
We now define the concept of cycle dependencies. We first need the concept of correlated cycle sets. We call a cycle set C a correlated cycle set for a cycle c if the infinite execution of c requires at least one of the cycles in C to be executed infinitely often.

Definition 11.1. Given a Promela model and a cycle c in the model, a set C of cycles is a correlated cycle set (CCS) of c if it satisfies the following conditions:

• c ∉ C, and

• ∀r. c ∈ IRC(r) → (∃c′. c′ ∈ C ∧ c′ ∈ IRC(r)), where r is an execution of the model.

A cycle may have none, one or many CCSs. A cycle has no CCS if and only if it is the only one being repeated infinitely often in some execution of the model. For any cycle c, if C is a CCS of c, then any superset C′ of C is also a CCS of c when c ∉ C′. A CCS of a cycle c is minimal (MCCS) if none of its proper subsets is also a CCS of c. A cycle may also have more than one MCCS. Intuitively, a MCCS of a cycle c gives a set of indispensable cycles that c depends on in all executions in which c is repeated infinitely often.

    mtype = {request, reply}

    chan toServer = [10] of {mtype}
    chan fromServer = [10] of {mtype}

    active proctype Client(){
      int x = 0;

      do
      :: (x < 3) ->
         toServer!request;
         x++;
      :: (x == 3) ->
         fromServer?reply;
         x--;
      od
    }

    active proctype Server(){
      do
      :: toServer?request ->
         fromServer!reply;
      od
    }

Listing 11.1: A simple client-server Promela model.

Definition 11.2. Given a cycle c and a MCCS C of c, we call the pair (c, C) a cycle dependency. In this case, we say that c depends on C.

In the above definition, if all the cycles in C are in the same process as c is, then (c, C) is a local dependency. Otherwise, (c, C) is a global dependency.

Example 11.1. Consider the Promela model in Figure 11.1. The model describes a simple client-server protocol. The Client process may only have at most 3 unprocessed requests at any time, and therefore must wait for a reply from the Server process when the counter x equals 3. The control flow graphs of the model are shown in Figure 11.1. We use cl and cr respectively to denote the left and the right cycle in the process Client, and cs to denote the only cycle in the process Server. {cl, cs} is a CCS of cr. {cl} and {cs} are two MCCSs of cr. Then, we obtain two cycle dependencies: (cr, {cl}) is a local dependency, and (cr, {cs}) is a global dependency. Intuitively, cr depends on cs because whenever cr is executed it needs a reply message sent only by cs. We will later discuss the causes of cycle dependencies in depth.

Definition 11.3. Given a cycle c and a CCS C of c, we call the pair (c, C) an approximate cycle dependency (ACD).

[Figure 11.1: The control flow graphs of the Promela model in Listing 11.1.]

For any cycle dependency (c, C) and a CCS C′ of c such that C ⊂ C′, the ACD (c, C′) is an over-approximation of (c, C).

If we interpret all buffers in a Promela model to have only finite capacities and all variables to have finite domains, then the Promela model possesses a finite global state space. In this case, it is decidable whether (c, C) is an ACD as follows. We construct the global state space for the model and then look for any (either non-elementary or elementary) cycle in the global state space which contains c but no cycles from C. If no such global cycles exist, then (c, C) is an ACD. However, we have assumed that buffers in Promela models have infinite capacities and variables may have infinite domains such as integer variables, since we want to generalize the Promela language to consider the more interesting class of infinite state systems. With this assumption, a Promela model may have an infinite global state space, for which we show in the following proposition that the above problem becomes undecidable.
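As an added example that is not part of the chapter, the following Python code applies the decision procedure just described to the client-server model of Listing 11.1: it explores the finite global state space (channel capacity 10, as in the listing), labels each global transition with the local cycle cl, cr or cs it executes, and decides whether a set C is a CCS of c by searching for a global cycle through c that avoids every cycle in C. It assumes that each do-branch runs atomically as one global step and, since each channel carries a single message type, records only message counts.

```python
from collections import deque

CAP = 10  # channel capacity from Listing 11.1

def successors(state):
    """Yield (cycle_label, next_state) for one atomic iteration of each
    local cycle of Listing 11.1 (assumption: a do-branch is one global step).
    state = (x, messages in toServer, messages in fromServer)."""
    x, n_to, n_from = state
    if x < 3 and n_to < CAP:           # cl: toServer!request; x++
        yield "cl", (x + 1, n_to + 1, n_from)
    if x == 3 and n_from > 0:          # cr: fromServer?reply; x--
        yield "cr", (x - 1, n_to, n_from - 1)
    if n_to > 0 and n_from < CAP:      # cs: toServer?request -> fromServer!reply
        yield "cs", (x, n_to - 1, n_from + 1)

def global_state_space(init=(0, 0, 0)):
    """Breadth-first exploration of the reachable global states.
    Returns the labelled edges (src, cycle_label, dst) of the global graph."""
    edges, seen, work = [], {init}, deque([init])
    while work:
        s = work.popleft()
        for label, t in successors(s):
            edges.append((s, label, t))
            if t not in seen:
                seen.add(t)
                work.append(t)
    return edges

def reachable(src, dst, edges, banned):
    """Is dst reachable from src using only edges whose cycle label is not banned?"""
    seen, work = {src}, deque([src])
    while work:
        u = work.popleft()
        if u == dst:
            return True
        for a, label, b in edges:
            if a == u and label not in banned and b not in seen:
                seen.add(b)
                work.append(b)
    return False

def is_ccs(c, C, edges):
    """Definition 11.1 on a finite global state space: C is a CCS of c iff
    c is not in C and no global cycle executes c without executing some cycle in C.
    A global cycle through a c-labelled edge (u, v) avoiding C exists iff u is
    reachable from v without using edges labelled by cycles in C."""
    if c in C:
        return False
    for u, label, v in edges:
        if label == c and reachable(v, u, edges, banned=set(C)):
            return False  # cycle through c that needs none of C
    return True
```

Running is_ccs over the edges of global_state_space() confirms the claims of Example 11.1: {cl}, {cs} and {cl, cs} are all CCSs of cr, while the empty set is not.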

Proposition 11.3. Given a cycle c and a set C of cycles, it is undecidable in general whether C is a CCS of c.

Proof. Similarly, we prove the proposition for CFSM systems, by a reduction from the undecidable Problem 1.

The reduction is as follows. Consider a CFSM system S that contains a local state s. There is an outgoing transition t from s, which is labeled with a message receiving event b?m. We construct a CFSM system S′ from S by (1) introducing a new state s′ in the same process as s is; (2) adding at s′ a self-transition labeled with an empty string; (3) changing the target state of the transition t to the newly introduced state s′; and finally (4) adding a new process whose state machine consists of a single state s′′ and a self-transition at s′′. Moreover, let c be the self-loop at s′ and C be the singleton cycle set consisting of the self-loop at s′′.

We prove that b?m can be executed at s in S if and only if C is not a CCS of c in S′.

For the “if” part, assume that C is not a CCS of c. Then, there exists an infinite execution of S′ in which c is executed infinitely often while the self-loop at s′′ is not. From the construction of S′, c can be executed only if b?m can be executed at s in S′, which means that b?m can be executed also in S.

For the “only if” part, assume that b?m can be executed at s in S. Then, b?m can be also executed in S′. After b?m is executed, c can be repeated alone forever, which means c has no CCSs.

Since it is impossible to determine whether C is not a CCS of c, it is also undecidable whether C is a CCS of c. □

Although it is impossible in general to determine ACDs, we propose several static analysis methods to derive some types of ACDs according to how they are caused. The root cause for cycle dependencies lies in the executability of Promela statements. Given a cycle, if the executability of every statement along the cycle is unconditional, then the cycle can be repeated without interruption forever once the cycle is entered. Such a cycle has no CCSs and its repetition does not depend on any other cycles. On the contrary, consider a cycle c that contains a statement s whose executability is conditional. If s cannot be continuously enabled forever by only repeating c, then some other cycles need to be executed in order to re-enable s by, e.g., modifying the values of some variables, sending a message etc. In Promela there are two kinds of statements with conditional executability: condition statements and message receiving statements¹. In the following we explain how cycle dependencies may be imposed by these two kinds of statements.

Condition statements. Consider the right cycle cr in the proctype Client in Figure 11.1, which contains a condition statement (x == 3). The condition x = 3 cannot remain true after cr is executed because x is decremented by 1 in the cycle. Then, cr can be repeated infinitely often only if the left cycle cl is also repeated infinitely often to modify the value of x such that x can always acquire the value 3 again. In such a case, we say that cr is terminating on the condition statement (x == 3).

Definition 11.4 (Termination of Control Flow Cycles). Given a Promela model and a control flow cycle c in the model, we assume that c contains a condition statement s. The cycle c is terminating on s if the boolean condition in s cannot remain true forever when c is repeated without interruption.

Note that a cycle may be terminating on several condition statements contained in the cycle. Since we focus here on discovering cycle dependencies, it is out of the scope of this chapter how to determine whether a cycle is terminating, which is a well-known undecidable problem. We will propose an incomplete procedure to prove termination for control flow cycles in Section 12.2. There are also many existing techniques [99, 35, 41, 24] to prove termination for certain kinds of loops in programs, which can be adapted to prove termination for control flow cycles. In Section 11.3 we will show how to determine cycle dependencies from a condition statement on which a cycle is terminating.

Message receiving statements. The above mentioned cycle cr contains a message receiving statement fromServer?reply. Thus, the cycle cs sending reply messages has to be repeated infinitely often when cr is to be repeated infinitely often. In Section 11.4 we will present a method to determine cycle dependencies from message receiving statements, which are usually global dependencies.

¹ Recall that, by the assumption that buffers have infinite capacities, message sending statements are always executable.

    if
    :: y > 0 -> x = 5;
    :: y <= 0 -> x = 4;
    fi

Listing 11.2: A piece of Promela code.

11.3 Discovering Dependencies from Condition