Advertisement

Checking Deadlock-Freedom of Parametric Component-Based Systems

  • Marius Bozga
  • Radu IosifEmail author
  • Joseph Sifakis
Open Access
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11428)

Abstract

We propose an automated method for computing inductive invariants used to proving deadlock freedom of parametric component-based systems. The method generalizes the approach for computing structural trap invariants from bounded to parametric systems with general architectures. It symbolically extracts trap invariants from interaction formulae defining the system architecture. The paper presents the theoretical foundations of the method, including new results for the first order monadic logic and proves its soundness. It also reports on a preliminary experimental evaluation on several textbook examples.

Modern computing systems exhibit dynamic and reconfigurable behavior. To tackle the complexity of such systems, engineers extensively use architectures that enforce, by construction, essential properties, such as fault tolerance or mutual exclusion. Architectures can be viewed as parametric operators that take as arguments instances of components of given types and enforce a characteristic property. For instance, client-server architectures enforce atomicity and resilience of transactions, for any numbers of clients and servers. Similarly, token-ring architectures enforce mutual exclusion between any number of components in the ring.

Parametric verification is an extremely relevant and challenging problem in systems engineering. In contrast to the verification of bounded systems, consisting of a known set of components, there exist no general methods and tools succesfully applied to parametric systems. Verification problems for very simple parametric systems, even with finite-state components, are typically intractable [10, 16]. Most work in this area puts emphasis on limitations determined mainly by three criteria (1) the topology of the architecture, (2) the coordination primitives, and (3) the properties to be verified.

The main decidability results reduce parametric verification to the verification of a bounded number of instances of finite state components. Several methods try to determine a cut-off size of the system, i.e. the minimal size for which if a property holds, then it holds for any size, e.g. Suzuki [20], Emerson and Namjoshi [15]. Other methods identify systems with well-structured transition relations, for which symbolic enumeration of reachable states is feasible [1] or reduce to known decidable problems, such as reachability in vector addition systems [16]. Typically, these methods apply to systems with global coordination. When theoretical decidability is not of concern, semi-algorithmic techniques such as regular model checking [2, 17], SMT-based bounded model checking [3, 14], abstraction [8, 11] and automata learning [13] can be used to deal with more general classes of The interested reader can find a complete survey on parameterized model checking by Bloem et al. [10].

This paper takes a different angle of attack to the verification problem, seeking generality of the type of parametric systems and focusing on the verification of a particular but essential property: deadlock-freedom. The aim is to come up with effective methods for checking deadlock-freedom, by overcoming the complexity blowup stemming from the effective generation of reachability sets. We briefly describe our approach below.

A system is the composition of a finite number of component instances of given types, using interactions that follow the Behaviour-Interaction-Priorities (BIP) paradigm [7]. To simplify the technical part, we assume that components and interactions are finite abstractions of real-life systems. An instance is a finite-state transition system whose edges are labeled by ports. The instances communicate synchronously via a number of simultaneous interactions involving a set of ports each, such that no data is exchanged during interactions. If the number of instances in the system is fixed and known in advance, we say that the system is bounded, otherwise it is parametric.
Fig. 1.

Mutual exclusion example

For instance, the bounded system in Fig. 1a consist of component types Semaphore, with one instance, and Task, with two instances. A semaphore goes from the free state r to the taken state s by an acquire action a, and viceversa from s to r by a release action e. A task goes from waiting w to busy u by action b and viceversa, by action f. For the bounded system in Fig. 1a, the interactions are \(\{ a,b_1 \}, \{ a,b_2 \}, \{ e,f_1 \}\) and \(\{ e,f_2 \}\), depicted with dashed lines. Since the number of instances is known in advance, we can view an interaction as a minimal satisfying valuation of the boolean formula \(\varGamma = (a\wedge b_1) \vee (a\wedge b_2) \vee (e\wedge f_1) \vee (e\wedge f_2)\), where the port symbols are propositional variables. Because every instance has finitely many states, we can write a boolean formula \(\varDelta = [\lnot r \vee \lnot (w_1 \vee w_2)] \wedge [\lnot s \vee \lnot (u_1 \vee u_2)]\), this time over propositional state variables, which defines the configurations in which all interactions are disabled (deadlock). Proving that no deadlock configuration is reachable from the initial configuration \(r \wedge w_1 \wedge w_2\), requires finding an over-approximation (invariant) I of the reachable configurations, such that the conjunction \(I \wedge \varDelta \) is not satisfiable.

The basic idea of our method, supported by the D-Finder deadlock detection tool [9] for bounded component-based systems, is to compute an invariant straight from the interaction formula, without going through costly abstract fixpoint iterations. The invariants we are looking for are in fact solutions of a system of boolean constraints \(\varTheta ({\varGamma })\), of size linear in the size of \(\varGamma \) (written in DNF). In our example, \(\varTheta ({\varGamma }) = \bigwedge _{i=1,2} (r \vee w_i) \leftrightarrow (s \vee u_i)\). Finding the (minimal) solutions of this constraint can be done, as currently implemented in D-Finder, by exhaustive model enumeration using a SAT solver. Here we propose a more efficient solution, which consists in writing \(\varTheta ({\varGamma })\) in DNF and remove the negative literals from each minterm. In our case, this gives the invariant \(I = (r \vee s) \wedge \bigwedge _{i=1,2} (w_i \vee u_i) \wedge (r \vee u_1 \vee u_2) \wedge (s \vee w_1 \vee w_2)\) and \(I \wedge \varDelta \) is proved unsatisfiable using a SAT solver.

The main contribution of this paper is the generalization of this invariant generation method to the parametric case. To understand the problem, consider the parametric system from Fig. 1, in which a Semaphore interacts with n Tasks, where \(n>0\) is not known in advance. The interactions are described by a fragment of first order logic, in which the ports are either propositional or monadic predicate symbols, in our case \(\varGamma = a \wedge \exists i ~.~ b(i) \vee e \wedge \exists i ~.~ f(i)\). This logic, called Monadic Interaction Logic (\(\mathsf {MIL}\)), is also used to express the constraints \(\varTheta ({\varGamma })\) and compute their solutions. In our case, we obtain \(I = (r \vee s) \wedge [\forall i ~.~ w(i) \vee u(i)] \wedge [r \vee \exists i~.~u(i)] \wedge [s \vee \exists i~.~w(i)]\). As in the bounded case, we can give a parametric description of deadlock configurations \(\varDelta = [\lnot r \vee \lnot \exists i ~.~ w(i)] \wedge [\lnot s \vee \lnot \exists i ~.~ u(i)]\) and prove that \(I \wedge \varDelta \) is unsatisfiable, using the decidability of \(\mathsf {MIL}\), based on an early small model property result due to Löwenheim [19]. In practice, we avoid the model enumeration suggested by this result and check the satisfiability of such queries using a decidable theory of sets with cardinality constraints [18], available in the CVC4 SMT solver [4].

The paper is structured as follows: Sect. 1 presents existing results for checking deadlock-freedom of bounded systems using invariants, Sect. 2 formalizes the approach for computing invariants using \(\mathsf {MIL}\), Sect. 3 introduces cardinality constraints for invariant generation, Sect. 4 presents the integration of the above results within a verification technique for parametric systems and Sect. 5 reports on preliminary experiments carried out with a prototype tool. Finally, Sect. 6 presents concluding remarks and future work directions. For reasons of space, all proofs are given in [12].

1 Bounded Component-Based Systems

A component is a tuple \(\mathcal {C}= \langle \mathsf {P}, \mathsf {S}, {s_0}, \varDelta \rangle \), where \(\mathsf {P}= \{ p,q,r,\ldots \}\) is a finite set of ports, \(\mathsf {S}\) is a finite set of states, \({s_0}\in \mathsf {S}\) is an initial state and \(\varDelta \subseteq \mathsf {S}\times \mathsf {P}\times \mathsf {S}\) is a set of transitions written \(s \xrightarrow {{\scriptscriptstyle p}}_{{\scriptscriptstyle }} s'\). To simplify the technical details, we assume there are no two different transitions with the same port, i.e. if \(s_1 \xrightarrow {{\scriptscriptstyle p_1}}_{{\scriptscriptstyle }} s'_1, s_2 \xrightarrow {{\scriptscriptstyle p_2}}_{{\scriptscriptstyle }} s'_2 \in \varDelta \) and \(s_1 \ne s_2\) or \(s'_1 \ne s'_2\) then \(p_1 \ne p_2\). In general, this restriction can be lifted, at the cost of cluttering the presentation.

A bounded system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}},\varGamma \rangle \) consists of a fixed number (n) of components \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \) and an interaction formula \(\varGamma \), describing the allowed interactions. Since the number of components is known in advance, we write interaction formulae using boolean logic over the set of propositional variables \(\mathsf {BVar}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\bigcup _{k=1}^n({\mathsf {P}}^{\scriptscriptstyle {{k}}} \cup {\mathsf {S}}^{\scriptscriptstyle {{k}}})\). Here we intentionally use the names of states and ports as propositional variables.

