Model checking probabilistic lossy channel systems

Model Checking Probabilistic Lossy Channel Systems

Purush Iyer

Murali Narasimha

Dept of Computer Science

North Carolina State University

Raleigh, NC 27695-8206

Ph: +1 919 515 7291, +1 919 515 6014

Fax: +1 919 515 7925

EMail:

fpurush,[email protected]

NCSU-CS Tech Report

TR-98-08

June 8, 1998

Abstract

Lossy channel systems model a set of nite state processes interacting with each other over unbounded, lossy FIFO channels. This computational model is an abstraction of protocols in the lower layers of the network protocol hierarchy. In spite of its unbounded FIFO queues the Lossy channel system model is not turing-powerful. It has been shown that the reachability problem is decidable [1]. However, the model-checking problem, against specications in linear time temporal logic (LTL), is known to be undecidable [2]. Given that the rate of message loss in communication systems can be probabilistically characterized we consider a probabilistic version of Lossy channel systems. We show that the problem of checking whether a LTL requirement holds almost always. i.e., with probability 1, of probabilistic lossy channel systems (PLCS) is decidable. As can be expected the probability of message loss does not play a part in the model-checking procedure.

1 Introduction

Finite state machines which communicate over unbounded channels have been used as an abstract model of computation for reasoning about communication protocols [8, 15] and form the backbone of ISO protocol specication languages Estelle [21] and SDL [10]. Ever since the publication of the Alternating bit protocol [7] (the rst ever computer communication protocol) it has been customary to assume, while modeling a protocol, that the communication channels between processes are free of errors. Possible errors in the communication channels are treated separately, or are completely ignored.

Over the past few years there have been attempts to rectify this situation to allow modeling of imperfections in the communication medium. In what might be termed as a surprising result it was shown [1] that the reachability problem is decidable for a model of processes communicating over unbounded FIFO buers in which message losses are implicitly model-led. By capturing the notion of message loss the Lossy channel system model is closer to reality than the CFSM model. However, it turns out that the model-checking problem1is undecidable [2]. As model-checking, which permits

Supported in part by NSF under grant CCR 9404619 1Given a lossy channel system

checking of arbitrary safety and liveness properties of systems (expressible in a temporal logic), is now used in most software tools for concurrency [12, 20] the undecidability result would make it dicult to build design tools around the lossy channel system model.

In this paper we consider a probabilistic version of Lossy channel systems, where the message loss is characterized probabilistically. For such systems we show that probabilistic model-checking problem is decidable. Technically, we show that there is an algorithm which when given

L

Pr_{} (PLCS)}

and

(a LTL formula) can report whether the set of execution sequences of

L

Pr_{} that satisfy}

has a probability 1, i.e., whether

holds of

L

Pr_{} almost always. Given that the cell loss rates (i.e.,}

message loss rates) of communication channels in a network are readily available from vendors, the probabilistic lossy channel system model and the attendant probabilistic model-checking algorithm could be very useful in practise for designing, and validating, protocols that have to deal with communication errors.

Related work:

We will now draw the reader's attention to recent related work on innite state systems, and to the literature on probabilistic model-checking. Lossy channel systems can be thought of as an instance of the innite state systems. With the success of formal methods based techniques for nite state systems there has been a spate of attention lately on reasoning about innite state systems [3, 9]. However, decidable subclasses of processes communicating over un-bounded FIFO queues have been investigated for a long time [14, 11, 15, 25]. To our knowledge, there are very few results on reasoning about probabilistic innite state systems [18, 22]. Hart and Sharir consider the satisability problem for two probabilistic logics, and show that one of them has a nite-model property. In an earlier paper [22] we considered the following problem:

given a probabilistic lossy channel system

L

Pr_{} , a LTL formula}

_{, a probability}

_p

_{in the}

open interval (0

;

1), and a tolerance

>

0, is the probability with which

holds of

L

Pr_}

at least

p

(within the tolerance of

).

Our solution in [22] involved an elaborate numerical-approximation scheme to answer that question. In contrast, the algorithm for the problem considered in this paper uses graph-theoretic proper-ties of the innite graph (i.e., innite Labeled Markov chain) capturing the semantics of PLCS specications.

There have been several eorts recently on model-checking probabilistic systems [4, 6, 13, 16, 17, 27]. However, all of them deal with nite state systems. The algorithm engendered by our decidability result uses automata-theoretic techniques that are similar to those used by Vardi [27] and by Courcoubetis and Yannakakis [13].

Outline

The paper is organized as follows: in Section 2 we introduce the computation model PLCS, its semantics (Labeled Markov chains), and the denition of Muller automata (automata-theoretic version of LTL). In Section 3 we prove certain essential properties of the Markov chains which form the semantics of our specications, and in Sections 4 and 5 we provide the proof of decidability of probabilistic model-checking of PLCS specications, against LTL formulae, and our algorithm. We conclude, in Section 6, with a discussion on the implications of our result and explain why probabilistic model-checking is decidable but non-probabilistic model-checking is not.

2 Computational model and Denitions

Let

W

(

Ch;

) be the set of

Ch

indexed vectors over the set of strings . We will write

w

(

c

) to

two is intended should be clear from the context. Let

Comm

(

Ch;

) = f

c

?

