Verifying parameterized Networks
Clarke, Grumberg, Jha
Presented by Adi Sosnovich , April 2012
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Verification of parameterized systems

Given a temporal property 𝑓 and an infinite family of
distributed systems 𝐹 = 𝑃𝑖 ∞
𝑖=1 composed of similar
processes, check 𝑷𝒊 ⊨ 𝒇 for all the finite models from 𝐹.

In general the problem is undecidable. [Apt, Kozen 86]

For specific families, the problem may be solvable.

Various cases may depend on:




Communication topology of the family F
Parallelism: synchronous, asynchronous
Synchronization primitives
Temporal properties: local , global
Verification of parameterized systems

Previous work:

Establishing a bisimulation relation between a 2-process
token ring and an n-process token ring for any 𝑛 ≥ 2.


Drawback: constructing manually the bisimulation relation.
Finding network invariants:



Constructing an invariant 𝐼 s.t : 𝑃𝑖 ≤ 𝐼 for all 𝑖 .
Using traditional model-checking on the invariant process.
Drawbacks:


the invariant 𝐼 is explicitly provided by the user.
Can handle only networks with one repetitive component.
Verification of parameterized systems

Current work:

Works on context-free network grammars

The network is an infinite family of distributed systems
composed of similar processes.

Trying to generate the invariant automatically based on the grammar’s structure

The invariant simulates all processes in the language of the
grammar. (all the finite models from the family).
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Labeled Transition System (LTS)

An LTS is a structure 𝑀 = 𝑆, 𝑅, 𝐴𝐶𝑇, 𝑆0 where:

𝑆 - set of states

𝑆0 ⊆ 𝑆 - set of initial states

𝐴𝐶𝑇 – set of actions

𝑅 ⊆ 𝑆 × 𝐴𝐶𝑇 × 𝑆 – total transition relation
Labeled Transition System (LTS)

Example :






We define the process P by the following LTS:
𝑃 = 𝑆, 𝑅, 𝐴𝐶𝑇, 𝑆0
𝑆 = 𝑛𝑐, 𝑐𝑠
𝑆0 = 𝑛𝑐
𝐴𝐶𝑇 = 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛, 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛, 𝜏
𝑛𝑐, 𝜏, 𝑛𝑐 , 𝑛𝑐, 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛, 𝑐𝑠 , 𝑐𝑠, 𝜏, 𝑐𝑠 ,
𝑅=
𝑐𝑠, 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛, 𝑛𝑐
𝜏
nc
𝜏
get-token
send-token
cs
Labeled Transition System (LTS)

Another example :






We define the process Q by the following LTS:
𝑄 = 𝑆, 𝑅, 𝐴𝐶𝑇, 𝑆0
𝑆 = 𝑛𝑐, 𝑐𝑠
𝑆0 = 𝑐𝑠
𝐴𝐶𝑇 = 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛, 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛, 𝜏
𝑛𝑐, 𝜏, 𝑛𝑐 , 𝑛𝑐, 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛, 𝑐𝑠 , 𝑐𝑠, 𝜏, 𝑐𝑠 ,
𝑅=
𝑐𝑠, 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛, 𝑛𝑐
𝜏
nc
𝜏
get-token
send-token
cs
Labeled Transition System (LTS)

Composition function:

Given 2 LTSs:


𝑀1 = 𝑆1 , 𝑅1 , 𝐴𝐶𝑇, 𝑆01
and 𝑀2 = 𝑆2 , 𝑅2 , 𝐴𝐶𝑇, 𝑆02
𝑴𝟏 ∥ 𝑴𝟐 has the form: 𝑆1 × 𝑆2 , 𝑅′ , 𝐴𝐶𝑇, 𝑆01 × 𝑆02

R’ depends on the exact semantic of the composition function
Network grammars

Network:


the set of all LTSs derived by a context-free network grammar
Network grammar:


Defined over S (set of states) and ACT (set of actions).
𝐺 = 𝑇, 𝑁, 𝑃, 𝑆




𝑇 – set of terminals, each is an LTS, defined over S and ACT.
Also referred as basic processes.
𝑁 – set of nonterminals, each defines a network.
𝑃 – set of production rules of the form: 𝐴 → 𝐵 ∥𝑖 𝐶
𝑆 ∈ 𝑁 – start symbol, represents the network generated by G.
Network grammars - example


𝑆 = 𝑛𝑐, 𝑐𝑠 , 𝐴𝐶𝑇 = 𝜏, 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛, 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛
𝐺 = 𝑇, 𝑁, 𝑃, 𝑆 , where



𝑇 = 𝑃, 𝑄
𝑁 = 𝑆, 𝐴
𝑆⟶𝑄∥𝐴
𝑃= 𝐴⟶𝑃∥𝐴
𝐴⟶𝑃∥𝑃

The grammar produces rings with one process Q and at least
2 processes P.

