Polymorphic systems with arrays : decidability and undecidability

http://wrap.warwick.ac.uk/

Original citation:

Lazic, Ranko, Newcomb, T. and Roscoe, A. W. (2004) Polymorphic systems with arrays

: decidability and undecidability. University of Warwick. Department of Computer

Science. (Department of Computer Science Research Report). CS-RR-399

Permanent WRAP url:

http://wrap.warwick.ac.uk/61314

Copyright and reuse:

The Warwick Research Archive Portal (WRAP) makes this work by researchers of the

University of Warwick available open access under the following conditions. Copyright ©

and all moral rights to the version of the paper presented here belong to the individual

author(s) and/or other copyright owners. To the extent reasonable and practicable the

material made available in WRAP has been checked for eligibility before being made

available.

Copies of full items can be used for personal research or study, educational, or

not-for-profit purposes without prior permission or charge. Provided that the authors, title and

full bibliographic details are credited, a hyperlink and/or URL is given for the original

metadata page and the content is not changed in any way.

A note on versions:

The version presented in WRAP is the published version or, version of record, and may

be cited as it appears here.For more information, please contact the WRAP Team at:

Deidability and Undeidability ?

RankoLazi 1??

,TomNewomb 2

,andBillRosoe 2

1

DepartmentofComputerSiene,UniversityofWarwik,UK 2

ComputingLaboratory,UniversityofOxford,UK

Abstrat. Polymorphisystemswitharrays(PSAs)is ageneral lass ofnondeterministireativesystems.APSAispolymorphiinthesense thatitdependsonasignature,whihonsistsofanumberoftype vari-ables,andanumberofsymbolswhosetypesanbebuiltfromthetype variables.SomeofthestatevariablesofaPSAanbearrays,whihare funtionsfromonetypetoanother.Wepresentseveralnewdeidability and undeidability results for parameterised ontrol-state reahability problemsonsublassesofPSAs.

1 Introdution

Context. Therehasbeenmuhinterestinreentyearsinmodelheking innite-state systems (e.g. [12℄). Oneof the mostommon reasons why a systeman haveinnitelymanystatesis thatit hasoneormoreparameterswhih anbe unboundedly large. Forexample, asystem mighthave anarbitrary number of idential parallel omponents, or it might work with data from an arbitrarily large data type. In suh ases, the aim is usually to verify that the system is orret not for spei instantiations of the parameters, but for all possible instantiations.

Whenasystemhasanarbitrarynumberofidentialparallelomponents,the ounting abstration [11℄ anbeused to representit asaPetri net.If the sys-temusesmorethanrendez-vousommuniationsbetweenparallelomponents, extensions of Petri nets are used, suh astransfer ars to represent broadast ommuniations [9℄, or non-bloking ars to represent partially non-bloking rendez-vous [21℄. Other abstrat models related to Petri nets have also been usedforrepresentinginnite-statesystems,suh asbroadastprotools[7℄and multi-setrewritingspeiations[6℄.

Findingdeisionproedures formodelhekingproblemsonPetri netsand relatedmodelsisthereforeusefulforveriationofarangeofinnite-state sys-tems. Undeidability of suh problems is also signiant, for guiding further

?

We aknowledge support from the EPSRC grant GR/M32900. The rst au-thor was also supported by grants from the Intel Corporation and the EPSRC (GR/S52759/01), theseondauthorbyQinetiQ Malvern,and thethirdauthorby theUSONR.

??

literature(e.g.[8,9,21,15,6℄).

Inpratie,innite-statesystemsareoftengivenbyUNITY-stylesyntax,i.e. usingstatevariables,guardsandassignments.Thiskindofsyntaxisommonfor deningnite-statesystems(e.g.[3℄),wherethetypesofstatevariablesarenite enumeratedtypes.Itiseasily extendedforexpressinginnite-statesystems,by usingtypevariableswhihanbeinstantiatedbyarbitrarysets.Forexample,if X,Y andZaretypevariablesrepresentingproessorindies,memoryaddresses andstorabledata,thenaahe-ohereneprotool(e.g.[20℄)mighthaveastate variableahe :(XY)!(ZEnum

3

).Here,aheisanarray(i.e.afuntion) indexedbyorderedpairsofproessorindiesandmemoryaddresses,andstoring ordered pairs ofstorable data and tagsfrom the 3-element typeEnum

3 . Note that thissystemisparametriinthree dimensions.

Itisthereforeimportanttoinvestigatedeidabilityofmodelheking prob-lems on systems given by UNITY-style syntax with type variables and array statevariables.Moreover,itisdesirabletondalgorithmitranslationsofsuh problems to deidable problemson Petri nets andrelated models.This avoids dupliationof work,andenablesuseof thevarioustehniquesimplementedfor the lattermodels (e.g. [6℄).However,UNITY-likesyntax ansuintly express systemswhih areparametri in severaldimensions, ompared withPetri nets and relatedmodelswhihare either restritedto oneortwodimensions[9,21, 6℄orrelativelyomplex[15℄.Inpartiular, relatingthetwokindsofsystemsis non-trivialingeneral.

Contributions. In this paper,we x a UNITY-like syntax with type variables andarraystatevariables,andallsuhsystemspolymorphisystemswitharrays (PSAs). For generalityand suintness, we use atyped -alulus to express guardsand right-hand sidesof assignments.Basi typesare formed from type variables,produtsandsums(i.e.disjointunions).Wealsouserst-order fun-tiontypes,astypesofarraystatevariables,ortypesofoperationsymbols(suh as

X

: X X ! Bool). Assignments to array state variables an express a rangeofoperations,inludingwritingtoseveralarrayomponents,orresetting allomponentstoasamevalue.

APSAispolymorphiinthesensethatithasasignature,whihonsistsof anumberof typevariablesand anumberofsymbolswhosetypesanbebuilt fromthetypevariables.Asignatureisinstantiatedbyassigningnon-emptysets toitstypevariables,andonrete elementsoroperationstoitssymbols.Given aPSAandaninstantiationofitssignature,thesemantisisatransitionsystem. WestudyparameterisedveriationofPSAs,so aPSAalsohasaset ofall instantiations of itssignature whih are of interest. Thesemantisis a transi-tion system onsisting of all transition systems for the given instantiations. If innitelymanyinstantiationsaregiven,thisisinnite-state.

tialisedCSR.

Weshowthat initialised CSRis undeidableforPSAs witheahof the fol-lowing restritions. In eah ase, the only allowed array operations are reads andwrites,andthetypevariablesareinstantiatedbyarbitrarysetsoftheform f1;:::;kg.

{ Thereisonlyonearray,oftypeXX !Bool.TheonlyoperationonX is equality.

{ Thereisonly onearray,oftypeXY !Bool.TheonlyoperationsonX andY areequalities.

{ Thereareonlytwoarrays,oftypesX !Y andX!Z.Theonlyoperations onX,Y andZ areequalities.

{ Thereisonlyonearray,oftypeX !Y. TheonlyoperationonX islinear order(

X ),

3

andonY equality.

