Model checking with Message Sequence Charts

Model checking withMessage Sequence Charts Doron Peled Collaborators: R. Alur, E. Gunter, G. Holzmann, A. Muscholl, Z. Su Department of Computer ScienceUniversity of Warwick

MSCs • An ITU standard notation (Z120). • Visual + Textual forms. • Specifies behaviors of communication protocols. • Existing algorithms + tools.

MSC visual notation P1 P2 P3 M1 M2 M3 M4 M5 M6

msc MSC; inst P1: process Root, P2: process Root, P3: process Root; instance P1; out M1 to P2; in M5 from P2; in M6 from P3; endinstance; instance P2; in M1 from P1; out M2 to P3; out M3 to P3; in M4 from P3; out M5 to P1; endinstance; MSC Textual form instance P3; in M2 from P2; in M3 from P2; out M4 to P2; out M6 to P1; endinstance; endmsc; P1 P2 P3 M1 M2 M3 M4 M5 M6

Partial order semantics M1 s r M2 s r P1 P2 P3 M1 M2 M3 s M3 r M4 s M4 M5 r M6 s s M5 M6 r r

P1 P2 P3 P1 P2 P3 approve connect P1 P2 P3 P1 P2 P3 fail req_service report HMSCs

An execution: infinite or maximal A B Execution: ACACD approve connect connect fail report connect fail fail Req_service report report Req_service C D

Visual semantics • Sends before corresponding receives. • Events on the same process line execute in order of appearance, from top to bottom.

Visual order (wysiwyg) • If some event (send, receive) is higher on the line than another, it comes first. • Sends precede matching receives. P1 P2 P3 M1 M2 M3 M4 M5 M6

Visual order (wysiwyg) M1 s r M2 s P1 P2 P3 r M1 M2 M3 M3 s M4 r M5 s M4 M6 r s s M5 M6 r r

Causal Order and Races P1 P2 P3 M1 • Sends before matching receive. • Receive or sends before sends of same process. • Two receives on the same process sent from the same process. M2 M3 M4 M5 M6 Races: check if every pair of events ordered by the visual order appears in the transitive closure of the causal order.

Races P1 P2 P3 P1 P2 P3 M1 M1 M2 M2 M3 M3 M4 M4 M5 M6 M6 M5

P1 P2 P3 M1 M2 M3 M4 M5 M6 Finding races: P1 P2 P3 M1 M2 M3 M4 M5 Rules: order between - receive and a later send. - two sends from same process. - send and corresponding receive. -fifo order. M6

Causal Order M1 s r M2 s r P1 P2 P3 M1 M2 M3 s M3 M4 r M5 s M4 M6 r s s M5 M6 r r

Calculating the transitive closure • Structure (E, R). • E – Events, R  E  E. • R* The transitive closure. Defined asfollows:a R*b if there is a sequencex1 x2 … xn where a=x1, b=xn,and xi R xi+1 for 1i<n. • Complexity: cubic. In our case: quadratic (every event has 1 or 2 successors).

P1 P2 [2,4] [3,5] [7,10] [2,3] Can also deal with time Use time differencematrices.

Races in HMSCs. Definition For each HMSC M execution Ex, define thelinearizations according to the visual orderlinvis(Ex) and the linearizations according to the causal order lincaus(Ex). Extend to all executions: linvis(Ex) and lincaus(Ex). • Always linvis(Ex)  lincaus(Ex). • Races: when linvis(Ex)  lincaus(Ex).

Mazurkiewicz Traces Alphabet {a,b,c} Independence: aIb, bIc Equivalence classes of words (denoted usingrepresentatives):[aabb]=[abba] Regular trace language: can be defined usingconcatenation, star, union, intersection. Note: [ab]* is not recognizable (by automata).

P1 P2 P3 connect fail report connect fail report connect approve Visual concatenation A B P1 P2 P3 P1 P2 P3 approve connect P1 P2 P3 P1 P2 P3 fail req_service report Execution: concatenation of a maximal path in the HMSC. C D

P1 P2 Other problems…Global decision M1 M2 P1 P2 + =? What if one process will start to behave according to M1 and the other will start according to M2?

Races for HMSCs • Undecidable [MP99] • Translate to language theory of traces, which are closed w.r.t. commuting certain pairs of letters. • Intuition: moving from visual to causal semantic introduces more commutations:Two receives on the same process line (from different processes) are dependent on visual and independent on causal order. • Reduction to universality of trace languages (things are independent with causal semantics). Independent Language L Independent

Model checking • Write both specification and system as HMSCs. Do concatenation. • Write specification in LTL. Interpret over the linearizations of the partial orders. • In both cases: undecidable.

Post Correspondence Problem • List of pairs:w1:(aab,aa), w2:(aba,ab), … wn:(a,bb).Want to find if we find a set of indexesi1, i2, …, ik, such that concatenatingthe lefthand words and concatenatingthe righthand words is the same. • Supose we take indexes 1, 2, n, 1. We get: • lefthand: aab aba a aab • righthand: aa ab bb aa

P5 P6 P5 P6 P1 P2 P5 P6 P5 P6 PCP reduction Letter match Word match a b P1 P2 P1 P2 P1 P2 a b a a b b b b P3 P4 P3 P4 P3 P4 P3 P4 w1 w2 w2 w1 (aab,bb), (ab,bab),...

