Model checking with Message Sequence Charts Doron Peled Collaborators: R. Alur, E. Elkind, B. Genest, E. Gunter, G. Holzmann, A. Muscholl, Z. Su Bar Ilan.

Model checking withMessage Sequence Charts

Doron PeledCollaborators: R. Alur, E. Elkind,

B. Genest, E. Gunter, G. Holzmann, A. Muscholl, Z. Su

Bar Ilan University, Ramat Gan

Topics

Syntax and semantics Checking Race Conditions High Level MSCs Extensions Model Checking

MSCs

An ITU standard notation (Z120). Visual + Textual forms. Specifies behaviors of

communication protocols. Existing algorithms + tools.

MSC visual notation

P1 P3P2

M1

M2

M3

M4

M5

M6

MSC Textual formmsc MSC;inst P1: process Root, P2: process Root, P3: process Root; instance P1; out M1 to P2; in M5 from P2; in M6 from P3; endinstance; instance P2; in M1 from P1; out M2 to P3; out M3 to P3; in M4 from P3; out M5 to P1; endinstance;

P1 P3P2M1M2

M3

M4M5

M6

instance P3; in M2 from P2; in M3 from P2; out M4 to P2; out M6 to P1; endinstance;endmsc;

Partial order semanticsIn fact, there are two possibilities for semantics, which makes it problematic/interesting

P1 P3P2M1 M2

M3

M4M5

M6

s s

s

s

s

r

r

r

r

r

r

s M1

M2

M3

M4

M5

M6

HMSCs

P1 P3P2 P1 P3P2

P1 P3P2P1 P3P2

connect approve

failreq_service

report

An execution: infinite or maximal sequence of MSCs concatenated

connect approve

fail

report Req_service

A

C D

B

Execution: ACACD

connect

connect

fail

fail

Req_service

report

report

Visual semantics

Sends before corresponding receives.

Events on the same process line execute in order of appearance, from top to bottom.

Visual order (wysiwyg)

P1 P3P2M1 M2

M3

M4M5

M6

s s

s

s

s

r

r

r

r

r

r

sM1

M2

M3

M4

M5

M6

Causal Order:Order only what is controlable

•Sends before matching receive.

•Receive or sends before sends of same process (M3 and M4).

•Two receives on the same process sent from the same process.

P1 P3P2M1M2

M3M4M5

M6

Causal Order

P1 P3P2M1

M2

M3M4

M5

M6

s s

s

s

s

r

r

r

r

r

r

s M1

M2

M3

M4

M5

M6

The problem: Races

The existence of two possible semantics is a source of confusion.

Users may see one semantics as more intuitive or the other.

The discrepancies between the two semantics, causing potentially different order of events, is called “races”.

Races

P1 P3P2M1M2

M3M4M5

M6

P1 P3P2M1 M2

M3

M4

M5

M6

Races: check if every pair of events ordered by the visual order appears in the transitive closure of the causal order.

Calculating the transitive closure

Structure (E, R). E – Events, R E E. R* The transitive closure. Defined as

follows:a R*b if there is a sequencex1 x2 … xn where a=x1, b=xn,and xi R xi+1 for 1i<n.

Complexity: in general cubic. But in our case: quadratic (every event has 1 or 2 successors).

Causal Order

P1 P3P2M1

M2

M3M4

M5

M6

s s

s

s

s

r

r

r

r

r

r

s M1

M2

M3

M4

M5

M6

Visual order (wysiwyg)

P1 P3P2M1 M2

M3

M4M5

M6

s s

s

s

s

r

r

r

r

r

r

sM1

M2

M3

M4

M5

M6

P2P1 P3

M1

M2

M3

M4

M5

M6

M1

M2

M3

M4

M5

M6

P1 P2 P3Finding races:

Rules: order between

- receive and a later send.- two sends from same process.- send and corresponding receive.- fifo order.

Race: In visual order but not in transitive closure of causal order.

Co-regions

P1 P3P2M1

M2

M3M4

M5

M6

Co-regions are boxes around events that explicitly say:allow these events to appear in any order!

Can also deal with timeP1 P2

[2,4]

[3,5]

[2,3]

[7,10]

Use time differencematrices.

Races in HMSCs. Definition

For each HMSC M execution Ex, define thelinearizations according to the visual orderlinvis(Ex) and the linearizations according to the causal order lincaus(Ex). Extend to all executions: linvis(Ex) and lincaus(Ex).

Always linvis(Ex) lincaus(Ex). RacesRaces : when linvis(Ex) lincaus(Ex).

Mazurkiewicz Traces

Alphabet {a,b,c}Independence: aIb, bIcEquivalence classes of words (denoted using

representatives): aabb and abba equivalent[aabb ]=[abba ]

Regular trace language: can be defined usingconcatenation, star, union, intersection.