For PSAs with arbitrary array operations, but whih have arrays only of typesX !Enum

m

,where theonlyoperationonX islinearorder,and where Xisinstantiatedbyarbitrarysetsoftheformf1;:::;kg,weshowthatinitialised CSRisdeidable.Theproofisbyreduingtoareahabilityproblemformulti-set rewritingspeiationswithNConstraints,whihhasanimplementeddeision proedure [6℄.

ForuninitialisedCSR,weobtainsimilarresults.

Comparisons. PSAs generalise data-independent systems with arrays [14,13, 22,19℄ by allowing operations on type variables other than equality, and by allowinganyarrayoperationexpressibleusingarrayinstrutionparametersand assignmentsof-termsto arraystatevariables.

It was shown in [22℄ that initialised CSR is undeidable for systems with only two arrays, of type X ! Y, where the only operations on X and Y are equalities.Ourundeidabilityresultstrengthensthistotwoarrayswithdierent valuetypes.

4

Our deidability result extends the deidability result in [22℄ by allowing linear order on X instead of only equality, and by allowing a wider range of arrayoperations.

PSAsalsogeneralisetheparameterisedsystemsin[16℄,where parameterisa-tionin onlyonedimensionis onsidered.On theother hand,[16℄ treats quan-tiationin guards,whihwedonotonsiderin thispaper.

Usinga type variable X to represent the set of all proess indies, and an arrays:X !Enum

n

tostorethestateofeahproess,anybroadastprotool [7℄anbeexpressedbyaPSA.TheonlyoperationneededonX isequality.

3

Anorderprediateanexpresstheequalityprediatebyt=t 0

, tt 0

^t 0

t. 4

on-PSAs. We dene initialised and uninitialised CSR problems in Setion 3.The undeidabilityanddeidabilityresultsareinSetions 4and5.InSetion6,we brieypointto futurework.

WeuseamodeloftheBullyAlgorithm[10℄asarunningexample.

2 Polymorphi systems with arrays

Todene PSAs, westart with the syntax of types. We havebasi typesbuilt fromtypevariables,produtsandnon-emptysums,andfuntiontypesfromone basitype to another. Funtion typeswill be used astypesof array variables, andalsoastypesofsignaturesymbolssuh asequalityprediates.

B::=X jB 1

B n

jB 1

++B n1 T ::=B jB!B

0

Nextweneedasyntaxofterms,whihwillbeusedtoformone-step ompu-tationsofPSAs.Thetermsarebuiltfromtermvariables,tupleformation,tuple projetion,suminjetion,sumase,-abstration,and funtionappliation.

Weonsideronly well-typedterms.A signatureonsists ofaniteset of typevariables, andatypeontext whih isasequene hx

1 :T

1 ;:::;x

n :T

n i of typed andmutuallydistint term variables, where thetypesT

i

anontain onlytypevariablesfrom.Awell-typedterm-in-ontextiswritten; `t:T, wherethese validtypejudgementsarededuedbystandardtypingrules[18℄.

; hx:Ti 0

`x:T ; `t

1 :B

1

; `t n

:B n ; `(t

1 ;:::;t

n ):B

1

B n ; `t:B

1

B n

; `

i (t):B

i ; `t:B

i

; `

B1++Bn i

(t):B 1

++B n

8j6=iVars(B j

)

; `t:B 1

++B n

; hx 1

:B 1

i`t 0 1

:T ; hx n

:B n

i`t 0 n

:T ; `asetof x

1 :t

0 1

or ::: orx n

:t 0 n

:T ; hx:Bi`t:B

0 ; `x:Bt:B!B

0

; `t 1

:B !B 0

; `t 2

:B ; `t

1 [t

2 ℄:B

0

Usingthetypesandtermsabove,weanforexampleexpress:

andif tthent 0 1

elset 0 2

;

{ foranypositiven, then-elementenumeratedtypeEnum n

asthe sumofn Unit types,itselementse

1 ,...,e

n

,andaaseterm.

Weanalso expressanygivenoperationontheBool and Enum n

types,ofany arity.

Semantis of types is dened as follows. A nite set of type variables is instantiated by a mapping ! to non-empty sets. For any type T suh that Vars(T),itssemantiswithrespetto! isanon-emptysetJTK

!

,whihis dened intheusualway.

JXK !

=!JXK JB

1

B n

K !

=JB 1

K !

JB n

K ! JB

1

++B n

K !

=f1gJB 1

K !

[[fngJB n

K ! JB!B

0 K

! =(JB

0 K

! )

JBK!

Forsemantisofterms,asignature(; )isinstantiatedbyan! asabove, andamapping2J K

!

,i.e.Dom()=Dom( )andJxK2JTK !

forallx:T in .Foranywell-typedterm-in-ontext; `t:T,itssemantiswithrespet to(!;)isanelementJtK

!; ofJTK

!

,andisdened inthestandardway.

JxK !;

=JxK J(t

1 ;:::;t

n )K

!; =(Jt

1 K

!; ;:::;Jt

n K

!; ) J

i (t)K

!; =

i (JtK

!; ) J

B i

(t)K !;

=(i;JtK !;

) Jasetof x

1 :t

0 1

or ::: orx n

:t 0 n

K !;

=Jt 0 i K

!;fxi7!vg

; where(i;v)=JtK !; Jx:BtK

!;

=fv7!JtK

!;fx7!vg

jv2JBK !

g Jt

1 [t

2 ℄K

!; =Jt

1 K

!; (Jt

2 K

!; )

Denition1. A PSAisa5-tuple(; ;;R ;I)suhthat:

{ (; ) isa signature, onsisting of type variables and typed term variables (i.e. typed onstant or operation symbols) whih the PSA is parameterised by.

{ is a type ontextdisjoint from , andsuh that (; ) is asignature. speiesthe state variables of the PSA and their types. Aording toits type, astatevariable iseither basior anarray.

{ Risanite setof instrutions.Eah2R isof the form

:fx 1

:=t 1

;:::;x k

:=t k

g

where:

x 1

,...,x k

aremutuallydistintvariablesin,and; `t i

:(x i

) for eah i.

The semantis of will be that onsists of parameters whose values are hosennondeterministiallysubjettosatisfying,andthentheassignments x

i :=t

i

areperformedsimultaneously.

Ineah stateofthe system,any instrutionin Ranbeperformed. { I isasetof instantiationsof(; ).

Thefollowingare somearray operationswhih anbe expressed as assign-mentstoarrayvariables:

Reset. Assigningavaluet:B 0

toeahomponentofa:

a:=x:Bt

wherexisafreshvariablename. Copy. Assigninganarraya

0 toa:

a:=a 0

Map. Applyinganoperationt:(B 0 1

B

0 n

)!B 00

omponentwisetoseveral arrays:

a:=x:Bt[(a 0 1

[x℄;:::;a 0 n

[x℄)℄ wherexisfresh.

