location 1 location 2

Transcription

1 Verication Based on Local States? Michaela Huhn 1 and Peter Niebert 1 and Frank Wallner 2 1 Institut fur Informatik, Universitat Hildesheim, Postfach , D Hildesheim, Germany, fhuhn,niebertg@informatik.uni-hildesheim.de 2 Institut fur Informatik, Technische Universitat Munchen D Munchen, Germany wallnerf@informatik.tu-muenchen.de Abstract. Net unfoldings are a well-known partial order semantics for Petri nets. Here we show that they are well suited to act as models for branching-time logics interpreted on local states. Such local logics (in particular a distributed -calculus) can be used to express properties from the point of view of one component in a distributed system. Local logics often allow for more ecient verication procedures because { in contrast to interleaving branching-time logics { they do not refer to the entire space of global states. We reduce verication of local properties to standard model checking algorithms known for interleaving branchingtime logics. The key is to extract a nite (usually small), local transition system bisimilar to the complete unfolding. The construction is based on the nite prex of a net unfolding dened by McMillan. 1 Introduction Model checking is one of the most successful approaches to formal, automated verication of distributed systems. Model checking algorithms decide whether a nite state system meets its specication given in terms of a temporal logic formula. One of the causes of the state explosion problem limiting this approach is the representation of concurrency as interleaving. Recently proposed partial order methods [Pel93, GW91, Val91] avoid the exploration of the entire state space for model checking by reductions according to the partial order semantics of the system, where certain interleaving properties are preserved. Instead of reducing the interleaving model, verication can also be done directly on the partially ordered object: Net unfoldings 3 [NPW80, Eng91] provide a partial order branching time semantics for Petri nets. McMillan [McM92] has shown how to use net unfoldings for ecient deadlock detection and reachability analysis of nite-state Petri nets. He described the construction of a \nite pre- x" of the (usually innite) unfolding containing every reachable global state.? This work was partially supported by: the SFB 342, Teilprojekt A3 of the DFG; and by the Human Capital and Mobility Cooperation Network \EXPRESS" (Expressivity of Languages for Concurrency). 3 Also known as (branching) non-sequential processes.

2 It was already observed by Esparza in [Esp94] that the McMillan prex can be used for model checking S4 (the modal logic based on the reachability relation of the global state space without next-modalities). We show in this paper that a slight modication of McMillan's construction is a very adequate basis for more expressive branching time logics interpreted on local states and that for model checking such logics algorithms known from corresponding interleaving logics can be used. Here we understand a local (prime) conguration as the representation of the view of a single component onto the system, taking into account that the individual components have only partial information on a system's global state. Local logics allow to express partial order properties of distributed systems in a natural way, while the expression of properties, that refer to a certain interleaving of concurrent events, is impossible. For the linear time case, such logics have been investigated by Thiagarajan in [Thi94, Thi95], local branching time logics were introduced in [LT87, LRT92]. We consider systems { described in terms of Petri nets { composed of sequential, nondeterministic subsystems, which synchronously communicate by means of common actions. As a logic we propose a distributed -calculus, interpreted solely at the local states of the contributing components. The basic operator is an indexed modality hai J meaning \next a for the components i 2 J". Using xpoints, local CTL-operators (cf. Sec.3) or the knowledge operator 2 i from [LRT92] can be encoded. Thus, the distributed -calculus serves as a powerful low-level logic, in which other local branching time logics can be expressed. Besides considerations of its practical use for specication, the proposed logic is designed (i.e. restricted) in order to stay feasible for automatic verication. For good reasons we do not address the theoretical question of the overall expressiveness of the logic: the reference logics for the comparison with -calculi are monadic second order logics, but the monadic second order logic of net unfoldings (or prime event structures) can be shown to have a highly undecidable model-checking problem even for 1-safe Petri nets. The distributed -calculus corresponds directly to the sequential -calculus [Koz83] interpreted on the local congurations of the system's unfolding. Since the (local) state space of the unfolding is in general innite, our aim is to extract a bisimilar, nite-state representation of the unfolding. Such a representation can be immediately used by proved interleaving model checkers [CS93, CES86], yielding ecient automated verication. We show that for any local conguration of the system's unfolding we nd a bisimilar local conguration in the nite prex { no matter whether we take McMillan's original denition or the improved prex construction given in [ERV96]. Thus the local congurations within the nite prex can serve as the state space for the desired nite representation. But the proof does not indicate how to determine the transitions needed for the nite bisimilar representation without exploring the complete unfolding. The major problem to solve is to determine those transitions (leading to the direct local successors) that are not already present in the nite prex but which must exist because the local states of the prex serve as representatives also for local states in the unfolding far beyond the 2

