

7.2 Identifying Message Types

7.2.2 Message Types and the Precision of Verification

We have seen that identifying fewer message types may result in a smaller abstract CFSM system, which in turn makes the analysis we perform on that CFSM system more efficient. However, the following example shows that if too few message types are identified, the precision of the subsequent analysis may be severely compromised.

Example 7.1. Consider the Promela model shown in Listing 7.3. In the model, a client asks a consultant a question about A (askA) and waits for the answer. The client is forgetful: whenever she gets an answer she forgets it immediately and has to ask the same question again. Moreover, she has apparently visited the wrong consultant, since the consultant only knows how to answer questions about B. The consultant also documents every consultation, which is represented in the model by sending a record message to the buffer log (see Line 18).

In the example model, if we identify 5 types of messages as $m_1 = \{\langle \mathit{toConsultant}, \mathit{askA} \rangle\}$, $m_2 = \{\langle \mathit{toClient}, \mathit{answerA} \rangle\}$, $m_3 = \{\langle \mathit{toConsultant}, \mathit{askB} \rangle\}$, $m_4 = \{\langle \mathit{toClient}, \mathit{answerB} \rangle\}$ and $m_5 = \{\langle \mathit{log}, \mathit{record} \rangle\}$, then we obtain the abstract CFSM system for the model shown in Figure 7.4. We can determine, either by our boundedness test or by manual inspection, that this CFSM system is bounded. Therefore, the original Promela model is bounded as well. This is because neither of the two control flow cycles in the CFSM system can ever be completely executed, since the consultant can never answer a question about A.

1   mtype = {askA, answerA, askB, answerB, record};
2
3   chan toConsultant = [1] of {mtype};
4   chan toClient = [1] of {mtype};
5   chan log = [10] of {mtype};
6
7   active proctype forgetfulClient(){
8     do
9     :: toConsultant!askA;
10       toClient?answerA;
11    od;
12  }
13
14  active proctype Consultant(){
15    do
16    :: toConsultant?askB ->
17       toClient!answerB;
18       log!record;
19    od;
20  }

Listing 7.3: A Promela model describing a consulting scenario.

[Figure 7.4: two CFSMs. forgetfulClient has a single control flow cycle with the transitions toConsultant!m1 and toClient?m2. Consultant has a single control flow cycle with the transitions toConsultant?m3, toClient!m4 and log!m5.]

Figure 7.4: The abstract CFSM system for the Promela model shown in Listing 7.3 when we identify 5 types of messages in the model.

Alternatively, we may decide to distinguish messages only by the buffer they are sent to. This is in fact an example of mapping the message formats defined in buffer declarations directly to message types. In this way, we identify only three message types, as follows:

$m_1 = \{\langle \mathit{toConsultant}, \mathit{askA} \rangle, \langle \mathit{toConsultant}, \mathit{askB} \rangle\}$, $m_2 = \{\langle \mathit{toClient}, \mathit{answerA} \rangle, \langle \mathit{toClient}, \mathit{answerB} \rangle\}$, $m_3 = \{\langle \mathit{log}, \mathit{record} \rangle\}$.

The resulting abstract CFSM system is depicted in Figure 7.5. This CFSM system is unbounded because of the spurious behavior that the consultant now appears to answer the client's questions and can therefore add an unbounded number of record messages of message type $m_3$ to the buffer log. The spurious behavior arises because messages regarding A can no longer be distinguished from messages regarding B. The boundedness analysis based on this CFSM system is therefore imprecise and returns "UNKNOWN".

[Figure 7.5: two CFSMs. forgetfulClient has a single control flow cycle with the transitions toConsultant!m1 and toClient?m2. Consultant has a single control flow cycle with the transitions toConsultant?m1, toClient!m2 and log!m3.]

Figure 7.5: The abstract CFSM system for the Promela model shown in Listing 7.3 when we distinguish messages only by their buffers.
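As an added worked example (it is not part of the thesis and not the thesis's own tool), the following Python code computes the cycle effect vectors of Listing 7.3 under both message type definitions of Example 7.1 and runs a cycle-effect boundedness test over them. The exact form of the test is an assumption made here, since Proposition 5.4 is not reproduced on this page: the test reports UNKNOWN if some nonnegative, nonzero combination of the cycle effect vectors is componentwise nonnegative with at least one strictly positive component, and BOUNDED otherwise; the existence question is decided exactly with Fourier-Motzkin elimination over the rationals. The encoding of cycles as lists of channel operations, the function names, and the check refinement_relation_holds (the relation between coarse and refined effect vectors that the refinement argument for Proposition 7.1 rests on) are all mine; the check assumes that every statement sends or receives a constant message, so that each coarse cycle corresponds to exactly one refined cycle, as in this example.

```python
"""Cycle-effect boundedness check for Example 7.1 under the 5-type and the
3-type message type definitions.  Added illustration, not the thesis's tool."""
from fractions import Fraction
from itertools import product

# Control flow cycles of Listing 7.3, one per process, as lists of
# (op, channel, message); '!' is a send and '?' a receive.
CYCLES = {
    "forgetfulClient": [("!", "toConsultant", "askA"), ("?", "toClient", "answerA")],
    "Consultant": [("?", "toConsultant", "askB"), ("!", "toClient", "answerB"),
                   ("!", "log", "record")],
}

# Message type definitions map (channel, message) pairs to a type name.
FINE_TYPES = ["m1", "m2", "m3", "m4", "m5"]
FINE = {("toConsultant", "askA"): "m1", ("toClient", "answerA"): "m2",
        ("toConsultant", "askB"): "m3", ("toClient", "answerB"): "m4",
        ("log", "record"): "m5"}
# The coarse definition distinguishes messages only by their buffer.
COARSE_TYPES = ["m1", "m2", "m3"]
COARSE = {(ch, msg): {"toConsultant": "m1", "toClient": "m2", "log": "m3"}[ch]
          for (ch, msg) in FINE}


def effect_vector(cycle, typedef, types):
    """Net number of messages of each type that one execution of the cycle
    adds to the buffers: +1 per send, -1 per receive."""
    eff = [0] * len(types)
    for op, ch, msg in cycle:
        eff[types.index(typedef[(ch, msg)])] += 1 if op == "!" else -1
    return eff


def fm_feasible(rows, nvars):
    """Fourier-Motzkin elimination.  Each row (coeffs, const) stands for the
    constraint coeffs . x + const >= 0 over the reals.  Returns True iff the
    whole system has a solution."""
    for v in range(nvars):
        pos = [r for r in rows if r[0][v] > 0]
        neg = [r for r in rows if r[0][v] < 0]
        rest = [r for r in rows if r[0][v] == 0]
        for (pc, pk), (nc, nk) in product(pos, neg):
            a, b = -nc[v], pc[v]          # both positive; x_v cancels out
            rest.append(([a * p + b * q for p, q in zip(pc, nc)], a * pk + b * nk))
        rows = rest
    return all(const >= 0 for _, const in rows)


def boundedness_test(effects):
    """Assumed form of the cycle-effect test: the system may be unbounded iff
    some x >= 0 has sum_i x_i * eff(c_i) >= 0 in every component and > 0 in at
    least one.  Returns 'UNKNOWN' if such x exists, 'BOUNDED' otherwise."""
    p, n = len(effects), len(effects[0])
    rows = []
    for i in range(p):                                   # x_i >= 0
        rows.append(([Fraction(int(i == j)) for j in range(p)], Fraction(0)))
    for j in range(n):                                   # component j >= 0
        rows.append(([Fraction(effects[i][j]) for i in range(p)], Fraction(0)))
    # Strict growth somewhere; by scaling x, 'some component > 0' becomes
    # 'sum of all components >= 1'.
    rows.append(([Fraction(sum(effects[i])) for i in range(p)], Fraction(-1)))
    return "UNKNOWN" if fm_feasible(rows, p) else "BOUNDED"


def refinement_relation_holds(cycle):
    """For one cycle: the coarse effect on a type equals the sum of the fine
    effects on the types it was refined into (assumes constant messages)."""
    fine = effect_vector(cycle, FINE, FINE_TYPES)
    coarse = effect_vector(cycle, COARSE, COARSE_TYPES)
    for cj, ct in enumerate(COARSE_TYPES):
        members = {FINE[key] for key, t in COARSE.items() if t == ct}
        if coarse[cj] != sum(fine[FINE_TYPES.index(ft)] for ft in members):
            return False
    return True


def run_example():
    """Boundedness verdict for Listing 7.3 under both type definitions."""
    verdicts = {}
    for name, typedef, types in (("5 types", FINE, FINE_TYPES),
                                 ("3 types", COARSE, COARSE_TYPES)):
        effects = [effect_vector(c, typedef, types) for c in CYCLES.values()]
        verdicts[name] = boundedness_test(effects)
    return verdicts


if __name__ == "__main__":
    print(run_example())   # {'5 types': 'BOUNDED', '3 types': 'UNKNOWN'}
```

With five types the client cycle has effect (1, -1, 0, 0, 0) and the consultant cycle (0, 0, -1, 1, 1), and no nonnegative combination avoids a negative component, so the test reports BOUNDED. With three types the effects collapse to (1, -1, 0) and (-1, 1, 1); taking one execution of each gives (0, 0, 1), the spurious accumulation of record messages, and the test reports UNKNOWN.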

The above example shows that the precision of the buffer boundedness test is reduced when we choose too coarse a message type definition. In the following we formally prove that refining message types never yields less precise results of the boundedness test.

Proposition 7.1. Given a CFSM system, let $D_1$ and $D_2$ be two message type definitions such that $D_2 \triangleright D_1$. Let $S_1$ and $S_2$ be the independent cycle systems that we derive based on $D_1$ and $D_2$ respectively, using the message passing effect determination method described in Section 7.2.1. If $S_2$ is bounded, then $S_1$ is also bounded.

Proof. It is sufficient to prove that, given two message type definitions $D$ and $D'$ such that $D \triangleright_1 D'$, if the independent cycle system based on $D$ is bounded then the independent cycle system based on $D'$ is also bounded.

Let $S = (n, C, \mathit{eff})$ be the independent cycle system based on $D$, and $S' = (n', C', \mathit{eff}')$ be the independent cycle system based on $D'$. Without loss of generality, we assume that $D'$ refines the message type $m$ in $D$ into the message types $m_1, \ldots, m_k$. Therefore, we have $n' = n - 1 + k$. For convenience, we re-order the effect vector components of both independent cycle systems such that (1) for any $i$ with $1 \le i \le n-1$, the $i$-th effect vector components in both systems correspond to the same message type; (2) the $n$-th components in $S$ correspond to the message type $m$; and (3) for any $i$ with $1 \le i \le k$, the $(n-1+i)$-th components in $S'$ correspond to the message type $m_i$.

Furthermore, we assume without loss of generality that there are $p$ cycles in $C$: $c_1, \ldots, c_p$. Assume that in some cycle $c_i$ there is a transition $t$ that potentially sends or receives a message of type $m$. Let $s$ be the Promela statement along the control flow edge that corresponds to $t$. As a result of refining the message type $m$, the transition $t$ may correspond to a set of transitions in the abstract CFSM system based on $D'$. Each of these corresponding transitions sends or receives a message of a distinct type $m_j$ such that $M_s \cap m_j \neq \emptyset$. The cycle $c_i$ may contain one or more transitions such as $t$. Consequently, as a result of the refinement of the message type $m$, each cycle $c_i$ corresponds to a set of cycles in $C'$: $c_{i1}, \ldots, c_{iq_i}$. Furthermore, we can easily see the following property for $c_i$ and any one of its corresponding cycles $c_{il}$:

Now we prove that if $S$ is bounded then $S'$ is also bounded. By contradiction, assume that $S$ is bounded while $S'$ is unbounded. Since $S'$ is unbounded, the necessary and sufficient condition stated in Proposition 5.4 implies that the ILP problem of Inequalities (7.3–7.4) has a solution; denote it by $x_{ir} = v_{ir}$ for $1 \le i \le p$ and $1 \le r \le q_i$. We show in the following that from this solution we can construct a solution to the ILP problem representing the necessary and sufficient condition for the unboundedness of $S$, as shown in Inequalities (7.5–7.6), thereby contradicting the assumption.

We claim that $x_i = \sum_{r=1}^{q_i} v_{ir}$ for $1 \le i \le p$ is a solution to the ILP problem of Inequalities (7.5–7.6):

• For each $j$-th ($1 \le j \le n-1$) inequality in Inequalities (7.5), replacing each $x_i$ with its respective value $\sum_{r=1}^{q_i} v_{ir}$ and applying the property in Inequality (7.1), the left-hand side is $\ge 0$ (7.10), because $x_{ir} = v_{ir}$ is a solution to Inequalities (7.3).

• For the $n$-th inequality in Inequalities (7.5), again replacing each $x_i$ with its respective value and rewriting each term $\mathit{eff}(c_i)_n \cdot x_i$ by the property in Inequality (7.2), the left-hand side is $\ge 0$ (7.14), because $x_{ir} = v_{ir}$ is a solution to Inequalities (7.4).

Hence $S$ is unbounded, contradicting the assumption. □

Proposition 7.1 shows that refining a message type definition never makes the boundedness analysis less precise. The same holds for the livelock freedom analysis that we proposed; we leave out the formal proof here. However, a refined message type definition yields more identified message types, which may lead to a growing number of control flow cycles and hence make the subsequent analysis less efficient. Therefore, there is a trade-off between efficiency and precision in the determination of message types. In the following subsection, we propose a method to identify message types optimally, such that the precision of the subsequent analysis cannot be improved by further refining the obtained optimal message type definition.