Multiplepartialassign. Assigning t 1

, ..., t n

to omponents x of a whih satisfyonditionsd

1 , ...,d

n

respetively,where x may ourfree inthet i andd

i :

a:=x:Bif d 1

thent 1

elseif d n

thent n

elsea[x℄

Wemayabbreviatethisasa[x:d 1

;;d n

℄:=t 1

;;t n

.Notethatifd i

and d

j

withi<j overlap,assigningt i

takespreedene. Write. Assigningt

0 1

,...,t 0 n

toa[t 1

℄,...,a[t n

℄:

a[x:x=t 1

;;x=t n

℄:=t 0 1

;;t 0 n wherexisfresh. Wemayabbreviatethisas

a[t 1

;;t n

℄:=t 0 1

;;t 0 n

Cross-setion. Forexample,assigningtoarowtofanarraya:(B 1

B 2

)!B 0

:

a[x:( 1

(x)=t)℄:=t 0

Usinginstrutionparameters,weanforexamplealsoexpress: Choose. Nondeterministiallyhoosingawhole array:

(S;!)denedasfollows:

{ ThesetofstatesSonsistsofall(!;;)suhthat(!;)2I and2JK !

. { (!;;)!(!

0 ;

0 ;

0 ) i!

0

=!, 0

=,and there exists2R whih an produe

0

from.

Morepreisely,asisoftheform:fx 1

:=t 1

;:::;x k

:=t k

g,thereexists 2JK

!

suhthatJK !;

=tt,and:

0 Jx

i K=Jt

i K

!;

for eah i;

0 Jx

0 K=Jx

0

Kfor allx 0

62fx 1

;:::;x k

g.

Example 1. WeexpressasaPSAamodeloftheBullyAlgorithmforleadership eletioninadistributedsysteminwhihproessidentiersarelinearlyordered [10℄.

Thesignatureis(fXg;h X

:XX !Booli),whereX representsthesetof allproess identiers.Weonsiderallinstantiationswhih assignto X aset of theformf1;:::;kg,andto

X

thestandardordering.

Wemodelpassingoftimeanddetetionoffailureasfollows.Aproesswhih hasnotfailedanbroadasttorelevantproesseswithloweridentiers,tosignal itspresene.Atthat point,itslokissetto 1.Wheneverthesystemperforms atoktransition,allloksare inreasedby1.If thiswould makethelokof aproessgreater thanaonstantT

S

,that proess fails.Proessesanalso fail atothertimes.Inanyase,itisnotpossibleforanaliveproesstoletT

S tok transitionshappenwithoutsignallingitspresene.

Sineproessesperiodiallyinformothersoftheirpresene,there isnoneed to haveexpliit eletionbroadasts:aproessin Elet modean simplywait forT

E

timeunits,andifitdoesnotreeiveasignalfromahigherproessduring that time,itgoesintoCoord mode.

Inorder for the systemto be within theX,-to-Enumlass, proesses do not store identiers of their oordinators, although a proess in Coord mode periodially informsalllowerproessesthatit istheiroordinator.For spei-ationpurposes,weanmaintainoordinatoridentiersforaboundednumber ofproesses.

Thestateofaproessonsistsofitsmodeandtwoloks.Theprimarylok is used to measure the time sine the proess last signalled its presene. The seondarylokmeasureswaitingtimeoftheproess:eitherduringaneletion, orwhileawaitingaoordinator,orsineitlastheardfrom aoordinatorwhile running.Weuseonearrayvariabletohold allthisinformation:

a:X ! (fElet;Coord;Await;Run;Fldg f1;:::;T

S

gf1;:::;maxfT E

;T A

;T R

gg)

It remainsto presentthe system'sinstrutions. We write a[t℄:m, a[t℄: and a[t℄:

0

insteadof 1

(a[t℄), 2

(a[t℄)and 3

(a[t℄).

S

instrutionalso inreases by 1the seondaryloks of all proesses in the Elet, Await, or Run modes. If that would makethe seondary lokof a proessesgreaterthantheorrespondingonstantT

E ,T

A ,orT

R

,themode ofthatproessishangedanditsseondarylokisresetto1.Forexample, ifa proess is Run, but hasnot heardfrom aCoord for T

R

time units, it goesintoElet mode.

hi:true

a:=x:Xif a[x℄:m6=Fld^a[x℄:=T S

then(Fld;1;1) elseif a[x℄:m=Elet^a[x℄:

0 =T

E

then(Coord;a[x℄:+1;1) elseif a[x℄:m=Await^a[x℄:

0 =T

A

then(Elet;a[x℄:+1;1) elseif a[x℄:m=Run^a[x℄:

0 =T

R

then(Elet;a[x℄:+1;1) elseif a[x℄:m6=Fld^a[x℄:m6=Coord

then(a[x℄:m;a[x℄:+1;a[x℄: 0

+1)

elseif a[x℄:m=Coordthen(a[x℄:m;a[x℄:+1;a[x℄: 0

) elsea[x℄

signal Thisinstrutionsignalsthepreseneofaproesstoallrelevantproesses withloweridentiers,anditresetstheprimarylokoftheproessto1.If aproess in the Elet, Await, or Run mode signals to a proess whih is in the Elet or Coord mode, the latter beomesAwait. If a Coord signals toaproesswhihis notin theFld mode,it\bullies"thelattertogo into theRunmode.EqualitybetweentwotermsoftypeX isanabbreviationfor t

X t

0 ^t

0

X t.

hx:Xi:a[x℄:m6=Fld a:=x

0

:Xif x 0

=xthen(a[x℄:m;1;a[x℄: 0

) elseif x

0

<x^a[x℄:m6=Coord^ a[x

0

℄:m2fElet;Coordgthen(Await;a[x 0

℄:;1) elseif x

0

<x^a[x℄:m=Coord^a[x 0

℄:m6=Fld then(Run;a[x

0 ℄:;1) elsea[x

0 ℄

fail Atanypoint,aproessanfail.

hx:Xi:a[x℄:m6=Flda[x℄:=(Fld;1;1)

revive Atanypoint,aFld proessanrevive,anditgoesintotheElet mode.

hx:Xi:a[x℄:m=Flda[x℄:=(Elet;1;1)

3 Model-heking problems

{ astatevariable b:Enum n

, 5 { i;j 2f1;:::;ng,and

{ for eah array statevarible a :B !B 0

, a term ; bas

` t a

:B 0

, where

bas

is restritedtobasistatevariables.

The initialisedontrol-state reahabilityproblem isto deide whether there existsasequeneoftransitions fromastatesatisfying

b=e i

^ ^

a:B!B 0

2

8x:Ba[x℄=t a

toastatesatisfyingb=e j

.

For safetyproperties whereit isnotassumed thatarraysareinitialised, we havethefollowingdeisionproblem.

Denition4. Suppose we have aPSA (; ;;R ;I) with a statevariable b : Enum

n

,andi;j2f1;:::;ng.

Theuninitialisedontrol-statereahabilityproblemistodeidewhetherthere existsasequeneoftransitionsfromastatesatisfyingb=e

i

toastatesatisfying b=e

j .

Example 2. The following safetyproperties of the Bully Algorithm model an beexpressedasinitialisedCSRin anextended system.

{ There arenevertwodistint proessesin Coord mode.Weaddastate vari-ableb:f0;1g,andaninstrution

hx:X;x 0

:Xi:x6=x 0

^a[x℄:m=Coord^a[x 0

℄:m=Coordb:=1 The hek is whether, from a state in whih b = 0 and 8x : X a[x℄ = (Elet;1;1),thesystemanreahastatein whihb=1.

