system from previous chapter)
• Φ2 = A(a ⇒ [req-ack]a) ∧ A(b ⇒ [req-ack]b)
∈ PDL(A, Σ)
≡ A([test(a) · req-ack]a) ∧ A([test(b) · req-ack]b) ∈ PDL(A, Σ)
≡ ∀x, y req-ack (x, y) ⇒ (a(x) ∧ a(y)) ∨ (b(x) ∧ b(y))
∈ MSO(A, Σ)
We have L(Scs ) 6⊆ L(Φ1 ) and L(Scs ) ⊆ L(Φ2 ).
28
♦
3.4 Expressive Power of ICPDL
One can show that ICPDL is no more expressive than MSO:
Exercise 3.10. Show that, for every formula Φ ∈ ICPDL(A, Σ), there is a sentence
ϕ ∈ MSO(A, Σ) such that L(ϕ) = L(Φ).
♦
Unfortunately, the other direction does not hold in general:
Unfortunately, even IPDL is too expressive to be translatable into CPDSs:
Theorem 5. Suppose ⌃ = {a, b, c}. Suppose that A is given by Procs = {p1 , p2 }
and DS = Queues = {c1 , c2 } with Writer(c1 ) = Reader(c2 ) = p1 and Writer(c2 ) =
Theorem 3.11. Suppose Σ = {a, b, c} and let A be given as follows:
Reader(c1 ) = p2 :
c1
c1
p2
p1
p2
p1
c2
c2
There is⌃)
Φ such
∈ IPDL(A,
Σ)all
such
for all
∈ CPDS(A,
Σ), we have L(S) 6=
There is a sentence ' 2 MSO(A,
that, for
S 2that,
CPDS(A,
⌃),S we
have
L(Φ).
L(S) 6= L(').
Exercise
3.12.
Provepictures
Theorem
3.11
the
in is
the proof of Theorem 3.5.♦
Proof. To illustrate the proof
idea, we
consider
over
⌃ using
= {a, b,
c}.idea
Here
Chapter
2.
Graphs,
Words,
Traces,
and
Pictures
an example:
a
b
b
a
b
b
The exact relation between CPDL and CPDS is unknown. However, every PDL formula can be translated into a CPDS (the special case DS = Queues was considered
c
a
a
b
b
in a[BKM10]):
c
a
c
b
a
b
b
b For every Φ ∈ PDL(A, Σ), there is S ∈
Theorem
3.13 ([AGNK14]).
CPDS(A, Σ) such that L(S) = L(Φ).
b
b
b
b
Proof. For a state formula σ, we construct, inductively,
2.9: Dividing
aSpicture
over
{a,
b,pc}
Consider the set Figure
P= of pictures
such that
are
the
form
GCG
where
(Locs,
Val,
(→
)p∈Procs
, `in , Fin) ∈ CPDS(A, Σ)
σ = of
together
withwith
a mapping
: Locs
→ {0, 1} such that
• G is a nonempty square
picture
labels inγσ{a,
b}, and
• C is a c-labeled column.
• L(S ) = CBM(A, Σ) and,
σ
[] ( ) -definable. A corresponding
sentence just has to require that, for any
The
above
picture
is
a
member
of
P
.
nt x on the first row, there
hasall=toMbe∈ CBM(A,
a suitable
thatρ of
is Salso
• for
Σ),counterpart
all acceptingyruns
σ on M, and all events e of
have side of the c-labeled column. Moreated on the first row, but on M,
the we
opposite
∈ [[σ]]latter
γσ (ρ(e))
= 1.
M iff can
r, the columns below x and y have to coincide. eThe
be easily
malized using the predicates 1 and 2 (with the obvious meaning, i.e., 2
The language
is definable
an to
MSO
formula
pictures
predicates:
nds
for proceeding
frombyleft
right),
which,
in turn,
are using
definable
only in
= over
ms of . However, L cannot be EMSO ( ) -definable. Because, if we suppose
go-right(x, y)
go-down(x, y)
29 2.5.2, there is
2 EMSO ( ) , then, according to Theorem 2.2.13 and Lemma
raph acceptor B = (Q, R, S, Occ) over
26 ( , {1, 2}) such that R = 1, Occ is
ically equivalent to true, and L ( ) (B) = L. In any accepting run of B on a
ture GCH, all the information carried from G to H is already present in the
CPDS Sa for a ∈ Σ:
We let Sa = (Locs, Val, (→p )p∈Procs , `in , Fin) where
• Locs = {0, 1}
Val = {v}
• transitions:
a
`in = 1
Fin = {0, 1}Procs
b
– `−
→p 1 and ` →
−p 0
a,d!v
b,d!v
with Writer(d) = p
a,d?v
b,d?v
with Reader(d) = p
– ` −−−→p 1 and ` −−−→p 0
– ` −−−→p 1 and ` −−−→p 0
for all ` ∈ Locs, b 6= a, and d ∈ DS
Moreover, γa (0) = 0 and γa (1) = 1.
CPDS Sp for p ∈ Procs:
We let Sp = (Locs, Val, (→q )q∈Procs , `in , Fin) where
• Locs = {0, 1}
Val = {v}
`in = 1
Fin = {0, 1}Procs
• transitions:
a
– `−
→p 1
– ` −−−→p 1
a,d!v
with Writer(d) = p
– ` −−−→p 1
a,d?v
with Reader(d) = p
a
– `−
→q 0
– ` −−−→q 0
a,d!v
with Writer(d) = q
a,d?v
– ` −−−→q 0
with Reader(d) = q
for all ` ∈ Locs, a ∈ Σ, d ∈ DS, and q 6= p
Again, we let γp (0) = 0 and γp (1) = 1.
CPDS S¬σ :
Suppose Sσ = (Locs, Val, (→p )p∈Procs , `in , Fin) with associated mapping γσ : Locs →
{0, 1}. We set S¬σ = Sσ and let γ¬σ (`) = 1 − γσ (`) for all ` ∈ Locs.
30
CPDS Sσ1 ∨σ2 :
Suppose Sσi = (Locsi , Vali , (→ip )p∈Procs , `iin , Fini ), for i ∈ {1, 2}.
We define Sσ1 ∨σ2 = (Locs, Val, (→p )p∈Procs , `in , Fin) as follows:
• Locs = Locs1 × Locs2
• Val = Val1 × Val2
• `in = (`1in , `2in )
• Fin = {((`p1 , `p2 ))p∈Procs ∈ LocsProcs | (`pi )p∈Procs ∈ Fini for all i ∈ {1, 2}}
• transitions:
a
a
→ip `0i for all i ∈ {1, 2}
– (`1 , `2 ) −
→p (`01 , `02 ) if `i −
a,d!(v1 ,v2 )
a,d!vi
a,d?(v1 ,v2 )
a,d?vi
– (`1 , `2 ) −−−−−−→p (`01 , `02 ) if `i −−−→ip `0i for all i ∈ {1, 2}
– (`1 , `2 ) −
−−−−−−→p (`01 , `02 ) if `i −−−→ip `0i for all i ∈ {1, 2}
Finally, we let γσ ((`1 , `2 )) = max{γσ1 (`1 ), γσ2 (`2 )}.
Let us turn to the case of formulas hπiσ.
hπiσ ≡ hπ·test(σ)itrue. Hence, we may assume that if hπiσ appears as a subformula
then σ is true. Furthermore, we simply denote it by hπi (which means hπitrue).
p1 the
Example 3.14. Let us illustrate the idea by means of an example. Consider
PDL path formula
∗
{0,1,2} a
π = test(a) · (→ + B) · test(b) .
p2
a {0,1,2}
We translate π into a finite automaton over the alphabet {B, →, test(a),
test(b)}
c as
{1,2}
follows:
{0,1,2} a
◃
→,
a {0,1,2}
a {2}
0
1
test(b)
c {1,2}
2
{0,1,2} a
test(a)
The CPDS Shπi will now label each event of a CBM with the set of states from
which one “can reach a final state”, starting from the maximal events wrt. < (in
the example, the only b-labeled one):
31
b {0,2}
p2
p1
a {0,1,2}
{0,1,2} a
{1,2} c
{0,1,2} a
◃
→,
a {2}
0
1
a {0,1,2}
b
c {1,2}
2
{0,1,2} a
a
b {0,2}
This can indeed be achieved by a CPDS. To do so, the CPDS has to “inspect”, at
each event e, the states at the immediate →- and Bd -successors of e. In particular,
at a write event, it will have to guess what will be the state at the corresponding
read event. Finally, an event satisfies hπi iff the initial state 0 is contained in the
labeling.
♦
CPDS Shπi :
Let Tests(π) = {test(σ1 ), . . . , test(σn )} be the set of tests appearing in π.
Now, π can be seen as a regular expression over the alphabet
Ω = Tests(π) ∪ {Bd | d ∈ DS} ∪ {→} .
Let B = (S, δ, ι, F ) be a finite automaton over Ω for π, i.e., such that L(B) = L(π) ⊆
Ω∗ . Note that we can assume |S| = |π|. Given s ∈ S, we set Bs = (S, δ, s, F ), i.e.,
Bs is essentially B, but with new initial state s.
Let πs be a rational expression over Ω that is equivalent to Bs (in particular,
πι = π).
For a CBM M = ((wp )p∈Procs , (Bd )d∈DS ), we want to compute ν : E → 2S such
that
ν(e) = {s ∈ S | e ∈ [[hπs i]]M } .
Let H(e) = {test(σi ) | e ∈ [[σi ]]M } ⊆ Ω.
For K ⊆ Ω∗ and T ⊆ S, let
δ −1 (K, T ) = {s ∈ S | δ(s, w) ∈ T for some w ∈ K} .
(
ν(f ) if e → f
Let ν + (e) =
∅
if e is maximal on its process.
Lemma 3.15.
(i) If e is not a write event, then
ν(e) = δ −1 (H(e)∗ , F ) ∪ δ −1 (H(e)∗ →, ν + (e)) .
32
(ii) If e Bd f , then
ν(e) = δ −1 (H(e)∗ , F ) ∪ δ −1 (H(e)∗ →, ν + (e)) ∪ δ −1 (H(e)∗ Bd , ν(f )) .
Exercise 3.16. Prove Lemma 3.15.
♦
Remark 3.17. If e is maximal wrt. <, then ν(e) = δ −1 (H(e)∗ , F ) can be computed directly.
We are looking for a CPDS that computes ν.
Problem: The computation of ν goes backward, whereas a CPDS run goes forward.
Solution: Guess ν nondeterministically and check afterwards whether the guess was
correct.
We define Shπi = Sσ1 × . . . × Sσn × SB . By induction, the (Sσi )1≤i≤n are given.
|
{z
}
computes H
as input
for SB
From accepting runs (ρi )1≤i≤n of (Sσi )1≤i≤n , we get
H(e) = {test(σi ) | γσi (ρi (e)) = 1} ,
which, by induction, equals {test(σi ) | e ∈ [[σi ]]M }.
We define SB = (Locs, Val, (→p )p∈Procs , Init, Fin) as follows:
• Locs = 2S × 2S
In (U, V ) ∈ Locs, U represents ν(e), and V represents the “guessed” ν + (e).
• Val = 2S
Here, U ∈ Val represents ν(f ) when e Bd f .
• Init = ({∅} × 2S )Procs = {(∅, V ) | V ⊆ S}Procs
We assume a set of global initial states, which is a generalization compared
with single local initial states, but can be simulated with nondeterminism.
• Fin = (2S × {∅})Procs = {(U, ∅) | U ⊆ S}Procs
Now, we turn to the transitions.
In the following, let
Θ(G, V ) = δ −1 (G∗ , F ) ∪ δ −1 (G∗ →, V ) and
Ψd (G, V, W ) = Θ(G, V ) ∪ δ −1 (G∗ Bd , W ).
33
• internal:
G
if U = Θ(G, V )
G,d!W
if U = Ψd (G, V, W )
G,d?U
if U = Θ(G, V )
(U 0 , U ) −
→p (U, V )
• write (Writer(d) = p):
(U 0 , U ) −−−−→p (U, V )
• read (Reader(d) = p):
(U 0 , U ) −−−−→p (U, V )
Remark 3.18. If we see the CPDS working backward, then it is deterministic
(forward modalities = backward deterministic).
Finally, we set
(
1 if ι ∈ U
γB (U, V ) =
0 otherwise,
and γhπi (`1 , . . . , `n , U, V ) = γB (U, V ).
The correctness proof for Shπi is by induction on the partial order induced by a
CBM, starting from the maximal events.
It remains to define automata for PDL formulas Φ ∈ PDL(A, Σ). Without loss of
generality, we assume that Φ is a positive boolean combination of formulas of the
form Eσ or Aσ. Disjunction and conjunction are easy to handle, since CPDSs are
closed under union and intersection (exercise).
For the case Aσ, suppose we already have Sσ = (Locs, Val, (→p )p∈Procs , `in , Fin)
with associated mapping γσ : Locs → {0, 1}. Without loss of generality, we assume
γσ (`in ) = 1. Then, the CPDS for Aσ is simply the restriction of S to those locations
` such that γσ (`) = 1.
The case Eσ is left as an exercise.
Exercise 3.19. Consider the following extension of PDL(A, Σ), which we call
PDL−1 (A, Σ):
Φ ::= Eσ | Φ ∨ Φ | ¬Φ
σ ::= p | a | σ ∨ σ | ¬σ | hπiσ | hπ −1 iσ
π ::= Bd | → | test(σ) | π + π | π · π | π ∗
where p ∈ Procs, d ∈ DS and a ∈ Σ. Show that Theorem 3.13 even holds for the
logic PDL−1 (A, Σ):
For every Φ ∈ PDL−1 (A, Σ), there is S ∈ CPDS(A, Σ) such that L(S) = L(Φ). ♦
34
Since PDL is closed under complementation (negation), while CPDSs are not (for
certain architectures), we obtain, as a corollary, that CPDSs are strictly more
expressive than PDL.
3.5 Satisfiability and Model Checking
For an architecture A and an alphabet Σ, consider the following problems:
MSO-Satisfiability(A, Σ):
Instance:
Question:
ϕ ∈ MSO(A, Σ)
L(ϕ) 6= ∅ ?
(IC)PDL-Satisfiability(A, Σ):
Instance:
Question:
Φ ∈ (IC)PDL(A, Σ)
L(Φ) 6= ∅ ?
MSO-ModelChecking(A, Σ):
Instance:
Question:
S ∈ CPDS(A, Σ) ; ϕ ∈ MSO(A, Σ)
L(S) ⊆ L(ϕ) ?
(IC)PDL-ModelChecking(A, Σ):
Instance:
Unfortunately, the other directionQuestion:
does not hold in general:
S ∈ CPDS(A, Σ) ; Φ ∈ (IC)PDL(A, Σ)
L(S) ⊆ L(Φ) ?
Theorem 5. Suppose ⌃ = {a, b, c}. Suppose that A is given by Procs = {p1 , p2 }
and DS = Queues = {c1 , c2 } with Writer(c1 ) = Reader(c2 ) = p1 and Writer(c2 ) =
Theorem 3.20. Let A be given as follows (and Σ be arbitrary):
Reader(c1 ) = p2 :
c1
c1
p2
p1
p2
p1
c2
c2
Then, all⌃)the
abovementioned
are⌃),
undecidable.
There is a sentence ' 2 MSO(A,
such
that, for all S problems
2 CPDS(A,
we have
L(S) 6= L(').
By Theorem 3.13, we obtain the following positive result:
Proof. To illustrate the proof idea, we consider pictures over ⌃ = {a, b, c}. Here is
Chapter 2. Graphs, Words, Traces, and Pictures
an example:
35
a
b
a
c
b
a
a
b
b
a
b
c
a
b
b
a
Theorem 3.21. Suppose DS = Bags. Then, the problems
PDL-Satisfiability(A, Σ) and
PDL-ModelChecking(A, Σ)
are both decidable.
36
CHAPTER
4
Underapproximate Verification
Recall that most verification problems such as nonemptiness, global-state reachability, and model checking are undecidable even for very simple architectures.
4.1 Principles of Underapproximate Verification
To get decidability, we will restrict decision problems to a subclass C ⊆ CBM(A, Σ)
of CBMs:
MSO-Validity(A, Σ, C):
Instance:
Question:
ϕ ∈ MSO(A, Σ)
C ⊆ L(ϕ) ?
MSO-ModelChecking(A, Σ, C):
Instance:
Question:
S ∈ CPDS(A, Σ) ; ϕ ∈ MSO(A, Σ)
L(S) ∩ C ⊆ L(ϕ) ?
For example, we may only consider the CBMs that can be executed when the data
structures have bounded capacity:
Definition 4.1. Let k ≥ 0. A CBM M is called k-existentially bounded (k-∃B for
short) if there is a linearization w ∈ Lin(M) such that, for every prefix u of w, the
number of unmatched writes in u is at most k. A class C ⊆ CBM(A, Σ) is k-∃B if
M is k-∃B for every M ∈ C. Finally, C is called ∃B if it is k-∃B for some k. ♦
37
Example 4.2. We will give some examples:
(a) The CBM from Example 2.8 is 3-∃B.
…
…
(b) The class of nested words (|Procs| = 1, |DS| = 1, and DS = Stacks) is not
∃B, as illustrated by the following figure:
…
…
…
…
…
…
…
…
(c) The class of MSCs (|Procs| ≥ 2, DS = Queues = Procs × Procs \ {(p, p) | p ∈
Procs}, Writer(p, q) = p, and Reader(p, q) = q) is not ∃B:
♦
Exercise 4.3. Consider the encoding of pictures as CBMs from Section 3.2. Show
that the encoding of a picture of height k yields a CBM that is k-∃B.
♦
We are looking for “reasonable” classes of CBMs that are suitable for underapproximate verification.
Definition 4.4. Let C = (Ck )k≥0 with Ck ⊆ CBM(A, Σ) be a family of classes of
CBMs. Then, C is called
• monotone if Ck ⊆ Ck+1 for all k ≥ 0,
S
• complete if k≥0 Ck = CBM(A, Σ),
• decidable if the usual decision problems are decidable when the domain of
CBMs is restricted to Ck ,
• MSO-definable if, for all k ≥ 0, there is a sentence ϕk ∈ MSO(A, Σ) such
that L(ϕk ) = Ck , and
38
• CPDS-definable if, for all k ≥ 0, there is a CPDS Sk ∈ CPDS(A, Σ) such
that L(Sk ) = Ck .
♦
Below, we first present a generic family, which is based on the notion of split-width.
4.2 Graph-Theoretic Approach
In the following, we will use tools from graph theory. Actually, the pair (A, Σ)
defines a signature of unary and binary relation symbols. Thus, one can consider
general graphs over (A, Σ), with node labels from Σ and edge labels from {proc} ∪
DS. Here, proc stands for process successor, and d ∈ DS is the labeling of an edge
