In this paper, the notion of fair reachability is generalized to cyclic protocols with n > 2 communicating finite state machines. An equivalence is established between the set of fair reachable states and the set of reachable states with equal channel length. As a result, deadlock detection is decidable for cyclic protocols with finite fair reachability graphs. The concept of simultaneous unboundedness is defined and the lack of it is shown to be a necessary and sufficient condition for a cyclic protocol to have a finite fair reachability graph. For the first time, we are able to exactly characterize the class of protocols whose fair reachability graphs are finite. As far as decidability of deadlock detection is concerned, our result extends the class of cyclic protocols studied by Peng & Purushothaman, and complements the one investigated by Pachl. More importantly, our decision procedure is much more straightforward and efficient, as compared to Pachl's and the one by Peng & Purushothaman. In this respect, we have improved the complexity of deadlock detection for the class of cyclic protocols with finite fair reachability graphs. To further demonstrate the strength of generalized fair reachability analysis, we also show that livelock detection is decidable for the class of cyclic protocols with finite fair reachability graphs.
Introduction
The communicating finite state machine model is one of the most widely used formal models for protocol specification and verification [1] . In this model, a protocol is specified as a set of finite state machines exchanging messages via FIFO channels. A simple state space exploration technique, also known as reachability analysis is used to systematically generate the entire global state space reachable from the initial global state. Protocol validation is done by checking each reachable global state against progress criteria in terms of deadlock, unspecified reception "Research reported in this paper was supported by NASA Center of Excellence in Space Data and Information Sciences Under USRA Subcontract No. 550-66. and boundedness. With this simple model and straightforward verification technique, some real world protocols have been successfully modeled and validated. However, there are two problems concerning this model that hampers its practical usefulness to industrial strength applications. First, progress properties are in general undecidable for protocols modeled as communicating finite state machines [1] , in particular, exhaustive state enumeration is only feasible for bounded protocols. Second, even with bounded protocols, reachability analysis suffers from the state explosion problem. Most real world protocols are large and complex, with tens of thousands of global states. In this case, even though reachability graphs are finite, the analysis becomes very inefficient due to the brute.force state exploration.
Much research has been devoted to looking for classes of protocols whose progress properties are decidable and devising techniques to limit state explosion during analysis. As a result, many techniques have been proposed. These methods differ in the classes of protocols they can handle, the ease of being automated, and the overhead they incur. For a survey ofthese methods, please refer to [19] .
One of the proposed improved techniques is called fair reachability [18, 10] , where each machine is forced to make a move whenever possible during state exploration. In fair reachability, global state exploration is reduced by avoiding redundant exploration of equivalent interleaving execution sequences during the analysis. This technique has been shown effective in validation for protocols modeled as two communicating finite state machines [18, 10] . However, the concept of fair reachability and its effectiveness for general protocols with more than two machines has not been studied. To fill this gap, we investigate the generalization of this technique to cyclic protocols. Through the study, its effectiveness for cyclic protocol validation is shown.
The rest of the paper is organized as follows: In section 2, we briefly review previous research on fair reachability analysis and highlight our results presented in this paper. Then, the communicating finite state machine model is formally introduced in the following section.
In section 4, we generalize fair reachability to cyclic protocols with n ~ 2 communicating finite state machines. Based on this, we present a sufficient condition for a cyclic protocol to have a finite fair reachability graph, which is a generalization of the one shown in [8] . To build a theoretical foundation for generalized fair reachability analysis, we study the characterization of fair reachable state space in section 5. From the investigation, we obtain the key results of this paper: an equivalence between the set of fair reachable states and the set of reachable states with equal channel length, and a necessary and sufficient condition for a cyclic protocol to have a finite fair reachability graph. To demonstrate the strength of our approach, we show in section 6 that both deadlock detection and livelock detection are decidable for the class of cyclic protocols with finite fair reachability graphs. We conclude the paper with open problems in section 7.