{ AproessannotontinuouslybeRun sinereeivingasignalfromaCoord untilreeivingasignalfromaCoord whoseidentier issmallerthanthatof the previous one. We addstatevariablesb :f0;1;2gand y;y

0

:X.Wean modifytheinstrutionstok,signalandfail,so that:

ifb=0andaCoord x signalstoproessy,b issetto1andy 0

isset to x;

ifb=1andproessyleavestheRunmode, bissetto0; ifb=1andaCoord xy

0

signalstoproessy,y 0

issetto x; ifb=1andaCoord x<y

0

signalstoproessy,bisset to2.

The hek is whether, from a state in whih b = 0 and 8x : X a[x℄ = (Elet;1;1),thesystemanreahastatein whihb=2.

{ There isneveraCoord proessandaRun proess withagreateridentier. Weaddastatevariable b:f0;1g,andaninstrution

hx:X;x 0

:Xi:x<x 0

^a[x℄:m=Coord^a[x 0

℄:m=Runb:=1 Thehekisasintherstexample.

5

Weonsiderthefollowinglassesof PSAs:

XX-to-Bool. ThislassonsistsofallPSAs(; ;;R ;I)suhthat: { =fXgand =h=

X

:XX!Booli;

{ thereisonlyonearrayvariablein,anditisoftypeXX!Bool; { instrutions in R donot ontain array parameters, and eah array

as-signmentisawrite;

{ I onsistsof all (!;)suh that ! assigns to X a set of theform ^ k= f1;:::;kg,and assignsto=

X

theequalityprediateon ^ k.

XY-to-Bool. HereX andY aredistinttypevariables,andtherestritions are:

{ =fX;Ygand =h= X

:XX!Bool;= Y

:Y Y !Booli; { thereisonlyonearrayvariablein,anditisoftypeXY !Bool; { instrutions in R donot ontain array parameters, and eah array

as-signmentisawrite;

{ I onsistsofall(!;)suhthat!assignstoX andY some ^ kand

^ l ,and assignsto=

X and=

Y

theequalityprediates.

X-to-Y,Z. HereX,Y,Z aredistinttypevariables,andtherestritionsare: { =fX;Y;Zgand =h=

X

:XX !Bool;= Y

:Y Y !Bool;= Z

: ZZ !Booli;

{ there are onlytwoarrayvariablesin , and theyare of typesX !Y andX !Z;

{ instrutions in R donot ontain array parameters, and eah array as-signmentisawrite;

{ I onsistsofall(!;)suhthat!assignstoX,Y,Z some ^ k,

^

l ,m,^ and assignsto=

X ,=

Y ,=

Z

theequalityprediates.

X,-to-Y. HereX andY aredistinttypevariables,andtherestritionsare: { =fX;Ygand =h

X

:XX!Bool;= Y

:Y Y !Booli; { thereisonlyonearrayvariablein,anditisoftypeX!Y;

{ instrutions in R donot ontain array parameters, and eah array as-signmentisawrite;

{ I onsists of all (!;) suh that ! assigns to X and Y some ^ k and

^ l, J

X

Kistheorderingon ^

k,and J= Y

Kistheequalityprediateon ^ l .

Theorem1. Initialised CSR is undeidable for eah of the lasses X X -to-Bool, XY-to-Bool, X-to-Y,Z,and X,-to-Y.

Proof. Werstreallsomeundeidabilityresultsfortwo-ountermahines(2CMs). A 2CM onsists of a nite non-empty set fL

1 ;:::;L

u

g of loations, two ounters

1 and

2

,andforeveryloationL i

,aninstrutionofoneofthefollowing forms:

{ L i

: j

:= j

+1;gotoL i

0 { L

i :

j :=

j

1;gotoL i

0

i 1 2 1 2 valuesof

1 and

2

.TheinstrutionatL i

produesauniquenextonguration, exeptthat L

i :

j :=

j

1annotexeutewhenv j

=0.

From[17℄,ongurationreahability isundeidable,i.e.whetheragiven2CM anreahagivenonguration(L

j ;v

1 ;v

2

)from(L 1

;0;0).Itisstraightforwardto reduethisproblemtoloation reahability,i.e.whetheragiven2CManreah aongurationwithagivenloationL

j

from(L 1

;0;0), sothelatterproblemis alsoundeidable.

Supposewehavea2CMasabove,andaloationL j

.Weprovethetheorem by showinghowto redue thequestionwhether the 2CManreaha ongu-rationwithloationL

j

from(L 1

;0;0)toaninitialisedCSRquestionforaPSA (; ;;R ;I) in eah of the lasses above in turn. In eah ase, , and I are speied in the denition of the lass,so it remainsto onstrut thestate variables,theinstrutionsR ,andtheCSRquestion.

XX-to-Bool. Let equal hb:Enum

5u+1 ;x 1 ;x 0 1 ;x 2 ;x 0 2 ;x 00 ;x 000

:X;a:XX !Booli whereweshalldenotetheelementsofEnum

5u bye

i

fori2f0;:::;ug,and e

j 0 j;i

fori2 f1;:::;ug andj;j 0

2f1;2g.The e i

for i>0will representthe loationsofthe2CM,wherease

0

andthee j

0 j;i

willbeusedasauxiliaryontrol statesofthePSA.

TheCSRquestioniswhetherthePSAanreahastatewithb=e j

froma statewithb=e

0 and

8(x;x 0

):XXa[(x;x 0

)℄=false Werepresentavaluev

j

of aounter j

by asequene ofmutually distint indiesx

j 1

,...,x j vj+1

suhthata[(x j k

;x j k +1

)℄istrue forallk.Thesetsindies for

1 and

2

willbedisjoint.Theremainingentriesofawillbefalse. Thestatevariablesx

j

willontainx j 1

,andx 0 j

willontainx j vj+1

. Atontrolstatee

0

,weensurethatx 1

6=x 2

.Wetheninitialisethe represen-tationsof

1 and

2

tozero,andmovetoontrolstatee 1

. hi:b=e

0 ^x

1 6=x

2

fb:=e 1 ;x 0 1 :=x 1 ;x 0 2 :=x 2 g For any instrution L

i :

j :=

j

+1;gotoL i

0

of the 2CM, the PSA has thefollowingfourinstrutions.Therstonehoosesavaluex

00

fromX for extendingtherepresentationof

j

byanentrytrue at(x 0 1

;x 00

).Italsostarts theomputation forhekingthat x

00

is afresh value.An invariantduring thisomputationis thatiftheontrolstateise

j 0 j;i

0

,thenx 00

doesnotour amongtheindiesin therepresentationof

j

0 uptox 000

.

