Model checking with Message Sequence Charts
Doron Peled
Collaborators: R. Alur, E. Gunter, G. Holzmann, A. Muscholl, Z. Su
Department of Computer Science, University of Warwick
MSCs
An ITU standard notation (Z.120) with visual and textual forms. Specifies the behaviors of communication protocols. Existing algorithms and tools.
MSC visual notation
(figure: process lines P1, P2, P3 with messages M1 to M6 drawn between them)
MSC Textual form

    msc MSC;
    inst P1: process Root, P2: process Root, P3: process Root;
    instance P1;
      out M1 to P2;
      in M5 from P2;
      in M6 from P3;
    endinstance;
    instance P2;
      in M1 from P1;
      out M2 to P3;
      out M3 to P3;
      in M4 from P3;
      out M5 to P1;
    endinstance;
    instance P3;
      in M2 from P2;
      in M3 from P2;
      out M4 to P2;
      out M6 to P1;
    endinstance;
    endmsc;
Partial order semantics
(figure: the same chart with the send (s) and receive (r) of each of M1 to M6 shown as an event on its process line)
HMSCs
(figure: an HMSC graph with nodes A, B, C, D, each node holding an MSC over P1, P2, P3; the MSCs are connect, approve, fail, req_service, report)
An execution: infinite or maximal.
Execution: ACACD.
Visual semantics
Sends before corresponding receives.
Events on the same process line execute in order of appearance, from top to bottom.
Visual order (wysiwyg)
If some event (send, receive) is higher on the line than another, it comes first.
Sends precede matching receives.
Causal Order and Races
•Sends before matching receive.
•A receive or a send before any later send of the same process.
•Two receives on the same process of messages sent from the same process (FIFO).
Races: check whether every pair of events ordered by the visual order appears in the transitive closure of the causal order.
Races
(figure: the example chart M1 to M6 over P1, P2, P3, with its visual order and its causal order shown side by side)
Finding races:
Rules: order between
- a receive and a later send;
- two sends from the same process;
- a send and its corresponding receive;
- FIFO order.
Causal Order
(figure: the causal order over the send and receive events of M1 to M6)
Calculating the transitive closure
Structure (E, R). E: events, R ⊆ E × E. R*: the transitive closure, defined as follows: a R* b if there is a sequence x1 x2 … xn where a = x1, b = xn, and xi R xi+1 for 1 ≤ i < n.
Complexity: cubic. In our case: quadratic (every event has 1 or 2 successors).
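The race check of the previous slides, carried through on the example chart: this is an added example, not the authors' analyzer. It parses the subset of the Z.120 textual form used on the slides (the parser's statement handling is an assumption), builds the visual order and the causal order from the rules above, takes the transitive closure of the causal order by depth-first search, and reports every immediate visual constraint that the closure does not contain. The event names s:M1, r:M1 and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the example MSC from the slides in Z.120 textual form.
MSC_TEXT = """
msc MSC;
inst P1: process Root, P2: process Root, P3: process Root;
instance P1; out M1 to P2; in M5 from P2; in M6 from P3; endinstance;
instance P2; in M1 from P1; out M2 to P3; out M3 to P3; in M4 from P3;
             out M5 to P1; endinstance;
instance P3; in M2 from P2; in M3 from P2; out M4 to P2; out M6 to P1; endinstance;
endmsc;
"""

def parse_msc(text):
    """Return {process: [(kind, message, peer), ...]} in top-to-bottom order,
    kind being 's' for a send and 'r' for a receive.  Only the statements
    that appear on the slides are handled (assumption of this example)."""
    lines = defaultdict(list)
    current = None
    for stmt in (s.strip() for s in text.split(";")):
        if m := re.fullmatch(r"instance\s+(\w+)", stmt):
            current = m.group(1)
        elif m := re.fullmatch(r"out\s+(\w+)\s+to\s+(\w+)", stmt):
            lines[current].append(("s", m.group(1), m.group(2)))
        elif m := re.fullmatch(r"in\s+(\w+)\s+from\s+(\w+)", stmt):
            lines[current].append(("r", m.group(1), m.group(2)))
        elif stmt == "endinstance":
            current = None
    return dict(lines)

def visual_order(lines):
    """Immediate wysiwyg constraints: each event precedes the one below it on
    the same process line, and each send precedes its matching receive."""
    edges = set()
    for evs in lines.values():
        ids = [f"{k}:{m}" for k, m, _ in evs]
        edges.update(zip(ids, ids[1:]))
        edges.update((f"s:{m}", f"r:{m}") for k, m, _ in evs if k == "s")
    return edges

def causal_order(lines):
    """Constraints the protocol really enforces (the rules on the slides):
    a send precedes its receive; a receive or a send precedes every later
    send of the same process; two receives on one process from the same
    sender keep their order (FIFO).  A send or receive followed by a later
    receive on the same process is NOT ordered: that is where races hide."""
    edges = set()
    for evs in lines.values():
        for i, (k1, m1, peer1) in enumerate(evs):
            if k1 == "s":
                edges.add((f"s:{m1}", f"r:{m1}"))
            for k2, m2, peer2 in evs[i + 1:]:
                if k2 == "s":
                    edges.add((f"{k1}:{m1}", f"s:{m2}"))
                elif k1 == "r" and peer1 == peer2:
                    edges.add((f"r:{m1}", f"r:{m2}"))
    return edges

def transitive_closure(edges):
    """R* by a DFS from every event.  Cubic in general, quadratic here since
    each event has at most two immediate successors."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    closure = set()
    for start in list(succ):
        seen, stack = set(), [start]
        while stack:
            for y in succ[stack.pop()]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        closure.update((start, y) for y in seen)
    return closure

def find_races(lines):
    """Immediate visual constraints missing from the causal closure.  Checking
    the immediate pairs suffices: a longer visual chain can only be missing
    from the closure if one of its links is."""
    causal = transitive_closure(causal_order(lines))
    return sorted(p for p in visual_order(lines) if p not in causal)

if __name__ == "__main__":
    for a, b in find_races(parse_msc(MSC_TEXT)):
        print(f"race: the chart shows {a} before {b}, but nothing enforces it")
```

On the example chart the only race is between the two receives on P1: the chart draws M5 arriving before M6, but M6 is sent by P3 with no causal path from the receive of M5, so an implementation may see them in either order.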
Can also deal with time
(figure: P1 and P2 exchanging messages annotated with the time intervals [2,4], [3,5], [2,3], [7,10])
Use time difference matrices.
Races in HMSCs. Definition
For each execution Ex of an HMSC M, define the linearizations according to the visual order, linvis(Ex), and the linearizations according to the causal order, lincaus(Ex). Extend to all executions: linvis(M) and lincaus(M).
Always linvis(Ex) ⊆ lincaus(Ex). Races: when linvis(Ex) ≠ lincaus(Ex).
Mazurkiewicz Traces
Alphabet {a,b,c}. Independence: a I b, b I c.
Equivalence classes of words (denoted using representatives): [aabb] = [abba].
Regular trace language: can be defined using concatenation, star, union, intersection.
Note: [ab]* is not recognizable (by automata).
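An added example (not from the slides) that makes the equivalence class concrete: it computes the Cartier-Foata normal form of a word under the independence relation a I b, b I c from the slide, so two words denote the same trace exactly when their normal forms agree. The independence set and the function names are this example's own assumptions; the construction generalizes to any symmetric independence relation.

```python
# Constructed independence relation from the slide: a I b and b I c.  a and c
# are dependent, and every letter depends on itself.
INDEPENDENT = {frozenset("ab"), frozenset("bc")}

def independent(x, y):
    """Symmetric independence; frozenset({x}) for x == y is never in the set."""
    return frozenset((x, y)) in INDEPENDENT

def foata_normal_form(word, independent=independent):
    """Cartier-Foata normal form: cut the word into maximal steps of pairwise
    independent letters.  Each letter goes into the step right after the last
    step holding a letter it depends on, so commuting independent neighbours
    never changes the result."""
    steps = []
    for x in word:
        last_dep = -1
        for i in range(len(steps) - 1, -1, -1):
            if any(not independent(x, y) for y in steps[i]):
                last_dep = i
                break
        if last_dep + 1 == len(steps):
            steps.append([x])
        else:
            steps[last_dep + 1].append(x)
    # letters inside a step are pairwise independent, so sorting is harmless
    return tuple("".join(sorted(s)) for s in steps)

def trace_equivalent(u, v, independent=independent):
    """Two words are in the same trace iff their normal forms coincide."""
    return foata_normal_form(u, independent) == foata_normal_form(v, independent)

if __name__ == "__main__":
    print(foata_normal_form("aabb"), foata_normal_form("abba"))  # both ('ab', 'ab')
    print(trace_equivalent("ac", "ca"))  # False: a and c are dependent
```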
Visual concatenation
(figure: two MSCs over P1, P2, P3 placed one below the other, and the HMSC with nodes A, B, C, D holding connect, approve, fail, req_service, report)
Execution: concatenation of a maximal path in the HMSC.
Other problems… Global decision
(figure: two MSCs M1 and M2, each over P1 and P2; M1 + M2 = ?)
What if one process starts to behave according to M1 and the other according to M2?
Races for HMSCs: Undecidable [MP99]
Translate to the language theory of traces, which are closed w.r.t. commuting certain pairs of letters.
Intuition: moving from the visual to the causal semantics introduces more commutations: two receives on the same process line (from different processes) are dependent under the visual order and independent under the causal order.
Reduction to universality of trace languages (things are independent with the causal semantics).
(figure: a language L flanked by independent letters on either side)
Model checking
Write both specification and system as HMSCs. Do concatenation.
Write specification in LTL. Interpret over the linearizations of the partial orders.
In both cases: undecidable.
Post Correspondence Problem
List of pairs: w1: (aab, aa), w2: (aba, ab), … wn: (a, bb). Want to find whether there is a sequence of indexes i1, i2, …, ik such that concatenating the left-hand words and concatenating the right-hand words gives the same word.
Suppose we take indexes 1, 2, n, 1. We get:
left-hand: aab aba a aab; right-hand: aa ab bb aa.
PCP reduction
(figure: an HMSC over processes P1 to P6 encoding a PCP instance with pairs such as (aab,bb), (ab,bab), ...; the words w1, w2 are checked by a word match and by a letter match over the letters a, b, ab, bab)
Some solutions: obtain decidability under the following condition [MP99,AY99]: every HMSC cycle covers a strongly connected component of the communication graph. An edge exists from a process Pi to a process Pj if there is a communication from Pi to Pj.
The specification HMSC allows any additional gaps [MPS98].
Put a limit on message queues [Holzmann].
Problem with describing protocols
(figure, shown over several animation steps: a finite-state protocol between P1 and P2 with states s1, s2, s3, t1, t2 and transitions P1:snd, P1:rcv, P2:snd, P2:rcv)
Solution: Compositional HMSCs
(figure: CHMSC nodes over P1 and P2, where a node may contain a send without its receive or a receive without its send)
Even emptiness is undecidable!
(E1+E2+…+Em)+ (G1+G2+…+Gm)+ F
(figure: nodes E3, G2 and F carrying the letters a, b of the words w2, w3)
Left closed CHMSCs
Does not allow an unmatched receive event that is not matched by a previous unmatched send.
A CHMSC is realizable if every path is matched.
Can be checked in polynomial time using a nondeterministic stack machine.
How to check for realizability?
What can go wrong?
1. More unmatched receives than sends.
2. The kth unmatched send before a matched pair, the kth receive after.
3. The kth unmatched send has name C, the kth unmatched receive has name D.
How to check with a stack machine for each pair of processes?
1+2: Push a £ for each unmatched send, pop a £ for each unmatched receive.
3: Guess that it's a name mismatch upon seeing an unmatched send. Ignore further sends. Pop £ as usual for receives, until the corresponding receive occurs.
Now we can translate finite state protocols to CHMSCs
Any finite state protocol can be translated.
Trivial translation: any transition in the finite state graph makes one CHMSC node, with possibly an unmatched message.
This does not give more information than the finite state graph.
Try to optimize: take some paths.
Break the graph into cycle-free paths (e.g., using DFS and back arrows).
Use partial order reduction (sleep sets) to minimize the number of paths.
The logic TLC [APP] over MSCs.
Label events with propositions.
Nexttime: O p
¬O ¬p
(figure: the example chart M1 to M6 over P1, P2, P3 with events labelled p, showing where O p and ¬O ¬p hold)
O p
(figure: the example chart with p-labelled events)
Until: p U q
(figure: the example chart with p- and q-labelled events)
true U q = <>q
¬(true U ¬p) = []p
(figure: the example chart with every event labelled p)
Some specifications
[](req --> <>ack): every request is followed by an acknowledge.
¬<>(transA /\ <>(transB /\ <>transA)): transaction B cannot interfere with transaction A.
[](beginA --> O(transA U finishA)): the execution of transaction A is not interrupted by any other event.
HMSC linearizations
(figure: the HMSC with connect, approve, fail, report, req_service and its linearizations)
Intuition behind algorithm for O p
(figure: the example chart M1 to M6 with its events numbered 1 to 12 in linearization order)
Automaton with 2 successor relations.
There are two cases:
- p holds for the matching receive. Then use the 2nd successor relation.
- p holds for the successor in the process. Then wait to see an event of the same process.
Intersect:
- System automaton (linearizations)
- Property automaton (of ¬prop)
Overview
(diagram relating MSC, HMSC, bounded HMSC, CHMSC and realizable CHMSC; annotations: MSC: finite, one scenario; HMSC: cannot express the behavior of some protocols, undecidable linear model checking, partial order model checking, finding races; bounded HMSC: connected communication; CHMSC: emptiness undecidable; realizable CHMSC: checking realizability)
Conclusions
Visual notation has advantages over textual representation.
MSCs are a standard for describing concurrent interactions.
MSCs are based on partial order semantics.
MSCs raise many interesting research problems, e.g., race conditions.
Model checking for MSCs is undecidable [GP,AY].
TLC model checking is based on partial order semantics and is decidable.
Some extensions to the MSC standard are useful, e.g., CHMSCs, LSCs.