http://wrap.warwick.ac.uk/
Original citation:
Lazic, Ranko, Newcomb, T. and Roscoe, A. W. (2004) On model checking
data-independent systems with arrays with whole-array operations. University of Warwick.
Department of Computer Science. (Department of Computer Science Research Report).
CS-RR-395
Permanent WRAP url:
http://wrap.warwick.ac.uk/61312
Copyright and reuse:
The Warwick Research Archive Portal (WRAP) makes this work by researchers of the
University of Warwick available open access under the following conditions. Copyright ©
and all moral rights to the version of the paper presented here belong to the individual
author(s) and/or other copyright owners. To the extent reasonable and practicable the
material made available in WRAP has been checked for eligibility before being made
available.
Copies of full items can be used for personal research or study, educational, or
not-for-profit purposes without prior permission or charge. Provided that the authors, title and
full bibliographic details are credited, a hyperlink and/or URL is given for the original
metadata page and the content is not changed in any way.
A note on versions:
The version presented in WRAP is the published version or, version of record, and may
be cited as it appears here.For more information, please contact the WRAP Team at:
with arrays with whole-array operations ?
RankoLazi 1??
,TomNewomb
2
,andBillRosoe 2
1
DepartmentofComputerSiene,UniversityofWarwik,UK 2
ComputingLaboratory,UniversityofOxford,UK
Abstrat. Weonsider programswhiharedataindependentwith
re-spet to two type variables X and Y, and anin addition use arrays
indexedby X and storingvaluesfromY.Weare interestedinwhether
a programsatises its ontrol-state unreahability speiation for all
non-emptyniteinstanesofXandY.Thedeidabilityofthisproblem
withoutwhole-array operationsisaorollarytoearlier results.
Weaddressthepossibleadditionoftwowhole-arrayoperations:anarray
reset instrution, whih sets every element of an array to a partiular
value, andanarrayassignment or opyinstrution. Forprogramswith
reset, we obtain deidability if there is onlyone array or if Y is xed
to be the boolean type, and we obtain undeidability otherwise. For
programswitharrayassignment,weshowthattheyaremoreexpressive
thanprogramswithreset,whihyieldsundeidabilityifthereareatleast
threearrays.Wealsoobtainundeidabilityfortwoarraysdiretly.
Keywords:modelheking,innite-statesystems,dataindependene,
arrays
1 Introdution
A system is data independent (DI) [1,2℄ with respet to a type if it an only
input,output,movevaluesofthattypearoundwithinitsstore,andtestwhether
pairs of suh values are equal. This has been exploited for the veriation of
ommuniationnetworks[3℄,proessors[4℄,andseurityprotools[5℄.
WeonsiderprogramsDIwithrespettotwodistinttypesX andY,whih
aninadditionusearrays(ormemories),indexedbyX andstoringvaluesfrom
Y. Wehavealreadyshownthat apartiularlass of programsthat donotuse
whole-array operations (i.e. ones that an only read and write to individual
loations in the array) are amenable to model heking [6℄. In this paper, we
studywhathappenstothesedeidabilityresultsontheadditionofwhole-array
operations.
?
We aknowledge support from the EPSRC Standard Researh Grant `Exploiting
DataIndependene',GR/M32900.Therstauthorwasalsosupportedbyaresearh
grantfromthe Intel Corporation,the seondauthorbyQinetiQ Malvern,and the
thirdauthorbytheUSONR. ??
ohereneprotools[7℄.SuhprotoolsareDIwithrespettothetypesof
mem-oryaddressesanddatavalues.Anotherappliationareaisparameterised
veri-ationofnetworkprotoolsbyindution,whereeahnodeofthenetworkisDI
with respet to thetype of node identities [3℄.Arraysarise when eah node is
DIwithrespettoanothertype,anditstoresvaluesofthattype.
The tehniques whih we used to establish deidability of parameterised
model hekingforDI programswitharraysannotbeused whenwhole-array
operationsareintrodued.Thepartial-funtions semantisused therereliedon
thefat thatthere ouldalwaysbepartsofthearraythat were`untouhed'by
theprogram,andanthereforebeassumedto holdanyrequiredvalue.
Inorder to investigatedata independene with arrays,we introdue a
pro-gramming framework inspired by UNITY [8℄, where programs have state and
exeute in disrete steps depending only on the urrent state. Although data
independenehasbeenharaterisedinmanyotherlanguages,e.g.[1,9,10℄,our
languageisdesignedtobeasimpleframeworkforthestudyofdataindependene
withoutthelutterofdistratinglanguagefeatures.
Given a DI program with arrays and a speiation for the program, the
main question ofinterest is whether theprogram satises thespeiationfor
all non-empty nite instanes of X and Y. The lass of speiationswe will
beonsideringhereisontrol-stateunreahability,whihanexpressanysafety
property. Forsuh speiations, we observethat theanswerto theabove
pa-rameterisedmodel-hekingproblemforniteinstanesreduestoasinglehek
withX andY instantiatedto innitesets.