A boolean interaction formula is either \(a \in \mathsf {BVar}\), \(f_1 \wedge f_2\) or \(\lnot f_1\), where \(f_i\) are formulae, for \(i=1,2\), respectively. We define the usual shorthands \(f_1 \vee f_2\, {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\lnot (\lnot f_1 \wedge \lnot f_2)\), \(f_1 \rightarrow f_2\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\lnot f_1 \vee f_2\), \(f_1 \leftrightarrow f_2\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,(f_1 \rightarrow f_2) \wedge (f_2 \rightarrow f_1)\). A literal is either a variable or its negation and a minterm is a conjunction of literals. A formula is in disjunctive normal form (DNF) if it is written as \(\bigvee _{i=1}^n\bigwedge _{j=1}^{m_i} \ell _{ij}\), where \(\ell _{ij}\) is a literal. A formula is positive if and only if each variable occurs under an even number of negations, or, equivalently, its DNF forms contains no negative literals. We assume interaction formulae of bounded systems to be always positive.

A Boolean Valuation \(\beta : \mathsf {BVar}\rightarrow \{ \top ,\bot \}\) maps each propositional variable to either true (\(\top \)) or false (\(\bot \)). We write \(\beta \,\models \,f\) if and only if \(f\,=\,\top \), when replacing each boolean variable a with \(\beta (a)\) in f. We say that \(\beta \) is a model of f in this case and write \(f \equiv g\) for \(\mathbf{[\![}f \mathbf{]\!]} = \mathbf{[\![}g \mathbf{]\!]}\), where \(\mathbf{[\![}f \mathbf{]\!]}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\{ \beta \mid \beta \,\models \,f \}\). Given two valuations \(\beta _1\) and \(\beta _2\) we write \(\beta _1 \subseteq \beta _2\) if and only if \(\beta _1(a) = \top \) implies \(\beta _2(a) = \top \), for each variable \(a \in \mathsf {BVar}\). We write \(f \equiv ^{\mathrm {\mu }}g\) for \(\mathbf{[\![}f \mathbf{]\!]}^{\mathrm {\mu }}=\mathbf{[\![}g \mathbf{]\!]}^{\mathrm {\mu }}\), where \(\mathbf{[\![}f \mathbf{]\!]}^{\mathrm {\mu }}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\{ \beta \in \mathbf{[\![}f \mathbf{]\!]} \mid \text { for all } \beta ':~ \beta ' \subseteq \beta \text { and } \beta ' \ne \beta \text { only if } \beta ' \not \in \mathbf{[\![}f \mathbf{]\!]} \}\) is the set of minimal models of f.

1.1 Execution Semantics of Bounded Systems

We use 1-safe marked Petri Nets to define the set of executions of a bounded system. A Petri Net (PN) is a tuple \(N= \langle S,T,E \rangle \), where \(S\) is a set of places, \(T\) is a set of transitions, \(S\cap T= \emptyset \), and \(E\subseteq S\times T\,\cup \,T\times S\) is a set of edges. The elements of \(S\cup T\) are called nodes. For a node n, let Open image in new window , Open image in new window and lift these definitions to sets of nodes, as usual.
Fig. 2.

PN for mutual exclusion

A marking for a PN \(N= \langle S,T,E \rangle \) is a function Open image in new window . A marked Petri net is a pair \(\mathcal {N}=(N,\mathrm {m}_0)\), where \(\mathrm {m}_0\) is the initial marking of \(N= \langle S,T,E \rangle \). We consider that the reader is familiar with the standard execution semantics of a marked PN. A marking \(\mathrm {m}\) is reachable in \(\mathcal {N}\) if and only if there exists a sequence of transitions leading from \(\mathrm {m}_0\) to \(\mathrm {m}\). We denote by \(\mathcal {R}({\mathcal {N}})\) the set of reachable markings of \(\mathcal {N}\). A set of markings \(\mathcal {M}\) is an invariant of \(\mathcal {N}=(N,\mathrm {m}_0)\) if and only if \(\mathrm {m}_0 \in \mathcal {M}\) and \(\mathcal {M}\) is closed under the transitions of \(N\). A marked PN \(\mathcal {N}\) is 1-safe if \(\mathrm {m}(s) \le 1\), for each \(s \in S\) and each \(\mathrm {m}\in \mathcal {R}({\mathcal {N}})\). In the following, we consider only marked PNs that are 1-safe. In this case, any (necessarily finite) set of reachable markings can be defined by a boolean formula, which identifies markings with the induced boolean valuations. A marking \(\mathrm {m}\) is a deadlock if for no transition is enabled in \(\mathrm {m}\) and let \(\mathcal {D}({\mathcal {N}})\) be the set of deadlocks of \(N\). A marked PN \(\mathcal {N}\) is deadlock-free if and only if \(\mathcal {R}({\mathcal {N}}) \cap \mathcal {D}({\mathcal {N}}) = \emptyset \). A sufficient condition for deadlock freedom is \(\mathcal {M} \cap \mathcal {D}({\mathcal {N}}) = \emptyset \), for some invariant \(\mathcal {M}\) of \(\mathcal {N}\).

In the rest of this section, we fix a bounded system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}},\varGamma \rangle \), where \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \), for all \(k \in [1,n]\) and \(\varGamma \) is a positive boolean formula, over propositional variables denoting ports. The set of executions of \(\mathcal {S}\) is given by the 1-safe marked PN \(\mathcal {N}_\mathcal {S}= (N,\mathrm {m}_0)\), where \(N=(\bigcup _{i=1}^n {\mathsf {S}}^{\scriptscriptstyle {{i}}},T,E)\), \(\mathrm {m}_0(s)=1\) if and only if \(s \in \{ {{s_0}}^{\scriptscriptstyle {{i}}} \mid i\in [1,n] \}\) and \(T\), \(E\) are as follows. For each minimal model \(\beta \in \mathbf{[\![}\varGamma \mathbf{]\!]}^{\mathrm {\mu }}\), we have a transition \(\mathfrak {t}_\beta \in T\) and edges \((s_i, \mathfrak {t}_\beta ), (\mathfrak {t}_\beta , s'_i) \in E\), for all \(i \in [1,n]\) such that \(s_i \xrightarrow {{\scriptscriptstyle p_i}}_{{\scriptscriptstyle }} s'_i \in {\varDelta }^{\scriptscriptstyle {{i}}}\) and \(\beta (p_i) = \top \). Moreover, nothing else is in T or E.

For example, the marked PN from Fig. 2 describes the set of executions of the bounded system from Fig. 1a. Note that each transition of the PN corresponds to a minimal model of the interaction formula \(\varGamma = a\wedge b_1 \vee a\wedge b_2 \vee e\wedge f_1 \vee e\wedge f_2\), or equivalently, to the set of (necessarily positive) literals of some minterm in the DNF of \(\varGamma \).

1.2 Proving Deadlock Freedom of Bounded Systems

A bounded system \(\mathcal {S}\) is deadlock-free if and only if its corresponding marked PN \(\mathcal {N}_\mathcal {S}\) is deadlock-free. In the following, we prove deadlock-freedom of a bounded system, by defining a class of invariants that are particularly useful for excluding unreachable deadlock markings.

Given a Petri Net \(N= (S, T, E)\), a set of places \(W \subseteq S\) is called a trap if and only if Open image in new window . A trap W of \(N\) is a marked trap of the marked PN \(\mathcal {N}= (N,\mathrm {m}_0)\) if and only if \(\mathrm {m}_0(s)=\top \) for some \(s \in W\). A minimal marked trap is a marked trap such that none of its strict subsets is a marked trap. A marked trap defines an invariant of the PN because some place in the trap will always be marked, no matter which transition is fired. The trap invariant of \(\mathcal {N}\) is the least set of markings that mark each trap of \(\mathcal {N}\). Clearly, the trap invariant of \(\mathcal {N}\) subsumes the set of reachable markings of \(\mathcal {N}\), because the latter is the least invariant of \(\mathcal {N}\) and invariants are closed under intersection1.

