A Structural Linearization Principle for Processes - CiteSeerX

Download PDF
Comment
Report 0 Downloads 66 Views
, , 1{18 ()

c Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

A Structural Linearization Principle for Processes* ROBERT P. KURSHAN MICHAEL MERRITT AT&T Bell Labs, Murray Hill, NJ 07974, USA ARIEL ORDA Dept. of Electrical Engineering, Technion, Haifa 32000, Israel

[email protected] [email protected] [email protected]

SONIA R. SACHS [email protected] Dept. of Elec. Eng. and CS, U. C. Berkeley, Berkeley, CA 94720, USA

Abstract. In [11], an induction principle for processes was given which allows one to apply modelchecking techniques to parameterized families of processes. A limitation of the induction principle is that it does not apply to the case in which one process depends directly upon a parameterized number of processes, which grows without bound. This would seem to preclude its application to families of processes interconnected in a star topology. Nonetheless, we show that if the dependency can be computed incrementally, then the direct dependency upon the parameterized number of processes may be re-expressed recursively in terms of a linear cascade of processes, yielding in e ect a \linearization" of the inter-process dependencies and allowing the induction principle to apply. N

Keywords: Automatic veri cation, distributed algorithms, induction, invariant, linearization, model checking, star topology.

1. Introduction Distributed multi-processor systems often are speci ed as consisting of a nite but unbounded number of components. In verifying such a speci cation we aim at showing that it performs a certain task regardless of the actual ( nite) number of components. Nevertheless, automatic veri cation systems (e.g., Cospan [5]) cannot directly handle such veri cation problems, since these systems apply only to a bounded state space. Thus in general, such systems do not permit quanti cation over the number of processes. A common approach is to test the speci cation for every required number of components, up to the largest computationally feasible number; however, as the number of states in a nite state system tends to increase geometrically with the number of components, this approach usually is intractable. A number of authors have dealt with this problem. For example, Browne, Clarke and Grumberg[2] introduced a method which uses an indexed form of branchingtime temporal logic, applicable to families of processes in case the next-time operator is removed from the logic and process quanti ers are not nested (so global * A previous version of this paper appears in the Proceedings of CAV 1993 (LNCS 697).

2

properties of the system cannot be stated). A method due to German and Sistla[4] applies to a linear-time temporal logic (again, without the next-time operator). Although they can verify global properties, their decision algorithm is doubly exponential in the process size. Shtadler and Grumberg[15] propose a method which requires the user to formulate a \network grammar" by which processes may be recursively de ned. They also exclude the next-time operator from their logic. A solution approach to the above was presented in [11]: an Induction Principle for processes was given which allows one to apply model-checking techniques to parameterized families of processes. With the Induction Principle, one can infer properties of systems of unbounded size through an automatic veri cation of a system of xed (and hopefully small) size. For example, to verify that each of N distinct processors connected to a bus has some property, it may be enough to verify that property on one processor, the bus and an invariant on the bus, which captures what is needed from the other processes. Thus, the Induction Principle is based on providing an \invariant" process that carries out the inductive step. Obviously, the invariant cannot depend on the actual size of the system. In e ect, the invariant encapsulates that part of the system's logic that would enable a \hand-written" inductive proof. This veri cation process applies to any !-regular property, (including global properties), and once an invariant is found, the complexity of the veri cation step is linear in the size of the process and of the invariant. A limitation of the Induction Principle is that it does not apply to the case in which the unencapsulated process depends directly upon a parameterized number of processes, which grows without bound. This is the case, for example, with a star topology, in which a \hub" talks with each other component of the system; as the system grows, the hub has to deal with an ever larger number of components, meaning that its representation per se depends on the system size. If we are required to verify a property of the hub itself, we may not be able to encapsulate it within an invariant. This would seem to preclude application of the Induction Principle. In fact, such a limitation may seem natural, as in a star topology, it is the \role" of the hub to accumulate information from the other N components; thus no invariant independent of this number may exist, as required for the Induction Principle to apply. However, if the \bandwidth" at the hub is limited, in the sense that it does not need to process an arbitrarily large amount of input data, there is a way out. In this paper we show that if the direct dependency of the hub (or of a xed number of such processes) upon a parameterized number of processes can be computed incrementally, with the size of each incremental computation xed, as a function of the parameter N, then this dependency may be re-expressed recursively in terms of a linear cascade of processes, yielding in e ect a \linearization" of the interprocess dependencies (linear in the sense of a cascade or shift register), allowing the Induction Principle to apply: the \tail" of the cascade becomes part of the invariant, while the \head" provides the data needed for the veri cation.

3

Throughout the paper we depict the problem and its solution through an example of a distributed \doorway" algorithm for a star-like topology [1]. The paper is structured as follows. In Section 2 we give an overview of the doorway algorithm and informally discuss the apparent problem of applying the Induction Principle, as well as the key idea behind the solution through linearization. In Section 3 we treat the Linearization Principle within a formal framework, and prove its validity. We also discuss the automatic implementation of this Principle. In Section 4 we show in a precise way how the Induction Principle applies to the doorway algorithm.