Note: [ab ]* is not recognizable (by automata, and [abc ]* is not recognizable by stack machine).

In general [L] for a regular language L is not necessarily regular or context-free.

Traces can be concatenated: [vw]=[v][w]. Thus, [ab ][ab ]=[abab ]

Semi-traces Similar to traces, but sometimes can letters

can commute only in one direction. Useful for describing communication

systems: can commute receive with a later send between the same pair of processes, but not necessarily send with a later receive: sssrrrssrsrrsrssrrsrsrsr -/->rssrsr

A message sequence chart can be modeled as a semi-trace.

Concatenation of MSCs Extending the lines of

the process to include all messages.

When we concatenate MSC A before MSC B, it does not mean that all events of A precede all the events of B.

P1 P3P2M4

M5

M6

P1 P3P2

M1M2

M3

A

B

Concatenation of MSCs Extending the lines of

the process to include all messages.

When we concatenate MSC A before MSC B, it does not mean that all events of A precede all the events of B.

Receiving M2 may occur after sending M4.

Can simply concatenate the corresponding semi-traces!

P1 P3P2

M1M2

M3

M4

M5

M6

A; B

Concatenation

P1 P3P2 P1 P3P2

P1 P3P2P1 P3P2

connect approve

fail req_servicereport

P1 P2 P3

connect

failreport

approve

connect

connect

fail

report

A B

C D

Execution: concatenation of a maximal path in the HMSC. Concatenation of MSCs Concatenation of semi-traces.

Other problems…Global decision

P1 P2 P1 P2

+ =?

What if one process will start to behave according to M1

and the other will start according to M2?

Some decision procedures for this problem + MSC restrictions

M1 M2

Races for HMSCs Undecidable [MP99]

Intuition: moving from visual to causal semantic introduces more commutations:Two receives on the same process line (from different processes) are dependent on visual and independent on causal order.

Build regular L where each letter becomes an MSC with one message.

Universality of semi-trace languages. Is [L]=* is similarly undecidable.

a

b

c

aIc, bIc in Visual order.

All letters/events are independent in causal semantics.

The case in the middle:No HMSC graph, but multiple MSCs [EGP07]

We call a collection of finite MSCs an ensemble. This is usually what is given by engineers.

A polynomial algorithm for checking races.

NP-Complete if we allow co-regions. But, to be race free, one may need

exponential number of MSCs (in size of a single MSC).

Calculating the “discord” [EGPS07]

The “discord” is a measure of the possible deviation of the actual execution order from what seems to be the order according to the HMSC.

This discrepancy is similar to “races” and stems from the fact that in concatenation, an event from earlier MSC can precede one from later MSC.

Intuitively: the discord tell the designer that (s)he may think that the message order is X, but at worst it can be Y.

Use “Allen’s logic” to describe order.

B

A

B

A

B

A

AbB (A before B)

AoB (A overlaps B)

AdB (A during B)

Calculate from HMSC the order between pairs of messages. The

Vertical lines: the two messages in focus.

Dashed lines: chains of messages, i.e.,s r s …s r where adjacent r and s are from same process.

Faint lines: more chains of messages that can be inferred from situation.

These are 4 out of 22 cases.

The discord tells us what is the maximal “inversion” between the message order according to the HMSC structure, and actual order

P1 P3P2M4

M5

M6

P1 P3P2

M1M2

A

B

M2 M4

M2 cannot appear completely after M4; at worst, it can start after M4 has started but before it ended, and finish after M4 finishes. In Allen’s logic, M4oM2.

The discord is, informally, a mesasure of this worst situation.

Calculating the discord for two messages: Co-NP complete in number of processes and size of HMSC.

Model checking Write both specification and system as

HMSCs, or Write specification in LTL. Interpret over

the linearizations of the partial orders. In both cases: undecidable. We’ll show the intersection case. For the

LTL case: encode the linearizations of one of the HMSCs with LTL: for each MSC node, only one linearization is necessary.

Post Correspondence Problem List of pairs:

w1:(aab,aa), w2:(aba,ab), … wn:(a,bb).Want to find if we find a set of indexesi1, i2, …, ik, such that concatenatingthe lefthand words and concatenatingthe righthand words is the same.

Supose we take indexes 1, 2, n, 1. We get:

lefthand: aab aba a aab righthand: aa ab bb aa

PCP reduction

P1 P2

P3 P4P3 P4

P1 P2

P5 P6

P5 P6

ab

a ab

P5 P6

P5 P6

P1 P2

P3 P4P3 P4

P1 P2

w2

b

w1

b

w1

w2

bab

The communication structure of an MSC (HMSC)

P1 P3P2M1

M2

M3

P1 P3P2

An edge exist from a process Pi to a process Pj exists if there is a communication from Pi to Pj.