;c

!

j

c

2

Ch;

2 g

be the set of receive and send commands over the channel set

Ch

and the set of message types .

Denition 2.1

A lossy channel system is a structure of the form

L

= (

S;Ch;

;Act;,

!

;s

0) where

S

is a nite set of control states,

Ch

is a nite set of channels,

is a nite set of message types,

Act

is a nite set of actions which includes

as the special silent action.

,

!

S

Comm

(

Ch;

)

Act

S

is the transition relation. An instance of the transition

relation would be written as

s

c?;

,

!

s

0.

s

0

2

S

is the start state.

Denition 2.2

Given a Lossy channel system

L

= (

S;Ch;

;Act;,

!

;s

0) dene the labeled

transi-tion system of

L

as

L(

L

) = (?

;

?!

;

h

s

0

;"

i)

where

?

S

W

(

Ch;

) is a (possibly innite) set of states of the labeled transition system,

h

s

0

;"

i2? is the start state of the system, and

?!?

Act

? is the transition relation.

? and ?! are inductively dened (as the least sets) satisfying the following rules.

{

if

=h

s;w

[

c

:=

x

]i 2? and

s

c?;

,

!

s

0 then h

s

0

;w

[

c

:=

x

]

i2? and h

s;w

[

c

:=

x

]i

?! h

s

0

;w

[

c

:=

x

]

i. This instance of ?! captures the act of receiving a message.

{

if

= h

s;w

i 2 ? and

s

c!;

,

!

s

0 then

h

s;w

[

c

:=

w

(

c

)

]i 2 ? and h

s;w

i

?! h

s

0

;w

[

c

:=

w

(

c

)

i. This instance captures the act of sending a message.

{

if h

s;w

[

c

:=

xy

]i2? then h

s;w

[

c

:=

xy

]i2? and h

s;w

[

c

:=

xy

]i

?!h

s;w

[

c

:=

xy

]i.

This instance of the transition relation denotes the silent action of losing a message. Note that the system does not change state during a message loss.

Given a Lossy channel system

L

, an execution sequence of

L

is a path through the labeled transition system of

L

starting fromh

s

0

;"

i; it is written in the form

=h

s

0

;"

i

0 ?!h

s

1

;w

1 i

1 ?!

:::

.

The trace of such an execution sequence is the sequence of non-

actions in an execution sequence, and is dened by the homomorphism induced by the map

tr

(

) =

"

=

otherwise

Since message losses do not happen arbitrarily, and can generally be quantied probabilistically, we now introduce the notion of a Probabilistic lossy channel system.

Denition 2.3

A Probabilistic lossy channel system

L

Pr_{} = (}

_L

_;

_Pr

_;

_}

_{) where}

_L

_{is a lossy channel}

system,

}

2 (0

;

1) captures the probability of message loss in any state, and

Pr

: (

,

!) ! (0

;

1]

assigns a (relative) probability to the transitions of the system. We will write

s

c?;

,

! p

s

0 instead of

Pr

(

s

c?;

Consider a stateh

s;w

i. We will say that a transition

s

c?;

,

!

s

0is enabled in state

h

s;w

iprovided

w

=

w

0[

c

:=

x

] for some

x

and

w

0. An output transition (of the form

s

c

!;

,

!

s

0) is always enabled

in h

s;w

ifor all

w

. DeneR, the total relative probability, of a state as follows:

R(h

s;w

i) = f

p

j

s

c!;

,

!p

s

0

is enabled in

h

s;w

ig+ f

p

j

s

c?;

,

! p

s

0

is enabled in

h

s;w

ig

Given a probabilistic lossy channel system

L

Pr_{} its semantics, a labeled Markov chain, based on}

L(

L

), is dened as follows:

Denition 2.4

Let

L

Pr_{} be a Probabilistic lossy channel system, and let} L(

L

) = (?

;

?!

;

h

s

0

;"

i).

Then M(

L

Pr} ) = (L(

L

);

P

), where

P

: (?!)! (0

;

1] assigns a probability to the transitions of the

labeled transition systemL(

L

). The probability distribution function is dened as follows (note: it

distributes1?

}

among non-lossy transitions enabled at a state and

}

among the lossy transitions):

P

(h

s;w

i

?!h

s

0

;w

0

i) = 8 > > > > > > > > > > < > > > > > > > > > > : }

jwj+

(1?})p R(hs;wi) if

s

c?;

,

! p

s

0

; w

=

w

0[

c

:=

w

0(

c

)]

;

=

; s

=

s

0 (1?})p

R(hs;wi) if

s

c?;

,

! p

s

0

; w

=

w

0[

c

:=

w

0(

c

)]

;

(

6

=

; or s

6=

s

0) (1?})p

R(hs;wi) if

s

c!;

,

!p

s

0

; w

0=

w

[

c

:=

w

0(

c

)

]

p

R(hs;wi)

if s

c!;

,

!

s

0

; w

=

" and w

0=

"

[

c

:=

]

}

jwj otherwise

We will write h

s;w

i

?!p h

s

0

;w

0

i instead of

P

(h

s;w

i

?!h

s

0

;w

0

i) =

p

.

