
$\bigcup_{m=1}^{k} \bigl(\mathrm{Var}^s_m \cup (\mathrm{Var}^l_m \times \mathrm{PID}_m^{N_m})\bigr)$.

We explicitly allow that the variable sets $\mathrm{Var}^s_1, \ldots, \mathrm{Var}^s_k$ have common elements, i.e. communication between processes of different classes is permitted.

So far, we have seen that there exists a wide range of different kinds of concurrent systems in practical use. The systems can be distinguished by the underlying concept of communication, by symmetry characteristics, and by whether they are finite or not. Nevertheless, we have introduced a general notion of concurrent systems under which all these different kinds are comprised. In the next section we will show how our systems can be translated into a computational model for verification.

3.3 Modelling Concurrent Systems

Verifying concurrent systems involves the exploration of the system's state space. Thus, we need to translate our systems into a model that represents the set of reachable states under all computations. In Chapter 2 we have already introduced Kripke structures as the most common computational model in automatic verification. Here, we will see how states and the state space are formally defined for concurrent systems, and how a system can be transformed into a Kripke structure. In order to explore the state space of a concurrent system, we first of all require a formal characterisation of its control flow.

In the previous section we have already described the control structure of single processes, but in an intuitive and rather informal way. Now, we show that concurrent systems can be straightforwardly translated into control flow graphs [5].

Definition 3.5 (Processes as Control Flow Graphs).

Let $\mathrm{Proc}_i$ be a process with operations from a set $\mathrm{Op}$. Moreover, let $\mathrm{BOp}$ be the corresponding set of basic operations, i.e. for each basic operation $\mathit{bop} \in \mathrm{Op}$: $\mathit{bop}$ is also contained in $\mathrm{BOp}$, and for each compound operation $\mathit{op} \in \mathrm{Op}$: $\mathrm{BOp}$ contains all basic operations nested inside $\mathit{op}$. Then $\mathrm{Proc}_i$ can be represented as a control flow graph (CFG) $G_i = (\mathrm{Loc}_i, \delta_i)$, where $\mathrm{Loc}_i$ is the set of control locations of $\mathrm{Proc}_i$ and $\delta_i \subseteq \mathrm{Loc}_i \times \mathrm{BOp} \times \mathrm{Loc}_i$ is a labelled transition relation, i.e. transitions are labelled with basic operations.

Hence, basic operations of the form $l : \mathit{bop}\;\; l' :$ can be directly mapped to the control flow graph: we get the corresponding transition $\delta_i(l, \mathit{bop}, l')$. For compound operations this mapping is a bit more complicated. Remember that every compound operation can be decomposed into a set of basic operations nested inside a control structure. This control structure corresponds to a subgraph of the CFG whose edges are labelled with the basic operations from the decomposition. As an example, we consider again the compound if-then-else operation:

$1 : (\mathbf{if}\ e\ \mathbf{then}\ (2 : \mathit{bop}_1)\ \mathbf{else}\ (3 : \mathit{bop}_2))\;\; 4 :$

Assuming that $\mathit{bop}_1$ and $\mathit{bop}_2$ are basic operations, the corresponding control flow representation now looks as follows:

Fig. 3.6 Control flow representation of the if-then-else operation: locations 1, 2, 3, 4 with edges $1 \to 2$ labelled $\mathit{assume}(e)$, $1 \to 3$ labelled $\mathit{assume}(\neg e)$, $2 \to 4$ labelled $\mathit{bop}_1$, and $3 \to 4$ labelled $\mathit{bop}_2$.

In a similar way we can transform all other compound operations into (subgraphs of) CFGs, which enables us to formally represent the control flow of individual processes. However, concurrent systems are composed of many processes running in parallel. Therefore, we need to define a notion of parallel composition of control flow graphs.
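The translation of Definition 3.5 and Fig. 3.6 carried out in code, as an added example that is not part of the original text: a recursive function maps a labelled operation to the edge set of its CFG, turning the branch condition of an if-then-else into assume(e) / assume(¬e) edges and chaining sequential operations through the label of the following operation. The tuple encoding of operations, the names `entry`, `cfg_edges`, `cfg`, and the nested program `NESTED_EXAMPLE` are my assumptions, not the book's notation.

```python
"""Added example (not from the book): Definition 3.5 and Fig. 3.6 as a recursive
translation of a labelled operation into the edges (l, bop, l') of a CFG.

Assumed encoding of labelled operations (my convention, not the book's):
    ("basic", loc, text)                 loc : bop
    ("if", loc, e, then_op, else_op)     loc : (if e then then_op else else_op)
    ("seq", op_1, ..., op_k)             op_1 ... op_k in program order
Every operation is translated relative to the location control reaches after
it (its exit), exactly as '4 :' follows the if-then-else in the book's example.
Branch entry locations are the labels written in the program text.
"""


def entry(op):
    """Location at which `op` starts, i.e. the label written in front of it."""
    if op[0] in ("basic", "if"):
        return op[1]
    if op[0] == "seq":
        return entry(op[1])
    raise ValueError(f"unknown operation kind {op[0]!r}")


def cfg_edges(op, exit_loc):
    """Edges of the CFG subgraph for `op` when control leaves it to `exit_loc`.

    A basic operation becomes one edge; a compound operation becomes a subgraph
    whose edges carry the basic operations of its decomposition, with the
    branching condition turned into assume(e) / assume(not e) edges (Fig. 3.6).
    """
    kind = op[0]
    if kind == "basic":
        _, loc, text = op
        return {(loc, text, exit_loc)}
    if kind == "if":
        _, loc, e, then_op, else_op = op
        branch = {(loc, f"assume({e})", entry(then_op)),
                  (loc, f"assume(¬{e})", entry(else_op))}
        # both branches leave to the same exit location
        return branch | cfg_edges(then_op, exit_loc) | cfg_edges(else_op, exit_loc)
    if kind == "seq":
        ops = op[1:]
        edges = set()
        for cur, nxt in zip(ops, ops[1:]):
            edges |= cfg_edges(cur, entry(nxt))  # exit of cur = entry of nxt
        return edges | cfg_edges(ops[-1], exit_loc)
    raise ValueError(f"unknown operation kind {kind!r}")


def cfg(op, exit_loc):
    """G_i = (Loc_i, delta_i) of Definition 3.5 for a process body `op`."""
    delta = cfg_edges(op, exit_loc)
    locs = {loc for (a, _, b) in delta for loc in (a, b)}
    return locs, delta


# The book's example:  1 : (if e then (2 : bop1) else (3 : bop2)) 4 :
IF_EXAMPLE = ("if", 1, "e", ("basic", 2, "bop1"), ("basic", 3, "bop2"))

# A constructed nested program (not from the book), to show the recursion:
#   0 : bop0  1 : (if e then (2 : (if f then (3 : bop1) else (4 : bop2)))
#                       else (5 : bop3))  6 :
NESTED_EXAMPLE = ("seq",
                  ("basic", 0, "bop0"),
                  ("if", 1, "e",
                   ("if", 2, "f", ("basic", 3, "bop1"), ("basic", 4, "bop2")),
                   ("basic", 5, "bop3")))

if __name__ == "__main__":
    for prog, exit_loc in ((IF_EXAMPLE, 4), (NESTED_EXAMPLE, 6)):
        locs, delta = cfg(prog, exit_loc)
        print("Loc =", sorted(locs))
        for l, bop, l2 in sorted(delta):
            print(f"  {l} --{bop}--> {l2}")
```

For `IF_EXAMPLE` the function returns exactly the four edges of Fig. 3.6; the nested program shows that an inner if-then-else becomes a subgraph hanging off the then-branch entry, with both its branches leaving to the shared exit location 6.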

Definition 3.6 (Concurrent Systems as Control Flow Graphs).

Let $\mathrm{Sys} = \|_{i=1}^{n} \mathrm{Proc}_i$ be a concurrent system, where each process $\mathrm{Proc}_i$ is given as a control flow graph $G_i$. Then $\mathrm{Sys}$ can be represented as a composite control flow graph $G = (\mathrm{Loc}, \delta)$. $\mathrm{Loc} = \times_{i=1}^{n} \mathrm{Loc}_i$ is the set of combined locations and $\delta \subseteq \mathrm{Loc} \times \mathrm{BOp} \times [1..n] \times \mathrm{Loc}$ is a labelled transition relation with $\delta(l, \mathit{bop}, i, l')$ iff $\delta_i(l_i, \mathit{bop}, l'_i)$ and $l'_j = l_j$ for all $j \neq i$, where $l_i$ denotes the individual location of $\mathrm{Proc}_i$ in the combined location $l = (l_1, \ldots, l_n)$.

Hence, each transition of a composite control flow graph is additionally labelled with the index $i \in [1..n]$ of the associated process. A fair computation of a concurrent system $\mathrm{Sys}$ corresponds to an infinite path in the composite control flow graph representing $\mathrm{Sys}$ in which, for each $i \in [1..n]$, a transition $\delta(l, \mathit{bop}, i, l')$ occurs infinitely often.

For illustration, we consider the concurrent system $\mathrm{Sys}_6$ in Figure 3.7 and show how it can be translated into a composite control flow graph. $\mathrm{Sys}_6$ consists of two processes $\mathrm{Proc}_1$ and $\mathrm{Proc}_2$. Both attempt to execute one basic operation on a shared variable $x$ and then terminate with the end operation.

x : integer where x = 1

Proc1 :: 1 : x := x + 1   2 : end
  ‖
Proc2 :: 1 : x := x + x   2 : end

Fig. 3.7 Concurrent system $\mathrm{Sys}_6 = \mathrm{Proc}_1 \| \mathrm{Proc}_2$ over $\mathrm{Var} = \mathrm{Var}^s = \{x\}$.

In a first step, we transform the processes $\mathrm{Proc}_1$ and $\mathrm{Proc}_2$ of our concurrent system into single control flow graphs $G_1$ and $G_2$ (see Figure 3.8).

Fig. 3.8 Control flow graphs $G_1$ and $G_2$ of the processes $\mathrm{Proc}_1$ and $\mathrm{Proc}_2$: $G_1$ has locations 1, 2 and the single edge $1 \to 2$ labelled $x := x + 1$; $G_2$ has locations 1, 2 and the single edge $1 \to 2$ labelled $x := x + x$.

In the second step, we build the composite control flow graph $G$ for $G_1$ and $G_2$ (see Figure 3.9). We can see that in each combined location two transitions are enabled, i.e. each process can always be selected for executing its next operation (a terminated process idles in its end location via a self-loop). Every infinite path in $G$ that eventually reaches location $(2, 2)$ and then alternately takes the self-loops associated with $\mathrm{Proc}_1$ and $\mathrm{Proc}_2$ corresponds to a fair computation of $\mathrm{Sys}_6$.

Fig. 3.9 Composite control flow graph $G$ of the system $\mathrm{Sys}_6 = \mathrm{Proc}_1 \| \mathrm{Proc}_2$. Combined locations $(1,1)$, $(2,1)$, $(1,2)$, $(2,2)$; each edge is labelled with a basic operation and the index of the executing process:
$(1,1) \to (2,1)$ with $x := x + 1$, process 1;
$(1,1) \to (1,2)$ with $x := x + x$, process 2;
$(2,1) \to (2,2)$ with $x := x + x$, process 2;
$(1,2) \to (2,2)$ with $x := x + 1$, process 1;
self-loops for the end operation of a terminated process: at $(2,1)$ for process 1, at $(1,2)$ for process 2, and at $(2,2)$ for both processes.

Control flow graphs allow us to formally represent all sequences of operations that might occur during the execution of a concurrent system. For verifying a system, we moreover need to model the system's state space. A state of a concurrent system corresponds to a feasible valuation of all its variables, including the program counters. For instance, the initial state of the concurrent system in Figure 3.7 can be characterised by the tuple $s_{\mathit{Init}} = (pc_1 = 1, pc_2 = 1, x = 1)$. We denote the valuation of an expression $e$ in a state $s$ by $s(e)$, e.g. for $s_{\mathit{Init}}$ we have $s_{\mathit{Init}}(x) = 1$ and $s_{\mathit{Init}}(x > 0) = \mathit{true}$. Now, the overall state space of a system corresponds to the set of all states over its variables. We write $S_{\mathrm{Var}}$ to denote the set of states over the system variables $\mathrm{Var}$, and respectively $S_{\mathrm{Var} \cup \bigcup_{i=1}^{n}\{pc_i\}}$ to denote the set of states over the system variables and program counters.

In order to obtain a formal model of the state space, we transform our concurrent systems into Kripke structures (compare Chapter 2).

Definition 3.7 (Concurrent Systems as Kripke Structures).

Let $\mathrm{Sys} = \|_{i=1}^{n} \mathrm{Proc}_i$ be a concurrent system given by a composite control flow graph $G = (\mathrm{Loc}, \delta)$. Moreover, let $\mathrm{Pred}$ be a set of predicates (i.e. boolean expressions) over the system variables $\mathrm{Var}$. The corresponding Kripke structure is a tuple $K = (S, R, L, F)$ over the set of atomic predicates $AP = \mathrm{Pred} \cup \{pc_i = j \mid i \in [1..n],\ j \in \mathrm{Loc}_i\}$ with

• $S := \mathrm{Loc} \times S_{\mathrm{Var}}$,

• $R(\langle l, s\rangle, \langle l', s'\rangle) := \bigvee_{i=1}^{n} R_i(\langle l, s\rangle, \langle l', s'\rangle)$, where $R_i(\langle l, s\rangle, \langle l', s'\rangle) := \delta(l, \mathit{bop}, i, l') \wedge s(e) \wedge s'(x_1) = s(e_1) \wedge \ldots \wedge s'(x_m) = s(e_m)$ for the basic operation $\mathit{bop} = \mathit{assume}(e) : x_1 := e_1, \ldots, x_m := e_m$ labelling the transition; all variables $y$ not assigned by $\mathit{bop}$ keep their value, $s'(y) = s(y)$,

• $L(\langle l, s\rangle, p) := s(p)$ for any $p \in \mathrm{Pred}$,

• $L(\langle l, s\rangle, pc_i = j) := \mathit{true}$ if $l_i = j$ and $\mathit{false}$ otherwise, where $l_i$ is the location of $\mathrm{Proc}_i$ in the combined location $l$,

• $F := \bigl\{ \{(s, s') \mid R_i(s, s') \neq \mathit{false}\} \bigr\}_{i \in [1..n]}$, i.e. for each process $\mathrm{Proc}_i$ a fairness set $F_i$ containing all transitions associated with $\mathrm{Proc}_i$.

Hence, given a concurrent system $\mathrm{Sys}$ and a set of predicates $\mathrm{Pred}$, we can construct the corresponding Kripke structure $K$. Now, a fair computation of $\mathrm{Sys}$ corresponds to a fair path $\pi$ in $K$, i.e. an infinite sequence of states $\pi = s_0 s_1 s_2 \ldots$ with $s_0 \models \varphi_{\mathit{Init}}$, $R(s_i, s_{i+1})$ for all $i \in \mathbb{N}$, and $\pi$ satisfying the fairness requirements given by $F$ (compare Chapter 2). As an example, the Kripke structure for the system $\mathrm{Sys}_6$ in Figure 3.7 and the set of predicates $\mathrm{Pred} = \{(x < 4)\}$ is shown in Figure 3.10.

Fig. 3.10 Kripke structure $K$ for the concurrent system $\mathrm{Sys}_6$ and the set of predicates $\mathrm{Pred} = \{(x < 4)\}$. Only reachable states are depicted:
$s_0 : \langle (1,1), (x < 4)\rangle$ (initial state),
$s_1 : \langle (2,1), (x < 4)\rangle$,
$s_2 : \langle (1,2), (x < 4)\rangle$,
$s_3 : \langle (2,2), \neg(x < 4)\rangle$,
$s_4 : \langle (2,2), (x < 4)\rangle$.
The set of fairness constraints is $F = \{F_1, F_2\}$ where $F_1 = \{(s_0, s_1), (s_1, s_1), (s_2, s_4), (s_3, s_3), (s_4, s_4)\}$ and $F_2 = \{(s_0, s_2), (s_1, s_3), (s_2, s_2), (s_3, s_3), (s_4, s_4)\}$; the transition relation is $R = F_1 \cup F_2$.
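Definitions 3.6 and 3.7 executed on $\mathrm{Sys}_6$, as an added example that is not part of the original text: the script builds the composite control flow graph of Definition 3.6 as an asynchronous product (a step of process $i$ changes only component $i$ of the combined location), then explores the reachable Kripke structure of Definition 3.7 with $\mathrm{Pred} = \{(x < 4)\}$, collecting the fairness sets $F_1, F_2$; the result has the five states and the ten fairness pairs of Fig. 3.10. The encoding of basic operations as (label, guard, assignments) tuples, the names `compose`, `step`, `label`, `kripke`, `sys6_kripke`, and the modelling of end as an idling self-loop (the convention Fig. 3.9 follows) are my assumptions, not the book's notation.

```python
"""Added example (not from the book): Definitions 3.6 and 3.7 executed on Sys6
(Fig. 3.7), reproducing the reachable Kripke structure and the fairness sets
F_1, F_2 of Fig. 3.10.

Encoding assumptions (mine, not the book's):
  * a basic operation  assume(e): x_1 := e_1, ..., x_m := e_m  is a tuple
    (label, guard, ((x_1, e_1), ...)) whose guard and e_k are Python callables
    on a valuation dict {variable: value};
  * a process CFG G_i is a set of edges (l, bop, l') over integer locations;
  * the 'end' operation is an idling self-loop at the final location, which is
    how Fig. 3.9 and the sets F_1, F_2 of Fig. 3.10 treat a terminated process.
"""
from itertools import product


def bop(label, *assigns, guard=lambda s: True):
    """Basic operation assume(guard): x := e, ...  (`label` is for printing)."""
    return (label, guard, tuple(assigns))


SKIP = bop("skip")  # idling step modelling 'end'


def compose(cfgs):
    """Definition 3.6: composite CFG (Loc, delta) as an asynchronous product.
    A transition of process i changes only component i of the combined
    location; every transition is additionally labelled with i."""
    loc_sets = [sorted({loc for (a, _, b) in cfg for loc in (a, b)}) for cfg in cfgs]
    locs = list(product(*loc_sets))
    delta = set()
    for l in locs:
        for i, cfg in enumerate(cfgs, start=1):
            for (li, op, li2) in cfg:
                if li == l[i - 1]:
                    delta.add((l, op, i, l[:i - 1] + (li2,) + l[i:]))
    return locs, delta


def step(op, s):
    """Successor valuation under `op`, or None if its guard is false in s.
    Right-hand sides are evaluated in the old state s; variables that `op`
    does not assign keep their value (the frame condition of Definition 3.7)."""
    _, guard, assigns = op
    if not guard(s):
        return None
    s2 = dict(s)
    for x, e in assigns:
        s2[x] = e(s)
    return s2


def label(state, preds):
    """L: the atomic predicates (from Pred, plus pc_i = j) holding in a state."""
    l, sv = state
    s = dict(sv)
    aps = {p for p, f in preds.items() if f(s)}
    aps |= {f"pc{i} = {j}" for i, j in enumerate(l, start=1)}
    return frozenset(aps)


def kripke(cfgs, init_loc, init_val, preds):
    """Definition 3.7 restricted to the states reachable from the initial one
    (Fig. 3.10 depicts only those). Returns (S, R, L, F): L maps each state to
    its label set, F = [F_1, ..., F_n] with F_i = {(s, s') | R_i(s, s')}.
    Kripke states are (combined location, frozenset of valuation items)."""
    _, delta = compose(cfgs)
    s0 = (tuple(init_loc), frozenset(init_val.items()))
    S, R, F = {s0}, set(), [set() for _ in cfgs]
    work = [s0]
    while work:
        st = work.pop()
        l, sv = st
        for (l1, op, i, l2) in delta:
            if l1 != l:
                continue
            s2 = step(op, dict(sv))
            if s2 is None:
                continue
            st2 = (l2, frozenset(s2.items()))
            R.add((st, st2))
            F[i - 1].add((st, st2))
            if st2 not in S:
                S.add(st2)
                work.append(st2)
    return S, R, {st: label(st, preds) for st in S}, F


# Sys6 of Fig. 3.7: x = 1 initially; Proc1: x := x + 1, Proc2: x := x + x,
# each followed by 'end' (self-loop at location 2).
G1 = {(1, bop("x := x + 1", ("x", lambda s: s["x"] + 1)), 2), (2, SKIP, 2)}
G2 = {(1, bop("x := x + x", ("x", lambda s: s["x"] + s["x"])), 2), (2, SKIP, 2)}
PRED = {"x < 4": lambda s: s["x"] < 4}


def sys6_kripke():
    return kripke([G1, G2], (1, 1), {"x": 1}, PRED)


if __name__ == "__main__":
    S, R, L, F = sys6_kripke()
    for st in sorted(S, key=lambda st: (st[0], sorted(st[1]))):
        print(st[0], dict(st[1]), sorted(L[st]))
    print(len(S), "states,", len(R), "transitions, |F_i| =", [len(f) for f in F])
```

Running the script lists the reachable states with their concrete value of $x$ and their labels; $s_3 = \langle (2,2), \neg(x < 4)\rangle$ is the only state with $x = 4$, reached when $\mathrm{Proc}_1$ moves first and $\mathrm{Proc}_2$ then doubles $x = 2$. Because every state has an outgoing $F_1$ and an outgoing $F_2$ transition, the construction also confirms the remark on Fig. 3.9 that each process is enabled in every combined location.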

According to Definition 3.7, we can, in theory, transform any concurrent system into a computational model for temporal logic model checking. However, the number of states in a Kripke structure grows exponentially with the size of the modelled system. Thus, for real-life systems a straightforward modelling is practically not feasible, and the additional application of abstraction techniques is typically necessary, which we will discuss in Chapter 4. Furthermore, verifying a parameterised concurrent system means checking all (i.e. an infinite number of) instantiations of the system. Hence, parameterised verification is undecidable in general. Later we will show that in many cases verification results obtained on single instantiations can be transferred to the overall parameterised system, i.e. to each possible instantiation.

Nevertheless, modelling the state space of parameterised, and in particular symmetric, systems deserves some additional remarks. Remember that in symmetric systems all processes execute the same code and there exists a replication of the set of local variables $\mathrm{Var}^l$ for each process. Hence, a local variable $x \in \mathrm{Var}^l$ that is associated with some process $\mathrm{Proc}_i$ can be represented as a tuple $(x, i)$. Now, the valuation of $(x, i)$ in a state $s$ is denoted by $s(x, i)$.

This lets us define local views on states of symmetric systems. For a state $s$ of a symmetric system $\mathrm{Sys} = \|_{i \in \mathrm{PID}^N} \mathrm{Proc}_i$ we write $s[i]$ to describe the local view of process $\mathrm{Proc}_i$ on $s$, where $s[i](x) = s(x)$ for a shared variable $x \in \mathrm{Var}^s$, and $s[i](x) = s(x, i)$ for a local variable $x \in \mathrm{Var}^l$. These local views will later be very helpful when we exploit symmetry to verify parameterised systems (compare Chapter 6).