that connects a write and a read event. Those graphs that satisfy the axioms from
Definition 2.9 can then be considered as CBMs.
Proposition 4.5. The class CBM(A, Σ) is MSO-definable, i.e., there is a sentence
ϕcbm ∈ MSO(A, Σ) such that, for all graphs G over (A, Σ), we have
G |= ϕcbm
iff G is a CBM over (A, Σ) .
Proposition 4.6. Fix a class C ⊆ CBM(A, Σ). The following problems are interreducible:
1. MSO-Validity(A, Σ, C)
2. MSO-ModelChecking(A, Σ, C)
Proof. For the reduction from 1. to 2., let ϕ ∈ MSO(A, Σ) be a sentence. Let Suniv
be the universal CPDS, satisfying L(Suniv ) = CBM(A, Σ). Note that we can define
Suniv such that |Locs| = 1 = |Val| and where we have full transition tables. We
have:
C ⊆ L(ϕ) iff L(Suniv ) ∩ C ⊆ L(ϕ)
For the reduction from 2. to 1., let S ∈ CPDS(A, Σ) and ϕ ∈ MSO(A, Σ). Let
ϕS ∈ MSO(A, Σ) such that L(ϕS ) = L(S) (cf. Theorem 3.4). We have:
iff
iff
L(S) ∩ C ⊆ L(ϕ)
L(ϕS ) ∩ C ⊆ L(ϕ)
C ⊆ L(ϕ ∨ ¬ϕS )
The decidability of the MSO theory of classes of graphs has been extensively studied
(cf. the book by Courcelle and Engelfriet [CE12]):
Theorem 4.7. Let C be a class of bounded degree graphs which is MSO-definable.
The following statements are equivalent:
1. C has a decidable MSO theory.
2. C can be interpreted in binary trees.
39
3. C has bounded tree-width.
4. C has bounded clique-width.
5. C has bounded split-width1 (if C is a class of CBMs).
For a class C ⊆ CBM(A, Σ) that is MSO-definable, we prove bounded split-width
• to get decidability,
• to get the interpretation in binary trees,
• to reduce verification problems to problems on tree automata, and
• to get efficient algorithms with optimal complexity.
In the theorem above, graphs are interpreted in binary trees. We need to identify
which trees are valid encodings, i.e., do encode graphs in the class C. This is why
we assumed the class of graphs to be MSO-definable. From this, we can build a
tree automaton for the valid encodings. Actually, we can replace MSO-definability
of the class C by the existence of a tree automaton AC for the valid encodings of
CBMs in C. It is often better to define the tree automaton directly. Its size has a
direct impact on the decision procedures arising from the tree-interpretation.
4.3 Graph (De)composition and Tree Interpretation
We will illustrate the concept of tree interpretation by means of cographs. Undirected and labeled cographs are generated by cograph terms. A cograph term is
built from the grammar (cograph algebra)
C ::= a | C ⊕ C | C ⊗ C
where a ∈ Σ. A term C defines a cograph [[C]] = (V, E, λ) as follows:
• [[a]] is the graph ({1}, ∅, 1 7→ a) with one a-labeled vertex and no edges
• if [[Ci ]] = (Vi , Ei , λi ) for i = 1, 2, with V1 ∩ V2 = ∅, then
[[C1 ⊕ C2 ]] = (V1 ∪ V2 , E1 ∪ E2 , λ1 ∪ λ2 )
• if [[Ci ]] = (Vi , Ei , λi ) for i = 1, 2, with V1 ∩ V2 = ∅, then
[[C1 ⊗ C2 ]] = (V1 ∪ V2 , E1 ∪ E2 ∪ (V1 × V2 ) ∪ (V2 × V1 ), λ1 ∪ λ2 )
|
{z
}
undirected graphs
(this is called the complete join)
1
Split-width will be defined below.
40
Example 4.8. Consider the cograph term C = ((a ⊗ a) ⊗ b) ⊗ (a ⊕ (a ⊗ b)). The
figure below shows a tree representation of C as well as the cograph [[C]] defined
by C.
×
b
×
×
a
+
×
a
a
a
a
a
b
b
a
b
a
Note that the tree representation offers a top-down decomposition of a cograph.♦
Remark 4.9. One can also include edge labelings d, using operators ⊗d with the
expected meaning.
Clearly, the set of cograph terms (considered as trees) is a regular tree language:
Lemma 4.10. The set of cograph terms is MSO-definable in binary trees.
Alternatively, there is a tree automaton which accepts the set of binary trees that
are cograph terms.
Proof. The set of “valid” binary trees is defined by the sentence
!
W
leaf (x) → a∈Σ a(x)
ϕcograph = ∀x
.
∧ ¬leaf (x) → ⊕(x) ∨ ⊗(x)
Tree interpretation:
Next, we demonstrate that a cograph can be recovered from its cograph term using
MSO formulas, i.e., an MSO interpretation. Let C be a cograph term (i.e., a binary
tree), and let G = [[C]] = (V, E, λ).
• The nodes in V correspond to the leaves of C:
ϕvertex (x) = leaf (x) = ¬∃y(x ↓0 y ∨ x ↓1 y)
where ↓0 stands for “left child” and ↓1 for “right child”.
• The set E of edges is defined by
ϕedge (x, y)
= “least-common-ancestor (x, y) is labeled ⊗ ”
z ↓0 x0 ∧ z ↓1 y 0
0
0
= ∃z, x , y
∧ (x0 ↓∗ x) ∧ (y 0 ↓∗ y) ∧ ⊗(z)
∨ z ↓1 x0 ∧ z ↓0 y 0
41
Proposition 4.11. MSO formulas over cographs can be “translated” to MSO formulas over cograph terms: For all sentences ϕ ∈ MSO(Σ, E), there is a sentence
ϕ
e ∈ MSO(Σ∪{⊕, ⊗}, ↓0 , ↓1 ) such that, for every cograph term C, say with G = [[C]],
we have
G |= ϕ iff C |= ϕ
e.
Proof. We proceed by induction on ϕ:
g = a(x)
• a(x)
g = ϕedge (x, y)
• xEy
• x^
∈X=x∈X
• x
^
= y = (x = y)
• ¬ϕ
f = ¬ϕ
e
• ϕ^
f1 ∨ ϕ
f2
1 ∨ ϕ2 = ϕ
g = ∃x(ϕvertex (x) ∧ ϕ)
• ∃xϕ
e
] = ∃X((∀x(x ∈ X → ϕvertex (x))) ∧ ϕ)
• ∃Xϕ
e
Note that, in the correctness proof, we have to deal with free variables. Actually,
the inductive statement is as follows: For all ϕ ∈ MSO(Σ, E), there is ϕ
e ∈ MSO(Σ∪
{⊕, ⊗}, ↓0 , ↓1 ) such that, for every cograph term C and every interpretation I of
Var ∪ VAR in Leaves(C) = Vertices(G = [[C]]), we have G |=I ϕ iff C |=I ϕ.
e
Corollary 4.12. The MSO theory of cographs is decidable.
Proof. Let ϕ ∈ MSO(Σ, E). Then, ϕ is valid on cographs iff ϕcograph → ϕ
e is
valid on binary trees (cf. Lemma 4.10). Note that, moreover, ϕ is satisfiable on
cographs iff ϕcograph ∧ ϕ
e is satisfiable on binary trees. The result from the corollary
follows, since MSO validity is decidable on binary trees. Indeed, the problem can
be reduced to tree-automata emptiness [TW68].
42
4.4 Split-Width
Next, we give a short account of split-width. See also Section 6 of [AG14]. We
start with some definitions. A split-CBM is a CBM in which behaviors of processes
may be split in several factors.
Definition 4.13. A graph M = (E, →, (Bd )d∈DS , pid, λ) is a split-CBM if it is
possible to obtain a CBM (E, → ] 99K, (Bd )d∈DS , pid, λ) by adding some missing
process edges 99K ∈ E 2 . Missing edges are called splits (or holes). A factor (or
block) of M is a maximal sequence of events connected by process edges. The
width2 of M is its number of factors. It is denoted width(M).
♦
We say that M is connected if the graph (E, → ∪ B) is connected. A connected
component of M is a split-CBM induced by a connected component of (E, → ∪ B).
An atomic split-CBM is a connected split-CBM with no process edges (→ = ∅).
Hence, an atomic split-CBM consists of either a single internal event, or a pair of
events linked with a matching edge from B.
`
We may also describe a split-CBM as a tuple M = ((wp1 , . . . , wpp )p∈Procs , (Bd )d∈DS )
with wpj ∈ Σ+ such that M = ((wp )p∈Procs , (Bd )d∈DS ) is a CBM, where wp =
P
`
wp1 · · · wpp for each p ∈ Procs. The width of M is p∈Procs `p .
Example 4.14. The split-CBM M0 depicted below has 3 holes and 5 factors. It
has two connected components: M1 and M2 . It may be obtained with 3 splits
either from the CBM M or from the CBM M00 below.
p
a
a
b
c
d
q
b
a
c
d
c
M′
p
a
a
M1
q
p
c
b
a
a
b
d
c
b
c
d
M2
c
a
d
p
b
c
d
a
a
q
a
b
c
d
c
M′′
M
q
b
a
c
d
c
♦
The split-game is a two player turn based game G = (V∃ ] V∀ , E) where Eve’s
set of positions V∃ consists of all connected split-CBMs and Adam’s set of positions
V∀ consists of non-connected split-CBMs. The edges E of G reflect the moves of the
players. Eve’s moves consist in splitting a factor in two, i.e., removing one process
2
In [AG14], the width is the number of splits and not the number of factors. For each nonempty
process p (Ep 6= ∅), the number of factors on process p is one plus the number of splits on process
p. Hence, the number of factors is at most the number of splits plus the number of processes.
43
edge in the graph. Adam’s moves amount to choosing a connected component of
the split-CBM. Atomic split-CBMs are terminal positions in the game: neither Eve
nor Adam can move from an atomic split-CBM.
A play on a split-CBM M is path in G starting from M and leading to an atomic
split-CBM. The cost of the play is the maximum width of any split-CBM encountered in the path. Eve’s objective is to minimize the cost and Adam’s objective is
to maximize the cost.
A strategy for Eve from a split-CBM M can be described with a split-tree T which
is a binary tree labeled with split-CBMs satisfying:
1. The root is labeled by M = cbm(T ).
2. Leaves are labeled by atomic split-CBMs.
3. Eve’s move: Each unary node is labeled with some connected split-CBM M
and its child is labeled with some M0 obtained by splitting a factor of M in
two, i.e., by removing one process edge. Thus, width(M0 ) = 1 + width(M).
4. Adam’s move: Each binary node is labeled with some non connected splitCBM M = M1 ] M2 where M1 and M2 are the labels of its children. Note
that width(M) = width(M1 ) + width(M2 ).
The width of a split-tree T , denoted width(T ), is the maximum width of the splitCBMs labeling the tree T . A k-split-tree is a split-tree of width at most k.
Definition 4.15 (split-width). The split-width of a split-CBM M is the minimal width of all split-trees for M.
Let CBMk-sw (A, Σ) denote the set of CBMs with split-width bounded by k.
♦
Example 4.16. A split-tree is given in Figure 4.1 The intermediate nodes in a
sequence of moves by Eve are not shown. The width of the split-tree is 5.
♦
Remark 4.17. Any subtree of a split-tree is also a split-tree.
Example 4.18. We consider some examples:
• Atomic CBMs have split-width 1 or 2.
• Nested words have split-width ≤ 3.
• k-∃B CBMs have split-width at most k + 2.
• Consider the set of MSCs L suggested in Example 4.2(c). Then, every MSC
from L has split-width 4.
♦
44
p
a
a
b
c
d
q
b
a
c
d
c
p
a
a
b
c
d
q
b
a
c
d
c
M
M′
a
p
a
M1
q
b
p
a
c
c
c
M′2
c
b
a
d
M3
c
d
c
d
c
d
b
c
d
a
c
a
b
b
a
a
M′1
q
d
M2
c
a
a
M′3
b
a
c
b
d
Figure 4.1: A split decomposition of width 5.
45
b
d
4.5 Main Results
Consider the following problems:
sw-Nonemptiness(A, Σ):
Instance:
S ∈ CPDS(A, Σ) ; k ≥ 0
L(S) ∩ CBMk-sw 6= ∅ ?
Question:
sw-Inclusion(A, Σ):
Instance:
Question:
S, S 0 ∈ CPDS(A, Σ) ; k ≥ 0
L(S) ∩ CBMk-sw ⊆ L(S 0 ) ?
sw-Universality(A, Σ):
Instance:
S ∈ CPDS(A, Σ) ; k ≥ 0
CBMk-sw ⊆ L(S) ?
Question:
sw-Satisfiability(A, Σ):
Instance:
ϕ ∈ MSO(A, Σ); k ≥ 0
L(ϕ) ∩ CBMk-sw 6= ∅ ?
Question:
sw-ModelChecking(A, Σ):
Instance:
Question:
S ∈ CPDS(A, Σ) ; ϕ ∈ MSO(A, Σ); k ≥ 0
L(S) ∩ CBMk-sw ⊆ L(ϕ) ?
In the following, we will prove the following:
Theorem 4.19. All these problems are decidable.
The proof technique is via an interpretation of CBMk-sw in binary trees and reduction to problems on tree automata. This is actually similar to decidability for
cographs as explained in Section 4.3.
In the following, we introduce
• special tree terms: these terms allow to denote graphs such as CBMs. Moreover there is a tree-interpretation of CBMs in special tree terms, viewed as
binary trees.
k-sw
• Ak-sw
.
cbm : a tree automaton for special tree terms denoting graphs in CBM
46
• Ak-sw
: a tree automaton for S ∈ CPDS(A, Σ) accepting a special tree term
S
τ ∈ L(Ak-sw
cbm ) iff cbm(τ ) ∈ L(S).
• Ak-sw
ϕ : a tree automaton for ϕ ∈ MSO(A, Σ) accepting a special tree term
τ ∈ L(Ak-sw
cbm ) iff cbm(τ ) |= ϕ.
4.6 Special tree terms and tree interpretation
In this section, we introduce special tree terms (STTs) and their semantics as
labeled graphs. A special tree term using at most k colors (k-STT) defines a graph
of special tree-width at most k − 1. Special tree-width is similar to tree-width.
See [Cou10] for more details on special tree-width and tree-width. We also give an
MSO interpretation of the graph Gτ defined by a special tree term τ in the binary
tree associated with τ .
A (Σ, Γ)-labeled graph is a tuple G = (V, (Eγ )γ∈Γ , λ) where λ : V → Σ is the vertex
labeling and Eγ ⊆ V 2 is the set of edges for each label γ ∈ Γ.
Special tree terms form an algebra to define labeled graphs. The syntax of
k-STTs over (Σ, Γ) is given by
τ ::= (i, a) | Addγi,j τ | Forgeti τ | Renamei,j τ | τ ⊕ τ
where a ∈ Σ, γ ∈ Γ and i, j ∈ [k] = {1, . . . , k} are colors.
Each k-STT represents a colored graph [[τ ]] = (Gτ , χτ ) where Gτ is a (Σ, Γ)-labeled
graph and χτ : [k] → V is a partial injective function assigning a vertex of Gτ to
some colours.
• [[(i, a)]] consists of a single a-labeled vertex with color i.
• Addγi,j adds a γ-labeled edge to the vertices colored i and j (if such vertices
exist).
Formally, if [[τ ]] = (V, (Eγ )γ∈Γ , λ, χ) then [[Addαi,j τ ]] = (V, (E 0γ )γ∈Γ , λ, χ) with
(
Eα
if {i, j} 6⊆ dom(χ)
E 0γ = Eγ if γ 6= α and E 0α =
Eα ∪ {(χ(i), χ(j))} otherwise.
• Forgeti removes color i from the domain of the color map.
Formally, if [[τ ]] = (V, (Eγ )γ∈Γ , λ, χ) then [[Forgeti τ ]] = (V, (Eγ )γ∈Γ , λ, χ0 )
with dom(χ0 ) = dom(χ) \ {i} and χ0 (j) = χ(j) for all j ∈ dom(χ0 ).
• Renamei,j exchanges the colors i and j.
Formally, if [[τ ]] = (V, (Eγ )γ∈Γ , λ, χ) then [[Renamei,j τ ]] = (V, (Eγ )γ∈Γ , λ, χ0 )
with χ0 (`) = χ(`) if ` ∈ dom(χ) \ {i, j}, χ0 (i) = χ(j) if j ∈ dom(χ) and
χ0 (j) = χ(i) if i ∈ dom(χ).
47
• Finally, ⊕ constructs the disjoint union of the two graphs provided they use
different colors. This operation is undefined otherwise.
Formally, if [[τi ]] = (Gi , χi ) for i = 1, 2 and dom(χ1 ) ∩ dom(χ2 ) = ∅ then
[[τ1 ⊕ τ2 ]] = (G1 ] G2 , χ1 ] χ2 ). Otherwise, τ1 ⊕ τ2 is not a valid STT.
The special tree-width of a graph G is the least k such that G = Gτ for some
(k + 1)-STT τ .
For CBMs, we have process edges and data edges, so we take Γ = {→} ∪ DS. Also,
vertices of CBMs are labeled with a letter from Σ and a process from Procs. Hence
the labels of vertices are pairs in Σ × Procs and the atomic STTs used to define