Previous Work
Fair reachability analysis was proposed as a strategy for reducing state explosion during validation of protocols modeled as two communicating finite state machines. Rubin and West first observed the redundancy of state exploration in reachability analysis due to equivalent sequences of interleaving transitions [18] . Based on this observation, they proposed a canonical sequence technique that forces the two machines to progress at the same speed during state exploration. They reported a large percentage reduction in state generation when this technique was incorporated into reachability analysis. For protocols whose reachability graph is finite, they proved that both the deadlock detection and unspecified reception detection problems are decidable. In [10] , Gouda and Han named this technique fair reachability analysis. The reachability graph thus generated is termed a fair reachability graph. They showed that for protocols whose fair reachability graph is finite, the boundedness detection problem is also decidable. A sufficient condition for protocols to have a finite reachability graph was also established in [8] ; namely, if a protocol has one of the two channels bounded, then its fair reachability graph is finite. Therefore, for n = 2, the detection of deadlock, unspecified reception, and unboundedness are all decidable for the class of protocols with at least one bounded channel. Recently, Cacciari and Rafiq extended the above idea to protocols with "internal" transitions, where an internal transition of a process is defined as a transition that changes the local state of the process but does not change the content of any channel associated with that process [2, 3] . They called their technique reduced reachability analysis. In [2] , they showed that using this technique, both deadlock and unspecified reception, among other properties, are decidable for protocols whose reduced reachability graphs are finite. In [3] , they showed that it is undecidable whether a protocol has a finite reduced reachability graph. However, it is not clear what class of protocols are amendable for reduced reachability analysis [3] .
One important aspect about fair reachability analysis is that in each fair reachable state, the length of each channel is equal [18, 8] . We call this property the equal channel length property of fair reachability analysis. On one hand, reduced reachability analysis by Cacciari and Rafiq resembles fair reachability analysis in that it forces two machines to move at the same time if the parallelwise condition is satisfied [2] . On the other hand, if the parallelwise condition is not satisfied, only one machine is allowed to move at one time. As a result, the set of reduced reachable states no longer has the equal channel property. This is, we feel, one of the major reasons that makes it more difficult to find a (sufficient) condition for the class of protocols with finite reduced reachability graphs.
Fair reachability analysis is of importance not only because it can reduce the number of global states explored, but also because it has the capability to handle some protocols with unbounded channels. Although in [18] , the authors claimed to extend this technique to protocols with n > 2 communicating finite state machines, so far, we have not seen any follow-up reports on this issue.
It should be noted that for bounded protocols, the classic reachability technique can be used for protocols with n > 2 communicating finite state machines. But research in analysis of protocols with unbounded channels has been mostly limited to only cyclic protocols [13, 14, 16, 17] . Jan Pachl is probably the first person who formalized and investigated the class of cyclic protocols. His method is based on the channel expression concept [13, 14] . In (14] , he showed that the deadlock detection problem is decidable for the class of cyclic protocols with recognizable channel expressions. But many of his important results on cyclic protocols are contained in his unpublished research report [13] , in which he showed that the deadlock detection problem and the unspecified reception detection problem are decidable for the class of cyclic protocols with one channel whose channel expressions are regular. However, he wrote in [13] that the decision procedure is hopelessly inefficient for any practical purpose. In [16] , Peng and Purushothaman showed that for the class of cyclic protocols with exactly one unbounded channel, the deadlock detection problem is decidable. Their method relied on the construction of a "stable cover set" and the construction of a finite automaton to recognize the stable cover set. It is not clear, however, that this procedure can. be automated efficiently. In [17] , they proposed a data flow approach to analyzing deadlock and unspecified reception for a protocol with n ;::: 2 machines by computing a superset of the set of reachable states as an approximated solution for a set of data flow equations. (17) . Therefore, for the analysis of cyclic protocols with n > 2 communicating finite state machines, only the decidability aspect has been studied. The complexity of decision procedures has been largely ignored. For practical analysis, it is highly desirable that the decision procedure be efficient. Moreover, all these techniques proposed for cyclic protocol validation analyze global states from the channel language viewpoint [12] . Reachability analysis, which has been a main focus in the analysis of protocols with two machines, has not been integrated into any of these approaches at all. As a matter of fact, it seems that there is a gap between protocols with two machines and protocols with more than two machines. Most of the methods, if not all, that have been proposed for the two machine case have not yet been carried over to the n > 2 case.