Lemma 1

Given a bounded system \(\mathcal {S}\), the boolean formula:
$$\begin{array}{c} Trap ({\mathcal {N}_\mathcal {S}})\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\bigwedge \{ \mathop {\bigvee }\nolimits _{i=1}^k s_i \mid \{ s_1,\ldots ,s_k \} \text { is a marked trap of } \mathcal {N}_\mathcal {S} \} \end{array}$$
defines an invariant of \(\mathcal {N}_\mathcal {S}\).
Next, we describe a method of computing trap invariants that does not explicitly enumerate all the marked traps of a marked PN. First, we consider a trap constraint \(\varTheta ({\varGamma })\), derived from the interaction formula \(\varGamma \), in linear time. By slight abuse of notation, we define, for a given port \(p \in {\mathsf {P}}^{\scriptscriptstyle {{i}}}\) of the component \({\mathcal {C}}^{\scriptscriptstyle {{i}}}\), for some \(i \in [1,n]\), the pre- and post-state of p in \({\mathcal {C}}^{\scriptscriptstyle {{i}}}\) as Open image in new window and \({p}^\bullet \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,s'\), where \(s \xrightarrow {{\scriptscriptstyle p}}_{{\scriptscriptstyle }} s'\) is the unique rule2 involving p in \({\varDelta }^{\scriptscriptstyle {{i}}}\), and Open image in new window if there is no such rule. Assuming that the interaction formula is written in DNF as \(\varGamma = \bigvee _{k=1}^N\bigwedge _{\ell =1}^{M_k} p_{k\ell }\), we define the trap constraint:It is not hard to show3 that any satisfying valuation of \(\varTheta ({\varGamma })\) defines a trap of \(\mathcal {N}_\mathcal {S}\) and, moreover, any such trap is defined in this way. We also consider the formula \( Init ({\mathcal {S}}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigvee _{k=1}^n {s_0}^{\scriptscriptstyle {{k}}}\) defining the set of initially marked places of \(\mathcal {S}\), and prove the following:

Lemma 2

Let \(\mathcal {S}\) be a bounded system with interaction formula \(\varGamma \) and \(\beta \) be a boolean valuation. Then \(\beta \in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}\) iff \(\{ s \mid \beta (s) = \top \}\) is a marked trap of \(\mathcal {N}_\mathcal {S}\). Moreover, \(\beta \in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\) iff \(\{ s \mid \beta (s) = \top \}\) is a minimal marked trap of \(\mathcal {N}_\mathcal {S}\).

Because \(\varTheta ({\varGamma })\) and \( Init ({\mathcal {S}})\) are boolean formulae, it is, in principle, possible to compute the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) by enumerating the (minimal) models of \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) and applying the definition from Lemma 1. However, model enumeration is inefficient and, moreover, does not admit generalization for the parametric case, in which the size of the system is unknown. For these reasons, we prefer a computation of the trap invariant, based on two symbolic transformations of boolean formulae, described next.

For a formula f we denote by \({f}^+\) the positive formula obtained by deleting all negative literals from the DNF of f. We shall call this operation positivation. Second, for a positive boolean formula f, we define the dual formula \(\left( {f}\right) ^{\sim }\) recursively on the structure of f, as follows: \(\left( {f_1 \wedge f_2}\right) ^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, {f_1}^{\sim } \vee {f_2}^{\sim }\), \(\left( {f_1 \vee f_2}\right) ^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, {f_1}^{\sim } \wedge {f_2}^{\sim }\) and \({a}^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, a\), for any \(a \in \mathsf {BVar}\). Note that \({f}^{\sim }\) is equivalent to the negation of the formula obtained from f by substituting each variable a with \(\lnot a\) in f.

The following theorem gives the main result of this section, the symbolic computation of the trap invariant of a bounded system, directly from its interaction formula.

Theorem 1

For any bounded system \(\mathcal {S}\), with interaction formula \(\varGamma \), we have:
$$\begin{array}{c} Trap ({\mathcal {N}_\mathcal {S}}) \equiv \left( {{\left[ \varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\right] }^+}\right) ^{\sim } \end{array}$$

Intuitively, any satisfying valuation of \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) defines an initially marked trap of \(\mathcal {N}_\mathcal {S}\) and a minimal such valuation defines a minimal such trap (Lemma 2). Instead of computing the minimal satisfying valuations by model enumeration, we directly cast the above formula in DNF and remove the negative literals. This is essentially because the negative literals do not occur in the propositional definition of a set of places4. Then the dualization of this positive formula yields the trap invariants in CNF, as a conjunction over disjunctions of propositional variables corresponding to the places inside a minimal initially marked trap.

Just as any invariants, trap invariants can be used to prove absence of deadlocks in a bounded system. Assuming, as before, that the interaction formula is given in DNF as \(\varGamma = \bigvee _{k=1}^N\bigwedge _{\ell =1}^{M_k} p_{k\ell }\), we define the set of deadlock markings of \(\mathcal {N}_\mathcal {S}\) by the formula Open image in new window . This is the set of configurations in which all interactions are disabled. With this definition, proving deadlock freedom amounts to proving unsatisfiability of a boolean formula.

Corollary 1

A bounded system \(\mathcal {S}\) with interaction formula \(\varGamma \) is deadlock-free if the boolean formula \(\left( {{[\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})]}^+}\right) ^{\sim } \wedge \varDelta ({\varGamma })\) is unsatisfiable.

2 Parametric Component-Based Systems

From now on we shall focus on parametric systems, consisting of a fixed set of component types \({\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}\), such that the number of instances of each type is not known in advance. These numbers are given by a function Open image in new window , where \(\mathsf {M}(k)\) denotes the number of components of type \({\mathcal {C}}^{\scriptscriptstyle {{k}}}\) that are active in the system. To simplify the technical presentation of the results, we assume that all instances of a component type are created at once, before the system is started5. For the rest of this section, we fix a parametric system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \), where each component type \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \) has the same definition as a component in a bounded system and \(\varGamma \) is an interaction formula, written in the fragment of first order logic, defined next.

2.1 Monadic Interaction Logic

For each component type \({\mathcal {C}}^{\scriptscriptstyle {{k}}}\), where \(k \in [1,n]\), we assume a set of index variables \({\mathsf {Var}}^{\scriptscriptstyle {{k}}}\) and a set of predicate symbols \({\mathsf {Pred}}^{\scriptscriptstyle {{k}}} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, {\mathsf {P}}^{\scriptscriptstyle {{k}}} \cup {\mathsf {S}}^{\scriptscriptstyle {{k}}}\). Similar to the bounded case, we use state and ports names as monadic (unary) predicate symbols. We also define the sets \(\mathsf {Var}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigcup _{k=1}^n {\mathsf {Var}}^{\scriptscriptstyle {{k}}}\) and \(\mathsf {Pred}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigcup _{k=1}^n {\mathsf {Pred}}^{\scriptscriptstyle {{k}}}\). Moreover, we consider that \({\mathsf {Var}}^{\scriptscriptstyle {{k}}} \cap {\mathsf {Var}}^{\scriptscriptstyle {{\ell }}} = \emptyset \) and \({\mathsf {Pred}}^{\scriptscriptstyle {{k}}} \cap {\mathsf {Pred}}^{\scriptscriptstyle {{\ell }}} = \emptyset \), for all \( 1 \le k < \ell \le n\). For simplicity’s sake, we assume that all predicate symbols in \(\mathsf {Pred}\) are of arity one. For component types \({\mathcal {C}}^{\scriptscriptstyle {{k}}}\), such that \(\mathsf {M}(k)=1\) and predicate symbols \(\mathsf {pr}\in {\mathsf {Pred}}^{\scriptscriptstyle {{k}}}\), we shall write \(\mathsf {pr}\) instead of \(\mathsf {pr}(1)\), as in the interaction formula of the system from Fig. 1b. The syntax of the monadic interaction logic (\(\mathsf {MIL}\)) is given below:
$$\begin{array}{rcl} i,j &{} \in &{} \mathsf {Var}~\text { index variables} \\ \phi &{} := &{} i=j \mid \mathsf {pr}(i) \mid \phi _1 \wedge \phi _2 \mid \lnot \phi _1 \mid \exists i ~.~ \phi _1 \end{array}$$
where, for each predicate atom \(\mathsf {pr}(i)\), if \(\mathsf {pr}\in {\mathsf {Pred}}^{\scriptscriptstyle {{k}}}\) and \(i \in {\mathsf {Var}}^{\scriptscriptstyle {{\ell }}}\) then \(k=\ell \). We use the shorthands \(\forall i ~.~ \phi _1 \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \lnot (\exists i ~.~ \lnot \phi _1)\) and \(\mathrm {distinct}(i_1,\ldots ,i_m) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigwedge _{1 \le j < \ell \le m} \lnot i_j = i_\ell \)6. A sentence is a formula in which all variables are in the scope of a quantifier. A formula is positive if each predicate symbol occurs under an even number of negations. The semantics of \(\mathsf {MIL}\) is given in terms of structures \(\mathcal {I}= (\mathfrak {U},\nu ,\iota )\), where:
  • \(\mathfrak {U}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, [1,\max _{k=1}^n \mathsf {M}({k})]\) is the universe of instances, over which variables range,

  • \(\nu : \mathsf {Var}\rightarrow \mathfrak {U}\) is a valuation mapping variables to elements of the universe,

  • \(\iota : \mathsf {Pred}\rightarrow 2^{\mathfrak {U}}\) is an interpretation of predicates as subsets of the universe.

For a structure \(\mathcal {I}= (\mathfrak {U},\nu ,\iota )\) and a formula \(\phi \), the satisfaction relation \(\mathcal {I}\,\models \,\phi \) is defined as:
$$\begin{array}{lclclcll} \mathcal {I}\,\models \,\bot &{} \Leftrightarrow &{} \text {never} &{} &{} \mathcal {I}\,\models \,i=j &{} \Leftrightarrow &{} \nu (i)=\nu (j) \\ \mathcal {I}\,\models \,p(i) &{} \Leftrightarrow &{} \nu (i) \in \iota (p) &{}&{} \mathcal {I}\,\models \,\exists i ~.~ \phi _1 &{} \Leftrightarrow &{} (\mathfrak {U},\nu [i \leftarrow m],\iota )\,\models \,\phi _1 &{} \text { for some }m \in [1,\mathsf {M}({k})] \\ &{}&{}&{}&{}&{}&{}&{} \text { provided that }i \in {\mathsf {Var}}^{\scriptscriptstyle {{k}}} \end{array}$$
where \(\nu [i \leftarrow m]\) is the valuation that acts as \(\nu \), except for i, which is assigned to m. Whenever \(\mathcal {I}\,\models \,\phi \), we say that \(\mathcal {I}\) is a model of \(\phi \). It is known that, if a \(\mathsf {MIL}\) formula has a model, then it has a model with universe of cardinality at most exponential in the size (number of symbols) of the formula [19]. This result, due to Löwenheim, is among the first decidability results for a fragment of first order logic.