2. Doorway Algorithm Example The Linearization Principle is illustrated by a distributed algorithm whose interconnectivity has a star topology. In this section we present the algorithm and describe the problems encountered with its formal veri cation; then, we outline the solution to these problems, which is based on the Linearization Principle presented in this paper.

2.1. The Doorway Algorithm In [1] several algorithms are presented for handling faulty shared memory. One of these is the Doorway algorithm described here. The doorway algorithm consists of test-and-set (test&set) operations performed by N processes (P 1    P N ) each reading and writing in four test&set registers, one of which may be faulty. The reader is referred to [1] for a full description of a test&set register operation. For the purposes of this paper, the following concise description suces. A process P i (i = 1;    ; n) interacts with a test&set register by presenting to it a test&set request. The process is guaranteed to get a win or lose response within nite time (even if the register is faulty). The response of a nonfaulty register to its rst process request must be win, and all subsequent responses must be lose. A faulty register, on the other hand, may produce any sequence of win-lose responses. It is assumed that a register (either faulty or nonfaulty) with one or more pending requests gives at most one response at any given time, which is forwarded to one of the processes that have presented a test&set request to it. (Ultimately, it will give a response to each such process.) It is assumed furthermore that a process makes at most one test&set request to a test&set register. In the interest of simplicity, the generalization [1] from this one-time use doorway to a multiuse doorway is not addressed here. The goal of the Doorway algorithm is to select either one or two processes out of the list of (at most) N processes that present test&set requests. The identity of this one or two processes is later forwarded to a second algorithm (not discussed in this paper), which chooses exactly one process as a nal winner.

4

The Doorway algorithm for the rst selection, which we present here, is implemented by two \half-doorways" D1 and D2 , each consisting of a pair of test&set registers. At most one of these four test&set registers may be faulty. For simplicity, it also can be assumed that, at any given time, at most one register produces a win/lose response. (However, it is possible to adapt all that follows to the more general case where such an assumption is not made [12].) The Doorway algorithm works as follows. A process that wants to pass through the doorway presents a test&set request to each of the two registers (in succession) of the rst half-doorway D1 . If the process gets a win response from at least one of these two registers, it moves on to the second half-doorway D2 ; otherwise, the process declares itself as a \loser" of the doorway. A process moving to D2 presents a test&set request to its two registers. If the process gets a win response from at least one of these two registers, it declares itself as a \winner" of the doorway; otherwise, the process declares itself as a \loser". We may simplify the model by associating the two requests of a process to the respective registers of a half-doorway with a single abstract request to the half-doorway, the abstract request occurring at the time of the second register request. (This abstraction has been formalized and veri ed.) Henceforth, we refer to the events pertaining to the registers of each half-doorway in terms of this abstraction. The task of the Doorway algorithm which we wish to verify is stated as follows: if there is some test&set request from some process P i (i = 1; 2;    ; n) then eventually at least one and at most two processes among those that have requested, declare themselves as winners of the doorway, whereas all others that have requested, declare themselves as losers of the doorway.

2.2. The Doorway Problem and its Solution Given a speci c and suciently small value for the number of processes N, a formal veri cation tool such as Cospan [5] could be used to verify that the Doorway algorithm performs its task (the reader is referred to [12] for a detailed discussion applying Cospan to test&set algorithms). However, generally one wants to verify this for any nite number N, and in particular for values of N larger than what is feasible directly. One cannot hope to apply the Induction Principle of [11] directly, as discussed in the previous section, since the Doorway algorithm has a star topology. We now give a somewhat more detailed description of the Doorway algorithm \architecture", depicted in Figure 1. The two \half-doorway" processes D1 and D2 produce \win" and \lose" signals. The N processes P i (i = 1; 2;    ; N) may present test&set requests to each of the two half-doorways, according to the already-stated rules relating to the win/lose signals received from the half-doorways. With regard to the atomic test&set operation, the assumption of atomicity requires arbitration in case of proximate requests, and the order of proximate requests is not assumed to be preserved by the test&set operation. We model this arbitration by a nondeterministic, fair global \selector" S which selects the destination addressees among

5

those of the requesting processes, for each half-doorway response. (Here, fair means that any [continuously] requesting process eventually is selected.) This mechanism allows requests and win/lose responses to cross in time. The response of the j-th half-doorway to the i-th process is registered in a \global" variable Xij (global in the sense of being associated with the global selector S). to P 1

6

X11

D1



REQ 1

to P N

ccc 6

-

WIN,LOSE

6

XN1

REQ 1 , REQ 2

1



REQ 1 , REQ 2

N

S

D2



REQ 2

-

WIN,LOSE

X12

?1

to P

c c?c

 P  c c c  .P 



XN2

?