The probabilities arising in Markov chains are explained with reference to a measure space, dened as follows:

Denition 2.5 ([23, 27])

Given a labeled Markov chain M(

L

Pr} ) = (L(

L

);

) dene a measure

spaceS(M(

L

Pr} ))) = (

;

F

;

), for assigning probabilities, where

is the set of all innite execution sequences of

L

starting at

0, F is a Borel eld generated from the basic cylindric sets

F(

0 1 ?!

1 1

?!

:::

n) =f

2j

=

0

1 ?!

1

2

?!

:::

n

:::

g

is a probability function dened by

(F(

0

1 ?!

1

:::

n

?!

n)) =

p

1

p

2

:::p

n

where

0

1 ?!p

1

1

2 ?!p

2

:::

n.

We will implicitly assume that any nite execution sequence terminating in a dead state is extended to an innite execution sequence by adding a sink state, as it customarily done in Markov chain literature.

Automaton characterization of Linear Temporal Logic

Given that we propose to use automata-theoretic techniques for model-checking we will make use of the following known facts:

The set of sequences (or models) that satisfy a Linear temporal logic formula are describable

Non-deterministic Buchi automata are equivalent in expressive power to Deterministic Muller

automata and there exist eective translations between the two classes of automata [26]. Furthermore, there is an eective translation from LTL to deterministic Mueller automaton. Consequently, in the rest of this paper we will concentrate on (Deterministic) Muller automata.

Formally, we have:

Denition 2.6

A Muller automaton is a tuple

B

= (

T;q

0

;F

) where:

T

= (

;Q;

) is a table where (

q

2)

Q

is a set of states, is the alphabet, which does not

contain

, and :

Q

!

Q

is the transition function,

F

2Q is a set of sets of accepting states.

Given an innite word

=

0

1

;:::

2! a run of the automata

B

on

is the innite sequence

of states

r

=

q

0

q

1

:::

such that

q

i+1= (

q

i

;

i) for

i

0. Let

inf

(

r

) be the set of states that appear

innitely often in

r

.

B

accepts an innite word

i the run,

r

, of

B

on

satises the constraints that

inf

(

r

)2

F

. Let

Lang

(

B

) be the set of all innite words accepted by an automaton

B

.

We will consider a Muller automaton

B

to be complete provided its transition function is total - i.e., at every state of the automaton there is transition for each

2. Note that for every

Muller automaton

B

there is a complete Muller automaton ^

B

such that the languages they accept are the same. ^

B

can be constructed from

B

by adding a dead state ?and dening

^

B(

q;

) =?

provided B(

q;

) is not dened, and B^(

?

;

) =?. In the rest of the paper when we specify

B

we implicitly use ^

B

.

Satisfaction and its probability

Consider a lossy channel system

L

. An execution sequence

in L(

L

) satises a Muller automaton

B

provided

tr

(

)2

Lang

(

B

). This denition applies equally

well to probabilistic lossy channel systems. Consequently, given a Probabilistic lossy channel system

L

Pr_{} and a Muller automaton}

_B

_{, dene the probability of satisfaction as}

(

L

Pr_}

_;B

_{) =}

₍f

j

is an execution sequence in

M(

L

Pr} )

and tr

(

)2

Lang

(

B

)g)

:

The problem we shall solve is, therefore, the following:

Given a probabilistic channel system

L

Pr_{} and a Muller automaton}

_B

_is

₍

_L

Pr_}

_;B

_{) = 1?}

3 Properties of labeled transition systems

We will now introduce some basic facts about the states that appear in the labeled transition system of a lossy channel system and prove properties about execution paths in the labeled transition system.

Let

be the partial order dened as

x

y

i

x

=

0

:::

nand

y

=

y

0

0

:::y

n

n

y

n+1,

for some

y

i 2

;

0

i

n

+ 1. The orderingcan be lifted easily to vectors of strings

W

(

Ch;

)

and to states

S

W

(

Ch;

) as (a)

w

1

w

2 i

8

c

2

Ch

:

w

1(

c

)

w

2(

c

) and (b)

h

s;w

ih

s

0

;w

0

i i

s

=

s

0 and

w

1

w

2.

The ordering

S

W

(

Ch;

) satises an important property generally referred to as Higman's

property, stated as follows:

Theorem 3.1 (Higman [19])

In every innite sequence

0

;

1

:::

of states there is an innite

subsequence

i0

;

i1

;:::

such that 8

j

:

i

j

i

Returning now to the states of the labeled transition system an important observation is that the set of states of any lossy channel system are downward closed, i.e.,

if

2?

then

8

0

:

0 2?

Note that this captures the notion that a message can always be lost from any state.

Given a lossy channel system

L

, its labeled transition system L(

L

) can be looked upon as a

directed (labeled) graph. A strongly connected component (scc)

C

of L(

L

) is a maximal subset

of nodes (i.e.,

C

?) such that all nodes in

C

are reachable from each other. We will consider

only those sccs which are reachable from the start state. We will call an scc

C

a closed strongly

connected component (cscc) provided there are no paths from a state in

C

to a state in ??

C

.

The following lemma is a consequence of the above theorem.

Lemma 3.1

Every cscc

C

of a lossy channel system is downward closed.