Structures are partially ordered by pointwise inclusion, i.e. for \(\mathcal {I}_i=(\mathfrak {U},\nu _i,\iota _i)\), for \(i=1,2\), we write \(\mathcal {I}_1 \subseteq \mathcal {I}_2\) iff \(\iota _1(p) \subseteq \iota _2(p)\), for all \(p \in \mathsf {Pred}\) and \(\mathcal {I}_1 \subset \mathcal {I}_2\) iff \(\mathcal {I}_1 \subseteq \mathcal {I}_2\) and \(\mathcal {I}_1 \ne \mathcal {I}_2\). As before, we define the sets \(\mathbf{[\![}\phi \mathbf{]\!]} = \{ \mathcal {I}\mid \mathcal {I}\,\models \,\phi \}\) and \(\mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }} = \{ \mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]} \mid \forall \mathcal {I}' ~.~ \mathcal {I}' \subset \mathcal {I}\rightarrow \mathcal {I}' \not \in \mathbf{[\![}\phi \mathbf{]\!]} \}\) of models and minimal models of a \(\mathsf {MIL}\) formula, respectively. Given formulae \(\phi _1\) and \(\phi _2\), we write \(\phi _1 \equiv \phi _2\) for \(\mathbf{[\![}\phi _1 \mathbf{]\!]} = \mathbf{[\![}\phi _2 \mathbf{]\!]}\) and \(\phi _1 \equiv ^{\mathrm {\mu }}\phi _2\) for \(\mathbf{[\![}\phi _1 \mathbf{]\!]}^{\mathrm {\mu }} = \mathbf{[\![}\phi _2 \mathbf{]\!]}^{\mathrm {\mu }}\).

2.2 Execution Semantics of Parametric Systems

We consider the interaction formulae of parametric systems to be finite disjunctions of formulae of the form below:
$$\begin{aligned} \begin{array}{c} \exists i_1 \ldots \exists i_\ell \wedge \varphi \wedge \mathop {\bigwedge }\nolimits _{j=1}^\ell p_j(i_j) \wedge \mathop {\bigwedge }\nolimits _{j=\ell +1}^{\ell +m} \forall i_j ~.~ \psi _j \rightarrow p_j(i_j) \end{array} \end{aligned}$$
(1)
where \(\varphi ,\psi _{\ell +1}, \ldots , \psi _{\ell +m}\) are conjunctions of equalities and disequalities involving index variables. Intuitively, the formulae (1) state that there are at most \(\ell \) component instances that engage in a multiparty rendez-vous interaction on ports \(p_1(i_1), \ldots , p_\ell (i_\ell )\), together with a broadcast to the ports \(p_{\ell +1}(i_{\ell +1}), \ldots , p_{\ell +m}(i_{\ell +m})\) of the instances that fulfill the constraints \(\psi _{\ell +1}, \ldots , \psi _{\ell +m}\). Observe that, if \(m=0\), the above formula corresponds to a multiparty (generalized) rendez-vous interaction \(\exists i_1 \ldots \exists i_\ell \wedge \varphi \wedge \bigwedge _{j=1}^\ell p_j(i_j)\). An example of peer-to-peer rendez-vous is the parametric system from Fig. 1. Another example of broadcast is given below.

Example 1

Consider the parametric system obtained from an arbitrary number of Worker components (Fig. 3), where \({\mathcal {C}}^{\scriptscriptstyle {{1}}} = Worker \), \({\mathsf {Var}}^{\scriptscriptstyle {{1}}} = \{ i,i_1,i_2,j \}\) and \({\mathsf {Pred}}^{\scriptscriptstyle {{1}}} = \{ a,b,f,u,w \}\). Any pair of instances can jointly execute the b (begin) action provided all others are taking the a (await) action. Any instance can also execute alone the f (finish) action.
Fig. 3.

Parametric system with broadcast

The execution semantics of a parametric system \(\mathcal {S}\) is the marked PN \(\mathcal {N}_\mathcal {S}= (N,\mathrm {m}_0)\), where \(N = (\bigcup _{k=1}^n {\mathsf {S}}^{\scriptscriptstyle {{k}}} \times [1,\mathsf {M}({k})], T, E)\), \(\mathrm {m}_0(({{s_0}}^{\scriptscriptstyle {{k}}}, i)) = 1\), for all \(k \in [1,n]\) and \(i \in [1,\mathsf {M}({k})]\), and the sets of transitions T and edges E are defined next. For each minimal model \(\mathcal {I}= (\mathfrak {U},\nu ,\iota ) \in \mathbf{[\![}\varGamma \mathbf{]\!]}^{\mathrm {\mu }}\), we have a transition \(\mathfrak {t}_\mathcal {I}\in T\) and the edges \(((s_i,k),\mathfrak {t}_\mathcal {I}), (\mathfrak {t}_\mathcal {I},(s'_i,k)) \in E\) for all \(i \in [1,n]\) such that \(s_i \xrightarrow {{\scriptscriptstyle p_i}}_{{\scriptscriptstyle }} s'_i \in {\varDelta }^{\scriptscriptstyle {{i}}}\) and \(k \in \iota (p_i)\). Moreover, nothing else is in T or E.

As a remark, unlike in the case of bounded systems, the size of the marked PN \(\mathcal {N}_\mathcal {S}\), that describes the execution semantics of a parametric system \(\mathcal {S}\), depends on the maximum number of instances of each component type. The definition of the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) is the same as in the bounded case, except that, in this case, the size of the boolean formula depends on the (unbounded) number of instances in the system. The challenge, addressed in the following, is to define trap invariants using \(\mathsf {MIL}\) formulae of a fixed size.

2.3 Computing Parametric Trap Invariants

To start with, we define the trap constraint of an interaction formula \(\varGamma \) consisting of a finite disjunction of (1) formulae, as a finite conjunction of formulae of the form below:where, for a port \(p \in {\mathsf {P}}^{\scriptscriptstyle {{k}}}\) of some component type \({\mathcal {C}}^{\scriptscriptstyle {{k}}}\), Open image in new window and \({p(i)}^\bullet \) denote the unique predicate atoms s(i) and \(s'(i)\), such that \(s \xrightarrow {{\scriptscriptstyle p}}_{{\scriptscriptstyle }} s' \in {\varDelta }^{\scriptscriptstyle {{k}}}\) is the (unique) transition involving p in \({T}^{\scriptscriptstyle {{k}}}\), or \(\bot \) if there is no such rule.

Example 2

For example, the trap constraint for the parametric (rendez-vous) system in Fig. 1b is \(\forall i. [r \vee w(i)] \rightarrow [s \vee u(i)]~\wedge ~\forall i. [s \vee u(i)]\rightarrow [r \vee u(i)]\). Analogously, the trap constraint for the parametric (broadcast) system in Fig. 3 is:
$$\begin{array}{rl} \forall i_1. \forall i_2. &{} [i_1 \not = i_2 \wedge \left( w(i_1) \vee w(i_2) \vee \exists j. (j\not = i_1 \wedge j\not = i_2 \wedge w(j))\right) ] \rightarrow \\ &{} [i_1 \not = i_2 \wedge \left( u(i_1) \vee u(i_2) \vee \exists j. (j\not = i_1 \wedge j\not = i_2 \wedge w(j))\right) ] \\ \wedge ~ \forall i. &{} u(i) \rightarrow w(i) \end{array} $$

We define a translation of \(\mathsf {MIL}\) formulae into boolean formulae of unbounded size. Given a function Open image in new window , the unfolding of a \(\mathsf {MIL}\) sentence \(\phi \) is the boolean formula \(\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \) obtained by replacing each existential [universal] quantifier \(\exists i ~.~ \psi (i)\) [\(\forall i ~.~ \psi (i)\)], for \(i \in {\mathsf {Var}}^{\scriptscriptstyle {{k}}}\), by a finite disjunction [conjunction] \(\bigvee _{\ell =1}^{\mathsf {M}(k)} \psi [\ell /i]\) [\(\bigwedge _{\ell =1}^{\mathsf {M}(k)} \psi [\ell /i]\)], where the substitution of the constant \(\ell \in \mathsf {M}(k)\) for the variable i is defined recursively as usual, except for \(\mathsf {pr}(i)[\ell /i] \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, (\mathsf {pr},\ell )\), which is a propositional variable. Further, we relate structures to boolean valuations of unbounded sizes. For a structure \(\mathcal {I}= (\mathfrak {U},\nu ,\iota )\) we define the boolean valuation \(\beta _\mathcal {I}((\mathsf {pr},\ell )) = \top \) if and only if \(\ell \in \iota (\mathsf {pr})\), for each predicate symbol \(\mathsf {pr}\) and each integer constant \(\ell \). Conversely, for each valuation \(\beta \) of the propositional variables \((\mathsf {pr},\ell )\), there exists a structure \(\mathcal {I}_\beta = (\mathfrak {U},\nu ,\iota )\) such that \(\iota (\mathsf {pr}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \{ \ell \mid \beta ((\mathsf {pr},\ell ))=\top \}\), for each \(\mathsf {pr}\in \mathsf {Pred}\). The following lemma relates the semantics of \(\mathsf {MIL}\) formulae with that of their boolean unfoldings:

Lemma 3

Given a \(\mathsf {MIL}\) sentence \(\phi \) and a function Open image in new window , the following hold:
  1. 1.

    for each structure \(\mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]}\), we have \(\beta _\mathcal {I}\in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}\) and conversely, for each valuation \(\beta \in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}\), we have \(\mathcal {I}_\beta \in \mathbf{[\![}\phi \mathbf{]\!]}\).