The network consists of LTSs that perform a simple mutual
exclusion using a token ring algorithm.
Network grammars - example

𝑆⟹𝑄∥𝐴⟹𝑄∥𝑃∥𝑃
𝑄 ∥ 𝑃 ∥ 𝑃 has the form:
𝑐𝑠, 𝑛𝑐 × 𝑐𝑠, 𝑛𝑐 × 𝑐𝑠, 𝑛𝑐 , 𝑅′ , 𝐴𝐶𝑇, 𝑐𝑠 × 𝑛𝑐 × 𝑛𝑐
Reachable states in LTS 𝑄 ∥ 𝑃 ∥ 𝑃 ∶
𝜏
cs,nc,nc
𝜏
𝜏
nc,cs,nc
𝜏
𝜏
𝜏
nc,nc,cs
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Specification Language

Goal: specify a network of LTSs composed of any
number of components (basic processes).

How to specify property of a global state of a system
consisting of many components?


Such a state is an n-tuple, 𝑠1 , … , 𝑠𝑛
Typical properties:




for some n.
Some component is in state 𝑠𝑖
At least (at most) k components are in state 𝑠𝑖
(Some component in state 𝑠𝑖 ) → (some component in state 𝑠𝑗 )
Such properties are conveniently expressed in terms of
regular languages.
Specification Language

Global state:


Property:


A regular language 𝐿 ⇒ the property 𝐿
Having the property:


The word 𝑠1 ∙ ⋯ ∙ 𝑠𝑛 instead of n-tuple 𝑠1 , … , 𝑠𝑛 .
The state 𝑠1 ∙ ⋯ ∙ 𝑠𝑛 has the property 𝐿 iff 𝑠1 ∙ ⋯ ∙ 𝑠𝑛 ∈ 𝐿.
Example


Property: 𝑳 = 𝒏𝒄∗ 𝒄𝒔 𝒏𝒄∗
Specifies states in which exactly one process is in its critical
section.
Specification Language

Defining atomic state properties:





The regular language is specified by a deterministic automaton
over 𝑆 : 𝑫 = 𝑸, 𝒒𝟎 , 𝜹, 𝑭
𝑳(𝑫) ⊆ 𝑺∗ is the set of words accepted by 𝐷.
A state of an LTS is a tuple from 𝑆 𝑖 , for some 𝑖.
𝒔 ⊨ 𝑫 ⟺ 𝒔 ∈ 𝑳(𝑫)
Example:
nc
q0
nc
cs
q1
nc,cs
cs
Automaton D with 𝐿 𝐷 = 𝑛𝑐 ∗ 𝑐𝑠 𝑛𝑐
q2
∗
Specification Language


Assume we have a network defined by a grammar 𝐺 on
the tuple 𝑆, 𝐴𝐶𝑇 .
The specification language is 𝐴𝐶𝑇𝐿, 𝐴𝐶𝑇𝐿∗ , with finite
automata over 𝑆 as the atomic formula.
Specification Language
Specification Language

Example:


𝑓 = 𝑨𝑮(𝐷)
𝐿 𝐷 = 𝑛𝑐 ∗ 𝑐𝑠 𝑛𝑐
𝑃
𝑃⊭𝑓
𝜏
𝜏
get-token
nc
𝑄∥𝑃∥𝑃
𝜏

∗
send-token
𝜏
cs
𝜏
𝑄∥𝑃∥𝑃⊨𝑓
cs,nc,nc
𝜏
nc,cs,nc
𝜏
𝜏
nc,nc,cs
Specification Language

Another Example:
𝐿 𝐷′ = 𝑐𝑠 𝑛𝑐
∗
𝑓 = 𝑨𝑮𝑨𝑭(𝐷′)
𝑓 expresses non-starvation for process Q.

