Foundations of Software Technology and Theoretical Computer Science (2010) Submission

Using SAT-solvers to check divergence (and synchronizations) in MSC graphs

Florent Avellaneda & Rémi Morin
Aix-Marseille université — UMR 6166 — CNRS
Laboratoire d'Informatique Fondamentale de Marseille
163, avenue de Luminy, F-13288 Marseille Cedex 9, France

ABSTRACT. Divergence appears in MSC specifications when an unbounded number of messages can be pending within a communication channel. Several algorithms and tools have been designed to check this kind of unexpected property. This paper shows that divergence is very close to SAT and that SAT-solvers can be used to check divergence (and similar properties) efficiently.

Introduction

Message Sequence Charts (MSCs) are a popular model often used for the documentation of telecommunication protocols. They benefit from a standardized visual and textual presentation (ITU-T recommendation Z.120) and are close to other formalisms such as the sequence diagrams of UML. An MSC gives a graphical description of the intended communications between processes. Usually it abstracts away from the values of variables and the actual contents of messages. However, this formalism can be used at some early stage of design to detect errors in the specification [1, 2, 3, 4, 6, 7, 9, 11, 12, 14]. In this work we focus on the problems of checking process divergence, as introduced in [2], and computing an appropriate buffer size for channels, as already investigated in [11].

Message sequence graphs (MSGs), or equivalently high-level MSCs, are a usual formalism to describe possibly infinite sets of scenarios in some algebraic way. Because asynchronous distributed systems provide no information about the relative speed of processes or the delay for a message to be delivered, divergence can appear in specifications: this means that there is no bound on the number of pending messages along an execution of the specified scenarios. However, a simple criterion allows us to decide whether a given MSG is not divergent [2, Th. 5]: we have to check that all connected components of the communication graph of any (simple) loop are strongly connected. Given a non-divergent MSG, a natural issue is to compute a buffer size for channels so that any pending message can be stored within the system before it gets delivered. As established by Lohrey and Muscholl, checking whether a buffer size is appropriate for all scenarios of a (possibly divergent) MSG is co-NP-complete [11, Th. 4.6]. Since the MSG used in the proof of this theorem shows no loop, this result extends immediately to non-divergent MSGs. Thus, computing an optimal appropriate buffer size for a non-divergent MSG is hard.

In order to cope with this difficulty, we show in Prop. 2.2 that x × n is an appropriate buffer size for any non-divergent MSG with x processes and at most n identical message exchanges in all transitions. This rather small bound relies of course on the requirement that the MSG is not divergent. Divergence thus remains an interesting property to check.

In [2], Ben-Abdallah and Leue designed an algorithm to check divergence which is exponential in the number of states in the MSG and linear in the number of channels: one simply has to search for all simple loops and to compute the strongly connected components of the resulting communication graph [15]. It follows that checking divergence is in NP. An interesting alternative algorithm was suggested in [1]: it consists of first fixing a diverging channel and some associated partition of processes, and next searching for a simple loop matching these message exchanges, by computing the strongly connected components of the MSG reduced to the corresponding transitions [15]. This second approach is exponential in the number of processes, but only linear in the number of transitions in the MSG. These two natural approaches are somehow opposite, but each may be efficient in some cases, according to the number of states and processes. For that reason, designing an efficient algorithm for checking divergence may be hard. As stated in [1, Th. 7], checking divergence of MSGs is NP-complete.

We first give a simple and linear reduction from the boolean satisfiability problem (SAT) to divergence. Moreover, we also present a rather simple reduction from divergence to SAT. These reductions show that divergence and SAT are really close problems. The reduction to SAT allows us to use SAT-solvers to search for divergence in MSC specifications. Similarly, slightly more involved techniques can be developed to check strong and weak synchronizations. This study is supported by some experimental results and a short comparison to MSCan [4].

1 Background

Following a classical approach in concurrency theory, the executions of a distributed system are regarded as labeled partial orders (called pomsets). Although our results hold for non-FIFO channels, we assume in this paper that all channels are FIFO in order to simplify the presentation. Furthermore, for the same reason, the actual content of messages is abstracted from the notion of MSCs, similarly to the approach adopted in [5, 6, 8]. The results presented here can also be extended to the more general framework of compositional MSCs [6].

A pomset over an alphabet Σ is a triple t = (E, ≼, ξ) where (E, ≼) is a finite partial order and ξ is a mapping from E to Σ without autoconcurrency: ξ(x) = ξ(y) implies x ≼ y or y ≼ x for all x, y ∈ E. A pomset can be seen as an abstraction of an execution of a concurrent system. In this view, the elements of E are events and the letter ξ(e) describes the basic action of the system that is performed by the event e ∈ E. Furthermore, the order ≼ describes the causal dependence between events [10]. Let t = (E, ≼, ξ) be a pomset and x, y ∈ E. Then y covers x (denoted x ≺· y) if x ≺ y and x ≺ z ≼ y implies y = z. An order extension of a pomset t = (E, ≼, ξ) is a pomset t′ = (E, ≼′, ξ) such that ≼ ⊆ ≼′. A linear extension of t is an order extension that is linearly ordered. It corresponds to a sequential view of the concurrent execution t. Linear extensions of a pomset t over Σ can naturally be regarded as words over Σ. By LE(t) ⊆ Σ⋆ we denote the set of linear extensions of a pomset t over Σ. An ideal of t is a downward-closed subset H ⊆ E: x ∈ H ∧ y ≼ x ⇒ y ∈ H. The restriction t′ = (H, ≼ ∩ (H × H), ξ ∩ (H × Σ)) is called a prefix of t and we write t′ ≤ t. For all z ∈ E, we denote by ↓t z the ideal of events below z, i.e. ↓t z = {y ∈ E | y ≼ z}. We denote by |t|a the number of events x ∈ E such that ξ(x) = a.

FSTTCS 2010

1.1 Message sequence charts

Message sequence charts are defined in the Z.120 recommendation of the ITU-T with a formal syntax and graphical rules (Fig. 1). They can also be seen as particular pomsets over some alphabet that we introduce first. Let I be a finite set of processes (also called instances). For any instance i ∈ I, the alphabet Σi is the disjoint union of the set of send actions Σ!i = {i!j | j ∈ I \ {i}} and the set of receive actions Σ?i = {i?j | j ∈ I \ {i}}. The alphabets Σi are disjoint and we let ΣI = ⋃_{i∈I} Σi. Given an action a ∈ ΣI, we denote by Ins(a) the unique instance i such that a ∈ Σi, that is, the particular instance on which each occurrence of action a occurs. Finally, for any pomset (E, ≼, ξ) over ΣI and any e ∈ E, we denote by Ins(e) the instance on which the event e occurs: Ins(e) = Ins(ξ(e)). We let K = {(i, j) ∈ I × I | i ≠ j} denote the set of all channels between the instances I. Let M = (E, ≼, ξ) be a pomset over ΣI. We say that two events e, f ∈ E match each other if e sends a message from i to j and f receives this message on j: formally, we put e ⇝ f if ξ(e) = i!j, ξ(f) = j?i, and moreover |↓M e|i!j = |↓M f|j?i.

Definition 1.1 An MSC M = (E, ≼, ξ) is a pomset over ΣI such that
M1: ∀e, f ∈ E : Ins(e) = Ins(f) ⇒ (e ≼ f ∨ f ≼ e)
M2: ∀e, f ∈ E : e ⇝ f ⇒ e ≼ f
M3: ∀e, f ∈ E : [e ≺· f ∧ Ins(e) ≠ Ins(f)] ⇒ e ⇝ f
M4: ∀(i, j) ∈ K : |M|i!j = |M|j?i

By M1, events occurring on the same instance are linearly ordered: non-deterministic choice cannot be described within an MSC. Axiom M2 formalizes that the receipt of any message occurs after the corresponding send event. By M3, causality in M consists only of the linear dependency over each instance and the ordering of pairs of corresponding send and receive events. Altogether, M1 to M3 state that the partial order ≼ represents precisely the causal order [10]. Finally, M4 ensures that there is a one-to-one correspondence between send and receive actions for each channel. We denote by MSC the set of all MSCs.

1.2 Message sequence graphs

We come now to the definition of the concatenation of two MSCs. Let M1 = (E1, ≼1, ξ1) and M2 = (E2, ≼2, ξ2) be two MSCs. The product M1 · M2 is the MSC (E, ≼, ξ) where E = E1 ⊎ E2, ξ = ξ1 ∪ ξ2 and the partial order ≼ is the transitive closure of ≼1 ∪ ≼2 ∪ {(e1, e2) ∈ E1 × E2 | Ins(e1) = Ins(e2)}.

Definition 1.2 A Message Sequence Graph (for short: an MSG) is an automaton A = (Q, ı, −→) where Q is a finite set of states, with initial state ı ∈ Q, and −→ ⊆ Q × MSC × Q is a finite set of transitions labeled by MSCs.

The language L(A) recognized by an MSG A collects all MSCs M for which there exists a path $\imath = q_0 \xrightarrow{M_1} \cdots \xrightarrow{M_n} q_n$ such that M = M1 · ... · Mn. MSGs are usually provided with a subset F ⊆ Q of final states. In that case, the definition of L(A) additionally requires that qn ∈ F. However, this feature plays no role in our study, so we simply omit it. For convenience we will assume that all states of an MSG are reachable from its initial state.

[Fig. 1. An MSC]

[Fig. 2. An MSG]

[Fig. 3. The communication graph of the MSC from Fig. 1]

1.3 Divergence, strong synchronization and weak synchronization

The communication graph of an MSC M is the directed graph whose nodes are the processes which send or receive a message in M (called the active processes of M) and such that there is an edge i → j whenever M contains a message exchange from i to j [2, 7, 8]. For instance, the communication graph of the MSC from Fig. 1 is depicted in Fig. 3. Observe here that this graph is strongly connected. The communication graph of a set of MSCs is the union of their communication graphs. The communication graph of a loop in some MSG is the communication graph of the MSCs appearing in this loop. Several interesting classes of MSGs can be defined according to the communication graphs of all loops, or all simple loops, in the MSG. Let us first introduce some basic notions that depend on a fixed channel.

Definition 1.3 Let A be an MSG and (i, j) ∈ K be a channel. Then
– (i, j) is called divergent in A if there exists some simple loop whose communication graph contains an edge from i to j but no path from j to i.
– (i, j) is called weakly-synchronized in A if i and j are connected in the communication graph of any simple loop for which both i and j are active.
– (i, j) is called strongly-synchronized in A if i and j are strongly connected in the communication graph of any simple loop for which both i and j are active.

An MSG A is called divergent if at least one channel is divergent in A. Observe here that an MSG is divergent iff there exists a simple loop whose communication graph contains a connected component that is not strongly connected. Thus this definition coincides with the criterion introduced in [2]. As explained in [1], checking divergence of a given MSG A is in NP. Actually this problem is NP-complete [1, Th. 7]. Being divergent is not a good property, because no finite buffer size can store all pending messages along all executions, as we will see in the next section (Cor. 2.3). On the other hand, being synchronized is often a requirement for a nice behaviour of the system. For that reason, an MSG A is called weakly-synchronized (resp. strongly-synchronized) if all channels are weakly-synchronized (resp. strongly-synchronized) in A. It is easy to check that an MSG is weakly-synchronized (resp. strongly-synchronized) iff the communication graph of any simple loop is connected (resp. strongly connected). It follows immediately that an MSG is strongly-synchronized iff it is weakly-synchronized and not divergent.


Remark 1.4 Similar notions have been investigated in the literature. First, an MSG is called bounded [1], locally-synchronized [8, 14], or regular [7] if the communication graph of any loop is strongly connected. Any locally-synchronized MSG is strongly-synchronized, but the converse fails. Second, an MSG is globally-cooperative [6, 7] if the communication graph of any loop is connected. Any globally-cooperative MSG is weakly-synchronized, but again the converse fails. Thus, as opposed to divergence, the restriction to simple loops makes a difference in the definition of weak and strong synchronization. Checking whether an MSG is locally-synchronized (or globally-cooperative) is known to be co-NP-complete [7, Prop. 6]. Unsurprisingly, we will observe here that checking weak (or strong) synchronization of a given MSG is also co-NP-complete. In this paper, we aim at investigating how to make efficient use of SAT-solvers in order to check divergence, strong synchronization and weak synchronization of MSGs.

2 Bounded channels in message sequence graphs

In this section we recall the connection between divergence and channel-boundedness established in [2]. We show that it is easy to compute an appropriate (possibly non-optimal), simple, and relatively small buffer size for non-divergent MSGs. However, divergence of a channel is also proved here to be NP-complete with a simple linear reduction. An analogous observation is presented for weak-synchronization, too.

2.1 Width of a channel

Let M = (E, ≼, ξ) be an MSC. An execution of M is a sequential view of its events, that is, a linear extension s of M. Each stage of this execution corresponds to a prefix t of s. Now the maximal number of messages in transit within the channel from i to j along the execution s is $\max_{t \le s} (|t|_{i!j} - |t|_{j?i})$. Since this value depends on s, the width of M for channel (i, j) is defined as follows:

$$ W_{i,j}(M) \;=\; \max_{s \in LE(M)} \; \max_{t \le s} \big( |t|_{i!j} - |t|_{j?i} \big) $$

It captures the maximal number of messages sent and not yet received at any stage of any execution of M. For all MSGs A, we put Wi,j(A) = max_{M∈L(A)} Wi,j(M). Note here that L(A) is infinite as soon as A contains loops. Therefore Wi,j(A) can be infinite, too.

Definition 2.1 A channel (i, j) is bounded in an MSG A if Wi,j(A) < ∞. An MSG A is channel-bounded if all channels are bounded in A.

The value Wi,j(A) is interesting since it represents the optimal size of the buffer from i to j so that this channel cannot overflow in any execution of A.

2.2 An upper bound for the width of a non-divergent channel

Let A be a fixed MSG.

Proposition 2.2 Let (P1, P2) ∈ K be a fixed channel and $n = \sum_{q \xrightarrow{M} q'} |M|_{P_1!P_2}$ be the number of occurrences of action P1!P2 in transitions from A. If the channel (P1, P2) is not divergent in A then $W_{P_1,P_2}(A) \le n \times x$, where x = |I| is the number of processes.


As a side remark, we can establish the correspondence between non-divergence and channel-boundedness.

Corollary 2.3 A channel (i, j) is bounded in A iff (i, j) is not divergent in A.

Proof. Proposition 2.2 shows that if (i, j) is not divergent then it is bounded. Assume now that (i, j) is divergent. There exists some path from the initial state of A, labeled by M, which leads to some loop labeled by N whose communication graph admits an edge from i to j but no path from j to i. We claim that Wi,j(M · N^k) ≥ k for all k ≥ 0.

As a consequence, as already stated in [2, Th. 5], an MSG is channel-bounded iff it is not divergent. In [11, Th. 4.6], it is proved that computing the optimal buffer size max_{(i,j)∈K} Wi,j(A) is NP-hard. This result holds even if one restricts to non-divergent MSGs (because the proof is built on an MSG without loop). Proposition 2.2 above shows that m × x is an adequate buffer size for each channel if m is the maximal number of identical messages in all transitions from A, i.e. $m = \max_{(i,j) \in K} \sum_{q \xrightarrow{M} q'} |M|_{i!j}$.

2.3 Linear reductions from SAT to divergence (and weak synchronization)

Let φ be a boolean formula with V variables x1, ..., xV and N clauses C1, ..., CN. We build an MSG Adiv(φ) with V + 2 processes and N + 1 states. Each variable is regarded as a process and we consider two new processes denoted by true and false. Each clause Ci is identified with a state and we consider an additional state denoted by CN+1. Consider now the MSG Adiv(φ) with initial state C1 such that
– for each literal l in clause Ci, we put some transition $C_i \xrightarrow{M} C_{i+1}$ where M consists of a single message exchange from true to the variable x, if l = x, and from x to false if l = not(x);
– a transition carrying an MSC with a single message exchange from false to true is added from CN+1 to C1.
In particular, any simple loop in Adiv(φ) visits all the states C1, C2, ..., CN+1 (in that order) and there is a single transition from CN+1 to C1.

Lemma 2.4 A boolean formula φ is satisfiable iff the channel (false, true) is divergent in Adiv(φ).

Proof. Assume first that φ admits some satisfying assignment. For each clause we can choose a satisfied literal. These choices determine a unique simple loop in Adiv(φ). The communication graph of this loop contains an edge from false to true, but no variable x admits both an edge from true to x and an edge from x to false. So there is no path from true to false: the channel from false to true is divergent in Adiv(φ). Conversely, assume now that the channel from false to true is divergent in Adiv(φ). Then there exists a simple loop whose communication graph admits no path from true to false. We can identify such a loop with a choice of a literal for each clause. For each variable x, we cannot have a message from true to x and a message from x to false along this loop. Therefore we can derive from the communication graph an assignment satisfying φ.

Consider now two new processes denoted by ⊤ and ⊥. Replace in Adiv(φ) the MSC carried by the additional transition from CN+1 to C1 by the MSC with two message exchanges, one from true to ⊤, the other from ⊥ to false. We denote by Aws(φ) the resulting MSG. In any loop of Aws(φ), the two processes true and false are active but there is no longer any message exchange between them. These two processes belong to the same connected component


if and only if at least one variable is connected to both of them. Thus the communication graph of a simple loop in Aws(φ) is not connected iff true and false are not connected. In this situation, similarly to the proof of Lemma 2.4, we can derive a satisfying assignment for φ. Conversely, any satisfying assignment for φ yields a simple loop whose communication graph is not connected. Note here that Aws(φ) is weakly-synchronized iff it is globally-cooperative (Remark 1.4), because if there exists a loop that is not connected then there is a simple loop that is not connected. In that way we get the next statement.

Lemma 2.5 Let φ be a boolean formula. The following four conditions are equivalent:
(i) The formula φ is satisfiable.
(ii) The channel (false, true) is not weakly-synchronized in Aws(φ).
(iii) The MSG Aws(φ) is not weakly-synchronized (resp. not globally-cooperative).

Note that Lemma 2.5 shows that checking weak-synchronization of a channel (or an MSG) is co-NP-complete. The linear constructions of Adiv(φ) and Aws(φ) from a boolean formula φ will be useful to evaluate the cost of our reductions to SAT for checking divergence and weak-synchronization. In particular, we will produce some benchmarks of MSGs from a benchmark of boolean formulae using these reductions.

3 Using SAT-solvers

In this section we explain how to use SAT-solvers to check divergence, weak synchronization, or strong synchronization of a channel in some given MSG. The reductions to SAT presented here are supported by some experimental results.

3.1 From divergence to SAT

Let A = (Q, ı, ∆) be an MSG and (i, j) be a fixed channel. We shall build a boolean formula Φdiv(A, i, j) with two kinds of variables: the transitions δ ∈ ∆ and the processes k ∈ I. For any transition $\delta = q \xrightarrow{M} q'$ from ∆ we put dom(δ) = q and cod(δ) = q′. Moreover, we write s →δ r if the MSC carried by δ shows a message in channel (s, r). The transition variables δ assigned to true will determine a subset of selected transitions which forms a disjoint union of simple loops. Observe here that the connectivity criterion for the divergence of a channel (Def. 1.3) may be equivalently applied to all simple loops, all loops, or any collection of loops that contains all simple loops. In this way, a subset of transitions forms a family of disjoint simple loops if and only if the three next properties are satisfied:
– a transition leaves a state iff some transition enters this state,
– there is at most one transition leaving a given state,
– there is at most one transition entering a given state.


These conditions can be formalized by the following boolean conditions:

$$
\mathit{Loops} \;=\; \bigwedge_{\delta \in \Delta} \Big( \delta \to \bigvee_{\delta' \in \Delta,\ \mathrm{dom}(\delta') = \mathrm{cod}(\delta)} \delta' \Big)
\;\wedge\; \bigwedge_{\delta \in \Delta} \Big( \delta \to \bigvee_{\delta' \in \Delta,\ \mathrm{cod}(\delta') = \mathrm{dom}(\delta)} \delta' \Big)
\;\wedge\; \bigwedge_{\delta \neq \delta',\ \mathrm{dom}(\delta) = \mathrm{dom}(\delta')} (\neg \delta \vee \neg \delta')
\;\wedge\; \bigwedge_{\delta \neq \delta',\ \mathrm{cod}(\delta) = \mathrm{cod}(\delta')} (\neg \delta \vee \neg \delta')
$$

Recall that a → b is equivalent to ¬a ∨ b. Therefore Loops, and all following formulae, are almost in conjunctive normal form (CNF), which is required for most SAT-solvers. We will also distinguish a subset of processes, those assigned to true. The formula will require that all processes reachable from the fixed process j in the communication graph of the selected transitions are assigned to true (but possibly some other processes, too). In particular the variable j should be assigned to true. This requirement can be formalized in CNF as follows:

$$ \mathit{Reachable}_j \;=\; j \;\wedge\; \bigwedge_{s \to_\delta r} (\neg \delta \vee \neg s \vee r) $$

Note here that each clause ¬δ ∨ ¬s ∨ r is equivalent to (δ ∧ s) → r. This expresses the fact that if process s is reachable from j and δ is selected then r is reachable from j, provided that δ carries an MSC that specifies a message exchange from s to r. Now the channel (i, j) is divergent in A if there exists a simple loop (or a set of simple loops) in A whose communication graph shows a direct message exchange from i to j but no path from j to i, which means that the variable i must be assigned to false. Thus it remains only to express the following condition:

$$ \mathit{Divergence}_{i,j} \;=\; (\neg i) \;\wedge\; \bigvee_{i \to_\delta j} \delta $$

To conclude, we consider the formula Φdiv(A, i, j) = Loops ∧ Reachablej ∧ Divergencei,j.

Theorem 3.1 The channel (i, j) is divergent in A iff the boolean formula Φdiv(A, i, j) is satisfiable.

Thus, in order to check the divergence of an MSG A, we simply need to ask a SAT-solver about the satisfiability of Φdiv(A, i, j) for all channels (i, j). Of course one should save time and restrict this computation to channels that are effectively used in A.
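As an added example (not code from the paper), the Python below builds Φdiv(A, i, j) as Loops ∧ Reachablej ∧ Divergencei,j from an MSG whose transitions are labelled only by the channels their MSCs use, decides it with a small DPLL solver, and exercises Theorem 3.1 on the Adiv(φ) construction of Section 2.3, so that a formula's satisfiability shows up as divergence of the channel (false, true). The MSG encoding, the solver and the sample inputs are assumptions of this illustration, not the authors' implementation.

```python
"""Divergence of an MSG channel via SAT, following Phi_div of Section 3.1, applied
to the A_div(phi) construction of Section 2.3. Added example, not the paper's code.
Assumed MSG encoding: a transition is (source, target, frozenset of channels (s, r))
used by its MSC; the DPLL solver and the sample inputs below are constructed."""
from itertools import combinations


def encode_divergence(transitions, processes, i, j):
    """Phi_div(A, i, j) = Loops and Reachable_j and Divergence_{i,j} as CNF: clauses
    are lists of int literals; variables are transitions 1..m, then one per process."""
    m = len(transitions)
    tvar = {k: k + 1 for k in range(m)}
    pvar = {p: m + 1 + n for n, p in enumerate(processes)}
    clauses = []
    for k, (src, dst, _) in enumerate(transitions):
        leaving = [tvar[k2] for k2, (a, _, _) in enumerate(transitions) if a == dst]
        entering = [tvar[k2] for k2, (_, b, _) in enumerate(transitions) if b == src]
        clauses.append([-tvar[k]] + leaving)   # delta -> some delta', dom(delta') = cod(delta)
        clauses.append([-tvar[k]] + entering)  # delta -> some delta', cod(delta') = dom(delta)
    for k, k2 in combinations(range(m), 2):  # at most one transition leaves/enters a state
        if transitions[k][0] == transitions[k2][0] or transitions[k][1] == transitions[k2][1]:
            clauses.append([-tvar[k], -tvar[k2]])
    clauses.append([pvar[j]])  # Reachable_j: j itself is reachable ...
    for k, (_, _, channels) in enumerate(transitions):
        for s, r in channels:  # ... and (delta and s) -> r for every message s ->_delta r
            clauses.append([-tvar[k], -pvar[s], pvar[r]])
    clauses.append([-pvar[i]])  # Divergence_{i,j}: i not reachable from j ...
    clauses.append([tvar[k] for k, (_, _, ch) in enumerate(transitions) if (i, j) in ch])
    return clauses  # ... yet some selected delta carries a message i!j


def dpll(clauses, assignment=None):
    """Tiny DPLL (unit propagation + branching). Returns a model dict or None."""
    assignment = dict(assignment or {})
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue  # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None  # every literal is false: conflict
            if len(free) == 1:  # unit clause forces its literal
                assignment[abs(free[0])] = free[0] > 0
                changed = True
    unassigned = {abs(l) for c in clauses for l in c} - set(assignment)
    if not unassigned:
        return assignment
    var = min(unassigned)
    for value in (True, False):
        model = dpll(clauses, {**assignment, var: value})
        if model is not None:
            return model
    return None


def divergent_channel(transitions, processes, i, j):
    """Theorem 3.1: (i, j) is divergent in A iff Phi_div(A, i, j) is satisfiable."""
    return dpll(encode_divergence(transitions, processes, i, j)) is not None


def divergent_channels(transitions, processes):
    """Divergent channels of A, checking only channels actually used in A."""
    used = {ch for _, _, chs in transitions for ch in chs}
    return sorted(ch for ch in used if divergent_channel(transitions, processes, *ch))


def a_div(phi):
    """A_div(phi) of Section 2.3 for a CNF phi given as a list of clauses over int
    literals: states C_1..C_{N+1}, one transition C_i -> C_{i+1} per literal of C_i
    (true -> x for x, x -> false for not x) and C_{N+1} -> C_1 carrying false -> true."""
    transitions = []
    for idx, clause in enumerate(phi, start=1):
        for lit in clause:
            channel = ("true", abs(lit)) if lit > 0 else (abs(lit), "false")
            transitions.append((idx, idx + 1, frozenset({channel})))
    transitions.append((len(phi) + 1, 1, frozenset({("false", "true")})))
    variables = sorted({abs(l) for c in phi for l in c})
    return transitions, variables + ["true", "false"]


# Constructed sample MSG over processes 1, 2, 3: the loop q0 -> q1 -> q0 exchanges
# 1!2 then 2!1 (strongly connected), while the self-loop on q1 only sends 1!3.
SAMPLE_PROCESSES = [1, 2, 3]
SAMPLE_TRANSITIONS = [("q0", "q1", frozenset({(1, 2)})),
                      ("q1", "q0", frozenset({(2, 1)})),
                      ("q1", "q1", frozenset({(1, 3)}))]
# Constructed formulae: PHI_SAT is satisfied by x2 = true; PHI_UNSAT has no model.
PHI_SAT = [[1, 2], [-1, 2]]
PHI_UNSAT = [[1, 2], [-1, 2], [-2]]

if __name__ == "__main__":
    print("divergent channels:", divergent_channels(SAMPLE_TRANSITIONS, SAMPLE_PROCESSES))
    for phi in (PHI_SAT, PHI_UNSAT):
        print(phi, "satisfiable <=>", divergent_channel(*a_div(phi), "false", "true"))
```

Only the self-loop's channel (1, 3) comes out divergent in the sample MSG, and for Adiv(φ) the solver answers exactly the satisfiability of φ, as Lemma 2.4 predicts.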

3.2 Reduction from weak-synchronization to SAT

Consider again an MSG A = (Q, ı, ∆) with N states and some fixed channel (i, j). We build a boolean formula Φws(A, i, j) over N × |∆| + |I| variables: each process k ∈ I corresponds to a variable, and for each x ∈ [1, N] and each transition δ ∈ ∆ we consider a variable δx. For convenience we write δN = δ for each δ ∈ ∆. The formula Φws(A, i, j) consists of four parts and borrows the specification of Loops:

Φws(A, i, j) = Loops ∧ Simple_Loop ∧ Connectedj ∧ Unconnectedi,j


Thus we require again that the transitions δ assigned to true form a collection of disjoint simple loops. We formalize by Simple_Loop the property that these transitions are connected: consequently they form a simple loop (or nothing).

$$
\mathit{Simple\_Loop} \;=\; \bigwedge_{\delta, \delta' \in \Delta,\ \delta \neq \delta'} (\neg \delta_1 \vee \neg \delta'_1)
\;\wedge\; \bigwedge_{\delta \in \Delta,\ x \in [1, N-1]} (\delta_x \to \delta_{x+1})
\;\wedge\; \bigwedge_{\delta \in \Delta,\ x \in [2, N]} \Big( \delta_x \to \delta_{x-1} \vee \bigvee_{\delta' \in \Delta,\ \mathrm{cod}(\delta') = \mathrm{dom}(\delta)} \delta'_{x-1} \Big)
$$

This formula states that
– at most one transition δ is assigned to true at the first level; intuitively this transition can be regarded as the first step of a loop.
– any transition assigned to true at some level x < N is also assigned to true at level x + 1: the set of selected transitions increases at each level.
– the starting state of any transition assigned to true at some level x > 1 but not at level x − 1 should be the ending state of some transition assigned to true at level x − 1. This ensures that the set of transitions at each level is connected.
Since each simple loop in A contains at most N transitions, any simple loop can be described according to this formula. Moreover, any assignment satisfying Loops ∧ Simple_Loop describes a simple loop in A. Similarly to the formula Reachablej, we require now that all processes reachable or co-reachable from j be assigned to true. This is guaranteed by Connectedj below.

$$ \mathit{Connected}_j \;=\; j \;\wedge\; \bigwedge_{s \to_\delta r} \big( (\delta \wedge s \to r) \wedge (\delta \wedge r \to s) \big) $$

Clearly, any process in the connected component of j within the communication graph of the selected transitions must be assigned to true in any satisfying assignment. It remains to require that i and j are active processes in the selected simple loop, but i is assigned to false. This means that i and j appear in the communication graph of the simple loop but they are not connected. This condition is formalized by Unconnectedi,j:

$$ \mathit{Unconnected}_{i,j} \;=\; \Big( \bigvee_{s \to_\delta j \ \text{or}\ j \to_\delta r} \delta \Big) \;\wedge\; \Big( \bigvee_{s \to_\delta i \ \text{or}\ i \to_\delta r} \delta \Big) \;\wedge\; \neg i $$

Theorem 3.2 The channel (i, j) is weakly-synchronized in A iff the boolean formula Φws(A, i, j) is not satisfiable.

It is sufficient to check the non-satisfiability of all formulae Φws(A, i, j), where i, j are two distinct processes, in order to decide that A is weakly-synchronized.

Remark 3.3 In order to check the weak synchronization of channel (i, j), it may be efficient to guide the SAT-solver somehow in the enumeration of all simple loops by fixing some transition δ° that must appear in the loop. Clearly, the problem remains co-NP-complete. Still, we can now simplify the formula Simple_Loop by requiring that δ° be the first transition in the loop, that is, that δ°1 be assigned to true. In this approach, one replaces |∆|²/2 formulae by |∆| trivial formulae. Furthermore,


if no counter-example is found by the solver, then one can remove δ° from A before pursuing the verification process. In that way all symmetries generated by Simple_Loop vanish. Another basic improvement (also valid for divergence) would be to compute first the strongly connected components of A and check each component separately.

As far as the strong-synchronization of an MSG is concerned, we can make use of Φdiv and Φws to check this property. However, it is easy and maybe more efficient to design a specific boolean formula for this property. Consider

Φss(A, i, j) = Loops ∧ Simple_Loop ∧ Reachablej ∧ Unconnectedi,j

This formula is satisfiable iff there exists a simple loop for which i and j are active and there is no path from j to i in its communication graph. This means precisely that (i, j) is not strongly-synchronized in A.

Theorem 3.4 The channel (i, j) is not strongly-synchronized in A iff at least one of the boolean formulae Φss(A, i, j) and Φss(A, j, i) is satisfiable.

3.3 Some experimental results

Lemma 2.4 established a linear reduction from the satisfiability of a boolean formula φ to the divergence of some channel in Adiv(φ). Thus any SAT problem can easily be encoded into a divergence problem. Conversely, Theorem 3.1 shows that checking the divergence of a channel (i, j) in some MSG A reduces simply to the satisfiability of Φdiv(A, i, j). Now for a given boolean formula φ we consider the time τ1(φ) needed by a SAT-solver to solve φ, and the time τ2(φ) needed by the same SAT-solver to solve the equivalent problem formalized by Φdiv(Adiv(φ), false, true). The ratio ρ(φ) = τ2(φ)/τ1(φ) represents, in some sense, the cost of using our approach to solve the satisfiability problem for φ. In order to evaluate this ratio, we considered a benchmark of about 2000 boolean formulae used for a competition of SAT-solvers in 2002, and we chose to use the SAT-solver minisat2. For practical reasons, we restricted our study to the problems that could be solved in less than 200 s on our computer (Intel Core 2 Quad Q6600, 2.4 GHz, 1 GB RAM). Surprisingly, we observed that the ratio is at most 3 for all problems with less than 700 clauses (Fig. 4). Considering larger problems with up to 150000 clauses, the ratio remained less than 220. Interestingly, we also tested minisat2 on random formulae and observed that the time needed seems to be polynomial both in the number of clauses (with at most 3 literals in each clause) and in the number of literals (for formulae with 5000 clauses).

MSCan is a tool dedicated to the verification of properties of MSGs [4]. The MSGs considered there are slightly different from ours because MSCs are carried by states, not by transitions. Given a boolean formula φ, we consider the MSG A′(φ) (in the MSCan format) with n + 1 states, where n is the sum of the number of literals in each clause. This MSG is equivalent to Aws(φ) in that Aws(φ) is weakly-synchronized iff A′(φ) is globally-cooperative.
By Lemma 2.5, this is also equivalent to the non-satisfiability of φ and the weak-synchronization of the channel (false, true) in Aws(φ). By Theorem 3.2 this is also equivalent to the non-satisfiability of Φws(Aws(φ), false, true). For a formula φ with x variables we consider first τ1(φ) = t × x², where t is the time used to check the non-satisfiability of Φws(Aws(φ), false, true) by some SAT-solver. The factor x² corresponds to the search for wrong loops among all channels. We consider also the time τ2(φ) needed for MSCan to decide whether A′(φ) is globally-cooperative. Then the ratio ρ(φ) = τ2(φ)/τ1(φ) represents in some way the speed-up obtained by using a SAT-solver instead of MSCan. Unfortunately, we were not able to evaluate this ratio for a significant number of formulae. The reason is that MSCan seems to be able to solve small problems only, whereas minisat2 is almost instantaneous on these problems. More precisely, as opposed to minisat2, the time needed by MSCan seems to be exponential both in the number of clauses and in the number of literals. This drawback might result from an algorithm that first searches for loops (with an exponential cost) and next computes the connected components of the corresponding communication graphs.

[Fig. 4. Ratio for divergence]

Conclusion

In this paper we have presented a way to use SAT-solvers for checking properties of MSGs such as divergence, weak-synchronization and strong-synchronization. In order to present and use rather simple formulae, we have rephrased these problems for a fixed channel. As explained in Remark 3.3, it is probably more efficient to also fix a transition (or even two) before calling the solver, in order to provide it with simpler formulae and to take advantage of intermediate answers. A similar approach should now be developed for local-synchronization and global-cooperativity (Remark 1.4). Our preliminary experimental results are rather encouraging. The cost of using this approach to solve SAT problems appears to be reasonable. We are at present trying to complete this study in order to confirm these surprisingly good figures by considering new benchmarks and random formulae. So far, our tests of MSCan were carried out by hand for each problem. We plan to automate this task in order to produce a more accurate comparison, too. Finally, we plan to compare our approach for checking divergence to the tool MESA [3].

Bibliography

[1] Rajeev Alur and Mihalis Yannakakis. Model checking of message sequence charts. In Jos C. M. Baeten and Sjouke Mauw, editors, CONCUR, volume 1664 of Lecture Notes in Computer Science, pages 114–129. Springer, 1999.
[2] Hanêne Ben-Abdallah and Stefan Leue. Syntactic detection of process divergence and non-local choice in message sequence charts. In Ed Brinksma, editor, TACAS, volume 1217 of Lecture Notes in Computer Science, pages 259–274. Springer, 1997.
[3] Hanêne Ben-Abdallah and Stefan Leue. MESA: Support for scenario-based design of concurrent systems. In Bernhard Steffen, editor, TACAS, volume 1384 of Lecture Notes in Computer Science, pages 118–135. Springer, 1998.
[4] Benedikt Bollig, Carsten Kern, Markus Schlütter, and Volker Stolz. MSCan - a tool for analyzing MSC specifications. In Holger Hermanns and Jens Palsberg, editors, TACAS, volume 3920 of Lecture Notes in Computer Science, pages 455–458. Springer, 2006.
[5] Benedikt Bollig and Martin Leucker. Message-passing automata are expressively equivalent to EMSO logic. Theor. Comput. Sci., 358(2-3):150–172, 2006.
[6] Blaise Genest, Dietrich Kuske, and Anca Muscholl. A Kleene theorem and model checking algorithms for existentially bounded communicating automata. Inf. Comput., 204(6):920–956, 2006.
[7] Blaise Genest, Anca Muscholl, Helmut Seidl, and Marc Zeitoun. Infinite-state high-level MSCs: Model-checking and realizability. J. Comput. Syst. Sci., 72(4):617–647, 2006.
[8] Jesper G. Henriksen, Madhavan Mukund, K. Narayan Kumar, Milind A. Sohoni, and P. S. Thiagarajan. A theory of regular MSC languages. Inf. Comput., 202(1):1–38, 2005.
[9] Gerard J. Holzmann. Early fault detection tools. In Tiziana Margaria and Bernhard Steffen, editors, TACAS, volume 1055 of Lecture Notes in Computer Science, pages 1–13. Springer, 1996.
[10] Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Commun. ACM, 21(7):558–565, 1978.
[11] Markus Lohrey and Anca Muscholl. Bounded MSC communication. Inf. Comput., 189(2):160–181, 2004.
[12] P. Madhusudan. Reasoning about sequential and branching behaviours of message sequence graphs. In Fernando Orejas, Paul G. Spirakis, and Jan van Leeuwen, editors, ICALP, volume 2076 of Lecture Notes in Computer Science, pages 809–820. Springer, 2001.
[13] Rémi Morin. Recognizable sets of message sequence charts. In Helmut Alt and Afonso Ferreira, editors, STACS, volume 2285 of Lecture Notes in Computer Science, pages 523–534. Springer, 2002.
[14] Anca Muscholl and Doron Peled. Message sequence graphs and decision problems on Mazurkiewicz traces. In Miroslaw Kutylowski, Leszek Pacholski, and Tomasz Wierzbicki, editors, MFCS, volume 1672 of Lecture Notes in Computer Science, pages 81–91. Springer, 1999.
[15] Robert Endre Tarjan. Depth-first search and linear graph algorithms. SIAM J. Comput., 1(2):146–160, 1972.

Appendix


A  Proof of Proposition 2.2

We proceed by contradiction and assume that $W_{P_1,P_2}(A) > n \times x$. This means that there exists some MSC $M = (E, \preccurlyeq, \xi)$ in $L(A)$ for which $W_{P_1,P_2}(M) > n \times x$. Then there is a linear extension $s = (E, \leqslant, \xi)$ of $M$ such that $\max_{t \leqslant s} \left(|t|_{P_1!P_2} - |t|_{P_2?P_1}\right) > n \times x$. We fix $s$ and a prefix $t \leqslant s$ for which the number of messages in transit within the channel $(P_1, P_2)$ is at least $n \times x + 1$. The MSC $M$ is the product of the MSCs carried by successive transitions of $A$ along a path which starts from the initial state. Since there are $n$ distinct send events labeled by $P_1!P_2$ in $A$, there are at least $x + 1$ messages in transit from $P_1$ to $P_2$ that correspond to the same message exchange in $A$, hence to the same transition $q \xrightarrow{N} q'$ of $A$. Thus we have

$$M = M_0 \cdot N_1 \cdot M_1 \cdot N_2 \cdot M_2 \cdots N_x \cdot M_x \cdot N_{x+1} \cdot M_{x+1}$$

where each $N_i$ corresponds to an occurrence of the transition $q \xrightarrow{N} q'$ and moreover $N$ shows a message exchange from $P_1$ to $P_2$. In particular for each $1 \leqslant i \leqslant x$, the product MSC $N_i \cdot M_i$ corresponds to a loop in $A$. Since the channel $(P_1, P_2)$ is non-divergent in $A$, all connected components of the communication graph of $N_i \cdot M_i$ are strongly connected. Therefore there exists a path $\gamma_i = P_2, Q_{i,1}, Q_{i,2}, \ldots, Q_{i,h_i}, P_1$ from $P_2$ to $P_1$ in the communication graph of $N_i \cdot M_i$. We denote by $s_i$ and $s'_i$ the sending and the receipt of a message exchange from $P_1$ to $P_2$ in $N_i$. We have $s_1 \prec s_2 \prec \cdots \prec s_{x+1}$, $s'_1 \prec s'_2 \prec \cdots \prec s'_{x+1}$, and moreover $s_{x+1} < s'_1$ since the messages sent by $s_1, s_2, \ldots, s_{x+1}$ are still in transit in $t$. We say that a process $Q$ is stuck in $N_i \cdot M_i$ if all events from $N_{i+1} \cdot M_{i+1} \cdots N_{x+1} \cdot M_{x+1}$ on process $Q$ occur strictly after $s_{x+1}$ along the linear extension $s$. For instance $P_2$ is stuck in $N_1 \cdot M_1$ because events on $P_2$ in $M_1 \cdot N_2 \cdot M_2 \cdots N_{x+1} \cdot M_{x+1}$ take place after $s'_1$, and this event occurs after $s_{x+1}$. Clearly, if $Q$ is stuck in $N_i \cdot M_i$, then it is also stuck in $N_j \cdot M_j$ whenever $i \leqslant j \leqslant x+1$. Note here that $P_1$ is not stuck in $N_x \cdot M_x$, otherwise $s_{x+1}$ would take place strictly after itself. The contradiction will result from the next observation: if a process $Q_{i+1,j}$ is stuck in $N_i \cdot M_i$ then $Q_{i+1,j+1}$ is stuck in $N_{i+1} \cdot M_{i+1}$, because $Q_{i+1,j+1}$ will wait for a message from $Q_{i+1,j}$ along the MSC $N_{i+1} \cdot M_{i+1}$, and this message will be delivered only after it is sent, that is, after $s_{x+1}$. We can check by an immediate induction that there are at least $i$ processes stuck in $N_i \cdot M_i$, for all $1 \leqslant i \leqslant x$. We have already noticed that $P_2$ is stuck in $N_1 \cdot M_1$. Assume now that there are $j$ processes stuck in $N_i \cdot M_i$, with $1 \leqslant i \leqslant j$ and $i < x$. Along the path $\gamma_{i+1} = P_2, Q_{i+1,1}, Q_{i+1,2}, \ldots, Q_{i+1,h_{i+1}}, P_1$ in the communication graph of $N_{i+1} \cdot M_{i+1}$, there exists some process stuck in $N_i \cdot M_i$ followed by some process that is not stuck in $N_i \cdot M_i$, because $P_2$ is stuck and $P_1$ is not. From the preceding remark, this latter process is stuck in $N_{i+1} \cdot M_{i+1}$. Consequently there are at least $j + 1$ processes stuck in $N_{i+1} \cdot M_{i+1}$, with $j + 1 \geqslant i + 1$. To conclude, all processes, including $P_1$, are stuck in $N_x \cdot M_x$. Contradiction.


B  About strong synchronization

Observe that the communication graph of any loop in $A_{div}(\varphi)$ is always connected because it contains an edge from false to true. Consequently $\varphi$ is satisfiable iff the channel (false, true) is not strongly-synchronized in $A_{div}(\varphi)$. However, in order to compare SAT-solvers to tools dedicated to the formal verification of MSGs, it is more convenient to translate a boolean formula into an MSG that is divergent (resp. strongly-synchronized) iff the formula is satisfiable. For that reason, replace now in the MSG $A_{div}(\varphi)$ the transition $C_i \xrightarrow{M} C_{i+1}$ of each literal of $C_i$ by a transition $C_i \xrightarrow{N} C_{i+1}$ where $N$ consists of two message exchanges back and forth between the two active processes of $M$. Let $A_{ss}(\varphi)$ be the resulting MSG. Then the communication graph of any (simple) loop in $A_{ss}(\varphi)$ is again connected because there is an edge from false to true. Moreover the two processes true and false are strongly connected in that directed graph iff all active processes are pairwise strongly connected. Note also that $A_{ss}(\varphi)$ is strongly-synchronized iff it is locally-synchronized (Rmk 1.4), because if there exists a loop whose communication graph is not strongly connected then there is a simple loop whose communication graph is not strongly connected either. The proof of Lemma 2.4 can be slightly adapted to establish the following fact.

Lemma B.1 Let $\varphi$ be a boolean formula. The six following conditions are equivalent:
(i) The formula $\varphi$ is satisfiable.
(ii) The channel (false, true) is divergent (resp. not strongly-synchronized) in $A_{ss}(\varphi)$.
(iii) The MSG $A_{ss}(\varphi)$ is divergent (resp. not strongly-synchronized).
(iv) The MSG $A_{ss}(\varphi)$ is not locally-synchronized (Rmk 1.4).

C  Proof of Theorem 3.1

Assume that (i, j) is divergent in A. There exists some simple loop γ whose communication graph contains an edge from i to j but no path from j to i. Assign true to all transitions of this loop and false to the others. Assign true to all processes reachable from j in the communication graph of γ, and false to the others. Then the resulting assignment satisfies Φ(A, i, j). Conversely assume that Φ(A, i, j) is satisfiable and consider some satisfying assignment. The subset of transitions assigned true forms a set of (disjoint) simple loops. Moreover the processes reachable from j in the communication graph of γ are assigned true, but i is assigned false: therefore there is no path from j to i. It follows that (i, j) is divergent in A. The proofs of Theorem 3.2 and Theorem 3.4 are similar.
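As an added example (not code from the paper), the characterization used in this proof run by brute force on a constructed three-state MSG: for a channel (i, j) it searches the simple loops whose communication graph has the edge i -> j but no path back from j to i, and returns that loop together with the processes reachable from j, which is the satisfying assignment of Φ(A, i, j) built above. The MSG encoding (state -> transitions labelled by their message exchanges) and the sample MSG are assumptions of this example.

```python
# Added example, not the paper's code: the divergence criterion from the
# proof of Theorem 3.1, checked by brute force on a constructed MSG.
def simple_loops(msg):
    """Simple loops of an MSG given as state -> [(target, [(sender, receiver)])].
    Each loop is found once: it starts at its smallest state, visits larger ones."""
    loops = []
    def dfs(start, cur, path):
        visited = {e[0] for e in path} | {cur}
        for tgt, msgs in msg.get(cur, []):
            edge = (cur, tgt, tuple(msgs))
            if tgt == start:
                loops.append(path + [edge])
            elif tgt > start and tgt not in visited:
                dfs(start, tgt, path + [edge])
    for s in msg:
        dfs(s, s, [])
    return loops

def communication_graph(loop):
    """Edges sender -> receiver of all message exchanges along the loop."""
    return {pair for _, _, msgs in loop for pair in msgs}

def reachable(edges, src):
    """Processes reachable from src in a communication graph."""
    seen, stack = {src}, [src]
    while stack:
        p = stack.pop()
        for a, b in edges:
            if a == p and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen

def divergent_witness(msg, i, j):
    """Loop with an edge i -> j but no path j -> i in its communication graph,
    plus the processes reachable from j (the Theorem 3.1 assignment), or None."""
    for loop in simple_loops(msg):
        edges = communication_graph(loop)
        if (i, j) in edges and i not in reachable(edges, j):
            return loop, reachable(edges, j)
    return None

def divergent_channels(msg):
    procs = {p for ts in msg.values() for _, msgs in ts for m in msgs for p in m}
    return sorted((i, j) for i in procs for j in procs
                  if i != j and divergent_witness(msg, i, j) is not None)

# Constructed MSG: loop 0-1-0 is balanced (P->Q, Q->P); loop 1-2-1 only sends from P.
MSG = {0: [(1, [("P", "Q")])],
       1: [(0, [("Q", "P")]), (2, [("P", "Q")])],
       2: [(1, [("P", "R")])]}
```

On this MSG the loop through states 1 and 2 lets P send without ever waiting for Q or R, so the channels (P, Q) and (P, R) are reported as divergent while (Q, P) is not.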

Fig. 5. Ratio for divergence for up to 150000 clauses