Consider the empty buer states (of the form h

s;"

i) in a cscc

C

. Clearly they should be

reachable from each other. More formally, we have:

Lemma 3.2

Let

L

be a lossy channel system. Let ?empty be the set of all empty buer states.

2?empty\

C

, for a cscc

C

, i

1.

is reachable from h

s

0

;"

i.

2. 8

0

2?empty\

C;

and

0 are reachable from each other.

3. 8

0

2?empty?

C;

0 is not reachable from

.

Proof

Both if and only if parts follow from the denition of closed strongly connected component.

Since the set of empty buer states of

L

Pr_{} is nite and can, thus, be partitioned in only nitely}

many ways, we have the following:

Lemma 3.3

The set of csccs of the labeled transition system associated with a lossy channel

system is nite.

The previous lemma would be useless if there are no closed strongly connected components of a system. An example where there are no closed strongly connected components is a graph where (a) each natural number is a node, and (b) there is an edge from node

n

to node

n

+ 1. However, such graphs can not arise from lossy channel systems; this is due to the fact that there will always be back edges due to message losses. To that end we now prove that

Lemma 3.4

Every innite execution path in L(

L

) visits only a nite number of sccs

Proof

Given an innite execution sequence

=

0

1

:::

there is an innite subsequence of related

states, i.e., there is an innite subsequence

i0

i1

:::

such that

8

j

0 :

i

j

< i

i

+1 and

i j

i j +1.

Since there is a path in the labeled transition system from

ij to

ij +1 and from

ij +1 to

ij (by

message losses) both of them are in the same scc. Thus all of the states in the innite sux of

(starting from

i0 are in the same

scc). Consequently, there can only be a nite number of sccs

visited on any innite execution path.

Given the previous lemma we can now state (formally) that pathological cases of graphs do not arise in our context.

Proof

Assume to the contrary. Then there is an innite execution sequence visiting an innite number ofsccs, violating the previous lemma.

We will now dene the empty buer states as the representatives ofcsccs, and show that they

can be computed:

Denition 3.1

Given a labeled transition system L(

L

), of a lossy channel system

L

, and a cscc

C

of L(

L

) dene

rep

(

C

) = (

V

C

;E

C) as the representative vertices and edges of

C

, where

V

C = f

s

2

S

jh

s;"

i2

C

g and

E

C =f

s

c!;

,

!

s

0

j

s

2

V

Cg[f

s

c?;

,

!

s

0

j9

x

:h

s;w

[

c

:=

x

]i

?!h

s

0

;w

[

c

:=

x

] ig.

That the representatives of the closed connected components can be computed follows from the decidability of reachability problem for lossy channel systems [1], which allows one to check for any pair of states, whether one is reachable from the other.

Theorem 3.2 ([1])

There is algorithm which given a lossy channel system

L

, and two states

;

0,

can decide whether

0 is reachable from

.

Given this algorithm one could easily identify those subsets of empty buer states that form the representatives for csccs.

Theorem 3.3

There is an algorithm which given any lossy channel system

L

will compute the representatives of the csccs ofL(

L

).

3.1 Sequences visiting csccs

The main reason for identifying csccs is that they provide the basis for sets of sequences whose

probability is non-zero.

Denition 3.2

A set of execution sequences of L(

L

) is said to end in a cscc

C

provided there

exists a nite sequence

0 from h

s

0

;"

i to a state h

s;w

i of

C

such that (a) h

s;w

i is the only state

from

C

in

0 and (b) all sequences

2 are of the form

0

00 and all states visited on

00 are in

C

.

Note that in the denition given above it is implicit that all sequences in the set share a common prex. A commonly used theorem in the context of (nite) Markov chains is that a set of sequences that do not visit all of the states of closed strongly connected component innitely often has a zero measure. This fact is implicitly made use of by Courcoubetis and Yannakakis [13]. However, we are dealing with innite state Markov chains. Fortunately, the underlying graph (i.e., the control graph) is nite which provides us with a similar result.

Lemma 3.6

Let be a set sequences that end in acscc

C

but do not visit a state

e

2

E

C innitely

often. The measure of is 0.

Proof

According to nite markov chain theory a set of sequences that end in acscc and which

does not visit a state innitely often has measure zero (as the states visited form a transient set). Since from every stateh

s;w

i in

C

we can reach every other control state

s

0 represented in

C

, the

control component is not dependent on the buer content. Consequently, the result from nite state markov chain theory applies to the control states of the Markov chain associated with a PLCS

L

.

To transfer this result to edges of a PLCS

L

let an edge

e

:

s

c#;

,

! p

s

0 be given, where

c

#

could be either

c

?

of

c

!

. Consider a new structure (say PLCS with silent actions)

L

0 with the

edge

e

replaced by edges

e

1 :

s

c#;

,

! p

s

new and

e

2 :

s

new

;

,

! 1

s

0; the second edge signals no change

to the buer contents. A Markov chain L(

L

be constructed. Clearly, execution sequences and basic cylindrical sets of L(

L

) and L(

L

0) are in

correspondence with each other, and so are their measures. Since edge

e

is absent innitely often in a set of sequences ofL(

L

) i the control node

s

new is absent innitely often in the corresponding

sequences of L(

L

0), we can infer that

() = 0.