3 nite prex. We show how to nd all direct local successors without extending the prex any further. 4 Since the resulting local transition system does not contain more states than the prex contains events, the input for model checkers can be dramatically smaller than the transition system of the global state space. Nevertheless, during the construction of the local transition system we sometimes have to inspect global congurations contained in the prex. Complexity considerations show that the representation of the algorithm given in Sec. 5 can be improved such that it never exceeds the costs of building the global state space times the number of transitions of the original net { which is at the same time the worst case bound of the size of the resulting transition system. The paper is structured as follows. In Section 2 we introduce basic denitions of our models. In Section 3 we introduce the distributed -calculus and its formal semantics, and illustrate its use in specication with examples. In Sections 4 and 5 we show how to use the nite prex for constructing a nite local transition system on which conventional model checkers apply. 2 Distributed nets and their unfoldings We begin with the indispensable basic denitions and the class of Petri nets that serve as our system models. For further details on nets, cf. [Rei85]. Petri nets. Let P and T be disjoint, nite sets of places and transitions, generically called nodes. A net is a triple N = (P; T; F ) with a ow relation F (P T ) [ (T P ), which we identify with its characteristic function on the set (PT )[(TP ). The preset x and the postset x of the node x are dened as x:=fy 2P [ T j F (y; x)=1g and x :=fy 2P [ T j F (x; y)=1g. The preset (postset) of a set X of nodes is given by the union of the presets (postsets) of all nodes in X. We assume x [ x 6= ; for every node x. A marking of a net is a mapping P!IN. We call = (N; M 0 ) a net system with initial marking M 0 if N is a net and M 0 a marking of N. A marking M enables the transition t if M(p) 1 for each p2 t. In this case the transition can occur, leading to the new marking M 0, given by M 0 (p) = M(p)+F (t; p)?f (p; t) for every place p. We denote this occurrence by M?! t M 0. If there exists a chain t M 1 t 0?! M 2 t 1?! : : :?! n M n then the sequence = t 1 t 2 : : : t n is called occurrence sequence and we write M 0?! M n. M is called a reachable marking of if there exists an occurrence sequence, such that M 0?! M. Two transitions t 1 ; t 2 are concurrently enabled in M if M enables t 1, and t 2 is enabled in M 0, where M 0 (p) = M(p)?F(p; t 1 ) for each p. A system is called sequential if no reachable marking concurrently enables two transitions. We will exclusively regard 1-safe systems, in which every reachable marking map each place to 0 or 1, and thus can be identied with the set of places it 4 Since a direct local successor in one component may require an enormous number of causal predecessors in another component, it is not clear in advance when a further extension is sucient to decide on the existence of a local successor. 3

4 maps to 1, i.e., M P for every reachable marking M. Safe net systems can be seen as a synchronization of several nite automata. In the following we will exploit this compositional view by introducing the notion of locations. ) j i 2 Ig be a family of Distributed net systems. Let f i = (P i ; T i ; F i ; Mi 0 1-safe, sequential net systems with pairwise disjoint sets P i of places, indexed by a nite set I of locations. The distributed net system I = (N I ; M 0 ) is the union of the subsystems i : [ P = P i ; i2i [ T = T i ; i2i [ [ F = F i ; M 0 = Mi 0 : i2i i2i Clearly, I is again 1-safe. The intended interpretation of such a system is a collection of sequential, non-deterministic processes with communication capabilities, namely the common transitions. We understand the common execution of a joint transition as a communication event. The location loc(x) of a node x is dened by loc(x) := fi 2 I j x 2 P i [ T i g. A simple distributed net system consisting of two subsystems is depicted in Fig A b a B location 1 location 2 C d e D c D? A d C c a D C B d c b C D A e a C A C B c a D C A Fig. 1. Distributed net Fig. 2. Branching process Net unfoldings. In order to dene a partial order semantics of the behaviour of a distributed net system, we consider net unfoldings, also known as branching processes. They contain information about both concurrency and conict. Two nodes x 1 ; x 2 of a net (P; T; F ) are in conict, denoted x 1 #x 2, if there exist two distinct transitions t 1 ; t 2 such that t 1 \ t 2 6= ;, and (t 1 ; x 1 ); (t 2 ; x 2 ) belong to the reexive and transitive closure of F. If x#x, we say x is in selfconict. An occurrence net [NPW80] is a net N = (B; E; F ) such that (1) for every b 2 B, j bj 1, (2) the irreexive transitive closure of F is wellfounded and acyclic, i.e., for every node x 2 B [ E, the set fy 2 B [ Ejy xg is nite and does not contain x, and (3) no element e 2 E is in self-conict. The reexive closure of determines a partial order, called causal relation. In occurrence nets we speak of conditions and events instead of places and transitions, respectively. Min(N) denotes the minimal elements of N w.r.t., and Max(X) the causally maximal elements of the set X of nodes. 4