to P N

Figure 1. Doorway as Star Topology

The problem here of the star topology lies in the intrinsic dependence of S on the number N. For example, the selector S should communicate explicitly with each of P 1;    ; P N , and thus its speci cation depends upon the parameter N. We seek a transformation of this system to one in which there is no dependency of any single process on N. The transformation for the Doorway algorithm is depicted in Figure 2, which describes a linearization of the original star topology of Figure 1. Figure 2 illustrates how the dependency of S upon the parameter N is transformed into a cascade of xed-size components, each depending on a xed number of parameters, for all N. The selector function is distributed among N binary variables S i , each locally assigned in an \envelope" E i of process P i. Each S i holds a value which de nes whether or not P i is selected. In order to have a globally legal selection, we must rule out the possibility that more than one process P i is selected at any time. This is accomplished by propagating the values of the S i 's backwards, from S N up to S 1 . The propagation is performed through auxiliary variables Spi in the respective

6

envelopes E i ; the value of Spi depends upon that of S i and Spi+1 . The role of Spi is to report whether there were 0, 1 or more set bits in the range S i ;    ; S N . Thus, the legal cases are those for which Sp1  1. We eliminate the forbidden cases through an automaton acceptance condition de ned in a \KILL" structure, which eliminates all cases in which Sp1 > 1. (Any structures which de ne acceptance conditions must be linear as well, in order to apply the Induction Principle.) The reason this construction works is that the propagated signal is of bounded range, and thus independent of N. Note the intrinsic dependence of this construction on having an automata-theoretic semantics (in order to eliminate forbidden cases).

6 D1

 Sp1

KILL

h  S c c c S h  S c cc 6 ? S6 ? S ?  c c c   ?  c c c P P   6 6 2 p

+

X1

1

1

D2

?

-

WIN , LOSE

X2

6

i p

i+1 p

+

X1

i

i

E1

X2

6

Ei

WIN , LOSE

-

Figure 2. Doorway as Linear Topology: selector and X var's

Figure 2 also shows how the global variables Xij get transformed into local variables Xj of the envelope E i. In a similar way (not shown in Figure 2) requests from all the processes can be accumulated recursively and presented to the corresponding half-doorway through a cascade of bounded-range signals. The outcome of this linearization is a representation that can be accommodated within the Induction Principle. The above illustration suggests the properties of the Doorway algorithm that facilitate its linearization: the ability to distinguish the legal and illegal values of a recursively de ned distributed selector, with a test which is independent of N. In the following section we formally present the Linearization Principle and the criteria needed to apply it.

3. Linearization Principle We give a sucient condition for an arbitrary system of processes (de ned in Section 3.1), each parametrized by a single parameter N, to be transformed into another \linearized" system with the same behavior. The new system has a linear topology,

7

in the sense of a cascade or shift register. The sucient condition implies that all dependencies which grow as a function of N may be replaced by dependencies which are bounded in N, through a recursive construction, which serves to \ atten" a star topology dependency into a linear topology, as in the transformation from Figure 1 to Figure 2 in Section 2.

3.1. Process Systems The concept of nite-state \process" is common to many models of coordination. The Linearization Principle presented here applies to many of these models. We characterize process (de ned precisely below) in terms of variables. This characterization is equivalent to the characterization in terms of Boolean algebra [8] used to support the development of homomorphic reduction. The characterization in terms of variables is less abstract than many process models, containing details at an \implementational" level, as required for our development of the Linearization Principle. Transformation of the Linearization Principle to other process characterizations, such as those in terms of Boolean algebra [8], traces [3], [6], [14], [13] or synchronization primitives [7] appears to be straightforward, however, either by encoding those characterizations within this one, or by re-casting the linearization Principle directly within the chosen framework. We allow all process constructs to be parameterized by an integer index. For the system of processes S(N), N is the parameter. For a given value of N, each system b of processes S(N) gives rise to a single process S(N), the parallel composition of the b processes in S(N). Thus, S(N) de nes an in nite family of ( nite state) processes b b S(1); S(2);   . The motive for applying the Linearization Principle is to support b computer-aided veri cation of S(N) for all N, through application of the Induction Principle [11]. Veri cation always is with respect to a property or \speci cation" de ned by some additional process, which is independent of N. Veri cation of b S(N) with respect to the property or speci cation de ned by T consists of the language-containment test b L(S(N))  L(T) for an appropriate de nition of language, de ned below. While for each N this is a nite test, and for suciently small N, the test may be performed on a computer through exhaustive search, to check this for all N requires an in nite test. Under certain conditions, the Induction Principle allows this in nite test to be reduced to a nite test. The Linearization Principle given here broadens those conditions, by providing a transformation from a broader class of processes to the class in which the Induction Principle applies. The foregoing motivates the following de nitions. De nition. A process is a function P : V  Dk ! 2V  (2D )k