In this paper, we bridge this gap by looking into the possibility of applying the fair reachability technique to progress analysis for cyclic protocols with n > 2 communicating finite state machines. This includes some new results. Our contributions in this paper are summarized as follows: (1) Fair reachability is formalized in terms of synchronization and concurrency, providing a deeper insight into the interactions among processes. (2) An equivalence is established between the set of fair reachable states and the set of reachable states with equal channel length. As a result, deadlock detection is decidable for the class of cyclic protocols whose fair reachability graphs are finite. (3) A necessary and sufficient condition is presented for cyclic protocols to have finite fair reachability graphs. This condition ensures that for the class of cyclic protocols whose channels are not simultaneously unbounded, the deadlock detection problem is decidable. For the first tiine, the class of cyclic protocols with finite fair reachability graphs can now be exactly characterized. (4) For completeness, we also show that it is undecidable whether a cyclic protocol has a finite fair reachability graph. (5) Regarding the class of cyclic protocols whose deadlock detection is decidable, for n = 2, our result properly includes the one studied in (18, 10] ; for n > 2, our result properly contains the one examined in (16) and complements the one investigated in [13, 14] . More importantly, our decision procedure is much more straightforward and efficient for practical analysis, which was lacking in both [16] and [13, 14) . (6) To further demonstrate the power of our generalized fair reachability analysis technique, we prove that livelock detection is also decidable for the class of cyclic protocols with finite fair reachability graphs, an easy generalization from the one established for n = 2 in [8) Generalized fair reachability analysis for cyclic protocols was first reported in [5) , along with the decidability result of deadlock detection for the class of cyclic protocols with finite fair reachability graphs. Since then, the fair reachability notion has been revised to achieve further state reduction and allow for easier proofs. Most importantly, we have discovered a necessary and sufficient condition for the class of cyclic protocols with finite fair reachability graphs, and proved the undecidability of this condition, a key contribution to the study of cyclic protocols.
It should be clear that in this paper, we only study detection of deadlocks and livelocks in cyclic protocols using generalized fair reachability analysis. For detection of other logical errors in cyclic protocols, pure fair reachability analysis is not sufficient, as will be addressed in another paper [7) .
Communicating Finite State Machines
In this section, we brie:Hy introduce the communicating finite state machine model. Due to space limitations, some of the common definitions in the model are omitted. For a complete treatment of the model, please refer to [1, 4) and the full version of this paper (6) . 
where mod stands for the modulo operation. (3) We define an interval [i .. j] for an ordered set of at most n consecutive integers i, ( 4) We designate n as the number of processes in a protocol. Unless otherwise specified, we assume n ~ 2 and let i,j range over [l..n].
In the communicating finite state machine model, a protocol is specified as a set of n finite state machines, where each machine communicates with other machines via FIFO channels.
Definition 3.1 A protocol P =(Pt. P2, ... , Pn), n ~ 2, is a four-tuple (S, M, 0, r), where
• Each P; is a process represented as a finite state machine.
• S = (S1 , S2, ... , Sn), where S; represents the finite set of local states of process P;.
Each Mj;, j =f i, represents the set of messages that can be sent from Pj to P;.
• 0 = (s~,sg, ... ,s~), where s? E S; is the initial local state for P;.
• r, a partially defined transition function: Uf=1(S; X M; ..... S;), where M; = (Uj;i;{ -ml mE M;j}) U (Uj,.d+mlm E Mj;}).
A channel C;j, i =f j, is modeled as a FIFO queue connecting P; to Pj. The contents of C;; is denoted as c;;, which is a sequence of messages mE M;;. If C;; is empty, c;; =f.
For each P;, a transition defined at local states; E S; is denoted as r(s;, a), where a EM;. When u = -m, it is a sending transition, representing the transmission of message m by P;.
When a = +m, it is a receiving transition, representing the reception of message m by P;.
We use the notation r; = r(s;,a) to give a name r; for this transition, and use the notation s: = r(s;, a) to denote that s: is the local state resulting from the execution of the transition.
A local state s; in P; is a receiving local state if and only if all transitions defined in s; are receiving transitions. By definition, each P; is deterministic but partially defined.
Given a protocol P = (Pt. P2, ... , Pn), a communication topology graph of Pis a directed graph such that each node of the graph is labeled as one process P;, and there is an directed edge from node P; to node P;, i =f j, if and only if there is a FIFO channel C;; from process P; to process Pj. A protocol is cyclic if and only if its communication topology graph is a ring in which there is a directed edge from each node P; to P;an· Thus, in a cyclic protocol, each P; has only one input channel C;eti and only one output channel C;;an· From now on, we are dealing with cyclic protocols. Although concepts and notations introduced in the remainder of this section are presented in the context of cyclic protocols, they can be adapted to general protocols witl].out significant changes. However, for results established later in this paper, it should be clear that they apply to cyclic protocols only.