𝑄∥𝑃∥𝑃
𝜏
cs,nc,nc

𝜏
𝜏
nc,cs,nc
𝜏
𝜏
𝑄∥𝑃∥𝑃⊭𝑓
𝜏

Non-starvation is guaranteed only if some kind of fairness is
assumed.
nc,nc,cs
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Abstract LTS

Using abstraction in order to reduce the state space
required for the verification of networks.

Requirements:

There must be a simulation preorder ≼ 𝑠. 𝑡 an LTS is
smaller by ≼ than the abstract LTS.

Composing 2 abstract states will result in an abstraction of
their composition.
State Equivalence

Goal:
Given an 𝐿𝑇𝑆 𝑀 = (𝑆, 𝑅, 𝐴𝐶𝑇, 𝑆0 ) , define equivalence
relation over 𝑆 , s.t equivalence classes are the states of
the abstract LTS ℎ(𝑀).
 Requirements:
1.
𝑠1 ≡ 𝑠2 → 𝑠1 ⊨ 𝐷 ⟺ 𝑠2 ⊨ 𝐷
equivalent states both satisfy/falsify atomic formula.

2.
𝑠1 ≡ 𝑠1′ 𝑎𝑛𝑑 𝑠2 ≡ 𝑠2 ′ → 𝑠1 , 𝑠2 ≡ 𝑠1 ′, 𝑠2 ′
preserving equivalence under composition.
State Equivalence





First try:
𝑠 ≡ 𝑠′ ⇔ 𝑠 ⊨ 𝐷 ⇔ 𝑠 ′ ⊨ 𝐷
Satisfies 1st requirement
Doesn’t satisfy 2nd requirement
Example for a composition in which equivalence is not
preserved:

The LTS: 𝑄 ∥ (𝑃 ∥ 𝑃)
Explaining the example
𝑸
𝑠1 = 𝑐𝑠 , 𝑠1′ = 𝑐𝑠
𝑷∥𝑷
𝑠2 = 𝑛𝑐, 𝑛𝑐
𝑠2′ = (𝑐𝑠, 𝑐𝑠)
𝑠1 ≡ 𝑠1′
𝑠2 ≡ 𝑠2′
because 𝑐𝑠 ∈ 𝐿(𝐷) because nc,nc
∉𝐿 𝐷
and cs,cs ∉ 𝐿 𝐷
𝑸∥𝑷∥𝑷
𝑠1 , 𝑠2 = 𝑐𝑠, 𝑛𝑐, 𝑛𝑐
𝑠1 ′, 𝑠2 ′ = 𝑐𝑠, 𝑐𝑠, 𝑐𝑠
𝑠1 , 𝑠2 ≢ 𝑠1 ′, 𝑠2 ′
because cs,nc,nc
∈𝐿 𝐷
and cs,cs,cs ∉ 𝐿 𝐷
We need a refined equivalence relation that will be preserved under
composition.
State Equivalence

Refining the equivalence relation

Definition:

Given an automaton 𝐷 = 𝑄, 𝑞0 , 𝛿, 𝐹 and a word 𝑤 ∈ 𝑆 ∗
, the function induced by 𝑤 on 𝑄, 𝑓𝑤 : 𝑄 ⟼ 𝑄 is:
𝒇𝒘 𝒒 =
𝒒′
𝒘
iff 𝒒 → 𝐪′
Example


𝑤 = 𝑐𝑠 ∙ 𝑛𝑐
D=
nc
q0

nc
cs
q1
nc,cs
cs
q2
To find 𝑓𝑤 , we need to find 𝑓𝑤 (𝑞𝑖 ) for each 𝑞𝑖 ∈ 𝑄.
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞0 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞0 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞0 ) :
nc
q0

𝑓𝑤 (𝑞0 ) = 𝑞1
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞1 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞1 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞1 ) :
nc
q0

𝑓𝑤 (𝑞1 ) = 𝑞2
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞2 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞2 ) :
nc
q0
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐

Finding 𝑓𝑤 (𝑞2 ) :
nc
q0

𝑓𝑤 (𝑞2 ) = 𝑞2
nc
cs
q1
nc,cs
cs
q2
Example

𝑤 = 𝑐𝑠 ∙ 𝑛𝑐
nc


nc,cs
D=
q0

nc
cs
Conclusion:
𝑓𝑤 = 𝑞0 , 𝑞1 , 𝑞1 , 𝑞2 , 𝑞2 , 𝑞2
q1
cs
q2
State Equivalence

Refining the equivalence relation

Defining equivalence
𝑠 ≡ 𝑠′ ⇔ 𝑓𝑠 = 𝑓𝑠′


𝑓𝑠 is the abstraction of s , and is denoted by 𝒉(𝒔) .

