Model checking with Message Sequence Charts - PowerPoint PPT Presentation

1
Model checking with Message Sequence Charts
  • Doron Peled
  • Collaborators: R. Alur, E. Gunter, G. Holzmann, A. Muscholl, Z. Su

Department of Computer Science, University of Warwick
2
MSCs
  • An ITU standard notation (Z.120).
  • Visual and textual forms.
  • Specifies behaviors of communication protocols.
  • Existing algorithms and tools.

3
MSC visual notation
[Figure: MSC with processes P1, P2, P3 exchanging messages M1 to M6]
4
MSC Textual form
    msc MSC;
    inst P1: process Root,
         P2: process Root,
         P3: process Root;
    instance P1;
      out M1 to P2;
      in M5 from P2;
      in M6 from P3;
    endinstance;
    instance P2;
      in M1 from P1;
      out M2 to P3;
      out M3 to P3;
      in M4 from P3;
      out M5 to P1;
    endinstance;
    instance P3;
      in M2 from P2;
      in M3 from P2;
      out M4 to P2;
      out M6 to P1;
    endinstance;
    endmsc;

[Figure: the same MSC in visual notation (P1, P2, P3; M1 to M6)]
5
Partial order semantics
[Figure: the MSC of slide 4 as a partial order; each message Mi contributes a send event s and a receive event r]
6
HMSCs
7
An execution: infinite or maximal
[Figure: HMSC with nodes A, B, C, D; the nodes contain the messages approve, connect, fail, report and Req_service]
Execution: A C A C D
8
Visual semantics
  • Sends before corresponding receives.
  • Events on the same process line execute in order
    of appearance, from top to bottom.

9
Visual order (wysiwyg)
  • If some event (send, receive) is higher on the
    line than another, it comes first.
  • Sends precede matching receives.

[Figure: the MSC of slide 4 (P1, P2, P3; M1 to M6)]
10
Visual order (wysiwyg)
[Figure: the visual order of the same MSC drawn on its send (s) and receive (r) events]
11
Causal Order and Races
[Figure: the MSC of slide 4 (P1, P2, P3; M1 to M6)]
  • A send precedes its matching receive.
  • A receive or a send precedes any later send of the same process.
  • Two receives on the same process of messages sent by the same process are ordered (FIFO).

Races: check whether every pair of events ordered by the visual order appears in the transitive closure of the causal order.
12
Races
[Figure: two MSCs that agree on M1 to M4 but differ at P1, which receives M5 before M6 in one and M6 before M5 in the other]
13
Finding races
[Figure: the MSC of slide 4 (P1, P2, P3; M1 to M6)]
Rules: the causal order holds between
  - a receive and a later send of the same process;
  - two sends from the same process;
  - a send and its corresponding receive;
  - two receives on the same process from the same sender (FIFO order).
14
Causal Order
[Figure: the causal order of the same MSC drawn on its send (s) and receive (r) events]
15
Calculating the transitive closure
  • Structure (E, R).
  • E: the events; R ⊆ E × E.
  • R⁺: the transitive closure, defined as follows: a R⁺ b if there is a sequence x1, x2, ..., xn with a = x1, b = xn, and xi R xi+1 for 1 ≤ i < n.
  • Complexity: cubic in general. In our case quadratic (every event has 1 or 2 successors).
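
The race check of slides 11, 13 and 15 carried out on the MSC of slide 4, as an added example (Python written for this page, not code from the presentation or its authors). The parser covers only the Z.120 subset used on the slide, the causal edges are exactly the four rules of slide 13, and the closure is the cubic Warshall algorithm rather than the quadratic variant mentioned above; message names are assumed unique within the chart.

```python
"""Race detection for one MSC, following the slides: compare the visual
(wysiwyg) order with the transitive closure of the causal order.

Added example written for this page; not code from the presentation."""
from itertools import combinations

# The MSC of slide 4 in Z.120 textual form (message names assumed unique).
MSC_TEXT = """
msc MSC;
inst P1: process Root, P2: process Root, P3: process Root;
instance P1; out M1 to P2; in M5 from P2; in M6 from P3; endinstance;
instance P2; in M1 from P1; out M2 to P3; out M3 to P3; in M4 from P3;
             out M5 to P1; endinstance;
instance P3; in M2 from P2; in M3 from P2; out M4 to P2; out M6 to P1;
             endinstance;
endmsc;
"""

def parse_msc(text):
    """Events (process, kind, message, peer) in visual order; kind is 's' or 'r'.
    Handles only the slide's subset: instance blocks with 'out M to P' and
    'in M from P' statements. Declarations (msc, inst) are skipped."""
    events, current = [], None
    for stmt in (s.strip() for s in text.split(";")):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "instance":
            current = words[1]
        elif words[0] == "endinstance":
            current = None
        elif words[0] == "out" and current:
            events.append((current, "s", words[1], words[3]))  # out M to P
        elif words[0] == "in" and current:
            events.append((current, "r", words[1], words[3]))  # in M from P
    return events

def process_lines(events):
    """Event indices grouped per process, top to bottom."""
    lines = {}
    for i, (proc, _, _, _) in enumerate(events):
        lines.setdefault(proc, []).append(i)
    return lines

def message_edges(events):
    """Send before its matching receive (matched by message name)."""
    sends = {e[2]: i for i, e in enumerate(events) if e[1] == "s"}
    return {(sends[e[2]], i) for i, e in enumerate(events)
            if e[1] == "r" and e[2] in sends}

def visual_order(events):
    """Slide 9: higher on a process line comes first; sends precede receives."""
    order = message_edges(events)
    for line in process_lines(events).values():
        order.update(combinations(line, 2))  # combinations preserves line order
    return order

def causal_order(events):
    """Slide 13: send before its receive; a receive or send before any later
    send of the same process; two receives on one process from the same
    sender keep their order (FIFO). Two receives from different senders,
    or a send followed by a receive, are NOT ordered."""
    edges = message_edges(events)
    for line in process_lines(events).values():
        for a, b in combinations(line, 2):
            (_, ka, _, pa), (_, kb, _, pb) = events[a], events[b]
            if kb == "s" or (ka == "r" and kb == "r" and pa == pb):
                edges.add((a, b))
    return edges

def transitive_closure(n, edges):
    """Warshall closure: cubic in the number of events (slide 15)."""
    reach = [[False] * n for _ in range(n)]
    for a, b in edges:
        reach[a][b] = True
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return reach

def find_races(text):
    """Pairs ordered visually but not causally, as (process, first, second)."""
    events = parse_msc(text)
    reach = transitive_closure(len(events), causal_order(events))
    races = []
    for a, b in sorted(visual_order(events)):
        if not reach[a][b]:
            proc, ka, ma, _ = events[a]
            _, kb, mb, _ = events[b]
            races.append((proc, f"{ka}({ma})", f"{kb}({mb})"))
    return races

if __name__ == "__main__":
    for proc, first, second in find_races(MSC_TEXT):
        print(f"race on {proc}: {first} is drawn above {second} "
              f"but the causal order allows either to come first")
```

The only race reported is the pair of receives of M5 and M6 on P1, which is the swap drawn on slide 12: M5 travels P3 → P2 → P1 via M4, M6 goes directly P3 → P1, and nothing forces one to arrive first. Swapping the two receives in the textual form yields the mirror-image race, so either drawing over-specifies the protocol; an implementation that relies on the drawn order is the kind of ordering assumption an attacker with control over message timing can violate.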

16
Can also deal with time
Use time difference matrices.
17
Races in HMSCs. Definition
  • For each HMSC M and execution Ex, define the linearizations according to the visual order, linvis(Ex), and the linearizations according to the causal order, lincaus(Ex). Extend both to the set of all executions of M.
  • Always linvis ⊆ lincaus.
  • Races when linvis ≠ lincaus.

18
Mazurkiewicz Traces
  • Alphabet {a, b, c}.
  • Independence: a I b, b I c.
  • Equivalence classes of words, denoted using representatives: e.g., aabb and abba lie in the same class because a and b commute.
  • Regular trace languages can be defined using concatenation, star, union, intersection.
  • Note: the trace language of (ab)* is not recognizable (by finite automata).

19
Visual concatenation
[Figure: HMSC nodes A, B, C, D over processes P1, P2, P3 (messages approve, connect, fail, req_service, report), and the MSC obtained by concatenating the nodes along a path]
Execution: concatenation of a maximal path in the HMSC.
20
Other problems: Global decision
[Figure: two MSCs M1 and M2 over processes P1 and P2 as alternative branches]
What if one process starts to behave according to M1 and the other according to M2?
21
Races for HMSCs
  • Undecidable [MP99].
  • Translate to the language theory of traces, which are closed w.r.t. commuting certain pairs of letters.
  • Intuition: moving from the visual to the causal semantics introduces more commutations. Two receives on the same process line (from different processes) are dependent in the visual order and independent in the causal order.
  • Reduction to universality of trace languages (things are independent with causal semantics).

[Figure: a trace language L with the independent letters marked]
22
Model checking
  • Write both specification and system as HMSCs. Do
    concatenation.
  • Write specification in LTL. Interpret over the
    linearizations of the partial orders.
  • In both cases undecidable.

23
Post Correspondence Problem
  • List of pairs w1 = (aab, aa), w2 = (aba, ab), ..., wn = (a, bb). Want to find whether there is a sequence of indexes i1, i2, ..., ik such that concatenating the left-hand words and concatenating the right-hand words gives the same string.
  • Suppose we take indexes 1, 2, n, 1. We get
  • left-hand: aab aba a aab
  • right-hand: aa ab bb aa

24
PCP reduction
[Figure: MSC gadgets for the reduction from PCP. Processes P1 and P2 match single letters a and b (letter match); processes P3 and P4 match the words w1 and w2 (word match) of pairs such as (aab,bb), (ab,bab), ...]
25
Some solutions
  • Obtain decidability under the following condition [MP99, AY99]: every cycle of the HMSC covers a strongly connected component of the communication graph. An edge exists from process Pi to process Pj if there is a communication from Pi to Pj.
  • The specification HMSC allows any additional gaps [MPS98].
  • Put a limit on the message queues [Holzmann].

26
Problem with describing protocols
[Figure: finite-state protocol between P1 and P2; P1 has states s1, s2, s3 and P2 has states t1, t2, with transitions P1snd, P1rcv, P2snd, P2rcv]
27-32
Problem with describing protocols (continued)
[Figure: the protocol between P1 and P2 drawn as message sequence charts, step by step]
33
Solution Compositional HMSCs
[Figure: the protocol between P1 and P2 as a compositional HMSC]
34
Even emptiness is undecidable!
(E1 E2 ... Em) (G1 G2 ... Gm) F
[Figure: CHMSC nodes E3, G2 and F labelled with the letters a, b and the word w2]
35
Left closed CHMSCs
  • Does not allow an unmatched receive event that is not matched by a previous unmatched send.
  • A CHMSC is realizable if every path is matched.
  • Can be checked in polynomial time using a nondeterministic stack machine.

36
How to check for realizability?
  • How to check with a stack machine, for each pair of processes?
  • For (1) and (2): push for each unmatched send, pop for each unmatched receive.
  • For (3): guess that it is a name mismatch upon seeing an unmatched send. Ignore further sends; pop as usual for receives, until the corresponding receive occurs.
  • What can go wrong?
  • (1) More unmatched receives than sends.
  • (2) The kth unmatched send occurs before a matched pair, the kth unmatched receive after it.
  • (3) The kth unmatched send has name C, the kth unmatched receive has name D.
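
A concrete check for the three failure modes listed above, as an added example (Python written for this page, not the presentation's code). It checks one given path of a CHMSC, channel by channel, instead of guessing the failing path nondeterministically as the stack machine does. Reading failure mode (2) as a FIFO violation (a matched pair may not overtake an earlier unmatched send on the same channel) is this example's assumption, and the sample paths, event tuples and process names P1, P2 are constructed.

```python
"""Realizability check of one CHMSC path, channel by channel, for the three
failure modes listed on slide 36.

Added example written for this page; not code from the presentation.
ASSUMPTION: each channel (sender, receiver) is FIFO, so a matched pair
may not overtake an earlier unmatched send on the same channel."""

def check_channel(events, complete=True):
    """events: (kind, message, matched) for one channel in path order, where
    kind is 'send' or 'recv' and matched tells whether the event's partner
    lies in the same CHMSC node. Returns None if realizable, else a string
    naming the first violation."""
    in_transit = []                  # sent but not yet received, FIFO order
    for kind, name, matched in events:
        if kind == "send":
            in_transit.append((name, matched))
        elif kind == "recv":
            if not in_transit:       # (1) more unmatched receives than sends
                return f"receive of {name} with nothing in transit"
            head_name, head_matched = in_transit.pop(0)
            if matched != head_matched:
                # (2) an unmatched send precedes a matched pair whose receive
                # comes before the unmatched receive (or the reverse)
                return (f"receive of {name} overtakes "
                        f"{'matched' if head_matched else 'unmatched'} "
                        f"send of {head_name}")
            if name != head_name:    # (3) kth unmatched send C, kth receive D
                return f"name mismatch: sent {head_name}, received {name}"
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if complete and in_transit:      # a maximal path must match every send
        return f"send of {in_transit[0][0]} never received"
    return None

def check_path(path, complete=True):
    """path: (sender, receiver, kind, message, matched) tuples in path order.
    Returns {(sender, receiver): violation} for the failing channels; an
    empty dict means the path is realizable."""
    channels = {}
    for src, dst, kind, name, matched in path:
        channels.setdefault((src, dst), []).append((kind, name, matched))
    failures = {}
    for chan, events in channels.items():
        violation = check_channel(events, complete)
        if violation:
            failures[chan] = violation
    return failures

# Constructed sample paths (processes P1, P2; message names are illustrative).
PATH_OK = [  # one node sends C, D unmatched; the next receives them, then matched pairs
    ("P1", "P2", "send", "C", False), ("P1", "P2", "send", "D", False),
    ("P1", "P2", "recv", "C", False), ("P1", "P2", "recv", "D", False),
    ("P1", "P2", "send", "X", True),  ("P1", "P2", "recv", "X", True),
    ("P2", "P1", "send", "Y", True),  ("P2", "P1", "recv", "Y", True),
]
PATH_OVERTAKE = [  # (2) unmatched C sent before a matched pair, received after it
    ("P1", "P2", "send", "C", False), ("P1", "P2", "send", "X", True),
    ("P1", "P2", "recv", "X", True),  ("P1", "P2", "recv", "C", False),
]
PATH_NAME = [  # (3) kth unmatched send is C, kth unmatched receive is D
    ("P1", "P2", "send", "C", False), ("P1", "P2", "recv", "D", False),
]
PATH_EXTRA_RECV = [  # (1) more unmatched receives than sends
    ("P1", "P2", "send", "C", False), ("P1", "P2", "recv", "C", False),
    ("P1", "P2", "recv", "C", False),
]
PATH_PENDING = [("P1", "P2", "send", "C", False)]  # fine as a prefix, not as a maximal path

if __name__ == "__main__":
    for label, path in [("ok", PATH_OK), ("overtake", PATH_OVERTAKE),
                        ("name", PATH_NAME), ("extra recv", PATH_EXTRA_RECV),
                        ("pending", PATH_PENDING)]:
        print(f"{label:10s} {check_path(path) or 'realizable'}")
```

Running the checker on every path of a finite CHMSC (or on the paths produced by the translation of slide 37) decides realizability for that set of paths; `complete=False` is the left-closedness test for a prefix, which only rejects an unmatched receive that no earlier unmatched send can serve.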

37
Now we can translate finite state protocols to
CHMSCs
  • Any finite state protocol can be translated.
  • Trivial translation: each transition of the finite state graph becomes one CHMSC node, with possibly an unmatched message.
  • This does not give more information than the finite state graph.
  • Try to optimize: take some paths.
  • Break the graph into cycle-free paths (e.g., using DFS and back arrows).
  • Use partial order reduction (sleep sets) to minimize the number of paths.

39
The logic TLC [APP] over MSCs. Label events with propositions.
Nexttime: O p
[Figure: two copies of the MSC of slide 4 (P1, P2, P3; M1 to M6) with some events labelled p, illustrating where O p holds]
40-41
O p
[Figure: further labellings of the same MSC with p, and the events where O p holds]
42
Until: p U q
[Figure: the same MSC with events labelled p and q, illustrating p U q]
true U q (eventually q)
43
(true U p) p
[Figure: the same MSC with p labelling the events]
44
Some specifications
  • (req → ack): every request is followed by an acknowledge.
  • (transA /\ (transB /\ transA)): transaction B cannot interfere with transaction A.
  • (beginA → O (transA U finishA)): the execution of transaction A is not interrupted by any other event.
45
HMSC linearizations
46
Intuition behind algorithm for Op
Automaton with 2 successor relations. There are two cases:
  - p holds for the matching receive: then use the 2nd successor relation.
  - p holds for the successor in the process: then wait to see an event of the same process.
Intersect the system automaton (linearizations) with the property automaton (of the property).
[Figure: a linearization of the MSC with its events numbered 1 to 12]
47
Overview
  • MSC: finding races (finite, one scenario).
  • HMSC: linear model checking undecidable; bounded HMSCs and connected-communication HMSCs allow partial order model checking.
  • HMSCs cannot express the behavior of some protocols.
  • CHMSC: emptiness undecidable.
  • Realizable CHMSC: checking realizability.
48
Conclusions
  • Model checking for MSCs is undecidable [GP, AY].
  • TLC model checking is based on the partial order semantics and is decidable.
  • Some extensions to the MSC standard are useful, e.g., CHMSCs, LSCs.
  • Visual notations have advantages over textual representations.
  • MSC is a standard for describing concurrent interactions.
  • MSCs are based on partial order semantics.
  • MSCs raise many interesting research problems, e.g., race conditions.