Given a cyclic protocol P = (Pt. P2, ... , Pn), a global state S is represented as a 2n-tuple (St. s2, ... , sn, Cnt. c12, ... cn-tn), where s; is the local state of P; in global state S, and c;eti is the content of channel C;91; in global state S. In particular, the initial global state S 0 is denoted as (s~,sg, ... ,s~,f, .. . ,€).
For the sake of brevity, a global state is called a state for short. As a convention, we use capital letters S,X to denote a state and small letters s;, x; to denote a local state of P;. Logical correctness of a protocol P can be determined by constructing the reachability graph for P and checking each node for logical errors. This state exploration technique is called reachability analysis. Obviously, in order for this technique to be useful, the reachability graph must be finite. In fact, it was shown that for protocols with n = 2, none of the logical errors are decidable [1] . Therefore, logical correctness is not decidable for cyclic protocols. For completeness of this paper, we present this general result as a theorem below. 
Generalized Fair Reachability
In this section, we extend the fair reachability notion for cyclic protocols with n ~ 2 machines. The concepts of concurrency and synchronization are described to provide better understanding of the interactions among processes and both are incorporated into the formation of fair progress vectors. With that, the generalized fair reachability relation is formulated. Based on this relation, we are able to show that all fair reachable states are reachable states with equal channel length. A sufficient condition is established for a cyclic protocol to have a finite fair reachability graph. This condition is a generalization of the one in [8] . Due to space limitations, lemmas and theorems presented in the rest of the paper are stated without proof. Please refer to the full paper [6] for details.
Fair Progress Vector Space
Given a cyclic protocol P = (PbP2, ... ,Pn)· LetS= (sbs2, ... ,sn,Cnt.Cl2,•··•cn-ln) be a state and r; = r( s;, u) be a transition defined at local state s;. r; is executable at s; in S if and For a dead end stateS, it is "dead" in the sense that no fair progress vectors can be derived from S. However, S might still have some transition executable at some local state s;. 
Generalizing Fair Reachability Relation
In this subsection, we generalize the fair reachability notion from (cyclic) protocols with two communicating finite state machines to cyclic protocols with n > 2 communicating finite state machines. The validity of this extension is also discussed. The result of applying von Sis such that 'Vi E [l..n] : si = r(s;, +m;el) and c\iffil = ciiaw Denote ~->j as the reflexive and transitive closure of >-'>J· Given two states SandS', S' is fair reachable from S if and only if S ~->j S'. When S = S 0 , we sayS' is fair reachable. Unless otherwise stated, when we sayS' is a fair reachable state, we mean it is fair reachable from S 0 .
Given a protocol P, the set offair reachable states, denoted as F, is called the fair reachable state space of P. As is the case for reachable states, we can define logical errors for fair reachable states. Given S E F, S is a fair deadlock state if and only if S is a deadlock state. Similarly, we can define unspecified reception, nonexecutable transition and unbounded channel for S [7] .
Since in a fair progress vector, multiple processes can make a move, we want to make sure that such concurrent transition execution is well-defined in the sense that any executable interleaving sequence of these concurrent transitions will lead to the same state. Careful study on the formulation of the synchronization vector and the concurrency vector shows that both do satisfy the above requirement. Therefore, ...... , is well-defined for cyclic protocols. Inductively, the generalized fair reachability relation >--+ j is also well-defined.
A state S = ( 81> s2, ... , sn, Cnl, c12, . .. , Cn-ln) is a state with equal channel length if and only if lcnll = led= ... = lcn-lnl· Note that any deadlock state is a state with equal channel length of zero. Note also that the initial state S 0 is a state with equal channel length of zero. Moreover, any fair progress vector in S 0 maintains the equal channel length property in the resulting state. Using this argument inductively, we arrive at the conclusion that the set of fair reachable states is included in the set of reachable states with equal channel length, as stated in the following theorem.
Theorem 4.1 Any fair reachable stateS is a reachable state with equal channel length.
As a result, the set of all fair reachable states F is closed under application of fair progress vectors from their respective fair progress vector space. In section 5, we will also show that any reachable state with equal channel length is also fair reachable, and it is this result that leads to deadlock detection using fair reachability analysis.