A direct implication of the lemma above is the following:

Lemma 3.7

Let be the set of all sequences, with a common prex, that end in a cscc

C

of a

lossy channel systemL(

L

), such that every sequence

2 uses each edge

e

2

E

C innitely often.

Then

()

>

0.

4 The cross product

In a manner similar to Vardi [27] and Courcoubetis and Yannakakis [13] we will take a cross-product of the control graphs of a lossy channel system and a Muller automaton, such that new automaton encodes both the sequences of the original lossy channel system and also its run on the Muller automaton. In particular, the product graph makes a move on both the lossy channel system and the Muller automaton on non-

actions.

Denition 4.1

Let

L

= (

S;Ch;

;Act;,

!

;s

0) and

B

= (

T;q

0

;F

)

;

where

2

Act;

and

T

= (

Act

? f

g

;Q;

). Dene

L

B

as a lossy channel system with the structure(

S

T

;Ch;

;Act;,

!T

;

h

s

0

;q

0 i),

where the set of states

S

T and the transition relation

,

!T are the least sets satisfying the following

constraints:

h

s

0

;q

0

i2

S

T. Ifh

s;q

i2

S

T and

s

c!;

,

!

s

0 then h

s

0

;q

i2

S

T and h

s;q

i

c!;

,

!T h

s

0

;q

i.

Ifh

s;q

i2

S

T and

s

c?;

,

!

s

0 then h

s

0

;q

i2

S

T andh

s;q

i

c?;

,

! T h

s

0

;q

i.

Ifh

s;q

i2

S

T,

s

c!;

,

!

s

0,

6

=

and (

q;;q

0)

2 then h

s

0

;q

0

i2

S

T and h

s;q

i

c!;

,

!T h

s

0

;q

0 i.

Ifh

s;q

i2

S

T,

s

c?;

,

!

s

0,

6

=

and (

q;;q

0)

2 then h

s

0

;q

i2

S

T and h

s;q

i

c?;

,

! T h

s

0

;q

0 i.

The product machine

L

B

is a lossy channel system in its own right, and thus L(

L

B

) is

well dened. Consider an execution sequence of the form

=hh

s

0

;q

0

i

;"

i

0 ?!hh

s

1

;q

1 i

;w

1 i

1 ?!

:::

.

The sequence captures two pieces of information: the execution

= h

s

0

;"

i

0 ?! h

s

1

;w

1

i

:::

of

L

and the run of

tr

(

) on the Muller automaton

B

, which is

q

0

q

1

:::

. To formally reason about these

execution sequences dene the notion of projection as follows:

Denition 4.2

For every state

= hh

s;q

i

;w

i dene

#

L

= h

s;w

i and

#

B

=

q

. For every

execution sequence

= hh

s

0

;q

0

i

;"

i

0 ?! hh

s

1

;q

1 i

;w

1 i

1

?!

:::

of

L

B

, dene

#

L

= h

s

0

;"

i

0 ?! h

s

1

;w

1

i

::::

#

B

is dened similarly but with the proviso that stateshh

s;q

i

;w

iin a maximal sequence

of

transitions contribute only one instance of

q

. The following facts follow from the denitions:

Lemma 4.1

If h

s;w

i is a reachable state of L(

L

) then there exists a state hh

s;q

i

;w

i which is

reachable inL(

L

B

).

Lemma 4.2

A sequence

is an execution sequence ofL(

L

B

) i

=

#

L

is an execution sequence

of

L

and

#

B

is a run of

tr

(

) on

B

.

Furthermore, for every sequence

0

of

L(

L

) there is an unique execution sequence

of L(

L

B

)

such that

#

B

=

0.

Proof

The rst part is obvious, and the second follows from the fact that the Muller automaton

B

is deterministic.

5 Compatibility of

cscc

s and the main theorem

Since

L

B

is a lossy channel system in its own right we can talk about the csccs of L(

L

B

).

In particular, the representatives of the csccs of L(

L

B

) can be easily computed. Given a cscc

C

0of

L(

L

B

) the structure

rep

(

C

0) is well dened. In the following we need the notion of a nal csccofL(

L

B

) being compatible with a csccofL(

L

).

Denition 5.1

A cscc

C

0 of

L(

L

B

) is nal provided its representative

rep

(

C

0) = (

V

C0

;E

C0) is

such f

q

jh

s;q

i2

V

C 0

g is a nal state set of the Muller automaton

B

.

The notion of compatibility is as follows:

Denition 5.2

Let

L

be a lossy channel system and

B

be a Muller automaton. A cscc

C

0 of L(

L

B

) is compatible with a cscc

C

of L(

L

) provided

A node h

s;q

i, for some

q

6=?, is in

V

C

0 i

s

is a node in

V

C.

An edge h

s;q

i

c!;

,

! h

s

0

;q

0

i, for some

q

6=? and

q

0

6

=?, is in

E

C0 i

s

c!;

,

!

s

0 is in

E

C.

An edge h

s;q

i

c?;

,

! h

s

0

;q

0

i, for some

q

6=? and

q

0

6

=?, is in

E

C0 i

s

c?;

,

!

s

0 is in

E

C.