     
  2. 2.

    for each structure \(\mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }}\), we have \(\beta _\mathcal {I}\in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}^{\mathrm {\mu }}\) and conversely, for each valuation \(\beta \in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}^{\mathrm {\mu }}\), we have \(\mathcal {I}_\beta \in \mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }}\).

     

Considering the \(\mathsf {MIL}\) formula \( Init ({\mathcal {S}}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigvee _{k=1}^n \exists i_k ~.~ {{s_0}}^{\scriptscriptstyle {{k}}}(i_k)\), that defines the set of initial configurations of a parametric system \(\mathcal {S}\), the following lemma formalizes the intuition behind the definition of parametric trap constraints:

Lemma 4

Let \(\mathcal {S}\) be a parametric system with interaction formula \(\varGamma \) and \(\mathcal {I}\) be a structure. Then \(\mathcal {I}\,\models \,\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) iff \(\{ (s,k) \mid k \in \iota (s) \}\) is a marked trap of \(\mathcal {N}_{\mathcal {S}}\). Moreover, \(\mathcal {I}\in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\) iff \(\{ (s,k) \mid k \in \iota (s) \}\) is a minimal marked trap of \(\mathcal {N}_{\mathcal {S}}\).

We are currently left with the task of computing a \(\mathsf {MIL}\) formula which defines the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) of a parametric component-based system \(\mathcal {S}=\langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \). The difficulty lies in the fact that the size of \(\mathcal {N}_\mathcal {S}\) and thus, that of the boolean formula \( Trap ({\mathcal {N}_\mathcal {S}})\) depends on the number \(\mathsf {M}({k})\) of instances of each component type \(k \in [1,n]\). As we aim at computing an invariant able to prove safety properties, such as deadlock freedom, independently of how many components are present in the system, we must define the trap invariant using a formula depending exclusively on \(\varGamma \), i.e. not on \(\mathsf {M}\).

Observe first that \( Trap ({\mathcal {N}_\mathcal {S}})\) can be equivalently defined using only the minimal marked traps of \(\mathcal {N}_\mathcal {S}\), which, by Lemma 4, are exactly the sets \(\{ (s,k) \mid k \in \iota (s) \}\), defined by some structure \((\mathfrak {U},\nu ,\iota ) \in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\). Assuming that the set of structures \(\mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\), or an over-approximation of it, can be defined by a positive \(\mathsf {MIL}\) formula, the trap invariant is defined using a generalization of boolean dualisation to predicate logic, defined recursively, as follows:
$$\begin{array}{rclcrclcrclcrcl} \left( {i=j}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \lnot i=j &{}&{} \left( {\phi _1 \vee \phi _2}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} {\phi _1}^{\sim } \wedge {\phi _2}^{\sim } &{}&{} \left( {\exists i~.~ \phi _1}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \forall i~.~ {\phi _1}^{\sim } &{}&{} {p(i)}^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} p(i) \\ \left( {\lnot i=j}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} i=j &{}&{} \left( {\phi _1 \wedge \phi _2}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} {\phi _1}^{\sim } \vee {\phi _2}^{\sim } &{}&{} \left( {\forall i ~.~ \phi _1}\right) ^{\sim } &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \exists i ~.~ {\phi _1}^{\sim } \end{array}$$
The crux of the method is the ability of defining, given an arbitrary \(\mathsf {MIL}\) formula \(\phi \), a positive \(\mathsf {MIL}\) formula \({\phi }^\oplus \) that preserve its minimal models, formally \(\phi \equiv ^{\mathrm {\mu }}{\phi }^\oplus \). Because of quantification over unbounded domains, a \(\mathsf {MIL}\) formula \(\phi \) does not have a disjunctive normal form and thus one cannot define \({\phi }^\oplus \) by simply deleting the negative literals in DNF, as was done for the definition of the positivation operation Open image in new window , in the propositional case. For now we assume that the transformation Open image in new window of monadic predicate formulae into positive formulae preserving minimal models is defined (a detailed presentation of this step is given next in Sect. 3) and close this section with a parametric counterpart of Theorem 1.

Theorem 2

For any parametric system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \), we have
$$\begin{aligned} \begin{array}{c} Trap ({\mathcal {N}_\mathcal {S}}) \equiv \mathrm {B}_{{\mathsf {M}}}\left( {\left( {{(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}))}^\oplus }\right) ^{\sim }}\right) \end{array} \end{aligned}$$

3 Cardinality Constraints

This section is concerned with the definition of a positivation operator Open image in new window for \(\mathsf {MIL}\) sentences, whose only requirements are that \({\phi }^\oplus \) is positive and \(\phi \equiv ^{\mathrm {\mu }}{\phi }^\oplus \). For this purpose, we use a logic of quantifier-free boolean cardinality constraints [4, 18] as an intermediate language, on which the positive formulae are defined. The translation of \(\mathsf {MIL}\) into cardinality constraints is done by an equivalence-preserving quantifier elimination procedure, described in Sect. 3.1. As a byproduct, since the satisfiability of quantifier-free cardinality constraints is \(\mathsf {NP}\)-complete [18] and integrated with SMT [4], we obtain a practical decision procedure for \(\mathsf {MIL}\) that does not use model enumeration, as suggested by the small model property [19]. Finally, the definition of a positive \(\mathsf {MIL}\) formula from a boolean combination of quantifier-free cardinality constraints is given in Sect. 3.2.

We start by giving the definition of cardinality constraints. Given the set of monadic predicate symbols \(\mathsf {Pred}\), a boolean term is generated by the syntax:
$$\begin{aligned} t := \mathsf {pr}\in \mathsf {Pred}\mid \lnot t_1 \mid t_1 \wedge t_2 \mid t_1 \vee t_2 \end{aligned}$$
When there is no risk of confusion, we borrow the terminology of propositional logic and say that a term is in DNF if it is a disjunction of conjunctions (minterms). We also write \(t_1 \rightarrow t_2\) if and only if the implication is valid when \(t_1\) and \(t_2\) are interpreted as boolean formulae, with each predicate symbol viewed as a propositional variable. Two boolean terms \(t_1\) and \(t_2\) are said to be compatible if and only if \(t_1 \wedge t_2\) is satisfiable, when viewed as a boolean formula.
For a boolean term t and a first-order variable \(i \in \mathsf {Var}\), we define the shorthand t(i) recursively, as \((\lnot t_1)(i) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \lnot t_1(i)\), \((t_1 \wedge t_2)(i) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, t_1(i) \wedge t_2(i)\) and \((t_1 \vee t_2)(i) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, t_1(i) \vee t_2(i)\). Given a positive integer Open image in new window and t a boolean term, we define the following cardinality constraints, by \(\mathsf {MIL}\) formulae:
$$\begin{array}{rclcrcl} {\left| {t}\right| } \ge n&\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,&\exists i_1 \ldots \exists i_n ~.~ \mathrm {distinct}(i_1,\ldots ,i_n) \wedge \mathop {\bigwedge }\nolimits _{j=1}^n t(i_j)&&{\left| {t}\right| } \le n&\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,&\lnot ({\left| {t}\right| } \ge n+1) \end{array}$$
We shall further use cardinality constraints with \(n = \infty \), by defining \({\left| {t}\right| } \ge \infty \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bot \) and \({\left| {t}\right| } \le \infty \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \top \). The intuitive semantics of cardinality constraints is formally defined in terms of structures \(\mathcal {I}=(\mathfrak {U},\nu ,\iota )\) by the semantics of monadic predicate logic, given in the previous. For instance, \({\left| {p\wedge q}\right| } \ge 1\) means that the intersection of the sets p and q is not empty, whereas \({\left| {\lnot p}\right| } \le 0\) means that p contains all elements from the universe.