hx y

:Xi:b=e i

^x y

6=x 1

fb:=e 1 j;i

0;x 00 :=x y ;x 000 :=x 1 g Ifx 00

hasbeenomparedagainstthewholerepresentationof 1

,wemoveto omparingitagainsttherepresentationof

2 : hi:b=e

1 0 ^x 000 =x 0 ^x 00 6=x 2

j respondingtotheinrementby1,andmovetoe

i 0:

hi:b=e 2 j;i

0 ^x 000

=x 0 2

fb:=e i 0; x 0 j :=x 00 ;a[(x 0 j ;x 00

)℄:=trueg

Thefourth instrutionperformsastepinomparing x 00

withtheindiesin therepresentationof

j 0

:

hx y

:Xi:b=e j 0 j;i 0 ^x y 6=x 00 ^a[(x 000 ;x y )℄fx

000 :=x

y g

ForanyinstrutionL i

: j

:= j

1;gotoL i

0

of the2CM,thePSAhasthe followinginstrution, whih redues therepresentation of

j

by moving x 1 tothenextindexin thesequene:

hx y

:Xi:b=e i ^a[(x j ;x y )℄ fb:=e

i 0;x

j :=x y ;a[(x j ;x y

)℄:=falseg

Azero-testinstrutionof the2CMis straightforwardto represent,sine j hasvalue0ifandonlyifx

j =x

0 j :

hi:b=e i

fb:=if x j =x 0 j thene i 0 elsee i 00 g

Itislearthat thisPSAisinthelassXX-to-Bool. Foranyonguration(L

i ;v

1 ;v

2

)ofthe2CM, letF(L i

;v 1

;v 2

) betheset of allstates(!;;)ofthePSAsuh thatJbK=Je

i

K andassigns tox 1 ,x 0 1 , x 2 ,x 0 2

andaarepresentationofv 1

andv 2

asabove.It isstraightforwardto hekthat:

(i) if the 2CM an reah (L i

0;v 0 1

;v 0 2

) from (L i

;v 1

;v 2

), then the PSA an reahastatein F(L

i 0;v

0 1

;v 0 2

)fromastateinF(L i ;v 1 ;v 2 ); (ii) anystate(!;;)whihthePSAanreahfromastateinF(L

i ;v 1 ;v 2 ) andwhihsatisesb2fe

1 ;:::;e

u

g,isinF(L i 0 ;v 0 1 ;v 0 2

)forsome(L i 0 ;v 0 1 ;v 0 2 ) whih the2CManreahfrom (L

i ;v 1 ;v 2 ).

It follows that the 2CM an reah a onguration with loation L j

from (L

1

;0;0)ifandonlyifthePSAsatisestheinitialisedCSRquestionabove. Alternatively, undeidability of initialised CSR for this lass follows from undeidability for the lass X Y-to-Bool. Given a PSA S in X Y -to-Bool,letS

0

bethePSAinXX-to-Boolobtainedfrom S bysubstituting X for Y.Then S satises aninitialisedontrol-state rehabilityquestionif andonlyifS

0

satisesthesamequestionwithX substitutedforY.

XY-to-Bool. TheonstrutionofaPSA in thislass whih representsthe 2CMfollowsthesamepatternastheonstrutionaboveforthelassXX -to-Bool.Itismoreomplexbeausethearrayisnowindexedbytwodierent types. Torepresent avaluev

j

of aounter j

, weuse 2v j

+1 entries true insteadofv

j . Let equal

hb:Enum 5u+1 ;x 1 ;x 0 1 ;x 2 ;x 0 2 ;x 00 ;x 000

5u i e

j 0 j;i

fori2 f1;:::;ug andj;j 0

2f1;2g.The e i

for i>0will representthe loationsofthe2CM,wherease

0

andthee j

0 j;i

willbeusedasauxiliaryontrol statesofthePSA.

TheCSRquestioniswhetherthePSAanreahastatewithb=e j

froma statewithb=e

0 and

8(x;y):XY a[(x;y)℄=false

Werepresentavaluev j

ofaounter j

by2v j

+1entries true in thearray a. If their indies are (x

j k

;y j k

) for k 2 f1;:::;2v j

+1g, then eah x j 2k will equalx j 2k +1

, and eah y j 2k 1

will equaly j 2k

. All the x j 2k 1

, and also all the y

j 2k 1

will be mutuallydistint. Moreover,thesets ofall x 1 k

andall x 2 k

will be disjoint, aswell asthesets of ally

1 k

and y 2 k

. Theremaining entries of a willbefalse.

The state variables x j

and y j

will ontain x j 1

and y j 1

, and x 0 j and y 0 j will ontainx j 2vj+1 andy j 2vj+1 . Atontrolstatee

0

, weensurethat x 1 6=x 2 andy 1 6=y 2

. Wetheninitialise therepresentationsof

1 and

2

to zero,andmovetoontrolstatee 1

.

hi:b=e 0 ^x 1 6=x 2 ^y 1 6=y 2 fb:=e

1 ;x 0 1 :=x 1 ;y 0 1 :=y 1 ;x 0 2 :=x 2 ;y 0 2 :=y 2 ; a[(x 1 ;y 1 );(x 2 ;y 2

)℄:=true;trueg

For anyinstrutionL i

: j

:= j

+1;gotoL i

0

of the2CM,thePSAhasthe followingfour instrutions.The rstonehoosesa valuex

00

from X anda valuey

00

from Y for extending the representation of j

by entries true at indies(x

00 ;y

0 j

)and(x 00

;y 00

).Italsostartstheomputationforhekingthat x

00 and y

00

arefresh values.An invariantduring thisomputation isthat if theontrolstateise

j 0 j;i

0

,then x 00

andy 00

donotouramongtheindiesin therepresentationof

j 0

upto (x 000 ;y 000 ). hx y

:X;y y

:Yi:b=e i ^x y 6=x 1 ^y y 6=y 1 fb:=e

1 j;i 0 ;x 00 :=x y ;y 00 :=y y ;x 000 :=x 1 ;y 000 :=y 1 g Ifx 00 andy 00

havebeenomparedagainstthewholerepresentationof 1

,we movetoomparingthem againsttherepresentationof

2 :

hi:b=e 1 j;i 0 ^x 000 =x 0 1 ^y 000 =y 0 1 ^x 00 6=x 2 ^y 00 6=y 2 fb:=e

2 j;i 0 ;x 000 :=x 2 ;y 000 :=y 2 g

Whentheomputationisomplete, weextendtherepresentationof j

or-respondingtotheinrementby1,andmovetoe

i 0:

hi:b=e 2 j;i 0 ^x 000 =x 0 2 ^y 000 =y 0 2 fb:=e

i 0 ;x 0 :=x 00 ;y 0 :=y 00 ;a[(x 00 ;y 0 );(x 00 ;y 00

The fourth instrution performs a step in omparing x and y with the indiesintherepresentationof

j 0

:

hx y

:X;y y

:Yi: b=e

j 0 j;i 0 ^x y 62fx 00 ;x 000 g^y

y 62fy

00 ;y

000

g^a[(x y

;y 000

)℄^a[(x y ;y y )℄ fx 000 :=x y ;y 000 :=y y g

For anyinstrutionL i

: j

:= j

1;gotoL i

0

of the2CM,thePSAhasthe followinginstrution, whih redues therepresentation of

j

by moving x j andy

j

fromtherstentrytrue to thethird:

hx y

:X;y y

:Yi:b=e i ^x y 6=x j ^y y 6=y j ^a[(x y ;y j

)℄^a[(x y

;y y

)℄ fb:=e

i 0 ;x j :=x y ;y j :=y y ;a[(x j ;y j );(x y ;y j

)℄:=false;falseg

Azero-testinstrutionof the2CMis straightforwardto represent,sine j hasvalue0ifandonlyifx

j =x 0 j andy j =y 0 j :

hi:b=e i

fb:=if x j =x 0 j ^y j =y 0 j thene i 0 elsee i 00 g

Itislearthat thisPSAisinthelassXY-to-Bool. Foranyonguration(L

i ;v

1 ;v

2

)ofthe2CM, letF(L i

;v 1

;v 2

) betheset of allstates(!;;)ofthePSAsuh thatJbK=Je

i

K andassigns tox 1 ,x 0 1 , x 2 ,x 0 2 ,y 1 , y 0 1 ,y 2 ,y 0 2

andaarepresentationofv 1

andv 2

asabove.Therest isasintheaseXX-to-Bool.