Some solutions:

Obtain decidability under the following condition [MP99,AY99]:Every HMSCs cycle covers a strongly connected component of the communication graph. An edge exist from a process Pi to a process Pj if there is a communication from Pi to Pj.

Pattern matching: The specification HMSCs allows any additional gaps [MPS98].

Put limit on message queues [Holzmann].

Problem with describing protocols

s1

t2

t1

s3

s2

P1 P2

P1:snd

P1:snd P1:rcv

P2:snd

P2:rcv

Problem with describing protocols

P1 P2

Problem with describing protocols

P1 P2

Problem with describing protocols

P1 P2

Problem with describing protocols

P1 P2

Problem with describing protocols

P1 P2

Problem with describing protocols

P1 P2

Solution: Compositional HMSCs

P1 P2

P1 P2

Even emptiness is undecideable!

(E1+E2+…+Em)+ (G1+G2+…+Gm)+ F

a

a

bw3

b

a

bw2

E3 G2

F

Left closed HCMSCs

Does not allow unmatched receive event that is not yet matched by a previous unmatched send.

HCMSC is realizable if every path is matched.

Can be checked in polynomial time using a nondeterministic stack machine.

How to check for realizability?

What can go wrong?1. More unmatched

receives than sends.2. The k th unmatched

send before a mathced pair, the k th receive after.

3. The k th unmatched send has name C, the k th unmatched receive has name D.

How to check with a stack machine for each pair of processes?

1+2: Push a £ for each unmatched send, pop a £ for each unmatched receive.

3: Guess that it’s a name mismatch upon seeing an unmatched send.Ignore further sends. Pop £ as usual for receives, until corresponding receive occurs.

Now we can translate finite state protocols to HCMSCs Any finite state

protocol can be translated.

Trivial translation: any transition in finite state graph makes one HCMSC node, with possibly an unmatched message.

This does not give more information than finite state graph.

Try to optimize: take some paths.

Nexttime: O p

P2P1 P3

M1

M2

M3

M4

M5

M6

M1

M2

M3

M4

M5

M6

P1 P2 P3

pp

p

The logic TLC [APP] over MSCs.

Label events with propositions.

Interpret over any execution path of the MSCs (Partial order logic!)Not over the linearizations of the executions.

¬O ¬p

P2P1 P3

M1

M2

M3

M4

M5

M6

M1

M2

M3

M4

M5

M6

P1 P2 P3

pp

p

p p

O p

P2P1 P3

M1

M2

M3

M4

M5

M6

M1

M2

M3

M4

M5

M6

P1 P2 P3

p

p

p

P2P1 P3

M1

M2

M3

M4

M5

M6

p

p

M1

M2

M3

M4

M5

M6

P1 P2 P3Until: pUq

p

q p

p

pp

p

pppp

q

q

true U q = <>q

P2P1 P3

M1

M2

M3

M4

M5

M6

p

p

M1

M2

M3

M4

M5

M6

P1 P2 P3¬(trueU¬p) = []p

pp

p

pp

p

pppp p

p pp p

p

p

p

p p

p

pp

p p

Some specifications

[](req --> <> ack) Every request is followed by acknowledge.

¬<>(transA /\ <> (transB /\ <>transA)) Transaction B cannot interfere with transaction A.

[](beginA --> O (transA U finishA )) The execution of transaction A is not interrupted by any other event.

connect approve

fail

report Req_service

HMSC linearizations

Intuition behind algorithm for Op

2

5

7

3

64

8

10

12

11

1

9

M1

M2

M3

M4

M5

M6

P1 P2 P3

23456789

10

1

1211

Aut. with 2 successors relations.

There are two cases:

- p holds for matching receive.

Then use 2nd successor rel.

- p holds for successor in proc.

Then wait to see event of same

process.

Intersect:

System autom. (linearizations)

Property autom. (of ¬prop)

23456789

10

1

1211

OverviewMSC

HMSC

Finite, one scenario

HCMSC

Cannot express behavior of some protocols

BoundedHMSC

Connectedcommunication

HMSC

Undecidable linear model checking

Emptiness undecidable

RealizableHCMSC

Partial order model checking

Findingraces

Checking realizability

Conclusions

MSCs and HMSCs are a useful standard in designing protocols.

Studying MSCs is based on partial order models such as traces.

MSCs and HMSCs behave in a different way than traditional transition systems, based on the interleaving model: challenging problems.

The problems of finding races, discords and model checking provide some interesting solutions.