Weonsiderthereset(orinitialiser)instrution,whihsetseveryloationin
anarraytoagivenvalue.Thisisusefulformodellingdistributeddatabasesand
protoolswithbroadasts.Weprovethatsuhsystemswithexatlyonearrayare
well-strutured[11℄,showingthatunreahabilitymodelhekingisdeidablefor
them.However,wealsoshowthatforprogramswithjust twoarrayswithreset,
unreahabilityisnotdeidable:thisresultisaquiredusinganemulationbysuh
systemsofuniversalregistermahines 3
.Wefurthershowthatunreahabilityis
deidableforprogramswitharbitrarilymanyarrayswithresetwhenY isnota
typevariable,butisxedtobethebooleantype.Insuhprograms,anyboolean
operationanbeused,sineitanbeexpressedin termsofequalitytests.
Thestudyofaheprotoolsmotivatesanarrayassignment(orarrayopy)
instrution, for moving bloks of data between memory and ahe or setting
up the initial ondition that the ontents of the ahe aurately reets the
ontents of the memory. For programs with array assignment, we show that
theyaremoreexpressivethanprogramswithreset,whih yieldsundeidability
if there are at leastthree arrays. Wealso obtainundeidability for twoarrays
bydiretemulationofuniversalregistermahines.
Programswitharrayswithresetareomparabletobroadastprotools[12℄.
Thearraysanbeusedtomapproessidentierstoontrolstatesordatavalues,
3
om-state, might be mimiked by a reset instrution. In [12℄, it is shown that the
model heking of safety properties is deidable for broadast protools. This
resulthastehnialsimilaritiestothedeidabilityresultsinthispaper.However,
arraysanontaindata whose type is aparameter(i.e. an unboundedly large
set),whereasthesetofstatesofaproessin abroadastprotoolisxed.
OurdeidabilityresultsarealsorelatedtodeidabilityresultsforPetriNets.
Theresultforarraysstoringbooleansisrelatedtothedeidabilityofthe
Cover-ingProblemforPetriNetswithtransferars[11℄:thedierenesinformalisms,
espeiallythatwehavestatevariableswhihanindexthearrays,makeour
re-sultinteresting.Programswithanarraystoringdatawhosetypeisaparameter
are relatedto Nested PetriNets[13℄ with transferars: in addition to
formal-ismdierenes,deidabilityoftheCoveringProblemforNestedPetriNetswith
transferarshasnotbeenstudied.
Anotherrelated tehnique is symboli indexing [14℄,whih is appliable to
iruitdesignswithlargememories.However,theproedurereliesonaasesplit
whihmustbespeiedmanually,andonlyxed(althoughlarge)sizesofarrays
anbeonsidered.
SomeoftheresultsinthispaperwereannounedbytheauthorsattheVCL
2001workshop,whoseproeedingswerenotformallypublished.Thispaperan
beonsideredanabridgedversionofChapters3,8and9of[15℄,andreadersare
advisedtoonsultthisrefereneforfurther detailsandfullproofs.
2 Preliminaries
Awell-quasi-orderingisareexiveandtransitiverelationwhihhasthe
prop-ertythatforanyinnitesequeneofstatess 0
;s 1
;:::,thereexisti<jsuhthat
s i
s
j .
Atransition systemisastruture(Q;Q 0
;!;P;pq)where:
{ Qisthestatespae,
{ Q
0
Qisthesetofinitial states,
{ !QQisthesuessorrelation,relatingstateswiththeirpossiblenext
states,
{ P isanitesetofobservables,
{ pq:P !2 Q
istheextensionsfuntion,suh that S
fppqjp2Pg=Q(i.e.
everystatehasat leastone observable).Thusppqis theset of statesin Q
thathavesomeobservablepropertyp.
GiventwotransitionsystemsS 1
=(Q 1
;Q 0 1
;! 1
;P;pq 1
)andS 2
=(Q 2
;Q 0 2
;! 2
;P;pq 2
)overthesameobservablesP,arelationQ 1
Q
2
isabisimulation
betweenS 1
andS 2
whenthefollowingveonditionshold:
1. Ifst,thenforeveryp2P,wehavethat s2ppq 1
it2ppq 2
.
2. Foralls2Q 0 1
,thereexists t2Q 0 2
suhthat st.
3. Ifst ands! s 0
thenthereexists t 0
2Q suh thats
0
t
0
andt! t 0
4. Forallt2Q 2
, thereexistss2Q 1
suhthat st.
5. Ifst andt! 2
t 0
thenthereexistss 0
2Q
1
suhthats 0
t
0
ands!
1 s
0 .
Inthisase,weansaythatthetransitionsystemsS 1
and S 2
arebisimilar.
Astate sis reahable in atransition system S =(Q;Q 0
;!;P;pq)if there
existsasequeneofstatess 0
!s
1
!!s
n
suhthats 0
2Q
0 ands
n =s.
3 Language
A type is one of the following: the booleans Bool, the natural numbers Nat,
eitherofthetypevariables X orY,andthearraytypesT 2
[T 1
℄whereT 1
andT 2
arenon-arraytypes.
A type ontext is a mapping from variables (whih are just mathematial
symbols)to types.Foratypeontext wewill write `x:T if mapsthe
variablex to thetypeT,and saythatx has typeorisof typeT in . Wemay
omit in these notations ifthe typeontext weare referringto is obvious or
unambiguous.
Atypeinstaneforatypeontext (orforaprogramwithtypeontext )
givestwoountablenon-emptysetsasinstanesforX andY.Wemayalsotalk
of(in)nitetypeinstanes,whihmaponlyto (in)nitesets.
