Behavioral Automata Composition for Automatic Topology Independent Verification of Parameterized Systems
Youssef Hanna, Samik Basu, Hridesh Rajan (Iowa State U.)
Midwest Verification Day 2009
Parameterized Systems Problem Existing Work Proposed Solution Outline
Overview Our Approach Conclusion
What is a Parameterized System?
- A system with n homogeneous processes.
- Example: Distributed Mutual Exclusion [a], n = 5. Goal: each process accesses the shared resource exclusively.
[a] Wolper, P. and Lovinfosse, V. 1990. Verifying properties of large sets of processes with network invariants. In J. Sifakis (ed), Automatic Verification Methods For Finite State Systems. Springer-Verlag, LNCS 407.
Laboratory for Software Design, Iowa State University
2
Automatic Cut-off Generation for Parameterized Systems
Distributed Mutual Exclusion
- Has token: can enter Critical Section.
- Pass the token.
- Each process can enter/leave the critical section and pass the token.
Verifying Parameterized Systems
- Example property to verify, ϕ(i, j): no 2 processes i and j in Critical Section concurrently.
- Property satisfied for this system where n = 5.
- Is ϕ(i, j) satisfied for n = 6, 7, ...?
Verifying Parameterized Systems
- Problem of Verifying Parameterized Systems: given a parameterized system sys(n) and a property ϕ, is the property satisfied for every instance of the system (∀n : sys(n) |= ϕ)?
- This is an undecidable problem [1].
[1] K. R. Apt and D. C. Kozen. Limits for automatic verification of finite-state concurrent systems. Inf. Process. Lett., 22(6):307-309, 1986.
Existing Work
- Large amount of existing work [2, 3].
- Key idea based on the notion of cut-off.
- Identify k s.t. sys(k) |= ϕ ⇔ ∀n > k : sys(n) |= ϕ
- No need to verify properties for n > k.
- k is called the cut-off.
[2] E. A. Emerson, R. J. Trefler, and T. Wahl. Reducing model checking of the few to the one. In ICFEM, pp. 94-113, 2006.
[3] C. N. Ip and D. L. Dill. Verifying systems with replicated components in murphi. In CAV, pages 147-158, 1996.
Existing Work
- Emerson and Namjoshi found k = 4 for networks with ring topology for properties ϕ(i, j), i ≠ j [a].
- For ϕ(i, j): no 2 processes i and j in Critical Section concurrently:
  sys(4) |= ϕ(i, j) ⇔ ∀n > k : sys(n) |= ϕ(i, j)
- No need to verify properties of the form ϕ(i, j) for n > 4.
[a] E. A. Emerson and K. S. Namjoshi. Reasoning about rings. In POPL, pages 85-94, 1995.
Problem with Existing Work
- Most ideas focus on a specific system, e.g. for ring systems and property ϕ, cut-off = k.
  - Not immediately applicable to new systems ...
  - ... without developing new theories from first principles.
- System behavior not considered in cut-off computation, e.g. systems organized in a ring topology.
  + Generic cut-off, applies to other systems organized as a ring.
  - Computed cut-off value is often larger (i.e. more nodes). More nodes ⇒ larger verification models. Larger models ⇒ increased verification cost.
A Programming Language Design Perspective
Can we represent parameterized systems in a manner that enables automatic computation of the cut-off value?
Yes, We Can!
Language-based Technique for Cut-off Computation
Technical Contributions: a representation strategy to specify the system as input, which enables a novel cut-off generation algorithm.
Key Benefits:
- Fully automated: ease of verification, no PhD required.
- Topology independent: the user can specify the topology.
- Protocol-specific cut-off: often tighter, i.e. reduced costs.
Key Idea
1. Given all possible actions of a process and the system topology,
2. if we can generate the maximum behavior of that process in any environment, and
3. find the smallest system that allows any one process to exhibit its maximum behavior, then the size of this network is the cut-off.
- Any larger system cannot exhibit any more behavior.
Define Process Actions
- Process Actions:
  - Receive token.
  - Enter/Leave critical section.
  - Send token.
- Topology: Ring.
Generate Behavior of One Process in Any Environment
Figure: one process interacting with its environment through 1: Receive Token, 2: Enter/Leave Critical Section, 3: Send Token.