Based on this theorem, we can partition the fair reachable state space F into subsets by channel length. Let Fk, k :::>: 0, be the set of fair reachable states whose channel length is k. Note that the set of fair deadlock states is included in F 0 . As in reachability analysis, we construct a graph to systematically explore the fair reachability state space of a protocol during validation. Formally, a fair reachability graph FRG is a directed graph such that each node is labeled with a fair reachable state, and there is a directed edge from a node labeled with S to a node labeled with S' if and only if S >-> 1 S'. In particular, the node labeled with S 0 is called the initial node of FRG. Therefore, there is a directed path in FRG from the node labeled asS to the node labeled asS' if and only if S >-+j S'. From now on, we will use the term "a fair reachable state" and the term "a node labeled with that state in a FRG" interchangeably. We sometimes use S E FRG to denote that S is a fair reachable state. Note that the branching factor for each node in any FRG is finite, though FRG itself can be infinite.
Even if FRG is infinite, it may still be possible to characterize it with invariant properties and prove some results. Of course, we have not done so here. Thus, we can only say, when FRG is finite, it provides a useful tool to analyze the protocol. In [8] , Gouda et a! showed that for n = 2, if a (cyclic) protocol has one bounded channel, then its fair reachability graph is finite. The following theorem confirms that this result is also valid for n > 2. In fact, the above result also holds for a protocol with at least one bounded channel. Note that this sufficient condition is weaker than the one presented in (16] .
However, the converse of the above theorem is not true. For example, let P = (PI> P2 ) be a protocol such that: in P1. there is only one states~ with one sending transition r(s~, -m) = s~;
in P2, there is only one state sg with one receiving transition r(sg, +m) = sg. Clearly, channel C12 can grow unbounded. But the fair reachability graph of this protocol is finite with only one fair reachable state (s~,sg,E,E). Therefore, it would be highly desirable to find a necessary and sufficient condition to completely characterize the class of protocols whose fair reachability graphs are finite. This problem has not been solved in previous studies, even for n = 2. In section 5, we present a solution to this important problem.
Theory of Fair Reachability Analysis
In this section, we investigate two important theoretical aspects of fair reachability analysis. The first problem has to do with its error detecting capability, while the second one has to do with the termination of the state exploration procedure. Solutions for both problems contribute to the decidability results for cyclic protocols presented in the next section.
Partial Fair Execution Sequence
LetS= (st,B2,·· .,sn,Cn1,c12,.··•Cn-1n) and S' = (s~,s~, ... ,s~,c~1 ,c~2 , . .. ,c~_1 n) be two I states such that S >-+* S'. An execution sequence from S to S', denoted as e, is a sequence X 0 ::_. 
denoted as fs(S,S'). The length of fs(S,S')
, denoted as 1/s(S,S')I, is defined the number of fair progress vectors in the sequence, i.e., lfs(S,S')I = k. The corresponding local execution sequence in P; is also denoted as e;, i.e., fs(S,S') ~ {e1,e2, ... ,en}· Note that if Sis fair reachable, then Vj: 0 :5 j :5 k,Xi is fair reachable. In this case, S' is a fair reachable state.
When S = S 0 , fs(S,S') is simplified to fs(S), and is rewritten as
S 0 ~ S 1 ~ • • • ~ Sk, k ~
In this case, f s( S') is called a fair execution sequence of fair reachable state S'.
By definition, for each reachable state, there exists at least one execution sequence, but such a sequence might not be unique. However, some of these execution sequences may have the same set oflocal execution sequences. Let e ~ { et, e2, ... , en} and e' ~ { eL e~, ... , e~} be two execution sequences for a reachable state S. We define a relation= over the set of execution sequences for S as follows: e = e' if and only if Vi E [l..n] : e; = e:. It is straightforward that = is an equivalence relation over the set of execution sequences for S. Therefore, for any reachable state S, each such local execution sequence set characterizes a set of execution sequences for S. For state exploration, it is sufficient to examine these local execution sequence sets for each reachable state.
Formally, a local execution sequence set {ebe2, ... ,en} is schedulable for a stateS if and only if there is an execution sequence e for S such that the corresponding set of local execution sequences in e is {ebe2, ... ,en}· Similarly, a local execution sequence set { eb e2, ... , en} is fair schedulable for a state S if and only if there is a fair execution sequence fs(S) for S such that the corresponding set of local execution sequences in e is { e1. e2, ... , en}· Given a reachable stateS and one of its schedulable local execution sequence sets, { e1, e2, ... , en}, we want to construct for S from { e1, e2, ... , en} a fair execution sequence f s(Sk)
• S and there is no S' such that Sk ,__. 1 S' and S' ,__.