Suciency of compatibility

Before we can show that compatibility is sucient we provide a sucient characterization of sequences that are accepted by the Muller automaton.

Lemma 5.1

Let

C

be a csccof L(

L

) which is compatible with a nalcscc

C

0of

L(

L

B

). Let

be an execution sequence of L(

L

) which ends in

C

and which takes all of the edges in

E

C innitely

often. Then

tr

(

)2

Lang

(

B

).

Proof

Given that

B

is a deterministic, and that

C

and

C

0 are compatible, the sequence

has a

unique run

r

on

B

. Furthermore there is a unique sequence

ofL(

L

B

) that ends in

C

0such that

#

B

=

r

and

#

L

=

.

The set of states

V

C0#

B

=

Q

C0 is one of the nal state sets of

B

, as

C

0 is a nal

cscc. Since

r

=

#

B

and

Q

C

0 =

V

C0

#

B

we have

inf

(

r

)

Q

C

0. To show that

tr

(

)

2

Lang

(

B

) we need to

demonstrate that

Q

C0 =

inf

(

r

). Suppose

Q

C0?

inf

(

r

)6=;. We will show that this contradicts our

assumption that

visits all edges in

E

C innitely often.

Let

q

2

inf

(

r

). This implies that there is some control stateh

s;q

ithat is visited innitely often

on

. Let

q

0

2

Q

C0?

inf

(

r

). There exists a control stateh

s

0

;q

0

i of

C

0and

h

s

0

;q

0

i does not appear

innitely often on

. But there is a path from h

s;q

itoh

s

0

;q

0

i in the representative of thecscc

C

0,

rep

(

C

0). Let the path be

h

s;q

i

x1;1

,

! h

s

1

;q

1 i

x2;2

,

! h

s

2

;q

2 i

:::

xn;n

,

! h

s

0

;q

0

i, where

x

is are of the form

c

?

m

or

c

!

m

. Wlog, we assume that all of

1

;:::

n?1 are

(if that is not the case, then pick the

smallest

i

1 such that

i 6=

, truncate the path at h

s

i

;q

ii and set

s

0 to

s

i and

q

0 to

q

i). Recall

that, by the denition of the cross product, the automaton does not change state on a

action. Thus we have

q

=

q

1 =

:::

=

q

n?1. Since (

q

=)

q

n?1

6

=

q

0 we have that in h

s

n

?1

;q

n?1 i

xn;n

,

! h

s

n 6=

. This requires that

s

xn;n

,

!

s

0 be a transition in

E

C. As

does not take the transition

h

s

n

?1

;q

n?1 i

xn;n

,

! h

s

0

;q

0

iinnitely often,

(=

#

L

) does not visit

s

n ?1

xn;n

,

!

s

0innitely often. This

contradicts our assumption that

visits all the edges of

E

C innitely often. Thus there cannot

exist such a

q

0. Therefore

inf

(

r

) =

Q

C0 and

tr

(

)

2

Lang

(

B

).

We are now ready for one direction of the main theorem:

Lemma 5.2

Let

C

be a cscc of L(

L

) and

C

0 a nal

cscc of L(

L

B

) such that

C

and

C

0 are

compatible. Then we have

(f

j

2

Lang

(

B

)g)

>

0.

Proof

Consider a set of sequences of L(

L

) with a common prex and which visit

C

. can

be partitioned into 1 and 2 where 1 contains sequences that visit all of the edges in

E

C

innitely often and 2 contains sequences that do not visit at least one edge of

E

C innitely

often. Since the two sets are complementary, the measure of is the sum of the measures of 1 and 2. By Lemma 3.7

(1)

>

0. By Lemma 5.1 all sequences in 1 are accepting. Thus

0

<

(1)

<

(

f

j

tr

(

)2

Lang

(

B

)g), as needed.

Necessity of compatibility

Before we can get to the necessity of the notion of compatibility we will characterize the csccs of

L

B

. The following is possible because

B

is deterministic and

is complete (i.e., every state has a transition on every action label).

Lemma 5.3

If

C

0 is a

csccof

L

B

then there is a cscc

C

of

L

such that

C

0

#

L

C

.

Proof (sketch)

Assume there is no csccof

L

such that the required relation holds. Since

C

0 is

acsccthe set of states

C

0

#

L

are connected, i.e., there is a path between every pair of states in the

set. Clearly, this implies that

C

0

#

L

is part asccof

L

. If

C

0

#

L

is not ancsccthen there is a state

2

C

0

#

L

and

0

62

C

0

#

L

such that there is a path from

and

0, but not the other way around.

This implies that there is a state

2

C

0and a state

0 2

C

0 such that there is a path from

to

0,

but not the other way around { a contradiction. Consequently, the projection of acscc of

L

B

is acsccof

L

.

Lemma 5.4

If

(f

j

tr

(

)2

Lang

(

B

)g)

>

0 then there is a cscc

C

of L(

L

) which is compatible

with a nalcscc

C

0 of

L(

L

B

).