5 Given two nets N 1 ; N 2, the mapping h : P 1 [ T 1! P 2 [ T 2 is called a homomorphism if h(p 1 )P 2 ; h(t 1 )T 2, and for every t2t 1 the restriction of h to t, denoted hj t, is a bijection between t and h(t), and similar for hj t. A branching process [Eng91] of a net system =(N; M 0 ) is a pair =(N 0 ; ) where N 0 =(B; E; F ) is an occurrence net and : N 0! N is a homomorphism, such that the restriction of to Min(N 0 ) is a bijection between Min(N 0 ) and M 0 and additionally for all e 1 ; e 2 2E: if (e 1 ) = (e 2 ) and e 1 = e 2 then e 1 = e 2. Loosely speaking, we unfold the net N to an occurrence net N 0, obeying the rules determined by the conditions for, and labelling each node x of N 0 with the corresponding node (x) of N. Referring to distributed net systems, the location loc(x) of a node x of N 0 is given by loc(x) = loc((x)). By E J we denote the set of J-events, i.e., E J := fe 2 E j J loc(e)g. For singleton locations J = fig we abbreviate E fig by E i. Given two distinct branching processes 1 ; 2 of, we say that 1 and 2 are isomorphic if there exists a bijective homomorphism h : N 1! N 2, such that the composition 2 h equals 1. If h is injective, such that hj Min(N1) is a bijection between Min(N 1 ) and Min(N 2 ), and furtheron B 1 B 2 and E 1 E 2, we call 1 a prex of 2. Notice that a prex is uniquely determined by its set of events or its set of conditions. In [Eng91] it is shown that a net system has a unique maximal branching process up to isomorphism, which we call the unfolding of, and denote by Unf. Fig. 2 shows a prex of the innite unfolding of the net system drawn in Fig. 1. Congurations and Cuts. A conguration C of an occurrence net is a causally downward-closed, conict-free set of events, i.e., for each e 2 C: if e 0 e then e 0 2C, and for all e; e 0 2C : :(e#e 0 ). If Max(C) is a singleton, say feg, we speak of the local conguration of e and denote it by #e. It is given by the set of all the preceding events, i.e., #e = fe 0 2E j e 0 eg. As usual, we identify each nite conguration C with the state of the system that is reached after all the events in C have occurred. A local conguration then denes a local state. The set of local congurations of a branching process is denoted by C loc (). In order to simplify the handling, we introduce a virtual event symbol? that can be seen as initial event with an empty preset and Min(N) as postset. #? then denotes the empty conguration. We extend the set of events of Unf to E? := E [ f?g and set loc(?) = I. In distributed systems, we dene the i-view # i C of a conguration C as # i C := fe2c j 9e 0 2(C \ E i ) : e e 0 g The i-view is a conguration: the empty conguration if C \ E i = ;, and the local conguration of the (unique) maximal i-event in C, otherwise. This follows from the sequentiality of the subsystems. Thus, # i C can be understood as the most recent local state of the subsystem i 2 I that the whole system is aware of in the global state C. The i-view of the local conguration #e is written as # i e. Two nodes of an occurrence net are concurrent if they are neither in conict nor causally related. A set B 0 of conditions of an occurrence net is called a coset if any two elements of B 0 are concurrent. A co-set is called a cut if it is a 5

6 maximal co-set w.r.t. set inclusion. There is a tight interrelation between nite congurations and cuts: the set of conditions Cut(C) = (Min(N) [ C ) n C where C is a nite conguration, is a cut. The corresponding set of places (Cut(C)) is a reachable marking, denoted by M(C) and called nal state of C. Notice that for every reachable marking M of the system there exist a (not necessarily unique) nite conguration with nal state M. Congurations are called M-equivalent, denoted by C =M C 0, if their nal state is equal. Two M-equivalent congurations C; C 0 have a similar \future", i.e., there exists an isomorphism between the part of Unf that lies behind C and that one behind C 0. Formally, if C =M C 0 then (C) is isomorphic to (C 0 ), where (C) := fx 2 B [ E j 9b 2 Cut(C): b x ^ 8y 2 C: :(x#y)g. Assume two M-equivalent local congurations #e; #e 0 with j#ej < j#e 0 j. The branching process (#e) can be seen as (#e 0 ) \shifted backward". Any con- guration C 0 containing e 0 thus can be shifted backward to an M-equivalent conguration C containing e. In [Esp94] this idea was formalized as follows: let Ie e0 denote the isomorphism from (#e 0 ) to (#e), and C be a conguration of Unf. The (e 0 ; e)-shift of C, denoted shift (e0 ;e)(c), is dened by shift (e0 ;e)(c) := C if e 0 =2 C #e [ I e0 e (C n #e 0 ) if e 0 2 C Local successor relation. Let Act be a distributed alphabet of actions, i.e., Act = S i2i Act i where the Act i are not necessarily disjoint. We speak of the location of an action, dened as loc(a) := fi j a 2 Act i g. Assume a mapping l from the transitions (and, via, also from the events) to the actions that respects the distribution of the alphabet: l(t) = a implies loc(t) = loc(a). C Given two congurations C; C 0 we call C 0 an a-successor of C, written as a?! C 0, if C 0 = C ] feg for some event e mapped to the action a. This relation works ne for global congurations, but when considering local congurations it turns out to be too restrictive. Intuitively, we want to speak of the local a-successor of the local state #e, if for some locations that participated in e the next possible action is an a, ignoring the fact that some other locations possibly have to do some preparing steps until a is enabled. By parameterizing the successor relation with sets of locations, we will determine which of the locations may do those preparing steps, and for which locations the a is the immediate next action. Let C 1 ; C 2 be congurations, a an action, and J a non-empty set of locations such that loc(a) \ J 6= ;. We call C 2 a J-local a-successor of C 1, written as a C 1?! J C 2, if there exists a conguration C 0 1 C 1 such that # i C 1 = # i C 0 1 for all i 2 J, and C 0 a 1?! C 2. If J = fig is a singleton, we write?! i. Note that?! i captures the local transition relation in an adequate way, i.e.,?! i in the unfolding of I corresponds to the?! relation in the unfolding of i. 6