Find Smallest System Exhibiting Full Process Behavior
Figure: the smallest system in which one process performs 1: Receive Token, 2: Enter/Leave Critical Section, 3: Send Token.
Outline
- Parameterized System Definition
- Problem Statement
- Solution:
  - Define all possible actions of a process.
  - Define system topology and system start configuration.
  - Generate maximum behavior of a process in any environment.
  - Find the smallest system allowing such behavior to be exhibited.
- Case Studies
Define Process Actions Define System Topology, Start Conf Compose Process Behavior Find Smallest System
Steps for Our Technique
1. Define actions of a process.
2. Define system topology and start configuration.
3. Generate maximum behavior of one process in any environment.
4. Find the smallest system that allows any one process to perform its maximum behavior.
Behavioral Automata: Atomic Actions
Figure: one behavioral automaton per atomic action, each transition labelled input/output:
- RCV: Idle --token/choose--> Ncs
- PASS: Ncs --choose/token--> Idle
- ENTER: Ncs --choose/in--> Cs
- LEAVE: Cs --in/token--> Idle
- Initiating automaton SND: Start --ϵ/token--> Idle
System Topology
- Topology = {(token, i, (i + 1) mod k), (in, i, i), (choose, i, i)}
- Start Configuration:
  - 1: SND
  - rest: RCV
Figure: the atomic-action automata RCV, PASS, ENTER, LEAVE and the initiating automaton SND, with the token message routed along the ring and the in and choose messages local to each process.
Behavior of One Process in Any Environment
Done by composing behavioral automata: the output of one automaton is matched with the input of the next (here output token of SND = input token of RCV).
Figure: composing SND (Start --ϵ/token--> Idle) with RCV (Idle --token/choose--> Ncs) yields the composed states (Start, SND) --ϵ/token--> (Idle, SND) --τ--> (Idle, RCV) --token/choose--> (Ncs, RCV).
Behavior of One Process in Any Environment
Figure: the fully composed automaton of one process. A composed state is (process state, active automaton); τ transitions switch the active automaton, labelled transitions are input/output:
- (Start, SND) --ϵ/token--> (Idle, SND) --τ--> (Idle, RCV) --token/choose--> (Ncs, RCV)
- (Ncs, RCV) --τ--> (Ncs, PASS) --choose/token--> (Idle, PASS) --τ--> (Idle, RCV)
- (Ncs, RCV) --τ--> (Ncs, ENTER) --choose/in--> (Cs, ENTER) --τ--> (Cs, LEAVE) --in/token--> (Idle, LEAVE) --τ--> (Idle, RCV)
Goal of Finding Smallest Network
- Find the smallest network that allows any process to exhibit its maximum behavior. The size of this network (k) is the cut-off:
  sys(k) |= ϕ ⇔ ∀n > k : sys(n) |= ϕ
Figure: the composed maximum-behavior automaton of one process (SND, RCV, PASS, ENTER, LEAVE with transitions ϵ/token, token/choose, choose/token, choose/in, in/token and τ).
System with 2 processes sys(2)
Topology = {(token, i, (i + 1) mod k), (in, i, i), (choose, i, i)}
Figure: exploration of sys(2). A global state lists each process as (state, automaton, pending output messages):
- (Start, SND, Ø) (Idle, RCV, Ø) --ϵ/token--> (Idle, SND, {token}) (Idle, RCV, Ø)
- --token/choose--> (Idle, SND, Ø) (Ncs, RCV, {choose})
- --choose/token--> (Idle, SND, Ø) (Idle, PASS, {token}) --token/choose--> ...
- --choose/in--> (Idle, SND, Ø) (Cs, ENTER, {in}) --in/token--> ...
Behavior of one process in any environment, beside the System with 2 processes
Figure: left, the composed maximum-behavior automaton of one process; right, the exploration of sys(2). Every labelled transition of the one-process automaton (ϵ/token, token/choose, choose/token, choose/in, in/token) is matched by a transition in sys(2), ending in states such as (Idle, SND, Ø) (Idle, PASS, {token}), (Idle, SND, Ø) (Cs, ENTER, {in}) and (Idle, SND, Ø) (Idle, LEAVE, {token}).
