Download presentation
Presentation is loading. Please wait.
1
Model checking with Message Sequence Charts Doron Peled Collaborators: R. Alur, E. Elkind, B. Genest, E. Gunter, G. Holzmann, A. Muscholl, Z. Su Bar Ilan University, Ramat Gan
2
Topics Syntax and semantics Checking Race Conditions High Level MSCs Extensions Model Checking
3
MSCs An ITU standard notation (Z120). Visual + Textual forms. Specifies behaviors of communication protocols. Existing algorithms + tools.
4
MSC visual notation P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
5
MSC Textual form msc MSC; inst P1: process Root, P2: process Root, P3: process Root; instance P1; out M1 to P2; in M5 from P2; in M6 from P3; endinstance; instance P2; in M1 from P1; out M2 to P3; out M3 to P3; in M4 from P3; out M5 to P1; endinstance; P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 instance P3; in M2 from P2; in M3 from P2; out M4 to P2; out M6 to P1; endinstance; endmsc;
6
Partial order semantics In fact, there are two possibilities for semantics, which makes it problematic/interesting P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 ss s s s r r r r r r s M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
7
HMSCs P1P1 P3P3 P2P2 P1P1 P3P3 P2P2 P1P1 P3P3 P2P2 P1P1 P3P2 connect approve fail req_service report
8
An execution: infinite or maximal sequence of MSCs concatenated connect approve fail report Req_service A CD B Execution: ACACD connect fail Req_service report
9
Visual semantics Sends before corresponding receives. Events on the same process line execute in order of appearance, from top to bottom.
10
Visual order (wysiwyg) P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 ss s s s r r r r r r s M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
11
Causal Order: Order only what is controlable Sends before matching receive. Receive or sends before sends of same process (M 3 and M 4 ). Two receives on the same process sent from the same process. P1P1 P3P3 P2P2 M1 M2M2 M3M3 M4M4 M5M5 M6M6
12
Causal Order P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 ss s s s r r r r r r s M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
13
The problem: Races The existence of two possible semantics is a source of confusion. Users may see one semantics as more intuitive or the other. The discrepancies between the two semantics, causing potentially different order of events, is called “races”.
14
Races P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 Races: check if every pair of events ordered by the visual order appears in the transitive closure of the causal order.
15
Calculating the transitive closure Structure (E, R). E – Events, R E E. R * The transitive closure. Defined as follows: a R * b if there is a sequence x 1 x 2 … x n where a=x 1, b=x n, and x i R x i+1 for 1 i<n. Complexity: in general cubic. But in our case: quadratic (every event has 1 or 2 successors).
16
Causal Order P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 ss s s s r r r r r r s M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
17
Visual order (wysiwyg) P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 ss s s s r r r r r r s M1M1 M2M2 M3M3 M4M4 M5M5 M6M6
18
P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P2P2 P3P3 Finding races: Rules: order between - receive and a later send. - two sends from same process. - send and corresponding receive. - fifo order. Race: In visual order but not in transitive closure of causal order.
19
Co-regions P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 Co-regions are boxes around events that explicitly say: allow these events to appear in any order!
20
Can also deal with time P1P1 P2P2 [2,4] [3,5] [2,3] [7,10] Use time difference matrices.
21
Races in HMSCs. Definition For each HMSC M execution Ex, define the linearizations according to the visual order lin vis (Ex) and the linearizations according to the causal order lin caus (Ex). Extend to all executions: lin vis (Ex) and lin caus (Ex). Always lin vis (Ex) lin caus (Ex). Races Races : when lin vis (Ex) lin caus (Ex).
22
Mazurkiewicz Traces Alphabet {a,b,c} Independence: aIb, bIc Equivalence classes of words (denoted using representatives): aabb and abba equivalent [aabb ]=[abba ] Regular trace language: can be defined using concatenation, star, union, intersection. Note: [ab ]* is not recognizable (by automata, and [abc ]* is not recognizable by stack machine). In general [L] for a regular language L is not necessarily regular or context-free. Traces can be concatenated: [vw]=[v][w]. Thus, [ab ][ab ]=[abab ]
23
Semi-traces Similar to traces, but sometimes can letters can commute only in one direction. Useful for describing communication systems: can commute receive with a later send between the same pair of processes, but not necessarily send with a later receive: sssrrr ssrsrr srssrr srsrsr -/->rssrsr A message sequence chart can be modeled as a semi-trace.