CBMs are of the form (i, a, p) with i ∈ [k], a ∈ Σ and p ∈ Procs.
Example 4.20. The 4-STT below defines the CBM M2 of Figure 4.1.
c2
→
s
τ = Forget2 Add→
2,4 Add3,2 (Add1,2 ((1, a, q) ⊕ (2, c, p)) ⊕ Add3,4 ((3, b, p) ⊕ (4, d, p)))
♦
Forget2
Add→
2,4
Add→
3,2
⊕
2
Addc1,2
Adds3,4
⊕
⊕
(1, a, q)
(2, c, p)
(3, b, p)
(4, d, p)
We show now that a graph G defined by a STT τ can be interpreted in the binary
tree τ . Notice that the vertices of G are in bijection with the leaves of τ . The main
difficulty is to interpret the edge relations Eγ of G in the tree τ .
Let us denote by Λk the alphabet of k-STTs:
Λk = {⊕, (i, a), Addγi,j , Forgeti , Renamei,j | i, j ∈ [k], a ∈ Σ, γ ∈ Γ} .
Clearly, the set of k-STTs considered as binary trees over Λk is a regular tree
language.
k
Lemma 4.21. There is a formula Φk-stt
valid ∈ MSO(Λ , ↓0 , ↓1 ) which defines the set
of valid k-STTs.
Proof. First, the binary tree is correctly labeled: leaves should have labels in [k]×Σ,
unary nodes should have labels in {Addγi,j , Forgeti , Renamei,j | i, j ∈ [k] and γ ∈ Γ}
and binary nodes should be labeled ⊕. Moreover, for the k-STT to be valid, the
48
children of a binary node should have disjoint sets of active colors. This can be
expressed with
_
P(i,a) (x) ∧ P(j,b) (y) ∧ Sameki,` (x, z) ∧ Samekj,` (y, z) ∧ ⊕(z)
¬∃x, y, z
1≤i,j,`≤k
a,b∈Σ
where sameki,` (x, z) is a macro stating that z is an ancestor of x in the tree and
that the vertex colored i at node x of the STT is colored ` at node z. This formula
can be written in MSO with a transitive closure.
Proposition 4.22 (MSO interpretation). For all sentences ϕ ∈ MSO(Σ, Γ)
and all k > 0, there is a sentence ϕ
ek ∈ MSO(Λk , ↓0 , ↓1 ) such that, for every kSTT τ with [[τ ]] = (G, χ), we have
G |= ϕ iff τ |= ϕ
ek .
Proof. We proceed by induction on ϕ. Hence we also have to deal with free variables. We denote by I an interpretation of variables to (sets of) vertices of G which
are identified with leaves of τ . Hence, we prove by induction that for all formulas
ϕ ∈ MSO(Σ, Γ) and all k > 0, there is a formula ϕ
ek ∈ MSO(Λk , ↓0 , ↓1 ) such that,
for all k-STT τ with [[τ ]] = (G, χ), and all interpretations I in vertices of G, we
have
G |=I ϕ iff τ |=I ϕ
ek .
The difficult case is to translate the edge relations. We define
_
x^
Eγ y = ∃z
P(i,a) (x) ∧ P(j,b) (y) ∧ Sameki,i0 (x, z) ∧ Samekj,j 0 (y, z) ∧ Addγi0 ,j 0 (z) .
1≤i,j≤k
1≤i0 ,j 0 ≤k
a,b∈Σ
The other cases are easy:
_
fa k (x) =
P
P(i,a) (x)
1≤i≤k
¬ϕ
fk = ¬ϕ
e
k
ϕ^
f1 ∨ ϕ
f2
1 ∨ ϕ2 = ϕ
k
g k = ∃x (ϕ
∃xϕ
ek ∧ leaf(x))
x^
∈X =x∈X
k
] = ∃X (ϕ
∃Xϕ
ek ∧ ∀x(x ∈ X → leaf(x)))
k
x
^
= y = (x = y)
This conlcudes the proof.
Corollary 4.23. The MSO theory of graphs of special tree-width at most k is
decidable.
Proof. Let ϕ ∈ MSO(Σ, Γ). Then, ϕ is valid on graphs of special tree width at most
k−1 iff Φk-stt
ek is valid on binary trees. The result of the corollary follows, since
valid → ϕ
MSO validity is decidable on binary trees. Indeed, the problem can be reduced to
tree-automata emptiness [TW68]. Note that, moreover, ϕ is satisfiable on graphs
of special tree width at most k − 1 iff Φk-stt
ek is satisfiable on binary trees.
valid ∧ ϕ
49
Exercise 4.24. Construct a tree automaton Akγ with O(k 2 ) states which accepts
a k-STT τ with two marked leaves x and y iff there is a γ-edge between x and y
in the graph [[τ ]].
♦
Solution: Akγ is a deterministic bottom-up tree automaton. It keeps in its state a
pair of colors (i, j) ∈ {0, 1, . . . , k}2 where i is the color at the current node of leaf
x, with i = 0 if x is not in the current subtree. Same for j and y. The state is
initialized at leaves. It is updated at ⊕-nodes and Rename-nodes. The automaton
goes to an accepting state if it is in state (i, j) when reading a node labeled Addγi,j .
On the other hand, it goes to a rejecting state at a node Forget` if it is in state
(i, j) with ` ∈ {i, j}.
Exercise 4.25. Construct a walking tree automaton Bγk with O(k) states which
runs on a k-STT τ starting from a leaf (say x) and accepts when reaching a leaf
(say y) such that there is a γ-edge between x and y in the graph [[τ ]].
♦
Solution: First, walking up the tree, the automaton Bγk keeps in its state the
color of the leaf x. It updates the color at Rename-nodes, makes sure that the color
is not forgotten, until it reaches a node labeled Addγi,j where i is the color in its
state. Then, it updates its state with color j and it enters a second phase where
it walks down the tree (non-deterministically at ⊕-nodes), updating the color at
Rename-nodes, making sure that the color is not forgotten, until it reaches a leaf
having the color which is in its state.
Remark: The automaton Bγk can be made deterministic if there is at most one γ
edge with source x. Indeed, walking up the tree is deterministic and we can search
for the target leaf y using a DFS.
4.7 Split-width and Special tree-width
Here we show that CBMs of bounded split-width are graphs of bounded special
tree-width. Actually, the converse also holds: CBMs of bounded special tree-width
have bounded split-width (see [Cyr14]), but we do not need this direction for the
decision procedures.
Let M = (E, →, (Bd )d∈DS , pid, λ) be a split-CBM. We denote by EP(M) the subset
of events that are endpoints of factors of M. A left endpoint is an event e ∈ E
such that there are no f with f → e. We define similarly right endpoints. Note
that an event may be both a left and right endpoint. The number of endpoints is
at most twice the number of factors: |EP(M)| ≤ width(M).
We associate with every split-tree T of width at most k a 2k-STT T such that
[[T ]] = (M, χ) where M = cbm(T ) is the label of the root of T and the range of χ
is the set of endpoints of M: Im(χ) = EP(M). Notice that dom(χ) ⊆ [2k] since T
is a 2k-STT. The construction is by induction on T .
Assume that cbm(T ) is atomic. Then it is either an internal event labeled (a, p) ∈
Σ × Procs. Then we let T = (1, a, p). Or, it is a matching write/read pair of events
50
eBd f and we let T = Addd1,2 ((1, λ(e), pid(e))⊕(2, λ(f ), pid(f ))). We call such STTs
atomic:
atomicSTT ::= (1, a, p) | Addd1,2 ((1, a, Writer(d)) ⊕ (2, b, Reader(d)))
with a, b ∈ Σ, p ∈ Procs and d ∈ DS.
If the root of T is a binary node and the left and right subtrees are T1 and T2 then
cbm(T ) = cbm(T1 ) ] cbm(T2 ). By induction, for i = 1, 2 the STT T i is already
defined and we have [[T i ]] = (cbm(Ti ), χi ). We first rename colors that are active in
both STTs. To this end, we choose an injective map f : dom(χ1 )∩dom(χ2 ) → [2k]\
(dom(χ1 ) ∪ dom(χ2 )). This is possible since |dom(χi )| = |Im(χi )| = |EP(cbm(Ti ))|.
Hence, |dom(χ1 )| + |dom(χ2 )| = |EP(cbm(T ))| ≤ 2k.
Assuming that dom(f ) = {i1 , . . . , im }, we define
T = T 1 ⊕ Renamei1 ,f (i1 ) · · · Renameim ,f (im ) T 2 .
Finally, assume that the root of T is a unary node with subtree T 0 . Then, cbm(T 0 )
is obtained from cbm(T ) by splitting one factor, i.e., removing one process edge,
say e → f . We deduce that e and f are endpoints of cbm(T 0 ), respectively right
and left endpoints. By induction, the STT T 0 is already defined. We have [[T 0 ]] =
(cbm(T 0 ), χ0 ) and e, f ∈ Im(χ0 ). So let i, j be such that χ0 (i) = e and χ0 (j) = f .
0
We add the process edge with Add→
i,j T . Then we forget color i if e is no more an
endpoint, and we forget j if f is no more an endpoint.
Example 4.26. Consider the split-tree rooted at node M2 in Figure 4.1. The
associated 4-STT is given below.
♦
Forget2
Add→
2,4
Add→
3,2
⊕
2
Addc1,2
Rename2,4
⊕
Rename1,3
(1, a, q)
Adds1,2
(2, c, p)
⊕
(1, b, p)
(2, d, p)
Corollary 4.27. A CBM of split-width k has special tree-width at most 2k.
51
4.8 Tree automata and Decision procedures
Recall that for an STT τ we write [[τ ]] = (Gτ , χτ ).
We have seen in the previous section that all CBMs of split-width at most k can
be denoted with 2k-STTs. On the other hand, not all 2k-STTs τ define graphs
Gτ which are CBMs, and even if Gτ is a CBM we do not know its split-width. In
order to use the tree interpretation in STTs to solve problems on CBMs of bounded
split-width, the following result is crucial.
O(k
Proposition 4.28. There is a tree automaton Ak-sw
cbm of size 2
L(Ak-sw
cbm ) ⊆ 2k-STT
and
2 |A|)
such that
CBMk-sw = {Gτ | τ ∈ L(Ak-sw
cbm )} .
Notice that, to satisfy the statement above, Ak-sw
cbm needs not accept all 2k-STTs τ
such that Gτ is a CBM of split-width at most k (and the automaton constructed
in the proof below will not). But, for each M ∈ CBMk-sw , the automaton Ak-sw
cbm
should accept at least one 2k-STT τ such that Gτ = M. To this end, we will
construct Ak-sw
cbm so that it accepts all 2k-STTs T associated with k-split-trees T
(See Section 4.7).
Notice also that Ak-sw
cbm checks two independent properties, being a CBM and having
split-width at most k. The first one can be expressed by an MSO(A, Σ) formula.
Hence, using the MSO-interpretation of Proposition 4.22, we can obtain an equivalent tree automaton on 2k-STTs. But to achieve the size of the automaton stated
in the proposition above, we give a (non-trivial) direct construction.
Proof. The tree automaton Ak-sw
cbm will accept 2k-STTs of the following form
τ ::= atomicSTT | Add→
i,j τ | Forgeti τ | Renamei,j τ | τ ⊕ τ
in which write/read matching pairs are given by atomic STTs and later only
process edges are added. Hence, the bottom-up automaton Ak-sw
cbm first checks
that the tree is build from atomic 2k-STTs. Then, it keeps in its state a tuple
s = (F, pid, c− , c+ , (Rd )d∈DS , B) where:
• F is the set of factors in the graph (split-CBM) associated with the current
subterm. Since we want the split-width to be bounded by k, we will have
|F | ≤ k so we may assume F ⊆ [k].
We denote by left(x) and right(x) the left and right endpoints of factor x in
the associated graph.
• pid : F → Procs the process of each factor.
• c− , c+ : F → [2k] the colors of the left/right endpoints of the factors.
• ∀d ∈ DS, a relation Rd ⊆ [n]2 .
We will maintain as an invariant the fact that a pair (x, y) of factors belongs
to Rd if x 6= y and in the associated graph there is an edge e Bd f from some
event e in factor x to some event f in factor y.
52
• B ⊆ F 2 ⊆ [k]2 an irreflexive binary relation on factors: x B y means that
factor x is before factor y. This relation will be used to check that the LIFO
and FIFO conditions are respected and that there are no cycles in the relation
< = (→ ∪ B)+ of the split-CBM. The invariant is that for all x, y ∈ F , if
x 6= y and left(x) < right(y) in the associated graph then x B y. The before
relation should satisfy the following:
1. If (x, y) ∈ Rd then x B y.
2. B is a total order on the factors pid−1 (p) ⊆ F of each process p ∈ Procs.
3. B needs not be an order relation. It should be irreflexive but it needs not be
antisymmetric (the first condition above may impose simultaneously x B y
and y B x). Also, B needs not be transitive but it should satisfy the following
closure properties: ∀x, y, y 0 , z ∈ F with pid(y) = pid(y 0 ), we have
x B y B y 0 B z ∧ x 6= z ⇒ x B z
x B y B y 0 ∧ x 6= y 0 ⇒ x B y 0
y B y 0 B z ∧ y 6= z ⇒ y B z
Finally, B should respect the FIFO and LIFO conditions:
4. FIFO: ∀d ∈ Queues, for all (x, y), (x0 , y 0 ) ∈ Rd if x B x0 then ¬(y 0 B y).
5. LIFO: ∀d ∈ Queues, for all (x, y), (x0 , y 0 ) ∈ Rd , ¬(x B x0 B y B y 0 ).
O(k
The number of states of Ak-sw
cbm is thus 2
Now, we describe the transitions of
2 |A|)
.
Ak-sw
cbm .
• the state at an atomic STT of the form Addd1,2 (−⊕−) can easily be computed.
In particular, we have F = {1, 2}, pid(1) = Writer(d), pid(2) = Reader(d),
c− (1) = c+ (1) = 1, c− (2) = c+ (2) = 2, Rd = {(1, 2)} and B = {(1, 2)}.
− +
• If the current node is labeled Add→
i,j . Let s = (F, pid, c , c , (Rd )d∈DS , B)
be the state at the child. We check that there are two factors x, y ∈ F
such that c+ (x) = i, c− (y) = j and x, y are consecutive factors on process
p = pid(x) = pid(y) according to the guessed ordering B: we have x B y and
¬(x B z B y) for all z ∈ F with pid(z) = p.
The new state s0 = (F 0 , pid0 , c0− , c0+ , (Rd0 )d∈DS , B 0 ) is computed as follows.
We use x to represent the merged factor, so we let F 0 = F \ {y}. pids are
preserved. Then, c0+ (x) = c+ (y) and the other colors are unchanged. For
each d ∈ DS we let Rd0 = Rd ∪ {(z, x) | z 6= x ∧ (z, y) ∈ Rd } ∪ {(x, z) | (y, z) ∈
Rd }. Finally, B 0 = (B ∩ F 02 ) ∪ {(z, x) | x 6= z B y}.
We can check that the new state s0 satisfies all conditions (1-5) on B 0 .
53
• Assume the current node is labeled ⊕ hence the subterm is τ = τ1 ⊕ τ2 .
Let s1 and s2 be the states at τ1 and τ2 respectively. We may rename the
factors in s2 so that F1 ∩ F2 = ∅. The state s is obtained from s1 and s2 by
taking the union of its components: F = F1 ∪ F2 , pid = pid1 ∪ pid2 , etc. For
the before relation, we guess B ⊆ F 2 which satisfies all conditions (1-5) and
which is compatible with the before relations of s1 and s2 , i.e., B1 ∪ B2 ⊆ B.
In particular, we have to guess for each process p ∈ Procs how factors of τ1
and τ2 on process p will be shuffled.
• If the current node is labeled Forgeti and the state at its child is s =
(F, pid, c− , c+ , (Rd )d∈DS , B) then we check that i ∈
/ c− (F ) ∪ c+ (F ): the color
of an endpoint should not be forgotten. The new state is simply s.
• If the current node is labeled Renamei,j and the state at its child is s =
(F, pid, c− , c+ , (Rd )d∈DS , B) then we exchange colors i and j in c− and c+ to
obtain the new state.
A state s = (F, pid, c− , c+ , (Rd )d∈DS , B) is accepting if we have at most one factor
per process.
Claim 4.29. If a 2k-STT τ admits an accepting run in Ak-sw