• S via the remaining local transitions in { eh e2, ... , en} in state Sk. It is not difficult to show that given S and { e1. e2, ... , en}, f s(Sk), and thus Sk, is unique. Hence, f s( Sk) and Sk are called the partial fair execution sequence and the fair precursor for S with respect to {ebe2,. .. ,en}, respectively, denoted as pfs (S,{ehe2, . .. ,en}) and fp(S,{el!e2,···•en}). When {e11 e2, ... ,en} is given and no confusion arises, they are denoted as pfs(S) and fp(S) for short. Note that in state fp( S), at least one of the local execution sequences is in its tail state, i.e., 3i E [l.
.n], the local state of P; in fp(S) is equal to s;, the local state of P; inS. The construction of pfs(S) and fp(S) for S with respect to {ebe2, ... , en} is carried out by the following algorithm:
Step 1: Initially, set X = S 0 , and seq = S 0 •
Step 2: Construct tin state X as follows: Vi E [l..n] : t; is set to the transition in e; in state X if x; is not the tail state in e;; t; = A otherwise.
Step 3: Compute v from t. If no v can be derived from t, goto step 5.
Step 4: Let X' be the state resulting from the execution of v in X. Set seq= seq· v ·X and X= X'. Goto step 2.
Step 5: Output pfs(S) as seq and fp(S) as X. End of procedure. The correctness of above algorithm can be argued informally as follows. Let k be the number of iterations from step 2 through step 4 in the algorithm. Denote Sk as X at the time the algorithm terminates. First, observe that during each iteration, if a fair progress vector is formed, then at least two local execution sequences e; and eiEBl are involved. As a result, the number of transitions remained in e; and eiEBl are decreased by 1, respectively. Since the number of transitions in each ej is finite, termination of the algorithm is guaranteed. Second, it is straightforward that at the time the algorithm terminates, seq is the fair execution sequence for Sk with respect to { eb e2, ... , en}· Note that at this point, no fair progress vector can be derived from Sk with respect to the remaining transitions in {el! e2, ... , en}· Therefore, at the time the algorithm terminates, seq and X are indeed the partial fair execution sequence and fair precursor for S with respect to {el,e2,···•en}, respectively.
In section 4, we have shown that for a cyclic protocol, any fair reachable state is a reachable state with equal channel length. Now, with the partial fair execution sequence construction algorithm, we are able to show that the converse is also true.
Theorem 5.1 Any reachable state with equal channel length is fair reachable.
Thus, we obtain an equivalence between the s~t of fair reachable states and the set of reachable states with equal channel length. In other words, we now have a completely characterization for the fair reachability state space.
Theorem 5.2
The fair reachability state space is exactly the set of reachable states with equal channel length.
An important implication of this theorem is that the notion of fair reachability is consistent with the notion of fair execution sequence in the sense stated in the following theorem. Theorem 5.3 Let { e1, e2, ... , en} be a schedulable local execution sequence set for S. If { e1, e2, ... , en} is fair schedulable for S, then any other schedulable local execution sequence set {e~,e~, ... ,e~} for Sis also fair schedulable for S. In other words, if Sis fair reachable, then it is fair reachable via any ,execution sequence for S.
Finite Fair Reachability Graph
Fair reachability analysis for a cyclic protocol P depends on the construction of the fair reachability graph FRG for P. For fair reachability analysis to be useful, FRG thus constructed must be finite. However, no necessary and sufficient condition has been established so far to exactly characterize the class of cyclic protocols amendable for fair reachability analysis. Without such a condition, the class of cyclic protocols whose FRG's are finite cannot be completely described.
In this section, we solve this problem in two steps. First, we investigate the class of cyclic protocols without a sending cycle, i.e., no P; has a cycle in which all transitions are sending transitions. Through the study, we discover the concept of simultaneous unboundedness, which is more fundamental in causing a cyclic protocol to have an infinite fair reachability graph than is the notion of a sending cycle. Then, we go on to show that the lack of simultaneous unboundedness is indeed a necessary and sufficient condition for a cyclic protocol to have a finite fair reachability graph. For completeness, we also show the undecidability of whether a cyclic protocol has a finite fair reachability graph.
