Products of MSC-Graphs Philippe Darondeau Blaise Genest Loïc Hélouët IRISA Laboratory / CNRS&INRIA Rennes, France

General context of MSC-Graphs Use Representatives for Modeling & Verification of communication protocol. 1)Define an equivalence relation on executions: u ´ v 2)Define the equivalence closure: [X] = {u j v 2 X and u ´ v } 3)To Check M Å P = ; with [P]=P and [M]=M (M,P closed), it suffices to check R Å P = ; with [R]=M. (that is, for all u 2 M, there exist v 2 R with u ´ v) R is called a set of representatives for M, can have much fewer states than the model M. (Think about Symmetry reduction)

Communication Protocols: Infinite States Problem1: Model M cannot be given effectively (infinite states), and Hard to get R with [R]=M. Solution: We work only with representatives from the beginning! The Specification is R, a set of representatives, representing [R]=M Problem 2: Give powerful primitives/operators on representatives set to describe everything we want to model

What we want to model: -Concatenation of Models. -Loop on Model. -Choice of Models. -Parallel Composition.

Communicating Protocols Communicating Protocol: Set of Processes P. Actions on each process and messages sent from one process to another one. Execution of a Protocol: p(PSW) p!q(m) q(STRT) q?p(m) q(CheckID) Process p computes password Process p sends message m to q Process q receives message m Process q check the User ID Process q starts

Communicating Protocols p(PSW) p!q(m) q(STRT) q?p(m) q(CheckID) A message can be received Only after it is sent Dependancies: message relation + process total order + FIFO Process p does things sequencially Process q does things sequencially q?p(m) is the receive associated with send p!q(m) only if q?p(m) is the x-th message m received by q from p and p!q(m) is the x-th message m sent by p to q. FIFO:

Equivalence for Protocols Everything which is not dependant can commute: p(PSW) p!q(m) q(STRT) q?p(m) q(CheckID) p(PSW) q(STRT) p!q(m) q?p(m) q(CheckID) q(STRT) p(PSW) p!q(m) q?p(m) q(CheckID) ´ ´ Protocols are closed for this equivalence relation

Message Sequence Charts qp m Norm of the International Telecomunication Union (ITU) p(PSW) p!q(m) q(STRT) q?p(m) q(CheckID) p(PSW) q(STRT) p!q(m) q?p(m) q(CheckID) q(STRT) p(PSW) p!q(m) q?p(m) q(CheckID) ´ ´ PSW STRT CheckID Instead of choosing one representant, give a visual illustration of what happens = Message Sequence Chart MSC. (Partial Order, no cycle)

Regular Operators for Representatives -Concatenation of Models [M.M’] = [[R]. [R’]] = [R.R’] : R.R’ is a set of rep. -Loop on Model [M*] = [[R]*] = [R*] : R* is a set of rep. -Choice between Models M Ç M’ = [R] Ç [R’] = [R Ç R’] : R Ç R’ is set of rep. = Concatenation of representatives. = Loop on representatives. = Choice between representatives. Take [R]= M and [R’]=M’ Easy because operator commutes with [].

MSC-Graphs AB login AB Id AB NOK OK Identification Scenario R Norm of the International Telecomunication Union (ITU) MSC-Graph = Regular set (automaton) of Representatives

MSC-Graphs AB login AB Id AB NOK OK A!B(login) B?A(login) A(Id) B!A(OK) B!A(NOK) A?B(OK) A?B(NOK) 2 [R]=M ´ A!B(login) B?A(login) A(Id) B!A(OK) A?B(OK) B!A(NOK) A?B(NOK) 2 R R AB login Id OK NOK 2 [R]

What we want to model: -Concatenation of Models. -Loop on Model. -Choice of Models. -Parallel Composition.

Product of MSC Graphs AB login AB Id AB AB search AB AB NOK OK KO content Identification Scenario Search Scenario

Parallel Composition M // M’ = {w // w’ | [w]=M,[w’]=M’} Problem:M // M’  [R // R’] u 1 u 2 u 3 u 4 // v 1 v 2 v 3 v 4 = shuffle of u and v, e.g. u 1 u 2 v 1 u 3 u 4 v 2 v 3

Problem: M // M’  [R // R’] Id Idea: Create a regular R // (MSC-Graph) with [R // ] = M // M’ Bad news: R // does not always exists . AB AB m1 m2 Idea2: Check if there exists a regular R // with [R_{//}] = M // M’ AB m1m2 Cannot be generated by a MSC-graph RR’ 2 [R]//[R’]

Existential Boundedness AB m1 R Property: Let R a regular set (MSC-graph) with n states, u 2 R. Then u is n/2 bounded (difference number of messages sent and received in any channel is · n/2 in any prefix of u) Corollary: Let R a regular set (MSC-graph) with n states, u 2 [R]. Then u is equivalent with a n/2-bounded execution. We say that [R] is existentially n/2 bounded (every MSC of [R] has a n/2 bounded execution).