cbm then the graph Gτ
is a CBM and its split-width is at most k.
d
Assume that Ak-sw
cbm has an accepting run on τ and let Gτ = (E, →, (B )d∈DS , pid, λ)
be the graph defined by τ . We have to check that Gτ satisfies all conditions of
Definition 2.9. First, it is clear from atomic STTs that Bd ⊆ EWriter(d) × EReader(d)
and that matching edges are pairwise disjoint. Also, we add → edges only between
events of the same process.
We can check by induction that, at each subterm τ which is labeled with state
s = (F, pid, c− , c+ , (Rd )d∈DS , B) in the accepting run, we have for all x, y ∈ F , if
x 6= y and left(x) < right(y) in the associated graph Gτ then x B y. Since the
disjoint union induced by ⊕ does not add any ordering between the split-CBMs
defined by the two children, the above condition is satisfied by induction as soon
as B1 ∪ B2 ⊆ B. We can also show by induction that the property is preserved at
Add→
i,j nodes using condition (3) of the before relations.
Next, we show that < in Gτ is antisymmetric. Towards a contradiction assume
that at some Add→
i,j node, we add a process edge right(x) → left(y) and that we
had left(y) < right(x) at the child node. By the property above of B this implies
y B x at the child. This is impossible since the transition checks that x B y and,
by condition 2, B is a total order on the factors of every process.
It is easy to check by induction that → defines a total order on the events of each
factor. Since at the root we are in an accepting state, there are at most one factor
per process. Hence, → defines a total order on Ep for all processes p ∈ Procs.
Finally, we can check by induction that for all data-structures d ∈ DS, the relation
Rd in a state consists in the set of pairs of factors x 6= y such that e Bd f for some
events e in factor x and f in factor y of the associated graph.
54
Let d ∈ Queues and e1 Bd f1 , e2 Bd f2 in Gτ with e1 < e2 . The least common ancester
of the atomic STTs corresponding to these matching paris is a node labeled ⊕. At
that node, the four factors x1 , y1 , x2 , y2 of the events e1 , f1 , e2 , f2 are distinct. Since
e1 < e2 we get x1 B x2 by the above property. If we had f2 < f1 then we would
get y2 B y1 , again by the above property. But this is not allowed by the transition
at a ⊕ node since the guessed relation B satisfies condition (4).
The proof is similar for stacks. Let d ∈ Stacks and e1 Bd f1 , e2 Bd f2 in Gτ . Assume
that e1 < e2 < f1 < f2 . The the least common ancestor is again a ⊕ node and
from the ordering above we deduce that the corresponding factors should satisfy
x1 B x2 B y1 B y2 , a contradiction.
We deduce that Gτ is a CBM. From the 2k-STT τ we obtain a strategy for Eve
in the split-game, i.e., a split-tree T for Gτ . We need not have τ = T , but the
labels of the nodes of T correspond to graphs defined by subterms of τ . Since these
graphs have at most k factors, we deduct that the width of T is at most k. Hence,
Gτ ∈ CBMk-sw which concludes the proof of the claim.
k-sw
. The converse inclusion follows
We deduce that {Gτ | τ ∈ L(Ak-sw
cbm )} ⊆ CBM
from the next claim.
Claim 4.30. If T is a k-split tree for some CBM M then the associated 2k-STT
T is accepted by Ak-sw
cbm .
Each split-CBM M labeling some node of T has an induced before relation on its
factors inherited from M: if x 6= y are factors of M then x BM y if left(x) <
right(y) in M. We can easily check that BM satisfies conditions (1–5).
The run of Ak-sw
cbm on T is constructed bottom-up. All transitions are deterministic
except for ⊕ nodes. Consider a subterm τ = τ1 ⊕ τ2 of T . Then Gτ is a split-CBM
labeling the corresponding node in T . We use the relation BGτ to construct the
transition at this ⊕ node.
We can check that we obtain a valid run of Ak-sw
cbm on T . In particular, we can check
by induction that for all subterms τ of T the before relation in the state at τ is
exactly BGτ . We deduce that, when a process edge is added between two factors,
then these factors are always consecutive factors on some process, hence transitions
at Add→
i,j nodes are valid. Also, the color of an endpoint is never forgotten in T ,
hence transitions at Forgeti nodes are valid.
This concludes the proof of Proposition 4.28.
Proposition 4.31. Given k > 0 and an MSO formula ϕ ∈ MSO(A, Σ), we can
construct a tree automaton Ak-stt
such that for all k-STT τ we have
ϕ
τ ∈ L(Ak-stt
ϕ )
iff
Gτ |= ϕ .
Proof. From ϕ ∈ MSO(A, Σ), we construct ϕ̃2k ∈ MSO(Λ2k , ↓0 , ↓1 ) using Proposition 4.22. Using [TW68] we obtain an equivalent tree automaton Ak-stt
ϕ .
Corollary 4.32. The problem sw-Satisfiability(A, Σ) is decidable.
55
Proof. The problem reduces to checking nonemptiness of a tree automaton. Given
2k-stt ) 6= ∅.
k > 0 and ϕ ∈ MSO(A, Σ), we have L(ϕ) ∩ CBMk-sw 6= ∅ iff L(Ak-sw
cbm ∩ Aϕ
Indeed, given M ∈ CBMk-sw such that M |= ϕ, we find τ ∈ L(Ak-sw
cbm ) ⊆ 2k-STT
2k-stt ) by Proposition 4.31.
with Gτ = M by Proposition 4.28. We obtain τ ∈ L(Aϕ
2k-stt ) then G ∈ CBMk-sw by Proposition 4.28 and
Conversely, if τ ∈ L(Ak-sw
τ
cbm ∩ Aϕ
Gτ |= ϕ by Proposition 4.31.
Proposition 4.33. Given a CPDS S, we can construct a tree automaton Ak-sw
of
S
2)
O(k
k-sw
size |S|
such that for all τ ∈ L(Acbm ) we have
τ ∈ L(Ak-sw
)
S
iff
Gτ ∈ L(S) .
Proof. Let S = (Locs, Val, (→p )p∈Procs , `in , Fin) be a CPDS. The tree automaton
k-sw is a tuple (F, c− , c+ , ρ− , ρ+ )
Ak-sw
is a modified version of Ak-sw
S
cbm . A state of AS
− +
where F, c− , c+ are as in Ak-sw
cbm . The maps ρ , ρ : F → Locs are such that for
−
+
every factor x, S has a run from ρ (x) to ρ (x) reading factor x.
For an atomic STT (1, a, p) for an internal event, we have F = {1} and c− (1) =
a
c+ (1) = 1. We guess a transition ` −
→p `0 and we store the locations ρ− (1) = ` and
ρ+ (1) = `0 .
For an atomic STT Addd1,2 ((1, a, p) ⊕ (2, b, q)) for a matching write/read pair, we
have F = {1, 2}, c− (1) = c+ (1) = 1 and c− (2) = c+ (2) = 2. We guess a value
a,d!v
b,d?v
v ∈ Val and two matching transitions `1 −−−→p `01 and `2 −−−→q `02 . We store the
locations ρ− (1) = `1 , ρ+ (1) = `01 , ρ− (2) = `2 and ρ+ (2) = `02 .
k-sw . The locations ρ− , ρ+
The components F, c− , c+ are updated bottom-up as in Acbm
are unchanged at Forgeti and Renamei,j nodes. We take the disjoin union of these
− + − +
maps at ⊕ nodes. Finally, consider an Add→
i,j node. Let (F, c , c , ρ , ρ ) be the
state at the child. We find x, y ∈ F such that c+ (x) = i and c− (y) = j. We
check that ρ+ (x) = ρ− (y) to ensure that the two runs on factors x and y can be
concatenated. In the new state, we have ρ0− (x) = ρ− (x) and ρ0+ (x) = ρ+ (y).
Finally, the automaton Ak-sw
accepts if the state at the root has at most one factor
S
−
per process, and ρ (x)
( = `in for all x ∈ F , and the tuple (`p )p∈Procs ∈ Fin is
ρ+ (x) if x ∈ F and pid(x) = p
accepting, where `p =
`in
if p ∈
/ pid(F )
Corollary 4.34. The problem sw-Nonemptiness(A, Σ) is decidable in ExpTime.
The procedure is only polynomial in the size of the CPDS.
Proof. The problem reduces to checking nonemptiness of a tree automaton. Given
k-sw ) 6= ∅.
k > 0 and a CPDS S over A, we have L(S) ∩ CBMk-sw 6= ∅ iff L(Ak-sw
cbm ∩ AS
Indeed, given M ∈ L(S) ∩ CBMk-sw , we find τ ∈ L(Ak-sw
cbm ) with Gτ = M by
Proposition 4.28. We obtain τ ∈ L(Ak-sw
)
by
Proposition
4.33. Conversely, if
S
k-sw
k-sw
k-sw
τ ∈ L(Acbm ∩ AS ) then Gτ ∈ CBM
by Proposition 4.28 and Gτ ∈ L(S) by
Proposition 4.33.
56
Corollary 4.35. The problem sw-ModelChecking(A, Σ) is decidable in ExpTime. The procedure is only polynomial in the size of the CPDS.
Proof. The problem reduces to checking nonemptiness of a tree automaton. Given
k > 0, a CPDS S, and a formula ϕ ∈ MSO(A, Σ) we have L(S) ∩ CBMk-sw ⊆ L(ϕ)
k-sw ∩ A2k-stt ) = ∅.
iff L(Ak-sw
¬ϕ
cbm ∩ AS
4.9 ICPDL model checking
In the previous sections, we showed that model checking CPDSs against MSO
formulas is decidable when we restrict to behaviors of bounded split-width. However, the transformation of an MSO formula into a tree automaton is inherently
non-elementary, and this non-elementary lower bound is in fact inherited by the
model-checking problem. We will, therefore, turn to the logic ICPDL and consider
the following problem, for a given architecture A (and alphabet Σ):
sw-ICPDL-ModelChecking(A, Σ):
Instance:
S ∈ CPDS(A, Σ) ; Φ ∈ ICPDL(A, Σ); k ≥ 0
L(S) ∩ CBMk-sw ⊆ L(Φ) ?
Question:
Here, we suppose that k is given in unary.
Decidability of this problem follows from decidability of MSO and the statement
of Exercise 3.10, saying that every ICPDL formula can be (effectively) translated
into an MSO sentence. Unfortunately, this does not give us an elementary upper
bound. We will rather proceed as follows:
Proposition 4.36. Given Φ ∈ ICPDL(A, Σ), and k > 0, we can construct a nondeterministic tree automaton (NTA) Ak-sw
of doubly exponential size such that,
Φ
)
(denoting
by
cbm(τ
)
the
graph Gτ defined by τ ), we have:
for all τ ∈ L(Ak-sw
cbm
τ ∈ L(Ak-sw
Φ ) iff cbm(τ ) |= Φ
This will yield the following result:
Theorem 4.37 ([CGNK14]). sw-ICPDL-ModelChecking(A, Σ) is solvable in doubly exponential time (when the bound k on the split-width is encoded
in unary).
This theorem follows from Proposition 4.36 since we have
k-sw ) ∩ L(Ak-sw ) = ∅, and
• L(S) ∩ CBMk-sw ⊆ L(Φ) iff L(Ak-sw
) ∩ L(Acbm
S
Φ
57
• emptiness of NTAs can be checked in polynomial time.
The rest of this section is devoted to the proof of Proposition 4.36.
Towards an NTA for a given ICPDL formula Φ, we first translate local ICPDL
formulas σ into an intermediate model, called alternating two-way (tree) automata
(A2As). An A2A “walks” in a tree, similarly to a path formula from ICPDL. In
addition, it can spawn several copies of an automaton, which all have to accept
the input. This spawning is dual to non-deterministic choice, hence the name
alternating.
Recall that 2k-STTs are binary trees over the alphabet Λ2k as defined in Section 4.6.
In the following, Ω is an arbitrary alphabet for binary trees. When our trees are
2k-STTs, then we will take Ω = Λ2k .
Definition 4.38 (A2A). An alternating two-way (tree) automaton ( A2A) over
an alphabet Ω is a triple A = (S, δ, ι, acc)
• S
nonempty finite set of states
• ι∈S
initial state
• δ : S × Ω × 2D → B+ (D × S) is the transition function such that
δ(s, α, β) ∈ B+ (β × S) for all (s, α, β) ∈ S × Ω × 2D
• acc : S → N is the acceptance condition, assigning to each state a priority ♦
The transition function δ needs some explanation. First, the set
D = {., &, %, -, id}
is the set of directions available at a node of a binary tree.3 This is indicated by
the type type(u) ⊆ D of a node u. We assume that type(u) always contains id.
Moreover, when u is a leaf, then type(u) ∩ {., &} = ∅. When a node has only one
child, then we assume that the child is the left successor, following .. Moreover,
B+ (D × S) is the set of positive boolean formulas over D × S, built according to
the grammar
B ::= true | false | (d, s) | B ∨ B | B ∧ B
where (d, s) ∈ D × S is an atomic formula.
An example formula from B+ (D × S) is B = (%, s1 ) ∨ ((., s2 ) ∧ (id, s3 )). Intuitively, this means that, being at a left child, the A2A can (i) go to the father
and continue in state s1 , or (ii) spawn two copies, one going to the left child and
starting in s2 , the other one staying at the current node and starting in s3 . We
will consider that {(%, s1 )} and {(., s2 ), (id, s3 )} are models of B, in the obvious
sense. That is, a model is a set M of atomic formulas such that B is evaluated to
3
For convenience, we write . and & instead of ↓0 and, respectively, ↓1 .
58
true when atoms from M are evaluated to true, and all other atoms are evaluated
to false. We then write M |= B.
Let t be an Ω-labeled binary tree (say, with set of nodes V and labeling function
λ : V → Ω), and let u ∈ V be a node of t. A run of the A2A A on (t, u) is a
nonempty finite (unranked) (V × S)-labeled tree ρ such that the following hold:
• the root of ρ is labeled with (u, ι)
• for all nodes x of ρ, say with label (v, s), there is a model
{(d1 , s1 ), . . . , (dn , sn )} |= δ(s, λ(v), type(v))
such that x has n children, with labels (d1 (v), s1 ), . . . , (dn (v), sn ), respectively. Hereby, di (v) is defined in the expected manner. For example, .(v)
is the left child of v, whereas id(v) is v itself.
Since a run is finite, this definition implies that, if a leaf is labeled with some (v, s),
then δ(s, λ(v), type(v)) is equivalent to true.
The acceptance condition acc applies to infinite branches: run ρ is accepting if,
for every of its infinite branches (starting at the root), say with associated infinite sequence (u0 , s0 )(u1 , s1 )(u2 , s2 ) . . . of labels, the minimal number that occurs
infinitely often in the sequence acc(s0 )acc(s1 )acc(s2 ) . . . is even.
Finally, we let L(A) = {(t, u) | there is an accepting run of A on (t, u)}.
We will now translate a node formula σ into an A2A Aσ over Λ2k such that, for
all τ ∈ L(Ak-sw
cbm ) and all leaves u of τ , the following holds:
(τ, u) ∈ L(Aσ ) iff cbm(τ ), u |= σ
Recall that in the tree interpretation of cbm(τ ) in the tree τ , vertices of cbm(τ )
are identified with leaves of τ . Moreover, cbm(τ ), u |= σ stands for u ∈ [[σ]]cbm(τ ) .
A2A Aa for a ∈ Σ:
We let Aa = ({s}, δ, s, s 7→ 1) where
(
true if α ∈ {(i, a, p) | i ∈ [2k], p ∈ Procs}
δ(s, α, β) =
false otherwise.
A2A Ap for p ∈ Procs:
59
We let Ap = ({s}, δ, s, s 7→ 1) where
(
true if α ∈ {(i, a, p) | i ∈ [2k], a ∈ Σ}
δ(s, α, β) =
false otherwise.
A2A Aσ1 ∨σ2 :
Suppose Aσi = (Si , δi , ιi , acc i ), for i ∈ {1, 2}.
We let Aσ1 ∨σ2 = (S1 ] S2 ] {ι}, δ, ι, acc 1 ∪ acc 2 ∪ {ι 7→ 1}) where