Astatesofatypeontext (orofaprogramwithtypeontext )together
withatypeinstaneI for isafuntion mappingeahvariableusedin toa
onretevalueinitstype.Thesetofallstatesofatypeontext(orofaprogram)
isalled thestatespae.Wemaywrites(a[x℄) asashorthandfors(a)(s(x)).
Theinstrutionsassoiatedwithatypeontext areasdisplayedin Table
1,whereT 1
andT 2
rangeoverthenon-arraytypes.
Instrution Typeonstraintson
Boolean ?b;b;b b:Bool
Data ?x;x=x
0 ;x6=x
0
x;x 0
:X orY
Array
?a[x℄;a[x℄=y
reset(a;y);a[℄:=a 0
[℄ a;a
0 :T
2 [T
1 ℄;
x:T1; y:T2
Counter in (r);de(r);isZero (r) r:Nat
Table1.Instrutions
The?operator representsthe seletion(orinput) of avalueinto avariable
or loation.There arealsoguarding(or bloking)instrutionssuhasequality
testingx=x 0
,thatdonotupdatethestatebutwhihanonlyproeediftrue.
Theinstrutionsb andbanproeedonlyifb isrespetivelytrueorfalse.
Theinstrutionreset(a;y)willimplementanarrayresetorinitialiser
oper-ation, settingeveryloationin anarrayato apartiularvaluey.There isalso
omparedto zero.
Theoperations ofatypeontext aregeneratedbythegrammar:
Op ::= Op;Op jOp+Op jOp
jI
whereI isany -permittedinstrution.Theoperatorombinatorsaresequential
omposition (;),hoieor seletion(+), andniterepetition (
).
We may use syntati abbreviations suh as x := x
0
for ?x;x = x 0
or
while Op
1
do Op
2
od for (Op 1
;Op 2
)
;:Op 1
. We may use brakets () or
indentationsin programsto showpreedene.
Aprogramwithtypeontext issyntaxoftheforminitOp I
repeatOp
T ;
where the initial operation Op I
and the transitional operation Op T
are both
-operations.
Given a program P = init Op
I
repeat Op
T
and a type instane I for
the program, the semantis of the program under I is the transition system
hhPii I
= (Q;Q
0
;!;P;pq);where
{ Q(states)is thestatespaeoftheprogramP withthetypeinstane I,
{ Q
0
(initial states)is theset ofallstatesthat anresultfrom theexeution
ofOp I
fromanystatein Q(i.e.thevariablesandallloationsinthearrays
anbeonsideredarbitrarilyinitialised before theexeutionofOp I
),
{ !istherelationinduedbytheoperationOp T
,
{ P (observables)is theset ofbooleanvariablesusedin P.
{ pqisamappingfromP tosetsinQsuhthatpbq=fsjs(b)=trueg.
P an bethought of asexeutingOp I
one from any stateto form the set
ofinitial statesofthetransitionsystem.Fromthese, repeatingthetransitional
operationOp T
forever(orforaslongasityieldsnextstates)generates
sues-sive sets of nextstates. Note that eah iterationof the transitional operation
generatesanynumberoftransitions (eahof lengthone)in thenal transition
system.
Note1. AUNITYprogramoverasetofvariablesonsistsofaninitialondition,
followedbyasetofguardedmultipleassignments[8℄.AUNITYprogramanbe
expressed in ourlanguage quite naturally, although extra temporary variables
maybeneededtoreproduemultiplesimultaneousassignment.Conversely,any
program in our languageanbeonverted to aUNITY program whih would
haveequivalentobservationalbehaviourwheneverabooleansignalistrue.
Furtherdisussionofmotivationandappliationofthelanguage,and
exam-pleprograms,anbefoundin[15℄. ut
4 Model-heking problems
Theontrol-stateunreahability problemCUforalassofprogramsCis:`Given
I
niteandinnitetypeinstanesrespetively.
Theparameterised ontrol-state unreahability problem PCU for a lass of
programsC is:`GivenanyprogramP from thelassC and anybooleanbfrom
theprogramP,are allstateswhih mapb to trueunreahablein hhPii I
forall
possibletypeinstanesI forP?'WewillwriteFinPCUtorestrittheproblem
tojust nitetypeinstanes.
Thedata independene ofthe datatypes meansthat systemswith
equinu-meroustype instanes areisomorphi. Therefore,InfPCU is in fat thesame
problemasPCU .
Weanusethefollowingtheoremtodedueresultsabouttheparameterised
model-hekingproblemforallnitetypesfromheksusingjustonepartiular
innitetypeinstane.
Theorem1. Suppose we have a program P without variables of type Nat, a
booleanvariable b ofP,andaninnite typeinstaneI
for P.Then,
b reahable inhhPii ? I
() 9Ib reahable inhhPii I
:
where9I existentiallyquantiesonly overnitetypeinstanesfor P. ut
Corollary 1. Forapartiularlassofprograms,InfCUisdeidableifandonly
if FinPCU isdeidable. ut
A DI system with arrays with resetis a program with novariables of type
Nat whihmaynotusearrayassignment,andoftheform
init (;
a
?y;reset(a;y));Op I
repeatOp
T ;
whereyisanyvariablewithtypeY.Itissensibletoassumethattheprogramhas
suhavariable,otherwiseitwouldbeunabletoreadfromorwritetoitsarrays.