Existential Boundedness AB m1m2 MSC M k not existentially k-1 bounded. So (M k ) k not existentially bounded. So (M k ) k cannot be generated by a MSC-graph So [R // ] = [R] // [R’] does not exists with R // a MSC-graph k k k k MkMk Corollary: Let R a regular set (MSC-graph). then [R] is existentially bounded. Idea3: Check if [R] // [R’] is existentially bounded

Testing 9 -k-Boundedness of MSC AB m1m2 k k k k MkMk Prop[Lohrey-Muscholl’04]: process order + message order + rev k-1 is acyclic iff M is 9 -(k-1)-bounded (if cycle, 2p points needed to make the cycle) Add order rev k-1 between a n-th receive and n+k-1-th send on same channel MSC not 9 -(k-1)-bounded if no execution (k-1)-bounded: We cannot impose every n-th receive to be before the n+k-1-th send on same channel. It is not possible (creates a cycle). For instance, between 1st receive and k-th send.

Testing 9 -k-Boundedness of Product AB m1m2 2 [R]//[R’] AB m1 2 [R] AB m2 2 [R’] MSC of product described by 2 MSCs + relations not creating cycles. Relations not creating cycles + 2 MSCs represent set of MSCs of product.

Testing 9 -k-Boundedness of Product Problem: cannot keep track of all relations with bounded memory because no bound on size of MSCs. Solution: we non deterministically guess 2 executions of R and R’ in parallel, 2p points e 1.. e 2p, the relations between e 1.. e 2p. M1  [w]//[w’] can have out of order events wrt w,w’, But only finite number of future to remember We check 1)no cycle with process order + message order + on e 1.. e 2p (it means there is an MSC in the product) 2) cycle with process order + message order + + rev k on e 1.. e 2p (it means this MSC is not existentially bounded) Th: Check whether [R] // [R’] is existentially-k-bounded is PSPACE Problem: what if k is not given?

Testing 9 -Boundedness of Product Prop[Darondeau-G-Helouet’08]: [R] // [R’] is existentially bounded iff It is 9 -n-bounded, where n depends only on |R|+|R’| Solution: Pumping lemma. Problem: what if k is not given? Th[Darondeau-G-Helouet’08]: Check whether [R] // [R’] is existentially-bounded is PSPACE Problem: what if k is not given?

Much More in the Paper! Work same for safe Compositional MSC-graphs (still regular set of representatives) Th[Darondeau-G-Helouet’08] If product existentially bounded, we can generate R // with [R // ] = [R] // [R’] granted R or R’ is globally-cooperative. + Controlled Shuffle!

Product of MSC Graphs AB login AB Id AB AB search AB AB NOK OK KO content Identification Scenario Search Scenario Problem: a search can be done while the user is not logged in

Controlled Shuffle AB login AB Id AB AB sync AB search AB AB AB sync NOK OK KO content Identification Scenario Search Scenario Sync is a synchronization point, both scenarios should pass it in same time Means that B answer a search request only if A is logged in.

Result on Controlled Shuffle Th[Darondeau-G-Helouet’08]: Undecidable to test whether [R] // [R’] is existentially-bounded if synchronization point on 2 processes or more. (encode PCP) Th[Darondeau-G-Helouet’08]: Checking whether [R] // [R’] is existentially-bounded is PSPACE (same as before) Th[Darondeau-G-Helouet’08]: Check whether [R] // [R’] is existentially-bounded is Co-NP-hard It is co-NP-complete if no content of messages. If synchronizations on a single process:

Conclusion: Under certain condition, decidable whether there exists a regular R // with [R // ] = [R] // [R’], and then we can check it What about non regular R // ? We can use R // = rational trace language, that is a causal MSC-graph! (equivalently another relation []) Observation : such a R // always exists when control on one process. (independance relation a I b if a   i  b   i ) Probably: decidable to know whether caMSC-graphs is Existentially-bounded Important to compare two caMSC-graphs with different I, Since this question is in general probably undecidable.