7 3 The distributed -calculus In this section we dene the syntax and semantics of a version of the -calculus [Koz83] that is adequate to describe local properties of the components of a distributed system. More precisely, the formulae of the logic are interpreted over the local congurations of the unfolding of a distributed net system. The logic is adapted from a similar linear time logic for Mazurkiewicz traces [Nie95]. We will indicate how the local approach can be used for the specication and verication of distributed systems, and show that our logic naturally can be transferred to the conventional framework of global states. Syntax. Let (N I ; M 0 ) be a distributed net system, Unf = (N 0 ; ) its unfolding, and l : T! Act a labelling of the transitions of N I with actions taken from the alphabet Act. We identify the corresponding labelling of events with l, i.e., l(e) = l((e)) for e in Unf. The abstract syntax of the logic is given by ' ::= p j :p j x j ' ^ ' j ' _ ' j [a] J ' j hai J ' j x:' j x:' where the atomic propositions p range over the set P of places of the distributed net, x over a set V of propositional variables, a over Act, and J over 2 I n ;. For the modal operators [a] J and hai J, we assume J \ loc(a) 6= ;. The intended meaning of hai J ' is that there exists a next local state #e such that l(e) = a and no event of any of the locations in J will happen before e. The operators and bind the variables. A formula that does not contain any free variable is closed. We use the basic propositions true and false as abbreviations for y:y and y:y, respectively, and dene h-i J ' := W a2acthai J ' and [-] J ' := V a2act [a] J '. We only allow negation of atomic propositions. However, the logic is closed under negation, because every operator has its dual, and negations can be drawn inside down to the atomic propositions. Semantics. The semantics of a formula ' of our logic is a set of local congurations (satisfying it), and is written as ['] Unf v C loc (Unf ), where Unf is the unfolding under consideration and v : V! 2 C loc(unf ) is a valuation function for the variables. Since Unf is clear from the context, we omit this superscript, and if also v is understood, we simply write [']. For #e 2 ['] we also write #e j= '. We inductively dene the semantics according to the following rules: [p] v = f#e j p2m(#e)g [:p] v = f#e j p 62M(#e)g S [x:'] v = T fa j A ['] v[x:=a] g [x:'] v = fa j ['] v[x:=a] Ag [' ^ ] v = ['] v \ [ ] v [ [a] J ' ] v = f#e j 8e 0 2 E : if #e?! a J #e 0 then #e 0 2 ['] vg [' _ ] v = ['] v [ [ ] v [ hai J ' ] v = f#e j 9e 0 2 E : #e?! a J #e 0 and #e 0 2 ['] vg where v[y := A](y) = A, and for z 6= y we have v[y := A](z) = v(z). We say that system satises the formula ', denoted by j= ', if the empty conguration #? belongs to [']. 7

8 Note that a local state #e may satisfy an atomic proposition p that does not belong to the location of e. Thus, the proposed logic allows to express properties corresponding to the local view that one component has onto other components. We briey comment on the assertions expressible by the proposed language. Single-located formulae are simply formulae of the standard -calculus, interpreted on the corresponding subsystem. For instance, = x:' ^ [-] i x means that on every path of the i-component ' holds at every local state { `' always holds in i'. If we substitute [-] i x by ([-] i x ^ h-i i true) in, we additionally express that the mentioned path is of innite length since for every local state of i there must exist a successor. `' holds in i innitely often' can be formalized as y:x:(' _ [-] i x) ^ [-] i y ^ h-i i true. Notice, however, that this formula may hold even if there exist global runs in which the i-component only executes a nite number of events. It actually states that if i executes innitely many events in the future then it will satisfy ' innitely often. It is useful to translate a local logic reminding of CTL [CES86] to our logic. Localised variants of the two next operators, EXJ and AXJ are already part of the syntax, namely h-i J and [-] J. The set of locations species, for which components this event is a next step. Similarly we now dene the until-operators of CTL with locations: E('U J ) := y: _ (' ^ h-i J y) A('U J ) := y: _ (' ^ [-] J y ^ h-i J true): Other CTL-like operators, such as AGJ; AFJ; EGJ; EFJ can in turn be dened using the until-operators in the standard way. E('UJ ) species a J-local chain of events along which ' holds until is satised. The more interesting properties, of course, are expressed by formulae referring to distinct subsystems. If J = fi; j; kg then y:[-] i y ^ (p! hai J true) describes that whenever p holds in i then i's next a-action may be a synchronization with j and k, which is also for j and k the next step. Another example referring to several components can be found in the appendix. It is also possible to refer to conicts in the causal future of local congurations: W i2i (h-i i p ^ h-i i :p) states that there are two next events in conict which can be distinguished by p. Nevertheless, it is not possible to express that there are two identically labelled, but conicting events if their future cannot be distinguished with the distributed -calculus. As a further example we specify properties of the echo-algorithm as dened in [Wal95] in the distributed -calculus. Assume a (strongly connected) network consisting of a set of agents Ag including initiator A 0. Each agent A i communicates exclusively with her direct neighbours, and each agent (but the initiator) behaves identically. At any time the initiator wants to ood the whole network with a wake-up signal, each agent { after receiving a wake-up { executes a local computation and sends back an accept signal afterwards. Whenever the initiator reaches state terminated, she wants to be sure that every agent in the network has executed her local computation: j= AG 0 (terminated! V i1 accepted i). Furthermore, no agent shall have nished her local computation, when any of her neighbours is still sleeping: j= V i1 AG i(accepted i! V j2n i :sleeping j ). 8