The notation (; a
) means repetition of syntax, replaing a with a dierent
arrayeahtime,inanyorder.
Inthe above denition of DI systems with arrayswith reset, the prex of
instrutionsensuresthatallarraysareinitialised(i.e.reset)toarbitraryvalues.
Thissimpliesproofsalittle.
Auniversalregistermahine(URM)isaprogramthatmayonlyusevariables
oftypeBoolorNat .Theprogrammustbeoftheform
init (;
r
isZero(r));Op I
repeatOp
T :
wheretheoperationbeforeOp I
enumera-5.1 One array storingdata from a variable type
Inthissetionwewillprovethat parameterisedmodelhekingofontrol-state
unreahabilitypropertiesfor systemswithonearrayof typeY[X℄ withresetis
deidable.Webeginwiththefollowingruialobservation.
Note2. Arraysareinitialisedatthebeginningoftheprogram,andatanystate
thereisonlyeveranitenumberofinstrutionssinethelastresetona
partiu-lararray.Thereforeeverypossiblereahablestatewillhaveonlyanitenumber
ofloationsineaharraythataredierentfrom thelastresetvalue. ut
LetP be a DIprogram with only one(resettable) array, and let I
be an
innitetypeinstaneforP.LethhPii I
=(Q;Q 0
;!;P;pq).Toaidthefollowing
proof, we restritQ (and Q 0
also) to ontain only statesthat onform to the
observationmadeinNote2|thatthereareonlynitelymanydierentvalues
inthearrayatanytimeandonlyoneofthemoursinnitelyoften|asother
statesanneverbereahable.Thissimpliesthepresentation,althoughitwould
bepossible nottorestritQand tojust mentionthisat therequiredplaesin
theproof.
Wedenesomenotationbeforegivingthewell-quasi-orderingonthestates.
Denition1. Fora states,asubset V of I
(X), andavalue w2I
(Y), we
will denote the number of ourrenesof w in loations V in the array s(a) as
C s
(V;w), whih an beformallydenedasfollows:
C s
(V;w)=jfv2V js(a)(v)=wgj:
Notethat the answer willbe 1if V isaninnite set andw isthe value ofthe
lastreset,elseitwill beanaturalnumber. ut
Wewritey::Y tomeanyisatermoftypeY |thatis,yiseitheravariable
y:Y ory issyntaxoftheforma[x℄wherex:X.Wewillalsouse:
s(:X)=fs(x)jx:Xg and s(::Y)=fs(y)jy::Yg:
Foreaseofpresentation,wemayalsowriteX andY tomeanI
(X)andI
(Y)
whenitislearthatasetisrequiredratherthanatypesymbol.
Denition2. The relation QQisdenedasst ithereexist bije
-tions:
:s(:X) =
!t(:X) and :s(::Y) =
!t(::Y)
suhthat allof thefollowing:
1. s(b)=t(b)for all b:Bool.
arrayt(a) asthere arew'sins(a), exludingloations whih arethe terms.
Formally:
C s
(Xns(:X);w)C t
(Xnt(:X);(w)):
5. There exists an injetion : Y ns(::Y)
! Y nt(::Y) suh that all other
valuesfrom thetypeY notdealt withabove anbe mathedupfroms(a) to
t(a)inthe mannerofCondition 4above, butwiththe injetion instead of
thebijetion . Formally: for all w2Y ns(::Y),
C s
(Xns(:X);w)C t
(Xnt(:X);(w)): ut
Example 1. Weillustratethedenitionofonanexamplepairofstatessand
t.The rst three onditionssay that boolean variables must beequaland the
terms musthave thesame equalityrelationship onthem. Wewill fousof the
nal twoonditions,whihareused toomparetheparts ofthearraythat are
not referenedby theurrentvaluesof X-variables(i.e. loationsthat arenot
immediatelyaessibleintheurrentstatebeforedoinga?x instrution).
Condition4saysthat,foreahtermy ::Y,there mustbeatleast asmany
t(y)'sin therestofthearrayt(a) (i.e.loationsnotreferened byX-variables)
thanthereares(y)'sintherestofthearrays(a).
Suppose s has no other loation in the array holding a value equal to the
valueoftermy 0
;similarly,supposetherearefour,one,andthreeotherloations
ontainingthevaluess(y 1
);s(y 2
)ands(y 3
)respetively.Thisisrepresented
pi-torially asahistogram: see Figure 1(a). Condition4 ofs 0
t holds for any t
whoseorrespondinghistogram`overs'thehistogramofs.
0
1
2
3
4
y
y
y
0
1
2
3
y
(a)
(b)
0
1
2
3
4
5
Fig.1.Histogramrepresentationofarraywithreset
Condition5saysthatthesamerelationshipholdsfor alltheotherY-values
insteadofhavingtoonsidereverypossiblepermutation.
Suppose the state s was last reset to a value v 0
whih is not equal to a
valueheld inanyterm:thearraywillthereforeholdaninnitenumberofthese
values. Thearraymay also hold anite number of other values:suppose s(a)
alsoholds distintvaluesv 1
;:::;v 5
(whihare dierentfrom v 0
andthevalues
ofanyterms)inardinalitiesve,four,four,two,andonerespetively.Thisan
be representedas ahistogram: see Figure 1 (b). Condition 5 requires that t's
orrespondinghistogramoversthatofs. ut
Thefollowingtwopropositionstellusthat hhPii I
isawell-strutured
tran-sitionsystem[11℄.