For ease of presentation, we formalize the concept before the result. First, we notice that for a cyclic protocol without sending cycles, the notion of unboundedness is equivalent to simultaneous unboundedness. Lemma 5.1 Given a cyclic protocol P = { P1. P2, ... , Pn} without sending cycles. If one of its channels is unbounded, then all the other channels are unbounded.
Second, we show that for a simultaneously unbounded cyclic protocol, we can find a fair reachable state whose channels are simultaneously unbounded. With these two lemmas, we can establish an equivalence between the finiteness of reachability graph and finiteness of fair reachability graph for the class of cyclic protocols without sending cycles.
Theorem 5.4 Given a cyclic protocol P = { P1, P2, ... , Pn} without sending cycles, its fair reachability graph is finite if and only if its reachability graph is finite.
In fact, we can derive a stronger result based on the preceding proof.
Theorem 5.5 Given a cyclic protocol P = {PhP2, ... ,Pn} without reachable sending cycles, its fair reachability graph is finite if and only if its reachability graph is finite.
From this theorem, we can see that simultaneous channel unboundedness is another factor, and probably a more fundamental factor than sending cycle in causing a fair reachability graph to become infinite, as is confirmed by the following theorem.
Theorem 5.6 Given a cyclic protocol P =(PI> P2, ... , Pn), P has a finite fair reachability graph if and only if P is not simultaneously unbounded.
The next theorem says that if a cyclic protocol has a finite FRG, then we will be able to find the least upper bound K ~ 0 such that each reachable state has at least one channel whose length is bounded by K. In fact, K takes on the value that is the longest channel length any S E F can have.
Theorem 5.7 Given a cyclic protocol P with a finite FRG, we can determine the least upper bound K ~ 0 such that each reachable state of P has at least one channel whose length is bounded by K. Specifically, K is exactly the value such that FK ;/; 0 A FK+l = 0, i.e., the longest channel length among all the nodes in FRG.
The discovery of this necessary and sufficient condition is significant in that we are now able to exactly describe the class of cyclic protocols with finite fair reachability graphs from the protocol operational semantics viewpoint. To the best of our knowledge, this condition is the first necessary and sufficient condition for a cyclic protocol to have a finite fair reachability graph. However, as expected, the decidability aspect of this condition is negative, as is stated in the following theorem. The proof of the theorem is based on showing it is true for n = 2, an easy reduction by using the decidability result of boundedness detection established in [10] .
Theorem 5.8 Given a cyclic protocol P = (Pb P2, ... , Pn), it is undecidable whether P has a finite fair reachability graph.
Applying Fair Reachability Analysis
To demonstrate the power of our generalized fair reachability analysis technique, we show in this section that both deadlock detection and livelock detection are decidable for cyclic protocols with finite reachability graphs. The decidability of deadlock detection is a direct result from the theory of generalized fair reachability presented in section 5, while the decidability of livelock detection is an easy extension ton > 2 from the one established in [8] .
Deadlock Detection
Let P = ( P1, P2, ... , Pn) be a cyclic protocol. From the discussion in section 5, we know that the fair reachable state space F for P is exactly the set of reachable states with equal channel length. Hence, the set of deadlock states is included in Fo. IfF is finite, then deadlocks in P are detectable by constructing the finite fair reachability graph FRG for P. In addition, we know that the class of cyclic protocols that are not simultaneously unbounded is exactly the class of cyclic protocols whose FRG's are finite. As a result, we obtain the decidability of deadlock detection for this class of cyclic protocols, as stated in the following theorem.
Theorem 6.1 Given a cyclic protocol P whose fair reachability graph is FRG, P has a deadlock state if and only if there is a deadlock node in FRG. Hence, deadlock detection is decidable for the class of cyclic protocols whose fair reachability graphs are finite.
Livelock Detection
A livelock occurs in a protocol when each communicating entity is busy exchanging messages but doing nothing "useful". In [8, 9] , livelock is modeled by introducing a marking function into the communicating finite state machine model. For n = 2, they showed that livelock detection is undecidable for general protocols [9] , but is decidable for protocols with finite fair reachability graphs [8] .
In this subsection, we are going to generalize these results to cyclic protocols. In modeling livelock within the communicating finite state machine model, we adopt and generalize the definitions in [8] .
A There exists an infinite execution sequence e ~ { e1, e2, ... , en}, where and n; ~ 0. In other words, P has a livelock if and only if P can read a state from which P can loop indefinitely through a nonprogress cycle whose local execution cycles correspond to (C1,C2, ... ,Cn)-By the undecidability of livelock detection for n = 2 machines shown in [9] , we have the following: Theorem 6.2 Livelock detection is undecidable for cyclic protocols. Next, we show that livelock detection can be solved for cyclic protocols with finite fair reachability graphs [6] . The proof is a straightforward generalization from the one in [8] .