X-to-Y,Z. TheproofforthisasediersfromtheaseXY-to-Boolbyhow theountersarerepresented.

Werepresentavaluev j

ofaounter j

by 2v j

entries in eah ofthearrays a:X !Y andb:X !Z.Iftheirindiesarex

j k

andx 0j k

,thenJaK(x j 2k 1 )= JaK(x j 2k ), JbK(x 0j 2k 1

)=JbK(x 0j 2k

), andx j 2k

=x 0j 2k 1

.ThevaluesJaK(x j 2k 1

)are mutuallydistint,anddistintfromavalueywhihllstherestofthearray a.Inthesameway,thevaluesJbK(x

0j 2k 1

)aremutuallydistint,anddistint fromavaluezwhihllstherest ofthearrayb.

Thestatevariablesx j

willontainx j 1

,andx 0 j

willontainx 0j 2vj

.Weshallhave x

j =x

0 j

ifandonlyifv j

=0.

=hb:Enum 5u+1 ;x 1 ;x 0 1 ;x 2 ;x 0 2 ;x 00

:X;y;y 0

:Y;z;z 0

:Z ; a:X !Y;b:X !Zi

TheCSRquestioniswhetherthePSAanreahastatewithb=e j

froma statewithb=e

0 and

8x:Xa[x℄=y^b[x℄=z

Atontrolstatee 0

,therepresentationsoftheountersareinitialisedtozero, andwemoveto e

1 :

hi:b=e 0

^x 1

6=x 2

For an inrement L i : j := j

+1;gotoL i

, we have the following four instrutions:

hy y

:Y;z y

:Zi:b=e i

^y y

6=y^z y

6=z fb:=e

1 j;i 0 ;y 0 :=y y ;z 0 :=z y ;x 00 :=x 1 g

hi:b=e 1 j;i 0 ^x 00 =x 0 1

fb:=e 2 j;i 0;x 00 :=x 2 g hx y

:X;x z

:Xi: b=e

2 j;i 0 ^x 00 =x 0 2 ^a[x y

℄=y^b[x y

℄=z^b[x z

℄=z^a[x z

℄=y fb:=e

i 0; x 0 j :=x z ;a[x 0 j ;x y

℄:=y 0 ;y 0 ;b[x y ;x z

℄:=z 0 ;z 0 g hx y

:X;x z

:Xi: b=e

j 0 j;i 0 ^x y 6=x 00 ^x z 6=x y ^a[x 00 ℄=a[x

y

℄62fy;y 0

g^b[x y

℄=b[x z

℄6=z 0 fx 00 :=x z g

ForaderementL i

: j

:= j

1;gotoL i

0

,wehave:

hx y

:X;x z

:Xi: b=e

i ^x y 6=x j ^x z 6=x y ^a[x j ℄=a[x

y

℄6=y^b[x y

℄=b[x z

℄ fb:=e

i 0 ;x j :=x z ;a[x j ;x y

℄:=y;y;b[x y

;x z

℄:=z;zg

Azero-testL i

:if j

=0thengotoL i

0elsegotoL i

00 isrepresentedby

hi:b=e i

fb:=if x j =x 0 j thene i

0 elsee i

00g

X,-to-Y. Again,thedierenesfromtheaseXY-to-Boolarein howthe ountersarerepresented.

Here,werepresentvaluesv 1

andv 2

oftheounters 1 and 2 by2v 1 +2v 2 +2 entriesin anarraya:X !Y.Iftheirindiesare

x 1 1

<<x 1 2v 1 +1 <x 2 1

<<x 2 2v 2 +1 wehave: { JaK(x j 1

)=JaK(x j 3 ), { JaK(x j 2k

)=JaK(x j 2k +3

)forallk2f1;:::;v j 1g,and { JaK(x 1 1 ), JaK(x 2 1

), and all the values JaK(x j 2k

) are mutually distint, and distintfromavaluey whihlls therest ofthearraya.

Thestatevariablesx j

willontainx j 1

,and x 0 j

and x 00 j

will ontainx j 2vj and x j 2v j +1

.Weshallhavex j

=x 0 j

ifandonlyifv j

=0.

=hb:Enum 5u+1 ;x 1 ;x 0 1 ;x 00 1 ;x 2 ;x 0 2 ;x 00 2 ;x [ ;x ℄ :X; y;y 0

:Y;a:X!Yi

TheCSRquestioniswhetherthePSAanreahastatewithb=e j

froma statewithb=e

0 andwemoveto e

1 :

hy y

:Y;y z

:Yi:b=e 0 ^x 1 <x 2 ^y y

6=y^y z

62fy;y y

g fb:=e

1 ;x 0 1 :=x 1 ;x 00 1 :=x 1 ;x 0 2 :=x 2 ;x 00 2 :=x 2 ;a[x 1 ;x 2

℄:=y y

;y z

g

ForaninrementL i

: j

:= j

+1;gotoL i

0,wehavethefollowingve instru-tions.Thethirdandfourthinstrutionsextendtherepresentationsof

1 and

2

respetively,orrespondingtotheinrement.Theydieronlybeausethe onstraintx 1 2v1+1 <x 2 1

needstobemaintainedwheninrementing 1

.

hy y

:Yi:b=e i

^y y

62fy;a[x 1

℄gfb:=e 1 j;i

0 ;y

0 :=y;x

[ :=x 1 ;x ℄ :=x 1 g

hi:b=e 1 j;i

0^x [ =x 0 1 ^y 0 6=a[x 2

℄fb:=e 2 j;i 0;x [ :=x 2 ;x ℄ :=x 2 g hx y :X;x

z

:Xi:b=e 2 1;i 0 ^x [ =x 0 2 ^x 00 1 <x y <x z <x 2 fb:=e

i 0 ;x 0 1 :=x y ;x 00 1 :=x z ;a[x y ;x z

℄:=y 0 ;a[x 0 1 ℄g hx y :X;x

z

:Xi:b=e 2 2;i 0 ^x [ =x 0 2 ^x 00 2 <x y <x z fb:=e

i 0 ;x 0 2 :=x y ;x 00 2 :=x z ;a[x y ;x z

℄:=y 0 ;a[x 0 2 ℄g hx y

:X;x z

:Xi:b=e j 0 j;i 0 ^a[x [ ℄=a[x

z ℄^x

℄ <x y <x z ^y 0 6=a[x y ℄ fx [ :=x y ;x ℄ :=x z g ForaderementL

i :

j :=

j

1;gotoL i

0

,wehave:

hx y

:X;x z

:Xi:b=e i

^a[x j

℄=a[x z

℄^x j <x y <x z ^a[x y

℄6=y fb:=e

i 0;x

j :=x y ;x 00 j

:=if x 00 j =x z thenx y elsex 00 j ;a[x j ;x z

℄:=y;yg

Azero-testisrepresentedby:

hi:b=e i

fb:=if x j =x 0 j thene i 0 elsee i 00 g 2

Corollary 1. For lasses of PSAs obtained by extending the lasses above to allow resetsofarrays, uninitialised CSRisundeidable. 2