(id, ι1 ) ∨ (id, i2 ) if s = ι
δ(s, α, β) = δ1 (s, α, β)
if s ∈ S1


δ2 (s, α, β)
if s ∈ S2
A2A A¬σ :
Suppose Aσ = (S, δ, ι, acc).
We let A¬σ = (S, δ 0 , ι, acc 0 ) where
δ 0 (s, α, β) = δ(s, α, β)
Here, the dual B of a positive boolean formula is defined as follows:
• true = false
• false = true
• (d, s) = (d, s) for all (d, s) ∈ D × S
• B1 ∨ B2 = B1 ∧ B2
• B1 ∧ B2 = B1 ∨ B2
Moreover, we let acc 0 (s) = acc(s) + 1 for all s ∈ S.
A2A Ahπiσ :
This is the most difficult case. Similarly to the translation of a PDL formula
into a CPDS (cf. Section 3.4), where a path formula is first translated into a finite
automaton, we will first translate π into a variant of an A2A, which we call walking
(tree) automaton (WA). A WA also walks in a tree, but does not have alternation
capabilities. The main difference with A2A is that a WA does not recognize pairs
(t, u), but rather triples (t, u, v). This reflects the fact that path formulas define
binary relations on events.
Definition 4.39 (WA). A walking (tree) automaton ( WA) over Ω is a tuple
B = (S, →, ι, f)
60
• S
nonempty finite set of states
• ι∈S
initial state
• f∈S
final state
• → is the finite transition relation, containing transitions of two types:
dir
– s −−→ s0
A
– s−
→ s0
where s, s0 ∈ S and dir ∈ D
where s, s0 ∈ S and A is an A2A over Ω
♦
A
Taking a transition of type s −
→ s0 , the WA B checks if, in the given tree, the
current node is accepted by A. It then moves to state s0 but does not change the
current node. Otherwise, the semantics of B is defined as expected, and we only
describe it intuitively as L(B) = {(t, u, v) | B allows for a “walk” in t from u to v,
starting in state ι and ending in state f}.
Exercise 4.40. Provide a formal definition of L(B).
♦
Our aim is to translate a path formula π into a WA Bπ such that, for all τ ∈
L(Ak-sw
cbm ) and all leaves u, v of τ , the following holds:
(τ, u, v) ∈ L(Bπ ) iff cbm(τ ), u, u |= π
Let us, for the moment, assume that we are already given Bπ = (S, →, ι, f) and
that Bπ uses, in its transition, the A2As Ai = (Si , δi , ιi , acc i ) with i = 1, . . . , n.
Moreover, suppose that, by induction, we have Aσ = (Sσ , δσ , ισ , acc σ ) for a node
formula σ. We define the A2A Ahπiσ = (S 0 , δ, ι, acc) as follows:
• S 0 = S ] S1 ] . . . ] Sn ] Sσ