Proposition1. Therelationisawell-quasi-ordering onthestatesetQ. ut
Proposition2. The relation is stronglyupwardompatible with !, i.e. for
all st ands!s 0
thereexistst 0
2Qsuhthat t!t 0
ands 0
t
0
. ut
Anystatesanberepresentednitelybyatuplewiththefollowing
ompo-nents:
{ thevaluesofthebooleanvariables;
{ theequivalenerelationsonthevariablesoftypeX andontermsoftypeY
induedbytheequalityof valuesstoredinthem;
{ foreahy::Y,thevalueC s
(Xns(:X);s(y));
{ abag(i.e.multiset) onsistingof,foreahw2Y ns(::Y),thevalue
C s
(Xns(:X);w)
ifitisnon-zero. 4
Thisrepresentationyieldsaquotient \ hhPii
I
ofthetransitionsystemhhPii I
,
whih is awell-strutured transition systemwith respet to thequotient ^
of
the quasi ordering . Moreover, for any state representation s,^ a nite set of
state representations whose upwardlosure is "Pred(" ^s) is omputable, and
^
is deidable. Therefore, ontrol-state unreahability an be deided by the
bakwardset-saturationalgorithmin[11℄.
Theorem2. Theproblems InfCUandFinPCUaredeidablefor thelass of
DIprogramswith resetwith justonearrayoftypeY[X℄. ut
5.2 Multiplearrays storing boolean data
HereweonsiderDIprogramsthatusemultiplearraysallindexedbyatype
vari-ableXandstoringbooleanvalues.Deidabilityofparameterisedmodelheking
of ontrol-state unreahabilityproperties for these systemsfollows similarly as
forsystemsin Setion5.1.
Thefollowingarethemaindierenesin deningthequasiordering:
withrespettoit.Therefore,thefuntion mustberemoved(i.e.replaed
withtheidentityrelation)fromDenition 2.
{ InDenition1,redene theC s
operator totakeavetorofbooleanvalues
w=(w 1
;:::;w n
)ratherthanasinglevalue:
C s
(V;(w 1
;:::;w n
))=jfv2V j8is(a i
)(v)=w i
gj:
Theniterepresentationofstatesisnowasfollows:
{ thevaluesofthebooleanvariables;
{ theequivalenerelation onthevariables oftypeX induedbytheequality
ofvaluesstoredin them;
{ foreahw2B n
,thevalueC s
(Xns(:X);w ).
Theorem3. Theproblems InfCUandFinPCUaredeidablefor thelass of
DIprogramswith arbitrarily many arraysonly oftype Bool[X℄ withreset. ut
5.3 Multiplearrays storing data from a variabletype
Wenowshowthatunreahabilitymodelhekingisundeidablewithmorethan
one array of type Y[X℄. We demonstrate that for any URM P there is a DI
program P
℄
with just twotype variables X and Y and only two arrays with
resetwhihhasthesameobservablebehaviourasP.Weanenodethevalues
ofthevariablesr:Natasthelengthofalinkedlistin thearraysin P ℄
.
Denition3. Thetypeontext ℄
ofP ℄
isdenedasfollows,whereP hastype
ontext .
℄
has the same variables of type Bool as and has two arrays ℄
`S;I :Y[X℄tohold thelinkedlists.Italsohas variables ℄
`h r
:X forthe
headsofthelinkedlistsrepresentingeah `r:Nat,andavariable ℄
`e:X
whih marks the end of all the lists. A variable ℄
` y 0
: Y is used to hold
a speial value whih marks aloation in I as beingunused. The program also
makesuse oftemporary variables ℄
`x:X and ℄
`y;n:Y. ut
Example 2. Figure2showsanexamplestateofthearraysS andI,representing
astateintheURMwhereitsountervariablesaresetasfollows:r 0
=0,r 1
=2
andr 2
=3.
ThearrayI isusedtogiveuniqueidentiersin Y toallofthenitelymany
loationsinX thatareurrentlybeingusedtomodelthelinkedlists.Itissetto
y 0
(whihhappenstobethevalue0inthisexample)atalltheunusedloations.
WhereI isnon-zero,thearrayS givestheidentierofthatloation'ssuessor.
Chekingaregister r iszero beomesasimple matter of heking whether
h r
=e. Weanderease aregisterrbyupdatingh r
tothevaluex,whereI[x℄
isequaltoS[h r
℄,rememberingtomarktheoldloationasbeingnowunusedby
doingI[h r
℄:=y 0
.
To inrease r by one, we must nd a brand new identier as well as an
0
4
4
5
2
7
9
3
0
0
3
8
0
0
4
0
5
8
1
h
0
h
h
2
3
6
0
0
0
S
I
9
7
5
5
0
1
9
e
Fig.2.Buildingalinkedlist usingarrayswithreset
hosenidentierisnewwemustgothroughallthelistsandhekthatitisnot
beingused already.Weanhekwhetheraloationisbeingusedbytestingif
itiszeroinI.
