Model-checking Inherently Fair Linear-time Properties

⋆

Thierry Nicola, Frank Nießner and Ulrich Ultes-Nitsche

telecommunications, networks & security Research Group

Department of Computer Science, University of Fribourg

Chemin du Mus

´

ee 3, 1700 Fribourg, Switzerland

Abstract. The concept of linear-time veriﬁcation with an inherent fairness con-

dition has been studied under the names approximate satisfaction, satisfaction up

to liveness, and satisfaction within fairness in several publications. Even though

proving the general applicability of the approach, reasonably efﬁcient algorithms

for inherently fair linear-timeveriﬁcation (IFLTV) are lacking. This paper bridges

the gap between the theoretical foundation of IFLTV and its practical application,

presenting a model-checking algorithm based on a structural analysis of the syn-

chronous product of the system and property (B

¨

uchi) automata.

1 Introduction

To be able to verify liveness properties of a system [1], it is almost always necessary

to include a fairness hypothesis in the system description [3]. Indeed, introducing a

fairness hypothesis makes it possible to ignore behaviors that correspond to extreme

execution scenarios and that, in any case, would not occur in any reasonable implemen-

tation. Even though this intuition is clear, making fairness precise is somewhat more

complicated: should one be “weakly” or “strongly” fair, “transition” or “process” fair,

or isn’t “justice” or even “compassion” what fairness should really be [6]? Intuitively,

the notion to be formalized is that of a property being true provided one is given “some

control” over the choices made during inﬁnite executions. In other words, one wants to

characterize the properties that can be made true by “some fair implementation” of the

system.

Such a characterization has been given in previous years, leading to the exploring

linear-time veriﬁcation with an inherent fairness condition. Inherently fair linear-time

veriﬁcation (IFLTV) has been studied under the name approximate satisfaction [10],

satisfaction up to liveness [11], and satisfaction within fairness [12, 14,15]. All men-

tioned papers deal with the general concept of IFLTV [11] as well as the relation of

IFTLV to abstraction [10, 11] and partial-order methods [4, 16], and the combination

of the two state-space reduction techniques [15]. What has not yet been considered is

the actual implementation of IFLTV by means of a reasonably efﬁcient model-checking

algorithm. Here, ”reasonably efﬁcient“ refers to algorithms behaving not too badly on

⋆

Supported by the Swiss National Science Foundation under grant number 200021-103985/1

and by the Hasler Foundation under grant number 1922.

Nicola T., Nießner F. and Ultes-Nitsche U. (2005).

Model-checking Inherently Fair Linear-time Properties.

In Proceedings of the 3rd International Workshop on Modelling, Simulation, Veriﬁcation and Validation of Enterprise Information Systems, pages 3-8

DOI: 10.5220/0002574300030008

Copyright

c

SciTePress

practical examples, since the general model-checking problem is PSPACE-complete

[11].

In this paper, we present a model-checking algorithm for IFLTV based on a struc-

tural analysis of the synchronous product of the two B

¨

uchi automata representing sys-

tem and property respectively. The system will always be represented by a labeled tran-

sition system (deterministic B

¨

uchi automaton in which all states are accepting) where

the property, in the most general case, will require a non-deterministic B

¨

uchi automaton

to represent it. We will start with the case in which the property automaton is determinis-

tic, and develop the IFLTV model-checking algorithm for this case. Deterministic B

¨

uchi

automata cover already all safety and many liveness properties [1,7]. We will then dis-

cuss how to extend the result for the deterministic case to inherently non-deterministic

properties. Finally we will comment on the additional effort of IFLTV of inherently

non-deterministic properties.

2 Motivation

The motivation for IFLTV is twofold: ﬁrst, IFLTV possesses an inherent fairness con-

dition, and second, IFLTV related to observable differences in system behavior.

2.1 Inherent Fairness

Consider the following “telecommunications” system: two users of the system may call

one another; if the called user is not busy, the call will reach her/him; otherwise the

call is rejected. A calling user has no control of whether the called user is engaged in

another call (busy) or not. Such a system is normally modeled by a nondeterministic

choice: whenever a user attempts to call another user, the system model decides non-

deterministically whether the called user is busy or not. In such a scenario, there exists

the extreme execution in which, whenever a user is called, the user is busy. Such exe-

cutions are normally ignored by using an explicit fairness assumption [3] restricting the

allowed executions of the system. Applying IFLTV frees one from the need of ﬁnding

an explicit fairness restriction on the system model by having a fairness assumption

inherent in its deﬁnition.