δi (s, α, β)





δσ (s, α, β)



W


(dir , s0 )
dir
s−
−→s0
• δ(s, α, β) = 
dir ∈β



 ∨ W

(id, ιi ) ∧ (id, s0 )
Ai



0
s
−
→
s




 ∨ W
s=f (id, ισ )

if s ∈ Si
if s ∈ Sσ


 if s ∈ S


• acc = acc 1 ∪ . . . ∪ acc n ∪ acc σ ∪ {s 7→ 1 | s ∈ S}
It remains to construct the WA Bπ for an arbitrary path formula π. We proceed
by induction:
61
WA BBd for d ∈ DS:
%
A⊕
ABd
%
.
&
ι −−−−→ −−−→ −−−−→ −−−−→ −−−−→ −−−−→ f
Here, the A2A A⊕ just checks if the current label is ⊕, and ABd checks whether
the current label is Addd1,2 (similarly to Aa and Ap for the atomic node formulas a
and p).
WA B→ : We use Exercise 4.25.
WA Btest(σ) :
A
σ
ι −−−
→f
Here, Aσ is given by induction.
Converse and regular-expression operators:
The construction of WAs Bπ−1 , Bπ1 +π2 , Bπ1 ·π2 , and Bπ∗ follows the standard methods for finite automata.
WA Bπ1 ∩ π2 :
This is the most difficult case. The idea for the construction is due to Göller,
Lohrey, and Lutz [GLL09].
One might be tempted to apply some product construction to the automata Bπ1 and
Bπ2 so that they evolve synchronously. However, recall that, in a tree τ ∈ L(Ak-sw
cbm ),
Bπ1 ∩ π2 should identify the pairs of leaves u and v such that cbm(τ ), u, v |= πi for all
i ∈ {1, 2}. But, the paths leading from u to v that match π1 and π2 , respectively,
may be quite different. In particular, there may be no paths matching π1 and
matching also π2 , or the other way around, so that a product construction would
be too restrictive. This is illustrated in the following figure, where we assume that
the red path matches π1 and the green one matches π2 :
π1
π2
u
v
62
The crucial observation is now that both paths have to visit the unique shortest
path between u and v, which is illustrated by the thick blue line. Moreover, when
one path leaves this shortest path, then it has to come back along the same way
so that, actually, any deviation from the shortest path forms a loop. In the figure,
the paths are abstracted as additional cycles.
This motivates the following construction of Bπ1 ∩ π2 : Essentially, we apply a product construction to Bπ1 and Bπ2 (since there is always the common shortest path).
This makes sure that the two paths that we simulate lead to the same node v.
However, at any time, any of the Bπi is allowed to perform a loop. To make sure
that we simulate a given WA Bπi and the detour ends in the departure node, we
make use of the power of alternation in A2As.
Loops: So, suppose B = (S, →, ι, f) is any WA (later it will be Bπ1 or Bπ2 , though
with variable initial and final states). Assume Ai = (Si , δi , ιi , acc i ) with i =
1, . . . , n are the A2As that occur in B. We will construct an A2A AB such that
the following holds, for all Ω-labeled trees t and nodes u, v of t:
(t, u) ∈ L(AB ) iff (t, u, u) ∈ L(B)
We let AB = (S 0 , δ, ι0 , acc) where
• S 0 = S1 ] . . . ] Sn ] (S × S)
• ι0 = (ι, f)
• δ(s, α, β) = δi (s, α, β)
if s ∈ Si
• acc = acc 1 ∪ . . . ∪ acc n ∪ {(s, s0 ) 7→ 1 | (s, s0 ) ∈ S × S}
The idea is now that a current state (s, r) ∈ S × S will guarantee that, in B, we
can make a loop while going from state s to state s0 . Accordingly, the remaining
transitions are defined as follows. First, δ((s, s), α, β) = true. Next, if s 6= r then
W


(id, ιi ) ∧ (id, (s0 , r))
Ai
s−→s0




W
0
0
 ∨

(dir , (s , r ))
dir


0
s−
−→s


dir


r0 −
−
→
r


δ((s, r), α, β) = 
dir ∈β





W
 ∨

q∈S (id, (s, q)) ∧ (id, (q, r)) 