𝑠 ⊨ 𝐷 iff 𝑓𝑠 (𝑞0 ) ∈ 𝐹

ℎ 𝑠, 𝑠 ′ = 𝑓𝑠 ∘ 𝑓𝑠′
State Equivalence


The new equivalence relation satisfies both requirements.
Proof:
1.
𝑠 ≡ 𝑠 ′ ⇒ 𝑓𝑠 = 𝑓𝑠′ ⇒ 𝑓𝑠 𝑞0 ∈ 𝐹 ⟺ 𝑓𝑠′ 𝑞0 ∈ 𝐹 ⇒ (𝑠
State Equivalence

Example:

Considering the automaton 𝐷 over 𝑆 = 𝑐𝑠, 𝑛𝑐 , 𝐷 induces
functions 𝑓𝑠 : 𝑄 ⟼ 𝑄 for every 𝑠 ∈ 𝑆 ∗ :
There are only 3 different functions, each identifying an equivalence class
over 𝑆 ∗ .
nc
q0
nc
cs
q1
nc,cs
cs
q2
Abstract States


𝐹𝐷 - set of functions corresponding to the deterministic
automaton 𝐷.
𝑄 – the set of states of 𝐷.

In the worst case: 𝐹𝐷 = 𝑄 𝑄
In practice, the size is much smaller.

In the previous example:



𝐹𝐷 ≤ 27
In practice: 𝐹𝐷 = 3
Extension to any set of atomic formulas

𝐴𝐹 = 𝐷1 , … , 𝐷𝑘


Where 𝐷𝑖 = 𝑄𝑖 , 𝑞𝑖0 , 𝛿𝑖 , 𝐹𝑖
The abstraction of 𝑠:

ℎ 𝑠 = 𝑓𝑠1 , … , 𝑓𝑠𝑘

𝑠 ≡ 𝑠′ iff for all 𝑖 : 𝑓𝑠𝑖 = 𝑓𝑠′𝑖

𝑠 ≡ 𝑠′ ⇒ 𝑠 ∈ 𝐿 𝐷𝑖 ⇔ 𝑠′ ∈ 𝐿 𝐷𝑖
States that are mapped to the same abstract states agree on all atomic
properties.
Abstract LTS

Example:
𝑄∥𝑃∥𝑃
𝜏
cs,nc,nc
𝜏
𝜏
nc,cs,nc
𝜏
ℎ(𝑄 ∥ 𝑃 ∥ 𝑃)
𝜏
𝜏
𝜏
h
nc,nc,cs
𝒇𝟐
Simulation


Definition:
𝑀 ≼ 𝑀′ iff there is a simulation preorder ℰ ⊆ 𝑆 × 𝑆 ′ that
satisfies:
∀𝑠0 ∈ 𝑆0 there is 𝑠0 ′ ∈ 𝑆0 ′ s.t : 𝑠0 , 𝑠0 ′ ∈ ℰ.
∀s, s′ 𝑠, 𝑠′ ∈ ℰ ⇒ ℎ 𝑠 = ℎ 𝑠′
𝑠, 𝑠′ ∈ ℰ ⇒
𝑎
𝑎
∀s, s′ ∀𝑠1 𝑠. 𝑡 𝑠 → 𝑠1 𝑡ℎ𝑒𝑟𝑒 𝑖𝑠 𝑠1′ 𝑠. 𝑡 𝑠′ → 𝑠1 ′ 𝑎𝑛𝑑
𝑠1 , 𝑠1 ′ ∈ ℰ
1.
2.
3.