In [22℄,it was shown that uninitialised CSR is deidable for systems with arraysfromXwithequalitytoenumeratedtypes.In[19,Chapter8℄,deidability ofthesameproblemwasshownforsystemswithanarrayfromXwithequalityto Y withequality.Theorem1tellsusthatdeidabilityfailswhentheformerarrays are generalisedto two-dimensional, and when thelatter arrays aregeneralised toX withalinearordering.

-to-LetX,-to-EnumbethelassofallPSAs(; ;;R ;I)suh that:

{ =fXgand =h X

:XX !Booli;

{ thetypeofany arrayvariablein ,and ofany arrayparameterin R ,isof theform X!Enum

m ;

{ I onsistsofall(!;)suhthat!assignstoX some ^

k,andassignsto X thelinearorderingon

^ k.

Theorem2. Initialised and uninitialised CSR problems are deidable for the lass X,-to-Enum.

Proof. SupposewehaveaninstaneoftheinitialisedoruninitialisedCSR prob-lem,whihisforaPSA(; ;;R ;I)inthelassX,-to-Enum.Weshowhow to redue thisto whether amonadiMSR(NC) speiation(P;NC;I;R) an reah the upward losure of a nite set of onstrained ongurations U. The latterproblemwasproveddeidablein[6℄.

Weanusethe following properties ofthe typed-alulus to simplify the statevariables:

{ anyvariable ofproduttypeB 1

B n

is representableby variablesof typesB

1 ,...,B

n ;

{ anyvariableofsumtypeB 1

++B n

isrepresentablebyavariableofthe enumeratedtypeEnum

n

andvariablesoftypesB 1

,...,B n

;

{ a nite number of variables of enumerated types is representable by one variableofenumeratedtype;

{ a nite number of arrays of types X ! Enum m

1

, ..., X ! Enum m

k is representablebyonearrayoftypeX !Enum

m 1

m k

.

Weanthereforeassumeis oftheform

hb:Enum n

;x 1

:X;:::;x l

:X;a:X!Enum m

i

Theparametersof any instrutionin R anbe simplied in thesame way. Furthermore,aninstrutionwith aparameteroftype Enum

n 0

is equivalent to n

0

instrutionswithoutthat parameter.Weanthusassumetheparametersof any2R areoftheform

hx l+1

:X;:::;x l+l

0 :X;a 0

:X !Enum m

0i

andthat thistypeontextis thesameforallinR . An instrution whose guardis adisjuntion _

0

is equivalentto two in-strutionswithguardsand

0

.Therefore,usingredutionoftermsofthetyped -alulustonormalform,weanassumethattheguardofany2Risofthe form

b=f^ l+l

0 ^

a[x i

℄=g i

^ l+l

0 ^ a

0 [x

i ℄=g

0 i

where f 2 fe 1

;:::;e n

g,g i

2 fe 1

;:::;e m

g, g i

2 fe 1

;:::;e m

0g,

and d is an NC onstraintoverx

1 ,...,x

l+l 0

,i.e. 6

d::=false jtruejx i =x j jx i <x j

jd^d 0

Finally,using redutionoftermsto normalform again,weanassumethat theassignmentsofany2Rareoftheform

fb:=f 0

;x 1

:=y 1

;:::;x l

:=y l

; a:=x:Xif x=x

1 theng

00 1

elseif x=x l+l 0 theng 00 l+l 0 elseh[(a[x℄;a 0 [x℄)℄g wheref 0 2fe 1 ;:::;e

n g,y

i 2fx

1 ;:::;x

l+l 0g, g 00 i 2fe 1

;:::;e m

g,andhrepresents afuntionfrom Enum

m Enum m 0 into Enum m .

Wenow onstruta monadi MSR(NC) speiation (P;NC;I;R). Let P onsistof:

{ nullaryprediatesymbolsz,nz,b 1

, ...,b n

; { unaryprediatesymbolsx

1 ,...,x

l ; { unaryprediatesymbolsaa

0 i;j

fori2f1;:::;mg,j2f0;1;:::;m 0

g. NCis thesystemofnameonstraints[6℄:

'::=falsejtrue jx=x 0

jx<x 0

j'^' 0

NConstraintsareinterpretedovertheintegersZ.Theusualentailmentrelation forlinearintegeronstraintsisusedanddenoted v

.

ThesimpliationsofthestatevariablesabovemeanthattheCSRproblem nowreferstoaprojetionofthestatevariableb.Thusweneedtodeidewhether astatein whihb hasoneof aset ofvaluesis reahablefrom astatein whih b has oneof another set of values(and the array statevariable a is initialised appropriately). This is equivalent to a nite number of questions for pairs of valuesofb,soweanwork withtheoriginalform oftheCSR problem.

IftheCSRproblemisuninitialised,i.e.todeidewhetherastatewithb=e j is reahable from astate with b =e

i

, letI onsistof all ongurationsof the form

zjb i

jx 1

(v 1

)jjx l

(v l

)jaa 0 i 1

;0

(1)jjaa 0 i k

;0 (k) suhthatk isapositiveintegerandv

1 ;:::;v

l 2

^ k.

IftheCSR problemis initialised,i.e. to deidewhetherastatewith b=e j is reahablefrom astate withb=e

i

and8x:Xa[x℄=t a

, letI onsist ofall ongurationsasabove,suhthatin additionalli

i 0 equal Jt a K fX7! ^ kg;f X 7! ^ k ;b7!i;x 1 7!v 1 ;:::;x l 7!v l g

Foranyinstrution2R ,whoseformisasabove,Rontainsarule nzjb

f jx

1 (x

1

)jjx l

(x l

)jaa 0 g 1 ;g 0 1 (x 1

)jjaa 0 g l+l 0 ;g 0 l+l 0 (x l+l 0 ) ! zjb

f 0jx

1 (y

1

)jjx l

(y l

)jaa 0 g 00 1 ;0 (x 1

)jjaa 0 g 00 l+l 0 ;0 (x l+l 0) [aa 0 i;j (x 0 i;j

),!aa 0 JhK(i;j);0

(x 0 i;j

):i2f1;:::;mg^j2f1;:::;m 0

g℄:d 6

Here t =t 0

and t < t 0

are abbreviations for t t 0

^t 0

tand t t 0

^:t 0

x 1

, ..., x l+l

0 and x

0 i;j

insteadof extending by equalities the onstraint of the rule.

