
Communicating Finite State Machines

Communicating Finite State Machines (CFSMs) [26] are natural models for asynchronous reactive systems. Many modeling languages can be seen as being based on CFSMs, including Statecharts [65], Estelle [110], SDL [101], Promela [68], and UML-RT [106], among others. Therefore, we choose CFSMs as the initial abstract formalism for all the modeling languages to which our verification framework applies.

Intuitively, a CFSM system consists of a set of concurrently running processes. The behavior of each process is captured by a state machine. The concurrency of processes is captured at the semantic level of CFSMs by the interleaving of process executions. Processes exchange messages with each other asynchronously over a set of message buffers. Message buffers are interpreted at the semantic level as unbounded FIFO message queues. A sender process continues its local execution after sending a message to a buffer, and a receiver process is blocked when it tries to receive a message that is not available in the respective buffer.

We formally define the syntax and semantics of CFSMs to keep this presentation self-contained. We change some parts of the definition in [26] so that the modeling languages considered in this thesis can be abstracted to CFSMs conveniently.

Definition 3.1 (Communicating Finite State Machines). A system of communicating finite state machines (CFSM) is a quadruple $(P, M, B, \mathit{succ})$ where

• $P$ is a finite set of processes. Each process $p_i$ is a pair $(S_i, s_i^0)$ where $S_i$ is a finite set of states of $p_i$ and $s_i^0 \in S_i$ is the initial state. For any two different processes $p_i$ and $p_j$, we put the restriction that $S_i \cap S_j = \emptyset$, i.e., their sets of states are disjoint.

• $M$ is a finite set of message symbols.

• $B$ is a finite set of message buffers. Each buffer is associated with a subset of message symbols $M' \subseteq M$ such that only the messages in $M'$ can be exchanged in the buffer. Moreover, for each buffer $b \in B$ and each message symbol $m$ in the subset of $M$ associated with $b$, we call $(b, m)$ a message type.

• $\mathit{succ}$ is a finite set of local transitions $(s, e, s')$ where $s$ and $s'$ are states of the same process $p_i$, and $e$ is either empty or a message passing event of the form $b!m$ or $b?m$ such that (1) $b \in B$ and (2) $m \in M$ can be exchanged in the buffer $b$.

Example 3.1. One simple example of CFSMs is shown in Figure 3.4, which consists of two processes named client and server.

[Figure 3.4: A simple CFSM system. Process client has the states $s_{11}$ and $s_{12}$ and transitions labeled $\mathit{toS}!\mathit{req}$ and $\mathit{toC}?\mathit{reply}$; process server has the states $s_{21}$ and $s_{22}$ and transitions labeled $\mathit{toS}?\mathit{req}$ and $\mathit{toC}!\mathit{reply}$.]

Semantics. The semantics of CFSMs is defined using the concepts of configurations and reachability.

Definition 3.2 (Configuration). Given a CFSM system $(P, M, B, \mathit{succ})$, a configuration (or global state) of the system is a tuple $(s_1, \ldots, s_{|P|}, q_1, \ldots, q_{|B|})$ such that

• each $s_i$ is a state of the process $p_i$, and

• each $q_i$ is a queue of messages exchangeable in the buffer $b_i$.

A configuration of a CFSM system does not only contain the information of which local state each process is currently at, but also the information of the content of each message buffer, denoted as a message queue. Since message buffers have unbounded capacities, there may be an infinite number of configurations of the system. The initial configuration $c_0$ is where each process is at its initial state and all message buffers contain an empty queue.

We define an auxiliary function $\mathit{upd}$ to update the contents of message buffers according to the message passing event of a transition. We need the $\mathit{upd}$ function in the definition of reachability. Intuitively, the function $\mathit{upd}$ restricts message queues to be first-in-first-out: When a new message is sent to a buffer, the message is attached to the end of the queue. Moreover, only the top message in a buffer can be received. Given a configuration $(s_1, \ldots, s_{|P|}, q_1, \ldots, q_{|B|})$, and assuming that the buffer $b_i$ corresponds to the message queue $q_i$, we define

$$
\mathit{upd}(q_i, e) =
\begin{cases}
q_i . m, & \text{if } e \text{ is } b_i!m; \\
q \text{ where } q_i = m . q, & \text{if } e \text{ is } b_i?m; \\
q_i, & \text{otherwise.}
\end{cases}
$$

and

$$
\mathit{upd}(q_1, \ldots, q_{|B|}, e) = (\mathit{upd}(q_1, e), \ldots, \mathit{upd}(q_{|B|}, e)).
$$

Consider two configurations $c_1$ and $c_2$. Let $c_1 = (s_1^1, \ldots, s_{|P|}^1, q_1^1, \ldots, q_{|B|}^1)$ and $c_2 = (s_1^2, \ldots, s_{|P|}^2, q_1^2, \ldots, q_{|B|}^2)$. We define that $c_2$ is a successor of $c_1$, denoted by $c_1 \Rightarrow c_2$, if the following is satisfied:

• There exists a process $p_i \in P$ such that (1) for all $j \neq i$ we have that $s_j^1 = s_j^2$; and (2) $(s_i^1, e, s_i^2) \in \mathit{succ}$.

• $\mathit{upd}(q_1^1, \ldots, q_{|B|}^1, e) = (q_1^2, \ldots, q_{|B|}^2)$.

Let $\Rightarrow^+$ be the reflexive and transitive closure of $\Rightarrow$. A configuration $c'$ is reachable from another configuration $c$ if $c \Rightarrow^+ c'$. In particular, $c$ is defined to be a reachable configuration if it is reachable from the initial configuration $c_0$. An execution of the CFSM system is a sequence of configurations $\langle c_0, \ldots, c_i, \ldots \rangle$ such that $c_i \Rightarrow c_{i+1}$ for each $c_i$ in the sequence. An execution can be finite or infinite. The relation $\Rightarrow^+$ essentially defines a reachability graph for a CFSM system, and every finite or infinite path from the initial configuration in the graph is a possible execution of the system. Figure 3.5 shows the reachability graph of the previous simple client-server example in Figure 3.4. While this example system has a finite reachability graph and contains only 4 configurations, a CFSM system in general may have an exponential or even infinite number of reachable configurations due to unbounded message buffers.

[Figure 3.5: The reachability graph of the CFSM system in Figure 3.4. Its four configurations are $(s_{11}, s_{21}, \langle\rangle, \langle\rangle)$, $(s_{12}, s_{21}, \langle\rangle, \langle \mathit{req} \rangle)$, $(s_{12}, s_{22}, \langle\rangle, \langle\rangle)$ and $(s_{12}, s_{21}, \langle \mathit{reply} \rangle, \langle\rangle)$.]
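The successor relation and the $\mathit{upd}$ function defined above, applied to the client-server system of Figure 3.4, as an added Python example (not code from the thesis). The encoding of the transitions, including their directions, is read off the configurations in Figure 3.5; the `bound` argument is an addition of this example that cuts off queues longer than a given length, since a breadth-first exploration would otherwise not terminate on a system whose reachability graph is infinite.

```python
from collections import deque

# Constructed encoding of the Figure 3.4 system (transition directions read off Figure 3.5).
# client: s11 --toS!req--> s12 --toC?reply--> s11;  server: s21 --toS?req--> s22 --toC!reply--> s21
INITIAL = ("s11", "s21")                       # initial state of each process, in process order
BUFFERS = ("toC", "toS")                       # queue order used in the configuration tuple
SUCC = [("s11", ("toS", "!", "req"), "s12"), ("s12", ("toC", "?", "reply"), "s11"),
        ("s21", ("toS", "?", "req"), "s22"), ("s22", ("toC", "!", "reply"), "s21")]

def upd(q, buf, e):
    """upd for the queue q of buffer buf; None means the receive is blocked (m not at the head)."""
    if e is None or e[0] != buf:
        return q                               # empty event, or an event on another buffer
    _, op, m = e
    if op == "!":
        return q + (m,)                        # send: attach m to the end of the FIFO queue
    return q[1:] if q and q[0] == m else None  # receive: only the top message can be consumed

def successors(conf, succ):
    """All c2 with conf => c2: one process fires one local transition, queues updated by upd."""
    n = len(INITIAL)
    states, queues = conf[:n], conf[n:]
    out = []
    for i, s in enumerate(states):
        for src, e, dst in succ:
            if src != s:
                continue                       # state sets are disjoint, so src identifies process i
            new_queues = tuple(upd(q, b, e) for q, b in zip(queues, BUFFERS))
            if None in new_queues:
                continue                       # receiver blocked: transition not enabled here
            out.append(states[:i] + (dst,) + states[i + 1:] + new_queues)
    return out

def reachable(succ, bound):
    """Breadth-first exploration of the reachability graph from c0. Queues longer than
    `bound` are cut off so the search terminates even with unbounded buffers; the returned
    flag reports whether the cut-off was ever needed (i.e. the result may be incomplete)."""
    c0 = INITIAL + tuple(() for _ in BUFFERS)
    seen, work, cut_off = {c0}, deque([c0]), False
    while work:
        for c2 in successors(work.popleft(), succ):
            if any(len(q) > bound for q in c2[len(INITIAL):]):
                cut_off = True
            elif c2 not in seen:
                seen.add(c2)
                work.append(c2)
    return seen, cut_off

if __name__ == "__main__":
    configs, cut = reachable(SUCC, bound=1)
    print(len(configs), "reachable configurations; cut off:", cut)
```

With `bound=1` the exploration reproduces exactly the four configurations of Figure 3.5 without ever hitting the cut-off, whereas a client that re-sends `req` without waiting for a reply makes the `toS` queue grow without limit and the flag is raised.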

Our definition of CFSMs deviates from the original definition given in [26] mainly in the definition of message buffers. According to the definition in [26], for each pair of different processes $(p_i, p_j)$ there exists exactly one message buffer such that $p_i$ is the sender of the buffer and $p_j$ is the receiver of the buffer. In contrast, our definition disassociates message buffers from processes. A buffer may therefore have multiple senders and receivers. A process can also send messages to or receive messages from multiple buffers. This deviation enables a more straightforward abstraction from Promela models into CFSM systems, since Promela may put no restrictions on which processes may use a certain buffer. Although it is rarely observed in realistic models that a process uses more than one buffer to store messages from one other process, or that a buffer allows more than one sender and receiver, this modification comes at no cost, and all theoretical results in [26] that we use in this thesis remain valid for our modified definition.

We can further modify the definition of CFSM systems by allowing a sequence of message passing events for a transition, with the restriction that the sequence can contain at most one message receiving event and that the receiving event must be the head of the sequence. This modification results in a more compact abstraction of UML-RT models, in which the action code of a transition may contain a number of message sending events. The necessary modification of the semantics is straightforward: just re-define the $\mathit{upd}$ function so that it updates message queues appropriately with a sequence of message passing events, in order to maintain the FIFO condition of message buffers.

For CFSM systems, most non-trivial problems are undecidable, including buffer boundedness and reachability among others. In particular, the following problem is proved to be undecidable in [26].

Problem 1. Executability of a message reception in a CFSM system.

Instance: A CFSM system $S$ and a state $s$ in $S$ having an outgoing transition $t$ labeled by the message receiving event $b?m$.

Question: Does there exist an execution of $S$ in which the message event $b?m$ occurs at $s$?