9 4 Transition systems semantics Now we want to show that the unfolding can be understood as a local transition system T Unf with transitions labelled by indexed actions a J, J I, and with the local congurations of Unf as set of states. It will be immediate that on T Unf the distributed -calculus corresponds to the standard -calculus over the modied action alphabet Act g = faj j a 2 Act; J Ig. -calculus and bisimulation. The syntax of the -calculus [Koz83] is given by ::= p j :p j x j ^ j _ j hai j [a] j x: j x: where p 2 P, x 2 V, and a 2 ActT. The semantics of the -calculus is dened over transition systems T = hs; s 0 ;!; ActT ; P; Ii where S is a set of states, ActT an action alphabet, s 0 2 S the initial state,! SActT S the transition relation, and I : S! 2 P an interpretation mapping the states onto the propositions. As usual, we write s?! a s 0 if (s; a; s 0 ) 2!. The semantics of a -calculus formula over a given transition system T is denoted by [] T v S, where v is the valuation function for the variables. We write s j=t if s 2 [] v. The semantics is dened inductively by: [p] v = fs j p 2 I(s)g S [x:] v = fa j A [] v[x:=a] g [:p] v = fs j p =2 I(s)g T [x:] v = fa j [] v[x:=a] Ag [ ^ ] v = [] v \ [] v [hai] v = fs j 9s 0 a 2 S : s?! s 0 and s 0 2 [] vg [ _ ] v = [] v [ [] v [[a]] v = fs j 8s 0 a 2 S : if s?! s 0 then s 0 2 [] vg It is well-known that the distinguishing power of the -calculus is limited to standard bisimulation: A relation R S S is called a bisimulation i for any s R s 0 it holds that I(s) = I(s 0 ) and for all a 2 ActT { if s?! a s 1, then there exists s 0 1 with s 0 a?! s 0 1 and s 1 R s 0 1, and dually { if s 0 a?! s 0 1, then there exists s 1 with s?! a s 1 and s 1 R s 0 1. Two states s and s 0 are called bisimilar, denoted s s 0, i there exists a bisimulation R with s R s 0. We also write T T 0 if for the initial states s 0 s 0 0. It was shown by Milner [Mil89] (see also [Sti92]) that s s 0 implies s j=t, s 0 j=t for all closed -calculus formulae. The local transition system T Unf. Let Unf be the unfolding of a distributed net system. Then the local transition system extracted from Unf is given by T Unf = hc loc (Unf ); #?;!;g Act; P; Ii a where #e?!#e J 0 i #e?! a J #e 0, and the interpretation of propositions I(#e) = M(#e) for all #e. Two events e 1 ; e 2 are M-loc-equivalent i #e 1 =M #e 2 and loc(e 1 ) = loc(e 2 ). Proposition 1. Let #e 1 ; #e 2 2 T Unf. If e 1 and e 2 are M-loc-equivalent then #e 1 #e 2. 9

10 Proof. Let I be the isomorphism from (#e 1 ) to (#e 2 ), induced by M-equivalence of #e 1 and #e 2. Clearly, loc(f) = loc(i(f)), and f g i I(f) I(g) for all events f; g 2 (#e 1 ). If furtheron e 1 f and e 2 I(f), the events f and I(f) again are M-equivalent, and thus =M would be a bisimulation. However, it does not necessarily hold that e 1 f i e 2 I(f). The additional loc-condition now preserves the desired causality: Let us call e 0 a direct successor of e, i e \ e 0 6= ;. For all e 1 ; e 0 1 it holds that if e 0 1 is a direct successor of e 1 then loc(e 1 )\loc(e 0 1) 6= ;. Consequently, if e 0 1 is a direct successor of e 1 then I(e 0 1) 2 (#e 2 ) is a direct successor of e 2 i loc(e 2 ) \ loc(i(e 0 1)) 6= ;. Thus the set of direct successors is preserved under M-loc-equivalence. Since every J-local successor of an event e 1 is a direct successor of e 1 or the J-local successor of a direct successor of e 1, and since every direct successor of e 1 is M-loc-equivalent to the corresponding direct successor of e 2, indeed M-locequivalence is a bisimulation. 2 Let ' be a formula of the distributed -calculus. Then ~' denotes the formula where each occurrence of hai J is substituted by ha J i, and similarly [a] J by [a J ]. Proposition 2. #e j= ' i #e j=t ~' for any #e 2 C loc (Unf ). 5 Model checking In this section we develop the technical tools required to achieve ecient verication techniques for the logic. In fact we will not give an algorithm for the model checking procedure itself. Rather we give a construction, which reduces the model checking problem for the distributed -calculus to a suitable input for well understood algorithms known from sequential model checking like [CES86, CS93]. As a rst step, we will show that there exists a nite transition system T Fin bisimilar to the usually innite system T Unf. This nite system T Fin can be dened over the set of local congurations of the complete nite prex introduced by McMillan [McM92]. Secondly, we give an algorithm for constructing T Fin. The nite prex. In [McM92], McMillan showed how to construct a nite prex of the unfolding of a nite-state net system in which every reachable marking is represented by some cut. We will use a slight modication of this prex to obtain a nite transition system with local states, bisimilar to T Unf. Let Unf = (N 0 ; ) be the unfolding of a net system. A cut-o event is an event e 2E? whose local conguration's nal state coincides with the nal state of a smaller local conguration with the same location, formally: 9 e 0 2E? : j#e 0 j < j#ej and e; e 0 are M-loc-equivalent: In McMillan's standard denition M-equivalence suces. 5 Notice that in general for each cut-o event e there may be several corresponding M-loc-equivalent 5 The cut-o events from the unfolding of the distributed net system of Fig. 1 are tagged by \" in Fig. 2 whereas the cut-os due to McMillan's original denition are tagged by \". 10