8

for some nite sets V = V (P) (the process states) and D (the domain of the process variables, which are de ned below), and integer k, subject to the following: writing P(x) = (P0(x); :::; Pk(x)) for x = (x0; :::; xk), with x0 2 V and xi 2 D for i > 0, it holds that P0 (x) 2 2V and Pi (x) 2 2D for i > 0, and either Pi (x) = fxig or Pi is independent 1 of xj for all j  i. We say x0 is the state of P, P0(x) is the state transition relation of P and x1;    ; xk are the (combinational) variables of P. We de ne the number of variables of P to be k(P) = k. The range of P is 2V  (2D )k , rather than simply V  Dk , in order to support non-deterministic state transitions and variable assignments. k V D (We could have de ned the range more generally to be 2  2 , thus allowing non-deterministic assignment of variables to be coupled. However, this would not increase expressiveness, as coupled nondeterministic assignment may be expressed in terms of an auxiliary variable which indices the couplings; for simplicity we disallow them.) Often we will abuse notation and write a value in place of the singleton set containing that value. Thus, for example, we may write Pi(x) = xi to mean Pi(x) = fxig. When Pi(x) = xi , xi (or Pi ) is called an input to P, serving as a place-holder into which we may \plug" a variable of another process; otherwise xi (and Pi) is called an output of P. Let bk(P) denote the number of outputs of P. If b k(P) = k(P), P is said to be closed. The de nition of the language L(P) of the process P is based upon successions of states (successive values of x0), denoting a run of process P, each succession starting with a state in a given set of initial states I  V , such that for each pair of consecutive states v; w in the given succession, there exists some variable assignment x = (v; x1; :::; xk) with w 2 P0(x) and xi 2 Pi(x) for all i > 0. (This makes sense on account of the variable independence assumptions.) Thus, w is a next-state determined by the evaluation P(x). L(P) is the set of sequences or strings t of successive values ti of the vector (xm ; : : :; xk ) for some once and for all xed m, each such sequence corresponding to a process run. The variables x1; : : :; xm?1 (which may be inputs or outputs) are internal variables, not represented in L(P); noninternal variables are termed observable. (Restricting observability to a sux does not sacri ce expressiveness, as any variable may be copied to the sux.) Note that the de nition of L(P) is implicitly related to the set I of initial states, and to a given set of observable variables. Thus, there can be processes P and Q with di erent variable domains but with corresponding sets of observable variables, such that L(P) = L(Q). Also, note that the above de nition of a language does not consider acceptance conditions, i.e., it applies to state machines rather than to automata. For simplicity, we omit from our presentation

9

a precise discussion of automaton acceptance conditions (which are vital for the full power of the theory). We trust the reader can extend this presentation to automaton acceptance conditions as well. Example 1

a) De ne the process P(x) with k(P) = 3 and V (P) = D = f0; : : :; 232 ? 1g for x = (x0 ; x1; x2; x3) by

P0(x) P1(x) P2(x) P3(x)

= = = =

x1x2 + (1 ? x1)x0 ; f0; 1g ; x2 ; x0 :

This process has a \control" variable x1 which nondeterministically assumes the values 0 or 1. If x1 = 1, P assigns the value of its input x2 as its next state; otherwise its state remains unchanged. The process copies the value of its current state to its output x3. The states v; w are consecutive if for x1 = 0 or x1 = 1 and some x2,

w = P0(v; x1 ; x2; v) = x1x2 + (1 ? x1)v : (Thus, every pair of states v; w are consecutive.) If x1 is taken to be internal, then L(P) consists of successions of pairs (ai ; bi) where bi+1 = ai or bi+1 = bi. b) Let Q(x) be the process with k(Q) = 3 and V (Q) = D as above, de ned by

Q0(x) Q1(x) Q2(x) Q3(x)

= = = =

x 0 + x 1 x2 ; x1 ; x2 ; x0 : (Say, arithmetic is modulo 232.) This process takes the product of inputs x1 ; x2 and adds that to its current state x0 , whose value it produces in output x3 . The states v; w are consecutive if for some x1 , x2 w = Q0(v; x1 ; x2; v) = v + x1 x2 : If x1 is taken to be internal, then L(Q) consists of successions of pairs (ai; bi ) where ai is arbitrary and bi+1 = bi + ciai for some ci  0.

De nition. A process system is a nite set of processes S = fP 1; :::; P M g sharing a

common set of states, V (S), and a common variables domain, say D. The variables of S are the (non-state) variables of the processes in S. A parallel composition b = V (S)M , variables of the system of processes S is a process Sb with states V (S) i i b  M domain D and M i=1 k(P ) variables, subject to the following: i=1 bk(P )  k(S) b for k = k(S) and y = (v; y1 ; :::; yk), where v = (v1 ; :::; vM ) 2 V (S)M , and for