Notation:

If 𝑠, 𝑠′ ∈ ℰ, we say that 𝑠 ≼ 𝑠′.
Abstract LTS

Lemma:
1.
The simulation relation is:
𝑠, 𝑎 ∈ ℰ ⇔ ℎ 𝑠 = 𝑎
2.
Let ℰ be the simulation relation between 𝑀, 𝑀′.
Define the relation ℰℎ as the following:
𝑎, 𝑏 ∈ ℰℎ
⟺ ∃𝑠1 , 𝑠2 ℎ 𝑠1 = 𝑎 ∧ ℎ 𝑠2 = 𝑏 ∧ 𝑠1 , 𝑠2 ∈ ℰ
Abstract LTS

Theorem:

And there are some more cases to prove…
Abstract LTS

Conclusion:


𝑀 ≼ 𝑀′ ⇒ 𝑀′ ⊨ 𝜙 ⟹ 𝑀 ⊨ 𝜙
Proof:




𝑀′ ⊨ 𝜙 ⇒ ∀𝑠𝑜′ ∈ 𝑆0′ : 𝑀′ , 𝑠0′ ⊨ 𝜙
𝑀 ≼ 𝑀′ ⇒ ∀𝑠0 ∈ 𝑆0 there is 𝑠0 ′ ∈ 𝑆0 ′ s.t : 𝑠0 , 𝑠0 ′ ∈ ℰ
⇒ ∀𝑠0 ∈ 𝑆0 : M, 𝑠0 ⊨ 𝜙
⇒𝑀⊨𝜙
(theorem)
Abstract LTS and Simulation

Example:
𝑄∥𝑃∥𝑃
𝜏
cs,nc,nc
𝜏
𝜏
nc,cs,nc
ℎ(𝑄 ∥ 𝑃 ∥ 𝑃)
𝜏
𝜏
𝜏
h
nc,nc,cs
𝒇𝟐
𝜏



ℰ = 𝑐𝑠 ∙ 𝑛𝑐 ∙ 𝑛𝑐, 𝑓2 , 𝑛𝑐 ∙ 𝑐𝑠 ∙ 𝑛𝑐, 𝑓2 , 𝑛𝑐 ∙ 𝑛𝑐 ∙ 𝑐𝑠, 𝑓2
𝑄 ∥ 𝑃 ∥ 𝑃 ≼ ℎ(𝑄 ∥ 𝑃 ∥ 𝑃)
ℎ 𝑄 ∥ 𝑃 ∥ 𝑃 ⊨ 𝐴𝐺(𝐷) ⇒ 𝑄 ∥ 𝑃 ∥ 𝑃 ⊨ 𝐴𝐺(𝐷)
Abstract LTS and Simulation

Another Example:
𝑃
𝜏
nc


ℎ(𝑃)
𝜏
get-token
send-token
cs
ℰ = 𝑛𝑐, 𝑓1 , 𝑐𝑠, 𝑓2
𝑃 ≼ ℎ(𝑃)
𝜏
h
𝜏
get-token
𝒇𝟏
send-token
𝒇𝟐
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Verification Method



𝐺 is a monotonic grammar
𝜙 is an 𝐴𝐶𝑇𝐿 formula with atomic formulas 𝐷1 , … , 𝐷𝑘
To check that every LTS derived by 𝐺 satisfies 𝜙 we
perform:
1.
2.
3.
For every symbol A in G, choose 𝒓𝒆𝒑(𝑨) and construct the
abstract LTS ℎ 𝑟𝑒𝑝 𝐴 with respect to the atomic formulas
𝐷1 , … , 𝐷𝑘 .
Check that the set of representatives satisfy the
monotonicity property.
Perform MC on ℎ 𝑟𝑒𝑝 𝑆 with 𝜙 as the specification.
Monotonic Grammar

Monotonic composition:


The composition ∥ is monotonic iff given LTSs
𝑀1 , 𝑀2 , 𝑀1′ , 𝑀2 ′ :
𝑀1 ≼ 𝑀2 𝑎𝑛𝑑 𝑀1 ′ ≼ 𝑀2 ′ → 𝑀1 ∥ 𝑀1′ ≼ 𝑀2 ∥ 𝑀2 ′
Monotonic grammar:

A network grammar G is monotonic iff all rules in the
grammar use only monotonic composition operators.
Representative Processes

For a network grammar 𝐺 , we find for each symbol A of
the grammar a representative process 𝑟𝑒𝑝(𝐴).

