Model checking with Message Sequence Charts Doron Peled Collaborators: R. Alur, E. Gunter, G. Holzmann, A. Muscholl, Z. Su Department of Computer Science.


1 Model checking with Message Sequence Charts Doron Peled Collaborators: R. Alur, E. Gunter, G. Holzmann, A. Muscholl, Z. Su Department of Computer Science University of Warwick

2 MSCs An ITU-T standard notation (Recommendation Z.120). Visual and textual forms. Specifies behaviors of communication protocols. Existing algorithms and tools.

3 MSC visual notation [Figure: three process lines P1, P2, P3 exchanging the messages M1 to M6; the same chart is given in textual form on the next slide]

4 MSC textual form (the chart of slide 3 as Z.120 text)
msc MSC;
  inst P1: process Root, P2: process Root, P3: process Root;
  instance P1;
    out M1 to P2;
    in M5 from P2;
    in M6 from P3;
  endinstance;
  instance P2;
    in M1 from P1;
    out M2 to P3;
    out M3 to P3;
    in M4 from P3;
    out M5 to P1;
  endinstance;
  instance P3;
    in M2 from P2;
    in M3 from P2;
    out M4 to P2;
    out M6 to P1;
  endinstance;
endmsc;

5 Partial order semantics [Figure: the MSC of slide 4 drawn as a partial order over its events; each message Mi contributes a send event (s) ordered before its receive event (r)]

6 HMSCs [Figure: a High-level MSC, a graph whose nodes are basic MSCs over P1, P2, P3 with the messages connect, approve, fail, req_service and report]

7 An execution: infinite or maximal. [Figure: the HMSC of slide 6 with its nodes named A, B, C, D.] An execution is a path through the HMSC graph that is either infinite or maximal (it cannot be extended). Example execution: the node sequence A C A C D, whose messages are connect, fail, req_service, report.

8 Visual semantics Sends before corresponding receives. Events on the same process line execute in order of appearance, from top to bottom.

9 Visual order (wysiwyg) If one event (send or receive) is drawn higher on a process line than another, it comes first. Sends precede their matching receives. [Figure: the MSC of slide 4]

10 Visual order (wysiwyg) [Figure: the visual order of the slide 4 MSC as a partial order over its send (s) and receive (r) events]

11 Causal order and races. Causal order: a send precedes its matching receive; a receive or a send precedes every later send of the same process (a process controls when it sends, but not when a message arrives); two receives on the same process of messages sent by the same process are ordered as their sends were (FIFO). A receive is not causally ordered after an earlier receive from a different sender. [Figure: the MSC of slide 4.] Races: check whether every pair of events ordered by the visual order also appears in the transitive closure of the causal order; a pair that is ordered visually but not causally is a race.

12 Races [Figure: two drawings of the same MSC over P1, P2, P3 and M1 to M6, showing a race: the visual order fixes an order between two receives on one process line that the causal order does not enforce]

13 Finding races [Figure: the MSC of slide 4 beside its causal order.] Rules for the causal order: order between
- a receive and a later send on the same process;
- two sends from the same process;
- a send and its corresponding receive;
- two receives on one process from the same sender (FIFO order).

14 Causal order [Figure: the causal order of the slide 4 MSC as a partial order over its send (s) and receive (r) events; compare with the visual order of slide 10]

15 Calculating the transitive closure. Structure (E, R): E is the set of events, R ⊆ E × E. R* is the transitive closure, defined as follows: a R* b if there is a sequence x1 x2 ... xn with a = x1, b = xn, and xi R xi+1 for 1 ≤ i < n. Complexity: cubic in general (e.g. Warshall's algorithm). In our case quadratic: every event has at most two immediate successors (the next event on its process line and, for a send, the matching receive), so a graph search from each event costs O(|E|).
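As an added example (my code, not code from the talk or from the authors' tools), here is the race check of slides 11, 13 and 15 in Python, run on the MSC of slide 4. The rules for the visual and causal orders are the slides'; the input encoding, the event names ('s'/'r' plus message name) and the closure-by-search implementation are my choices.

```python
# Constructed input (not from the talk's tools): the MSC of slide 4.
# Each process line lists its events top to bottom as (kind, message, peer),
# where kind is "out" (send) or "in" (receive).
MSC = {
    "P1": [("out", "M1", "P2"), ("in", "M5", "P2"), ("in", "M6", "P3")],
    "P2": [("in", "M1", "P1"), ("out", "M2", "P3"), ("out", "M3", "P3"),
           ("in", "M4", "P3"), ("out", "M5", "P1")],
    "P3": [("in", "M2", "P2"), ("in", "M3", "P2"), ("out", "M4", "P2"),
           ("out", "M6", "P1")],
}


def event_lines(msc):
    """Per-process event lists; an event is ('s'|'r', message)."""
    return {proc: [("s" if kind == "out" else "r", m) for kind, m, _ in rows]
            for proc, rows in msc.items()}


def visual_edges(lines):
    """Slides 8-9: top-to-bottom on each line; a send before its receive."""
    edges = set()
    for evs in lines.values():
        edges.update(zip(evs, evs[1:]))
        edges.update((e, ("r", e[1])) for e in evs if e[0] == "s")
    return edges


def causal_edges(lines):
    """Slides 11/13: a send before its receive; every event before any later
    send on its own line; FIFO between two receives on one line whose
    messages come from the same sender. A receive is NOT ordered after an
    earlier receive from a different sender: that is where races hide."""
    edges = set()
    sender = {}  # message -> (sending process, position on its line)
    for proc, evs in lines.items():
        for i, e in enumerate(evs):
            if e[0] == "s":
                sender[e[1]] = (proc, i)
                edges.add((e, ("r", e[1])))
    for evs in lines.values():
        for i, e in enumerate(evs):
            edges.update((e, later) for later in evs[i + 1:] if later[0] == "s")
        recvs = [e for e in evs if e[0] == "r"]
        for a in recvs:
            for b in recvs:
                (pa, ia), (pb, ib) = sender[a[1]], sender[b[1]]
                if pa == pb and ia < ib:
                    edges.add((a, b))
    return edges


def transitive_closure(nodes, edges):
    """R* of slide 15 as a set of pairs: one graph search per event, which is
    O(|E| * |R|); quadratic here since every event has at most 2 successors."""
    succ = {n: set() for n in nodes}
    for a, b in edges:
        succ[a].add(b)
    closure = set()
    for start in nodes:
        stack, seen = [start], set()
        while stack:
            for y in succ[stack.pop()]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        closure.update((start, y) for y in seen)
    return closure


def find_races(msc):
    """Event pairs ordered by the visual order but not by the causal order."""
    lines = event_lines(msc)
    nodes = [e for evs in lines.values() for e in evs]
    vis = transitive_closure(nodes, visual_edges(lines))
    caus = transitive_closure(nodes, causal_edges(lines))
    return sorted(vis - caus)
```

On the slide 4 chart this reports three pairs, all ending in the receive of M6 on P1: M5 (from P2) and M6 (from P3) are drawn in that order, but nothing forces P2's send of M5 to happen before P3's send of M6, so the two messages can arrive at P1 in either order; by transitivity the events on P2 that precede the send of M5 are likewise unordered with respect to the receive of M6.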

16 Can also deal with time. [Figure: a timed MSC on P1, P2 with the interval constraints [2,4], [3,5], [2,3] and [7,10] between events.] Use time-difference matrices.

17 Races in HMSCs: definition. For each execution Ex of an HMSC M, define lin_vis(Ex), the linearizations of the visual order of Ex, and lin_caus(Ex), the linearizations of its causal order. Extend to all executions: lin_vis(M) = ∪_Ex lin_vis(Ex) and lin_caus(M) = ∪_Ex lin_caus(Ex). Always lin_vis(Ex) ⊆ lin_caus(Ex), because the causal order is the weaker of the two. Races: when lin_vis(Ex) ≠ lin_caus(Ex).

18 Mazurkiewicz traces. Alphabet {a, b, c}. Independence: a I b, b I c. Equivalence classes of words, denoted by representatives: [aabb] = [abba]. Regular trace languages can be defined using concatenation, star, union and intersection. Note: [ab]* is not recognizable by a finite automaton, since with a I b it contains every word with equally many a's and b's.
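An added example (mine, not from the talk) of what "equivalence class of words" means computationally, for slide 18 and for the reduction of slide 21: two words denote the same trace exactly when their projections onto every dependent pair of letters agree, which is a cheap test, whereas enumerating a class by commuting adjacent independent letters is exponential. The independence relation is a parameter, so the same test models the slide 21 observation that two receives on one process line are dependent under the visual semantics and independent under the causal one. The alphabet, the independence relation and the function names are my choices.

```python
def dependent_pairs(alphabet, independence):
    """The dependence relation D = (Sigma x Sigma) minus I, as unordered
    pairs; it includes every (a, a), since a letter never commutes with itself."""
    ind = {frozenset(p) for p in independence}
    return [(a, b) for a in alphabet for b in alphabet
            if a <= b and frozenset((a, b)) not in ind]


def project(word, a, b):
    """Erase every letter other than a and b."""
    return "".join(ch for ch in word if ch in (a, b))


def trace_equivalent(u, v, alphabet, independence):
    """u and v denote the same trace iff they agree on the projection to
    every dependent pair of letters (the pairs (a, a) compare letter counts)."""
    return all(project(u, a, b) == project(v, a, b)
               for a, b in dependent_pairs(alphabet, independence))


def trace_class(word, independence):
    """Every word reachable from `word` by swapping adjacent independent
    letters, i.e. the equivalence class [word]. Exponential in general,
    which is why the projection test above is the way to decide equivalence."""
    ind = {frozenset(p) for p in independence}
    seen, stack = {word}, [word]
    while stack:
        w = stack.pop()
        for i in range(len(w) - 1):
            if w[i] != w[i + 1] and frozenset((w[i], w[i + 1])) in ind:
                v = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
    return seen
```

With the slide's alphabet and independence, [aabb] = [abba] holds and abc is equivalent to bac (a and b commute) but not to cba (a and c do not).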

19 Visual concatenation [Figure: the HMSC nodes A, B, C, D and, beside them, the single MSC over P1, P2, P3 obtained by concatenating the nodes along a path, with the messages connect, fail, report, approve, connect, fail, report.] An execution is the concatenation of the MSCs along a maximal path in the HMSC.

20 Other problems: global decision. [Figure: two alternative MSCs M1 and M2 over P1, P2, with the question M1 + M2 = ?] What if one process starts to behave according to M1 and the other according to M2? The choice between the alternatives of an HMSC node is global, but each process can only decide locally.

21 Races for HMSCs: undecidable [MP99]. Translate to the language theory of traces, which are closed with respect to commuting certain pairs of letters. Intuition: moving from the visual to the causal semantics introduces more commutations: two receives on the same process line (from different processes) are dependent under the visual order and independent under the causal order. Reduction to universality of trace languages (the letters that are independent under the causal semantics may be commuted). [Figure: a language L and the letters that are independent on either side of it]

22 Model checking. Either write both the specification and the system as HMSCs and use concatenation, or write the specification in LTL and interpret it over the linearizations of the partial orders. In both cases: undecidable.

23 Post Correspondence Problem. List of pairs: w1 = (aab, aa), w2 = (aba, ab), ..., wn = (a, bb). Want to find whether there is a sequence of indexes i1, i2, ..., ik such that concatenating the left-hand words and concatenating the right-hand words gives the same string. Suppose we take the indexes 1, 2, n, 1. We get: left-hand: aab aba a aab; right-hand: aa ab bb aa (these differ, so this index sequence is not a solution).
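An added example (my code, not the talk's) that makes the problem of slide 23 concrete: build the two concatenations for an index sequence, and search breadth-first for a matching sequence. The slide's list of pairs is taken with n = 3; the second instance, with the solution 3, 2, 3, 1, is a small textbook one I constructed for the test. Since PCP is undecidable, the bound max_len is an assumption of mine and a None result means only that nothing was found within the bound.

```python
from collections import deque

# Constructed instances. SLIDE is the list of pairs from slide 23 with n = 3;
# SOLVABLE is a small instance that has the solution 3, 2, 3, 1.
SLIDE = [("aab", "aa"), ("aba", "ab"), ("a", "bb")]
SOLVABLE = [("a", "baa"), ("ab", "aa"), ("bba", "bb")]


def concatenate(pairs, indexes):
    """Left-hand and right-hand strings for a 1-based index sequence."""
    return ("".join(pairs[i - 1][0] for i in indexes),
            "".join(pairs[i - 1][1] for i in indexes))


def pcp_solve(pairs, max_len=12):
    """Breadth-first search for a shortest index sequence whose two
    concatenations agree, pruning any partial sequence where neither side
    is a prefix of the other (it can never be completed). Returns the
    1-based index list, or None if nothing is found up to max_len; None is
    NOT a proof that no solution exists, PCP being undecidable."""
    queue = deque([((), "", "")])
    while queue:
        idx, left, right = queue.popleft()
        if idx and left == right:
            return list(idx)
        if len(idx) == max_len:
            continue
        for i, (l, r) in enumerate(pairs, 1):
            nl, nr = left + l, right + r
            if nl.startswith(nr) or nr.startswith(nl):
                queue.append((idx + (i,), nl, nr))
    return None
```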

24 PCP reduction [Figure: an HMSC over the processes P1 to P6 built from a PCP instance such as (aab, bb), (ab, bab), ...; one part of the chart spells out the words w1, w2, ... (word match), another checks the letters a, b one at a time (letter match)]

25 Some solutions. Decidability is obtained under the following condition [MP99, AY99]: every cycle of the HMSC covers a strongly connected component of the communication graph, where an edge exists from a process Pi to a process Pj if there is a communication from Pi to Pj. Alternatively: the specification HMSC allows arbitrary additional gaps [MPS98]. Or: put a bound on the message queues [Holzmann].

26 Problem with describing protocols [Figure: a finite-state protocol on P1, P2 with states s1, s2, s3 and t1, t2 and the transitions P1:snd, P1:rcv, P2:snd, P2:rcv]

27-32 Problem with describing protocols [Figures: successive executions of the protocol of slide 26 drawn as MSCs on P1 and P2; the executions do not decompose into nodes whose messages are all matched, which is what an HMSC requires]

33 Solution: Compositional HMSCs (CHMSCs). A node may contain unmatched sends and receives, which are matched across nodes along a path. [Figure: the protocol of slide 26 as a CHMSC over P1, P2]

34 Even emptiness is undecidable! [Figure: a CHMSC of the form (E1 + E2 + ... + Em)+ (G1 + G2 + ... + Gm)+ F built from a PCP instance; the nodes Ei and Gi spell out the letters a, b of the words wi (the figure shows E3 for w3 and G2 for w2) and F matches them]

35 Left-closed CHMSCs. An unmatched receive event is not allowed unless it is matched by a previous unmatched send. A CHMSC is realizable if every path is matched. This can be checked in polynomial time using a nondeterministic stack machine.

36 How to check for realizability? What can go wrong? 1. More unmatched receives than sends. 2. The k-th unmatched send comes before a matched pair on the same channel, and the k-th unmatched receive comes after it. 3. The k-th unmatched send has name C, the k-th unmatched receive has name D. How to check with a stack machine, for each pair of processes? 1 + 2: push a token for each unmatched send, pop a token for each unmatched receive. 3: guess that it is a name mismatch upon seeing an unmatched send; ignore further sends; pop tokens as usual for receives, until the corresponding receive occurs.
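An added example (mine, not the talk's) of the three failure kinds of slide 36 on a single path: for every ordered pair of processes, the k-th receive on the channel must correspond to the k-th send. It checks one given path, so it needs no stack or guessing; the nondeterministic stack machine of slides 35 and 36 is what handles all paths of the graph at once. The input encoding (events per process line, with a pair id for a send and receive matched inside one node and None for an unmatched event) and the problem descriptions are my choices.

```python
# Constructed input: the events of one path through a CHMSC, concatenated
# per process line. An event is (kind, message, peer, pair): kind is "out"
# or "in", peer is the other process, and pair identifies the send and the
# receive of a message matched inside one node; pair is None for an
# unmatched event that must find its partner in another node of the path.
GOOD = {
    "P1": [("out", "C", "P2", None), ("out", "M2", "P2", "m2"), ("in", "D", "P2", None)],
    "P2": [("in", "C", "P1", None), ("in", "M2", "P1", "m2"), ("out", "D", "P1", None)],
}


def check_path(lines):
    """Per channel (slide 36: one check per ordered pair of processes), the
    k-th receive must correspond to the k-th send. Returns a list of
    (channel, problem); an empty list means the path is matched."""
    problems = []
    for src in lines:
        for dst in lines:
            if src == dst:
                continue
            chan = f"{src}->{dst}"
            sends = [e for e in lines[src] if e[0] == "out" and e[2] == dst]
            recvs = [e for e in lines[dst] if e[0] == "in" and e[2] == src]
            for k, r in enumerate(recvs):
                if k >= len(sends):  # failure 1 of slide 36
                    problems.append((chan, "more unmatched receives than sends"))
                    break
                s = sends[k]
                if (s[3] is None) != (r[3] is None):  # failure 2
                    problems.append((chan, "unmatched message overtakes a matched pair"))
                    break
                if s[3] is None and s[1] != r[1]:  # failure 3
                    problems.append((chan, f"name mismatch: sent {s[1]}, received {r[1]}"))
                    break
                if s[3] is not None and s[3] != r[3]:  # two matched pairs out of FIFO order
                    problems.append((chan, "FIFO order broken between matched pairs"))
                    break
            else:
                if len(sends) > len(recvs):  # a finite path that leaves a send dangling
                    problems.append((chan, "unmatched send never received"))
    return problems
```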

37 Now we can translate finite-state protocols to CHMSCs. Any finite-state protocol can be translated. Trivial translation: every transition of the finite-state graph becomes one CHMSC node, with possibly an unmatched message. This gives no more information than the finite-state graph. Try to optimize: take some paths. Break the graph into cycle-free paths (e.g., using DFS and back edges). Use partial-order reduction (sleep sets) to minimize the number of paths.

38 [Figure: the MSC of slide 4 over P1, P2, P3 and M1 to M6, used in the following slides to illustrate the logic TLC]

39 Nexttime: O p. The logic TLC [APP] over MSCs: label events with propositions. [Figure: the MSC of slide 4 beside its partial order, with the events at which p holds marked]

40 ¬O ¬p [Figure: the same MSC and partial order, with the events at which p holds marked]

41 O p [Figure: the same MSC and partial order, with the events at which p holds marked]

42 Until: p U q [Figure: the same MSC and partial order, with the events at which p and q hold marked.] true U q = <>q

43 ¬(true U ¬p) = []p [Figure: the same MSC and partial order, with p holding at every event]

44 Some specifications. [](req --> <>ack): every request is followed by an acknowledge. ¬<>(transA /\ <>(transB /\ <>transA)): transaction B cannot interfere with transaction A. [](beginA --> O(transA U finishA)): the execution of transaction A is not interrupted by any other event.
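An added example (my code, not the talk's TLC implementation) that evaluates formulas in the style of slides 39 to 44 over the partial order of the slide 4 MSC, using the two successor relations described on slide 46. The semantics are my reading of the slides and are assumptions: O f holds at an event if f holds at some immediate successor, f U g holds if some forward path reaches g with f holding before it (so <>f = true U f and []f = ¬(true U ¬f) as on slides 42 and 43), and an MSC satisfies a formula if the formula holds at every minimal event. The successor table, the propositions req and ack and their placement are constructed.

```python
# Constructed input: the immediate-successor relation of the slide 4 MSC.
# Events are ('s'|'r', message); each event's successors are the next event
# on its process line and, for a send, the matching receive (the two
# successor relations of slide 46).
SUCC = {
    ("s", "M1"): {("r", "M5"), ("r", "M1")},
    ("r", "M5"): {("r", "M6")},
    ("r", "M6"): set(),
    ("r", "M1"): {("s", "M2")},
    ("s", "M2"): {("s", "M3"), ("r", "M2")},
    ("s", "M3"): {("r", "M4"), ("r", "M3")},
    ("r", "M4"): {("s", "M5")},
    ("s", "M5"): {("r", "M5")},
    ("r", "M2"): {("r", "M3")},
    ("r", "M3"): {("s", "M4")},
    ("s", "M4"): {("s", "M6"), ("r", "M4")},
    ("s", "M6"): {("r", "M6")},
}

# Constructed labelling: P1's first send is a request, P2's send of M5 the ack.
LABELS = {("s", "M1"): {"req"}, ("s", "M5"): {"ack"}}

# Formulas are nested tuples; derived operators as on slides 42-43.
TRUE = ("true",)
def prop(name): return ("prop", name)
def neg(f): return ("not", f)
def implies(f, g): return ("or", ("not", f), g)
def nxt(f): return ("next", f)
def until(f, g): return ("until", f, g)
def eventually(f): return until(TRUE, f)          # <>f = true U f
def always(f): return neg(eventually(neg(f)))     # []f = not(true U not f)


def sat(formula, succ, labels):
    """Set of events at which the formula holds (assumed semantics: O is
    existential over immediate successors, U is existential over forward
    paths along the successor relation; g may hold immediately)."""
    nodes = set(succ)
    op = formula[0]
    if op == "true":
        return nodes
    if op == "prop":
        return {e for e in nodes if formula[1] in labels.get(e, ())}
    if op == "not":
        return nodes - sat(formula[1], succ, labels)
    if op == "or":
        return sat(formula[1], succ, labels) | sat(formula[2], succ, labels)
    if op == "next":
        s = sat(formula[1], succ, labels)
        return {e for e in nodes if succ[e] & s}
    if op == "until":
        p, q = sat(formula[1], succ, labels), sat(formula[2], succ, labels)
        result = set(q)
        while True:  # least fixpoint: extend backwards through p-events
            new = {e for e in p - result if succ[e] & result}
            if not new:
                return result
            result |= new
    raise ValueError(f"unknown operator {op}")


def holds(formula, succ=SUCC, labels=LABELS):
    """Assumption: an MSC satisfies a formula if it holds at every minimal
    event (the events with no predecessor in the partial order)."""
    has_pred = {x for targets in succ.values() for x in targets}
    minimal = [e for e in succ if e not in has_pred]
    s = sat(formula, succ, labels)
    return all(e in s for e in minimal)


# The first specification of slide 44 holds on this labelling; the stricter
# requirement that the ack be an immediate successor of the request does not.
REQ_EVENTUALLY_ACK = always(implies(prop("req"), eventually(prop("ack"))))
REQ_NEXT_ACK = always(implies(prop("req"), nxt(prop("ack"))))
```

The only minimal event of this chart is P1's send of M1, so []f at that event means f at every event of the chart; the until operator is computed as a backward least fixpoint over the successor relation, which is the partial-order analogue of the usual EU computation.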

45 HMSC linearizations [Figure: the HMSC of slide 6 with the messages connect, approve, fail, report, req_service, and its linearizations]

46 Intuition behind the algorithm for O p. [Figure: the MSC of slide 4 with its twelve events numbered in the order of one linearization.] The property automaton runs over linearizations but follows the two successor relations of the partial order. There are two cases for O p at an event: p holds at the matching receive, then the automaton uses the second (message) successor relation; p holds at the next event of the same process, then the automaton waits until it sees the next event of that process. Model checking intersects the system automaton (the linearizations) with the property automaton (of ¬prop).

47 Overview [Figure: a diagram relating the notations.]
- MSC: finite, one scenario; finding races.
- HMSC: linear (LTL) model checking undecidable; partial-order model checking with TLC.
- Bounded HMSC, HMSC with connected communication: the decidable restrictions.
- CHMSC: needed because an HMSC cannot express the behavior of some protocols; emptiness undecidable.
- Realizable CHMSC: checking realizability.

48 Conclusions. Visual notations have advantages over textual representations. MSC is a standard for describing concurrent interactions. MSCs are based on partial-order semantics. MSCs raise many interesting research problems, e.g., race conditions. Model checking for MSCs is undecidable [GP, AY]. TLC model checking is based on partial-order semantics and is decidable. Some extensions to the MSC standard are useful, e.g., CHMSCs, LSCs.