2.2 Observability

Assume two systems, both randomly selecting initially an unbounded positive integer

n. The ﬁrst system will operate n steps and then stop. The second system will either

operate n steps and stop, or decide nondeterministically to operate forever. An outside

observer will never be able to distinguish the two systems: if a system has stopped,

it may be either system; if it has not stopped, it may again be either system. Only

inﬁnite observations could distinguish the two systems which is apparently practically

impossible. So, system one is as good as system two from that point of view. Linear-time

veriﬁcation, however, distinguishes the two systems as one system does not satisfy the

property “performing only ﬁnitely many operations” where the other one does. IFLTV

is as powerful as linear-time veriﬁcation, but insensitive to differences requiring inﬁnite

observations. We therefore consider IFLTV the more practical veriﬁcation technique.

4

3 Preliminaries

The behavior of a distributed system is a set of inﬁnitely long sequences of actions from

a ﬁnite set Σ of actions. Thus behaviors are ω-languages on Σ. Since each (inﬁnite)

behavior is the inﬁnite continuation of ﬁnite behaviors of the distributed system, and

since each preﬁx of a ﬁnite behavior is itself a ﬁnite behavior of the system, the set of

behaviors of a distributed system is the Eilenberg-limit [2] of a preﬁx-closed language.

1

Let Σ

∗

be the set of all ﬁnitely long sequences on Σ, let Σ

ω

be the set of all

inﬁnitely long sequences, and let Σ

∞

= Σ

∗

∪ Σ

ω

. Let L ⊆ Σ

∗

.

– pre(M) = {v ∈ Σ

∗

| ∃x ∈ Σ

∞

: vx ∈ M } is the set of all ﬁnite preﬁxes of

M ⊆ Σ

∞

. Then pre(x) = pre({x}) is that of x ∈ Σ

∞

.

– L is preﬁx-closed if and only if pre(L) = L.

– lim(L) = {x ∈ Σ

ω

| ∃

∞

w ∈ pre(x) : w ∈ L} is the Eilenberg-limit of language

L [2,13].

2

– A property P on Σ is a subset of Σ

ω

. Behaviour lim(L) satisﬁes property P (writ-

ten: “lim(L) P ”) if and only if lim(L) ⊆ P [1].

– cont(w, M ) = {v ∈ Σ

∞

| wv ∈ M} is the leftquotient of M ⊆ Σ

∞

by w ∈ Σ

∗

.

To introduce an implicit fairness assumption into the satisfaction relation, relative

liveness properties [5, 11] are deﬁned as a satisfaction relation of properties [10, 11].

This satisfaction relation is called inherently fair linear-time veriﬁcation (IFLTV) rela-

tion in this paper. There are three different ways of deﬁning IFLTV. Two are important

regarding this paper and are presented subsequently:

1. lim(L) satisﬁes inherently fair P ⊆ Σ

ω

(written: “lim(L) P ”) if and only if

∀w ∈ pre(lim(L)) : ∃x ∈ cont(w, lim(L)) : wx ∈ P .

2. lim(L) P if and only if pre(lim(L)) = pre(lim(L) ∩ P ).

From the second deﬁnition it follows that we can check the IFLTV relation by exam-

ining the automaton representing lim(L)∩P . Since pre(lim(L)) ⊇ pre(lim(L)∩P is

always true, we only have to ﬁnd a condition ensuring pre(lim(L)) ⊆ pre(lim(L)∩P .

Will we examine this condition subsequently for the case in which P is represented by

a deterministic B

¨

uchi automaton. We use B as a shorthand for behavior lim(L), which

is always deterministic.

We construct subsequently the automaton A

B∩P

representing the intersection of

behavior and property (the so-called synchronous product automaton) for the case of

deterministic P . This yields an IFLTV model-checking algorithm for the deterministic

case.

1

It is important to note that dealing only with languages is not a restriction since ﬁnite au-

tomata can completely (including state information) be encoded by their local languages [2]

(the languages over transition triples (state, event, successorstate)).

2

Read “∃

∞

... : ...” as “there exist inﬁnitely many different ... such that ...”.

