Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal property is true of every size instance of the system. We consider systems formed by a synchronous parallel composition of a single control process with an arbitrary number of homogeneous user processes, and show that the PMCP is decidable for properties expressed in an indexed propositional temporal logic. While the problem is in general PSPACE-complete, our initial experimental results indicate that the method is usable in practice.
1 Introduction
Systems with an arbitrary number of homogeneous processes occur in many contexts, especially in protocols for data communication, cache coherence, and classical synchronization problems. Current verification work on such systems has focussed mostly on verifying correctness for instances with a small number of processes. This does not indicate whether larger size instances are error-free, and so does not guarantee correctness in general. We are thus interested in methods that verify correctness for arbitrary size instances. Even though sometimes there is indeed a specific upper bound on the number of processes in a system, verifying such large size instances is intractable because of state explosion.
The general problem, then, is the Parameterized Model Checking Problem (PMCP): to determine whether a temporal property is true of every size instance of the system. This is known to be undecidable in general [AK 86, Su 88]; however, it is decidable algorithmically for restricted classes [GS 92, EN 95], and there are methods with some degree of automation [Lu 84, ShG 89, KM 89, WL 89, V 93, CGJ 95]. This previous work (with the exception of [KM 89]) was oriented toward asynchronous systems.
We propose a fully automated approach to the PMCP for synchronous systems. We consider synchronous systems with a unique control process and an arbitrary number of homogeneous user processes. Each system is thus parameterized by the number of user processes. The processes are specified by labeled transition graphs, in which guards on each transition check the state of the control process as well as certain conditions on the global state. The correctness properties are expressed in an indexed propositional branching temporal logic, and are of the following types:
This work was supported in part by NSF grant CCR 9415496 and SRC Contract 95-DP-388. The authors can be reached at {emerson, kedar}@cs.utexas.edu and at http://www.cs.utexas.edu/users/{emerson, kedar}.
1. Over the control process: formulae of the form Ah and Eh, where h is a linear-time formula with atomic propositions over control process states.
2. Over all user processes: ∧_i Ah(i) and ∧_i Eh(i), where h(i) is a linear-time formula with atomic propositions over control process states, and over user process states indexed with i.
3. Over every distinct pair of user processes: ∧_{i≠j} Ah(i, j) and ∧_{i≠j} Eh(i, j), where h(i, j) is a linear-time formula with atomic propositions over control process states, and over user process states indexed with either i or j.
We show that the PMCP for the first type of formulae is decidable for this class of systems, and is PSPACE-complete. This decidability result is based on constructing an abstract graph in which every computation of every size instance of the system is represented by some path in the graph. However, the abstract graph may have "bad" paths that do not correspond to computations of any size instance. The heart of the algorithm is a method for identifying good paths in the abstract graph. This algorithm can be implemented in space polynomial in the size of the control and user processes. We show by a generic reduction that the PMCP is PSPACE-hard. As a result of the symmetry inherent in the system, the PMCP for the other types of formulae reduces to the PMCP for the first type. We have implemented this algorithm in SMV [McM92] and used it to check correctness of a bus arbitration protocol. Our initial experimental results indicate that the algorithm should be useful in practice. Section 2 defines the system model and the logic used for expressing correctness properties. Section 3 describes the abstract graph representation, and Section 4 the algorithm for the PMCP for formulae of type (1). Section 5 shows the reduction of the PMCP for formulae of types (2) and (3) to the PMCP for formulae of type (1). Section 6 describes our implementation of the algorithm, and the application to the bus protocol. Section 7 concludes the paper with a discussion of related work.
2 The system model and logic
We refer to the collection of system instances formed by control process C and copies of a generic user process U as a (C, U) family. The control and user processes are specified as finite-state labeled transition graphs. We use the terms "process" and "labeled transition graph" interchangeably. For a process P, let S_P denote its set of states, R_P its transition relation, and ι_P its initial state. The system instance of size n is a synchronous parallel composition of C with n copies of process U, and is denoted as C ∥ U^n = C ∥ U_1 ∥ U_2 ∥ ... ∥ U_n. U_i is the ith copy of U, which is obtained from U by uniformly subscripting the states of U with i as shown in the example below. ... A transition in a process is said to be enabled in a global state iff the corresponding guard is true when evaluated in that global state. We write s ⊨ g iff guard g is true in the global state s. s ⊨ (∃i g(i)) iff for some k ∈ [1..n], g(k) is true given the propositions that hold at s(0) (the control state), and s(k) ... To make the correspondence between global states and abstract states precise, we define families of abstraction functions {φ_n}, {γ_n}, where φ_n : S_n → S_A, and γ_n : ...
Then (c, S) represents s ∈ G_n iff (c, S) = φ_n(s).
For a guard g, and state ( 
Proposition 1. For any n and any s ∈ G_n, if (c, S) = φ_n(s), then for every guard expression g, s ⊨ g iff (c, S) ⊩ g.
□
The set of transitions is defined as follows: a tuple ((c, S), X, (c', S')) ∈ R_A iff
1. ∃p: c →_p c' ∈ R_C ∧ (c, S) ⊩ p (a transition from c to c' is enabled for the control process),
2. ∀a, b: (a, b) ∈ X ⇒ a ∈ S ∧ b ∈ S' ∧ (∃q: a →_q b ∈ R_U ∧ (c, S) ⊩ q) (for every pair (a, b) in X, there is an enabled transition from a to b in the user process),
3. X is total on S, and X^{-1} is total on S' (every state in S has a successor in S', and every state in S' has a predecessor in S).

... It follows from Proposition 4 that if A satisfies a linear temporal formula over all paths, then so does every size instance of the family. However, if the formula is false for some path in A, it does not follow that it is false for some instance, as not every path in A arises from a corresponding path in some instance; those that do are called "good".
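As an added worked example (not code from the paper), the following Python enumerates R_A for a small constructed (C, U) family. Guards are modelled as predicates over the abstract state (c, S), which Proposition 1 justifies; the control process (idle/busy), the user process (n/t/c), and the guard shapes are assumptions of the example. Condition 3 is enforced by giving every a ∈ S a non-empty set of successors, and S' is taken to be the range of X, so that X^{-1} is total on S' by construction.

```python
from itertools import combinations, product

# Constructed (C, U) family, not taken from the paper: a bus-like control
# process C with states idle/busy and a user process U with states
# n (non-critical), t (trying), c (on the bus). Guards are predicates over
# the abstract state (c, S); by Proposition 1 that is all a guard can see.
# "exists i: U_i = t" becomes "'t' in S"; the everywhere condition
# "for all i: U_i != c" becomes "'c' not in S".
TRUE = lambda c, S: True
CONTROL = [  # (source, guard, target) entries of R_C
    ("idle", lambda c, S: "t" in S, "busy"),
    ("idle", TRUE, "idle"),
    ("busy", lambda c, S: "c" not in S, "idle"),
    ("busy", TRUE, "busy"),
]
USER = [  # (source, guard, target) entries of R_U
    ("n", TRUE, "n"),
    ("n", TRUE, "t"),
    ("t", TRUE, "t"),
    ("t", lambda c, S: c == "idle", "c"),
    ("c", TRUE, "n"),
]


def nonempty_subsets(items):
    items = sorted(items)
    for r in range(1, len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def abstract_successors(c, S, control=CONTROL, user=USER):
    """All (c', X, S') with ((c, S), X, (c', S')) in R_A, per conditions 1-3."""
    # Condition 1: an enabled control transition c -> c'.
    targets = [c2 for (c1, g, c2) in control if c1 == c and g(c, S)]
    # Condition 2: X may only contain enabled user transitions a -> b with a in S.
    per_source = []
    for a in sorted(S):
        enabled = {b for (a1, g, b) in user if a1 == a and g(c, S)}
        if not enabled:          # some user state is stuck: no synchronous step
            return set()
        # Condition 3 (X total on S): every a in S keeps at least one successor.
        per_source.append([frozenset((a, b) for b in sub)
                           for sub in nonempty_subsets(enabled)])
    result = set()
    for c2 in targets:
        for choice in product(*per_source):
            X = frozenset().union(*choice)
            # S' is the range of X, so X^-1 is total on S' automatically.
            S2 = frozenset(b for (_, b) in X)
            result.add((c2, X, S2))
    return result


def build_abstract_graph(init_c="idle", init_u="n", control=CONTROL, user=USER):
    """Explore abstract states from (init_c, {init_u});
    returns {(c, S): {(X, (c', S'))}}."""
    start = (init_c, frozenset({init_u}))
    graph, todo = {}, [start]
    while todo:
        c, S = todo.pop()
        if (c, S) in graph:
            continue
        graph[(c, S)] = set()
        for c2, X, S2 in abstract_successors(c, S, control, user):
            graph[(c, S)].add((X, (c2, S2)))
            todo.append((c2, S2))
    return graph


if __name__ == "__main__":
    for (c, S), edges in sorted(build_abstract_graph().items()):
        print(c, sorted(S), "->", len(edges), "abstract transitions")
```

The abstract graph is finite (at most |S_C| × 2^|S_U| states) regardless of n, which is what makes the PMCP decidable; the enumeration of X over subsets of enabled pairs is exponential in |S_U|, matching the complexity discussed in Section 4.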
Definition 5. A path ρ in A is good iff for some n there is a path σ in G_n such that γ_n(σ) = ρ. □
Definition 6. A path π in G_i covers a path σ in G_j (i ≥ j) iff γ_i(π) = γ_j(σ), and for every k ∈ N, a ∈ U, #a(π_k) ≥ #a(σ_k). ... It follows that φ_i(π_k) = φ_j(σ_k), and that #a(π_k) ≥ #a(σ_k) for all a ∈ U. To complete the proof, we need to show that ... Since (σ_k, σ_{k+1}) is a transition of G_n, there exist guards p, q_1, ..., q_n such that σ_k(0) →_p σ_{k+1}(0) ... is the last state in ρ', then (s, X, t) ∈ R_A. By inductive hypothesis, for some n', there is a path σ' in G_{n'} such that γ_{n'}(σ') = ρ'. Let r' be the last state in σ'.
For each a ∈ U, let m_a = |{b | (a, b) ∈ X}|. If for some a, m_a > #a(r'), one can construct a path covering σ' such that if u is the final state on that path, then m_a < #a(u). Repeating this construction for each user state a for which it is necessary, we obtain, for some n, a path σ in G_n such that σ covers σ', and for every a, m_a < #a(r), where r is the last state on σ.
As m_a < #a(r) for each a, one can associate at least one index i ∈ [1..n] with each pair (a, b) in X. For every pair (a, b) in X, there is an enabled transition from a to b in the user process. Thus, there is a state u ∈ G_n generated by performing the enabled transition from a_i to b_i in each process U_i where index i is associated with the pair (a, b), and the enabled transition for the control process. It is easy to verify that φ_n(u) = t, and hence σu is a path in G_n such that γ_n(σu) = ρ.
4 Verifying properties of the control process
The properties of the control process are of the form Ah or Eh, where h is a linear-time temporal formula with atomic propositions over the states of C. To model-check such a property, we follow the automata-theoretic approach of ...

Proof Suppose δ is an accepting good path in M. As δ is good, for some n there is a path in G_n that matches δ on the sequence of states of C, and is hence accepted by B. Therefore, Ah is false in G_n, and hence is not universal.
In the other direction, if Ah is not universal, then for some n there is a path σ in G_n from the initial state that is accepted by B. From Lemma 4, γ_n(σ) is a path in A, which is good by construction. The sequence of states of C in γ_n(σ) is the same as in σ, hence there is a run of B on γ_n(σ) that forms an accepting good path in M.
□ Intuitively, a cycle in M is good if, starting at some global state which maps to a state in the cycle, there is no transition in that cycle that causes the count of processes in a specific local state to be "drained" (i.e. decreased monotonically) as the sequence of transitions along the cycle is executed repeatedly. For example, a self-loop with the transition label {(a, b)} will decrease the count of processes in state a with every execution of the transition, while one with transition label {(a, b), (b, a)} may not. Notice that in the latter case, there is a cycle a → b → a in the transition label considered as a graph. This presence of cycles in the transition labels is the intuition behind the characterization of good cycles of M. To determine if such cycles are present, we resolve a cycle in M into a "threaded graph" (cf. [ES 95]) which shows explicitly which local user state in an abstract state is driven into which other local user state in the next abstract state. This information is obtained from the transition label. The threaded graph is defined below: ... A graph is isolated iff its edge set is empty. For any directed graph G, let maxscc(G) be the graph representing the decomposition of G into its maximal strongly connected components (sccs).
V(maxscc(G)) = { C | C is a maximal strongly connected component of G }
E(maxscc(G)) = { (C, D) | C ≠ D, and (s, t) ∈ E(G) for some s ∈ C, t ∈ D }
We refer to vertices of maxscc(G) as max-scc's. It is a fact that maxscc(G) is acyclic for any graph G.
A cycle δ is a good cycle in M iff maxscc(G_δ) is isolated.
Proof Sketch (LHS ⇒ RHS): Suppose that maxscc(G_δ) is not isolated but δ is good. Hence, there are max-scc's C and D such that some pair of vertices (x, i) in C and (y, j) in D is connected in G_δ. For any n, consider an infinite path σ in G_n such that γ_n(σ) = δ^ω. We say that a process with index l ∈ [1..n] and local state a_l is in component F at the kth state in σ iff (a, k) ∈ F.
Let m be the number of states in δ. Starting with the ith transition in σ, at every mth successive transition, at least one of the processes in C, say one with index l, must change its local state from x_l to y_l. Thus, the count of processes in components above D decreases at each such step. As the maxscc decomposition is acyclic, this number cannot increase. Thus, eventually, the number of processes in components above D must become negative, which is impossible as σ is infinite. Hence, δ is not good.
(RHS ⇒ LHS): Suppose that maxscc(G_δ) is isolated. For each max-scc of G_δ, construct a cycle in G_δ that includes each edge in that component at least once. For each a ∈ U, let m_a be the number of occurrences of the vertex (a, 1) in the set of cycles. Let n = Σ_{a∈U} m_a. We will construct a path σ in G_n such that γ_n(σ) = δ^ω. The idea behind the construction is to allot a set of processes for each constructed cycle, and to ensure that each transition of every process is along the cycle that it is allotted to.
The inductive assumption is that at the ith step (i < m), a path σ' has been constructed such that γ_n(σ') is the prefix of δ^ω up to the ith state, and if s is the last state of σ', then #a(s) is the number of occurrences of (a, i) in the set of constructed cycles. Hence, after m steps, the last state s_m is a permutation of the first state s_1. Repeating the construction at most n times produces a path σ with last state identical to s_1, and such that γ_n(σ) is a finite repetition of δ. Thus, γ_n(σ^ω) = δ^ω, and so δ is a good cycle.
□ For a finite path σ with m states in A define σ̄ to be the relation over S_U × S_U where (a, b) ∈ σ̄ iff there is a path from (a, 1) to (b, m) in G_σ. We say that relation R is cyclic iff for every edge in the graph of R, there is a cycle in the graph that includes that edge.
Lemma 13. For a cycle δ in M, maxscc(G_δ) is isolated iff δ̄ is cyclic.
□
... log(|S_C| |S_U|) + n). The algorithm uses space logarithmic in the size of M.
Proof By Theorem 14, a property Ah is not universal iff there is a finite path in M to a green state and a following cycle δ from that state such that δ̄ is cyclic. The algorithm "guesses" a path to a green state, and a cycle δ from it, recording only the current state of M, and ρ̄ for the prefix ρ of δ that has been examined. As the relation of the extended path σ; X; s equals σ̄ ∘ X, σ̄ can be computed incrementally.
Recording a state of M takes space (log(|S_C| |S_B|) + |S_U|). Computing a successor state can be done in space proportional to (log|S_C| + log|S_B| + log|S_U| + L) (as this requires checking if (c, S) ⊩ p for guards p). Storing ρ̄ takes space |S_U|^2, and checking if δ̄ is cyclic can be done within the same space bound. Thus, the overall space usage is O(...).
Remark. There are two special cases where the algorithm can be optimized. If the user processes are deterministic, every cycle δ in A is good (as G_δ must be isolated). If the correctness property is a safety property, the algorithm need check only finite accepting paths, which are good by Lemma 8. In both cases, the check for good cycles can be eliminated, which is a substantial saving.
□ A reduction from a generic PSPACE Turing Machine shows that checking if AG¬accept is not universal is PSPACE-hard.
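Lemma 13 and the incremental computation of σ̄ in the proof of Theorem 15 can be exercised directly. The Python below is an added example, not the paper's implementation: it composes the labels X_0, ..., X_{m-1} of a cycle left to right (σ̄ ∘ X read as "first σ̄, then X"), tests whether every edge of the resulting relation lies on a cycle, and, for a bad cycle, reports the sets of user states whose process count is drained on every round, following the LHS ⇒ RHS argument above. The sample cycles, including the two self-loops discussed above, are constructed for the example.

```python
# Constructed example, not the paper's code: a cycle of the abstract graph is
# given by the sequence of its transition labels X_0, ..., X_{m-1}, each a set
# of (a, b) pairs over user states.


def compose(r1, r2):
    """Relational composition r1 followed by r2: (a, c) iff a r1 b and b r2 c."""
    return frozenset((a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2)


def cycle_relation(labels):
    """The relation of the cycle: (a, b) iff a thread runs from (a, 1) to
    (b, m) in the threaded graph. Built label by label, as in the proof of
    Theorem 15, so only the running relation needs to be stored."""
    rel = None
    for X in labels:
        X = frozenset(X)
        rel = X if rel is None else compose(rel, X)
    return rel


def reaches(rel, src, dst):
    """Is dst reachable from src (zero or more edges) in the graph of rel?"""
    stack, seen = [src], set()
    while stack:
        v = stack.pop()
        if v == dst:
            return True
        if v in seen:
            continue
        seen.add(v)
        stack.extend(b for (a, b) in rel if a == v)
    return False


def is_cyclic(rel):
    """Edge (a, b) lies on a cycle iff a is reachable from b."""
    return all(reaches(rel, b, a) for (a, b) in rel)


def is_good_cycle(labels):
    """Lemma 13: the cycle is good iff its relation is cyclic."""
    return is_cyclic(cycle_relation(labels))


def draining_sets(labels):
    """For each edge (a, b) of the cycle relation that is on no cycle, the set
    of user states from which a is reachable. No process can enter that set
    (any entering state would also reach a) and at least one process leaves it
    via (a, b) on every round, so its process count strictly decreases; this is
    the counting argument of the LHS => RHS direction."""
    rel = cycle_relation(labels)
    states = {x for edge in rel for x in edge}
    return {frozenset(x for x in states if reaches(rel, x, a))
            for (a, b) in rel if not reaches(rel, b, a)}


# Constructed sample cycles (the two self-loops are the ones discussed above).
SELF_LOOP_DRAIN = [{("a", "b")}]
SELF_LOOP_SWAP = [{("a", "b"), ("b", "a")}]
ROTATE_3 = [  # three labels, none cyclic on its own, but the composition is
    {("a", "b"), ("b", "c")},
    {("b", "c"), ("c", "a")},
    {("c", "a"), ("a", "b")},
]

if __name__ == "__main__":
    for name, cyc in [("drain", SELF_LOOP_DRAIN), ("swap", SELF_LOOP_SWAP),
                      ("rotate", ROTATE_3)]:
        print(name, "good" if is_good_cycle(cyc) else "bad",
              sorted(cycle_relation(cyc)), draining_sets(cyc))
```

ROTATE_3 shows why the composed relation, and not the individual labels, is the right object: each label alone is acyclic as a graph, yet every process returns to its starting state after three rounds, so the cycle is good.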
Theorem 16. Deciding if a property over computations of C is not universal is PSPACE-complete.

Corollary 17. Deciding if a property over computations of C is universal is PSPACE-complete.
The algorithm given above for determining if a property is not universal is nondeterministic and uses polynomial space. So, using Savitch's construction, there is a deterministic algorithm with time complexity O(2^{k(|S_U|^2 + ...)}) for some k. We present a "natural" deterministic algorithm with the same worst case time complexity in |S_U|. Let K = |S_M| × 2^{|S_U|^2}. The algorithm follows from this observation:
Proposition 18. If ρ is a finite path in M from s to t of length greater than K, then there is a path δ from s to t in M of length at most K such that δ̄ = ρ̄.
Proof Define an equivalence relation on states s_i of ρ by s_i ≡ s_j iff s_i = s_j and the composed relations X_0 ∘ X_1 ∘ ... of the prefixes up to s_i and up to s_j are equal. Clearly there are at most K equivalence classes. So if the length of ρ is greater than K, there must be distinct indices i and j such that s_i ≡ s_j. Assume that i < j. Then the path ρ' formed by appending the suffix from s_j to the prefix up to s_i is a path in M that is shorter than the path ρ, and is such that ρ̄' = ρ̄. Repeating this construction a finite number of times produces a path δ with the desired properties.
□ Theorem 19. There is a deterministic algorithm to determine if a property is not universal with exponential worst case time complexity in |S_U|.
Proof Sketch From Proposition 18, it suffices to look for cycles (in Theorem 14) of length at most K. This can be done using an iterative squaring of the transition relation of M, with overall time complexity exponential in |S_U|.
5 Symmetry reduction
Let π be a permutation over the set {0...n} that fixes 0. For a state s = (c, u_1, ..., v_n) in G_n, the permuted state π(s) is defined by (π(s))(i) = a_i iff s(π^{-1}(i)) = a_{π^{-1}(i)}, for i ∈ [0..n]. For example, the state (c, u_1, v_2, w_3) under the permutation π = {(1 → 2), (2 → 3), (3 → 1)} becomes (c, w_1, u_2, v_3). As φ_n(s) = φ_n(π(s)) from Proposition 1, the truth value of any guard is the same in both s and π(s). Hence there is complete symmetry among the user processes in any size instance of a (C, U) family, and the PMCP for formulae of type (2) ...

We have implemented this algorithm to verify a bus arbitration protocol based on the SAE J1850 draft standard [SAE 92] for automobile applications. This is a protocol where many microcontrollers can transmit symbols along a shared single-wire bus in a car. As a consequence of this restriction, symbols are encoded by the width of a pulse. Nodes on the bus may begin transmitting different messages simultaneously; only the node with the highest priority message should complete transmission after the arbitration process. Symbol 0 has priority over symbol 1, and priority between messages over the alphabet {0, 1} is determined lexicographically. The microcontrollers are modeled as user processes, and the bus as the control process. The property which we have verified, using the result in Theorem 23, is that whenever two users begin simultaneous transmission of symbols 0 and 1 respectively, the user transmitting 1 continues transmission unless it loses arbitration. Hence, messages with lower priority cannot prevail over higher priority messages. We implemented the algorithm by generating SMV [McM92] code to describe the abstract process transitions, given a description of the next-state relation of the user and control processes. Since the correctness property is a safety property, we were able to simplify the implementation as described following Theorem 15. Each user process has about 50 states, while the control process together with the automaton for the property has about 400 states. Verification took less than a minute on a SPARC 5. We emphasize that this establishes correctness of the bus protocol for an arbitrary number of attached microcontrollers.
... that if, for some k, C ∥ U ∥ A is appropriately bisimilar to C ∥ U ∥ A, then it suffices to model check instances of size at most k to solve the PMCP. However, they do not show that such a cutoff k always exists, and their method is not guaranteed to be complete. Pong and Dubois [PD 95] propose a similar abstract graph construction for verification of safety properties of cache coherence protocols. They consider a synchronous model with broadcast actions. Although sound for verification, their method appears to be incomplete. Lubachevsky [Lu 84] makes an interesting early report of the use of an abstract graph similar to a "region graph" for parameterized asynchronous programs using Fetch-and-Add primitives; however, while it caters for (partial) automation, the completeness of the method is not established and it is not clear that it can be made fully automatic.
Our approach, in contrast, is a fully automated, sound and complete one (i.e., it always generates a correct "yes" or "no" answer to the PMCP). Another such approach appears in [GS 92]. They also consider systems with a single control process and an arbitrary number of user processes, but with asynchronous CCS-type interactions. Unfortunately, their algorithm has exponential space (double exponential time) worst case complexity.
Our framework thus differs from [GS 92] in these significant respects: (a) the parallel composition operator is synchronous; (b) we permit guards testing "everywhere" conditions (i.e., of the form ∀i g(i)); (c) it is more tractable (PSPACE vs. EXPSPACE). Partial synchrony can also be handled in our framework. These factors permit us to represent a wider range of concurrent systems. For example, the bus protocol described in Section 6 relies on the ability to test everywhere conditions, which are not permitted in [GS 92]. There is a noteworthy limitation in the modeling power of our present framework. Because of the covering lemma (Lemma 7), an algorithm for mutual exclusion cannot be implemented in our model (cf. the control process-free model of [GS 92]), even with the control process. We suspect it is possible to overcome this restriction, and are working on it.
Finally, it is interesting to note that we can show that for fully asynchronous computation (interleaving semantics), the PMCP for our model becomes undecidable. This is shown by a simple simulation of a two counter machine by a (C, U) family. Essentially, the zero-test of a two counter machine can be expressed as an everywhere condition, and increments can be encoded because precisely one process fires at each step in the computation.