W
∨
s=r true
The third case allows a transitive closure of loops. The interesting case is the
second one. Whenever B leaves a node u via direction dir towards a node v, it has
to come back to u along the same edge, passing via v and taking the dual direction
dir . This is actually why the characterization of loops in terms of δ is complete.
Here, the dual direction is defined by . = %, & = -, % = ., - = &, and
id = id.
63
It remains to define Bπ1 ∩ π2 = (S, →, ι, f) from Bπi = (Si , →i , ιi , fi ), i = 1, 2:
since we essentially have a product construction
• S = S1 × S2
• ι = (ι1 , ι2 )
f = (f1 , f2 )
• synchronous transitions:
dir
– (s1 , s2 ) −−→ (s01 , s02 )
dir
if si −−→i s0i for i = 1, 2
• simulation of A2As:
A
– (s1 , s2 ) −
→ (s01 , s2 )
A
– (s1 , s2 ) −
→ (s1 , s02 )
A
→1 s01
if s1 −
A
if s2 −
→2 s02
• loops:
A(S
0
1 ,→1 ,s1 ,s )
– (s1 , s2 ) −−−−−−−−−1→ (s01 , s2 )
A(S
0
2 ,→2 ,s2 ,s )
– (s1 , s2 ) −−−−−−−−−2→ (s1 , s02 )
Hereby, (Si , →i , si , s0i ) is simply Bπi , but with new initial state si and new
final state s0i , since we want to check that Bπi can make a loop while switching
from si to s0i .
For every node formula σ of ICPDL, we now have an A2A Aσ over Λ2k such that,
for all τ ∈ L(Ak-sw
cbm ) and all leaves u of τ , the following holds:
(τ, u) ∈ L(Aσ ) iff cbm(τ ), u |= σ
Given an A2A A, we define Lroot (A) = {t | (t, root(t)) ∈ L(A)}. For Φ ∈ ICPDL,
we can now easily construct an A2A Ak-sw
such that, for all τ ∈ L(Ak-sw
Φ
cbm ), the
following holds:
τ ∈ Lroot (Ak-sw
Φ ) iff cbm(τ ) |= Φ
We proceed inductively:
• The A2As for Φ1 ∨ Φ2 and ¬Φ are constructed exactly like for node formulas.
• The A2A for Eσ walks down non-deterministically from the root to some leaf
and starts simulating Aσ .
64
The size of Ak-sw
is exponential in |Φ| and k. The doubly exponential time comΦ
plexity comes from the fact that the transformation of an A2A into an NTA comes
with another exponential blow up:
Theorem 4.41 ([Var98]). For an A2A A with n states and highest priority `,
one can effectively construct, in exponential time, an NTA A0 of size 2O(n`) such
that L(A0 ) = L(A).
Note that the A2A constructed for an ICPDL formula has only polynomial size
when intersection is not used (or when allowing only a bounded number of nested
intersections). Thus, we get the following corollary:
Theorem 4.42. sw-CPDL-ModelChecking(A, Σ) is solvable in exponential
time (when the bound k on the split-width is encoded in unary).
65
CHAPTER
5
Distributed systems with shared resources
In the previous chapters, we have studied distributed systems communicating via
asynchronous data structures such as channels or stacks. Here, we change the
communication paradigm to shared resources. This framework allows processes to
communicate via shared variables or to synchronize via shared actions.
5.1 Architecture for shared resources
Definition 5.1 (Architecture). An architecture for shared resources is a tuple
A = (Res, Σ, R, W) where
• Res is a finite set of resources,
• Σ is a finite set of actions,
• R : Σ → 2Res gives the set of resources read by actions,
• W : Σ → 2Res gives the set of resources written by actions.
In general, we assume that W(a) 6= ∅ for all actions a ∈ Σ.
♦
Example 5.2 (Peterson’s mutual exclusion algorithm). This algorithm can
be described as follows:
66
Process 1
1
2
3
4
5
Process 2
repeat
f1 ← 1
turn ← 2
wait (f2 = 0 ∨ turn = 1)
CriticalSection1
f1 ← 0
1
2
3
4
5
repeat
f2 ← 1
turn ← 1
wait (f1 = 0 ∨ turn = 2)
CriticalSection2
f2 ← 0
We may also describe Peterson’s algorithm by the following automata with variables:
wait1
wait2
?
f2 = 0
3
?
f1 = 0
4
3
?
turn = 1
turn ← 2
4
?
turn = 2
turn ← 1
CS1
2
CS2
2
f1 ← 1
♦
f2 ← 1
1
f1 ← 0
5
1
f2 ← 0
5
The corresponding architecture A is defined by:
• Res = {P1 , f1 , turn, f2 , P2 },
• Σ = Σ1 ] Σ2 where Σ1 and Σ2 are given below with the read and write
functions:
?
?
?
?
Σ1 f1 ← 1 turn ← 2
wait1
f2 = 0 turn = 1 CS1 f1 ← 0
R
P1
P1
P1 , f2 , turn P1 , f2 P1 , turn P1
P1
W P1 , f1
P1 , turn
P1
P1
P1
P1
P1 , f1
Σ2 f2 ← 1 turn ← 1
wait2
f1 = 0 turn = 2 CS2 f2 ← 0
R
P2
P2
P2 , f1 , turn P2 , f1 P2 , turn P2
P2
W P2 , f2
P2 , turn
P2
P2
P2
P2
P2 , f2
Example 5.3 (Processes with shared variables). Peterson’s algorithm is an
example of a distributed system consisting of processes communicating exclusively
with shared variables. Such systems are described with architectures satisfying:
• Res = Procs ] Var,
• ∀a ∈ Σ, ∃p ∈ Procs such that R(a) ∩ Procs = {p} = W(a) ∩ Procs.
Each action belongs to one process. We denote by
U Σp = {a ∈ Σ | p ∈ W(a)} the
set of actions of process p ∈ Procs. We have Σ = p∈Procs Σp .
67
For Peterson’s algorithms, we have two processes with sets of actions Σ1 and Σ2
as described above.
In addition to reading/modifying the state of its process, an action a may read
shared variables in R(a) ∩ Var and modify shared variables in W(a) ∩ Var.
♦
Example 5.4 (Processes with shared actions). Here, we have a set of processes which may synchronize by executing simultaneously some shared actions.
The architecure satisfies
• Res = Procs,
• for all a ∈ Σ, R(a) = W(a) 6= ∅.
♦
Again, for each p ∈ Procs, we let Σp = S
{a ∈ Σ | p ∈ W(a)} be the set of actions
in which p participates. We have Σ = p∈Procs Σp but here the union needs not
be disjoint. If R(a) = {p} is a singleton, then a is an action internal to process p.
Otherwise, a is a synchronization between all processes in R(a).
As a special case, we have the synchronization by (binary) rendez-vous when
|R(a)| ≤ 2 for all a ∈ Σ. Behaviours of such systems are often depicted as follows:
p
a
a a
b
c c
q
d
r
e e
a a
f
b
d
e
e
Example 5.5 (Cellular distributed systems). We have again Res = Procs.
An action may read the states of several processes, but it modifies the state of
only one process. Hence, we have |W(a)| = 1 for all U
a ∈ Σ. The set of actions of
process p is Σp = {a ∈ Σ | p ∈ W(a)}. We have Σ = p∈Procs Σp .
Often, processes are organized regularly, e.g., as a line or a grid. Then an action
of process p reads the states of p’s neighbours and modifies the state of p.
♦
5.2 Asynchronous automata
Definition 5.6. An Asynchronous automaton (AsyncA) over an architecture A =
(Res, Σ, R, W) is a tuple S = ((Sr )r∈Res , (δa )a∈Σ , ι, F ) where
• Sr is the finite set of local states for resource r ∈ Res,
Q
for I ⊆ Res, we let SI = r∈I Sr ,
• δa ⊆ SR(a) × SW(a) is the set of transitions for action a ∈ Σ,
68
• ι ∈ SRes is the global initial state,
• F ⊆ SRes is the set of global accepting states.
The AsyncA S is deterministic if all local transition relations (δa )a∈Σ are functional.
♦
Example 5.7 (Peterson’s algorithm continued). It is an asynchronous automaton with sets of local states SP1 = SP2 = {1, 2, 3, 4, 5}, Sf1 = Sf2 = {0, 1},
Sturn = {1, 2}, initial global state ι = (1, 0, 1, 0, 1) (ordered P1 , f1 , turn, f2 , P2 ),
and local transitions for actions of the first process:
P1 1
f1
turn
f2
P1 3
f1
turn 2
f2 1
f1 ← 1
2
1
2
turn ← 2
?
?
3
3
2
1
turn = 1
4
3
f2 = 0
4
0
wait1
3
4
CS1
5
5
f1 ← 0
1
0
Hence, this asynchronous automaton has 16 states and 14 transitions.
♦
We first define the global, interleaved, sequential semantics of asynchronous automata. Then, we will see a semantics over graphs which emphasizes the concurrency/distribution of executions of AsyncA.
Definition 5.8 (Operational semantics). We associate with an AsyncA S, a
non determinisitic finite state automaton over Σ: S = (SRes , ∆, ι, F ) where the
a
global transition relation is given by s =⇒ s0 if (sR(a) , s0W(a) ) ∈ δa and s0Res\W(a) =
w
sRes\W(a) . The sequential language of S is Lseq (S) = L(S) = {w ∈ Σ∗ | ι =⇒ F }.
Here, s = (sr )r∈Res is a global state and sI = (sr )r∈I is its restriction to I ⊆ Res.♦
The global automaton S associated with an AsyncA S is usually huge. This phenomenon is called the combinatorial explosion due to the interleaved semantics of
several distributed processes. For instance, the AsyncA of Peterson’s algorithm has
200 states (not all are reachable) and the single action f1 ← 1 which generates a
unique local transition of the AsyncA S gives rise to 40 global transitions in S.
Definition 5.9 (CREW: Dependence/Independence). Shared resources allow concurrent reads (CR) but require exclusive write (EW). This gives rise to
a dependence relation on the actions of an architecture A = (Res, Σ, R, W):
D = {(a, b) ∈ Σ2 | W(a) ∩ W(b) 6= ∅ ∨ W(a) ∩ R(b) 6= ∅ ∨ R(a) ∩ W(b) 6= ∅} .
The corresponding independence relation is I = Σ2 \ D.
The pair (Σ, D) (resp. (Σ, I)) is called a dependence (resp. independence) alphabet.♦
69
The three conditions used in the definition of D are commonly refered to as Bernstein’s conditions [Ber66].
The dependence and the independence relations are symmetric. The dependence
relation is also reflexive, assuming that W(a) 6= ∅ for all a ∈ Σ. A clique of D is a
subset A ⊆ Σ of actions which are pairwise dependent: A2 ⊆ D.
For some theorems to be applicable, such as Zielonka’s Theorem and equivalence of
asynchronous automata and MSO logic, we will require that A fulfils an additional
property: We call A symmetric if {(a, b) ∈ Σ × Σ | W(a) ∩ R(b) 6= ∅} is reflexive
and symmetric.
Example 5.10 (Peterson’s algorithm continued). The subsets Σ1 and Σ2 defined in Example 5.2 are dependence cliques. The additional dependences between
actions of P1 and actions of P2 are given below.
Σ1
f1 ← 1
f1 ← 0
?
turn ← 2 turn =
1
wait1
f2 = 0
?
CS1
Σ2
f1 = 0
?
wait2
?
turn = 2 turn ← 1
f2 ← 0
f2 ← 1
CS2
Note that the architecture from Example 5.2 is not symmetric.
♦
Exercise 5.11. Modify the model of Peterson’s algorithm in terms of a symmetric
architecture.
♦
Independent actions may be executed in any order (or even simultaneously) in an
AsyncA without changing the resulting state. This is called the diamond property.
Definition 5.12 (Diamond). A word automaton over Σ has the diamond property for the independence relation I if for all (a, b) ∈ I we have
• for all transitions (s, a, s0 ) and (s0 , b, s000 ) there exist transitions (s, b, s00 ) and
(s00 , a, s000 ),
• for all transitions (s, a, s0 ) and (s, b, s00 ) there exist transitions (s0 , b, s000 ) and
(s00 , a, s000 ).
♦
a
s′
b
s
s′′′
b
s′′
a
Clearly, the global automaton S of an asynchronous automaton S has the diamond
property for the independence relation of Defintion 5.9.
70
Definition 5.13 (Partially commutative monoid). Let (Σ, D) be a dependence
alphabet. The trace equivalence ∼ is the least congruence over Σ∗ such that ab ∼ ba
for all (a, b) ∈ I. It is also the least equivalence relation such that uabv ∼ ubav for
all (a, b) ∈ I and u, v ∈ Σ∗ .
The quotient Σ∗ /∼ is the partially commutative monoid, or trace monoid. An
element of Σ∗ /∼ is an equivalence class [w]∼ (or simply [w]) of some word w.
A word language L ⊆ Σ∗ is trace closed if for all w ∈ L we have [w] ⊆ L.
♦
Clearly, the language accepted by an automaton having the diamond property is
trace closed. We deduce
Proposition 5.14. Let S be an AsyncA over the architecture A and let D be the
associated dependence relation. The language Lseq (S) is both regular and trace
closed.
A natural question is whether the converse holds. This is a celebrated and difficult
result due to Zielonka.
Theorem 5.15 (Zielonka). Let A be a symmetric architecture with associated
dependence alphabet (Σ, D). Let L ⊆ Σ∗ be a regular language which is trace
closed. There exists a deterministic AsyncA S over A such that Lseq (S) = L.
The above theorem is effective, meaning that if L is effectively given by some finite
automaton, then we can effectively construct the corresponding AsyncA S.
Corollary 5.16. Assume A is symmetric. Given an AsyncA S, we can effectively
construct
• an equivalent deterministic AsyncA S1 : Lseq (S1 ) = Lseq (S).
• a deterministic AsyncA S2 for the complement: Lseq (S2 ) = Σ∗ \ Lseq (S).
5.3 Traces as graphs or partial orders
Instead of an equivalence class of words, which may be huge, a behaviour of an
AsyncA can be described with a single graph or partial order. This graph makes
explicit the causality between events (ordering) and the concurrency between events
(absence of ordering).
Definition 5.17 (Traces as partial orders). Let (Σ, D) be a dependence alphabet. A Mazurkiewicz trace over (Σ, D) is a tuple t = (V, ≤, λ) where
• V is a finite set of events,
• λ : V → Σ labels events with actions,
71
• ≤ ⊆ V 2 is a partial order relation describing the causality between events.
We let l = ≤ \ ≤2 be the immediate successor relation. The following two
conditions should be satisfied for all e, f ∈ V :
T1 λ(e) D λ(f ) implies e ≤ f or f ≤ e: dependent events must be ordered,
T2 e l f implies λ(e) D λ(f ): the immediate successor relation must be
justified by the dependency of events.
We denote by M(Σ, D) the set of finite traces over (Σ, D).
♦
Example 5.18 (Traces). We usually depict the Hasse diagram (V, l, λ) of a
trace t = (V, ≤, λ). Consider the dependence alphabet (Σ, D) on the left below.
The Hasse diagram of a trace over (Σ, D) is depicted on the right.
c
b
a
a
d
a
b
c
f
e
e
a
c
d
e
a
a
b
f
d
e
e
We may assume that the dependence alphabet describes a systems with shared
actions (cf. Example 5.4) and three processes: Σp = {a, b, f }, Σq = {b, c, d} and
Σr = {d, e, f }. Then, the trace above can be described with the process-based
view below.
p
a
a a
b
c c
q
d
r
e e
a a
f
b
d
e
e
♦
As we will see below, equivalence classes of words or traces viewed as partial orders
are equivalent objects.
Definition 5.19 (Linearization). Let t = (V, ≤, λ) ∈ M(Σ, D) be a trace.
A linear extension of ≤ is a total order v compatible with ≤, i.e., ≤ ⊆ v.
A linearization of t is a word w = (V, v, λ) where v is a linear extension of ≤.
Here, we identify the total order (V, v, λ) with the word λ(e1 )λ(e2 ) · · · λ(en ) ∈ Σ∗
if V = {e1 , e2 , . . . , en } and e1 @ e2 @ · · · @ en .
We let Lin(t) ⊆ Σ∗ be the set of linearizations of t.
♦
Example 5.20. Let t be the trace depicted in Example 5.23 below. Then, Lin(t)
consists of 25 words, the least in lexicographic order being acbabddc and the last
being cddababc.
♦
72
Proposition 5.21. Let t = (V, ≤, λ) ∈ M(Σ, D) be a trace. Then, Lin(t) is an
equivalence class [w] of some/any word w ∈ Lin(t). More precisely,
1. ∀w1 , w2 ∈ Lin(t), we have w1 ∼ w2 .
2. Lin(t) is trace closed.
We deduce that Lin : M(Σ, D) → Σ∗ /∼ is a well-defined function.
We will see below that Lin is actually a bijetion from M(Σ, D) to Σ∗ /∼.
Proof. 1. Let w1 = (V, v1 , λ) and w2 = (V, v2 , λ) be linearizations of t. The
proof is by induction on |V |. Let e ∈ V be maximal wrt v1 and a = λ(e). Then,
w1 = u1 a. It is easy to check that t0 = (V \ {e}, ≤, λ) ∈ M(Σ, D) is a trace and