5

4 Construction of A

B∩P

It must be guaranteed during construction of the product automaton that B P re-

mains valid. It is necessary to modify the classic algorithm of the synchronous product

construction. The additional feature ensures that the result automaton does not violate

B P , or if it does that it is detected. Let A

B

= (Q

B

, Σ, q

0

, F

B

, ∆

B

) the automaton

representing the behaviour and A

P

= (Q

P

, Σ, p

0

, F

P

, ∆

P

) the one of the properties.

The construction creates ﬁrst the new initial state (q

0

, p

0

) of the product automaton

A

B∩P

. Then for every transition (q

0

, a, q

i

) ∈ ∆

B

, where q

0

is the initial state, a ∈ Σ

and q

i

∈ Q

B

, there must be a transition (p

0

, a, p

j

) ∈ ∆

P

, where p

0

the initial state of

A

P

, a ∈ Σ and p

j

∈ Q

P

. If that does not hold, we abort, because B 6 P . Otherwise

we add the state (q

i

, p

j

) and the transition ((q

0

, p

0

), a, (q

i

, p

j

)) to A

B∩P

.

We continue that process of adding new states and transitions until the product au-

tomaton A

B∩P

is complete (no more states and transistions can be added), or we have

found that for a state (q, p) in A

B∩P

, there is a transition (q, a, q

′

) ∈ ∆

B

without a

matching transition (p, a, p

′

) ∈ ∆

P

. The accepting states (q, p) in A

B∩P

are those

where q is an accepting state of A

B

and p is an accepting state of A

P

.

Only if the above construction could be completed, B 6 P potentially holds true

and we have to continue exploring the graph structure of A

B∩P

.

5 Model Checking IFLTV by Exploring Strongly Connected

Components of A

B∩P

Our algorithm is based on a structural analysis of the graph representing A

B∩P

. We

partition the graph into its maximal Strongly Connected Components and Strongly Con-

nected Bottom Components:

– A strongly connected component (SCC) is a set of nodes of a graph such that for

any two nodes v

1

and v

2

in the SCC are paths from v

1

to v

2

and vice versa.

– An SCC is maximal if and only if by adding any addition node to the SCC, the

resulting set of nodes is not an SCC anymore.

– A strongly connected bottom component (SCBC) is an SCC such that no node out-

side the SCBC can reached from nodes within the SCBC. Note that SCBC are

always maximal.

The model-checking algorithm that we aiming at can now be stated by the following

theorem:

Theorem 1. B P if and only if A

B∩P

can be constructed as described in the previ-

ous section and all SCBC of A

B∩P

contain at least one accepting state.

Proof. ’⇒’: We assume that if A

B∩P

cannot be constructed as deﬁned in the previous

chapter or it contains at least one SCBC without any accepting state, then B 6 P :

Let (q, p) be a state produced during the construction of A

B∩P

which causes the

construction to stop. Then there is a transition (q, a, q

′

) in A

B

without a matching

transition (p, a, p

′

) in A

P

. Let w be a string along a path from (q

0

, p

0

) to (q, p) in

6

the partially constructed A

B∩P

. Then wa is in pre(B) but not in pre(B ∩ P ). Hence

B 6 P .

If the construction of A

B∩P

completed, but it contains an SCBC without accepting

states, then let w be a string along a path in A

B∩P

leading into that SCBC. Then w is

in pre(B) but not in pre(B ∩ P ). Hence B 6 P .

’⇐’: We assume B 6 P and show that either A

B∩P

cannot be constructed as

deﬁned in the previous chapter or it contains at least one SCBC without any accepting

state:

If B 6 P then there exists a string w which is in pre(B) but not in pre(B ∩ P ).

Hence w either does not exist along a path from the initial state in A

B∩P

at all — then

the construction of A

B∩P

did not complete — or w cannot be continued within A

B∩P

to reach inﬁnitely often an accepting state — which implies that there is an SCBC

without accepting states in which continuing w is trapped. ⊓⊔

6 The Non-deterministic Case

As in general, there exist properties requiring non-deterministic B

¨

uchi automata to rep-

resent them, the model checking algorithm resulting from the previous section does not

cover all cases. It seems to be likely that the loss of information when determinising

A

B∩P

is insigniﬁcant with respect to IFLTV, i.e. we probably can determinise A

B∩P

and then decide B 6 P as presented in the previous section. This is, however, only a

conjecture that we have not proved yet.