Notie that there are important invariants our emulator must maintain in
additionto therequirementthatthelinkedlists musthavelengthequalto the
appropriateURMregister.
{ Theidentiersshould beuniquesothateahheadhasexatlyonelistfrom
it.
{ Asidefromtheendmarkere,theloationsin anypairoflistsaredisjoint.
{ I must haveunused loations set to y 0
, of whih there must alwaysbe
in-nitelymany. ut
Denition4. An instrution translator ℄
from instrutions used in P to
in-strutions usedin P ℄
isshown inTable 2. Thesyntax (; r
0
) means the
repe-titionof syntax,replaing r 0
withadierentvariable oftypeNat eah time,all
onjoined withthe ;operator. ut
Denition5. Given a URM P = init o
I
repeat o T
, the orresponding DI
programwitharraysis
P ℄
=init reset(I;y 0
); y6=y 0
; I[e℄:=y; o ℄ I repeat o ℄ T :ut
LethhPii=(Q;Q 0
;!;P;pq) and hhP ℄
ii=(Q ℄
;Q 0℄
;! ℄
;P;pq ℄
):We will
showthereexistsabisimulationbetweenhhPii andhhP ℄
ii I
foranyinnitetype
instaneI
forP ℄
.
First,someshorthands.Givenastatet,wewillsaythattheinversefuntion
t(I) 1
: I
(Y) ! I
(X) is dened at avalue w 2 I
(Y) and is equal to the
valuev whenthere is exatlyonevaluev in I
(X)suhthat t(I)(v) =w. We
will usenotation toomposearraysasfollows:t(I) 1
(t(S)(v)) may be written
t(I 1
ÆS)(v).
I I
isZero (r) h r
=e
de(r)
hr6=e;I[hr℄:=y0;y:=S[hr℄;
?hr;I[hr℄=y
in (r)
?n;n6=y0;n6=I[e℄;
(; r
0 x:=h
r 0;
whilex6=edo
n6=I[x℄;y:=S[x℄;
?x;I[x℄=y
od );
?x;I[x℄=y0;
I[x℄:=n;y:=I[h r
℄;S[x℄:=y;
hr:=x
other nohange
Table 2.TranslatingURMinstrutionstoinstrutionsonarrayswithreset
Denition6. DenearelationQQ
℄
asst i
{ s(b)=t(b)for b:Bool.
{ Forevery r:Natthere existsanitesequenev r 0
v r s(r)
suhthat:
Foreahr:Nat:
v
r s(r)
=t(h r
),
v
r i 1
=t(I 1
ÆS)(v r i
)for i=1;:::;s(r),
v
r 0
=t(e).
Thevalues ofeah t(I)(v r i
)forr:Nat andi=1;:::;s(r)together with
t(e)are pairwise unequal.(`UniquenessInvariant.')
For all v 2 I
(X), we have that v r i
6= v for every r : Nat and i =
0;:::;s(r) ifandonly ift(I)(v)=t(y 0
).(`UnusedInvariant.') ut
Proposition3. There relation is a bisimulation between hhPii and hhP ℄
ii I
for any innitetype instaneI
for P ℄
. ut
ThefollowinganbededuedfromtheundeidabilityoftheHaltingProblem
forURM'sandCorollary1.
Theorem4. Theproblems InfCUandFinPCU forthe lass ofDIprograms
with twoarraysof typeY[X℄with resetareundeidable. ut
6 Array assignment
6.1 Simulationof arrays with reset
WeshowthatforanyprogramP usingarrayswithreset,thereexistsaprogram
P ℄
Denition7. Thetypeontext oftheprogramP isdenedasfollows.Ifwe
assumethearraysusedinP arer 0
;:::;r n 1
,wehavearrays ℄
`a 0
;:::;a n 1
:
Y[X℄ in P ℄
. We also have another array ℄
` A : Y[X℄ whih we will use to
hekwhetherloationshavehangedsinethe last resetofthat array. Thetype
ontext ℄
hasallthesamenon-arrayvariables as exeptthatitalsohasextra
variables ℄
`Y 0
;:::;Y n 1
:Y tostorethe lastresetvaluetothe orresponding
array.Therearealsotemporaryvariables ℄
`y a
;y A
;n:Y. ut
Example 3. Hereisanexamplestateofasystemusingarrayswithreset,together
withanemulatingstatefromthesystemusingarrayassignment.
with assignment
1
Y
0
Y
A
1
a
a
0
0
5
6
5
9
0
1
1
6
5
3
Simulation by arrays
Arrays with
reset
1
r
0
r
0
0
0
3
5
0
0
9
4
5
5
5
5
1
9
7
0
0
4
9
0
Fig.3.Emulatingarrayresetwitharrayassignment
Ontheleftofthegure,thearraysr 0
andr 1
fromthesystemwiththereset
operationavailableareshown. Itanbeseenthatr 0
waslastresetto 5andr 1
waslast reset to 0.The loations where these arrayshavebeen hangedsine
theirlastupdateareemphasisedwithvertialbars.