11 events e 0. In the sequel, we x one of them and refer to it as corr(e). The prex Fin is then dened as the unique prex of Unf with E Fin E? as set of events, where E Fin is characterised by e 2 E Fin i no event e 0 e is a cut-o event. It is easy to prove that Fin is nite for net systems with nitely many reachable markings. Usually, the prex Fin is much smaller than the state space of the system. However, it can also be larger. In [ERV96] it is shown how to improve McMillan's construction such that the nite prex never exceeds the size of the full state space (up to a constant). The main idea is to determine cut-o events not by comparing the size of the local congurations of events (which does not produce any cut-o event when the sizes are equal), but other well-founded partial orders instead. In the prex generated by the rened algorithm, if e and e 0 are two dierent non-cut-o events, then they are not M-loc-equivalent. The number of location sets occurring at events can grossly be bounded by the number of transitions in the original net. Therefore, the number of non-cuto events never exceeds the number of reachable states times the number of transitions of the original net, and so the prex can never be substantially larger than the state space. The nite, local transition system T Fin. Now we show that there exists a nite transition system T Fin T Unf, such that the states of T Fin are at most the local congurations of the nite prex. Observe that the modied McMillan construction in fact guarantees that for each local conguration #e in Unf there exists an M-loc-equivalent corresponding conguration #e 0 in Fin, i.e., #e #e 0 in T Unf, and e 0 2E Fin. The only reason for e =2 E Fin can be that e supersedes a cut-o belonging to Fin and therefore itself is a cut-o. By induction it is possible to nd a corresponding event for e within E Fin. For the following, we select for each equivalence class of bisimilar congurations #e in Unf a unique representative #corr(e) in Fin which is minimal w.r.t. the size of j#corr(e)j. (In case of using the improved prex [ERV96], corr(e) is selected from the non-cut-o events in E Fin and thus uniquely determined.) If we have two bisimilar states #e 1 #e 2 in T Unf we can replace each transition #e?! aj #e 1 by #e?! aj #e 2 for any source state #e and obtain a transition system T 0 Unf bisimilar with T Unf on all states and with the same state space. Since we have selected for all local congurations #e, #e 0 bisimilar representatives #corr(e) and #corr(e 0 ) in Fin, we can (imaginarily) \bend" all the transitions #e?! aj #e 0 a in T Unf to transitions #corr(e)?! J #corr(e 0 ) in Fin (possibly merging innitely many transitions into one). Since corr(e) is unique and minimal, afterwards all local states #e reachable from #? via transitions are noncut-os. Now we discard all cut-o events (whether contained in Fin or not). We call the resulting transition system T Fin. Observe that T Fin is even smaller than Fin itself, since cut-os are discarded. We obtain: Proposition 3. T Fin T Unf. 11

12 Theorem 4. For any closed formula ' of the distributed -calculus it holds that #? j= ' i #? j=t Fin ~'. Theorem 4 is an immediate consequence of Proposition 2 and Proposition 3. Thus we can reduce the model checking problem of the distributed -calculus for some distributed net system to the model-checking problem of the standard -calculus over T F in. Observe that T Fin is not bigger than the global state space (i.e. the product of the local state spaces) times the number of transitions of the distributed net system { and often much smaller. The gure depicts T Fin of the prex drawn in Fig. 2.? d 2 a 1 c 2 d 2 a 2 a 2 e 1 a f1;2g b 1 a 1 c 2 e 2 An algorithm to compute T Fin. By now we know that T Fin exists, the question remains, how we can compute it. We propose an algorithm that takes Fin as input and moreover uses the structural information, which the algorithm computing Fin has built up: { a function corr mapping all M-loc-equivalent events onto a unique representative non-cut-o event. The codomain of corr is called E Rep E Fin, the set of representative events. The state space of T Fin is formed by the local congurations of these representatives. { a function shift, which maps any conguration C = C 1 of Unf containing some cut-o to a conguration shift (C) = C 0 = C n not containing a cut-o, hence being present in Fin. This function works by repeatedly applying C i+1 := shift (ei;corr(e i))(c i ) with e i being a cut-o in Fin contained in C i. shift terminates, because the sequence C 1 ; C 2 ; :: decreases in the underlying (well-founded) order (e.g. contains less and less events in the case of the McMillan order). Obviously this function implies the existence of an isomorphism I between (C) and (shift (C)), which is the composition of the isomorphisms I ei corr(e i) induced by the chosen cut-o events. Moreover, shift (#e) is strictly smaller than #e (in the underlying order) for any e 2 (C), and hence for any e, for which C?! a J #e. The most important part of the algorithm is the recursive procedure successors which, when called from the top level with a triple (#e; J; a), returns the a J - successors for #e in T Fin. More generally, successors performs depth-rst search through triples (C; J; a), where C is an arbitrary, not necessarily local conguration not containing a cut-o, J is a non-empty subset of locations, and a is an action. It determines the subset of events in E Rep that represent the J-local a-successors of C. Formally, e 2 successors(c; J; a) i there exists #e 0 in Unf, which is M-loc-equivalent to #e, and C?! a J #e 0. The procedure works as follows. Assume there exists at least one e 0 anywhere in Unf with C?! a J #e 0 ; then there are two possibilities: (1) One of these e 0 lies in the prex. This is easy to determine. The corresponding 12