that u1 is a linearization of t0 .
Now, let f ∈ V with e @2 f . We show by contradiction that a I λ(f ). Indeed,
if a D λ(f ) then by (T1 ) we get e < f or f < e. The second case is impossible
since e @2 f and v2 is a linear extension of ≤. The first case is impossible since
e is maximal for v1 which is a linear extension of ≤. We deduce that w2 = u2 av2
with a I v2 , i.e., a I b for all b ∈ alph(v2 ). Here, u2 (resp. v2 ) is the prefix (resp.
suffix) of w2 induced by {f ∈ V | f @2 e} (resp. {f ∈ V | e @2 f }). We obtain
w2 ∼ u2 v2 a and it is easy to check that u2 v2 ∈ Lin(t0 ). By induction u1 ∼ u2 v2 .
Hence, w1 = u1 a ∼ u2 v2 a ∼ u2 av2 = w2 .
2. Assume that w1 = uabv and w2 = ubav with w1 ∈ Lin(t) and a I b. We
have to show that w2 ∈ Lin(t). Let e, f ∈ V be the events corresponding to these
occurrences of a and b. We show that ekf are concurrent in t, i.e., ¬(e ≤ f ∨f ≤ e).
First, assume that e < f . Since f is a successor of e in w1 we get e l f , which
implies a D b by (T2 ), a contradiction. Second, f < e is a contradiction with
e @1 f and v1 is a linear extension of ≤.
We deduce that v2 = v1 \ {(e, f )} ∪ {(f, e)} is a linear extension of ≤. Therefore,
w2 = (V, v2 , λ) ∈ Lin(t).
To prove that the map Lin from traces to equivalence classes is a bijection, we
construct the inverse map. We show how to associate with every word w ∈ Σ∗ a
trace Tr(w) ∈ M(Σ, D).
Definition 5.22 (Words to traces). Let w ∈ Σ∗ be a word. We define the trace
Tr(w) = (Vw , ≤w , λ) ∈ M(Σ, D) as follows:
1. Vw = {(a, i) | a ∈ Σ ∧ 1 ≤ i ≤ |w|a } the set of action occurrences in w,
a pair (a, i) stands for the ith occurrence of a in w,
|w|a is the number of occurrences of a in w,
we denote by vw the total order induced by w on V : (a, i) vw (b, j) if the ith
occurrence of a is before the jth occurrence of b in w,
2. λ((a, i)) = a,
73
3. ≤w = (Ew )+ is the transitive closure of the relation
Ew = {((a, i), (b, j)) | a D b ∧ (a, i) vw (b, j)} .
Example 5.23. Consider the dependence alphabet depticted on the left below.
Then, the trace Tr(acbdabdc) is depicted on the right.
a
c
a
b
c
a
b
d
d
b
c
d
Proposition 5.24 (Words to traces). The following holds.
1. ∀w ∈ Σ∗ , Tr(w) ∈ M(Σ, D) is indeed a trace and w ∈ Lin(Tr(w)).
2. ∀w1 , w2 ∈ Σ∗ , we have w1 ∼ w2 iff Tr(w1 ) = Tr(w2 ).
3. ∀t ∈ M(Σ, D), ∀w ∈ Lin(t), we have t = T r(w).
Σ∗
[·]
Σ∗ /∼
Tr
Tr
Lin
M(Σ, D)
Therefore, the diagram above commutes and the maps Tr and Lin are inverse bijections between traces seen as equivalence classes and traces seen as partial orders.
Proof. 1. The relation Ew is antisymmetric: (e, f ), (f, e) ∈ Ew implies e v f and
f v e which implies e = f . Hence ≤w is a partial order. We check that conditions
(T1 ) and (T2 ) are satisfied. First, assume that λ(e) D λ(f ). Since v is a total order,
either e v f and we get (e, f ) ∈ Ew , or f v e and (f, e) ∈ Ew . We deduce that
(T1 ) holds. Second, if e l f then (e, f ) ∈ Ew and we get λ(e) D λ(f ). Therefore,
Tr(w) is indeed a trace. Moreover, ≤ = Ew+ ⊆ vw + = vw and w ∈ Lin(Tr(w)).
2. Assume w1 = uabv and w2 = ubav with u, v ∈ Σ∗ and a I b. Then Vw1 = Vw2
and Ew1 = Ew2 . Therefore, Tr(w1 ) = Tr(w2 ).
Conversely, let w1 , w2 ∈ Σ∗ with Tr(w1 ) = Tr(w2 ) = t. By (1) we get w1 , w2 ∈
Lin(t) and by Proposition5.21 we deduce w1 ∼ w2 .
3. Let t = (V, ≤, λ) ∈ M(Σ, D) and w = (V, v, λ) ∈ Lin(t) be a linearization of t.
We show below that l ⊆ Ew ⊆ ≤. We deduce that ≤ = Ew+ and t = Tr(w).
First, assume that e l f , then e < f and λ(e) D λ(f ) by (T2 ). Since v is a linear
extension of ≤ we get e @ f . Hence, (e, f ) ∈ Ew . Second, assume that (e, f ) ∈ Ew .
Then, e v f and λ(e) D λ(f ). By (T1 ) we get e ≤ f or f < e. The second case
contradicts e v f . Hence, e ≤ f .
74
Actually, Σ∗ /∼ and M(Σ, D) are isomorphic monoids. Since ∼ is a congruence, the
quotient Σ∗ /∼ of the free monoid is also a monoid. On the other hand, it is easy
to define a concatenation on M(Σ, D). Let t1 = (V1 , ≤1 , λ1 ) and t2 = (V2 , ≤2 , λ2 )
be two traces. Wlog. we assume that V1 ∩ V2 = ∅. The concatenation t1 · t2 is
t = (V1 ∪ V2 , ≤, λ1 ∪ λ2 ) where ≤ is the transitive closure of ≤1 ∪ ≤2 ∪ {(e, f ) ∈
V1 × V2 | λ1 (e) D λ2 (f )}. We can check that t is indeed a trace. The concatenation
is associative and the unit element is the empty trace. Therefore, (M(Σ, D), ·) is a
monoid. Moreover, the maps Tr and Lin are morphisms.
We show now that runs of AsyncA can be defined directly on traces seen as partial
orders. First, we introduce some notations. Let t = (V, ≤, λ) ∈ M(Σ, D) be a
trace over A = (Res, Σ, R, W). For all r ∈ Res, we let Vr = {e ∈ V | r ∈ W(a)}
be the set of events that write on resource r. For an event e ∈ V , we denote by
⇓e = {f ∈ V | f < e} its strict past.
Definition 5.25 (Semantics of AsyncA over traces).
Consider an AsyncA S = ((Sr )r∈Res , (δa )a∈Σ , ι, F ) over A = (Res, Σ, R, W). Let
t = (V, ≤, λ) ∈ M(Σ, D) be a trace
S over the associated dependence alphabet. A run
of S over t is a map ρ : V → I⊆Res SI such that for all e ∈ V with a = λ(e), we
have
R1 ρ(e) ∈ SW(a) : when S executes e it writes ρ(e)(r) on resources r ∈ W(a).
R2 (ρ− (e), ρ(e)) ∈ δa is a local transition, where ρ− (e) ∈ SR(a) is defined for all
r ∈ R(a) by
(
ι(r)
if ⇓e ∩ Vr = ∅
ρ− (e)(r) =
ρ(max(⇓e ∩ Vr ))(r) otherwise.
The run ρ is accepting if Last(ρ) ∈ F , where Last(ρ) ∈ SRes is defined for all
r ∈ Res by
(
ι(r)
if Vr = ∅
Last(ρ)(r) =
ρ(max(Vr ))(r) otherwise.
The trace language accepted by S is
L(S) = {t ∈ M(Σ, D) | S admits an accepting run on t} .
Example 5.26 (Peterson’s algorithm continued). Consider the AsyncA S for
Peterson’s algorithm defined in Example 5.7. A run of S over a trace is given in
Figure 5.1.
♦
Proposition 5.27 (Sequential vs. trace semantics). Consider an AsyncA S =
((Sr )r∈Res , (δa )a∈Σ , ι, F ) over the architecture A = (Res, Σ, R, W). The following
holds:
1. ∀w ∈ Lseq (S) = L(S), we have Tr(w) ∈ L(S).
2. ∀t ∈ L(S), we have Lin(t) ⊆ Lseq (S) = L(S).
Exercise 5.28. Prove Proposition 5.27.
75
♦
f1
0
P1
1
turn
1
f1 ← 1
2
1
f2
0
P2
1
f2 ← 1
1
2
turn ← 2
3
2
turn ← 1
1
3
?
turn = 1
4
CS1
5
wait2
3
f1 ← 0
1
0
?
f1 = 0
4
f1 ← 1
2
1
CS2
5
turn ← 2
2
3
f2 ← 0
0
1
?
f2 = 0
4
f2 ← 1
1
2
CS1
5
turn ← 1
1
3
f1 ← 0
1
0
Figure 5.1: A run of Peterson’s AsyncA over a trace
76
5.4 Checking Closure of DFAs
In view of Zielonka’s theorem, it is natural to ask whether a given regular language
is trace closed:
Closure:
Instance:
Question:
A = (Res, Σ, R, W) (or (Σ, D)); DFA B over Σ
Is L(B) trace closed ?
Theorem 5.29. Closure is decidable in polynomial time.
Proof. We minimize B to obtain the DFA Bmin = (Q, δ, ι, F ), and then simply
check whether Bmin has the diamond property (cf. Definition 5.12). Both can be
done in polynomial time. Thus, it remains to show that L(Bmin ) is trace closed iff,
for all q ∈ Q and (a, b) ∈ I, we have δ(q, ab) = δ(q, ba).
The direction ⇐ is obvious.
Towards ⇒, suppose q ∈ Q and (a, b) ∈ I such that δ(q, ab) 6= δ(q, ba). Then, we
can find u, v ∈ Σ∗ such that
• δ(ι, u) = q and
• δ(q, abv) ∈ F iff δ(q, abv) 6∈ F .
Thus, uabv ∈ L(Bmin ) iff uabv 6∈ L(Bmin ), which implies that L(Bmin ) is not trace
closed.
Alternatively, one may consider B as a partial specification and be interested in
the following problem:
Reg-Closure(A):
Instance:
Question:
DFA B over Σ
Is [L(B)] regular ?
Unfortunately, this problem is, in general, undecidable:
Theorem 5.30 ([Sak92]). Reg-Closure is decidable iff the relation I is transitive.
5.5 Star-Connected Regular Expressions
There is a class of regular (word) expressions whose closure is guaranteed to be
regular:
77
Definition 5.31. A regular expression α over Σ is star-connected if, for all subexpressions β ∗ of α, Tr(L(β)) consists only of connected traces.
♦
Theorem 5.32 ([Och95]). Suppose A is symmetric. For L ⊆ M(Σ, D), the following statements are equivalent:
• There is an AsyncA S such that L(S) = L.
• There is a star-connected regular expression α over Σ such that Tr(L(α)) = L.
Example 5.33. Suppose D is given by a−b−c.
• (ac)∗ is not star-connected.
• (a + c + (acb)∗ )∗ is star-connected.
• (acb∗ )∗ is not star-connected.
♦
5.6 Logic Specifications
Traces come with a canonical MSO logic. The set MSO(A) of formulas from
monadic second-order logic is given by the grammar:
ϕ ::= a(x) | x ≤ y | x ∈ X | ϕ ∨ ϕ | ¬ϕ | ∃x ϕ | ∃X ϕ
where a ∈ Σ. As usual, for a sentence ϕ ∈ MSO(A), we let L(ϕ) = {t ∈ M(Σ, D) |
t |= ϕ}.
Example 5.34. In MSO logic, the desired specification of Peterson’s mutual exclusion protocol (cf. Example 5.2) reads as follows:
¬∃x∃y(x k y ∧ CS1 (x) ∧ CS2 (y))
where x k y is defined as ¬(x ≤ y ∨ y ≤ x).
♦
It turns out that AsyncA and MSO logic are expressively equivalent:
Theorem 5.35 ([Tho90]). Let A be symmetric. For L ⊆ M(Σ, D), the following
statements are equivalent:
• There is an AsyncA S over A such that L(S) = L.
• There is a sentence ϕ ∈ MSO(A) such that L(ϕ) = L.
Proof. The transformation of an automaton into a formula is standard (cf. proof
of Theorem 3.4, for example) and left as an exercise.
For the converse translation, we proceed by induction. We will restrict to the most
interesting cases: x ≤ y and ¬ϕ.
78
For x ≤ y, we build an AsyncA Sx≤y accepting traces with two events e, f marked
as x, y, respectively, such that e ≤ f . To take into account the additional marking,
we extend the given architecture A = (Res, Σ, R, W) to A0 = (Res, Σ0 , R0 , W0 ) where
Σ0 = Σ × {0, 1}2 , W0 ((a, i, j)) = W(a), and R0 ((a, i, j)) = R(a). The idea is that a
label of the form (a, 1, j) indicates that the event is marked x, and a label of the
form (a, i, 1) indicates that the event is marked y.
Note that this gives rise to a new independence relation D0 ⊆ Σ0 × Σ0 , and we have
(a, i, j) D0 (a0 , i0 , j 0 ) iff a D a0 .
We are looking for an AsyncA Sx≤y for the trace language Lx≤y , which is defined
to be the set of traces (V, ≤, λ) ∈ M(Σ0 , D0 ) such that there are e, f ∈ V satisfying
• e ≤ f,
• for all g ∈ V , λ(g) ∈ Σ × {1} × {0, 1} iff g = e, and
• for all g ∈ V , λ(g) ∈ Σ × {0, 1} × {1} iff g = f .
Instead of constructing Sx≤y directly, we will build an NFA B over Σ0 such that
L(B) = Lin(Lx≤y ). Zielonka’s theorem will then yield the desired AsyncA.
The NFA B should accept a word w ∈ (Σ0 )∗ iff
• either it is of the form w = u(a, 1, 1)v with u, v ∈ (Σ × {0}2 )∗ ,
• or it is of the form w = u(a, 1, 0)v(b, 0, 1)v 0 such that u, v, v 0 ∈ (Σ×{0}2 )∗ and
v is of the form v1 (a1 , 0, 0) . . . vn (an , 0, 0) with a D a1 D a2 D . . . D an D b.
Note that such a B can be easily found. It essentially guesses the next letter ai+1
until some letter is found that is dependent on b.
From B, using Zielonka’s theorem, we obtain an AsyncA Sx≤y such that L(Sx≤y ) =
Tr(L(B)) = Lx≤y .
For ¬ϕ, we assume that we are given an AsyncA Sϕ such that L(Sϕ ) = L(ϕ).
Then, L = Lin(L(Sϕ )) is regular and trace closed. Thus, Σ∗ \ L is regular and
trace closed, too. By Zielonka’s theorem, there exists an AsyncA S¬ϕ such that
L(S¬ϕ ) = Tr(Σ∗ \ L) = L(¬ϕ).
It immediately follows that MSO model checking of asynchronous automata (over
a symmetric architecture A) is decidable:
MSO-ModelChecking(A):
Instance:
Question:
AsyncA S over A ; ϕ ∈ MSO(A)
L(S) ⊆ L(ϕ) ?
79
Bibliography
[AG14] C. Aiswarya and P. Gastin. Reasoning about distributed systems:
WYSIWYG (invited talk). In Proceedings of the 34th Conference on
Foundations of Software Technology and Theoretical Computer Science (FSTTCS’14), Leibniz International Proceedings in Informatics.
Leibniz-Zentrum für Informatik, 2014. To appear.
[AGNK14] C. Aiswarya, P. Gastin, and K. Narayan Kumar. Verifying Communicating Multi-pushdown Systems. Technical report, Inria, 2014.
[AM09] R. Alur and P. Madhusudan.
J. ACM, 56(3):1–43, 2009.
Adding nesting structure to words.
[Ber66] A. J. Bernstein. Analysis of programs for parallel processing. Electronic
Computers, IEEE Transactions on, EC-15(5):757–763, 1966.
[BKM10] B. Bollig, D. Kuske, and I. Meinecke. Propositional dynamic logic
for message-passing systems. Logical Methods in Computer Science,
6(3:16), September 2010.
[BL06] B. Bollig and M. Leucker. Message-passing automata are expressively
equivalent to EMSO logic. Theor. Comput. Sci., 358(2-3):150–172,
2006.
[Büc60] J. Büchi. Weak second-order arithmetic and finite automata. Z. Math.
Logik, Grundlag. Math., 5:66–62, 1960.
[CE12] B. Courcelle and J. Engelfriet. Graph Structure and Monadic SecondOrder Logic - A Language-Theoretic Approach, volume 138 of Encyclopedia of mathematics and its applications. Cambridge University Press,
2012.
80
[CGNK14] A. Cyriac, P. Gastin, and K. Narayan Kumar. Verifying communicating
multi-pushdown systems via split-width. In Proceedings of the 12th International Symposium on Automated Technology for Verification and
Analysis (ATVA’14), volume 8837 of Lecture Notes in Computer Science. Springer, 2014. To appear.
[Cou10] Bruno Courcelle. Special tree-width and the verification of monadic
second-order graph pr operties. In FSTTCS, volume 8 of LIPIcs, pages
13–29, 2010.
[Cyr14] A. Cyriac. Verification of Communicating Recursive Programs via Splitwidth. Thèse de doctorat, Laboratoire Spécification et Vérification,
ENS Cachan, France, 2014.
[Elg61] C. C. Elgot. Decision problems of finite automata design and related
arithmetics. Trans. Amer. Math. Soc., 98:21–52, 1961.
[GLL09] S. Göller, M. Lohrey, and C. Lutz. PDL with intersection and converse:
satisfiability and infinite-state model checking. Journal of Symbolic
Logic, 74(1):279–314, 2009.
[Och95] E. Ochmański. Recognizable Trace Languages. In The Book of Traces,
chapter 6, pages 167–204. World Scientific, 1995.
[Sak92] J. Sakarovitch. The "last" decision problem for rational trace languages. In LATIN’92, volume 583 of LNCS, pages 460–473. Springer,
1992.
[Tho90] W. Thomas. On logical definability of trace languages. In Proceedings
of Algebraic and Syntactic Methods in Computer Science (ASMICS),
Report TUM-I9002, Technical University of Munich, pages 172–182,
1990.
[Tho96] W. Thomas. Elements of an automata theory over partial orders. In
Proc. of POMIV’96, volume 29 of DIMACS. AMS, 1996.
[Tra62] B. A. Trakhtenbrot. Finite automata and monadic second order logic.
Siberian Math. J, 3:103–131, 1962. In Russian; English translation in
Amer. Math. Soc. Transl. 59, 1966, 23–55.
[TW68] J. W. Thatcher and J. B. Wright. Generalized finite automata theory with an application to a decision problem of second-order logic.
Mathematical Systems Theory, 2(1):57–81, 1968.
[Var98] M. Y. Vardi. Reasoning about the past with two-way automata.
In ICALP’98, Lecture Notes in Computer Science, pages 628–641.
Springer, 1998.
81