3.1 Quantifier Elimination

Given a sentence \(\phi \), written in \(\mathsf {MIL}\), we build an equivalent boolean combination of cardinality constraints \(\mathrm {qe}({\phi })\), using quantifier elimination. We describe the elimination of a single existential quantifier and the generalization to several existential or universal quantifiers is immediate. Assume that \(\phi = \exists i_1 ~.~ \bigvee _{k \in K} \psi _k(i_1,\ldots ,i_m)\), where K is a finite set of indices and, for each \(k\in K\), \(\psi _k\) is a quantifier-free conjunction of atomic propositions of the form \(i_j=i_\ell \), \(\mathsf {pr}(i_j)\) and their negations, for some \(j,\ell \in [1,m]\). We write, equivalently, \(\phi \equiv \bigvee _{k \in K} \varphi _k \wedge \exists i_1 ~.~ \theta _k(i_1,\ldots ,i_m)\), where \(\varphi _k\) does not contain occurrences of \(i_1\) and \(\theta _k\) is a conjunction of literals of the form \(\mathsf {pr}(i_1)\), \(\lnot \mathsf {pr}(i_1)\), \(i_1 = i_j\) and \(\lnot i_1 = i_j\), for some \(j \in [2,m]\). For each \(k \in K\), we distinguish the following cases:
  1. 1.

    if \(i_1=i_j\) is a consequence of \(\theta _k\), for some \(j>1\), let \(\mathrm {qe}({\exists i_1 ~.~ \theta _k}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \theta _k[i_j/i_1]\).

     
  2. 2.
    else, \(\theta _k = \bigwedge _{j \in J_k} \lnot i_1 = i_j \wedge t_k(i_1)\) for some \(J_k \subseteq [2,m]\) and boolean term \(t_k\), and let:
    $$\begin{array}{rcl} \mathrm {qe}({\exists i_1 ~.~ \theta _k}) &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \mathop {\bigwedge }\nolimits _{J \subseteq J_k} \Big [\mathrm {distinct}\big (\{i_j\}_{j\in J}\big ) \wedge \mathop {\bigwedge }\nolimits _{j \in J} t_k(i_j)\Big ] \rightarrow {\left| {t_k}\right| } \ge {||{J}||}+1 \\ \mathrm {qe}({\phi }) &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \mathop {\bigvee }\nolimits _{k \in K} \varphi _k \wedge \mathrm {qe}({\exists i_1 ~.~ \theta _k}) \end{array}$$
     

Universal quantification is dealt with using the duality \(\mathrm {qe}({\forall i_1 ~.~ \psi }) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \lnot \mathrm {qe}({\exists i_1 ~.~ \lnot \psi })\). For a prenex formula \(\phi = Q_n i_n \ldots Q_1 i_1 ~.~ \psi \), where \(Q_1, \ldots , Q_n \in \{ \exists ,\forall \}\) and \(\psi \) is quantifier-free, we define, recursively \(\mathrm {qe}({\phi }) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \mathrm {qe}({Q_n i_n ~.~ \mathrm {qe}({Q_{n-1} i_{n-1} \ldots Q_1 i_1 ~.~ \psi })})\). It is easy to see that, if \(\phi \) is a sentence, \(\mathrm {qe}({\phi })\) is a boolean combination of cardinality constraints. The correctness of the construction is a consequence of the following lemma:

Lemma 5

Given a \(\mathsf {MIL}\) formula \(\phi =Q_n i_n \ldots Q_i i_1 ~.~ \psi \), where \(Q_1, \ldots , Q_n \in \{ \forall ,\exists \}\) and \(\psi \) is a quantifier-free conjunction of equality and predicate atoms, we have \(\phi \equiv \mathrm {qe}({\phi })\).

Example 3

(contd. from Example 2) Below we show the results of quantifier elimination applied to the conjunction \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) for the system in Fig. 1b:
$$\begin{array}{c} (\lnot r \wedge \lnot s \wedge |w \wedge \lnot u| \le 0 \wedge |u \wedge \lnot w|\le 0 \wedge 1 \le |w|) ~\vee \\ (\lnot r \wedge |w \wedge \lnot u| \le 0 \wedge |\lnot w|\le 0 \wedge 1 \le |w|) \vee (s \wedge r) \vee (s \wedge |\lnot w| \le 0 \wedge 1 \le |w|) ~\vee \\ (\lnot s \wedge |\lnot u| \le 0 \wedge |u \wedge \lnot w| \le 0 \wedge 1 \le |w|) \vee (|\lnot u| \le 0 \wedge |\lnot w| \le 0 \wedge 1 \le |w|). \end{array}$$
Similarly, for the system in Fig. 3, we obtain the following cardinality constraints:
$$ \begin{array}{c} (3 \le |w| \wedge |u \wedge \lnot w| \le 0) \vee (2 \le |w| \wedge |w \wedge \lnot u| \le 1 \wedge |u \wedge \lnot w| \le 0) ~\vee \\ (|\lnot u| \le 1 \wedge |\lnot u \wedge \lnot w| \le 0 \wedge |u \wedge \lnot w| \le 0 \wedge 1 \le |w|) \vee (|w \wedge \lnot u| \le 0 \wedge |u \wedge \lnot w| \le 0 \wedge 1 \le |w|). \end{array}$$

3.2 Building Positive Formulae that Preserve Minimal Models

Let \(\phi \) be a \(\mathsf {MIL}\) formula, not necessarily positive. We shall build a positive formula \({\phi }^\oplus \), such that \(\phi \equiv ^{\mathrm {\mu }}{\phi }^\oplus \). By the result of the last section, \(\phi \) is equivalent to a boolean combination of cardinality constraints \(\mathrm {qe}({\phi })\), obtained by quantifier elimination. Thus we assume w.l.o.g. that the DNF of \(\phi \) is a disjunction of conjunctions of the form \(\bigwedge _{i \in L} {\left| {t_i}\right| } \ge \ell _i \wedge \bigwedge _{j \in U} {\left| {t_j}\right| } \le u_j\), for some sets of indices L, U and some positive integers \(\{\ell _i\}_{i \in L}\) and \(\{u_j\}_{j \in U}\).

For a boolean combination of cardinality constraints \(\psi \), we denote by \(\mathrm {P}({\psi })\) the set of predicate symbols that occur in a boolean term of \(\psi \) and by \(\mathrm {P}^+({\psi })\) (\(\mathrm {P}^-({\psi })\)) the set of predicate symbols that occur under an even (odd) number of negations in \(\psi \). The following proposition allows to restrict the form of \(\phi \) even further, without losing generality:

Proposition 1

Given \(\mathsf {MIL}\) formulae \(\phi _1\) and \(\phi _2\), for any positivation operator Open image in new window , the following hold:
  1. 1.

    \({(\phi _1 \vee \phi _2)}^\oplus \equiv ^{\mathrm {\mu }}{\phi _1}^\oplus \vee {\phi _2}^\oplus \),

     
  2. 2.

    \({(\phi _1 \wedge \phi _2)}^\oplus \equiv ^{\mathrm {\mu }}{\phi _1}^\oplus \wedge {\phi _2}^\oplus \), provided that \(\mathrm {P}({\phi _1}) \cap \mathrm {P}({\phi _2}) = \emptyset \).

     

From now on, we assume that \(\phi \) is a conjunction of cardinality constraints that cannot be split as \(\phi = \phi _1 \wedge \phi _2\), such that \(\mathrm {P}({\phi _1}) \cap \mathrm {P}({\phi _2}) = \emptyset \).

Let us consider a cardinality constraint \({\left| {t}\right| } \ge \ell \) that occurs in \(\phi \). Given a set \(\mathcal {P}\) of predicate symbols, for a set of predicates \(S \subseteq \mathcal {P}\), the complete boolean minterm corresponding to S with respect to \(\mathcal {P}\) is \(t_{S}^{\scriptscriptstyle {\mathcal {P}}} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigwedge _{p \in S} p \wedge \bigwedge _{p \in \mathcal {P} \setminus S} \lnot p\). Moreover, let \(\mathcal {S}_t \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \{ S \subseteq \mathrm {P}({\phi }) \mid t_S \rightarrow t \}\) be the set of sets S of predicate symbols for which the complete minterm \(t_S\) implies t. Finally, each cardinality constraint \({\left| {t}\right| } \ge \ell \) is replaced by the equivalent disjunction7, in which each boolean term is complete with respect to \(\mathrm {P}({\phi })\):Note that because any two complete minterms \(t_S\) and \(t_T\), for \(S \ne T\), are incompatible, then necessarily \({\left| {t_S \vee t_T}\right| } = {\left| {t_S}\right| } \,+\, {\left| {t_T}\right| }\). Thus \({\left| {t_S \vee t_T}\right| } \ge \ell \) if and only if there exist Open image in new window such that \(\ell _1+\ell _2 = \ell \) and \({\left| {t_S}\right| } \ge \ell _1\), \({\left| {t_T}\right| } \ge \ell _2\), respectively.