Thepurposeoftheprediatesymbolszandnz,andtheindies0inthe rea-tionsaa

0 i;j

(x 0 i;j

),!aa 0 JhK(i;j);0

(x 0 i;j

),istoensurethat alwaysaa 0 i;j

6=aa 0 JhK(i

0 ;j

0 );0

, asrequiredin[6,Denition27℄.Thefollowingrulehangesallsuhindiesto1. Using theprediatesymbolsz and nz, this ruleis redin alternationwith the rulesabove.

z !nz[aa 0 i;0

(x 0 i

),!aa 0 i;1

(x 0 i

):i2f1;:::;mg℄:true

Whenj 6=0,anatomiformulaaa 0 i;j

(x) representsa[x℄=e i

anda 0

[x℄=e j

. The remaining rules, onefor eah i 2 f1;:::;mg and j 2 f2;:::;m

0

g, an be redanarbitrarynumberoftimesafterthepreviousrule.Theyensurethatthe valuesa

0

[x℄anbearbitrary,orrespondingtothearraya 0

beingaparameterin theinstrutionsin R .

nzjaa 0 i;1

(x) !nzjaa 0 i;j

(x):true

For any state(!;;)of thePSA(; ;;R ;I), where ! =fX 7! ^ kgand =f

X 7!

^ k

,let

F(!;;)=zjb JbK

jx 1

(Jx 1

K)jjx l

(Jx l

K)jaa 0

JaK(1);0

(1)jjaa 0

JaK(k );0 (k)

ItisstraightforwardtoshowthattheMSR(NC) speiation(P;NC;I;R)an reah a onguration M with ( z) 2 M from F(!;;) if and only if M = F(!;;

0

)forsomestate(!;; 0

)reahablefrom(!;;). LetU=fzjb

j

:trueg.ThenthePSAanreah astatewith b=e j

ifand onlyiftheMSR(NC)speiationanreahaongurationinJUK,i.e.a ong-urationontainingz andb

j

.By[6,Theorem 2℄,there isanalgorithmtodeide the latter. (The algorithm in [6℄ involves elimination of existential quantiers fromNConstraints,whihisnotpossibleingeneral.However,itis straightfor-wardto overomethis problem, byusing an auxiliaryunary prediate symbol "(x). Instead ofeliminating 9x, wekeep"(x) in the onstrainedonguration. Theseprediatesdonothangethedenotationsoftheonstrainedongurations M,but theyaddemptymultisetsintothestringsStr(M).) 2

Example 3. Our model of the Bully Algorithm is in the lass X,-to-Enum. Theorem 2givesus adeision proedure for initialised and uninitialised CSR problems,suhasthosein theexamplein Setion3.

6 Future work

Chap-WethankSaraKalvalaforausefuldisussion.

Referenes

1. M.Bozzano andG.Delzanno,Beyond Parameterized Veriation,Proeedingsof TACAS'02,LetureNotesinComputerSiene2280,221{235,2002.

2. M.BozzanoandG.Delzanno,Automati VeriationofInvalidation-based Proto-ols,ProeedingsofCAV'02,July2002.

3. E.M.Clarke,O.GrumbergandD.A.Peled,ModelCheking,MITPress,January 2000.

4. G. Delzanno, Automati veriation of parameterized ahe oherene protools, Proeedingsofthe12thInternationalConfereneonComputer-AidedVeriation (CAV2000),LetureNotesinComputerSiene1855,53{68,Springer,July2000. 5. G. Delzanno, An Assertional Language for Systems Parametri in Several Di-mensions,ProeedingsoftheWorkshoponVeriationofParameterizedSystems (VEPAS 2001), Eletroni Notes in Theoretial Computer Siene 50, Elsevier, 2001.

6. G.Delzanno,OntheAutomatedVeriationofParameterizedConurrentSystems withUnboundedLoalData,TehnialReport,DipartimentoInformatiaeSienze dell'Informazione,UniversitadiGenova,2002.Revisedandextendedversionof[5℄, [1℄,[2℄.

7. E.A. Emerson and K.S. Namjoshi, On model heking for non-deterministi innite-state systems,Proeedingsofthe13thAnnualIEEESymposiumonLogi inComputerSiene(LICS),1998.

8. J.Esparza, Deidability andomplexity of Petrinetproblems |an introdution, LeturesonPetriNetsI:BasiModels,AdvanesinPetriNets,LetureNotesin ComputerSiene1491,374{428,Springer,1998.

9. J. Esparza, A. Finkel and R. Mayr, On the veriation of broadast protools, Proeedingsofthe 14thAnnualIEEESymposiumonLogiinComputerSiene (LICS),352{359,July1999.

10. H.Garia-Molina,Eletionsinadistributedomputingsystem,IEEETransations onComputers31(1):48{59,1982.

11. S.M.GermanandA.P.Sistla,ReasoningaboutSystemswithManyProesses, Jour-naloftheACM39(3):675{735,1992.

12. AnnualInternationalWorkshopsonVeriationofInnite-StateSystems (INFIN-ITY).

13. R.S.Lazi,T.C.NewombandA.W.Rosoe,Onmodelhekingdata-independent systemswitharrayswithoutreset,ProgrammingResearhGroupResearhReport RR-02-02,31pages,OxfordUniversityComputingLaboratory,January2002. Re-visedversiontoappearinthejournalTheoryandPratieofLogiProgramming (TPLP),CambridgeUniversityPress.

14. R. Lazi and A.W. Rosoe, Verifying determinism of onurrent systems whih useunboundedarrays,Proeedingsofthe3rdInternationalWorkshopon Veria-tionofInnite-StateSystems(INFINITY'98),ReportTUM-I9825,2{8,Tehnial UniversityofMunih,July1998.

eterizedSystems, Proeedings ofthe13thInternationalConfereneonComputer AidedVeriation(CAV2001),LetureNotesinComputerSiene2102,311{323, Springer,July2001.

17. N.M.Minsky,FiniteandInniteMahines,Prentie-Hall,1967.

18. J.C. Mithell,TypeSystemsforProgrammingLanguages,in[23℄,365{458. 19. T.C. Newomb,Model Cheking Data-Independent Systems with Arrays, D.Phil.

thesis,ComputingLaboratory,OxfordUniversity,2003.

20. S.Qadeer,Verifying sequential onsisteny onshared-memory multiproessors by model heking, IEEE Transationson Parallel and Distributed Systems 14(8), August2003.

21. J.-F. Raskin and L. Van Begin, Petri Nets with Non-bloking Ars are DiÆult toAnalyse,ProeedingsoftheInternationalWorkshoponVeriationof Innite-StateSystems(INFINITY2003),Eletroni NotesinTheoretial Computer Si-ene.

22. A.W.RosoeandR.S.Lazi,Whatanyoudeideaboutresetablearrays?, Proeed-ingsofthe2ndInternationalWorkshoponVeriationandComputationalLogi (VCL'2001), Tehnial Report DSSE-TR-2001-3,5{23, Delarative Systems and SoftwareEngineering ResearhGroup,DepartmentofEletronis andComputer Siene,UniversityofSouthampton,September2001.