Ontheright,thearraysa 0
anda 1
fromthesystemwitharrayassignmentare
showntobeidentialtor 0
andr 1
respetivelyattheseloationsthathavebeen
hanged(alsoshownwithin vertialbars).Plaeswhihhavenotbeenhanged
sinethelast resetofthearrayareinsteadequaltowhateveris inthearrayA
at those loations | the variablesY 0
and Y 1
anbe used to nd thevalue of
thelastresets.Nowtheinstrutionstranslateasfollows:
{ Whenwewishtoreadaloationr i
[x℄in theabstratprogramP,wereturn
a i
[x℄whena i
[x℄6=A[x℄,andY i
whena i
[x℄=A[x℄.
{ Resetting an array an be emulatedby the array assignmenta i
[℄ := A[℄,
whilesettingY i
to thevalueofthereset.
{ Whenwritingto an abstrat loation r i
[x℄, wewrite insteadto a i
[x℄.
Fur-thermore we should makesure that A[x℄ is notequal to a i
[x℄; if it is not,
wemusthangeA[x℄andanyothera j
Denition8. An instrution translator from instrutions used in P to
in-strutionsusedin P ℄
isshowninTable 3.The notation(; j6=i
)means
repeti-tion of syntax for every j from 0 ton 1 exept i, all onjoined with ; in any
order. ut
I I
℄
y=r i
[x℄ y
A
:=A[x℄;y a
:=a i
[x℄;
if yA=ya
theny=Y i
elsey=ya
reset(r i
;y)a i
[℄:=A[℄;Y i
:=y
?ri[x℄
?a i
[x℄;y A
:=A[x℄;?n;a i
[x℄6=n;
(; j6=i
ya:=aj[x℄;
if ya6=yA
theny a
6=n
elseaj[x℄:=n
);
A[x℄:=n
other nohange
Table 3.Translatinginstrutionsfor arrayswithresettoinstrutionsforarrayswith
assignment
Denition9. GivenaDIprogramwitharrayswithresetP =inito I
repeato T
,
we an form a orresponding DI program with arrays with assignment P ℄
=
inito ℄ I
repeato ℄ T
asdesribed above. ut
Theorem5. GivenaDI programP withn arraysof typeY[X℄with resetand
a type instane I for P, there exists a DI program P ℄
with n+1 arrays of
typeY[X℄ withassignment suhthat thereisabisimulation between hhPii I
and
hhP ℄
ii I
. ut
6.2 Simulationof universal register mahines
By Theorem 5, any program with two arrays with reset is bisimilar to a
pro-gram withthree arrayswithassignment.Theorem4statesthat unreahability
isundeidablefortheformerlass,andsoitalsoisforthelatter.
Itturnsoutthat astrongernegativeresultispossible.Weadapt theresults
from Setion 5.3 aboutarrayreset towork insteadwith arrayassignment.We
show that, for any universal register mahine P, there exists a DI program
P ℄
{ Thevariable `y 0
:Y fromDenition 3is unneessary.
{ Figure2ouldbereplaedbyFigure4.
S
I
9
5
5
4
8
0
4
8
3
3
2
7
9
3
6
9
e
0
h
2
h
1
h
2
3
5
4
4
0
8
5
5
7
7
1
9
6
Fig.4.Buildingalinkedlistusingarrayswithassignment
{ TheorrespondingexplanationfromExample2wouldbealteredasfollows:
InsteadofI[x℄beingsettoy 0
atunusedloationsx,wehaveI[x℄=S[x℄to
markaloationasunused.Conversely,aloationxmusthaveI[x℄6=S[x℄if
itisinuseto preventitbeingoverwritten.This hadtobetheaseanyway
otherwisethesuessorofthatloationwouldbeitself,andhenewouldbe
aninnitelist|exeptat e,whosesuessoris neverused,sowemust be
sureto haveI[e℄6=S[e℄.
{ Table2isupdatedasfollows:
Remove the instrution n 6= y 0
in (in(r)) ℄
. The role of y 0
has been
replaed.
ReplaeI[h r
℄:=y 0
withI[h r
℄:=S[h r
℄in(de(r)) ℄
.Thisisthenewway
ofmarkingaloationasunused.
Replae ?h
r
with ?h r
;I[h r
℄ 6= S[h r
℄ in (de(r)) ℄
, and replaethe rst
ourrene of ?x (i.e. within the while-loop) with ?x;I[x℄ 6= S[x℄ in
(in (r)) ℄
.Thisisthenewhekforausedloation.
ReplaeI[x℄=y 0
withI[x℄=S[x℄in(in(r)) ℄
.Thistestsforanunused
loation.
{ InDenition 5,thepiee ofodereset(I;y 0
);?y;y 6=y 0
;I[e℄:=y isusedto
markeveryloationas unused, andto pikanon-y 0
valueastheidentier
for loation e so it is marked as being used. This should be replaed by
I[℄:=S[℄;?y;y6=S[e℄;I[e℄:=y to markeveryloationasunused (beause
I[x℄=S[x℄ateveryloationx),andthentomakeI[e℄6=S[e℄sothisloation
ismarkedasbeingused.
{ We require a modiation to the inverse funtion implied by an array as
used in Setion 5.3. We now say that t(I) 1
is dened at a value w and
is equalto v when there is exatlyone v suh that both t(I)(v) = w and
t(I)(v)6=t(S)(v).