10

some k(P i)-dimensional vector Yi whose components are (not necessarily unique) elements of the set y1 ; :::; yk, i = 1; :::; M,it is required that for each l, l = 0; 1;    ; k: Sbl (y) = Pnj (vj ; Yj ) (1) for some j; n > 0 (i.e., each variable of Sb is a variable of S); furthermore, it is required that, for Yjs = ym (i.e., ym is the s-th component of Yj ), either Psj is an input to P j (Psj (x) = xs ) or Sbm (y) = Psj (vj ; Yj ) (i.e., ym is in fact the s-th variable of P j ); nally, it is required that for each output Pnj of S there is a unique l for which (1) holds, and the state transition relation Sb0 of Sb satis es Sb0 (y) = P01(v1 ; Y1)      P0M (vM ; YM ) (2) (where  denotes Cartesian product), provided yi 2 Sbi (y) (3) for all i > 0. If (1) holds, and for some m; s, Yms = yi , then, for s < t, we say Ptm depends upon Pnj if Ptm (x) depends upon xs. Thus, the variables of Sb are the variables of S (or, more precisely, each component b Si of Sb (i > 0) is equal to a (non-state) component of some P j , evaluated on a b Since Sb is a process, these variables must moreover subset of the arguments of S). satisfy the independence assumption for processes. The association (1) de nes the interconnectivity of the processes in S: if yl is a component of Ym and m 6= j, then P m takes as \input" the n-th variable of P j . In this case, the output yl of the parallel composition Sb is internal i both Pnj and the corresponding input of P m b are internal. (Unsubstituted inputs retain their character{ internal or not{ in S.) Example 2 Let S = fP; Qg, where P and Q are taken from example 1. We may

de ne a parallel composition Sb of P and Q as follows. In this composition we de ne a closed process (no inputs) in which the following output-input match is made:

Sb y1 : y2 : y3 :

output ! input

P 1 ! Q1 P 3 ! Q2 Q3 ! P 2 Thus, for y = ((v; w); y1 ; y2; y3 ), y0 = Sb0 (y) = (P0 (v; y1 ; y3; y2 ); Q0(w; y1; y2 ; y3)) = = (y1 y3 + (1 ? y1 )v; w + y1 y2 ) y1 = Sb1 (y) = P1 (v; y1 ; y3; y2 ) = f0; 1g y2 = Sb2 (y) = P3 (v; y1 ; y3; y2 ) = v y3 = Sb3 (y) = Q3 (w; y1; y2 ; y3) = w:

11 b consists of successions of pairs (ai ; bi) of values Since y1 = P1 is internal, L(S) of (y2 ; y3), where ai+1 = bi and bi+1 = ai + bi or ai+1 = ai and bi+1 = bi . If each succession is initialized at v = 1, w = 1, then (until bi rst surpasses 232) b consists of Fibonacci pairs \computed asynchronously" (i.e., with arbitrary L(S) repetitions).

The concept of \parallel composition" described above supports both the \synchronous product" illustrated in example 2, and \interleaving": the parallel composition is interleaving provided for each component in (2), P0i(vi ;   ) = vi for all but at most one value of i, when (3) is satis ed. (See [9] for details.) ^ of a parallel composition of a system of proWe need to relate the language L(S) 1 M cesses S = fP ;    ; P g, to the languages of the components: L(P i), i = 1;    ; M. For this purpose, we henceforth assume that the set of observable variables of S coincides with the set of observable variables of each P i. There is no loss of generality in this assumption, as we may add, as \dummy" inputs to P i, observable variables missing in its original list of observable variables. We assume that for each system of processes S = fP 1;    ; P M g, some (unique) parallel composition is de ned (although which speci c one, is not of interest here). Disregarding termination or acceptance semantics, it can be seen that a parallel composition satis es the Lanb = L(P 1) \    \ L(P M ). We also assume this is guage Intersection Property: L(S) supported by whatever termination or acceptance semantics which is adopted. The Language Intersection Property, in turn, gives a convenient means for reorganizing process systems: if S = fP 1; :::; P m; :::; P M g is a system of processes, then so are b P m+1 ; :::; P Mg, and under consistent substitution U = fP 1; :::; P mg and W = fU; b = L(W). c Through such a reorganization, one can of outputs for inputs (1), L(S) directly generalize those assertions of the Linearization Principle which apply to one process (see below), to several processes.

3.2. Linearization Let S(N) = fP 1;    ; P M g be a process system of M = M(N) processes, each parametrized by N. Thus, by varying N we get a family of process systems. The number of processes M, as a function of N, may be arbitrary.

De nition. An output variable x of a process parameterized by N is of bounded

computation if the number of variables upon which x depends, is bounded (as a

function of the parameter N).

De nition. A process system U(N) = fQ1; : : :; QM g, parametrized by N, is linear

if, for all i, k^(Qi ) = O(1), i.e., each k^(Qi ) is bounded as a function of N, and each output of Qi is of bounded computation. Say U(N) is a linearization of a parameterized system of processes S(N) = fP 1; :::; P M g if U(N) is linear and, for b b all N, L(S(N)) = L(U(N)). Say S(N) is linearizable if it admits of a linearization.