Proof

Let f

j

tr

(

)2

Lang

(

B

)g = . Assume

()

>

0. Every innite sequence has to end in

somescc(by Lemma 3.4). One can write = cscc[scc where cscc is the set of sequences that

end in somecsccand sccis the set of sequences that end in somescc(which is not closed). Since

cscc\scc=;, and since

(scc) = 0 (an

scc

is a set of transient states of the Markov chain) we

have

() =

(cscc). Since there are only a nite number ofcsccs there is at least one cscc

C

,

and a nite prex

0, where

C cscc ends in

C

(note all sequences in C have the same prex

0) such that

(

C)

>

0.

Pick a sequence

in C that visits all of the edges of

E

C. Clearly, this sequence has an

accepting run on

B

. Consequently, there is a sequence

2L(

L

B

) such that

#

L

=

,

#

B

=

r

and

inf

(

r

) is a nal state set of

B

. We rst argue that

ends in acscc (say

C

0). Then we show

that

C

and

C

0are compatible and that

C

0 is nal.

Let

be such that it ends in an scc

C

0. If

C

0 is not a

cscc, then there must be a path from

a control state h

s

1

;q

1

i that appears on

to a state h

s

2

;q

2

i outside the scc. Since

#

L

=

, we

can infer that

s

1 is a control state of

C

. As h

s

2

;q

2

i lies outside

C

0, there is a path from h

s

1

;q

1 i to h

s

2

;q

2

i but none from h

s

2

;q

2

i toh

s

1

;q

1

i in

C

0. This implies that in

C

, there is a path from

s

1 to

s

2 but there is no path from

s

2 to

s

1, contradicting our assumption that

C

is a

cscc. Therefore

C

0 is a

From Lemma 5.3 we have

V

C0

#

L

V

C. Consider

V

C 0

#

L

, the projection of control states of

C

0 on

C

. Given that

visits all states in

V

C,

visits some subset of

V

C0 and

#

L

=

we have

V

C

V

C0#

L

. Thus

V

C =

V

C0#

L

. In very much the same manner, by considering all of the sequences

in C that visit all of the edges in

E

C0 we can also show that

E

C =

E

C0

#

L

. Thus

C

and

C

0 are

compatible. We are now left with showing that

C

0 is nal.

Consider

V

C0#

B

. Let

q

2

inf

(

r

) and

q

0

2

V

C0#

B

?

inf

(

r

). Just as in the proof of Lemma 5.1, it

is can be shown that this leads to a contradiction to our assumption that

visits all edges of

E

C.

Thus there can be no such

q

0. We conclude that

V

C0#

B

=

inf

(

r

) and that

C

0 is nal.

Main theorem

Given proofs to both directions we can now infer the following:

Theorem 5.1

(f

j

tr

(

)2

Lang

(

B

)g)

>

0

i

there is a cscc

C

of L(

L

) which is compatible with a nalcscc

C

0 of

L(

L

B

).

The Algorithm

Given the Main theorem our algorithm can now be explained as follows: given a PLCS

L

Pr_{} and a Muller automaton}

_B

_{(a) construct the complement of}

_B

_(say,

_neg

₍

_B

_{)), (b)}

construct

L

neg

(

B

), and (c) check whether there is nal cscc of L(

L

B

) which is compatible

with acsccofL(

L

). If the answer is yes then report that

(L}Pr

;B

)6= 1 else report

(LPr}

;B

) = 1.

Clearly, the preceding algorithm terminates, and by our Main theorem it is correct. We thus have the following:

Theorem 5.2

There exists an algorithm which when given an PLCS

L

Pr_{} and a Muller automaton}

B

, it can decide whether

(

L

Pr_}

_;B

_{) = 1.}

Corollary 5.1

There exists an algorithm which when given an PLCS

L

Pr_{} and a LTL formula}

it can decide whether the probability of execution sequences that satisfy

is 1.

6 Discussion

The central result of our paper is that it is possible to decide whether the set of sequences of a probabilistic lossy channel system

L

Pr_{} satisfying a LTL formula}

_{, or a Muller automaton}

_B

_{, has}

probability 1. This might be surprising given that the traditional model-checking problem for non-probabilistic Lossy channel systems is undecidable, and given that our algorithm does not depend upon the probabilities involved. Clearly, the only explanation is that the two problems are not equally powerful. To illustrate this, consider the LTL specication

=:2}@

s

(@

s

is an atomic

proposition that holds in

s

and does not hold in any

s

0

6

=

s

) which is true of sequences in which the control state

s

is not visited innitely often. Assume that for a Probabilistic lossy channel system

L

Pr_{} the probability of}

_{being true is 1. Does this mean that there are no innite execution}

sequences of

L

Pr_{} in which the control state}

_s

_{is visited innitely often? This is not the case. By}

saying that the probability of

is 1, we are essentially saying that there are nocsccs of

L

Pr} which

contains a control state

s

. Consequently, it is possible that there is ascc

C

, which is not acscc,

Given the afore-mentioned distinction between model-checking and probabilistic model-checking, one could ask - \so what is the use of probabilistic model-checking?" The use of probabilistic model-checking comes from the fact that the theory of performance analysis describes satisfaction of properties in terms of steady state probabilities. The work in this paper can be seen as \describ-ing satisfaction of LTL properties in terms of steady control-state probabilities." This vibes well with the notion that reactive systems (such as network protocols) are supposed to work for ever, and that their long time behavior is what is important. Furthermore, ignoring non-closed sccs is

tantamount to making fairness assumptions (such as that with enough number of tries a message sent will be received by the intended recipient); a fact captured by the Kooman's fair abstraction rule [24].