Monotonicity property:



Given a grammar 𝐺 = 𝑇, 𝑁, 𝑃, 𝑆 and a set of representatives:
𝐴 ∈ 𝑇 → ℎ 𝑟𝑒𝑝 𝐴 ≽ ℎ 𝐴
𝐴→𝐵∥𝐶∈𝑃 →
ℎ 𝑟𝑒𝑝 𝐴 ≽ ℎ(ℎ 𝑟𝑒𝑝 𝐵
∥ ℎ 𝑟𝑒𝑝 𝐶 )
Theorem





Let 𝐺 be a monotonic grammar
Suppose we can find representatives that satisfy the
monotonicity property.
Let A be a symbol of 𝐺
Let 𝑎 be an LTS derived from A using the rules of 𝐺.
Then:
𝒉 𝒓𝒆𝒑(𝑨) ≽ 𝒂
Proof


We will prove that ℎ 𝑟𝑒𝑝 𝐴 ≽ ℎ(𝑎).
Since ℎ 𝑎 ≽ 𝑎 , we will get that ℎ 𝑟𝑒𝑝 𝐴
[transitivity of simulation relation].
≽ 𝑎.
Let 𝐴 ⟹𝑘 𝑎 .
We will prove by induction on k.

(k=0) : 𝐴 is a terminal ⇒ 𝑎 = 𝐴 ⇒ the result follows from
the monotonicity property.
Proof

(k>0) : Let 𝐴 → 𝐵 ∥ 𝐶 be the first rule in the derivation of a
from A .
Assume: 𝐵 ⇒𝑖 𝑏 , C ⇒𝑗 𝑐 , 𝑎 = 𝑏 ∥ 𝑐 , 𝑖, 𝑗 < 𝑘
By I.H : ℎ 𝑟𝑒𝑝 𝐵 ≽ ℎ(𝑏) , ℎ 𝑟𝑒𝑝 𝐶 ≽ ℎ(𝑐).
We have the following equations:
Lemma 3.2.3
Back to the verification method…



𝐺 is a monotonic grammar
𝜙 is an 𝐴𝐶𝑇𝐿 formula with atomic formulas 𝐷1 , … , 𝐷𝑘
To check that every LTS derived by 𝐺 satisfies 𝜙 we
perform:
1.
2.
3.
For every symbol A in G, choose 𝒓𝒆𝒑(𝑨) and construct the
abstract LTS ℎ 𝑟𝑒𝑝 𝐴 with respect to the atomic formulas
𝐷1 , … , 𝐷𝑘 .
Check that the set of representatives satisfy the
monotonicity property.
Perform MC on ℎ 𝑟𝑒𝑝 𝑆 with 𝜙 as the specification.
Back to the verification method…



Now we have proved that in step #3 , for every 𝑎 derived
by the grammar 𝐺 , ℎ(𝑟𝑒𝑝 𝑆 ) ≽ 𝑎.
Thus, if 𝜙 is an 𝐴𝐶𝑇𝐿 formula and ℎ(𝑟𝑒𝑝 𝑆 ) ⊨ 𝜙 , we
can conclude that for all LTSs 𝑀 derived by 𝐺 : 𝑀 ⊨ 𝜙.
The next question:

How to find representatives that satisfy the monotonicity
property?
The Unfolding Heuristic


Might be helpful in automatically finding monotonic
representatives.
Basic ideas:



Initial representative of a symbol A will be the LTS derived
by A using the minimum number of rules.
Often certain behaviors only occur when a process is
composed with other processes (that provide the
environment).
By unfolding the current set of representatives we will find a
larger set of potential representatives, that might satisfy the
monotonicity property.
The Unfolding Heuristic


Some notations:
Association function (𝑨𝑺) for a grammar 𝐺 :



Assigns a set of processes to each symbol of 𝐺.
This set will contain the potential representatives of the
symbol.
Given 2 sets of LTSs 𝑋 and 𝑌 we define 𝑋 ∥ 𝑌 as:
𝑋 ∥ 𝑌 = 𝑝 ∥ 𝑞 | 𝑝 ∈ 𝑋 𝑎𝑛𝑑 𝑞 ∈ 𝑌
The Unfolding Heuristic

Finding the initial association 𝑨𝑺𝟎

For a terminal A , 𝐴𝑆0 𝐴 = 𝐴 .
The Unfolding Heuristic


Example : Finding the initial association - 𝐴𝑆0
𝐺 = 𝑇, 𝑁, 𝑃, 𝑆 , where



𝑇 = 𝑃, 𝑄
𝑁 = 𝑆, 𝐴
𝑆⟶𝑄∥𝐴
𝑃= 𝐴⟶𝑃∥𝐴
𝐴⟶𝑃∥𝑃
𝑨
𝑺
0
1
𝑃∥𝑃
2
𝑃∥𝑃
𝑄∥𝑃∥𝑃
𝑷
𝑸
𝑃
𝑄
𝑃
𝑄
𝐴𝑆0 𝐴 = 𝐴𝑆 𝑃 ∥ 𝐴𝑆(𝑃)
𝑃
𝑄
𝐴𝑆0 𝑆 = 𝐴𝑆 𝑄 ∥ 𝐴𝑆(𝐴)
The Unfolding Heuristic