- A system with 2 processes allows one process to exhibit its maximum behavior.
- The cut-off for DME is k = 2.
- sys(2) |= ϕ ⇔ ∀n > 2 : sys(n) |= ϕ
Kind of Properties ϕ
- Properties involving one process i:
  ∀i, 1 ≤ i ≤ k : sys(k) |= ϕ(i) ⇔ ∀n ≥ k, ∀i, 1 ≤ i ≤ n : sys(n) |= ϕ(i)
- Properties involving 2 interdependent processes i, j:
  ∀i, j, 1 ≤ i, j ≤ k, i ≠ j : sys(k) |= ϕ(i, j) ⇔ ∀n ≥ k, ∀i, j, 1 ≤ i, j ≤ n, i ≠ j : sys(n) |= ϕ(i, j)
Case Studies Conclusion
Comparison with Other Techniques
System | Topology | Existing Work Cut-off | ϕ | Our Technique Cut-off | ϕ
Dining Philosophers | Ring | 5 [d] | ϕ(i, j) | 3 | ϕ(i, j)
Spin Lock | Star | 3 [e] | ϕ(i, j) | 2 | ϕ(i, j)
[d] E. A. Emerson and V. Kahlon. Model checking large-scale and parameterized resource allocation systems. In TACAS, pages 251-265, 2002.
[e] S. Basu and C. R. Ramakrishnan. Compositional analysis for verification of parameterized systems. Theor. Comput. Sci., 354(2):211-229, 2006.
Conclusion
- Parameterized system verification is important.
- Reduce the problem to verifying a small system with cut-off k.
- Current solutions are topology specific.
  - New theories required for every new system.
- Our Solution:
  - Automated technique for cut-off generation.
  - Topology independent.
- Future Work: apply the technique to
  - Synchronous systems.
  - Infinite-data domain systems.
Questions?
http://www.cs.iastate.edu/~slede/
Generating a system Proof of Soundness
System with 2 processes sys(2)
- A configuration consists of:
  - The state of the process
  - The automaton of the process
  - The set of its output messages to be consumed
Figure: Start state in sys(2): 1st process configuration (Start, SND, Ø), 2nd process configuration (Idle, RCV, Ø).
System with 2 processes sys(2)
Figure: Autonomous action. (Start, SND, Ø) (Idle, RCV, Ø) --ϵ/token--> (Idle, SND, {token}) (Idle, RCV, Ø): the SND automaton of the 1st process moves without consuming any input and leaves token in its output set.
System with 2 processes sys(2)
Topology = {(token, i, i + 1), (in, i, i), (choose, i, i)}
Figure: Non-autonomous action. (Idle, SND, {token}) (Idle, RCV, Ø) --token/choose--> (Idle, SND, Ø) (Ncs, RCV, {choose}): the RCV automaton of the 2nd process consumes the token output by the 1st process, as the topology allows.
System with 2 processes sys(2)
Topology = {(token, i, i + 1), (in, i, i), (choose, i, i)}
Figure: continued exploration of sys(2) with PASS, ENTER and LEAVE. From (Idle, SND, Ø) (Ncs, RCV, {choose}), choose/token leads to (Idle, SND, Ø) (Idle, PASS, {token}) and choose/in leads to (Idle, SND, Ø) (Cs, ENTER, {in}); in/token and token/choose continue the exploration ...
Proof of Soundness
- Assume the smallest system sys(k) simulating full process behavior is not the cut-off: sys(n) |= ϕ(i) while sys(k) ⊭ ϕ(i) for some n > k.
Figure: sys(k) and sys(n) unfolded from their start states; sys(n) would have to contain extra behavior of process i satisfying ϕ(i).
Proof of Soundness
- To verify property ϕ(i) we ONLY care about process i.
- All processes are homogeneous.
- sys(k) covers all possible behavior of any process (i) in any environment (j).
Figure: sys(k) unfolded from its start state.
Proof of Soundness
- For any n > k, no such transition is possible, since all such transitions belong to the behavior of the i-th process, which is covered by sys(k).
Figure: sys(n) unfolded from its start state; the supposed extra behavior satisfying ϕ(i) cannot exist.