Notice that, restricting the sets of predicates in \(\mathcal {S}_t\) to subsets of \(\mathrm {P}({\phi })\), instead of the entire set of predicates, allows to apply Proposition 1 and reduce the number of complete minterm to be considered. That is, whenever possible, we write each minterm \(\bigwedge _{i \in L} {\left| {t_i}\right| } \ge \ell _i \wedge \bigwedge _{j \in U} {\left| {t_j}\right| } \le u_j\) in the DNF of \(\phi \) as \(\psi _1 \wedge \ldots \wedge \psi _k\), such that \(\mathrm {P}({\psi _i}) \cap \mathrm {P}({\psi _j}) = \emptyset \) for all \(1 \le i < j \le k\). In practice, this optimisation turns out to be quite effective, as shown by the small execution times of our test cases, reported in Sect. 5.

The second step is building, for each conjunction \(C = \bigwedge \{ \ell _S \le {\left| {t_{S}^{\scriptscriptstyle {\mathrm {P}({\phi })}}}\right| } \wedge {\left| {t_{S}^{\scriptscriptstyle {\mathrm {P}({\phi })}}}\right| } \le u_S \mid S \subseteq \mathrm {P}({\phi }) \}\)8, as above, a positive formula \({C}^\oplus \), that preserves its set of minimal models \(\mathbf{[\![}C \mathbf{]\!]}^{\mathrm {\mu }}\). The generalization to arbitrary boolean combinations of cardinality constraints is a direct consequence of Proposition 1. Let \(\mathcal {L}^+({\phi })\) (resp. \(\mathcal {L}^-({\phi })\)) be the set of positive boolean combinations of predicate symbols \(p \in \mathrm {P}^+({\phi })\) (resp. \(\lnot p\), where \(p \in \mathrm {P}^-({\phi })\)). Further, for a complete minterm \(t_{S}^{\scriptscriptstyle {\mathcal {P}}}\), we write \({t_{S}^{\scriptscriptstyle {\mathcal {P}}}}^+\) (\({t_{S}^{\scriptscriptstyle {\mathcal {P}}}}^-\)) for the conjunction of the positive (negative) literals in \(t_{S}^{\scriptscriptstyle {\mathcal {P}}}\). Then, we define:
$$\begin{array}{c} {C}^\oplus \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigwedge \Big \{{\left| {\tau }\right| } \ge \mathop {\sum }\nolimits _{{t_{S}^{\scriptscriptstyle {\mathrm {P}({\phi })}}}^+ \rightarrow \tau } \ell _S \mid \tau \in \mathcal {L}^+({\phi })\Big \} \wedge \bigwedge \Big \{{\left| {\tau }\right| } \le \mathop {\sum }\nolimits _{{t_{S}^{\scriptscriptstyle {\mathrm {P}({\phi })}}}^- \rightarrow \tau } u_S \mid \tau \in \mathcal {L}^-({\phi })\} \end{array}$$
It is not hard to see that \({C}^\oplus \) is a positive \(\mathsf {MIL}\) formula, because:
  • for each \(\tau \in \mathcal {L}^+({\phi })\), we have \({\left| {\tau }\right| } \ge k \equiv \exists i_1 \ldots \exists i_k ~.~ \mathrm {distinct}(i_1,\ldots ,i_k) \wedge \bigwedge _{j=1}^k \tau (j)\) and

  • for each \(\tau \in \mathcal {L}^-({\phi })\), we have \({\left| {\tau }\right| } \le k \equiv \forall i_1 \ldots \forall i_{k+1} ~.~ \mathrm {distinct}(i_1,\ldots ,i_{k+1}) \rightarrow \bigvee _{j=1}^{k+1} \lnot \tau (i_j)\).

The following lemma proves that the above definition meets the second requirement of positivation operators, concerning the preservation of minimal models.

Lemma 6

Given \(\mathcal {P}\) a finite set of monadic predicate symbols, Open image in new window and Open image in new window sets of constants, for any conjunction \(C = \bigwedge \{ \ell _S \le {\left| {t_{S}^{\scriptscriptstyle {\mathcal {P}}}}\right| } \wedge {\left| {t_{S}^{\scriptscriptstyle {\mathcal {P}}}}\right| } \le u_S \mid S \subseteq \mathcal {P} \}\), we have \(C \equiv ^{\mathrm {\mu }}{C}^\oplus \).

Example 4

(contd. from Example 3).

Consider the first minterm of the DNF of the cardinality constraint obtained by quantifier elimination in Example 3, from the system in Fig. 1b. The result of positivation for this minterm is given below:
$${\big (\lnot r \wedge \lnot s \wedge |w \wedge \lnot u| \le 0 \wedge |u \wedge \lnot w|\le 0 \wedge 1 \le |w|\big )}^\oplus = 1 \le |u \wedge w|$$
Intuitively, the negative literals \(\lnot r\) and \(\lnot s\) may safely disappear, because no minimal model will assign r or s to true. Further, the constraints \({\left| {w \wedge \lnot u}\right| } \le 0\) and \({\left| {u \wedge \lnot w}\right| } \le 0\) are equivalent to the fact that, in any structure \(\mathcal {I}= (\mathfrak {U}, \nu , \iota )\), we must have \(\iota (u)=\iota (w)\). Finally, because \({\left| {w}\right| }\ge 1\), then necessarily \({\left| {u \wedge w}\right| } \ge 1\).
Similarly, the result of positivation applied to the second conjunct of the DNF cardinality constraint corresponding to the system in Fig. 3 is given below:
$${\big (2 \le |w| \wedge |w \wedge \lnot u| \le 1 \wedge |u \wedge \lnot w| \le 0\big )}^\oplus = 2 \le |w| \wedge 1 \le |u \wedge w|$$
Here, the number of elements in w is at least 2 and, in any structure \(\mathcal {I}= (\mathfrak {U}, \nu , \iota )\), we must have \(\iota (u) \subseteq \iota (w)\) and at most one element in \(\iota (w) \setminus \iota (u)\). Consequently, the intersection of the sets \(\iota (u)\) and \(\iota (w)\) must contain at least one element, i.e. \({\left| {u \wedge w}\right| } \ge 1\).

4 Proving Deadlock Freedom of Parametric Systems

We have gathered all the ingredients necessary for checking deadlock freedom of parametric systems, using our method based on trap invariant generation (Fig. 4). In particular, we derive a trap constraint \(\varTheta ({\varGamma })\) directly from the interaction formula \(\varGamma \), both of which are written in \(\mathsf {MIL}\). Second, we compute a positive formula that preserves the set of minimal models of \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\), by first converting the \(\mathsf {MIL}\) formula into a quantifier-free cardinality constraint, using quantifier elimination, and deriving a positive \(\mathsf {MIL}\) formula from the latter.
Fig. 4.

Verification of parametric component-based systems

The conjunction between the dual of this positive formula and the formula \(\varDelta ({\varGamma })\) that defines the deadlock states is then checked for satisfiability. Formally, given a parametric system \(\mathcal {S}\), with an interaction formula \(\varGamma \) written in the form (1), the \(\mathsf {MIL}\) formula characterizing the deadlock states of the system is the following:We state a sufficient verification condition for deadlock freedom in the parametric case:

Corollary 2

A parametric system \(\mathcal {S}=\langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \) is deadlock-free if
$$\begin{array}{c} \left( {{(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}))}^\oplus }\right) ^{\sim } \wedge \varDelta ({\varGamma }) \rightarrow \bot \end{array}$$

The satisfiability check is carried out using the conversion to cardinality constraints via quantifier elimination Sect. 3.1 and an effective set theory solver for cardinality constraints, implemented in the CVC4 SMT solver [6].

5 Experimental Results

To assess our method for proving deadlock freedom of parametric component-based system, we ran a number of experiments on systems with a small numbers of rather simple component types, but with nontrivial interaction patterns, given by \(\mathsf {MIL}\) formulae. The task-sem i/n examples, \(i = 1,2,3\), are generalizations of the parametric Task-Semaphore example depicted in Fig. 1b, in which n Tasks synchronize using n Semaphores, such that i Tasks interact with a single Semaphore at once, in a multiparty rendez-vous. In a similar vein, the broadcast i/n examples, \(i=2,3\) are generalizations of the system in Fig. 3, in which i out of n Workers engage in rendez-vous on the b port, whereas all the other stay idle—here idling is modeled as a broadcast on the a ports. Finally, in the sync i/n examples, \(i=1,2,3\), we consider systems composed of n Workers (Fig. 1b) such that either i out of n instances simultaneously interact on the b ports, or all interact on the f ports. Notice that, for \(i=2,3\), these systems have a deadlock if and only if \(n \ne 0 \mod i\). This is because, if \(n = m \mod i\), for some \(0< m < i\), there will be be m instances that cannot synchronize on their b port, in order to move from w to u, in order to engage in the f broadcast.
Table 1.