24
Concatenation of MSCs Extending the lines of the process to include all messages. When we concatenate MSC A before MSC B, it does not mean that all events of A precede all the events of B. P1P1 P3P3 P2P2 M4M4 M5M5 M6M6 P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 A B
25
Concatenation of MSCs Extending the lines of the process to include all messages. When we concatenate MSC A before MSC B, it does not mean that all events of A precede all the events of B. Receiving M 2 may occur after sending M 4. Can simply concatenate the corresponding semi- traces! P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 A; B
26
Concatenation P1P1 P3P3 P2P2 P1P1 P3P3 P2P2 P1P1 P3P3 P2P2 P1P1 P3P3 P2P2 connectapprove fail req_service report P1P1 P2P2 P3P3 connect fail report approve connect fail report AB CD Execution: concatenation of a maximal path in the HMSC. Concatenation of MSCs Concatenation of semi-traces.
27
Other problems… Global decision P1P1P2P2 P1P1 P2P2 + =? What if one process will start to behave according to M 1 and the other will start according to M 2 ? Some decision procedures for this problem + MSC restrictions M1M1 M2M2
28
Races for HMSCs Undecidable [MP99] Intuition: moving from visual to causal semantic introduces more commutations: Two receives on the same process line (from different processes) are dependent on visual and independent on causal order. Build regular L where each letter becomes an MSC with one message. Universality of semi-trace languages. Is [L]= * is similarly undecidable. a b c aIc, bIc in Visual order. All letters/events are independent in causal semantics.
29
The case in the middle: No HMSC graph, but multiple MSCs [EGP07] We call a collection of finite MSCs an ensemble. This is usually what is given by engineers. A polynomial algorithm for checking races. NP-Complete if we allow co-regions. But, to be race free, one may need exponential number of MSCs (in size of a single MSC).
30
Calculating the “discord” [EGPS07] The “discord” is a measure of the possible deviation of the actual execution order from what seems to be the order according to the HMSC. This discrepancy is similar to “races” and stems from the fact that in concatenation, an event from earlier MSC can precede one from later MSC. Intuitively: the discord tell the designer that (s)he may think that the message order is X, but at worst it can be Y. Use “Allen’s logic” to describe order. B A B A B A AbB (A before B) AoB (A overlaps B)AdB (A during B)
31
Calculate from HMSC the order between pairs of messages. The Vertical lines: the two messages in focus. Dashed lines: chains of messages, i.e., s r s …s r where adjacent r and s are from same process. Faint lines: more chains of messages that can be inferred from situation. These are 4 out of 22 cases.
32
The discord tells us what is the maximal “inversion” between the message order according to the HMSC structure, and actual order P1P1 P3P3 P2P2 M4M4 M5M5 M6M6 P1P1 P3P3 P2P2 M1M1 M2M2 A B M2M2 M4M4 M 2 cannot appear completely after M 4 ; at worst, it can start after M 4 has started but before it ended, and finish after M 4 finishes. In Allen’s logic, M 4 oM 2. The discord is, informally, a mesasure of this worst situation. Calculating the discord for two messages: Co-NP complete in number of processes and size of HMSC.
33
Model checking Write both specification and system as HMSCs, or Write specification in LTL. Interpret over the linearizations of the partial orders. In both cases: undecidable. We’ll show the intersection case. For the LTL case: encode the linearizations of one of the HMSCs with LTL: for each MSC node, only one linearization is necessary.
34
Post Correspondence Problem List of pairs: w 1 :(aab,aa), w 2 :(aba,ab), … w n :(a,bb). Want to find if we find a set of indexes i 1, i 2, …, i k, such that concatenating the lefthand words and concatenating the righthand words is the same. Supose we take indexes 1, 2, n, 1. We get: lefthand: aab aba a aab righthand: aa ab bb aa
35
PCP reduction P1P1 P2P2 P3P3 P4P4 P3P3 P4P4 P1P1 P2P2 P5P5 P6P6 P5P5 P6P6 a b a a b P5P5 P6P6 P5P5 P6P6 P1P1 P2P2 P3P3 P4P4 P3P3 P4P4 P1P1 P2P2 w2w2 b w1w1 b w1w1 w2w2 b a b
36
The communication structure of an MSC (HMSC) P1P1 P3P3 P2P2 M1M1 M2M2 M3M3 P1P1 P3P3 P2P2 An edge exist from a process P i to a process P j exists if there is a communication from P i to P j.