Theorem 6.3 Given a marked cyclic protocol P whose fair reachability graph FRG is finite, P has a livelock if and only if there is a fair execution cycle in FRG such that each of its corresponding local execution cycle is nonempty and is marked non progress. Therefore, livelock detection is decidable for the class of cyclic protocols with finite fair reachability graphs.
Conclusion
In this paper, we generalized the fair reachability analysis tecllnique to cyclic protocols with n ~ 2 communicating finite state machines. We established an equivalence between the set of all fair reachable states and the set of all reachable states with equal channel length, and discovered a necessary and sufficient condition for the class of cyclic protocols whose fair reachability graph are finite. The effectiveness of generalized fair reachability analysis is demonstrated by showing both deadlock detection and livelock detection are decidable for the class of cyclic protocols with finite fair reachability graphs. The strength of our approaclllies in the natural generalization of existing fair reachability technique and its simple, straightforward, and efficient decision procedure, which were missing in both [16, 17] and (13, 14] .
Fair reachability analysis was originally proposed as a technique to reduce state explosion during reachability analysis [18] . The same argument also applies to our work reported in this paper. By forcing the system to progress through a fair execution sequence, we have cut down the redundancy of state exploration due to equivalent execution sequences. Thus, our generalized fair reachability technique also significantly reduces the complexity of protocol verification.
In [7] , we study the detection of other logical errors for the class of cyclic protocols whose fair reachability graphs are finite. Therefore, for the class of cyclic protocols that are not simul-ta.neously unbounded, logical correctness can be validated algorithmically using our generalized fair reachability analysis technique. However, finite extensions of a. fair reacha.bility graph are needed in order to detect logical errors other than deadlocks, as was the case for boundedness detection for n = 2 in [10] . This phenomenon shows that pure fair reachability analysis is not sufficient to handle all the logical errors for the class of cyclic protocols with finite fair reachability graphs. However, for this class of cyclic protocols, the finite fair reachable state space does serve well a.s a. basis from which other logical errors can be detected.
It is possible to incorporate internal transitions into our fair progress vector formulation to allow our generalized fair rea.cha.bility technique to handle cyclic protocols with internal transitions and still achieve good state reduction in the analysis. We are currently working on this issue.
During the write-up of this paper, we were informed of the independent work by Peng on extending fair reacha.bility to a model called "single-link communicating finite state machines" [15] . In this model, each process can have multiple output channels but has only one common input channel to store messages from other processes. Although cyclic protocols are included in this model, the notion of fair reachability in this model is quite different from ours in that only two machines are allowed to make progress at one time restricted by the so-called "weightbalance" constraint in [15] . It is not clear, however, what class of protocols in his model is amendable for his analysis technique. For cyclic protocols, our fair reachability formulation has the following advantages: (1) Our fair reachability state space maintains the same nice equal channel length property as for n = 2 [18, 10] . (2) Both concurrency and synchronization vectors in our fair rea.chability notion allow more than two machines to progress at the time. As a result, for most cyclic protocols, our analysis achieves greater reduction in state generation than the one in [15] . (3) Aside from.deadlock, our approach can also detect livelocks and other logical errors, which are not covered in [15] .
Many open problems remain concerning our approach. First, although we have found a. necessary and sufficient condition for the class of cyclic protocols whose logical correctness is decidable, we are not sure how general it is in terms of tightening the boundary of cyclic protocols whose logical correctness is decidable. Further investigation of this aspect is necessary in order to fully evaluate its role in the decidability hierarchy. Second, a cyclic protocol is still simple in topology. It would be beneficial to look into the possibility of generalizing our work to protocols with more complicated and yet regular network topologies. Third, fair reachability analysis is only one type of improved reachability analysis techniques studied in the two machine case. The result of our work here should encourage more research on extending other techniques to the analysis of protocols with more than two machines. In [7] , the collective power of both fair progress and maximal progress [11, 13] state exploration is illustrated in the finite extension process, and has produced encouraging results. But more work along this line is necessary. Finally, it would be interesting to investigate the possibility of carrying the fair reachability analysis technique over to other specification models, such as the extended finite state machine model.