13 type Vertex = f C: Conguration; J: LocationSet; a: ActionLabel; pathmark: bool ; (* for depth rst search *) g prex successors(c; J; a) = f#corr(e) j e 2 E Fin ^ C?! a J #eg inheritable extension(c; e; J; a) = (8i 2 J: (#e n C) \ E i = ;) (* predicate ensuring, that joining #e to C adds no i-events for i 2 J *) compatible cutos(c) = fe j e is cut-o and #e [ C is a conguration in Fing proc successors(c; J; a): CongurationSet; f var result: CongurationSet; (* result accumulator for the current vertex *) Vertex v := ndvertex(c,j,a); (* lookup in hash table, if not found then *) (* create new vertex with pathmark = false *) if v.pathmark then return ;; (* we have closed a cycle *) result := prex successors(c; J; a); (* directly accessible successors *) v.pathmark:=true; (* put vertex on path *) for e c 2 compatible cutos(c) do (* nd successors outside the prex behind e c *) if inheritable extension(c; e c; J; a) then result := result [ successors(shift (C [ #e c); J; a); od ; v.pathmark:=false; (* take vertex from path *) return result; g proc ComputeT Fin; f InitializeTransitionSystem(ts,Fin) (* extract state space from F in *) for e 2 E Rep; a 2 Act; ; 6= J I do for #e 0 2 successors(#e,j,a) do add transition #e a J?!#e 0 g od od Fig. 3. The conceptual algorithm to compute T Fin event corr(e 0 ) 2 E Rep is given back by prex successors(c; J; a). (2) There exist such events e 0, but none of them lies in the prex. The reason for e 0 =2 E Fin is the existence of a cut-o e c 2 E Fin, such that e c e 0. So we can do a case analysis over the compatible cut-os. A cut-o e c is compatible with C if it is not in conict with C, i.e., #e c [ C is a conguration in Fin. If there is a compatible e c, such that (#e c n C) \ E i = ; for all i 2 J then for at least a one of them, we have (C [ #e c )?! J #e 0. In this case we inherit the transition C?! a J #e 0. 13

14 In the second case, we loop over all compatible cut-os e c looking at the conguration C c := C [ #e c. If the J-local a-successors of C c are J-local a- successors of C (determined by inheritable extension(c; e c ; J; a)) we want to search for the successors(c c ; J; a). But if any J-local a-successor e 0 of C c exists, then there also exists a bisimilar e 00 for C := shift (C c ) (by the isomorphism), where moreover #e 00 is smaller than #e 0. So successors is recursively called with (C ; J; a). Note that C contains no cut-o. Hence we apply depth-rst search with respect to triples (C; J; a). Cycles may occur (if we hit a triple (C; J; a) with pathmark= true), at which we break o to ensure termination. Note that the search space is limited by the fact that C is represented in Fin and does not contain cut-os. It remains to show that the termination is correct: Assume a J-local a- successor e 0 of C exists. Then we choose from all these suitable successors a minimal one named e min. Whenever a conguration (C [ #e c ) is shifted with shift to obtain a conguration C 0 for the next call of successors, also e min is shifted to a strictly smaller e 0 min. Thus in case we hit a conguration C twice, when searching for J-local a-successors, e min is mapped by the various shift s to a strictly smaller event e min which contradicts the minimality of e min. Thus whenever a conguration is investigated a second time for J-local a-successors, we know that there cannot be one. The main procedure ComputeT Fin thus only has to loop about all possible triples (#e; J; a) with e 2 E Rep to check for transitions #e?!#e aj 0 in T Fin and to insert the results of successors. Concluding the above discussion, we obtain: Theorem 5. The algorithm ComputeT Fin computes T Fin. Note that at top level, successors is only called with local congurations C, but the extension of C with cut-os requires that we can also handle some global congurations. Further note that we present the algorithm in Fig. 3 with emphasis on understandability, not eciency: many vertices (C; J; a) will be explored very often, leading to an unsatisfying runtime. However it is very easy to modify the algorithm so that every vertex is explored at most once, essentially by storing intermediate results with the vertices in the hash-table. Then the runtime of the algorithm is proportional to the size of the search space. Since we have to deal with some global congurations, in principle the search space can grow to the size of the global state space times the number of the transitions of the original net, but no larger. However it can very well be, that the number of visited global states remains small compared to the number of all global states existing. Only practical experiments can give an answer here. Heuristic improvements. Apart of the improvements mentioned above, the algorithm also allows for several heuristic improvements to save unnecessary computation. For instance, it is impossible that a state #e has any a J -successor if the J-places in M(#e) are not contained in t for any a-labelled transition t of the original net, and thus successors(#e; J; a) need not to be called. Moreover, 14