37
Some solutions: Obtain decidability under the following condition [MP99,AY99]: Every HMSCs cycle covers a strongly connected component of the communication graph. An edge exist from a process P i to a process P j if there is a communication from P i to P j. Pattern matching: The specification HMSCs allows any additional gaps [MPS98]. Put limit on message queues [Holzmann].
38
Problem with describing protocols s1s1 t2t2 t1t1 s3s3 s2s2 P1P1 P2P2 P1:snd P1:rcv P2:sndP2:rcv
39
Problem with describing protocols P1P1 P2P2
40
P1P1 P2P2
41
P1P1 P2P2
42
P1P1 P2P2
43
P1P1 P2P2
44
P1P1 P2P2
45
Solution: Compositional HMSCs P1P1 P2P2 P1P1 P2P2
46
Even emptiness is undecideable! (E 1 +E 2 +…+E m ) + (G 1 +G 2 +…+G m ) + F a a b w3 b a b w2 E3E3 G2G2 F
47
Left closed HCMSCs Does not allow unmatched receive event that is not yet matched by a previous unmatched send. HCMSC is realizable if every path is matched. Can be checked in polynomial time using a nondeterministic stack machine.
48
How to check for realizability? What can go wrong? 1. More unmatched receives than sends. 2. The k th unmatched send before a mathced pair, the k th receive after. 3. The k th unmatched send has name C, the k th unmatched receive has name D. How to check with a stack machine for each pair of processes? 1+2: Push a £ for each unmatched send, pop a £ for each unmatched receive. 3: Guess that it’s a name mismatch upon seeing an unmatched send. Ignore further sends. Pop £ as usual for receives, until corresponding receive occurs.
49
Now we can translate finite state protocols to HCMSCs Any finite state protocol can be translated. Trivial translation: any transition in finite state graph makes one HCMSC node, with possibly an unmatched message. This does not give more information than finite state graph. Try to optimize: take some paths.
50
Nexttime: O p P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P2P2 P3P3 p p p The logic TLC [APP] over MSCs. Label events with propositions. Interpret over any execution path of the MSCs (Partial order logic!) Not over the linearizations of the executions.
51
¬O ¬p P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P2P2 P3P3 p p p p p
52
O p P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P2P2 P3P3 p p p
53
P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 p p M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 P1P1 P2P2 P3P3 Until: pUq p q p p p p p pppp q q true U q = <>q
54
P2P2 P1P1 P3P3 M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 p p M1 M2 M3 M4 M5 M6 P1P1 P2P2 P3P3 ¬(trueU¬p) = []p p p p p p p ppppp p p pp p p p p p p p p pp
55
Some specifications [](req --> <> ack) Every request is followed by acknowledge. ¬<>(transA /\ <> (transB /\ <>transA)) Transaction B cannot interfere with transaction A. [](beginA --> O (transA U finishA )) The execution of transaction A is not interrupted by any other event.
56
connectapprove fail report Req_service HMSC linearizations
57
Intuition behind algorithm for Op 2 5 7 3 6 4 8 10 12 11 1 9 M1 M2 M3 M4 M5 M6 P1P2P3 2 3 4 5 6 7 8 9 10 1 12 11 Aut. with 2 successors relations. There are two cases: - p holds for matching receive. Then use 2nd successor rel. - p holds for successor in proc. Then wait to see event of same process. Intersect: System autom. (linearizations) Property autom. (of ¬ prop ) 2 3 4 5 6 7 8 9 10 1 12 11
58
Overview MSC HMSC Finite, one scenario HCMSC Cannot express behavior of some protocols Bounded HMSC Connected communication HMSC Undecidable linear model checking Emptiness undecidable Realizable HCMSC Partial order model checking Finding races Checking realizability
59
Conclusions MSCs and HMSCs are a useful standard in designing protocols. Studying MSCs is based on partial order models such as traces. MSCs and HMSCs behave in a different way than traditional transition systems, based on the interleaving model: challenging problems. The problems of finding races, discords and model checking provide some interesting solutions.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.