12

Note that if a parametrized process has a bounded number of outputs, each of bounded computation, then the output variables of that process depend collectively upon only a bounded number of inputs. (As already explained, a process may require an unbounded number of inputs, in order to render the respective languages of the processes of a system commensurate. However, this does not a ect the application of the Induction Principle.) De nition. A function f : Dn ! D is D-associative if there exist fi : D2 ! D (i = 1; : : :; n ? 1) such that, for zi = fi (xi ; zi+1 ), zn = xn , we have f(x) = z1 . Theorem 1 A process system S(N) = fP 1; : : :; P M g, whose variables have domain D, is linearizable if every output variable and the state of each P i (1  i  M ) is of bounded computation or is D-associative. Proof: Replace each variable which is D-associative with its corresponding set of zi 's, treated as internal variables, except possibly z1 (if the original D-associative variable is observable, so is z1). Every variable in the resulting system is of bounded computation. Partition output variables among newly created \combinatorial" (1state) processes as necessary (say, one per process), so as to result in a system in which every process has a number of output variables which is bounded in N. Finally, augment the list of variables of each process by \copying" all observable variables to the end of the list of variables of each process. Since before this step each process had only a bounded number of outputs, this number at most doubles as a result of this step, so each process continues to have a bounded number of variables. By construction, the resulting system is linear, and its observable variables retain their original values. We note that, although observable variables may correspond to di erent processes in the two systems, this does not a ect the languages, due to the Language Intersection Property. We thus conclude that the resulting system is a linearization of the original system. We note that the requirements of the theorem hold for many commonparametrized processes, such as the star-topology of the Doorway Algorithm. The associability requirement means that each variable of unbounded computation has some underlying regular structure. Although this requirement restricts the type of such computations, we note that such structure is common of many typical examples, in particular if there is some symmetry in the system of processes.

3.3. Mechanical Implementation There is a potential for algorithmic linearization of a process system which meets the conditions of the above theorem. Processes whose number of variables is parameterized on N may be identi ed syntactically. Thus, sucient syntactic conditions may be established to determine if the speci ed system meets the required conditions. If so, the construction of the theorem may be followed to give a linearization. It may be convenient to identify syntactically the reassigned variables with respective

13

\enveloping" processes (cf. Figure 2), for each of the system processes (cf. Section 4.1). Likewise, we may identify syntactically components of expressions which depend upon an unbounded number of variables, and attempt to replace each of these by new respective variables corresponding to the constructed recursion. In order to verify the associativity of variables which are not of bounded computation (identi ed syntactically, through the presence of the parameter N), it may be possible to use an interface to a theorem-prover (such as the interface described in [10]). Alternatively, commonly used (parametrized) associative expressions and their recursively de ned counterparts may be drawn from a pre-veri ed library.

4. Application to the Doorway Example In Section 2 we outlined the way in which the doorway algorithm is linearized. We now return to this example. A full speci cation of both the \star" and \linear" doorway algorithms, as well as a detailed description of the veri cation of the linear algorithm through Cospan [5], can be found in [12]. Due to its length and the necessity to address issues that are out of the scope of the present paper, such a detailed description is omitted here. Nonetheless, in order to keep the paper self-contained, we summarize the issues in the speci cation and veri cation of the Doorway algorithm that are germane to the linearization principle. We begin with a few preliminary remarks on veri cation of systems of processes through an automatic veri cation tool such as Cospan [5]. Modeling a system consists of de ning a system of processes as in Section 3. Undesirable process behavior can be removed by de ning sets of states which the process must eventually leave: these are given by automaton acceptance conditions. Non-determinism is used as an abstraction mechanism to model undetermined delay of a component in performing a given action. For instance, by allowing the variables of a half-doorway to be non-deterministically assigned values in the set f%, win, loseg, we model the assumption that each half-doorway may pause an arbitrary amount of time before producing a response (the token % denoting this pause). Non-determinism also is used to abstract the internal mechanisms of the half-doorways: we are only interested in their responses to the external system of processes, and not in how they actually decide to respond \win" or \lose". The \tasks" that a system is veri ed to perform are modeled as processes as well, as discussed in Section 3.

4.1. Speci cation of the Star Topology We proceed with a statement of the tasks that the doorway system is veri ed to perform: Task A If at least one process requests from the doorway, then there are either one or two processes that are nal winners of the doorway. Task B A process that has not requested cannot be a nal winner of the doorway.

14

Next, we outline the speci cation of the doorway in the star topology. The half-doorways Dl (l = 1; 2) produce win/lose signals according to the Doorway Algorithm. When a half-doorway is faulty, it may produce any sequence of such signals. Each half-doorway receives as input a corresponding signal which is the logical OR'ing of the requests of all processes to that half-doorway, i.e., the half-doorway is noti ed if there is some process requesting from it. The win/lose selections of a half-doorway Dl are recorded in the global variable Xij , where i is the current selection of the selector S (see below). Simple constructions using automata acceptance conditions prevent half-doorways from pausing forever. The selector S is a process that randomly selects a value in the range 1::N. A process P i, for i = 1    N, presents requests to each of the two half-doorways and gets win/lose responses through the Xij -variables. The sequence of requests that a process P i presents, as well as its nal \declaration" as a winner or loser, are according to the win/lose responses it gets, as speci ed by the Doorway Algorithm. A process acceptance condition (denoted by KILL in Figure 2) gets rid of forbidden events. A forbidden event is when a process gets a response from a half-doorway, although it is not requesting from that half-doorway. Task A is de ned by a process that follows the requests of processes P i and the win responses of the second half-doorway D2 , i.e., the responses that make a process be a nal winner. There are two forbidden states, both correspond to the condition that at least one process has presented a request. The rst forbidden state is when there are no win responses from D2 (i.e., no nal winner although there was a request); the second forbidden state is when D2 gives more than two win responses (note that, due to the KILL process, this corresponds to more than two nal winners). Task B is de ned as a state invariant which tests if there is a win response from D2 to some process Pi which has not requested yet. Such a state invariant is easily implemented by a 2-state process and an automaton acceptance condition.