Example : Finding the initial association - 𝐴𝑆0
𝐺 = 𝑇, 𝑁, 𝑃, 𝑆 , where







𝑇 = 𝑃, 𝑄
𝑁 = 𝑆, 𝐴
𝑆⟶𝑄∥𝐴
𝑃= 𝐴⟶𝑃∥𝐴
𝐴⟶𝑃∥𝑃
𝐴𝑆0
𝐴𝑆0
𝐴𝑆0
𝐴𝑆0
𝑄
𝑃
𝐴
𝑆
=
=
=
=
𝑄
𝑃
𝑃∥𝑃
𝑄∥𝑃∥𝑃
The Unfolding Heuristic

The algorithm to find representatives:

The unfolding operator:
The Unfolding Heuristic

Example : Unfolding the current association- 𝐴𝑆0








𝐴𝑆0
𝐴𝑆0
𝐴𝑆0
𝐴𝑆0
𝐴𝑆
𝐴𝑆
𝐴𝑆
𝐴𝑆
𝑄
𝑃
𝐴
𝑆
𝑄
𝑃
𝐴
𝑆
=
=
=
=
=
=
=
=
𝑄
𝑃
𝑃∥𝑃
𝑄∥𝑃∥𝑃
𝑄
𝑃
𝑃 ∥ 𝑃, 𝑃 ∥ 𝑃 ∥ 𝑃
𝑄 ∥ 𝑃 ∥ 𝑃, 𝑄 ∥ 𝑃 ∥ 𝑃 ∥ 𝑃
The Unfolding Heuristic

Example:

The corresponding representatives didn’t satisfy the
monotonicity property.

ℎ 𝑃∥𝑃 ⋡ℎ ℎ 𝑃 ∥ℎ 𝑃∥𝑃

The process ℎ ℎ 𝑃 ∥ ℎ 𝑃 ∥ 𝑃 might have more abstract states
than ℎ 𝑃 ∥ 𝑃 . We need to find a representative that “has more
behaviors than ℎ 𝑃 ∥ 𝑃 ”.
The Unfolding Heuristic

After unfolding:

If we choose representatives as:
The process ℎ 𝑃 ∥ 𝑃 ∥ 𝑃 have more abstract states than ℎ 𝑃 ∥ 𝑃
The Unfolding Heuristic

Observations:

Each iteration increases the set of processes associated with a
nonterminal.

Unfolding results in processes that are a combination of a
larger number of basic processes.

The procedure might not terminate. The user will have to put a
limit on the number of iterations.
The Unfolding Heuristic

If we find representatives with the monotonicity property
s.t : ℎ 𝑟𝑒𝑝 𝑆 ⊭ 𝜙 , then we cannot conclude anything
about the correctness of the network derived by G.

Counter example might aid the user in finding more
refined representatives or we may want to apply the
unfolding technique again.
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Synchronous model of computation

Presenting a synchronous framework, that has the
properties required by the verification method.

LTSs represent Moore machines:




𝑀 = 𝑆, 𝑅, 𝐼, 𝑂, 𝑆0
𝐼∩𝑂 =𝜙
𝐴𝐶𝑇 = 𝜏 ∪ 2𝐼∪𝑂
𝑎
Transition: 𝑠 → 𝑡 with 𝑎 = 𝑖 ∪ 𝑜, occurs only if the environment
supplies inputs 𝑖 , and the machine 𝑀 produces the outputs 𝑜.
Synchronous model of computation

Synchronous composition , 𝑀′′ = 𝑀 ∥ 𝑀′ :





𝑆 ′′ = 𝑆 × 𝑆 ′
𝑆0,, = S0 × 𝑆0,
𝐼 ′′ = 𝐼 ∪ 𝐼′ \ 𝑂 ∪ 𝑂′
𝑂′′ = 𝑂 ∪ 𝑂′
𝑠, 𝑠′
𝑎
𝑎′′
𝑠1 , 𝑠1 ′ ∈ 𝑅′′ ⇔
𝑎′
𝑠 𝑠1 ∈ 𝑅 and 𝑠 ′ 𝑠1 ′ ∈ 𝑅′ and
𝑎 ∩ 𝐼 ′ ∪ 𝑂′ = 𝑎′ ∩ 𝐼 ∪ 𝑂 and 𝑎′′ = 𝑎 ∪ 𝑎′
Synchronous model of computation

Lemma:

The composition ∥ is monotonic w.r.t ≼ .