Benchmarks

example

interaction formula

t-gen

t-smt

result

task-sem 1/n

\(\exists i \exists j_1.~ a(i) \wedge b(j_1) ~\bigvee ~ \exists i \exists j_1.~ e(i) \wedge f(j_1)\)

22 ms

20 ms

unsat

task-sem 2/n

\(\exists i \exists j_1 \exists j_2.~ j_1 \not = j_2 \wedge a(i) \wedge b(j_1) \wedge b(j_2)~\bigvee \)

\(\exists i \exists j_1 \exists j_2.~ j_1 \not = j_2 \wedge e(i) \wedge f(j_1) \wedge f(j_2)\)

34 ms

40 ms

unsat

task-sem 3/n

\(\exists i \exists j_1 \exists j_2 \exists j_3.~ \mathrm {distinct}(j_1,j_2,j_3) \wedge a(i) \wedge b(j_1) \wedge b(j_2) \wedge b(j_3) ~\bigvee \)

\(\exists i \exists j_1 \exists j_2 \exists j_3.~ \mathrm {distinct}(j_1,j_2,j_3) \wedge e(i) \wedge f(j_1) \wedge f(j_2) \wedge f(j_3)\)

73 ms

40 ms

unsat

broadcast 2/n

\(\exists i_1 \exists i_2. i_1 \not = i_2 \wedge b(i_1) \wedge b(i_2) ~\wedge \)

\(\forall j.~ j\ne i_1 \wedge j \ne i_2 \rightarrow a(j) ~\bigvee \exists i. f(i)\)

14 ms

20 ms

unsat

broadcast 3/n

\(\exists i_1 \exists i_2 \exists i_3. \mathrm {distinct}(i_1,i_2,i_3) \wedge b(i_1) \wedge b(i_2) \wedge b(i_3) ~\wedge \)

\(\forall j.~ j \ne i_1 \wedge j \ne i_2 \wedge j \ne i_3 \rightarrow a(j) ~\bigvee ~ \exists i. f(i)\)

409 ms

20 ms

unsat

sync 1/n

\(\exists i. b(i) ~\bigvee ~ \forall i. f(i)\)

5 ms

20 ms

unsat

sync 2/n

\(\exists i_1 \exists i_2. ~i_1 \not =i_2 \wedge b(i_1) \wedge b(i_2) ~\bigvee ~ \forall i. f(i)\)

7 ms

50 ms

sat

sync 3/n

\(\exists i_1 \exists i_2 \exists i_3. \mathrm {distinct}(i_1,i_2,i_3) \wedge b(i_1) \wedge b(i_2) \wedge b(i_3) ~\bigvee ~ \forall i. f(i)\)

11 ms

40 ms

sat

All experiments were carried out on a Intel(R) Xeon(R) CPU @ 2.00 GHz virtual machine with 4 GB of RAM. Table 1 shows separately the times needed to generate the proof obligations (trap invariants and deadlock states) from the interaction formulae and the times needed by CVC4 1.7 to show unsatisfiabilty or come up with a model. All systems considered, for which deadlock freedom could not be shown using our method, have a real deadlock scenario that manifests only under certain modulo constraints on the number n of instances. These constraints cannot be captured by \(\mathsf {MIL}\) formulae, or, equivalently by cardinality constraints, and would require cardinality constraints of the form \({\left| {t}\right| } = n \mod m\), for some constants Open image in new window .

6 Conclusions

This work is part of a lasting research program on BIP linking two work directions: (1) recent work on modeling architectures using interaction logics, and (2) older work on verification by using invariants. Its rationale is to overcome as much as possible complexity and undecidability issues by proposing methods which are adequate for the verification of essential system properties.

The presented results are applicable to a large class of architectures characterized by the \(\mathsf {MIL}\). A key technical result is the translation of \(\mathsf {MIL}\) formulas into cardinality constraints. This allows on the one hand the computation of the \(\mathsf {MIL}\) formula characterizing the minimal trap invariant. On the other hand, it provides a decision procedure for \(\mathsf {MIL}\), that leverages from recent advances in SMT, implemented in the CVC4 solver [6].

Footnotes

  1. 1.

    The intersection of two or more invariants is again an invariant.

  2. 2.

    We have assumed that each port is associated a unique transition rule.

  3. 3.

    See [5] for a proof.

  4. 4.

    If the DNF is \((p \wedge q) \vee (p \wedge \lnot r)\), the dualization would give \((p \vee q) \wedge (p \vee \lnot r)\). The first clause corresponds to the trap \(\{ p,q \}\) (either p or q is marked), but the second does not directly define a trap. However, by first removing the negative literals, we obtain the traps \(\{ p,q \}\) and \(\{ r \}\).

  5. 5.

    This is not a limitation, since dynamic instance creation can be simulated by considering that all instances are initially in a waiting state, which is left as result of an interaction involving a designated “spawn” port.

  6. 6.

    Throughout this paper, we consider that \(\bigwedge _{i \in I} \phi _i = \top \) if \(I=\emptyset \).

  7. 7.

    The constraints \({\left| {t}\right| } \le u\) are dealt with as \(\lnot ({\left| {t}\right| } \ge u+1)\).

  8. 8.

    Missing lower bounds \(\ell _S\) are replaced with 0 and missing upper bounds \(u_S\) with \(\infty \).

References

  1. 1.
    Abdulla, P.A.: Well (and better) quasi-ordered transition systems. Bull. Symb. Log. 16(4), 457–515 (2010)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Abdulla, P.A., Delzanno, G., Henda, N.B., Rezine, A.: Regular model checking without transducers (on efficient verification of parameterized systems). In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 721–736. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-71209-1_56CrossRefzbMATHGoogle Scholar
  3. 3.
    Alberti, F., Ghilardi, S., Sharygina, N.: A framework for the verification of parameterized infinite-state systems*. In: CEUR Workshop Proceedings, vol. 1195, pp. 302–308, January 2014Google Scholar
  4. 4.
    Bansal, K., Reynolds, A., Barrett, C.W., Tinelli, C.: A new decision procedure for finite sets and cardinality constraints in SMT. In: Olivetti, N., Tiwari, A. (eds.) IJCAR 2016. LNCS (LNAI), vol. 9706, pp. 82–98. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-40229-1_7CrossRefGoogle Scholar
  5. 5.
    Barkaoui, K., Lemaire, B.: An effective characterization of minimal deadlocks and traps in petri nets based on graph theory. In: 10th International Conference on Application and Theory of Petri Nets, ICATPN 1989, pp. 1–21 (1989)Google Scholar
  6. 6.
    Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22110-1_14CrossRefGoogle Scholar
  7. 7.
    Basu, A., et al.: Rigorous component-based system design using the BIP framework. IEEE Softw. 28(3), 41–48 (2011)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Baukus, K., Bensalem, S., Lakhnech, Y., Stahl, K.: Abstracting WS1S systems to verify parameterized networks. In: Graf, S., Schwartzbach, M. (eds.) TACAS 2000. LNCS, vol. 1785, pp. 188–203. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-46419-0_14CrossRefzbMATHGoogle Scholar
  9. 9.
    Bensalem, S., Bozga, M., Nguyen, T., Sifakis, J.: D-finder: a tool for compositional deadlock detection and verification. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 614–619. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-02658-4_45CrossRefGoogle Scholar
  10. 10.
    Bloem, R., et al.: Decidability of Parameterized Verification: Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers, San Rafael (2015)CrossRefGoogle Scholar
  11. 11.
    Bouajjani, A., Habermehl, P., Vojnar, T.: Abstract regular model checking. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 372–386. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-27813-9_29CrossRefGoogle Scholar
  12. 12.
    Bozga, M., Iosif, R., Sifakis, J.: Checking deadlock-freedom of parametric component-based systems (2018). Technical report. arXiv:1805.10073
  13. 13.
    Chen, Y., Hong, C., Lin, A.W., Rümmer, P.: Learning to prove safety over parameterised concurrent systems. In: 2017 Formal Methods in Computer Aided Design, FMCAD 2017, Vienna, Austria, 2–6 October 2017, pp. 76–83 (2017)Google Scholar
  14. 14.
    Conchon, S., Goel, A., Krstić, S., Mebsout, A., Zaïdi, F.: Cubicle: a parallel smt-based model checker for parameterized systems. In: Madhusudan, P., Seshia, S.A. (eds.) Computer Aided Verification, pp. 718–724 (2012)Google Scholar
  15. 15.
    Emerson, E.A., Namjoshi, K.S.: Reasoning about rings. In: POPL 1995 Proceedings, pp. 85–94 (1995)Google Scholar
  16. 16.
    German, S.M., Sistla, A.P.: Reasoning about systems with many processes. J. ACM 39(3), 675–735 (1992)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Kesten, Y., Maler, O., Marcus, M., Pnueli, A., Shahar, E.: Symbolic model checking with rich assertional languages. Theor. Comput. Sci. 256(1), 93–112 (2001)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Kuncak, V., Nguyen, H.H., Rinard, M.C.: Deciding Boolean algebra with Presburger arithmetic. J. Autom. Reason. 36(3), 213–239 (2006)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Löwenheim, L.: Über Möglichkeiten im Relativkalkül. Math. Ann. 470, 76–447 (1915)zbMATHGoogle Scholar
  20. 20.
    Suzuki, I.: Proving properties of a ring of finite-state machines. Inf. Process. Lett. 28(4), 213–214 (1988)MathSciNetCrossRefGoogle Scholar

Copyright information

© The Author(s) 2019

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. 1.Univ. Grenoble Alpes, CNRS, Grenoble INP (Institute of Engineering Univ. Grenoble Alpes), VERIMAGGrenobleFrance

Personalised recommendations