{ Inthedenitionof(Denition6),thelastonditionshouldbethatt(I)(v)
Theorem 6. Given auniversal register mahine P there existsa DI program
P ℄
, and two arrays of type Y[X℄ with array assignment, suh that there is a
bisimulation betweenhhPii and hhP ℄
ii I
for anyinnite typeinstanesI
. ut
Theorem7. Theproblems InfCUandFinPCU forthe lass ofDIprograms
with justtwoarraysof typeY[X℄with array assignmentisundeidable. ut
Notethataprogramwithonlyonearraywitharrayassignmentisunableto
makeanyuseofthearrayassignmentinstrution:itanthereforebeonsidered
nottohavethisinstrution.
7 Conlusions
ThispaperhasextendedpreviousworkonDIsystemswitharrayswithout
whole-arrayoperations[16,4,6℄byonsideringarrayresetandarrayassignment.
Forprogramswitharrayreset,weshowedthatparameterisedmodelheking
ofontrol-stateunreahabilitypropertiesisdeidablewhenthereisonlyone
ar-ray,butundeidableiftwoarraysareallowed.Ifthearraysstorebooleansrather
thanvalueswhosetypeisaparameter,weshoweddeidabilityforprogramswith
anynumberof arrays.Thedeidabilityresultsarebasedonthetheoryof
well-struturedtransitionsystems[11℄,whereasundeidabilityfollowedbyreduing
theHaltingProblemforuniversalregistermahines.
Programswitharrayassignmentwere shown tobeat leastasexpressiveas
programs with array reset.However,this yields aweakerundeidabilityresult
thanfor programswithreset,but undeidability fortwoarrayswasobtainable
diretly.
Futurework inludesonsidering programs witharrayassignmentin whih
thearraysstorebooleans.More generally, programswith morethantwo
data-typeparameters,multi-dimensionalarrays,andarrayoperationsotherthanreset
andassignmentshouldbeonsidered,aswellaslassesoforretnessproperties
otherthanontrol-stateunreahability.
We would like to thank Zhe Dang, Alain Finkel, and Kedar Namjoshi for
usefuldisussions.
Referenes
1. Wolper,P.:Expressinginterestingpropertiesofprogramsinpropositionaltemporal
logi. In:Proeedingsofthe13thACMSymposiumonPriniplesofProgramming
Languages.(1986)184{193
2. Lazi,R.S.,Nowak,D.: Aunifyingapproahtodataindependene. In:
Proeed-ingsofthe11thInternationalConfereneonConurrenyTheory.Volume1877of
LetureNotesinComputerSiene.,Springer-Verlag(2000)581{595
3. Creese,S.J.,Rosoe,A.W.:Dataindependentindutionoverstruturednetworks.
heking. In:ConfereneonCorret HardwareDesignandVeriationMethods.
(1999)219{234
5. Broadfoot, P.J., Lowe, G., Rosoe, A.W.: Automating data independene. In:
Proeedingsofthe6thEuropeanSymposiumonResearhonComputerSeurity.
(2000)75{190
6. Lazi,R.S.,Newomb,T.C.,Rosoe,A.W.: Onmodelhekingdata-independent
systems witharrayswithout reset. Theory and Pratie of Logi Programming:
Speial Issue onVeriation and Computational Logi (2003) To appear. Draft
availableasresearhreportRR-02-02fromOxfordUniversityComputing
Labora-tory.
7. Adve,S.,Gharahorloo,K.: Sharedmemoryonsistenymodels:atutorial.
Com-puter29(1996)66{76
8. Chandy,K.M.,Misra,J.:ParallelProgramDesign:AFoundation.AddisonWesley
PublishingCompany,In.,Reading,Massahusetts(1988)
9. Hojati,R.,Brayton,R.K.: Automatidatapathabstrationinhardwaresystems.
In:Proeedingsofthe7thInternationalConfereneonComputerAided
Veria-tion.Volume939ofLetureNotes inComputerSiene.,Springer-Verlag (1995)
98{113
10. Lazi,R.S.: ASemantiStudyofDataIndependenewithAppliationstoModel
Cheking. PhDthesis,OxfordUniversityComputingLaboratory(1999)
11. Finkel,A.,Shnoebelen,P.: Well-struturedtransitionsystemseverywhere!
The-oretialComputerSiene256(2001)63{92
12. Esparza, J.,Finkel,A.,Mayr,R.: Ontheveriationofbroadastprotools. In:
Proeedings of the14th IEEE SymposiumonLogi inComputer Siene,IEEE
Comp.So.Press(1999)352{359
13. Lomazova,I.A.:Nestedpetrinets:Multi-levelandreursivesystems.Fundamenta
Informatiae47(2001)283{294
14. Melham,T.,Jones,R.:Abstrationbysymboliindexingtransformations.In:
Pro-eedingsoftheFourthInternationalConfereneonFormalMethodsin
Computer-AidedDesign.Volume2517ofLetureNotesinComputerSiene.,Springer-Verlag
(2002)
15. Newomb,T.C.: ModelChekingData-IndependentSystemsWithArrays. PhD
thesis,OxfordUniversityComputingLaboratory(2003)Toappear.Draftavailable
attheConurrenyGroupwebpages.
16. Hojati, R., Isles,A.J.,Brayton, R.K.: Automatistate redution tehniquesfor
hardware systems modelled using uninterpreted funtions and innite memory.
In:ProeedingsoftheIEEEInternationalHighLevelDesignValidationandTest
