
On the contrary, if we decide to construct a CFSM process only for $p_1$ and discard $p_2$, then the resulting ILP problem is the same as the ILP problem in Inequalities (7.23) except that the $\sum_{i=1}^{n} \mathit{eff}(c_i)\cdot x'_i$ part is missing on the left hand sides of the inequalities, as shown below.

$$\cdots + \sum_{i=1}^{n} \mathit{eff}(c_i)\cdot x_i + \cdots > \bar{0} \qquad (7.24)$$

We show that there is a solution to the ILP problem in Inequalities (7.23) if and only if there is a solution to the ILP problem in Inequalities (7.24).

If there is a solution to the former ILP problem in which $x_i = v_i$ and $x'_i = v'_i$, then we can construct a solution to the latter ILP problem by assigning $(v_i + v'_i)$ to each $x_i$ and copying the values of the other variables from the solution to the former ILP problem. If there is a solution to the latter ILP problem in which $x_i = v_i$, then we can construct a solution to the former ILP problem by assigning $v_i$ to $x_i$, assigning $0$ to $x'_i$, and copying the values of the other variables from the solution to the latter ILP problem. Therefore, if we are interested in no more than determining the buffer boundedness of a Promela model, then we need only construct one CFSM process for all identical copies of the same proctype. This improves the efficiency of the analysis because it reduces the size of the boundedness determination ILP problem. A similar argument applies to the determination of livelock freedom.

However, if we want to estimate buffer bounds for a Promela model, then we must not disregard any of the identical instances of a proctype. This is because more identical instances contribute more message passing effects of acyclic paths of the respective proctype. Nevertheless, we can still construct only one CFSM process for all identical processes of some proctype $p$ and remember the replication factor of $p$, i.e., the number of identical copies of the Promela process. In this way, we multiply the acyclic path contribution of $p$ by its replication factor in the over-approximation of the acyclic path effect of the overall system.

7.4 Buffer Assignments

The buffer names declared in a Promela model are actually variables of the type chan. Each buffer variable keeps a pointer to an actual FIFO message queue at runtime. The queue that a buffer variable currently points to can be changed through buffer assignments. Consider the Promela model in Listing 7.4. The buffers ch1 and ch2 initially point to two different message queues that are assigned to them at the beginning of the execution. However, after the

1   mtype = {msg1};
2
3   chan ch1 = [2] of {mtype};
4   chan ch2 = [2] of {mtype};
5
6   active proctype P(){
7     ch1 = ch2;
8     ch1 ! msg1;
9
10    do
11    :: ch1 ? msg1 ->
12       ch2 ! msg1;
13       ch2 ! msg1;
14    od
15  }

Listing 7.4: A Promela model with buffer assignments.

assignment at Line 7, ch1 points to the same queue that ch2 points to, and the queue that ch1 originally pointed to is simply discarded. It is easy to see that the remaining queue, to which both buffer variables now point, is then flooded by messages msg1: every msg1 received at Line 11 is answered by two msg1 messages sent into the same queue at Lines 12 and 13.

A simple abstraction dealing with buffer assignments works as follows. Wherever we find a buffer assignment ch1 = ch2 anywhere in the model, we no longer distinguish messages exchanged in ch1 and ch2. More precisely, let $R$ be the set of message receiving statements with constant message fields that we collect in the model. Let $R_{ch1}$ and $R_{ch2}$ contain all statements in $R$ that receive messages from ch1 and ch2 respectively. We modify the coverage set of each statement in $R_{ch1}$ and $R_{ch2}$ in the following way: For any statement $s \in R_{ch1}$, we construct a set of messages $M_s^{ch2}$ from $M_s$ by replacing the buffer name ch1 in all messages in $M_s$ with the buffer name ch2. Then, the new coverage set of $s$ is the union of $M_s^{ch2}$ and $M_s$. The new coverage sets of statements in $R_{ch2}$ can be obtained in a similar way, with the roles of ch1 and ch2 exchanged. For identifying message types jointly for ch1 and ch2, we use the new coverage sets of the statements in $R_{ch1} \cup R_{ch2}$ to partition the set $M_{ch1} \cup M_{ch2}$. Any subset in the partition is identified as a message type.

Furthermore, consider a statement $s$ that sends a message to (or receives a message from) ch1 or ch2. In order to determine the message passing effects of $s$, we also construct its new coverage set in the same way as in the message type identification. A type $m$ of messages can be sent (or received) by $s$ if the intersection of the new coverage set and $m$ is non-empty. As an example, the new coverage set of the only message receiving statement (Line 11) in Listing 7.4 is $M_s = \{\langle ch1, msg1\rangle\} \cup \{\langle ch2, msg1\rangle\}$. As a result, there is only one identified message type, namely $M_s$ itself. The message sending statement at Line 12 has the same new coverage set as $M_s$, and it can therefore send a message of the type $M_s$.

Since we abstract from message orders, the above abstraction is an over-approximation. We omit the formal proof for this argument. The intuition is that not distinguishing messages in two message buffers results in the merging of certain inequalities in the resulting buffer boundedness or livelock freedom determination ILP problem.

mtype = {msg1};

chan ch1 = [2] of {mtype};
chan ch2 = [2] of {mtype};

active proctype P(){
  ch1 ! msg1;

  do
  :: ch1 ? msg1 ->
     ch2 ! msg1;
     ch2 ! msg1;
  od

  ch1 = ch2;
}

Listing 7.5: A Promela model with buffer assignments.

The proposed abstraction is also relatively coarse because a buffer assignment does not necessarily affect all parts of the model. Consider the Promela model in Listing 7.5, which is the same as the model in Listing 7.4 except that the buffer assignment occurs after the do loop. Since the do loop contains no break statement, control never leaves it, and the buffer assignment ch1 = ch2 can never be executed. The assignment therefore does not affect the loop, in which ch1 and ch2 still point to separate queues. The coarse abstraction nevertheless merges the two buffers for the whole model.

We propose a finer over-approximation based on strongly connected components (or SCCs). An SCC in a directed graph is a maximal subgraph in which any vertex is reachable from any other vertex. By collapsing all the vertices in the same SCC into a single vertex, we obtain a directed acyclic graph (or DAG). In the DAG each vertex denotes an SCC in the original graph. Let $C_1$ and $C_2$ be two strongly connected components in the original graph. If there is an edge from one of the states in $C_1$ to one of the states in $C_2$, then there is an edge from the vertex in the DAG that corresponds to $C_1$ to the vertex corresponding to $C_2$. Given a Promela process that contains buffer assignments, we derive the DAG from the control flow graph of the process. A buffer assignment in some SCC can only affect that SCC itself and those SCCs reachable from it in the DAG. For parallel processes, a buffer assignment in one process can affect every part of every other process running in parallel. Based on this idea, we can use a finer abstraction in which we still identify message types separately for two buffers ch1 and ch2 that may point to the same message queue in the model.

Consider a buffer assignment ch1 = ch2 in a strongly connected component $C$. For any statement $s$ that sends messages to or receives messages from ch1 or ch2, if $s$ is in an SCC that can be affected by $C$, then we construct the new coverage set of $s$ in the same way as in the previous, coarser abstraction in order to determine its message passing effects. Otherwise, we still use the original coverage set $M_s$ to determine message passing effects.
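The following Python program is an added illustration of both abstractions of this section, the coarse one that merges ch1 and ch2 everywhere and the SCC-refined one that merges them only in components the assignment can affect; it is not the thesis author's tool. The encoding of a process (statements keyed by source line, a hand-built control flow graph over those lines) and the two models transcribed from Listings 7.4 and 7.5 are constructed here. It assumes that two messages belong to the same message type iff exactly the same receiving statements cover them, which is what the partition described above yields for the examples. Assignments in other parallel processes are passed separately and applied to every statement, as the text requires.

```python
"""Coverage-set abstraction for Promela buffer assignments (Section 7.4).

Added example: coarse merging versus SCC-refined merging of the coverage
sets of send/receive statements.  Models below are hand-transcribed from
Listings 7.4 and 7.5; the control-flow edges are constructed by hand.
"""
from collections import defaultdict


def tarjan_scc(succ):
    """Tarjan's algorithm.  succ: node -> successors.  Returns node -> SCC id."""
    index, low, on_stack, stack, comp = {}, {}, set(), [], {}
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a finished SCC
            cid = len(set(comp.values()))
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp[w] = cid
                if w == v:
                    break

    for v in list(succ):
        if v not in index:
            visit(v)
    return comp


def affected_sccs(succ, comp, node):
    """SCCs an assignment at `node` can affect: its own SCC and every SCC
    reachable from it (reachability in the condensation DAG is the same as
    reachability between member nodes of the original graph)."""
    seen, todo = set(), [node]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(succ.get(v, ()))
    return {comp[v] for v in seen}


def merged_coverage(cov, aliases):
    """New coverage set M_s^{ch2} u M_s: for an assignment ch1 = ch2 every
    <ch1, msg> in M_s is also present as <ch2, msg>, and vice versa."""
    out = set(cov)
    for ch, msg in cov:
        for a, b in aliases:
            if ch == a:
                out.add((b, msg))
            elif ch == b:
                out.add((a, msg))
    return frozenset(out)


def analyze(stmts, assigns, succ, refined, foreign_assigns=()):
    """Return ({line: new coverage set}, [message types]).

    stmts:   line -> (kind, channel, set of constant message fields), kind in
             {'send', 'recv'}
    assigns: line -> (lhs, rhs) for each buffer assignment lhs = rhs in this process
    succ:    control flow graph of the process, line -> successor lines
    refined: False = coarse abstraction (merge everywhere);
             True  = merge only in SCCs the assignment can affect
    foreign_assigns: assignments of other parallel processes, applied everywhere
    """
    comp = tarjan_scc(succ)
    new_cov = {}
    for line, (kind, ch, msgs) in stmts.items():
        cov = {(ch, m) for m in msgs}                        # original M_s
        aliases = list(foreign_assigns) + [
            pair for a_line, pair in assigns.items()
            if not refined or comp[line] in affected_sccs(succ, comp, a_line)]
        new_cov[line] = merged_coverage(cov, aliases)
    # Message type identification: partition all <ch, msg> pairs by the set
    # of receiving statements whose new coverage set contains them.
    messages = set().union(*new_cov.values()) if new_cov else set()
    classes = defaultdict(set)
    for ch_msg in messages:
        receivers = frozenset(l for l, (k, _, _) in stmts.items()
                              if k == 'recv' and ch_msg in new_cov[l])
        classes[receivers].add(ch_msg)
    return new_cov, [frozenset(t) for t in classes.values()]


# Listing 7.4: the assignment (line 7) precedes the loop, so the loop's SCC
# is reachable from it.
L74_STMTS = {8: ('send', 'ch1', {'msg1'}), 11: ('recv', 'ch1', {'msg1'}),
             12: ('send', 'ch2', {'msg1'}), 13: ('send', 'ch2', {'msg1'})}
L74_ASSIGN = {7: ('ch1', 'ch2')}
L74_CFG = {7: [8], 8: [11], 11: [12], 12: [13], 13: [11]}

# Listing 7.5: the assignment follows a do loop without break, so no edge
# enters its node and the loop's SCC is not reachable from it.
L75_STMTS = {7: ('send', 'ch1', {'msg1'}), 10: ('recv', 'ch1', {'msg1'}),
             11: ('send', 'ch2', {'msg1'}), 12: ('send', 'ch2', {'msg1'})}
L75_ASSIGN = {15: ('ch1', 'ch2')}
L75_CFG = {7: [10], 10: [11], 11: [12], 12: [10], 15: []}

if __name__ == '__main__':
    for name, model in (('7.4', (L74_STMTS, L74_ASSIGN, L74_CFG)),
                        ('7.5', (L75_STMTS, L75_ASSIGN, L75_CFG))):
        for refined in (False, True):
            cov, types = analyze(*model, refined=refined)
            print(f"Listing {name}, {'refined' if refined else 'coarse'}: "
                  f"{len(types)} message type(s), types={sorted(map(sorted, types))}")
```

For Listing 7.4 both abstractions identify the single message type {⟨ch1, msg1⟩, ⟨ch2, msg1⟩}; for Listing 7.5 the coarse abstraction still merges the two buffers, whereas the refined one keeps the loop statements' original coverage sets and identifies two message types, so the unreachable assignment no longer blurs the analysis of the loop.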