Some solutions: • Obtain decidability under the following condition [MP99,AY99]:Every HMSCs cycle covers a strongly connected component in the communication graph. An edge exist from a process Pi to a process Pj if there is a communication from Pi to Pj. • The specification HMSCs allows any additional gaps [MPS98]. • Put limit on message queues [Holzmann]

Problem with describing protocols P1 P2 s1 t1 P1:snd s2 P2:snd P2:rcv P1:snd t2 P1:rcv s3

Problem with describing protocols P1 P2

P1 P2 Solution: Compositional HMSCs P1 P2

a b w3 a Even emptiness is undecideable! (E1+E2+…+Em)+ (G1+G2+…+Gm)+ F b b w2 a E3 G2 F

Left closed CHMSCs • Does not allow unmatched receive event that is not yet matched by a previous unmatched send. • HCMSC is realizable if every path is matched. • Can be checked in polynomial time using a nondeterministic stack machine.

What can go wrong? More unmatched receives than sends. The kth unmatched send before a mathced pair, the kth receive after. The kth unmatched send has name C, the kth unmatched receive has name D. How to check with a stack machine for each pair of processes? 1+2: Push a £ for each unmatched send, pop a £ for each unmatched receive. 3: Guess that it’s a name mismatch upon seeing an unmatched send.Ignore further sends. Pop £ as usual for receives, until corresponding receive occurs. How to check for realizability?

Any finite state protocol can be translated. Trivial translation: any transition in finite state graph makes one CHMSC node, with possibly an unmatched message. This does not give more information than finite state graph. Try to optimize: take some paths. Break graph into cycle free paths (e.g., using DFS and back arrows). Use partial order reduction (sleep sets) to minimize number of paths. Now we can translate finite state protocols to CHMSCs

P1 P2 P3 M1 M2 M3 M4 M5 M6

The logic TLC [APP] over MSCs. Label events with propositions. P1 P2 P3 M1 Nexttime: O p P1 P2 P3 M2 M1 p M2 M3 p M3 M4 M4 M5 M6 M5 M6 p

¬O ¬p P1 P2 P3 M1 P1 P2 P3 M2 M1 p M2 M3 p p M3 p M4 M4 M5 M6 M5 M6 p

O p P1 P2 P3 M1 P1 P2 P3 M2 M1 M2 M3 M3 M4 M4 M5 M6 p M5 M6 p p

Until: pUq P1 P2 P3 M1 M2 p P1 P2 P3 M1 p M3 M2 p p p M3 p q M4 M4 p p q M5 M6 M5 M6 p p p p q true U q = <>q

¬(trueU¬p) = p P1 P2 P3 M1 M2 p P1 P2 P3 M1 p M3 p M2 p p p M3 p p M4 M4 p p p p M5 p p M6 p p M5 p p p M6 p p p p p p p p

Some specifications (req --> <> ack) Every request is followed by acknowledge. ¬<>(transA /\ <> (transB /\ <>transA)) Transaction B cannot interfere with transaction A. (beginA --> O (transA U finishA )) The execution of transaction A is not interrupted by any other event.

connect approve fail Req_service report HMSC linearizations

P1 P2 P3 M1 1 2 M2 3 5 M3 4 6 M4 7 8 M5 10 9 11 M6 12 Intuition behind algorithm for Op Aut. with 2 successors relations. There are two cases: - p holds for matching receive. Then use 2nd successor rel. - p holds for successor in proc. Then wait to see event of same process. Intersect: System autom. (linearizations) Property autom. (of ¬prop) 1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 8 9 9 10 10 11 11 12 12

Overview MSC Findingraces Finite, one scenario HMSC Undecidable linear model checking Bounded HMSC ConnectedcommunicationHMSC Partial order model checking Cannot express behavior of some protocols CHMSC Emptiness undecidable Realizable CHMSC Checking realizability

Visual notation have advantages over textual representation. MSCs is a standard for describing concurrent interactions. MSCs are based on partial order semantics. MSCs raise many interesting research problems, e.g., race condition. Model checking for MSCs is undecidable [GP,AY]. TLC model checking is based on partial order semantics and is decidable. Some extensions to the MSC standard are useful, e.g., CHMSCs, LSCs. Conclusions

Model checking with Message Sequence Charts

Model checking with Message Sequence Charts

Presentation Transcript

Software Model Checking with SLAM

Model Checking

Model Checking

Model checking

Model checking with Message Sequence Charts

Message Sequence Chart

Software Model Checking with SMT

Sequence Charts

Model Checking

Model Checking

Model checking

Model Checking

Model Checking

Analysis of Message Sequence Charts

Executable Specifications using Message Sequence Charts

Model Checking

Model Checking

Model Checking

Message Sequence Charts simulation

Interpolation-Sequence Based Model Checking

Model Checking

Model checking