7 Conclusion

We presented a model-checking procedure for inherently fair linear-time veriﬁcation

(IFLTV) based on an analysis of strongly connected components in the synchronous

product automaton for the behavior and property. We could show that model checking

with repsect to IFLTV can, in the case in which the property can be represented by a

deterministic B

¨

uchi automaton, be reduced to checking that constructing the synchro-

nous product automaton does not ignore any transitions present in the automaton of the

behavior, and that the product automaton does not contain strongly connected bottom

components without accepting states.

For the case of non-deterministic B

¨

uchi properties we conjectured that the con-

struction should be similar — however, a proof of this conjecture is part of future work.

Additional future work will be experiments with an implementation of the discussed

algorithm.

References

1. B. Alpern and F. B. Schneider. Deﬁning liveness. Information Processing Letters, 21(4):181–

185, October 1985.

2. S. Eilenberg. Automata, Languages and Machines, volume A. Academic Press, New York,

1974.

7

3. N. Francez. Fairness. Springer Verlag, New York, ﬁrst edition, 1986.

4. P. Godefroid and P. Wolper. Using partial orders for the efﬁcient veriﬁcation of deadlock

freedom and safety properties. Formal Methods in System Design, 2(2):149–164, April 1993.

5. T. A. Henzinger. Sooner is safer than later. Information Processing Letters, 43:135–141,

1992.

6. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems—

Speciﬁcation. Springer Verlag, New York, ﬁrst edition, 1992.

7. F. Nießner, U. Nitsche, and P. Ochsenschl

¨

ager. Deterministic ω-regular liveness properties.

In S. Bozapalidis, editor, Proceedings of the 3rd International Conference on Developments

in Language Theory (DLT’97), pages 237–247, Thessaloniki, Greece, 1998.

8. U. Nitsche. Application of formal veriﬁcation and behaviour abstraction to the service in-

teraction problem in intelligent networks. Journal of Systems and Software, 40(3):227–248,

March 1998.

9. U. Nitsche. Veriﬁcation of Co-Operating Systems and Behaviour Abstraction, volume 7 of

GMD Research Series. GMD, Sankt Augustin, Germany, 1998. Publication of PhD thesis.

ISBN: 3-88457-331-4.

10. U. Nitsche and P. Ochsenschl

¨

ager. Approximately satisﬁed properties of systems and simple

language homomorphisms. Information Processing Letters, 60:201–206, 1996.

11. U. Nitsche and P. Wolper. Relative liveness and behavior abstraction (extended abstract).

In Proceedings of the 16th ACM Symposium on Principles of Distributed Computing

(PODC’97), pages 45–52, Santa Barbara, CA, 1997.

12. S. St James and U. Ultes-Nitsche. Computing property-preserving behaviour abstractions

from trace reductions. In Proceedings of the 20th Annual ACM Symposium on Principles of

Distributed Computing (PODC 2001), pages 238–245. ACM Press, August 2001.

13. W. Thomas. Automata on inﬁnite objects. In J. van Leeuwen, editor, Formal Models and Se-

mantics, volume B of Handbook of Theoretical Computer Science, pages 133–191. Elsevier,

1990.

14. U. Ultes-Nitsche and S. St James. Testing liveness properties: Approximating liveness prop-

erties by safety properties. In M. Kim, B. Chin, S. Kang, and D. Lee, editors, Formal Tech-

niques for Networked and Distributed Systems, FORTE 2001, IFIP TC6/WG6.1 - 21

st

Inter-

national Conference on Formal Techniques for Networked and Distributed Systems, August

28-31, 2001, Cheju Island, Korea, volume 197 of IFIP Conference Proceedings, pages 369–

376. Kluwer, 2001.

15. U. Ultes-Nitsche and S. St James. Improved veriﬁcation of linear-time properties within fair-

ness – weakly continuation-closed behaviour abstractions computed from trace reductions.

Software Testing, Veriﬁcation and Reliability (STVR), pages 241–255, 2003.

16. P. Wolper and P. Godefroid. Partial-order methods for temporal veriﬁcation. In E. Best,

editor, CONCUR’93, volume 715 of Lecture Notes in Computer Science, pages 233–246.

Springer Verlag, 1993.

8