In this paper, the notion of fair reachability is generalized to cyclic protocols with $n \ge 2$ machines. Substantial state reduction can be achieved via fair progress state exploration. It is shown that the fair reachable state space is exactly the set of reachable states with equal channel length. As a result, deadlock detection is decidable for $\mathcal{P}$, the class of cyclic protocols whose fair reachable state spaces are finite. The concept of simultaneous unboundedness is defined and the lack of it is shown to be a necessary and sufficient condition for a protocol to be in $\mathcal{P}$. Through finite extension of the fair reachable state space, it is also shown that detection of unspecified receptions, unboundedness, and nonexecutable transitions are all decidable for $\mathcal{P}$. Furthermore, it is shown that any protocol $P$ is logically correct if and only if there is no logical error in its fair reachable state space. This study shows that for the class $\mathcal{P}$, our generalized fair reachability analysis technique not only achieves substantial state reduction but also maintains very competitive logical error coverage. Therefore, it is a very useful technique to prove logical correctness for a wide variety of cyclic protocols.
Introduction
One of the most popular models for protocol specification and validation is the communicating finite state machine model. In this model, processes are modeled as finite state machines communicating with each other via FIFO channels. Reachability analysis can be employed to systematically explore the entire protocol state space to validate the logical correctness of a protocol against some common errors, such as deadlocks, unspecified receptions, unboundedness, and nonexecutable transitions. However, for general protocols, finding out whether a logical error exists is not always decidable [1]. Furthermore, even when decidability is ensured, the explosion of the state space during reachability analysis renders its use impractical for most real-world protocols. As a result, much of the research has been devoted to identifying classes of protocols with decidable logical errors and devising state reduction techniques to overcome the state explosion problem during state space exploration. For a survey of these methods, please refer to [17].
Fair reachability analysis was proposed as one of the improved reachability analysis techniques for protocols with two machines [16, 5]. In fair reachability analysis, the two machines are forced to make progress at the same time whenever possible. State reduction is achieved by generating only those fair progress states. More importantly, if the reduced state space is finite, the logical correctness of a protocol can be decided, although in some cases finite extension of the reduced state space is necessary [5]. However, the concept of fair reachability and its effectiveness for general protocols with more than two machines have not yet been studied. To fill this gap, we investigate the generalization of this technique to cyclic protocols with $n \ge 2$ machines. Through this study, its effectiveness for cyclic protocol validation is shown.
The rest of the paper is organized as follows. In the following section, we briefly review previous research on fair reachability analysis and cyclic protocols, and highlight the results presented in this paper. Then the communicating finite state machine model is introduced. In Section 4, we generalize the fair reachability notion for cyclic protocols and study the basic properties of the fair reachable state space. It is shown that for the class of cyclic protocols with finite fair reachable state spaces, deadlock detection is decidable; however, for detection of other logical errors, the fair reachable state space is not sufficient. In Section 5, we show how finite extension can be performed on a finite fair reachable state space so that logical errors other than deadlock can be detected effectively and efficiently. We summarize the paper with open problems in Section 6. The proofs of some lemmas and theorems in this paper are given in the appendix.
Previous Work
Fair reachability analysis was proposed as a strategy for reducing state explosion during validation of protocols modeled as two communicating finite state machines. Rubin and West first observed the redundancy of state exploration in reachability analysis due to equivalent sequences of interleaving transitions [16]. Based on this observation, they proposed a canonical sequence technique that forces the two machines to progress at the same speed during state exploration. They reported a large percentage reduction in state generation when this technique was incorporated into reachability analysis. In [5], Gouda and Han named this technique fair reachability analysis. For protocols whose fair reachable state spaces are finite, detection of deadlock and unspecified reception were shown to be decidable in [16], while detection of boundedness was proved to be decidable in [5]. Gouda et al. also showed that if one of the channels is bounded, then the protocol has a finite fair reachable state space [4].
Recently, Cacciari and Rafiq extended the above idea to protocols with "internal" transitions using a technique called reduced reachability analysis [2]. In their approach, two machines are allowed to proceed at the same time only if the parallelwise condition is satisfied. They showed that detection of deadlock and unspecified reception are decidable for protocols whose reduced reachable state spaces are finite. However, it is not clear under what conditions a protocol can have a finite reduced reachable state space.
One important aspect of fair reachability analysis is that in each fair reachable state, the lengths of all channels are equal [16, 4]. We call this property the equal channel length property of the fair reachable state space. A reduced reachable state space generated in [2] does not always have this property. This is, we feel, one of the major reasons that makes it more difficult to find a (sufficient) condition for the class of protocols with finite reduced reachable state spaces.
Fair reachability analysis is of importance not only because it can reduce the number of global states explored, but also because it has the capability to handle some protocols with unbounded channels [5]. Although in [16] the authors claimed to extend this technique to protocols with $n \ge 2$ communicating finite state machines, so far we have not seen any follow-up reports on this issue.
It should be noted that for bounded protocols, the classic reachability technique can be used for protocols with $n \ge 2$ communicating finite state machines. But research in the analysis of protocols with unbounded channels has been mostly limited to cyclic protocols [11, 12, 14, 15]. Jan Pachl is probably the first person who formalized and investigated the class of cyclic protocols, though many of his important results are contained in his unpublished research report [11]. His method is based on the channel expression concept. In [11], he showed that the detection of deadlock and unspecified reception are decidable for the class of cyclic protocols with one channel whose channel expressions are recognizable. However, he wrote in [11] that the decision procedure is hopelessly inefficient for any practical purpose.
In [14], Peng and Purushothaman showed that for the class of cyclic protocols with exactly one unbounded channel, the deadlock detection problem is decidable. Their method relied on the construction of a "stable cover set" and the construction of a finite automaton to recognize the stable cover set. It is not clear, however, whether this procedure can be automated efficiently.
In [15], they proposed a data flow approach to analyzing deadlock and unspecified reception for a protocol with $n \ge 2$ machines by computing a superset of the set of reachable states as an approximate solution for a set of data flow equations. While this approach works for general protocols, the results of the analysis are incomplete. It is unknown for what class of protocols the data flow analysis can yield an exact solution. Furthermore, this approach also suffers from state explosion, as stated by the authors in [15].
In summary, for the analysis of cyclic protocols with $n \ge 2$ communicating finite state machines, only the decidability aspect has been studied. The complexity of decision procedures has been largely ignored. For practical analysis, it is highly desirable that the decision procedure be efficient. Moreover, none of these techniques were targeted to the detection of unboundedness and nonexecutable transitions. In addition, all the methods proposed for cyclic protocol validation analyze global states from the channel language perspective [10]. Reachability analysis, which has been a main focus in the analysis of protocols with two machines, has not been fully integrated into any of these approaches. As a matter of fact, it seems that there is a gap between protocols with two machines and protocols with more than two machines. Most of the methods, if not all, that have been proposed for the two-machine case have not yet been carried over to the $n \ge 2$ case.
In this paper, we bridge this gap by looking into the possibility of applying the fair reachability technique to the validation of cyclic protocols with $n \ge 2$ communicating finite state machines. This study produces many interesting new results. Our contributions in this paper are summarized as follows: First, we show that the set of fair reachable states is exactly the set of reachable states with equal channel length. As a result, deadlock detection is decidable for the class of cyclic protocols whose fair reachable state spaces are finite. Second, we show that the fair reachable state space of a cyclic protocol is finite if and only if (iff for short) the channels of the protocol are not simultaneously unbounded. For the first time, the class of cyclic protocols with finite fair reachability graphs can now be exactly characterized. Even for the $n = 2$ case, this condition is weaker than the one in [5]. For completeness, we also show that this condition is undecidable for cyclic protocols. Third, for logical errors other than deadlock, we show how a finite fair reachable state space can be finitely extended so that these errors can be detected effectively and efficiently. As a result, all logical errors are decidable for the class of cyclic protocols with finite fair reachable state spaces. During the study, we also discover a complete characterization of the fair reachable state space in terms of logical error coverage. Fourth, regarding the class of cyclic protocols whose deadlock and unspecified reception detection are decidable, for $n = 2$, our result properly includes the ones studied in [16, 5]; for $n \ge 2$, our result properly contains the one examined in [14] and complements the ones investigated in [15, 11, 12]. More importantly, our decision procedure is much more straightforward and efficient for practical analysis, which was lacking in both [14, 15] and [11, 12].
Furthermore, we also show the decidability of unboundedness and nonexecutable transition detection for the class of cyclic protocols with finite fair reachable state spaces, which are not addressed in any previous approaches except the one in [5] for unboundedness in the $n = 2$ case.
Generalized fair reachability analysis for cyclic protocols was first reported in [7], along with the decidability result of deadlock detection for the class of cyclic protocols with finite fair reachability graphs. Then, the fair reachability notion was revised to achieve further state reduction and allow for easier proofs. The results on the basic formulation and deadlock detection were given in PSTV'94 [8], while the results on detection of other logical errors were presented in ICNP'94 [9]. This paper is the combination of the results in [8] and [9] with a few modifications.
The CFSM Model
Notation: (1) We use $\cdot$ to denote concatenation. Given a set $M$, $M^*$ denotes its reflexive and transitive closure under concatenation. $|M|$ denotes its cardinality. For $Y \in M^*$, $|Y|$ denotes its length. $\epsilon$ denotes the empty string, $|\epsilon| = 0$. (2) Given $n$, for any $1 \le i \le n$, $0 \le j < n$, $i \oplus j = i + j$ if $i + j \le n$ else $i \oplus j = (i + j) \bmod n$; $i \ominus j = i - j$ if $i > j$ else $i \ominus j = i - j + n$, where $\bmod$ stands for the modulo operation. (3) An interval $[i..j]$ is an ordered set of at most $n$ consecutive integers $i, i \oplus 1, \ldots, i \oplus k = j$, where $(1 \le i \le n) \wedge (0 \le k < n)$. The corresponding (unordered) set is denoted as $\{i..j\}$. Let $[i'..j']$ and $[i..j]$ be intervals; $[i'..j'] \subseteq [i..j]$ iff $\{i'..j'\} \subseteq \{i..j\}$. Unless specified as $[1..n]$, we assume $|[i..j]| < n$. (4) We designate $n$ as the number of processes in a protocol. Unless otherwise specified, we assume $n \ge 2$ and let $i, j$ range over $[1..n]$.
In the communicating finite state machine (CFSM) model, a protocol is specified as a set of $n$ processes $P = (P_1, P_2, \ldots, P_n)$, where each process $P_i$ is a finite state machine that can communicate with other processes via FIFO channels. For each $P_i$, $S_i$ denotes the set of local states in $P_i$. The initial local state of $P_i$ is denoted as $s^0_i$. A channel from $P_i$ to $P_j$, $i \ne j$, is denoted as $C_{ij}$. The set of messages that $P_i$ can send to $P_j$ is denoted as $M_{ij}$. The content of $C_{ij}$, denoted as $c_{ij}$, is a sequence of messages sent from $P_i$ to $P_j$. When $C_{ij}$ is empty, $c_{ij} = \epsilon$. A transition cycle $C_i$ in $P_i$ is a cycle in the transition graph of $P_i$. It is a sending (receiving) cycle in $P_i$ iff all the transitions in $C_i$ are sending (receiving) transitions. $s_i$ is a sending (receiving) local state iff all transitions defined in $s_i$ are sending (receiving) transitions. We use the notation 0 = (s i ; ) to give a name 0 for this transition, and use the notation $s'_i$ = (s i ; ) to denote that $s'_i$ is the local state resulting from the execution of the transition. By definition, each $P_i$ is deterministic but partially defined.
A protocol $P = (P_1, P_2, \ldots, P_n)$ is cyclic iff each $P_i$ has exactly one input channel $C_{i \ominus 1, i}$ and exactly one output channel $C_{i, i \oplus 1}$. From now on, we are dealing with cyclic protocols. For results established later in this paper, it should be clear that they apply to cyclic protocols only.
Example: A cyclic protocol with four processes is depicted in Figure 1. This protocol will be used as the example throughout this paper.
For a cyclic protocol $P = (P_1, P_2, \ldots, P_n)$, a global state (state for short) $S$ is represented as a $2n$-tuple $(s_1, s_2, \ldots, s_n, c_{n1}, c_{12}, \ldots, c_{n-1,n})$, where $s_i$ is the local state of $P_i$, and $c_{i \ominus 1, i}$ is the content of channel $C_{i \ominus 1, i}$. In particular, the initial
Generalized Fair Reachability Analysis
In this section, we generalize the fair reachability notion to cyclic protocols with $n \ge 2$ machines by incorporating the concepts of synchronization and concurrency into the formulation of fair progress vectors. With that, we show that the set of fair reachable states is exactly the set of reachable states with equal channel length. Then, we establish a necessary and sufficient condition for a cyclic protocol to have a finite fair reachable state space. We also study the logical error detection capability of the fair reachable state space. For conciseness, we use "fair reachability" for "generalized fair reachability" from now on.
Basic Formulation
Given a cyclic protocol $P = (P_1, P_2, \ldots, P_n)$. Let
Convention: The notations defined above are implicitly bound to a state $S$. For brevity, $S$ is dropped from the notations when $S$ is given and no confusion arises. This convention is adopted throughout the paper when a new notation is introduced. Whenever distinction is necessary, the binding arguments, such as $S$, will be put into the notation. For example, when we talk about the set of executable transitions in $P_i$ in both $S$
$\ldots k]$: $X_{j-1} \mapsto X_j$ via transition $j$, and $X_k = S'$. The length of $e$, denoted as $|e|$, is defined as the number of transitions in $e$, i.e., $|e| = k \ge 0$. The corresponding local execution sequence in $P_i$ is denoted as $e_i$. The length of $e_i$, denoted as $|e_i|$, is defined as the number of transitions in $e_i$. We use the notation $e \triangleq \{e_1, e_2, \ldots, e_n\}$ to denote the correspondence between an execution sequence and its local execution sequences. $\{e_1, e_2, \ldots, e_n\}$ is called a local execution sequence set from $S$ to $S'$. When $S = S^0$, $\{e_1, e_2, \ldots, e_n\}$ is called a local execution sequence set for $S'$. For each reachable state $S$, there exists at least one execution sequence. Let $e$ and $e'$ be two execution sequences for $S$; $e \equiv e'$ iff they have the same local execution sequence set. It is obvious that $\equiv$ is an equivalence relation over the set of execution sequences for $S$. Each local execution sequence set characterizes a set of execution sequences for $S$. For
Based on this lemma, we can show that each reachable state with equal channel length is fair reachable.
Theorem 4.1 $F$ is exactly the set of reachable states with equal channel length.
An important implication of this theorem is that the notion of fair reachability is consistent with the notion of fair execution sequence in the sense stated in the following theorem.
Theorem 4.2 Let $\{e_1, e_2, \ldots, e_n\}$ be a local execution sequence set for $S$. If $\{e_1, e_2, \ldots, e_n\}$ is a fair local execution sequence for $S$, then any other local execution sequence set $\{e'_1, e'_2, \ldots, e'_n\}$ for $S$ is also a fair execution sequence for $S$. In other words, if $S$ is fair reachable, then it is fair reachable via any execution sequence for $S$.
Finiteness of F
Given a cyclic protocol $P$. We perform fair reachability analysis for $P$ by generating the fair reachable state space $F$. In order for the procedure to terminate, $F$ has to be finite. For $n = 2$, a sufficient condition has been established for $P$ to have a finite $F$, namely, one of the channels being bounded [4]. However, no necessary and sufficient condition, even for $n = 2$, has been established so far. On the other hand, it is known that $F$ can be finite even if $P$ has a reachable sending cycle. This motivates us to look for other factors that cause $F$ to become infinite.
We first investigate the class of cyclic protocols without reachable sending cycles. We notice that for a cyclic protocol without sending cycles, the notion of unboundedness is equivalent to that of "simultaneous unboundedness". Then, we show that for a simultaneously unbounded cyclic protocol, we can find a fair reachable state whose channels are simultaneously unbounded.
Lemma 4.4 Given a cyclic protocol $P = (P_1, P_2, \ldots, P_n)$, if there is a reachable state $S = (s_1, s_2, \ldots, s_n, c_{n1}, c_{12}, \ldots, c_{n-1,n})$ such that $\forall i \in [1..n] : |c_{i, i \oplus 1}| \ge K$ for some constant $K \ge 0$, then there exists a fair reachable state $S' = (s'_1, s'_2, \ldots, s'_n, c'_{n1}, c'_{12}, \ldots, c'_{n-1,n})$ such that $\forall i \in [1..n] : |c'_{i, i \oplus 1}| \ge K$.
With these two lemmas, we can establish an equivalence between the finiteness of $R$ and the finiteness of $F$ for the class of cyclic protocols without sending cycles.
Theorem 4.3 Given a cyclic protocol $P$ without reachable sending cycles. $F$ is finite iff $R$ is finite.
A rephrasing of this theorem gives us a necessary and sufficient condition for a cyclic protocol with a finite $F$ to be unbounded, a generalization of the result in [5] for $n = 2$ to $n \ge 2$.
Theorem 4.4 Given a cyclic protocol $P$ with a finite $F$. $P$ is unbounded iff it has a reachable sending cycle.
Now we can confirm that simultaneous channel unboundedness is the fundamental factor in causing $F$ to become infinite.
Theorem 4.5 Given a cyclic protocol $P$. $F$ is finite iff $P$ is not simultaneously unbounded.
This necessary and sufficient condition provides an exact description of the class of cyclic protocols with finite fair reachable state spaces from the protocol operational semantics viewpoint. To the best of our knowledge, this is the first necessary and sufficient condition for a cyclic protocol to have a finite fair reachable state space. However, as expected, the decidability aspect of this condition is negative, as stated in the following theorem. The proof of the theorem is based on showing it is true for $n = 2$, an easy reduction using the undecidability result of boundedness detection established in [5].
Theorem 4.6 It is undecidable whether a cyclic protocol $P$ has a finite $F$.
The next theorem says that if a cyclic protocol has a finite $F$, then we will be able to find the least upper bound $K \ge 0$ such that each reachable state has at least one channel whose length is bounded by $K$.
Theorem 4.7 Given a cyclic protocol $P$ with a finite $F$. Let $K$ be the longest channel length among all the states in $F$. Then each reachable state of $P$ has at least one channel whose length is bounded by $K$.
Denote $\mathcal{P}$ as the class of cyclic protocols whose $F$'s are finite. From now on, we will restrict our study to class $\mathcal{P}$. In the rest of the paper, unless otherwise stated explicitly, when we mention a cyclic protocol $P$, we mean $P \in \mathcal{P}$; when we mention $F$, we mean that it is finite. State reduction achieved by fair reachability analysis is measured by the factor $R \setminus F$. In general, $F$ is much smaller than $R$, thus the saving is substantial. However, the study of the logical error coverage of $F$ is crucial to evaluating the usefulness of fair reachability analysis. For $n = 2$, it was shown that both deadlock and unspecified reception are detectable within $F$ [16], and that unboundedness can be detected via finite extension of $F$ [5]. Note that even for $n = 2$, nonexecutable transition detection has not been studied in the context of $F$. For $n \ge 2$, we know that $F$ is exactly the set of reachable states with equal channel length. Since all deadlock states are of equal channel length zero, we have the following theorem on deadlock detection.
Theorem 4.8 Deadlock detection is decidable for $\mathcal{P}$.
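As an added illustration of Theorem 4.1 and Theorem 4.8 (example code written for this edit, not from the paper), the following Python script explores a constructed three-process cyclic protocol both by classic interleaved reachability and by fair progress steps, checks that the fair reachable states are exactly the reachable states with equal channel length, and reports the deadlock state found among them. It assumes one concrete form of fair progress step (a vector of per-machine transitions that changes every channel length by the same amount, executed sends first) and a channel bound that only matters for infinite state spaces; both are assumptions of this example, not the paper's definitions.

```python
"""Fair reachability on a constructed cyclic CFSM protocol (added example)."""
from collections import deque
from itertools import product

# Process i maps each local state to transitions (kind, message, next state):
# '!' sends into C_{i,i+1}, '?' receives from C_{i-1,i} (indices taken mod n).
# Constructed 3-process token ring (not the paper's Figure 1): the token goes
# P1 -> P2 -> P3 -> P1; from state 1, P2 may instead send "stop", after which
# P3 halts and P1 waits forever for a token that never arrives.
PROTO = [
    {0: [('!', 'tok', 1)], 1: [('?', 'tok', 0)]},                          # P1
    {0: [('?', 'tok', 1)], 1: [('!', 'tok', 0), ('!', 'stop', 2)], 2: []},  # P2
    {0: [('?', 'tok', 1), ('?', 'stop', 2)], 1: [('!', 'tok', 0)], 2: []},  # P3
]

def initial_state(proto):
    """Global state = (local states, channel contents); channel i is C_{i,i+1}."""
    return (tuple(0 for _ in proto), tuple(() for _ in proto))

def apply(proto, state, moves):
    """Execute one chosen transition per machine (None = idle): all sends first,
    then all receives, so a receive may consume a message sent in the same step.
    Returns None if a chosen receive finds no matching message at the head."""
    n = len(proto)
    locals_, chans = list(state[0]), [list(c) for c in state[1]]
    for i, mv in enumerate(moves):
        if mv and mv[0] == '!':
            chans[i].append(mv[1])
            locals_[i] = mv[2]
    for i, mv in enumerate(moves):
        if mv and mv[0] == '?':
            inbound = chans[(i - 1) % n]
            if not inbound or inbound[0] != mv[1]:
                return None
            inbound.pop(0)
            locals_[i] = mv[2]
    return (tuple(locals_), tuple(tuple(c) for c in chans))

def channel_deltas(moves, n):
    """Net length change of each channel caused by a move vector."""
    delta = [0] * n
    for i, mv in enumerate(moves):
        if mv and mv[0] == '!':
            delta[i] += 1
        elif mv and mv[0] == '?':
            delta[(i - 1) % n] -= 1
    return delta

def successors(proto, state, bound):
    """Classic reachability: exactly one machine executes one transition."""
    n = len(proto)
    for i in range(n):
        for mv in proto[i].get(state[0][i], []):
            nxt = apply(proto, state, tuple(mv if j == i else None for j in range(n)))
            if nxt is not None and all(len(c) <= bound for c in nxt[1]):
                yield nxt

def fair_successors(proto, state, bound):
    """Fair progress step. Assumption of this example (not necessarily the paper's
    vectors): a vector of per-machine transitions is a fair progress vector when it
    changes every channel length by the same amount, so equal length is preserved."""
    n = len(proto)
    options = [[None] + proto[i].get(state[0][i], []) for i in range(n)]
    for moves in product(*options):
        if not any(moves) or len(set(channel_deltas(moves, n))) != 1:
            continue
        nxt = apply(proto, state, moves)
        if nxt is not None and all(len(c) <= bound for c in nxt[1]):
            yield nxt

def explore(proto, succ, bound=3):
    """Breadth-first closure of the initial state under `succ`. The channel bound
    only truncates exploration when the state space is infinite (assumption)."""
    start = initial_state(proto)
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in succ(proto, s, bound):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def equal_channel_length(state):
    return len({len(c) for c in state[1]}) == 1

def is_deadlock(proto, state):
    """All channels empty and no machine can move: every machine's local state
    defines only receiving transitions, or none at all."""
    return all(not c for c in state[1]) and not any(
        mv[0] == '!' for i in range(len(proto)) for mv in proto[i].get(state[0][i], []))

if __name__ == "__main__":
    R, F = explore(PROTO, successors), explore(PROTO, fair_successors)
    print(len(R), "reachable states;", len(F), "fair reachable states")
    print("F == equal-length part of R:", F == {s for s in R if equal_channel_length(s)})
    print("deadlocks in F:", [s for s in F if is_deadlock(PROTO, s)])
```

On this protocol classic exploration visits 8 global states while the fair exploration visits the 4 equal-length ones, and the deadlock (P1 waiting for a token after P2 has sent "stop") lies in $F$.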
Fault Coverage of F
In fact, we showed in [8] that livelock detection is also decidable for $\mathcal{P}$. However, it is not difficult to see that for detection of logical errors other than deadlock, $F$ is not sufficient, and thus finite extension of $F$ is needed.
inspecting $F$ cannot detect unboundedness caused by $P_3$ and an unspecified reception in channel $C_{34}$. In this case, the behavior of $P_3$ and $P_4$ was not explored during state generation. As we will see in the following section, this is caused by the sending cycle in $P_1$, and this is not a coincidence.
Following the same formulation as [5], we reduce the detection of logical errors other than deadlock in $\mathcal{P}$ to two local state reachability problems as follows:
P-I Given a local state $s_i$, decide whether $s_i$ is reachable.
P-II Given a local state $s_i$ and a message $m \in M_{i \ominus 1, i}$, decide whether $(m, s_i)$ is reachable.
It should be clear that for $\mathcal{P}$, if we can solve P-I (P-II), then we can solve unboundedness (unspecified reception) detection, and if we can solve both P-I and P-II, then we can solve detection of nonexecutable transitions. Although neither P-I nor P-II is decidable in general [1], we will show that both of them are decidable for $\mathcal{P}$ in the following section.
Finite Extension of F
In this section, we study the finite extension of $F$ to detect logical errors other than deadlock for $\mathcal{P}$. For brevity, we use the term "logical errors" for "logical errors other than deadlock" in the rest of this section, unless otherwise explicitly stated.
Intuitively, there is a simple argument that shows that both P-I and P-II, and thus all logical errors, are decidable for the class of cyclic protocols $\mathcal{P}$ via fair reachability plus finite extension. Then the only issue remaining is how efficient the process is. The argument goes as follows: If a local state $s_k$ is reachable, then there is a reachable state $X$ such that $s_k \in X$. Thus, there is a local execution sequence set $\{e_1, e_2, \ldots, e_n\}$ from $S^0$ to $X$ in $R$. From $\{e_1, e_2, \ldots, e_n\}$, a partial fair execution sequence $pfs$ can be derived to get to the fair precursor $fp$. Note that $fp$ is on the path of the execution sequence from $S^0$ to $X$ and $fp \in F$. If $s_k \in fp$, then we are done. Otherwise, from $fp$, a finite extension in $R$ exists, namely the remainder of the execution sequence from $fp$ to $X$. Hence, $s_k$ is locatable by finite extension from $F$. A similar argument can be used for the reachability of $(m, s_k)$.
What are the problems with this argument? First, it only shows existence but gives no algorithm. Secondly, it provides no upper bound on how far to extend when the execution sequence in $R$ is unknown (as is generally the case). Yet, the preceding argument can serve as a general guideline in understanding the formal development presented below.
As we have already seen, the need for finite extension of $F$ results from the fact that some of the reachable local states are not fair reachable. Therefore, the purpose of finite extension is to uncover those local states. In what follows, we first identify a necessary condition for the existence of such local states. Then we show how to minimize the size of the extension set, i.e., the set of states in $F$ that need to be extended. In Subsection 5.2, we present a finite extension procedure based on partial states from the extension set. In the last subsection, we summarize the discussions with the decidability results for P-I and P-II, and a characterization of $F$ in terms of logical error coverage.
Identifying the Extension Set
Suppose $s_k$ is reachable but not fair reachable. Then none of the reachable states containing $s_k$ is in $F$. Let $X$ be any reachable state with $s_k \in X$, and $\{e_1, e_2, \ldots, e_n\}$ be a local execution sequence set for $X$. Let $pfs$ and $fp$ be the partial fair execution sequence and the fair precursor for $X$ w.r.t. $\{e_1, e_2, \ldots, e_n\}$, respectively. Based on the preceding discussion, it is clear that $s^p_k \ne s_k$ and thus $|e_k| \ne 0$. Furthermore, we can find a maximal interval $[i..k]$ in $fp$ such that $\forall j \in [i..k] : |e_j| \ne 0$. Note that each $p_j$ from $e_j$ at $s^p_j$ is executable. When $i \ne k$, the execution of the remaining transitions in $e_k$ depends only on the execution of transitions in $e_j$, $j \in [i..$
Starting from $fp$, we construct the set of states fair reachable from $fp$ as follows: in each such state $S$, each fair progress vector $\tilde v$ is computed as usual except that $v_j$ must take on the transition from $e_j$ if $(j \in [i..k]) \wedge (|e_j| \ne 0)$. Note that during the construction, some of the $e_j$'s may become empty when $(j \in [i..k]) \wedge (i \ne k)$. However
Therefore, to solve both P-I and P-II for $\mathcal{P}$, we only need to extend those states in $F_T$. Now the question becomes how states in $F_T$ can be extended in a finite way.
Partial State Exploration
From the previous subsection, we know that in order to solve both P-I and P-II, we only need to extend parts of a state $S$ indexed by an interval $[i..j]$ whenever $U[i..j] \ne \emptyset$, for each $S \in F_T$.
Such an interval $[i..j]$ is called a proper incompatible interval in $S$. Denote $IJ$ as the set of proper incompatible intervals in $S$. Clearly, $(IJ, \subseteq)$ is a partially ordered set. Let $ImJ$ be the set of maximal elements in $(IJ, \subseteq)$. Each element in $ImJ$ is called a maximal proper incompatible interval in $S$. As will be clear shortly, for finite extension on $S$, we only need to consider those intervals in $ImJ$.
Figure 3, in which the "hidden local states" $2$ in $P_3$ and $(c, 2)$ in $P_4$ are uncovered.
End of Example.
Fault Coverage of F Revisited
Let's recapitulate the discussion so far on finite extension of $F$. We began by observing that $F$ itself is not sufficient for detection of logical errors, and then reduced the logical error detection problems to two local reachability problems P-I and P-II. We found that the major obstacle to solving these two problems is the existence of ppitv's in some states in $F$, since these ppitv's prevent the fair progress state exploration procedure from reaching some reachable local states.
However, we noticed that it suffices to do finite extension on those states in $F_T$ in order to uncover all the "hidden" reachable local states. We further observed that only those partial states in each $S \in F_T$ indexed by some interval in $ImJ$ of $S$ are needed for extension in order to solve both P-I and P-II for $\mathcal{P}$. Finally, we showed that both problems are solvable for any partial state via finite extension. Hence, we are able to establish the following decidability result:
Theorem 5.2 Both P-I and P-II are decidable for $\mathcal{P}$. Therefore, detection of unspecified reception, unboundedness and nonexecutable transition are all decidable for $\mathcal{P}$.
During the process, we have also discovered the following important characterization of $F$ in terms of fault coverage.
Theorem 5.3 Given a cyclic protocol $P \in \mathcal{P}$. $P$ has an unspecified reception but $F_{ur} = \emptyset$ only if $F_{ub} \ne \emptyset$. $P$ is unbounded but $F_{ub} = \emptyset$ only if $F_{ur} \ne \emptyset$. $P$ has a nonexecutable transition that is not detectable via $F$ only if $F_{ur} \cup F_{ub} \ne \emptyset$. Therefore, $P$ is logically correct iff $F$ does not contain any logical errors.
Combined with the result that deadlock detection is decidable via $F$ in Subsection 4.4, we can see that $F$ is very competitive in fault coverage, quite to the contrary of the pessimistic suspicion raised at the beginning of this section. For iterative validation, we may stop state exploration whenever an error state is found in $F$, fix that error, and repeat the process until no more errors are found in $F$. In this way, finite extension of $F$ is not necessary. If we want to detect all the errors in one-phase generation of $F$, then $F$ might need to be finitely extended if $F_T \ne \emptyset$. In this case, the finite extension procedure can be optimized for efficiency.
We have already seen how time complexity can be reduced by limiting finite extension to only those states in $F_T$, and for each such state, to only those partial states indexed by intervals from $ImJ$ of that state. In fact, we can do better by fine-tuning the decision procedures.
For example, if we are to detect unspecified reception, finite extension is necessary only when $F_{ur} = \emptyset$ and $F_{ub} \ne \emptyset$, and is only performed on those states in $F_{ub}$. Detection of other errors can be fine-tuned in a similar way. As for space complexity, $F$ itself already offers a substantial reduction of $R$. When finite extension is needed, the additional space for an extension graph $MRG_k$ is usually small compared to the size of $F$ due to the channel constraint. Moreover, after $MRG_k$ is generated, we can check logical errors in $MRG_k$, mark the corresponding state accordingly if there is an error, and then discard it for good. Using this strategy, considerable space can be saved, especially when $n$ gets larger. This is in contrast to the approach taken in [5] for $n = 2$, which keeps all the extension graphs during unboundedness detection. In summary, for the class of cyclic protocols $\mathcal{P}$, generalized fair reachability analysis has very competitive error-detection capability, and can be carried out both effectively and efficiently.
Conclusion
In this paper, we generalized the fair reachability analysis technique to cyclic protocols with $n \ge 2$ communicating finite state machines. Given a cyclic protocol $P$, we showed that its fair reachable state space $F$ is exactly the set of reachable states with equal channel length, and established the lack of simultaneous unboundedness in $P$ as a necessary and sufficient condition for $P \in \mathcal{P}$, the class of cyclic protocols whose $F$'s are finite. The effectiveness of generalized fair reachability analysis was demonstrated by showing that for class $\mathcal{P}$, deadlock is detectable within $F$ while all other logical errors are detectable via finite extension of $F$. More importantly, we discovered a characterization of $F$ in terms of fault coverage, namely $P$ is logically correct iff $F$ is free of logical errors.
Fair reachability analysis was originally proposed as a technique to tackle state explosion during reachability analysis [16]. The same argument also applies to our work reported in this paper. By forcing the system to progress through a fair execution sequence, we have cut down the redundancy of state exploration due to equivalent execution sequences. We also showed how finite extension can be carried out efficiently in terms of both time and space by minimizing the extension set and the number of partial states that need to be extended for each state in the extension set.
The strength of our approach lies in the natural generalization of the existing fair reachability technique and its simple, straightforward, and efficient decision procedures, which were missing in both [14, 15] and [11, 12]. This study shows that generalized fair reachability analysis not only achieves substantial state reduction, but also maintains very competitive logical error detection capability. Therefore, it is a very useful technique to prove logical correctness for a wide variety of cyclic protocols.
During the write-up of this paper, we were informed of the independent work by Peng on extending fair reachability to a model called \single-link communicating nite state machines " 13] . In this model, each process can have multiple output channels but has only one common input channel to store messages from other processes. Although cyclic protocols are included in this model, the notion of fair reachability in this model is quite di erent from ours in that only two machines are allowed to make progress at one time restricted by the so-called \weight-balance" constraint in 13]. It is not clear, however, what class of protocols in his model is amendable for his analysis technique. For cyclic protocols, our fair reachability formulation has the following advantages: First, our fair reachability state space maintains the same nice equal channel length property as for n = 2 16, 5] . Second, both concurrency and synchronization vectors in our fair reachability notion allow more than two machines to progress at the same time. As a result, for most cyclic protocols, our analysis achieves greater state reduction than the one in 13]. Third, aside from deadlock, our approach can also detect other logical errors such as unspeci ed reception, nonexecutable transition, and unboundedness, which are not covered in 13] .
Many open problems remain concerning our approach. First, although we have found a necessary and su cient condition for the class of cyclic protocols whose logical correctness is decidable, we are not sure how general it is in terms of tightening the boundary of cyclic protocols whose logical correctness is decidable. Further investigation of this aspect is necessary in order to fully evaluate its role in the decidability hierarchy. Second, a cyclic protocol is still simple in topology. It would be bene cial to look into the possibility of generalizing our work to protocols with more complicated and yet regular network topologies. Third, it is possible to incorporate internal transitions into the fair progress vector formulation to allow our technique to handle cyclic protocols with internal transitions and still achieve good state reduction. We are currently working on this issue. Fourth, fair reachability analysis is only one type of improved reachability analysis techniques studied in the two machine case. In this paper, the collective power of both fair progress and maximal progress state exploration is illustrated in the nite extension process, and has produced encouraging results. The results reported here should encourage more research on extending other existing techniques to the analysis of protocols with more than two machines. Finally, it would be interesting to investigate the possibility of carrying the fair reachability analysis technique over to other speci cation models, such as the extended nite state machine model. X j?1 7 ! f X j via fair progress vectorṽ j , and X k = S. We claim that S is of equal channel length by induction on k.
Basis: $k = 0$. In this case, $S = S_0$. The claim holds trivially.
Induction: Suppose $S$ is of equal channel length for $k = k' \geq 0$. We want to show it for $k = k' + 1$. Note that $X_{k-1}$ is fair reachable via a fair execution sequence of length $k'$. By the induction hypothesis, $X_{k-1}$ is of equal channel length. Now, $X_{k-1} \mapsto_f S$ via fair progress vector $\tilde{v}_k$. If $\tilde{v}_k$ is a concurrency vector, then it will either increase each channel length by one or decrease each channel length by one when applied to $X_{k-1}$. If $\tilde{v}_k$ is a synchronization vector, then it will not change the length of any channel when applied to $X_{k-1}$. Hence, $S$ is also of equal channel length. The claim holds for $k = k' + 1$.
Therefore, $S$ is a reachable state with equal channel length.
(If:) Suppose $S$ is a reachable state with equal channel length $K \geq 0$. We want to show that $S$ is fair reachable. Let $\{e_1, e_2, \ldots, e_n\}$ be a local execution sequence set for $S$ and $fp$ be the fair precursor of $S$ w.r.t. $\{e_1, e_2, \ldots, e_n\}$. Then $fp$ is fair reachable. From the preceding argument, $fp$ is of equal channel length. Let $K'$ be the channel length in $fp$. Let
(1) $K' < K$. Note that the length of channel $C_{i-1,i}$ cannot be increased. By the time the protocol gets to $S$, the length of channel $C_{i-1,i}$ will be less than $K$.
(2) $K' > K$. Note that the length of channel $C_{j,j+1}$ cannot be decreased. By the time the protocol gets to $S$, the length of channel $C_{j,j+1}$ will be greater than $K$.
$C_{i-1,i}$ will be $K - 1$. Note that the length of channel $C_{i-1,i}$ cannot be increased. By the time the protocol gets to $S$, the length of channel $C_{i-1,i}$ will be no greater than $K - 1$.
(b) $p_j$ is a sending transition. Then after the execution of $p_j$, the length of channel $C_{j,j+1}$ will be $K + 1$. Note that the length of channel $C_{j,j+1}$ cannot be decreased. By the time the protocol gets to $S$, the length of channel $C_{j,j+1}$ will be no less than $K + 1$.
In all cases, there will be a channel whose length is not $K$ when the protocol gets to $S$, which contradicts the assumption that $S$ is of equal channel length $K$. Hence, $S$ is fair reachable.
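As an added illustration (constructed here, not code from the paper), the following Python explores a made-up 3-machine cyclic protocol by plain interleaving, takes $F$ as the reachable states of equal channel length, i.e. the characterization just proved, rather than enumerating fair progress vectors, and checks that every deadlock state (all channels empty, hence of equal length 0) already lies in $F$; the channel cap `CAP` is an assumption that keeps the plain search finite.

```python
from collections import deque
# Constructed 3-machine cyclic protocol P1 -> P2 -> P3 -> P1 (made up here, not from the paper).
# Machine i sends into C[i] and receives from C[i-1]; "-m" sends message m, "+m" receives m.
PROTOCOL = [
    {"s0": [("-req", "s1"), ("-fin", "s2")], "s1": [("+ack", "s0")], "s2": [("+ack", "s0")]},
    {"t0": [("+req", "t1"), ("+fin", "t2")], "t1": [("-req", "t0")], "t2": [("+req", "t0")]},
    {"u0": [("+req", "u1")], "u1": [("-ack", "u0")]},
]
INITIAL = (("s0", "t0", "u0"), ((), (), ()))
CAP = 4  # assumed channel bound: keeps the plain search finite even for unbounded protocols

def successors(state):
    """Global states reachable by one local transition (plain interleaving semantics)."""
    locs, chans = state
    for i, loc in enumerate(locs):
        for act, nxt in PROTOCOL[i][loc]:
            msg, out, inp = act[1:], i, (i - 1) % len(locs)
            new_locs = locs[:i] + (nxt,) + locs[i + 1:]
            new_chans = list(chans)
            if act[0] == "-" and len(chans[out]) < CAP:      # send: append to C[i]
                new_chans[out] = chans[out] + (msg,)
            elif act[0] == "+" and chans[inp][:1] == (msg,):  # receive: pop head of C[i-1]
                new_chans[inp] = chans[inp][1:]
            else:
                continue
            yield new_locs, tuple(new_chans)

def reachable(start=INITIAL):
    """Full reachable state space R, by breadth-first search."""
    seen, todo = {start}, deque([start])
    while todo:
        for t in successors(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def fair_reachable(start=INITIAL):
    """F via Theorem 4.1: reachable states whose channels all have the same length."""
    return {s for s in reachable(start) if len({len(c) for c in s[1]}) == 1}

def is_deadlock(state):
    """All machines in receive-only local states and every channel empty."""
    locs, chans = state
    receive_only = all(a[0] == "+" for i, l in enumerate(locs) for a, _ in PROTOCOL[i][l])
    return receive_only and not any(chans)

def deadlocks(states):
    return sorted(s[0] for s in states if is_deadlock(s))
```

For this protocol the search reaches 8 global states, of which 4 have equal channel length, and the single deadlock (P1 has sent `fin`, P2 consumed it, and all three machines now wait on empty channels) is found identically in $R$ and in $F$.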
Lemma 4.3 Given a cyclic protocol $P$ without reachable sending cycles. If $P$ is unbounded, then $P$ is simultaneously unbounded.
Proof: Since $P$ is unbounded, $P$ has at least one unbounded channel. Without loss of generality, suppose channel $C_{12}$ is unbounded. Since $C_{12}$ is unbounded, there must exist an infinite execution sequence $e \triangleq \{e_1, e_2, \ldots, e_n\}$ such that for any $K \geq 0$, there is a state reachable via a prefix of $e$ such that $|c_{12}| > K$. Moreover, since each process $P_i$ has no reachable sending cycles, each $e_i$ is composed of infinitely many sends and receives, and there can be at most $|S_i| - 1$ consecutive receives before a send in $e_i$, where $|S_i|$ is the number of states in $P_i$. As a result, there must be at least one such execution sequence along which $P$ can proceed indefinitely, i.e., no unspecified reception can occur along this sequence, otherwise $C_{12}$ would be bounded. Fix $e \triangleq \{e_1, e_2, \ldots, e_n\}$ as such an execution sequence.
Define a function $f : [0..n-1] \to \mathbb{N}$, $\mathbb{N}$ being the set of natural numbers, as follows:
Based on the preceding argument, for any $K \geq 0$, there is a state $S = (s_1, s_2, \ldots, s_n; c_{n1}, c_{12}, \ldots, c_{n-1,n})$ reachable via a prefix of $e$ such that $|c_{12}| = f(n-1)\,K'$, where $K' > K$. If all other channels have more than $K$ messages, we are done. Suppose not; starting from $S$, in the order from $P_2$ to $P_n$, each process $P_i$, $i \in [2..n]$, can receive $|S_i|\,f(n-i)\,K'$ messages from channel $C_{i-1,i}$, and as a result, send at least $f(n-i)$ messages to channel $C_{i,i+1}$. In the end, the protocol must arrive at a reachable state such that each channel has at least $K'$ messages. Therefore, there is a reachable global state in which the length of each channel is greater than $K$, i.e., $P$ is simultaneously unbounded.
$= \{e_1, e_2, \ldots, e_n\}$ be an execution sequence for $S$. Based on $\{e_1, e_2, \ldots, e_n\}$, we construct the partial fair execution sequence for $S$ to get to $fp$, the fair precursor of $S$. Clearly, $fp \in F$ and is of equal channel length by Theorem 4.1. Suppose $fp$ is of channel length $K'$. If $K' \geq K$, then let $S' = fp$, and we are done. Suppose not; by Lemma 4.2, $\exists k \in [1..n] : |e_k| = 0$. Note that from state $fp$ on, the length of channel $C_{k,k+1}$ cannot be increased by the execution of the remaining transitions in $e$ by other processes. Therefore, at the end of the execution of $e$, i.e., in state $S$, the length of channel $C_{k,k+1}$ will be less than $K$, which contradicts the fact that every channel in $S$ has length no less than $K$. Hence, $fp$ must have channel length no less than $K$.
In all cases, we can find a fair reachable state whose channel length is no less than $K$.
Theorem 4.5 Given a cyclic protocol $P$. $F$ is finite iff $P$ is not simultaneously unbounded.
Proof: If Part. Suppose $F$ is infinite; then $\bigcup_{k=0}^{\infty} F_k$ is infinite. Thus, $\forall K \geq 0\ \exists K' > K : F_{K'} \neq \emptyset$. Since any state in $F$ is of equal channel length, $P$ is simultaneously unbounded.
Only If Part. If $P$ is simultaneously unbounded, then for any $K \geq 0$, there is a reachable state $S$ such that the length of each channel in $S$ is greater than $K$. By Lemma 4.4, there is a fair reachable state $S'$ such that each channel length in $S'$ is greater than $K$. In other words, $\forall K \geq 0\ \exists K' > K : F_{K'} \neq \emptyset$. As a result, $F = \bigcup_{k=0}^{\infty} F_k$ is infinite.
Theorem 4.6 It is undecidable whether a cyclic protocol $P$ has a finite $F$.
Proof: We claim that for $n = 2$, it is undecidable whether a (cyclic) protocol $P$ has a finite $F$. We prove this claim by contradiction. In the proof, we make use of the decidability of boundedness detection for protocols with finite $F$'s for $n = 2$, a result established in [5].
Suppose for $n = 2$, it is decidable whether a protocol has a finite $F$. Then the following algorithm will decide whether $P$ is bounded:
Step 1: Check if $F$ is finite for $P$.
Step 2: If $F$ is infinite, output "$P$ is unbounded".
Step 3: If $F$ is finite, determine if $P$ is bounded and output the result.
Step 4: End of procedure.
On the other hand, we know that boundedness detection is undecidable for protocols with $n = 2$ machines [1]. A contradiction.
Now that it is undecidable, for $n = 2$, whether a cyclic protocol has a finite $F$, it is straightforward that the theorem holds for $n \geq 2$.
Theorem 4.7 Given a cyclic protocol $P$ with a finite $F$. Let
This can also be done within a finite number of steps.
To sum up, the reachability of a local state $s_k$ can be decided within a finite number of steps.
As a result, P-I is decidable for $\mathcal{P}$. The decidability of P-II for $\mathcal{P}$ can also be shown in a similar way. Now that both P-I and P-II are decidable for $\mathcal{P}$, it is straightforward that detection of unspecified reception, nonexecutable transition, and unboundedness are all decidable for $\mathcal{P}$.
Theorem 5.3 Given a cyclic protocol $P \in \mathcal{P}$. $P$ has an unspecified reception but $F_{ur} = \emptyset$ only if $F_{ub} \neq \emptyset$. $P$ is unbounded but $F_{ub} = \emptyset$ only if $F_{ur} \neq \emptyset$. $P$ has a nonexecutable transition that is not detectable via $F$ only if $F_{ur} \cup F_{ub} \neq \emptyset$. Therefore, $P$ is logically correct iff $F$ does not contain any logical errors.
Proof: Suppose $P$ has an unspecified reception but $F_{ur} = \emptyset$. Then there is a reachable state $S$ such that $(m, s_k) \in S$, $s_k$ is a local receiving state, and $(s_k, +m)$ is not defined. Since $F_{ur} = \emptyset$, $(m, s_k)$ is reachable but not fair reachable. By Lemma 5.1 and Lemma 5.3, $F_T \neq \emptyset$. Since $F_T = F_{ur} \cup F_{ub}$, we must have $F_{ub} \neq \emptyset$.
The proofs for unboundedness and nonexecutable transition can be carried out in a similar way. Now suppose $P$ is logically correct; then there are no reachable error states in $F$. Conversely, if $F$ is free of logical errors, then $F_T = \emptyset$. $P$ cannot have a deadlock since all deadlock states are included in $F$. $P$ cannot have any other logical errors either since otherwise we would have $F_T \neq \emptyset$ based on the discussion in the preceding paragraph. Hence, $P$ is logically correct.