15 the algorithm can be combined with on-the-y algorithms (sometimes called local model checking), by only calling successors, when the model checker needs to nd the a J -successors of some state. 6 Conclusion We introduced a distributed version of the -calculus and showed its use in describing branching time properties of distributed algorithms based on local states. We reduced the model checking problem for the distributed -calculus to the well-investigated model-checking problem of sequential logics over transition systems. How expensive is all this? The computation of T Fin can be as costly as generating the global state space (although we believe that often it will be much cheaper), the resulting system T Fin is typically much smaller than the global transition system. The transformation of the formulae is for free. So the cost of computing T Fin does not aect the runtime of the standard model checker in the next phase. However, practical experiments are necessary. At the time of submission, a prototype implementation of our algorithm for computing T Fin is almost available. We expect to be able to present rst results very soon. Independently, Penczek [Pen97] suggested a model checker for a future fragment of his event structure logic DESL. Instead of using net unfoldings, Penczek relies on partial order methods in the generation of a nite representation of the event structure. The causal future operators of DESL as considered in [Pen97] can easily be treated by the algorithm we proposed here by changing the modalities and the successor relation accordingly. At the price of the restriction to free-choice systems, in [Pen97] also an immediate conict operator is handled. Acknowledgment. We thank P.S. Thiagarajan for discussions on location based logics. Burkhard Graves has helped our understanding of the subtleties of Fin. Special thanks to Javier Esparza, whose contribution to this work in its initial phase was very important. References [CES86] [CS93] E.M. Clarke, E.A. Emerson, and A.P. Sistla, Automatic verication of nitestate concurrent systems using temporal logic specications, ACM Transactions on Programming Languages and Systems 8 (1986), no. 2, 244{263. Rance Cleaveland and Bernhard Steen, A linear time model-checking algorithm for the alternation-free modal mu-calculus, Formal Methods in system Design 2 (1993), 121{ 147. [Eng91] J. Engelfriet, Branching processes of Petri nets, Acta Informatica 28 (1991), 575{591. [ERV96] J. Esparza, S. Romer, and W. Vogler, An Improvement of McMillan's Unfolding Algorithm, Tools and Algorithms for the Construction and Analysis of Systems TACAS '96 (Passau, Germany) (T. Margaria and B. Steen, eds.), LNCS, vol. 1055, Springer, 1996, pp. 87{

16 [Esp94] J. Esparza, Model checking using net unfoldings, Science of Computer Programming 23 (1994), 151{195. [GW91] P. Godefroid and P. Wolper, A Partial Approach to Model Checking, Proceedings of the 6th IEEE Symposium on Logic in Computer Science (Amsterdam), July 1991, pp. 406{415. [HNW96] M. Huhn, P. Niebert, and F. Wallner, Put your model checker on diet: veri- cation on local states, Technical Report TUM-I9642, Technische Universitat Munchen, December [Koz83] Dexter Kozen, Results on the propositional -calculus, TCS 27 (1983), 333{ 354. [LRT92] K. Lodaya, R. Ramanujam, and P.S. Thiagarajan, Temporal logics for communicating sequential agents: I, Int. Journal of Foundations of Computer Science 3 (1992), no. 2, 117{159. [LT87] K. Lodaya and P.S. Thiagarajan, A modal logic for a subclass of event structures, Automata, Languages and Programming (T. Ottmann, ed.), LNCS, vol. 267, Springer, 1987, pp. 290{303. [McM92] K.L. McMillan, Using unfoldings to avoid the state explosion problem in the verication of asynchronous circuits, Proceedings of the 4th Workshop on Computer Aided Verication (Montreal), 1992, pp. 164{174. [Mil89] R. Milner, Communication and concurrency, Prentice Hall, [MT89] M. Mukund and P.S. Thiagarajan, An axiomatization of event structures, Foundations of Software Technology and Theoretical Computer Science (C.E. Veni Madhavan, ed.), LNCS, vol. 405, Springer, 1989, pp. 143{160. [Nie95] Peter Niebert, A -calculus with local views for systems of sequential agents, MFCS, LNCS, vol. 969, [NPW80] M. Nielsen, G. Plotkin, and G. Winskel, Petri nets, event structures and domains, Theoretical Computer Science 13 (1980), no. 1, 85{108. [Pel93] Doron Peled, All from one, one for all: on model checking using representatives, Computer Aided Verication CAV, LNCS, [Pen97] W. Penczek, Model-checking for a subclass of event structures, TACAS, 97, [Rei85] [Sti92] [Thi94] [Thi95] [Val91] [Wal95] to appear. W. Reisig, Petri Nets, EATCS Monographs on Theoretical Computer Science, vol. 4, Springer, Colin Stirling, Modal and temporal logics, Handbook of Logic in Computer Science (S. Abramsky, D. Gabbay, and T. Maibaum, eds.), Oxford University Press, P.S. Thiagarajan, A Trace Based Extension of PTL, Proceedings of the 9th IEEE Symposium on Logic in Computer Science, P.S. Thiagarajan, A Trace Consistent Subset of PTL, Proceedings of CON- CUR '95 (Philadelphia, P.A., USA) (I. Lee and S.A. Smolka, eds.), LNCS, vol. 962, Springer, 1995, pp. 438{452. A. Valmari, Stubborn Sets for Reduced State Space Generation, Advances in Petri Nets 1990 (G.Rozenberg, ed.), LNCS, vol. 483, Springer, 1991, pp. 491{ 515. Rolf Walter, Petrinetzmodelle verteilter Algorithmen { Beweistechnik und Intuition, Ph.D. thesis, Humboldt-Universitat zu Berlin, Institut fur Informatik, 1995, edition VERSAL, W. Reisig (Hrsg.), Dieter Bertz Verlag. 16