Finally, the utility of probabilistic model-checking, and the results presented here, is that it provides a combined approach to formal methods based reasoning and performance evaluation. The interpretation of our result is that such a combined analysis could possibly be carried out when formal methods based reasoning (by itself) might be impossible.

We close the paper with a nal remark that Probabilistic lossy channel systems can be used to specify lower level protocols (and network programs) that have to cope with failure in message delivery more realistically, and that having a model-checking procedure for it increases its utility.

References

[1] P. Abdulla and B. Jonsson. Verifying programs with unreliable channels. InIEEE Symposium on Logic in Computer Science, 1993.

[2] P. Abdulla and B. Jonsson. Undecidable verication problems for programs with unreliable channels. In

Proceedings of the Annual International Colloquium on Automata, Languages and Programming, 1994. [3] P. A. Abdulla, K. Cerans, B. Jonsson, and Y.-K. Tsay. General decidability theorems for innite-state systems. InProceedings, 11th Annual IEEE Symposium on Logic in Computer Science, pages 313{321, New Brunswick, New Jersey, 27{30 July 1996. IEEE Computer Society Press.

[4] R. Alur, C. Courcoubetis, and D.L. Dill. Model-checking for probabilistic real-time systems. In Au-tomata, Languages and Programming: Proceedings of the 18th ICALP, volume 510 of LNCS, pages 115{136, 1991.

[5] A.P. Sistla, M.Y. Vardi, and P. Wolper. The complementation problem for Buchi automata with applications to temporal logic. Theoretical Computer Science, 49:217{237, 1987.

[6] A. Aziz, V. Singhal, F. Balarin, R. Brayton, and A. Sangiovanni-Vencieceli. It usually works: The temporal logic of stochastic systems. In P. Wolper, editor, Computer Aided Verication (CAV '95), volume 939 ofLecture Notes in Computer Science, Liege, Belgium, June 1995. Springer-Verlag. [7] Bartlett, Scantlebury, and Wilkinson. A note on reliable full-duplex transmission over half duplex lines.

Comm. ACM, 12(5):260{265, 1969.

[8] G. Bochmann. Finite state description of communication protocols. Comput. Networks, 2:362{372, 1978.

[9] A. Bouajjani, R. Echahed, and P. Habermehl. Verifying innite state processes with sequential and parallel composition. InConference Record of the 22nd ACM SIGPLAN-SIGACT Symposium on Prin-ciples of Programming Languages (POPL'95), pages 95{106, San Francisco, California, January 22{25, 1995. ACM Press.

[10] CCITT. CCITT Recommendation Z.100: Specication and Description Language SDL. ITU General Secretariat, 1988.

[11] G. Cece, A. Finkel, and S. P. Iyer. Unreliable channels are easier to verify than perfect channels.

[12] R. Cleaveland, J. Parrow, and B. Steen. The Concurrency Workbench: A semantics-based tool for the verication of nite-state systems. ACM Transactions on Programming Languages and Systems, 15(1):36{72, January 1993.

[13] C. Courcoubetis and M. Yannakakis. The complexity of probabilistic verication. Journal of the ACM, 42(4):857{907, July 1995.

[14] A. Finkel. Decidability of the termination problem form completely specied protocols. Dist. Comput., 7:129{135, 1994.

[15] M. G. Gouda, E. M. Gurari, T.H. Lai, and L.E. Rosier. On deadlock detection in systems of commu-nicating nite state machines. Comput. Artif. Intell., 6(3):209{228, 1987.

[16] H. Hansson. Time and Probability in Formal Design of Distributed Systems. Elsevier, 1994.

[17] H. Hansson and B. Jonsson. A logic for reasoning about time and chance.Formal Aspects of Computing, 3, 1994.

[18] S. Hart and M. Sharir. Probabilistic propositional temporal logics. Information and Computation (formerly Information and Control), 70, 1986.

[19] Higman. Ordering by divisibility in abstract algebras.Proceedings of the London Math. Society, 3, 1952. [20] G. Holzmann. Design and Validation of Computer Protocols. Prentice-Hall, 1991.

[21] ISO. Estelle: a formal description technique based on an extended state transition model

ISO/TC97/SC21/WG16{1 DP9074, 1986. ISO/TC97/SC21/WG16{1 DP9074.

[22] P. Iyer and M. Narasimha. Probabilistic lossy channel systems. In Foundational Aspects of Software Engineering, Lecture Notes in Computer Science. Springer-Verlag, 1997.

[23] J. G. Kemeny, J. L. Snell, and A. W. Knapp. Denumerable Markov Chains. Van Nostrand, New Jersey, 1966.

[24] C. J. Koomen. Algebraic specication and verication of communicationsprotocol.Science of Computer Programming, 1985.

[25] W. Peng and S. Purushothaman. Analysis of a class of communicating nite state machines. Acta Informatica, 29, 1992.

[26] W. Thomas. Automata on innite objects. In J. van Leeuwen, editor,Handbook of Theoretical Computer Science, volume B, pages 133{191. North-Holland, 1990.