4.2. Speci cation of the Linear Topology We now outline the speci cation of the doorway in the linear topology. The half-doorways Dl (l = 1; 2) are state-machines similar to those corresponding to the star topology, except for the following. A half-doorway in the linear topology does not look at the signals produced by each of the N processes P i; rather, the input that a half-doorway Dl gets is a signal R1l passed to it from the rst \envelope" process E 1 (see below). This signal indicates to Dl whether some process P i, i = 1;    N, is requesting from Dl . For each process P i we de ne an \envelope" process E i . The envelope E i contains the following entities:  The original process P i, which presents requests to each of the two half-doorways, gets win/lose responses through the X-variables (see below), according to the Doorway Algorithm.

15

 Local \win/lose" variables Xli (l = 1; 2), indicating whether P i has won or lost

in the half-doorway Dl .  A local \selector" process S i with a binary selection, which decides whether E i is choosing P i to be active at a given time.  A ternary \propagation variable" Spi , whose value describes whether there are 0, 1 or more processes in the range [1::N] choosing themselves (i.e., whose local selector is set).  A binary variable K i which is set when any of the processes E j in the range [i::N] selects itself and receives a response win or lose from a half-doorway Dl (l = 1; 2), even though it did not make a request to the responding half-doorway, resulting in the erroneous event that one P j in the range [i::N] might win or lose even though it is not requesting.  \Request propagation" variables Ril (l = 1; 2), indicating whether a process in the range [i::N] is requesting from the half-doorway Dl .  A binary variable Z i which is set when any of the processes E j in the range [i::N] is in the \initial" state (i.e., has not requested yet) but gets a \win" response from the second half-doorway (i.e., Xi2 = win). Note that the value of a \propagation" variable (Spi , Ril , K i , Z i ) depends on that of a local variable and on that of another propagation variable (e.g., Spi is determined by S i and, for i < N, also by Spi+1 ). The KILL process for the linear case amounts in \killing" the following events: K 1 = 1 and Sp1 6= 1; the rst kill is similar to the one killed also in the star topology; the second prevents the distributed selector to chose any other number of processes except that one. Task A is de ned by a process similar to that de ned for the star topology, except that it nds out that some process has requested not by directly looking at the variables of all N processes (as in the star topology), but rather by looking at the value of R11 alone. Task B is de ned by a process similar to that for the star topology, except that instead of looking at the states of all N processes (to see, for each process, whether it is still in the initial state), it gets the information it needs directly from the value of Z 1 , i.e.: if Z 1 is set then it means that some process got a win response from the second half-doorway although it has not requested yet; in such case, the state invariant is falsi ed.

4.3. Application of the Induction Principle Having speci ed the doorway system and its tasks, we proceed by stating the Induction Principle[11]. Let  be a partial order on processes (e.g., one induced by a language containment order); let be a composition operator on processes,

16

monotonic with respect to ; let  be a unary shift operator on processes, which distributes over and preserves the relation . We then have: Induction Principle Given two sets of processes, fp1;    ; pN g and fq1;    ; qN g, and an integer 1  m < N , such that for all m  i < N , pi+1 = (pi) and qi+1 = (qi ): if

mi=1 pi  qm

(4)

qm pm+1  qm+1

(5)

and then

Ni=1 pi  qN Thus, by proving two propositions about arrays of xed size m, we may draw a conclusion about an array of arbitrary size N. In particular, given a task T, qN  T implies Ni=1 pi  T, that is: in order to verify that the system Ni=1 pi performs task T it is sucient to verify that qN performs T. qi is called the process invariant. We now apply the Induction Principle to the linearized doorway example. Denote p0 = D1 D2 , pi = E i for 1  i  N. The linearized doorway system is given by: ^ = p0 ( Ni=1 pi ). S(N) We choose the following invariant, valid for i > 3: qi = p0 ( ik?=2i pk ) p^i?3 where p^i is a modi ed version of an arbitrary pi , as explained in the following. The variables of p^i are de ned exactly as in pi . A process p^i non-deterministically choses values for all of its variables. However, the values of the propagation variables are constrained as follows: Spi = 1 , S i = 1 Ril = 1 , (^pi :request = true) K i = 1 , (^pi :request = false)  ((X1i = win + lose) + (X2i = win + lose)) Z i = 1 , (^pi :state = initial)  (X2i = win) These imposed constraints prevent p^i from selecting values for the propagation variables which cause task T to fail. Notice that the invariant qi requires a reverse ordering of the pi ; i > 0 processes, in the sense that the doorway process p0 communicates with pi , which in turn communicates with pi?1, and so on, with p^i?3 being the last process of this communication sequence. The shift operation on the processes pi, p^i, is de ned as:

17

 for i = 0: (pi ) = pi ;  for 0 < i < N: (pi) = pi+1;  for 0 < i < N: (^pi) = p^i+1;

i.e.,  is an identity map for the doorway and maps all other processes to their

successors. The conditions for applying the Induction Principle are met, because the shift operator  distributes over , i.e., ( ki=1 pi) = ki=1 (pi); 0  i < N (pi p^j ) = (pi) (^pj ); 0  i < N; 0 < j < N In addition, it preserves the  relation, i.e.,

mi=1 pi  qm ! ( mi=1 pi )  (qm ); 0 < m < N Choosing m = 4 we have that the \induction base" (4) p0 ( 4i=1 pi )  p0 ( 4i=2 pi ) p^1 = q4 holds trivially because p^1 has more behaviors than p1, thus allowing q4 to have more behaviors than the system p0 ( 4i=1 pi ). The \inductive step" (5) which is veri ed with Cospan is: q 4 p5  q 5 p0 p5 ( 4i=2 pi ) p^1  p0 ( 5i=3 pi ) p^2 By verifying that qN  T, we thus have that p0 ( Ni=1 pi )  T. The veri cation N q  T is easily done, since N can be substituted in this case by any nite number greater than 3. We note that the intuition for choosing this particular invariant was gained after the following observations were made: (i) any length of processes can be represented by three processes pi ; i > 0, plus one which is \freed" 2 so that it expresses the possible behaviors of any number of processes following the rst three ones. We thus observed that all systems comprised of a doorway process, and a group of three processes of type pi; i > 0, followed by a process of type p^i ; i > 0, are equivalent; (ii) reversing the communication sequence among the processes pi ; i > 0, allows adding a process to the system which directly communicates with the doorway process p0 . This mechanism was found necessary when attempting to de ne a map (a candidate for homomorphism) between the actions of the qm+1 invariant, and the action of the composition of the invariant qm , with a \next" process pm+1 .

Notes 1.

i ( ) is independent of j if for each ( xed) value of ( 1 j ?1 j +1 i is a k ), constant function of j ; otherwise, we say i ( ) depends upon j . 2. A "freed" process is a trivial homomorphic reduction of the original process to a single state process. At the single state, outputs are non-deterministically selected from the set of all possible outputs of the original process. P

x

x

x

x ;:::;x

P

x

x

;x

;:::;x

P

18

References 1. Y. Afek, D. S. Greenberg, M. Merritt, and G. Taubenfeld. Computing with faulty shared memory. In Proceedings of 11th ACM Symp. on Principles of Distributed Computing, 1992. 2. M. C. Browne, E. M. Clarke, and O. Grumberg. Reasoning about networks with many identical nite state processes. In Proceedings of 5th ACM Symp. on Principles of Distributed Computing, 1986. 3. D. Dill. Trace Theory for Automatic Hierarchical Veri cation. MIT Press, 1989. 4. S. M. German and A. P. Sistla. Reasoning about systems with many processes. JACM, 39:675{735, 1992. 5. Z. Har'El and R. P. Kurshan. Modelling concurrent processes. In Proceedings of Internat. Conf. Syst. Sci. Eng., pages 382{385, 1988. 6. M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988. 7. C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985. 8. R. P. Kurshan. Analysis of discrete event coordination. LNCS, 430:414{453, 1990. 9. R. P. Kurshan. Automata-Theoretic Veri cation of Coordinating Processes. UC Berkeley Lecture Notes, 1992. 10. R. P. Kurshan and L. Lamport. Veri cation of a multiplier: 64 bits and beyond. In Proceedings of CAV (LNCS 697), pages 166{179, 1993. 11. R. P. Kurshan and K. McMillan. A structural inductiontheorem for processes. In Proceedings of 8th ACM Symp. on Principles of Distributed Computing, pages 239{247, 1989. 12. R. P. Kurshan, M. Merritt, A. Orda, and S. R. Sachs. Formal veri cation of a distributed algorithm for accessing faulty shared memory. In Proceedings of SBT/IEEE International Telecommunications Symposium, 1994. 13. N. Lynch and M. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceedings of 6th ACM Symp. on Principles of Distributed Computing, pages 137{151, 1987. 14. R. Milner. A calculus for communicating systems. LNCS, 92, 1980. 15. Z. Shtadler and O. Grumberg. Network grammars, communication behaviors and automatic veri cation. LNCS, 407:151{165, 1989.

Recommend Documents