Verification, or model checking, is the problem of deciding if a parallel or serial program meets its specification. The specification is given in a temporal logic such as Linear Temporal Logic (LTL) [77,159], Computation Tree Logic (CTL) [78], the combination of the two (CTL∗), or CTL∗ without the next-time operator (CTL∗\X). For example, convergence to a state predicate L can be specified using the Eventually (a.k.a. Finally) operator ♦ as ♦L, and closure within L can be specified using the Always (a.k.a. Globally) operator □ as □(L ⟹ ○L), where ○ is the next-time operator.
3.2.1 Hardness
Verifying whether a temporal formula is true for a given system is a computationally intensive task. Sistla and Clarke [165] prove that LTL model checking is PSPACE-complete in the size of the input (which includes all states of the system). Likewise, verification of CTL∗ is shown to be PSPACE-complete by Clarke, Emerson, and Sistla [52]. They, along with Arnold and Crubille [12], prove that CTL verification is P-complete. Self-stabilization and fault tolerance are among the properties that can be verified in linear time with respect to the size of the transition system.
3.2.2 Implementation
The Spin model checker [113] has been extremely helpful for investigating protocols. It is an explicit-state model checker that uses a C-like syntax with nondeterminism to express concurrent programs. The temporal properties to be checked are specified as formulas in linear temporal logic. The negation of the temporal formula is compiled to a Büchi automaton, and program verification reduces to checking that no program execution, run in lockstep with the automaton, passes through an accepting state of the automaton infinitely often (an accepting cycle) [173].
Meseguer, Palomino, and Martí-Oliet [153] represent actions of processes as rewrite rules within the Maude tool. Using properties of term rewriting systems, they are able to automatically prove termination in special cases. Given the generality of term rewriting systems, Maude can also model and reason about algorithms and data structures.
Symbolic Representation. A transition system can also be represented as a boolean formula over unprimed and primed variables. For example, consider the 3-coloring protocol of Example 2.1.1. Particularly, consider the minimal action
(x0 = 0 ∧ x1 = 0 ∧ x2 = 2) −→ x1 := 1;
of P1 on a ring of size 4. This can be represented with the following formula
x0 = 0 ∧ x1 = 0 ∧ x2 = 2 ∧ x1′ = 1 ∧ x0′ = x0 ∧ x2′ = x2 ∧ x3′ = x3
which uses x1′ = 1 to represent the assignment x1 := 1 and where x0′ = x0 ∧ x2′ = x2 ∧ x3′ = x3 forbids the x0, x2, x3 variables from changing. The complete transition system can be built by taking the disjunction of all such formulas of all actions of all processes.
Binary decision diagrams (BDDs) [41] and multi-valued decision diagrams (MDDs) can be used to represent the boolean formula of a transition system. The popular NuSMV model checker [50] and the PVS proof assistant [157] use this data structure. The size of a BDD can be exponential in the number of variables, and depends largely on the variable ordering and on the nature of the function, but BDDs are much more compact than explicit-state representations in practice. Many MDD and BDD libraries exist to manipulate transition systems; we use the GLU and CUDD libraries [166].
BDD-based cycle detection can still be infeasible because of the size of the decision diagrams. Biere, Cimatti, Clarke, Strichman, and Zhu [29] introduce bounded model checking as a way to avoid a data structure that fully represents the transition system. They show that SAT solvers, applied to a bounded unrolling of the transition relation, together with abstraction can find counterexamples where BDD-based methods cannot handle the input model. However, BDD-based verification can also outperform their SAT-based method. Further, their method is incomplete: if no counterexample is found within the bound, one cannot conclude that the system is correct.
Unbounded Variables. When domains of variables are unbounded, Boigelot and Wolper [32] show that finite automata can represent values and constraints. Borowsky and Edelkamp [36] apply this to the planning problem where variables are unbounded. They explain the problem representations and algorithms in detail and discuss which problem conditions can prevent the algorithms from terminating. The planning problem is similar to verification and can also be solved using the same techniques [51].
3.2.3 Symbolic Cycle Detection
Livelock detection is a fundamental step in model checking self-stabilizing algorithms. Livelocks correspond to cycles in the transition system being checked. Gentilini, Piazza, and Policriti [96] give a cycle detection algorithm that is linear in the size of the BDD representing the transition system. In practice, fixpoint algorithms that do not explicitly compute strongly connected components (SCCs) outperform the SCC-based algorithms, even though they have a higher worst-case complexity [91]. Emerson and Lei [80] give one such fixpoint algorithm, of which several variations exist [91].
Algorithm 3.1 shows the version of the Emerson-Lei algorithm that we use for detecting unfair cycles (cycles that can be traversed without any fairness assumption on the scheduler). It is only notable in that we avoid unnecessary computation during the main fixpoint iteration (Line 5): since we assume that the protocol is closed within the initial set of states (called span), the image ∆[span] never leaves span, so no intersection with span is needed there. The algorithm is written using set notation, but recall that a set of states or transitions is efficiently represented as a BDD (boolean formula) that evaluates to true for exactly the states/transitions in the set.
Algorithm 3.1 Check for unfair cycles in a transition system.
CycleCheck(&span: closed set of initial states (also a return value), ∆: transitions of protocol)
Output: Whether a cycle exists.
1: let next := span
2: {Fixpoint iteration using image}
3: repeat
4: span := next
5: next := ∆[span]
6: until span = next
7: {Fixpoint iteration using preimage to make span resemble the SCCs more closely}
8: repeat
9: span := next
10: next := span ∩ ∆−1[span]
11: until span = next
12: {span is now all states that can be visited after arbitrarily many steps in an infinite execution, but unlike in an SCC, span may contain some states that cannot be visited infinitely often}
13: return (span ≠ ∅)
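The following Python is an added example, not code from the thesis or its tooling. It ties together the two preceding ideas: the transition relation ∆ is built as the disjunction, over all processes, of per-action formulas over unprimed and primed variables (the x0 = 0 ∧ x1 = 0 ∧ x2 = 2 ∧ x1′ = 1 ∧ x0′ = x0 ∧ … encoding from the Symbolic Representation paragraph), and Algorithm 3.1 is then run over that relation. Python sets of states stand in for BDDs, so the fixpoint iterations are literal. Assumptions: the action bodies of Example 2.1.1 are not on this page, so `recolor` (take the smallest color unequal to both ring neighbors) is an assumed body for the 3-coloring protocol; `increment` is a constructed buggy variant, included to show the algorithm actually finding an unfair cycle; the ring has 4 processes and 3 colors as in the page's example.

```python
"""Transition relation as a disjunction of action formulas, plus Algorithm 3.1.

Added example (not from the original text). Sets of states replace BDDs; the
action bodies below are assumptions, since Example 2.1.1 is not on this page.
"""
from itertools import product

N = 4                      # ring size used in the page's example
COLORS = (0, 1, 2)
STATES = list(product(COLORS, repeat=N))   # 3**4 = 81 global states


def guard(s, i):
    """P_i is enabled when its color collides with either ring neighbor."""
    return s[i] == s[(i - 1) % N] or s[i] == s[(i + 1) % N]


def recolor(s, i):
    """Assumed body for Example 2.1.1: smallest color unequal to both neighbors.
    Matches the page's minimal action (x0=0 ∧ x1=0 ∧ x2=2) -> x1 := 1."""
    return min(c for c in COLORS
               if c != s[(i - 1) % N] and c != s[(i + 1) % N])


def increment(s, i):
    """Constructed buggy body: x_i := (x_i + 1) mod 3. It resolves the local
    conflict but does not decrease any global potential, so livelocks exist."""
    return (s[i] + 1) % len(COLORS)


def action_formula(i, body):
    """One action of P_i as a predicate over (s, t) = (unprimed, primed) values:
    guard(s) ∧ x_i' = body(s) ∧ ⋀_{j≠i} x_j' = x_j."""
    def phi(s, t):
        return (guard(s, i)
                and t[i] == body(s, i)
                and all(t[j] == s[j] for j in range(N) if j != i))
    return phi


def transition_relation(body):
    """Δ = disjunction of the action formulas of all processes, materialized as
    the set of (s, t) pairs on which the formula is true (a BDD would encode
    the same characteristic function)."""
    actions = [action_formula(i, body) for i in range(N)]
    return {(s, t) for s in STATES for t in STATES
            if any(a(s, t) for a in actions)}


def image(delta, span):
    """Δ[span]: states reachable in one step from span."""
    return {t for (s, t) in delta if s in span}


def preimage(delta, span):
    """Δ^{-1}[span]: states that can step into span."""
    return {s for (s, t) in delta if t in span}


def cycle_check(span, delta):
    """Algorithm 3.1: returns (cycle_exists, span). span must be closed under Δ,
    which is why Line 5 needs no intersection with span."""
    nxt = set(span)
    while True:                          # Lines 3-6: fixpoint using image
        span = nxt
        nxt = image(delta, span)
        if span == nxt:
            break
    while True:                          # Lines 8-11: fixpoint using preimage
        span = nxt
        nxt = span & preimage(delta, span)
        if span == nxt:
            break
    return (len(span) != 0), span        # Line 13: span ≠ ∅ iff a cycle exists


def has_livelock(body):
    """Run the check from the closed set of all states for a given action body."""
    return cycle_check(set(STATES), transition_relation(body))[0]


if __name__ == "__main__":
    print("recolor has unfair cycle:", has_livelock(recolor))      # False
    print("increment has unfair cycle:", has_livelock(increment))  # True
```

The `recolor` protocol has no unfair cycle because every enabled action removes at least one conflicting edge and creates none, so the image fixpoint shrinks to the empty set within a handful of iterations; the `increment` variant keeps passing conflicts around the ring (for instance the 12-state cycle through (2,1,0,0) under a round-robin-like interleaving), and those states survive both fixpoints.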
Chen, Abujarad, and Kulkarni [47] investigate how fairness impacts the cost of verifying stabilization. Weak fairness is found to substantially increase verification cost, whereas an assumption of global fairness or of no fairness allows faster verification. Particularly, since global fairness alleviates the need for cycle detection, it admits the fastest verification times.