We should prove that: 𝑀 ∥ 𝑀1 ≼ 𝑀′ ∥ 𝑀1 ′
Synchronous model of computation

Lemma:

The composition ∥ is monotonic w.r.t ≼ .


Proof – continued:
We say that

We show that ℰ × ℰ1 has the required properties.
1.
Synchronous model of computation

Lemma:

The composition ∥ is monotonic w.r.t ≼ .
Proof – continued:
2.
3.
Network Grammars for Synchronous Models

𝐺 = 𝑁, 𝑇, 𝑃, 𝑆

Each 𝐴 ∈ 𝑇 ∪ 𝑁 is associated with 𝐼𝐴 and 𝑂𝐴 .

In G we allow different composition operators ∥𝑖 for
different production rules.
Network Grammars for Synchronous Models


Definitions:
Renaming function 𝓡:



When applied to A, it maps inputs to inputs and outputs to
outputs s.t: ℛ 𝐼𝐴 ∩ ℛ 𝑂𝐴 = 𝜙 .
Applying ℛ to an LTS 𝑀 results in an LTS 𝑀′ with:
𝑆 = 𝑆′, 𝑆0 = 𝑆0 ′, 𝐼 ′ = ℛ 𝐼 \ 𝜏 , 𝑂′ = ℛ 𝑂 \ 𝜏 , and
𝑠, 𝑎, 𝑠′ ∈ 𝑅 ⇔ 𝑠, ℛ 𝑎 , 𝑠′ ∈ 𝑅′
Hiding function 𝓡𝒂𝒄𝒕 :

For 𝑎𝑐𝑡 ⊆ 𝐼 ∪ 𝑂,is a renaming function that maps each element
in act to 𝜏.
Network Grammars for Synchronous Models


Definitions:
Renaming function 𝓡:



When applied to A, it maps inputs to inputs and outputs to
outputs s.t: ℛ 𝐼𝐴 ∩ ℛ 𝑂𝐴 = 𝜙 .
Applying ℛ to an LTS 𝑀 results in an LTS 𝑀′ with:
𝑆 = 𝑆′, 𝑆0 = 𝑆0 ′, 𝐼 ′ = ℛ 𝐼 \ 𝜏 , 𝑂′ = ℛ 𝑂 \ 𝜏 , and
𝑠, 𝑎, 𝑠′ ∈ 𝑅 ⇔ 𝑠, ℛ 𝑎 , 𝑠′ ∈ 𝑅′
Hiding function 𝓡𝒂𝒄𝒕 :

For 𝑎𝑐𝑡 ⊆ 𝐼 ∪ 𝑂,is a renaming function that maps each element
in act to 𝜏.
Network Grammars for Synchronous Models

Typical composition operator:

𝑀 ∥𝑖 𝑀′ = ℛ𝑎𝑐𝑡 ℛ𝑙𝑒𝑓𝑡 𝑀 ∥ ℛ𝑟𝑖𝑔ℎ𝑡 𝑀′
Network Grammars for Synchronous Models

Example

Describing more precisely the processes and the network
grammar that constructs rings with any number of processes.

P and Q identical, except that now: 𝐼 = 𝑔𝑒𝑡 − 𝑡𝑜𝑘𝑒𝑛 , O
= 𝑠𝑒𝑛𝑑 − 𝑡𝑜𝑘𝑒𝑛 .

Derivation rules:
Network Grammars for Synchronous Models

Applying this rule results in a network with one terminal Q
and one nonterminal A, connected as a ring.
Network Grammars for Synchronous Models

∥2 is defined as:
Outline

Introduction


Definitions







Verification of parameterized systems
Labeled transition system
Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion
Conclusion





Described the verification problem of parameterized
systems.
Defined network grammars, LTSs , and abstraction of
LTSs.
Specifying state properties using regular languages.
The method requires a monotonic grammar.
To apply the method we must find representatives that
satisfy the monotonicity property


Might be done automatically using the unfolding heuristics.
Presented synchronous model of computation that has
the required properties by the verification method.