University of Windsor

Scholarship at UWindsor
Electronic Theses and Dissertations

Theses, Dissertations, and Major Papers

2005

Improvements on handling design errors in communication
protocols.
Lihua Duan
University of Windsor

Follow this and additional works at: https://scholar.uwindsor.ca/etd

Recommended Citation
Duan, Lihua, "Improvements on handling design errors in communication protocols." (2005). Electronic
Theses and Dissertations. 2404.
https://scholar.uwindsor.ca/etd/2404

This online database contains the full-text of PhD dissertations and Masters’ theses of University of Windsor
students from 1954 forward. These documents are made available for personal study and research purposes only,
in accordance with the Canadian Copyright Act and the Creative Commons license—CC BY-NC-ND (Attribution,
Non-Commercial, No Derivative Works). Under this license, works must always be attributed to the copyright holder
(original author), cannot be used for any commercial purposes, and may not be altered. Any other use would
require the permission of the copyright holder. Students may inquire about withdrawing their dissertation and/or
thesis from this database. For additional inquiries, please contact the repository administrator via email
(scholarship@uwindsor.ca) or by telephone at 519-253-3000 ext. 3208.

Improvements on Handling Design Errors in
Communication Protocols

by
Lihua Duan

A Thesis
Submitted to the Faculty of Graduate Studies and Research
through Computer Science
in Partial Fulfillment of the Requirements for
the Degree of Master of Science at the
University of Windsor

Windsor, Ontario, Canada
2005
©2005 Lihua Duan

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Library and Archives Canada, Published Heritage Branch, 395 Wellington Street, Ottawa ON K1A 0N4, Canada
ISBN: 0-494-09791-4

NOTICE: The author has granted a non-exclusive license allowing Library and Archives Canada to reproduce, publish, archive, preserve, conserve, communicate to the public by telecommunication or on the Internet, loan, distribute and sell theses worldwide, for commercial or non-commercial purposes, in microform, paper, electronic and/or any other formats.

The author retains copyright ownership and moral rights in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.

In compliance with the Canadian Privacy Act some supporting forms may have been removed from this thesis. While these forms may be included in the document page count, their removal does not represent any loss of content from the thesis.

Abstract

With the rapid development of the Internet and distributed systems, communication protocols play a more and more important role. The correctness of the design of these communication protocols becomes crucial, especially when critical applications are concerned. Common logical design errors in communication protocols include deadlock states, unspecified receptions, channel overflow, non-executable transitions, etc. Such design errors can be removed via protocol synthesis, or detected through reachability analysis. The former may introduce more states and transitions than needed, and the latter suffers from the state space explosion problem. Here we present an improvement on an existing technique that transforms a protocol design into a deadlock-free one, considerably reducing the number of newly introduced states and transitions. We also propose a sound reduction technique for a class of protocol designs that significantly reduces their sizes before reachability analysis is performed.

Keywords: Communication Protocols, Protocol Synthesis, Formal Verification, Protocol Design, Communicating Finite State Machines.


Acknowledgments

First and foremost, I would like to express my heartfelt thanks to my supervisor, Dr. Jessica Chen, for her invaluable guidance, extensive time, extreme patience, and enthusiastic encouragement during my entire master studies. Without her help, the work presented here would not have been possible. Also, as an international student, I would have had a much harder life without her support and advice. I appreciate her for all she has done for me very much and it will always remain with me held deeply in my memory.

I would like also to thank my committee members, Dr. Scott Goodwin, Dr. Tim Traynor, and Dr. Luis Rueda, for spending their precious time to read this thesis and providing their comments and suggestions to this thesis.

Furthermore, I would like to thank my friends and fellow graduate students in my group for their help and discussions.

My special thanks go to the secretary at the School of Computer Science, Ms. Mary Mardegan, for her consistent help.

Last, but not least, I would like to thank all my family members for their support and encouragement for my studies.


Contents

Abstract  iii
Acknowledgments  iv
List of Tables  vii
List of Figures  viii
1 Introduction  1
2 Related Work  5
  2.1 Related Work of Protocol Design Construction  5
    2.1.1 Protocol Synthesis Approaches  5
    2.1.2 The Idea of Alur et al.  7
  2.2 Related Work on Reduction During Protocol Verification  9
    2.2.1 Partial Order Reduction (POR)  9
    2.2.2 Simultaneous Reachability Analysis (SRA) and Blocking-based Simultaneous Reachability Analysis (BSRA)  10
    2.2.3 Prefix-based Techniques  11
3 Preliminary  12
4 Properties of Protocols  18
  4.1 Common Errors of Protocols  18
    4.1.1 Deadlock States  18
    4.1.2 Unspecified Reception States  19
    4.1.3 Channel Overflow  20
    4.1.4 Nonexecutable Transitions  22
    4.1.5 Stable States and State Ambiguities  23
  4.2 Advanced Properties of Protocols  24
5 Construction Rules During Protocol Design  26
  5.1 Previous Work  26
    5.1.1 Projection of Global Observations and Initial Design Construction  28
    5.1.2 Construction Rules Rule_set and Rule_red  29
  5.2 Examples and Deadlocks in the Constructed Design  32
  5.3 Improvement on Construction Rule Rule'_neg  38
  5.4 Summary and Comparison  46
6 Reduction Rules During Design Verification  51
  6.1 Reduction Rules  51
  6.2 Preserving Error States Property  54
  6.3 Preserving Channel Overflow Property  58
  6.4 Preserving Nonexecutable Transitions Property  61
  6.5 Summary and Examples  62
  6.6 A Discussion  68
7 Conclusion and Future Work  69
References  71
Vita Auctoris  75

List of Tables

1 The Reduction Efficiency of Rule'_neg Compared with Rule_neg  48
2 The Properties Preservation Table of Reduction Rules  63
3 The Efficiency Table of Reduction Rule for Example 1  63
4 The Efficiency Table of Reduction Rule for Example 2  64

List of Figures

1 An Example to Show the Idea of Alur et al.  8
2 Model an Erroneous Channel Using CFSM  13
3 An Example of Two-process Protocol Containing Various Design Errors  19
4 A Simple Example of an Unbounded Protocol  21
5 Counterexample of Invalid Claim 1  22
6 Demonstration to Rule_set for Protocol Design  30
7 Demonstration to Rule_red for Protocol Design  31
8 The Constructed Designs of Example 5.1  33
9 The Constructed Designs of Example 5.2  34
10 The Constructed Designs of Example 5.3  36
11 The Constructed Designs of Example 5.4  37
12 The Constructed Designs of Example 5.3 Using the Improved Rule'_neg  44
13 The Constructed Designs of Example 5.4 Using the Improved Rule'_neg  45
14 The Constructed Designs with Rules in [6] of Example 5.3  47
15 The Constructed Designs with Rules in [6] of Example 5.4  47
16 The Constructed Designs of Example 5.5  49
17 Demonstration to the Reduction Rules for Deadlock Verification  52
18 Demonstration to the Invalid Reduction for Error State Verification  57
19 A Counterexample of the Invalid Rule for Error States Verification  58
20 An Example to Show Rule 1 Does Not Preserve the Property of Nonexecutable Transitions  62
21 The Application of the Rule 1 upon Example 1  64
22 The Global Specification of Example 1  65
23 The Application of the Rule 1 upon Example 2  66
24 The Global Specification of Example 2  67

1 Introduction

With the rapid development of the Internet and distributed systems, communications among individual processes play a more and more important role. Protocols are the core of communication networks. A protocol is communication software that specifies the interactions among a set of communicating entities by exchanging messages over channels. In other words, "A protocol defines the format and the order of messages exchanged between two or more communicating entities, as well as the actions taken on the transmission and/or receipt of a message or other event" [18]. These entities, in some literature, are also called communicating processes. Very often, each process is modeled as a communicating finite state machine (CFSM) [2, 3] and each channel between two processes is modeled as an error-free simplex FIFO queue.

A protocol design consisting of a set of CFSMs may suffer from logical errors. The common logical errors include deadlock states, channel overflow, nonexecutable transitions, etc. Once a faulty protocol is put into use, especially in critical applications, the loss can be enormous. Thus, it is crucial to construct an error-free protocol design and formally verify its correctness before implementation. Typical approaches to achieve this goal are as follows.

(1) Protocol synthesis. Given a partially specified protocol design, a complete design is constructed formally and automatically so that the constructed design does not manifest any logical errors. In reverse engineering, a set of observations of an existing communication system can be regarded as a partially specified protocol design, and the recovery of the presumed design is the work of protocol synthesis.

(2) Formal verification. There are two directions in the literature: theorem proving and finite-state-based model checking. The former involves three aspects, namely, formal modeling of the design, formal modeling of the design properties, and the inference rules to prove that the design satisfies the properties. For the latter, the design is interpreted as an operational model, such as Finite State Machines (FSM) or Labeled Transition Systems (LTS), and the design properties are normally modeled in a temporal logic; these approaches use state exploration techniques to check whether the design conforms to the properties. In the context of this thesis, "formal verification" means the finite-state-based model checking approach, since the protocol is modeled as a set of CFSMs.
In a software life cycle, protocol synthesis is used in the design phase, and formal verification is used in design verification. A software engineer may have different concerns in these two situations, though he/she is always dealing with the logical errors in the protocol design. In the design phase, a major concern is to construct a minimum design that is error-free and satisfies all the requirements of the customers. In design verification, he/she will confront the state explosion problem; i.e., the state space increases exponentially with the size of the protocol design, so one of the major concerns is to reduce the number of states while all the logical errors in the design can still be detected. This thesis is motivated by these concerns, and some improvements are made upon existing methods.

In the design phase, when a set of observations is given, we aim at constructing a deadlock-free design from it. The work in this thesis is motivated by [6]. In [6], three construction rules were proposed, and we want to improve the third rule, namely Rule_neg, so that it adds fewer states and transitions while the constructed design is still deadlock-free. Given a 2-process protocol design, the original rule adds the entire negation of the specification of one process onto the specification of the other process ("negation" means that if a transition in the specification is a sending transition with the label -m, then the negation of that transition is a receiving transition with the label +m, and vice versa). Actually, some of the newly added states and transitions make no contribution to the removal of deadlock states. Therefore, in our improved Rule'_neg we consider only the partial specification of one process that can really help to remove the deadlock states, and thus fewer states and transitions are added to the specification of the other process.
In design verification, the method we propose aims at reducing the number of states of the specification of each process before the global reachability analysis. Actually, our method can be regarded as pre-processing for the global reachability analysis, and other reduction methods, such as partial order reduction, can be applied to our derived specifications. We develop two reduction rules to deal with a specific pattern of transitions in the protocol specification, that is, at some state there is a choice about the execution order of two transitions, and whichever option is chosen, after the execution of these two transitions the same state is eventually entered. Reduction Rule 1 deals with the choice between a sending transition and a receiving transition, while Reduction Rule 2 deals with the choice between two sending transitions to different processes. When the conditions of the rules are met, some transitions can be considered redundant for formal verification and are removed; thus, the search state space is reduced. Furthermore, we prove that Reduction Rule 1 preserves deadlock and unspecified reception states and channel overflow errors but may not preserve non-executable transition errors. When the error of non-executable transitions is of concern, Reduction Rule 1 should not be used. We also prove that Reduction Rule 2 preserves all these four errors. In this thesis, we only discuss the verification of these four errors; the verification of other advanced properties is beyond the scope of this thesis. In the end, we discuss the efficiency of our reduction method with two examples. The drawback of this method is that if the protocol specification does not contain any pattern conforming to the conditions of the rules, the application of our method has no effect.

The rest of the thesis is organized as follows. Section 2 discusses the related work on the construction of protocol designs and the reduction techniques for protocol design verification. Section 3 introduces the terminology and notation used throughout the thesis. Section 4 shows some common errors of protocols and the advanced properties of protocols. In Section 5, we improve the third construction rule to construct a deadlock-free protocol design while adding fewer states and transitions when a set of observations is given. In Section 6, we propose a method with two reduction rules to reduce the protocol specifications during design verification. In the last section we present the conclusions of this thesis and future work.

2 Related Work

2.1 Related Work of Protocol Design Construction

2.1.1 Protocol Synthesis Approaches

The methods of protocol synthesis are divided into two categories: protocol-oriented synthesis methods and service-oriented synthesis methods. The former completes the protocol design from a given incomplete one, and the latter constructs the underlying protocol from the specification of the service that the protocol should provide. Saleh [25] gave an annotated bibliography on the synthesis of communication protocols. The method discussed in Section 5 belongs to the first category: we start from incomplete traces/observations and complete the design so that the interactions between its protocol entities proceed without manifesting any logical errors.

The related work we discuss here shares some common assumptions: 1) the channels are FIFO and reliable; 2) the formal model is the communicating finite state machine (CFSM), which we define formally in the next section.

One of the most influential papers in protocol-oriented synthesis is presented by Zafiropulo et al. in [34], and it is referred to as the ZWRCB methodology. Given two CFSMs, which might be incomplete or erroneous, the methodology proceeds as follows:

(1) The designer adds one sending transition to one machine;

(2) The designer executes an algorithm based on the synthesis rules to add the corresponding receiving transitions to the other machine. In the paper, three rules are developed to add the receiving transitions.

This procedure continues until the termination condition is met, that is, the same state is re-entered by the same receiving transition. Note that the designer should interact with the procedure whenever a designer's decision is needed.

Their approach is different from ours in the following aspects:

(1) Theirs is a forward engineering method while ours may be used as a reverse engineering method. Though the given design might be incomplete, in their approach it is assumed that some information in the form of a design graph is given. Ours may start from a set of traces, and we have to construct the design from them.

(2) Theirs can deal with protocols with cycles while ours can only deal with tree-like graphs. This is because the former can identify when and which states are repeated from the graph directly, while ours cannot identify the states from the implementation.

(3) The ZWRCB method first flattens the graph of each machine into a tree and adds all the missing receiving transitions into the tree. Then it uses a "flooring" operation to merge identical states and edges. In contrast, we construct the design directly without an intermediary graph.

(4) The ZWRCB method only considers that one sending transition may have multiple responding receiving transitions; but actually, the sending transition may have multiple occurrences; i.e., for the sending transition and the corresponding receiving transition, a one-to-many relationship is possible, a many-to-one relationship is possible, and a many-to-many relationship is also possible.

(5) The ZWRCB method is semi-automatic while ours is automatic.

The work of Sidhu [26] synthesizes n-process synchronous protocol designs from an informal specification, e.g., an English description or informal graphical representations. He developed the global specification as a reachability tree, which is the same as the one in [34]. In particular, he formalized the states of the global specification as an n x n matrix which contains the information of each process and each channel. The author gave some suggestions for preserving the error-free property during protocol synthesis, but no rule is given to guarantee its error-freeness. Our approach starts from a set of formal, but maybe incomplete, traces and results in an error-free design.

The work of Gouda and Yu [12] is limited to two CFSMs and is based on the assumption that protocols are asymmetric, where one machine M has a higher priority than the other. The algorithm takes machine M and constructs two communicating machines M' and N' such that 1) M' is constructed from M by adding some receiving transitions to it, and 2) the communication between M' and N' is bounded and free from errors. They only add receiving transitions, while we add both sending transitions and receiving transitions.

The work of Choi [8] is limited to two CFSMs. It starts from a set of well-formed protocol sequences, then applies a synthesizing algorithm to generate the CFSMs, and finally uses equivalence relations to reduce the CFSMs.

The work of Kakuda and Wakahara [16] synthesizes protocols for an unlimited number of processes. The key idea of their approach is components. First, the protocol specification of one process is split into many components according to which process it communicates with; second, the components are matched against 22 patterns developed in the paper to get a refined deadlock-free design; finally, the refined components are synthesized into a protocol specification.

2.1.2 The Idea of Alur et al.

In [1], Alur et al. answer the following questions: does a given design exactly describe an implementation? That is, is the design realizable by an implementation? If it is realizable, does it contain any deadlock states? Furthermore, what are the conditions that guarantee a deadlock-free realizable design?

An example from [1] is given in Figure 1 to show the idea of Alur et al. It is the setting of a nuclear power plant. Two clients, P1 and P2, can perform remote updates on the processes which control the plant: process UR controls the amount of Uranium fuel in the daily supply and process NA controls the amount of Nitric Acid in the daily supply.

[Figure 1: An Example to Show the Idea of Alur et al. Two message sequence charts, MSC1 and MSC2, over the processes P1, UR, NA and P2, exchanging "inc" and "double" messages.]

It is necessary that these amounts be equal in order to avoid a nuclear accident. The "inc" message denotes a request to increment the fuel amount by one unit, while the "double" message denotes a request to double the fuel amount. MSC1 and MSC2 are the design of this system. The authors argue that any system implemented according to this design will definitely have a trace like MSC_bad, which will result in an incorrect fuel mix and furthermore a nuclear accident. They then conclude that this system must be redesigned.

Their ideas share some similarities with ours:

• They analyze and construct a deadlock-free design from a given set of traces, though the traces are in the form of message sequence charts in [1];

• They solve a similar problem; i.e., if we first project these traces onto the distributed components and then compose them into a global specification, more traces will be created than the original ones.

We also have some differences:

• Our approach is to construct a deadlock-free design while their approach is to verify whether a design is deadlock-free. Our approach adds transitions to the protocol specification directly according to our rules, and after one execution of our rules we construct all the possible traces. Alur et al. propose two conditions for a deadlock-free design and thus two algorithms to check whether these two conditions are satisfied, respectively; if the design is not deadlock-free, the run stops and one faulty trace is given. Once there is a faulty trace, the protocol of the system has to be redesigned.

• We use a different formalism, namely CFSM, and it has strengths and weaknesses. The strength is that the design is always realizable: we do not need to consider solving the realizability problem. This is because the finite state machine is an abstraction of the behavior of the corresponding real machine. On the other hand, the message sequence charts they use can contain more information; for example, a message sequence chart implies all the partial order relations among the events, while we cannot find this information from the known traces. Thus, their approach can find more traces than ours.

2.2 Related Work on Reduction During Protocol Verification

2.2.1 Partial Order Reduction (POR)

Partial order reduction [11, 10] is a family of state reduction techniques used in the verification tool SPIN. It avoids redundant interleavings of transitions by selective search. POR uses the concept of trace equivalence to partition the set of all possible traces: two traces are equivalent if one can be transformed into the other by swapping adjacent independent transitions. One representative trace is selected from each equivalence class, thereby reducing the state space.
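The trace-equivalence idea behind POR can be made concrete with a small script. The following Python code is an added example and is not code from the thesis or from SPIN: for a constructed three-process exchange (process, channel and message names are assumptions) it enumerates every global interleaving that respects program order and FIFO channel semantics, treats two events as independent when they belong to different processes and touch different channels (a simple commutation condition assumed here), and partitions the interleavings into equivalence classes by the closure of swapping adjacent independent events, keeping one representative per class.

```python
from collections import deque

# Added example, not from the thesis. An event is (process, kind, channel, msg):
# kind "!" appends msg to the simplex FIFO channel, kind "?" removes it from the head.
# Constructed local behaviour of three processes (names are assumptions):
# P sends m1 to Q and m2 to R, then waits for Q's ack; Q answers m1 with ack; R consumes m2.
LOCAL = {
    "P": [("P", "!", "PQ", "m1"), ("P", "!", "PR", "m2"), ("P", "?", "QP", "ack")],
    "Q": [("Q", "?", "PQ", "m1"), ("Q", "!", "QP", "ack")],
    "R": [("R", "?", "PR", "m2")],
}


def interleavings(local):
    """All complete global traces that respect program order and FIFO channels.

    A send is always enabled; a receive is enabled only when the expected message
    is at the head of its channel. Incomplete runs (nobody enabled) are dropped.
    """
    results = []

    def step(pos, chans, trace):
        finished = True
        for p, events in local.items():
            if pos[p] == len(events):
                continue
            finished = False
            event = events[pos[p]]
            _, kind, ch, msg = event
            queue = chans.get(ch, ())
            if kind == "!":
                new_queue = queue + (msg,)
            elif queue and queue[0] == msg:
                new_queue = queue[1:]
            else:
                continue
            step({**pos, p: pos[p] + 1}, {**chans, ch: new_queue}, trace + (event,))
        if finished:
            results.append(trace)

    step({p: 0 for p in local}, {}, ())
    return results


def independent(e1, e2):
    """Assumed independence: events of different processes on different channels commute.

    Two events of one process keep their program order, and a send and a receive
    on the same channel are ordered by the channel, so those pairs are dependent.
    """
    return e1[0] != e2[0] and e1[2] != e2[2]


def equivalence_classes(traces):
    """Partition traces by the closure of swapping adjacent independent events."""
    universe, remaining, classes = set(traces), set(traces), []
    while remaining:
        start = min(remaining)
        cls, queue = {start}, deque([start])
        while queue:
            t = queue.popleft()
            for i in range(len(t) - 1):
                if independent(t[i], t[i + 1]):
                    swapped = t[:i] + (t[i + 1], t[i]) + t[i + 2:]
                    if swapped in universe and swapped not in cls:
                        cls.add(swapped)
                        queue.append(swapped)
        classes.append(cls)
        remaining -= cls
    return classes


def representatives(traces):
    """One representative (the lexicographically smallest trace) per class."""
    return [min(cls) for cls in equivalence_classes(traces)]


if __name__ == "__main__":
    all_traces = interleavings(LOCAL)
    reps = representatives(all_traces)
    print(f"{len(all_traces)} interleavings, {len(reps)} equivalence class(es)")
    for rep in reps:
        print(" ".join(f"{p}{k}{ch}({m})" for p, k, ch, m in rep))
```

For the constructed exchange, nine valid interleavings collapse into a single class, so a selective search that follows only the representative covers the same behaviour as exploring all nine. The closure is computed directly from the definition in the text (repeated swaps of adjacent independent events) rather than by a normal-form sort, because greedy local sorting does not always reach the lexicographically smallest member of a class; for the trace sizes of a model-checking run a real tool such as SPIN computes the reduction on the fly instead of enumerating interleavings first.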
POR is different from our method proposed in Section 6 in the following aspects. First, it is applied during the global reachability analysis while our reduction rules can be applied to the protocol specifications before the global reachability analysis. In some sense, our method proposed in Section 6 can be considered as pre-processing for POR. Second, though both methods try to find out what kinds of interleavings are unnecessary for verification, POR focuses on the interleavings in the global specification while our method focuses on the interleavings in the protocol specifications. Third, distinguishing the independent transitions is a huge and complicated task for partial order reduction since it needs to consider the partial order relations among different processes, but for our method it is straightforward to distinguish whether two transitions are independent within one process, namely, if sending or receiving of messages is enabled at the same time but to or from different channels, they are independent. Fourth, the sleep set method in POR is similar to ours in that both deal with special patterns of independent transitions. But the sleep set method is based on the record of the tracing history, so it is dynamic while our method is static. Fifth, POR is more efficient than ours as far as reduced states and transitions are concerned.
2.2.2

S im ultaneous R e a c h a b ility A n a lysis (S R A ) and B locking -ba sed Si
m ultane ous R e a c h a b ility A n a lysis (B S R A )

Simultaneous Reachability Analysis (SRA) [22, 17] and Blocking-based Simultaneous
Reachability Analysis (BSRA) [20, 21] are reduction techniques that tackle the state
explosion problem during protocol reachability analysis from another direction.
SRA allows multiple processes to proceed simultaneously and merges all the involved
transitions into one transition with multiple simultaneously executable actions;
however, each process can execute at most one transition at a time. BSRA builds on
the idea of SRA and improves it in the sense that more transitions can be merged at
a time, by introducing the notion of blocking points. In BSRA, receiving transitions
in different processes and sequences of transitions sending messages to different
processes are merged into one transition of the global network of the protocol. The
idea is to use local blocking points, which are states with one or more outgoing
receiving transitions, or with no outgoing transitions at all; merging must start
and stop at local blocking points. The algorithm preserves deadlocks and
non-executable transitions, but channel overflow and unspecified receptions are not
guaranteed to be preserved. However, the algorithm can be modified to preserve
these two properties. For example, to verify the channel overflow property of a
channel c, the algorithm delays the consumption of the messages in c as much as
possible; the algorithm can only check one channel in one execution.
The reduction technique works under an eager semantics, in the sense that when a
message is sent to a channel, it is consumed in the next transition during
reachability analysis. Thus the interleavings with delayed executions are reduced.
Note: they use a different definition of unspecified reception from ours, in that
they do not consider the possibility of succeeding transitions consuming the
messages already in the channels.

2.2.3 Prefix-based Techniques

[15, 5] proposed a prefix-based algorithm, called reachability testing, to solve the
state explosion problem during formal verification. One important concept is the
"race variant", which is the common prefix of some traces. All possible traces are
partitioned according to race variants: traces with the same race variant as their
prefix are in the same equivalence class. The idea of the algorithm is to control
an execution up to a certain point (the end of the race variant) and then
exhaustively explore the possible paths after that point. In the next run, all the
information of the previous run is abandoned; that is how it avoids the state
explosion problem. The most challenging task of this method is to identify and
compute the race variants; a partial order "happened before" relation is defined to
help identify them.
It is a technique that starts from the application level for verifying concurrent
programs, and it is implemented in the prototype tool RichTest.

3 Preliminary

We consider an n-process communication protocol (or n-process protocol, protocol
for short) as a fixed number of processes communicating with each other by sending
and receiving messages over error-free simplex channels. Each process is a protocol
entity represented by a communicating finite state machine (CFSM), and each
error-free simplex channel is represented by an unbounded FIFO queue. The
following definition of CFSM is formalized as in [6].

Definition 3.1 (Communicating Finite State Machines) A communicating finite state machine is a quadruple $(S, M, s^0, \rightarrow)$ where
• $S$ is a finite set of states and $s^0 \in S$ is the initial state,
• $M$ is a finite set of messages, and
• $\rightarrow \subseteq S \times \{+m, -m \mid m \in M\} \times S$ is a set of transitions.

A transition $(s, \mu, s') \in \rightarrow$ of a process, also denoted $s \xrightarrow{\mu} s'$, intuitively
changes the state of the process from $s$ to $s'$ by event $\mu$. We use $-m$ to denote the
event of sending message $m$, and $+m$ to denote the event of receiving message $m$.
Moreover, we use $E_M$ to denote the set of events of sending/receiving messages
in $M$, i.e., $E_M = \{+, -\} \times M$. In this thesis, since we use graphs to represent
the specifications of processes and protocols, we also call the events that cause the
transitions the labels of the transitions, as in graph theory, for convenience.
Note: an erroneous channel, also called a noisy channel or an unreliable channel,
distorts the messages passing through it. In the appendix of [34], Zafiropulo et al.
used a CFSM to model the behavior of an erroneous simplex channel responding to one
particular message $x$. Whenever a message $x$ is received, the process representing
the behavior of the channel moves from the initial state to state $s^1$. Then it
arbitrarily chooses one of the following actions to return from $s^1$ to the initial
state: 1) no event, which models the channel losing the message $x$; 2) sending $x'$,
which models the channel corrupting $x$; or 3) sending $x$, which models the channel
letting the message through unchanged. Figure 2 shows the CFSM of such an erroneous
channel.

Figure 2: Modeling an Erroneous Channel Using a CFSM (transition labels $+x$ and $-x$)

Furthermore, an erroneous channel may reorder the messages if it contains more than
one message. To solve the problems caused by erroneous channels, error recovery,
message numbering and synchronous hand-shaking techniques may be applied. This is
another important topic of the protocol design area, and some research has been
done on it, such as [23, 7]. In this thesis, we focus on solving problems caused by
concurrent actions rather than those of erroneous channels, so we restrict our
discussion to error-free FIFO channels, which always deliver what they have
received, in the same order.
In a protocol, we use the binary relation $(i, j)$ to denote the existence of a simplex
channel from process $P_i$ to process $P_j$, and we use $M_{i,j}$ to denote the set of all
messages that can be put onto it. For convenience, we assume that the messages in
different channels are all distinct. This assumption is reasonable because the
sender must know the destination of a message in order to send it out to the
channel, and the receiver must know the source of the message; in a sense, each
message has a header that labels its source and destination, and this makes the
messages in different channels disjoint. Now we can give the definition of
n-process communication protocols.


Definition 3.2 (n-process Communication Protocols) An n-process communication protocol $P$ is a triple $(L, M, T)$ where
• $L \subseteq \{(i, j) \mid i, j \in [1, n],\ i \neq j\}$ for $n \geq 2$,
• $M = \{M_{i,j} \mid (i, j) \in L\}$ with $M_{i,j} \cap M_{k,l} = \emptyset$ if $(i, j) \neq (k, l)$, and
• $T = \{(S_i, M_i, s_i^0, \rightarrow_i) \mid i \in [1, n],\ M_i = \bigcup_{(i,j) \in L} M_{i,j} \cup \bigcup_{(j,i) \in L} M_{j,i}\}$ is a set of CFSMs.

In the context of this thesis, we use $P_i$ to represent the $i$-th process of the
n-process protocol $P$, and $T_i$ to represent the CFSM of process $P_i$.
An n-process communication protocol is minimal if no reduction can be made to
$(\mathrm{CFSM}_i)_{i=1}^n$ using the standard determinization and reduction algorithms of
automata theory [14].
A global state of a protocol is composed of a local state of each process and the
content of each channel. The content of a channel can be represented as a string
$\omega$ of messages, which may be empty. In this thesis, we may use "state" as a short
form of "global state", and "local state" will be used explicitly. We use an $n \times n$
matrix to represent a global state, as in [31]. Let $s_i$ denote the local state of
process $P_i$, and let $\omega_{i,j}$ denote the content of the simplex channel $(i, j)$. Then
we have the global state $s$:
$$
s = \begin{pmatrix}
s_1 & \omega_{1,2} & \omega_{1,3} & \cdots & \omega_{1,n} \\
\omega_{2,1} & s_2 & \omega_{2,3} & \cdots & \omega_{2,n} \\
\omega_{3,1} & \omega_{3,2} & s_3 & \cdots & \omega_{3,n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
\omega_{n,1} & \omega_{n,2} & \omega_{n,3} & \cdots & s_n
\end{pmatrix}
$$

The evolution of a protocol is described in terms of the transitions from one
global state to another. Such transitions are built up from the transitions of each
process, taking into account their effect on the contents of the related channels.
We use $|\omega|$ to denote the length of a string $\omega$ and, since the channel is FIFO,
we assume the following functions on strings:
• $del(\omega)$ ($|\omega| \geq 1$) returns the string resulting after the first element of $\omega$ is
deleted;
• $ins(\omega, m)$ returns the string resulting after $m$ is appended at the end of $\omega$;
• $\omega[i]$ ($|\omega| \geq i$) returns the $i$-th element of $\omega$.
The initial global state is characterized as follows: 1) each process $P_i$, $i \in [1, n]$,
is at its initial state $s_i^0$; 2) all channels are empty, i.e., for any $i, j \in [1, n]$, $i \neq j$,
$\omega_{i,j} = \varepsilon$. In this thesis, we assume protocols are periodic, i.e., after an execution
of the protocol it returns to the initial global state; therefore we do not have any
additional final global state, and the initial global state is regarded as the only
final global state.
If no process of a protocol can execute its next sending transition until it
receives the reply to the previously sent message, the protocol is synchronous;
otherwise, it is asynchronous. In this thesis, we discuss methods for general
protocols that are especially suitable for asynchronous protocols.
Definition 3.3 (Network of a Protocol) The network $N$ of protocol $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ is a quadruple $(S, M, s^0, \rightarrow)$, where
• $S = \prod_{i=1,\dots,n} S_i \times \prod_{(i,j) \in L} M_{i,j}^*$;
• $M = \bigcup_{i=1,\dots,n} M_i$;
• $s^0 = \prod_{i=1,\dots,n} s_i^0 \times \prod_{(i,j) \in L} \varepsilon$;
• $\rightarrow \subseteq S \times E_M \times S$ is the set of transitions defined as follows: for all $s, s' \in S$ with $s = \prod_{i=1,\dots,n} s_i \times \prod_{(i,j) \in L} \omega_{i,j}$ ($\omega_{i,j} \in M_{i,j}^*$),
  – $s \xrightarrow{+m} s'$ iff $\exists (k, l) \in L$, $m \in M_{k,l}$ and $s'_l \in S_l$ such that
    • $\omega_{k,l}[1] = m$,
    • $s_l \xrightarrow{+m}_l s'_l$, and
    • $s' = \prod_{i=1,\dots,l-1,l+1,\dots,n} s_i \times s'_l \times \prod_{(i,j) \in L \wedge (i,j) \neq (k,l)} \omega_{i,j} \times del(\omega_{k,l})$;
  – $s \xrightarrow{-m} s'$ iff $\exists (k, l) \in L$, $m \in M_{k,l}$ and $s'_k \in S_k$ such that
    • $s_k \xrightarrow{-m}_k s'_k$, and
    • $s' = \prod_{i=1,\dots,k-1,k+1,\dots,n} s_i \times s'_k \times \prod_{(i,j) \in L \wedge (i,j) \neq (k,l)} \omega_{i,j} \times ins(\omega_{k,l}, m)$.

The network of a protocol is actually a directed graph in which global states are
the nodes and transitions are the arcs. In this thesis, we use the network of a
protocol and the global specification of a protocol interchangeably, and we use the
protocol specifications of a protocol and the CFSMs of a protocol interchangeably.
Note: $M_{i,j}^*$ denotes a string over the alphabet $M_{i,j}$, possibly the empty string.
Definition 3.4 (Reachable States) Let $N = (S, M, s^0, \rightarrow)$ be the network of protocol $P$. A state $s \in S$ is reachable if $s = s^0$, or for some $r \geq 1$, $\exists s^1, \dots, s^r \in S$, $\exists \mu_1, \dots, \mu_r \in E_M$ such that $s^r = s$ and $s^{i-1} \xrightarrow{\mu_i} s^i$ for $i = 1, \dots, r$.

Definition 3.5 (Traces) Let $N = (S, M, s^0, \rightarrow)$ be the network of protocol $P$ and $s \in S$ a reachable state. If $s = s^0$, then the trace $\rho$ of $s$ is $\varepsilon$. Otherwise, for some $r \geq 1$, $\exists s^1, \dots, s^r \in S$, $\exists \mu_1, \dots, \mu_r \in E_M$ with $s^{i-1} \xrightarrow{\mu_i} s^i$ for $i = 1, \dots, r$, such that $s^r = s$. Let $\rho = \mu_1 \mu_2 \cdots \mu_r$; then $\rho \in E_M^*$ is a trace of $s$, and we write $s^0 \xrightarrow{\rho} s$.

Intuitively, a state $s$ is reachable iff there exists a trace $\rho$ leading to it from the
initial state. $R$ will denote the reachable global state space of a protocol $P$. Clearly,
$R \subseteq S$, since $R$ contains only those states in $S$ that are reachable. We also use $\rho[i]$
to denote the $i$-th element of $\rho$ and $|\rho|$ to denote the length of $\rho$.
A trace $\rho \in E_M^*$ is well-formed if all receiving events have their corresponding
sending events; a well-formed trace $\rho \in E_M^*$ is complete if all sending events have
their corresponding receiving events.


Definition 3.6 (Well-formed Trace) For all $e \in E_M$ and $\varrho \in E_M^*$, $e$ is possible after the trace $\varrho$ if $\exists m \in M$ such that either $e$ is the sending event $-m$, or $e$ is the receiving event $+m$ and the number of occurrences of $-m$ in $\varrho$ is greater than the number of occurrences of $+m$ in $\varrho$. A trace $\rho \in E_M^*$ is well-formed if for every proper prefix $\varrho$ of $\rho$, the next event $e$ of $\rho$ is possible after $\varrho$.

Definition 3.7 (Complete Trace) A well-formed trace $\rho \in E_M^*$ is complete if for all $m \in M$, the number of occurrences of $-m$ in $\rho$ equals the number of occurrences of $+m$ in $\rho$.

Definition 3.8 (Deterministic Network) Let $N = (S, M, s^0, \rightarrow)$ be the network of protocol $P$, and $\rho \in E_M^*$ a trace. $s^0$ after $\rho$ is the set of states $\{s \mid s^0 \xrightarrow{\rho} s\}$. $N$ is deterministic if for all $\rho \in E_M^*$, $s^0$ after $\rho$ has at most one element; otherwise, it is nondeterministic.

In this thesis, if not specified otherwise, the network of a protocol is deterministic.
Unlike a trace, we define a fragment of a trace $\rho$ as a path $\sigma$ that can start
from any state, with $\sigma \in E_M^*$. Moreover, for any $s \in R$, we use the following notation:
• $s^1 \xrightarrow{\sigma} s^{r+1}$, where $\sigma = \mu_1 \cdots \mu_r \in E_M^*$, if $\exists s^2, \dots, s^r \in S$ such that $s^i \xrightarrow{\mu_i} s^{i+1}$ for $i = 1, \dots, r$;
• $s \xrightarrow{\sigma}$, where $\sigma \in E_M^*$, if $\exists s'$ such that $s \xrightarrow{\sigma} s'$;
• $s \not\xrightarrow{\sigma}$, where $\sigma \in E_M^*$, if $\nexists s'$ such that $s \xrightarrow{\sigma} s'$;
• $\sigma_1 \cdot \sigma_2$ is the concatenation of two paths $\sigma_1$ and $\sigma_2$, and we have $s \xrightarrow{\sigma_1 \cdot \sigma_2} s''$, where $\sigma_1, \sigma_2 \in E_M^*$, if $\exists s, s', s'' \in S$ such that $(s \xrightarrow{\sigma_1} s') \wedge (s' \xrightarrow{\sigma_2} s'')$.

4 Properties of Protocols

4.1 Common Errors of Protocols

In this thesis, we assume the channels between protocol entities are reliable, and
that the receiver can eventually get a message sent to it if it waits long enough;
i.e., we do not discuss protocols with explicit time constraints such as time-outs.
Within this framework, we discuss some properties of protocols that people are
concerned with, i.e., potential design errors, namely deadlock states, unspecified
receptions, nonexecutable transitions, state ambiguities, and channel overflow. We
call them potential design errors because some of these errors are designed on
purpose by the designers. For example, the designers may intend to terminate the
protocol at a deadlock state when its function is complete rather than returning to
the initial state. However, it is always useful to identify these potential errors.

4.1.1 Deadlock States

A deadlock is a reachable global state $s$ where all channels are empty and no process
can send a message.

Definition 4.1 (Deadlock States) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol and $N = (S, M, s^0, \rightarrow)$ the network of $P$. A state $s$ is called a deadlock if it is reachable, $s = \prod_{i=1,\dots,n} s_i \times \prod_{(i,j) \in L} \varepsilon$, and $\nexists i \in [1, n], m \in M_i$ such that $s_i \xrightarrow{-m}_i$.
Figure 3, which is a modification of [34], shows an example of various potential
design errors. At the beginning of the interaction, both processes $P_1$ and $P_2$ are at
their initial states. When $P_1$ enters state $r^1$ by sending the message $x$, $P_2$ enters
state $t^1$ by sending the message $z$ at the same time. Then $P_1$ receives the message $z$
and enters state $r^2$, while $P_2$ receives the message $x$ and enters state $t^2$. Now both
processes are waiting to receive messages while all channels are empty and no process
can possibly send a message. Thus, the global state containing $r^2$ and $t^2$ as its local
states for processes $P_1$ and $P_2$ respectively is a deadlock state in the network of the
protocol.

Figure 3: An Example of a Two-process Protocol Containing Various Design Errors

4.1.2 Unspecified Reception States

An unspecified reception is a reachable global state $s$ where the head of an incoming
channel cannot be consumed by the related process at $s$, nor at any reachable global
state succeeding $s$.

Definition 4.2 (Unspecified Reception States) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol and $N = (S, M, s^0, \rightarrow)$ the network of $P$. A state $s$ is called an unspecified reception state if it is reachable and $s = \prod_{i=1,\dots,n} s_i \times \prod_{(i,j) \in L} \omega_{i,j}$, where $\omega_{i,j} \in M_{i,j}^*$, such that $\exists (k, l) \in L$ with $\omega_{k,l} \neq \varepsilon$, $s \not\xrightarrow{+\omega_{k,l}[1]}$, and $\forall t \in S, \sigma \in E_M^*$ such that $s \xrightarrow{\sigma} t$: $t \not\xrightarrow{+\omega_{k,l}[1]}$.

Our definitions of deadlock states and unspecified reception states conform to the
notions in most of the literature, such as [34, 6]. However, in some literature, such
as [1], the definitions of deadlock states and unspecified receptions are combined
into deadlock states, since both deadlock states and unspecified reception states
share the same problem: they both get stuck and have no outgoing transition in the
network of the protocol. Therefore, we will use error state as a shorthand for
deadlock state or unspecified reception state.
In Figure 3, there is an unspecified reception error. Consider the following
scenario. Both processes $P_1$ and $P_2$ are at their initial states. Process $P_2$ sends
the message $z$ and enters state $t^1$. Process $P_1$ receives the message $z$ and enters
state $r^1$, then $P_1$ continues by sending the message $y$. Now it is stuck: both
processes are waiting to receive messages, while the head of channel $(1, 2)$, namely
$y$, cannot be consumed by $P_2$. Thus, the global state containing these two local
states is an unspecified reception state in the network of the protocol.

4.1.3 Channel Overflow

A channel overflow error may occur if: 1) the length of the content of a channel may
be infinite, since no channel in the real world can have an infinite length to hold
the content; 2) the length of the content of a channel is finite but greater than
the physical limitation of the channel.

Definition 4.3 (Channel Overflow Error) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol and $N = (S, M, s^0, \rightarrow)$ the network of $P$. For any $s \in S$, $s = \prod_{i=1,\dots,n} s_i \times \prod_{(i,j) \in L} \omega_{i,j}$, where $\omega_{i,j} \in M_{i,j}^*$, and let the physical limitation of channel $(i, j)$ be $k_{i,j}$. A channel overflow error occurs over channel $(i, j)$ if $\exists s \in S$, $\rho \in E_M^*$ such that $s^0 \xrightarrow{\rho} s$ and $k_{i,j} < |\omega_{i,j}|$.

Definition 4.4 (Bounded Protocol) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol and $N = (S, M, s^0, \rightarrow)$ the network of $P$. If there is an integer $k$ such that for every reachable state $s = \prod_{i=1,\dots,n} s_i \times \prod_{(i,j) \in L} \omega_{i,j}$, where $\omega_{i,j} \in M_{i,j}^*$, we have $|\omega_{i,j}| \leq k$ for all $(i, j) \in L$, then the protocol $P$ is a bounded protocol. Otherwise, it is unbounded. If $k$ is the least integer satisfying the condition $|\omega_{i,j}| \leq k$, we say the protocol is $k$-bounded.
Figure 4 shows a simple example of an unbounded protocol: if process $P_2$ delays
receiving the messages in channel $(1, 2)$, the length of the content may grow without
bound, and we cannot find an integer that is always greater than it. The example in
Figure 3 is a 2-bounded protocol. All synchronous protocols are 1-bounded.

Figure 4: A Simple Example of an Unbounded Protocol
A possible solution to the channel overflow errors of an unbounded protocol is to
modify the protocol itself, either by adding a recovery mechanism or by making the
protocol bounded. To tackle the channel overflow error of a $k$-bounded protocol, we
can set the physical limitation of the channels to at least $k$, or modify the
protocol itself.
The definition of the bound of a protocol $P$ refers to the network of $P$, which may
suffer from the state explosion problem, but it is hard to find a better way. Next,
we show that it is not easy to find the bound of $P$ from other specifications, such
as the CFSMs of $P$. Let us start with the following claim.

Claim: Given a protocol $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$, $P$ is unbounded if in some $\mathrm{CFSM}_i$ there is $\sigma = \mu_1 \cdots \mu_r \in E_{M_i}^*$ such that for every $l \in [1, r]$, $\mu_l$ is in the set $\{-\} \times M_{i,j}$ for some $j \in [1, n]$, and $s_i^1 \xrightarrow{\mu_1} s_i^2 \xrightarrow{\mu_2} \cdots \xrightarrow{\mu_r} s_i^1$.

Proof: The condition of the claim guarantees that there is a cycle of sending
transitions in a CFSM. Since a sending transition is always enabled over an
unbounded FIFO channel, the process can go around this cycle forever and keep
sending messages to the channel. Thus there exists a trace of infinite length along
which the channel contents grow without bound. □


Figure 5: Counterexample of Invalid Claim 1
Intuitively, a protocol is unbounded if any of its CFSMs has a cycle of sending
transitions; such a cycle is called a livelock in some of the literature. Actually,
the above condition is sufficient but not necessary: the converse is invalid. Figure 5
shows a counterexample: there is no cycle of sending transitions in any of the CFSMs,
but the communication between $P_1$ and $P_3$ is not bounded when $P_1$ and $P_2$ keep talking
and $P_3$ never receives any message from channel $(1, 3)$.
For a similar reason, both directions of the following claim are invalid.

Invalid Claim: $P$ is $k$-bounded iff $\exists i \in [1, n]$ and $\sigma = \mu_1 \cdots \mu_r \in E_{M_i}^*$ of $\mathrm{CFSM}_i$ such that $\forall l \in [1, r-1]$, $\mu_l$ is in the set $\{-\} \times M_{i,j}$, $\mu_r$ is in the set $\{+\} \times M_{j,i}$, $s_i^1 \xrightarrow{\mu_1} s_i^2 \xrightarrow{\mu_2} \cdots \xrightarrow{\mu_r} s_i^{r+1}$, and $k$ is the maximum number of the $\mu_l$ that go to the same channel $(i, j)$ for some $j$.

In fact, if we can find such a $k$ as in the above claim, we can only conclude that the
bound of the protocol is at least $k$. Thus, to decide the bound of a protocol, knowing
only the information of each $\mathrm{CFSM}_i$ of $P$ is not enough; we have to know their
composition, i.e., the network $N$ of $P$.

4.1.4 Nonexecutable Transitions

Since the network $N$ of a protocol $P$ is the composition of all the process entities,
it is straightforward that the transitions in $N$ involving process $P_i$ form a subset
of the transitions defined in the corresponding CFSM of process $P_i$. On the other
hand, the transitions defined in the CFSM of process $P_i$ need not all appear among
the transitions in $N$ involving $P_i$: in the CFSM of process $P_i$, some states may never
be reached and some transitions may never be executed under normal conditions. We
are more concerned about nonexecutable transitions, because whenever these
transitions are identified, we can trace them to find the unreachable states.
Definition 4.5 (Nonexecutable Transitions) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol, $N = (S, M, s^0, \rightarrow)$ the network of $P$, and $\mu \in E_{M_i}$ an event of process $P_i$. A transition $s_i \xrightarrow{\mu}_i s'_i$ of process $P_i$ is nonexecutable if for all reachable $s \in S$ that contain $s_i$ as the local state of process $P_i$, $\nexists s' \in S$ such that $s \xrightarrow{\mu} s'$, where $s'_i$ is the local state of process $P_i$ at $s'$.

In Figure 3, no normal transition sequence can cause state $t^2$ of $P_2$ to receive
message $x$; hence $t^3$ is not entered and message $u$ cannot be sent. Consequently,
state $r^3$ of process $P_1$ cannot be reached, and its receiving transition with label
$+z$ is nonexecutable.
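The following Python program is an added example; it is not code from the thesis or from the works it cites. It implements the network construction of Definition 3.3 and the reachability analysis of Definition 3.4 as a breadth-first search over global states, then checks the reachable graph for deadlock states (Definition 4.1), unspecified reception states (Definition 4.2, including the clause that no successor ever consumes the channel head), the least channel bound (Definition 4.4) and nonexecutable transitions (Definition 4.5). The two-process protocol embedded in it is constructed for illustration; its states r0..r3, t0..t3 and messages x, y, z, u are not those of Figure 3, and the CFSM representation (initial state plus a table from local state to (event, next state) pairs) is an assumption of the example. Channels are explored only up to a cap so that the search terminates even on an unbounded protocol; reaching the cap is reported as a possible overflow, not as a proven bound.

```python
from collections import deque

# Constructed two-process protocol used as sample input; it is not Figure 3 of
# the thesis. A CFSM is (initial state, table), table: local state -> list of
# (event, next state), with ('-', m) for sending m and ('+', m) for receiving m
# (Definition 3.1). Every message belongs to exactly one simplex channel, which
# is the disjointness assumption of Section 3.
CHANNELS = ((1, 2), (2, 1))
CHANNEL_OF = {"x": (1, 2), "y": (1, 2), "z": (2, 1), "u": (2, 1)}
CFSMS = {
    1: ("r0", {"r0": [(("-", "x"), "r1"), (("-", "y"), "r3")],
               "r1": [(("+", "z"), "r2"), (("+", "u"), "r0")],
               "r2": [],
               "r3": [(("+", "u"), "r0")]}),
    2: ("t0", {"t0": [(("-", "z"), "t1"), (("+", "x"), "t2")],
               "t1": [(("+", "x"), "t3")],
               "t2": [(("-", "u"), "t0")],
               "t3": [(("+", "y"), "t0")]}),
}


def initial_state(cfsms):
    """Global state = (local states in process order, channel contents in
    CHANNELS order); s^0 has every process at s_i^0 and every channel empty."""
    return (tuple(cfsms[p][0] for p in sorted(cfsms)),
            tuple(() for _ in CHANNELS))


def successors(cfsms, state, cap):
    """Global transitions of Definition 3.3: -m appends m to its channel (ins);
    +m is enabled only when m is the channel head and then removes it (del).
    A send onto a channel already holding `cap` messages is reported as an
    overflow instead of being explored, so the search always terminates."""
    locals_, chans = state
    out, overflow = [], False
    for idx, pid in enumerate(sorted(cfsms)):
        for (kind, m), nxt in cfsms[pid][1][locals_[idx]]:
            c = CHANNELS.index(CHANNEL_OF[m])
            if kind == "-":
                if len(chans[c]) >= cap:
                    overflow = True
                    continue
                new_chan = chans[c] + (m,)
            elif chans[c][:1] == (m,):
                new_chan = chans[c][1:]
            else:
                continue                  # receive not enabled: wrong head or empty
            new_state = (locals_[:idx] + (nxt,) + locals_[idx + 1:],
                         chans[:c] + (new_chan,) + chans[c + 1:])
            out.append(((pid, locals_[idx], kind + m, nxt), new_state))
    return out, overflow


def reach(graph, start):
    """States reachable from `start` (inclusive) in the explored network."""
    seen, todo = {start}, [start]
    while todo:
        for _, t in graph[todo.pop()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def analyze(cfsms, cap=8):
    """Breadth-first exploration of the reachable state space R (Definition
    3.4), followed by the checks of Section 4.1 on the resulting graph."""
    graph, fired, overflow = {}, set(), False
    queue = deque([initial_state(cfsms)])
    while queue:
        s = queue.popleft()
        if s in graph:
            continue
        succ, ov = successors(cfsms, s, cap)
        overflow = overflow or ov
        graph[s] = [(tr[2], t) for tr, t in succ]
        for tr, t in succ:
            fired.add(tr)                 # local transition seen in the network
            queue.append(t)
    # Definition 4.1: all channels empty and nothing enabled, i.e. no send.
    deadlocks = {s for s, edges in graph.items()
                 if not edges and all(w == () for w in s[1])}
    # Definition 4.2: a channel head that neither s nor any successor consumes.
    unspecified = set()
    for s in graph:
        for w in s[1]:
            if w and not any(lbl == "+" + w[0]
                             for t in reach(graph, s) for lbl, _ in graph[t]):
                unspecified.add(s)
    # Definition 4.5: local transitions that never fire in the network.
    declared = {(pid, src, kind + m, nxt)
                for pid, (_, table) in cfsms.items()
                for src, edges in table.items() for (kind, m), nxt in edges}
    return {"reachable": len(graph),
            "deadlocks": deadlocks,
            "unspecified_receptions": unspecified,
            "nonexecutable": declared - fired,
            # Definition 4.4: least k with |w| <= k on every reachable state;
            # only meaningful when no overflow against `cap` was reported.
            "bound": max(len(w) for s in graph for w in s[1]),
            "overflow": overflow}


if __name__ == "__main__":
    for name, finding in analyze(CFSMS).items():
        print(name, finding)
```

On the constructed protocol the analysis finds 12 reachable states, one deadlock (r2, t3 with both channels empty), two unspecified reception states (both hold y at the head of channel (1,2), which neither t0 nor t1 ever receives; the later of the two also holds an unconsumed z), the nonexecutable transitions r3 +u and t3 +y, and a bound of 2. Lowering the cap to 1 makes the second z of the t0 sending branch hit the cap, which shows how the cap turns an exploration limit into an overflow report rather than silently truncating the state space.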

4.1.5 Stable States and State Ambiguities

A tuple $(s_1, \dots, s_n)$ of local states is stable when all the channels between the
processes are empty. Identifying stable-state tuples is useful for detecting loss of
synchronization if the protocol is intended to be synchronous.

Definition 4.6 (Stable-state Tuples) Let $P = (L, \{M_{i,j} \mid (i, j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^n)$ be a protocol. If there is a reachable $s \in S$ such that $\forall (i, j) \in L$, $\omega_{i,j} = \varepsilon$, then $(s_1, \dots, s_n)$ is a stable-state tuple, where $s_i$ is the local state of process $P_i$ at $s$.

For a 2-process protocol, a pair $(s_1, s_2)$ of local states of processes $P_1$ and $P_2$ is
stable when the channels between them are empty.


A state ambiguity exists when more than one state of one process can coexist stably
with the same state of the other process.

Definition 4.7 (State Ambiguity) Let $P = (\{(1, 2), (2, 1)\}, \{M_{1,2}, M_{2,1}\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^2)$ be a 2-process protocol, and let $(s_1, s_2)$ be a stable-state pair at $s$, where $s \in S$ and $s_1, s_2$ are the local states of processes $P_1$ and $P_2$ at $s$ respectively. A state ambiguity exists when $\exists s' \in S$ such that $(s'_1, s'_2) \neq (s_1, s_2)$ is a stable-state pair at $s'$ with either $s_1 = s'_1$ or $s_2 = s'_2$.

In Figure 3, when process $P_1$ sends messages $x$ and $y$ and eventually enters state $r^2$,
$P_2$ receives the messages $x$ and $y$ and eventually returns to its initial state.
$(r^0, t^0)$ and $(r^2, t^0)$ are both stable-state pairs. Hence $t^0$ of $P_2$ can coexist with
two states of $P_1$, namely $r^0$ and $r^2$, and the protocol has a state ambiguity.
Note: the notion of state ambiguity is useful when 2-process protocols are
concerned. State ambiguity is not necessarily an error; it depends on the designer's
intention. In this thesis, we do not discuss the potential error of state ambiguity.

4.2 Advanced Properties of Protocols

In the previous subsection, we discussed several simple traditional properties of
protocol design, namely deadlock states, nonexecutable transitions, channel overflow,
and state ambiguity. With the development of the IT industry, more advanced
properties have come into our concern. Among them, the properties most used are
divided into two categories: safety properties and liveness properties. As described
in [19], intuitively, a safety property insists that "bad things" do not happen,
while a liveness property insists that "good things" do eventually happen. For
example, a property described in English could be "on all paths from the initial
state, a global state containing the local state $s_i$ of process $P_i$ must eventually
occur", or "there exists a path on which no global state contains the local state
$s_i$ of process $P_i$". Actually, all the design errors we discussed in the previous
subsection are in the family of safety properties. In the literature, protocol
properties are flexibly specified as temporal formulas in some temporal logic, such
as linear-time propositional temporal logic (LPTL) or computation tree logic (CTL).
Verifying these properties is a model checking problem. Since model checking is not
our focus, in this thesis we only give a general procedure to verify a general
property of a protocol.
As is well known, many properties can be represented as LPTL formulas. In [33], it
is proved that it is possible to build a Büchi automaton [4] that accepts exactly the
infinite words satisfying a given temporal formula. A construction of a Büchi
automaton from a formula can be found in [32, 27]. The following procedure can be
found in [33, 30]:
(1) Build a Büchi automaton for the negation of the specified formula $f$ which
represents the required liveness property; the resulting automaton $A_{\neg f}$
accepts all sequences of states that violate the formula $f$;
(2) Compose $A_{\neg f}$ and $(\mathrm{CFSM}_i)_{i=1}^n$ of the protocol $P$ into the product automaton $A$;
(3) Check whether the language accepted by $A$ is empty. If it is empty, $P$ satisfies
the property $f$; otherwise, $P$ does not satisfy $f$.
In this thesis, we do not discuss the advanced properties of protocols. The
reduction rules in Section 6 cannot be generalized to the detection of these
properties.

5 Construction Rules During Protocol Design

In this section, we discuss the following problems: Given a set of observations, do
they correspond to a deadlock-free design? If they do not correspond to a
deadlock-free design, can we construct a deadlock-free design containing all these
observations with reasonable construction rules? Is this design minimal? If we
cannot construct such a design, what else do we need to do? Can more observations
be helpful?
Our work on the construction of protocol designs is an improvement of the work of
Chen and Ural in [6]. We use the first two construction rules, namely $Rule_{det}$
and $Rule_{red}$, and four examples from [6]. The third rule, $Rule_{neg}$, of that paper
solves the deadlock state problem by mirroring the specification of one process onto
the specification of the other process; however, we prove that this rule adds more
states and transitions than needed, and in this thesis we improve $Rule_{neg}$ in the
sense that the added states and transitions are no more than, and often fewer than,
those added by the original $Rule_{neg}$, while it is still guaranteed that no deadlock
states are left.

5.1 Previous Work

The method proposed in [6] is presented in the context of reverse engineering. It is
used to recover a deadlock-free design when a set of global observations of an
existing implementation is given.

Definition 5.1 (Global Observations) A global observation is a well-formed and complete trace that starts from and ends at the global initial state without passing through the local initial state of any process twice.
We do not require that the given set of global observations is complete, i.e., that
all the possible traces are included or that all the transitions of the presumed
design are executed at least once, since these assumptions are too strong for
reverse engineering. Actually, the classical algorithms of automata theory, such as
the subset construction and the minimization algorithm in [14], which were proposed
decades ago, can construct the design in the first case. However, when a set of
observations is given, we can assume the observation is conducted by experienced
people who know which functions of the system are of the user's concern and can
recognize the start and the end of an observation; it is possible that the functions
of concern are only part of all the functions of the existing system. We cannot
construct any design beyond the observations. Under the following assumptions, our
solution guarantees that the constructed design is deadlock-free.
• The functionality of the implementation of a protocol design is periodic; i.e.,
all the observations start from and end at the initial state.
• When the protocol specifications are expressed as CFSM graphs, the presumed
design has no cycles other than those starting from and ending at the initial
state. This is because other cycles cannot be recognized if the states in the
graph cannot be identified; i.e., an observer cannot tell whether some state
has already been repeated during an execution. In the literature, some
techniques have been developed to identify states, such as the D-method based
on distinguishing sequences in [13], the U-method based on UIO sequences
in [24], and the W-method based on characterization sets in [9]. However,
all these methods require knowledge of the protocol design. In reverse
engineering, the implementation is a black box and no design is available; so
far there is no complete solution to the state identification problem in reverse
engineering, although a partial solution has been proposed in [28].
• Both the protocol specifications and the network of the protocol are
deterministic.
• More than one trace is observed. If only one trace can be observed, then it is
the correct design and no further work is necessary.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

5

CONSTRUCTION RULES DURING PROTOCOL DESIGN

28

The method has two steps:
(1) Project each observation onto the individual processes, and construct the draft
design $CD_0(E)$, in which the projections of each process start from and end
at the local initial state;
(2) Apply construction rules to the draft design. There are two directions: 1)
apply $Rule_{det}$ first and then $Rule_{red}$; this direction does not change the
semantics of the draft design, and some deadlock states can be removed, but
the constructed design may not be deadlock-free; 2) apply $Rule_{det}$ first and
then $Rule_{neg}$; this adds new semantics to the draft design, all the deadlock
states are removed and the constructed design is deadlock-free.

5.1.1 Projection of Global Observations and Initial Design Construction

In this subsection, we discuss the first step of the method. We use the same projection
derivation rule as in [6]. Given a trace $\rho$, we can derive $proj(\rho, i)$, the projection
of $\rho$ on process $P_i$:

$$
proj(\rho, i) =
\begin{cases}
\varepsilon & \text{if } \rho = \varepsilon \\
-m_{i,j}\, proj(\rho', i) & \text{if } \rho = -m_{i,j}\,\rho' \text{ for } j \in [1, n] \\
+m_{j,i}\, proj(\rho', i) & \text{if } \rho = +m_{j,i}\,\rho' \text{ for } j \in [1, n] \\
proj(\rho', i) & \text{if } \rho = -m_{l,j}\,\rho' \text{ or } \rho = +m_{j,l}\,\rho' \text{ for } l, j \in [1, n],\ l \neq i
\end{cases}
$$

$proj(\rho, i)$ reflects the sequence of events within the trace $\rho$ that are related to
process $P_i$. Since $\rho$ starts from and ends at the global initial state without passing
through it in between, $proj(\rho, i)$ starts from and ends at the local initial state
without passing through it in between.
Given a set of traces $\Xi = \{\rho_1, \ldots, \rho_r\}$, we can derive a set of projections on
process $P_i$, denoted $proj(\Xi, i)$, where
$proj(\Xi, i) = \{proj(\rho_j, i) \mid j \in [1, r],\ proj(\rho_j, i) \neq \varepsilon\}$. We use
$proj(\Xi, i)$ over $\Xi$ for process $P_i$, for $i = 1, \ldots, n$, to construct $CFSM_i$.


Definition 5.2 (Generated CFSM) Given a set of projections $proj(\Xi, i) = \{b_1, \ldots, b_k\}$
over $\Xi$ on process $P_i$, where $b_l \neq \varepsilon$ for $l = 1, \ldots, k$, $k \geq 1$, and where
$b_l[j]$ denotes the $j$-th event of $b_l$. The CFSM over $proj(\Xi, i)$ is $(S_i, M_i, s^0, \to_i)$ where:
• $S_i = \{s^{l,j} \mid l \in [1, k],\ j \in [1, |b_l| - 1]\} \cup \{s^0\}$;
• $s^0 \in S_i$ is the initial state;
• $M_i = \bigcup_{j} (M_{i,j} \cup M_{j,i})$;
• $\to_i \subseteq S_i \times E_{M_i} \times S_i$ is the least relation satisfying
  – $s^0 \xrightarrow{b_l[1]} s^{l,1}$, for $l \in [1, k]$, $|b_l| \geq 2$;
  – $s^{l,j-1} \xrightarrow{b_l[j]} s^{l,j}$, for $l \in [1, k]$, $j \in [2, |b_l| - 1]$;
  – $s^{l,|b_l|-1} \xrightarrow{b_l[|b_l|]} s^0$, for $l \in [1, k]$, $|b_l| \geq 2$; and
  – $s^0 \xrightarrow{b_l[1]} s^0$, for $l \in [1, k]$, $|b_l| = 1$.
Each branch $b_l$ thus becomes its own path from $s^0$ back to $s^0$; branches sharing a
prefix are not merged here, which is why the generated CFSM may be nondeterministic.
In the following, we use $CD_0(\Xi)$ to denote the constructed design $(L, M, \{T_i\}_{i=1}^n)$,
where $T_i$ is the CFSM over $proj(\Xi, i)$ as defined in the above definition.

5.1.2 Construction Rules $Rule_{det}$ and $Rule_{red}$

In this subsection, we review the first two construction rules of [6], namely $Rule_{det}$
and $Rule_{red}$, used to construct the protocol design. Note that these two rules are
applicable to $n$-process protocols.
When two processes send messages concurrently, we call this phenomenon a collision.
Incomplete observations can cause deadlock states or unspecified receptions only when
there are collisions in the presumed design. We have the following proposition (see [6]
for the proof).
Proposition 5.1 If the presumed design of the set of observations is deadlock free,
unspecified reception free, and free from collisions, and the constructed design $CD_0(O)$
is deterministic, then $CD_0(O)$ is free from deadlocks and unspecified receptions.

Figure 6: Demonstration of $Rule_{det}$ for Protocol Design

Let $T_i = (S_i, M_i, s_i^0, \to_i)$ be the CFSM of process $P_i$ in a given $CD_0(O)$.

$Rule_{det}$: If $\exists\, s_i^1, s_i^2, s_i^3 \in S_i$, $s_i^2 \neq s_i^3$, $\exists\, \mu \in E_{M_i}$, such that
$s_i^1 \xrightarrow{\mu} s_i^2$ and $s_i^1 \xrightarrow{\mu} s_i^3$, then
(1) remove $s_i^3$ from $S_i$;
(2) remove $s_i^1 \xrightarrow{\mu} s_i^3$ from $\to_i$;
(3) $\forall\, \mu' \in E_{M_i}$, $s_i \in S_i$, such that $s_i^3 \xrightarrow{\mu'} s_i$, substitute
$s_i^3 \xrightarrow{\mu'} s_i$ by $s_i^2 \xrightarrow{\mu'} s_i$ in $\to_i$.
Note that this rule is $Rule_{det}$ in [6]. How this rule is applied is shown in Figure 6.

$Rule_{red}$: If $\exists\, s_i^1, s_i^2 \in S_i$, $s_i^1 \neq s_i^2$, such that $\forall\, \mu \in E_{M_i}$,
$s_i \in S_i$: $s_i^1 \xrightarrow{\mu} s_i$ iff $s_i^2 \xrightarrow{\mu} s_i$, then
(1) remove $s_i^2$ from $S_i$;
(2) remove $s_i^2 \xrightarrow{\mu} s_i$ from $\to_i$ for any $s_i \in S_i$ and $\mu \in E_{M_i}$;
(3) $\forall\, \mu \in E_{M_i}$, $s_i \in S_i$, such that $s_i \xrightarrow{\mu} s_i^2$, substitute
$s_i \xrightarrow{\mu} s_i^2$ by $s_i \xrightarrow{\mu} s_i^1$ in $\to_i$.
Note that this rule is $Rule_{red}$ in [6]. How this rule is applied is shown in Figure 7.

$Rule_{det}$ can remove the deadlocks and unspecified receptions caused by nondeterminism,
and $Rule_{red}$ can help to reduce the design. Meanwhile, these two rules do not introduce
any new deadlocks or unspecified receptions.
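The projection of Section 5.1.1, the generated CFSM of Definition 5.2, $Rule_{det}$, and a
reachability check for deadlocks and unspecified receptions on the composed network, as an
added Python example (not code from the thesis or from [6]). The observation sets are those
of Examples 5.1 and 5.2 below; the FIFO-channel semantics, the error-state definitions and
the channel-length cap used by the check are assumptions of this example:

```python
import re
from collections import defaultdict, deque

EVENT_RE = re.compile(r"([+-])([a-z])(\d),(\d)")


def parse_trace(text):
    """'-x1,2 +x1,2 -z2,1' -> [('-','x',1,2), ('+','x',1,2), ('-','z',2,1)].
    An event is (sign, message, sender, receiver): '-' is a send, '+' a reception."""
    return [(s, m, int(a), int(b)) for s, m, a, b in EVENT_RE.findall(text)]


def proj(trace, i):
    """proj(rho, i) of Section 5.1.1: the sends by P_i and the receptions by P_i, in order."""
    return tuple(e for e in trace if (e[0] == "-" and e[2] == i) or (e[0] == "+" and e[3] == i))


def build_cfsm(traces, i):
    """Definition 5.2: one branch per distinct non-empty projection, each leaving the initial
    state 0 and returning to it.  Stored as {(state, event): set(next_states)} so that the
    nondeterminism of the generated CFSM (branches leaving 0 on the same event) stays visible."""
    trans, fresh = defaultdict(set), 0
    for branch in dict.fromkeys(proj(t, i) for t in traces):   # distinct, observation order
        cur = 0
        for j, ev in enumerate(branch):
            if j == len(branch) - 1:
                nxt = 0                      # the last event of a branch returns to s^0
            else:
                fresh += 1
                nxt = fresh
            trans[(cur, ev)].add(nxt)
            cur = nxt
    return dict(trans)


def rule_det(cfsm):
    """Rule_det: while some state has successors s2 != s3 on the same event, drop s3 and move
    its outgoing transitions onto s2 (in a tree-like CFSM nothing else enters s3)."""
    cfsm = {k: set(v) for k, v in cfsm.items()}
    while True:
        key = next((k for k, v in cfsm.items() if len(v) > 1), None)
        if key is None:
            return cfsm
        keep, drop = sorted(cfsm[key])[:2]
        cfsm[key].discard(drop)
        for (src, ev), tgts in list(cfsm.items()):
            if src == drop:
                cfsm.setdefault((keep, ev), set()).update(tgts)
                del cfsm[(src, ev)]


def analyse(t1, t2, cap=4):
    """Reachability analysis of the 2-process network over FIFO channels (1,2) and (2,1);
    a global state is (s1, s2, ch12, ch21).  Error states, with the usual CFSM definitions
    (an assumption of this example): deadlock = both channels empty and no process can move;
    unspecified reception = a process whose outgoing transitions are all receptions faces a
    non-empty incoming channel whose head it cannot receive.  Channel length is capped so
    that exploring a cyclic design terminates."""
    start = (0, 0, (), ())
    seen, work = {start}, deque([start])
    deadlocks, unspecified = set(), set()
    while work:
        g = work.popleft()
        s1, s2, c12, c21 = g
        successors = []
        for who, cfsm, s, out_ch, in_ch in ((1, t1, s1, c12, c21), (2, t2, s2, c21, c12)):
            outs = {ev: tg for (src, ev), tg in cfsm.items() if src == s}
            if (outs and in_ch and all(ev[0] == "+" for ev in outs)
                    and not any(ev[1:] == in_ch[0] for ev in outs)):
                unspecified.add(g)
            for ev, tgts in outs.items():
                if ev[0] == "-" and len(out_ch) < cap:
                    new_out, new_in = out_ch + (ev[1:],), in_ch
                elif ev[0] == "+" and in_ch and in_ch[0] == ev[1:]:
                    new_out, new_in = out_ch, in_ch[1:]
                else:
                    continue
                for t in tgts:
                    successors.append((t, s2, new_out, new_in) if who == 1
                                      else (s1, t, new_in, new_out))
        if not successors and not c12 and not c21:
            deadlocks.add(g)
        for nxt in successors:
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return deadlocks, unspecified


# Observation sets of Examples 5.1 and 5.2 (two processes, channels (1,2) and (2,1)).
EXAMPLE_5_1 = [parse_trace("-x1,2 +x1,2 -z2,1 +z2,1 -y1,2 +y1,2"),
               parse_trace("-x1,2 +x1,2 -y1,2 +y1,2 -z2,1 +z2,1")]
EXAMPLE_5_2 = [parse_trace("-x1,2 +x1,2 -z2,1 +z2,1 -u2,1 +u2,1"),
               parse_trace("-x1,2 +x1,2 -y2,1 +y2,1 -u1,2 +u1,2")]


def error_counts(traces):
    """((deadlocks, unspecified receptions) in CD_0(O), the same after Rule_det)."""
    t1, t2 = build_cfsm(traces, 1), build_cfsm(traces, 2)
    before = tuple(len(x) for x in analyse(t1, t2))
    after = tuple(len(x) for x in analyse(rule_det(t1), rule_det(t2)))
    return before, after


if __name__ == "__main__":
    for name, traces in (("Example 5.1", EXAMPLE_5_1), ("Example 5.2", EXAMPLE_5_2)):
        print(name, "errors in CD_0(O) / after Rule_det:", error_counts(traces))
```

The generated CFSMs keep every observed branch separate, so the two `-x1,2` branches leave
state 0 nondeterministically; `analyse` then finds the deadlock of Example 5.1 and the
unspecified reception of Example 5.2 in $CD_0(O)$, and finds neither once `rule_det` has
merged the branches.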

Figure 7: Demonstration of $Rule_{red}$ for Protocol Design
Theorem 5.2 $Rule_{det}$ does not introduce any new deadlock or unspecified reception
into tree-like constructed designs.
Theorem 5.3 $Rule_{red}$ does not contribute to the removal of any deadlock or unspecified
reception, nor does it introduce new errors into the constructed design.
Besides the properties we discussed, $Rule_{det}$ preserves trace equivalence. First,
we give some useful definitions from set theory.
Definition 5.3
• A relation is a set of ordered pairs.
• A relation $R$ in a set $X$ is reflexive if $(\forall x \in X)\ (x, x) \in R$.
• A relation $R$ in a set $X$ is symmetric if $(x, y) \in R \Rightarrow (y, x) \in R$.
• A relation $R$ in a set $X$ is antisymmetric if $(x, y) \in R \wedge (y, x) \in R \Rightarrow x = y$.
• A relation $R$ in a set $X$ is transitive if $(x, y) \in R \wedge (y, z) \in R \Rightarrow (x, z) \in R$.
• A relation $R$ in a set $X$ is an equivalence relation if $R$ is reflexive, symmetric and transitive.
• A relation $R$ in a set $X$ is a partial order if $R$ is reflexive, antisymmetric, and transitive.
• A partially ordered set is an ordered pair $(X, \preceq)$ in which $X$ is a set and $\preceq$ is a partial order in $X$.
• If $\forall x, y \in X$, $(x \preceq y) \vee (y \preceq x)$, then $(X, \preceq)$ is called a totally ordered set or a chain.
Definition 5.4 (Trace Equivalence) [29] Let $Tr(p)$ denote the set of traces of $p$. Two
processes $p$ and $q$ are trace equivalent, notation $p =_{Tr} q$, if $Tr(p) = Tr(q)$. In trace
semantics, two processes are identified iff they are trace equivalent.
Theorem 5.4 Given a tree-like CFSM, $Rule_{det}$ preserves trace equivalence.
Proof: We first prove the claim for one transformation of $Rule_{det}$; multiple transformations
follow by induction. Let $\mathcal{F}_1$ be the transformation function of $Rule_{det}$ (merging $s_i^3$
into $s_i^2$ on the event $\mu$), and let $\rho \in Tr(T_i)$, $\rho = \rho_1 \rho_2 \ldots \rho_r$. There are three cases:
1) $\exists\, \rho_l$, $l \in [1, r]$, such that $\rho_l = \mu$ and $\rho$ passes $s_i^1$ and $s_i^3$;
2) $\exists\, \rho_l$, $l \in [1, r]$, such that $\rho_l = \mu$ but $\rho$ does not pass both $s_i^1$ and $s_i^3$,
i.e., $\rho$ passes $s_i^1$ and $s_i^2$; 3) $\nexists\, \rho_l$, $l \in [1, r]$, such that $\rho_l = \mu$.
For case 1), though the transition $s_i^1 \xrightarrow{\mu} s_i^3$ is removed, it is replaced by
$s_i^1 \xrightarrow{\mu} s_i^2$, and all the transitions starting from $s_i^3$ have been moved to $s_i^2$.
Also, because the graph is tree-like, no other transition can enter $s_i^3$, and a trace passing
$s_i^3$ without passing $s_i^1$ does not exist. Hence, $\rho$ is still in $Tr(\mathcal{F}_1(T_i))$.
For cases 2) and 3), $\rho$ is not affected at all, so $\rho$ is still in $Tr(\mathcal{F}_1(T_i))$.
Thus, $Tr(T_i) \subseteq Tr(\mathcal{F}_1(T_i))$. On the other hand, since $Rule_{det}$ removes transitions
only while re-attaching the affected traces, no new trace is created, and every trace in
$Tr(\mathcal{F}_1(T_i))$ is also in $Tr(T_i)$. Hence, we also have $Tr(\mathcal{F}_1(T_i)) \subseteq Tr(T_i)$.
Therefore, $Tr(T_i) = Tr(\mathcal{F}_1(T_i))$, and $Rule_{det}$ preserves trace equivalence. □

5.2 Examples and Deadlocks in the Constructed Design

In this subsection, we give some examples to show that constructed designs may
contain deadlock state errors and unspecified reception errors, and how $Rule_{det}$ can
remove the errors of Examples 5.1 and 5.2 while leaving some errors of Examples 5.3
and 5.4 unremoved; the latter can be removed by using $Rule_{neg}$.

Figure 8: The Constructed Designs of Example 5.1. (A) Constructed design $CD_0(O)$ of Example 5.1 ($T_1$, $T_2$); the dashed states may cause deadlock. (B) Constructed design $Rule_{det}(CD_0(O))$ of Example 5.1 ($T_1$, $T_2$).

Example 5.1 (from [6]) Consider a protocol with two processes and two channels
between them. We have a set of traces:

$O = \{\, -x_{1,2}\ +x_{1,2}\ -z_{2,1}\ +z_{2,1}\ -y_{1,2}\ +y_{1,2},\quad -x_{1,2}\ +x_{1,2}\ -y_{1,2}\ +y_{1,2}\ -z_{2,1}\ +z_{2,1} \,\}$

Figure 8(A) shows the constructed design $CD_0(O)$. $T_1$ and $T_2$ in $CD_0(O)$ are the
CFSMs over $proj(O, 1)$ and $proj(O, 2)$ respectively. Let us look at the following
scenario: $T_1$ sends $x_{1,2}$ and enters $r^3$, then $T_2$ receives $x_{1,2}$ and enters $t^1$. Now it
reaches the global state
$$\begin{pmatrix} r^3 & \varepsilon \\ \varepsilon & t^1 \end{pmatrix}$$
(the local state of $T_1$ top left, the contents of channel $(1,2)$ top right, the contents
of channel $(2,1)$ bottom left, and the local state of $T_2$ bottom right) in the network of
this design, and it is a deadlock state because both $T_1$ and $T_2$ are expecting to
receive messages while both channels are empty. Let us apply $Rule_{det}$ to $CD_0(O)$: the
deadlock states are removed. The specification after the construction is shown in
Figure 8(B).

Figure 9: The Constructed Designs of Example 5.2. (A) Constructed design $CD_0(O)$ of Example 5.2 ($T_1$, $T_2$); the dashed states may cause unspecified receptions. (B) Constructed design $Rule_{det}(CD_0(O))$ of Example 5.2. (C) Constructed design $Rule_{red}(Rule_{det}(CD_0(O)))$ of Example 5.2.

Example 5.2 (from [6]) Consider a protocol with two processes and two channels
between them. We have a set of traces:

$O = \{\, -x_{1,2}\ +x_{1,2}\ -z_{2,1}\ +z_{2,1}\ -u_{2,1}\ +u_{2,1},\quad -x_{1,2}\ +x_{1,2}\ -y_{2,1}\ +y_{2,1}\ -u_{1,2}\ +u_{1,2} \,\}$

Figure 9(A) shows the constructed design $CD_0(O)$. $T_1$ and $T_2$ in $CD_0(O)$ are the
CFSMs over $proj(O, 1)$ and $proj(O, 2)$ respectively. Let us look at the following
scenario: $T_1$ sends $x_{1,2}$ and enters $r^3$, and $T_2$ receives $x_{1,2}$ and enters $t^1$, then
sends $z_{2,1}$ and enters $t^2$. Now it reaches the global state
$$\begin{pmatrix} r^3 & \varepsilon \\ z_{2,1} & t^2 \end{pmatrix}$$
in the network of this design, and it is an unspecified reception state because $T_1$ is
expecting to receive $y_{2,1}$ while only $z_{2,1}$ is available in channel $(2,1)$. This example
is suitable for applying $Rule_{det}$ and $Rule_{red}$. After applying these two rules, the
unspecified reception states are removed and the specification is minimized. The
specification after the construction is shown in Figure 9(B) and (C).

Example 5.3 (from [6]) Consider a protocol with two processes and two channels
between them. We have a set of traces:

$O = \{\, -x_{1,2}\ +x_{1,2}\ -u_{1,2}\ -y_{2,1}\ +u_{1,2}\ +y_{2,1}\ -z_{2,1}\ +z_{2,1},\quad -y_{2,1}\ -x_{1,2}\ +y_{2,1}\ -z_{2,1}\ +x_{1,2}\ +z_{2,1}\ -u_{1,2}\ +u_{1,2} \,\}$

Figure 10 shows the constructed design $CD_0(O)$. $T_1$ and $T_2$ in $CD_0(O)$ are the
CFSMs over $proj(O, 1)$ and $proj(O, 2)$ respectively. Let us look at the following
scenario: $T_1$ sends $x_{1,2}$ and enters $r^1$, then $T_2$ receives $x_{1,2}$ and enters $t^1$; after
that, $T_2$ sends $y_{2,1}$ and enters $t^2$, then $T_1$ receives $y_{2,1}$ and enters $r^2$. Now it
reaches the global state
$$\begin{pmatrix} r^2 & \varepsilon \\ \varepsilon & t^2 \end{pmatrix}$$
in the network of this design, and it is a deadlock state because both $T_1$ and $T_2$ are
expecting to receive messages while both channels are empty. However, this example
is a little more complex, and after $Rule_{det}$ is applied we can still observe that
potential deadlock state in Figure 10(B).

Example 5.4 Consider a protocol with two processes and two channels between them.

Figure 10: The Constructed Designs of Example 5.3. (A) Constructed design $CD_0(O)$ of Example 5.3 ($T_1$, $T_2$); the dashed states may cause deadlock. (B) Constructed design $Rule_{det}(CD_0(O))$ of Example 5.3; the dashed states may cause deadlock.

Figure 11: The Constructed Designs of Example 5.4. (A) Constructed design $CD_0(O)$ of Example 5.4; the dashed states may cause deadlock. (B) Constructed design $Rule_{det}(CD_0(O))$ of Example 5.4; the dashed states may cause deadlock.
We have a set of traces as:
O =

{ — Z/2,1 + 2/2,1 — x l,2 + x l,2 — ^ 2 ,1 — Ul , 2 + U l , 2 + w 2,l

- V 2,i + o2,i - elj2 + e i)2 - / i ,2 + / i ,2 -

0 -2,1

—2/2,1 + 2/2,1 — ^ 2,1 + '022,1 —02,1 +
—u i ,2 + w1>2 — 2/ 2,1
— 2X1,2 +

+

01,2

U 1,2

+

+ 2/ 2,1 -

-X l,2 -

+ X i t2

02,1

02,1

0 2,1

+ ^ 2,1 - h ,i + b2,i,
— ^ 1,2 + ^ 1,2

~ b2;i + 62,i - e i)2 + ex,2 - f i, 2 + f i, 2,

x l,2 — W 2,l

02,1 + 02,1 + ^ 1,2

+

w 2,l —

-

62,1 + &2,1 + el ,2 - / l ,2 +

a2,i

+

a2,i

2/2,1 - 01,2

+

2/ 2,1 - 0 ^2,1 + 012,1 - 02,1 + 02,1

e Xi2 -

f l , 2,

— e i ,2 — 02,1 + 02,1 _ &2,1 + &2,1 + el ,2 _ / l ,2 + / l , 2}


Figure 11(A) shows the constructed design $CD_0(O)$. $T_1$ and $T_2$ in $CD_0(O)$ are
the CFSMs over $proj(O, 1)$ and $proj(O, 2)$ respectively. The network of this design
contains three deadlock states, namely the global states with both channels empty and
local states
$$\begin{pmatrix} r^{19} & \varepsilon \\ \varepsilon & t^1 \end{pmatrix},\qquad
\begin{pmatrix} r^{29} & \varepsilon \\ \varepsilon & t^3 \end{pmatrix},\qquad
\begin{pmatrix} r^{22} & \varepsilon \\ \varepsilon & t^5 \end{pmatrix}.$$
The first deadlock state is due to nondeterminism, and the rest are due to the
rules for composing the network of a protocol, which allow, at some global state,
the next transition to be any available transition of the protocol specifications.
With these rules, more traces than the given set of observations may be created. For
Example 5.4, the application of $Rule_{det}$ removes the first deadlock state, as shown in
Figure 11(B), but the other two deadlock states remain.
The reasons for the occurrence of deadlock states and unspecified receptions
include nondeterminism, as shown in Examples 5.1 and 5.2, and incompleteness of
observations, as shown in Examples 5.3 and 5.4. In the next subsection, we give the
construction rule $Rule'_{neg}$ to remove the deadlock states caused by incomplete
observations for 2-process protocols.

5.3 Improvement on Construction Rule $Rule'_{neg}$

From the point of view of software engineering, the desirable properties of a protocol
design include: 1) it meets all the requirements of the customers; 2) it does not
manifest any logical error; 3) the design is minimal, so that after the design phase,
programming and testing can be more efficient.
As we mentioned in the previous subsection 5.2, we introduce the improved
$Rule'_{neg}$ to remove the deadlock states caused by incomplete observations, while
$Rule'_{neg}$ adds no more states or transitions to the design than $Rule_{neg}$. Note that
both $Rule_{neg}$ and $Rule'_{neg}$ can only be applied to 2-process protocols. Also, without
special indication, $Rule'_{neg}$ means the improved rule, not the original $Rule_{neg}$ of [6].
First, we give the definition of the negation of a trace.


Definition 5.5 (Negation of Traces) Let $\sigma$ be a path. The negation of $\sigma$, denoted
by $\overline{\sigma}$, is defined as

$$
\overline{\sigma} =
\begin{cases}
\varepsilon & \text{if } \sigma = \varepsilon \\
-m\,\overline{\sigma'} & \text{if } \sigma = +m\,\sigma' \\
+m\,\overline{\sigma'} & \text{if } \sigma = -m\,\sigma'
\end{cases}
$$

Let $pos(\omega)$ denote the sequence of all the receiving events in $\omega$, in the same order,
and $neg(\omega)$ the sequence of all the sending events in $\omega$, in the same order:

$$
pos(\omega) =
\begin{cases}
\varepsilon & \text{if } \omega = \varepsilon \\
+m\, pos(\omega') & \text{if } \omega = +m\,\omega' \\
pos(\omega') & \text{if } \omega = -m\,\omega'
\end{cases}
\qquad
neg(\omega) =
\begin{cases}
\varepsilon & \text{if } \omega = \varepsilon \\
-m\, neg(\omega') & \text{if } \omega = -m\,\omega' \\
neg(\omega') & \text{if } \omega = +m\,\omega'
\end{cases}
$$
Definition 5.6 Let $P$ be a 2-process protocol, $\sigma$ a path from the local initial state
in $T_1$, and $\sigma'$ a path from the local initial state in $T_2$. $\sigma$ and $\sigma'$ can form a
trace in the network of $P$ if we can execute all the transitions in $\sigma$ and $\sigma'$ without
encountering any deadlock state or unspecified reception.
We apply $Rule'_{neg}$ to tree-like CFSMs. In a tree-like CFSM, the sequence of events
between $s^0$ and $s$ that does not pass $s^0$ twice is unique. We use $neg(s)$ and $pos(s)$ to
denote the sequence of sending and receiving events, respectively, on the path from $s^0$
to $s$. Note that $CD_0(O)$ and $Rule_{det}(CD_0(O))$ contain only tree-like CFSMs.
Let $P$ be a given deterministic protocol with two CFSMs $T_1$ and $T_2$. We assume there
is no unspecified reception error in the constructed protocol design. $Rule'_{neg}$ aims at
removing the deadlock state errors.
$Rule'_{neg}$:
(1) In $T_2$, while $\exists\, s_2^l \in S_2$, $s_2^0 \xrightarrow{\sigma} s_2^l$, such that for all
$m_{2,1} \in M_{2,1}$ there is no $s_2 \in S_2$ with $s_2^l \xrightarrow{-m_{2,1}} s_2$ (i.e., $s_2^l$ has no
outgoing sending transition), do:
in $T_1$, if $\exists\, s_1^1 \in S_1$, $s_1^0 \xrightarrow{\sigma'} s_1^1$, such that
$pos(s_1^1) = \overline{neg(s_2^l)}$ and $neg(s_1^1) = \overline{pos(s_2^l)}$ (that is, on the way to
$s_1^1$, $T_1$ has received exactly the messages that $T_2$ sent on the way to $s_2^l$, and vice
versa), $\sigma$ and $\sigma'$ can form a trace in the network of $P$, but there is no $s_1$ with
$s_1^1 \xrightarrow{-m_{1,2}} s_1$ for any $m_{1,2} \in M_{1,2}$, then
  (a) select one path $\varrho$ from $s_1^1$ to the local initial state $s_1^0$;
  (b) append $\overline{\varrho}$ to $s_2^l$ in $T_2$; i.e., add the new states of $\overline{\varrho}$ into $S_2$,
  and add the new transitions of $\overline{\varrho}$ into $\to_2$;
(2) If $\exists\, s^1, s^2 \in S_2$, $s^1 \neq s^2$, such that $pos(s^1) = pos(s^2)$ and
$neg(s^1) = neg(s^2)$, then
  (a) remove $s^2$ from $S_2$;
  (b) $\forall\, \mu \in E_{M_2}$, $s \in S_2$, such that $s^2 \xrightarrow{\mu} s$, substitute
  $s^2 \xrightarrow{\mu} s$ by $s^1 \xrightarrow{\mu} s$ in $\to_2$;
  (c) $\forall\, \mu \in E_{M_2}$, $s \in S_2$, such that $s \xrightarrow{\mu} s^2$, substitute
  $s \xrightarrow{\mu} s^2$ by $s \xrightarrow{\mu} s^1$ in $\to_2$.

A straightforward algorithm that applies the first step of $Rule'_{neg}$ can be written by
adapting the Depth-First-Search algorithm (DFS). For a 2-process protocol $P$, suppose $u$
is the maximum number of states among the CFSMs and $v$ is the maximum number of
transitions among the CFSMs; the time complexity of the adapted algorithm is $O((u+v)^2)$.
For step (2), an algorithm with time complexity $O(uv)$ is proposed in [6].
$Rule'_{neg}$ is applied to the design after the application of $Rule_{det}$, so it works on a
deterministic design with the tree-like structure, and the structure is preserved after
the execution of step (2). Step (1) of $Rule'_{neg}$ finds the potential deadlock states and
appends to each of them a path whose first event is a sending event. Since sending
transitions can always be executed, the potential deadlock states are no longer deadlock
states. Also, it is sufficient to check only one


protocol specification of $P$, that is, either $T_1$ or $T_2$, and remove all its potential
deadlock states. This is because when no state in one machine is a potential deadlock
state, the global states containing these states as local states cannot be deadlock states.
Note that the application of $Rule'_{neg}$ adds new semantics to the specification of $P$;
however, since a good design very often includes, in one protocol specification, the
mirroring of the other protocol specification, the design constructed by this rule is
quite reasonable.
Also, $pos(s_1^1) = \overline{neg(s_2^l)}$ and $neg(s_1^1) = \overline{pos(s_2^l)}$ does not necessarily mean
that the path reaching $s_2^l$ and the path reaching $s_1^1$ can form a trace in the network of
$P$, that is, that there exists a trace in the network of $P$ whose projections on $P_1$ and
$P_2$ are exactly those two paths. To avoid adding undesired transitions, we add the
condition that $\sigma$ in $T_2$ and $\sigma'$ in $T_1$ can form a trace in the network of $P$ and reach
some global state which contains both $s_2^l$ and $s_1^1$ as its local states. For example,
consider two observations
$\rho_1 = -x_{1,2}\ -y_{2,1}\ +y_{2,1}\ -z_{2,1}\ +z_{2,1}\ -u_{1,2}\ +x_{1,2}\ +u_{1,2}$ and
$\rho_2 = -x_{1,2}\ +x_{1,2}\ -y_{2,1}\ +y_{2,1}\ -u_{1,2}\ +u_{1,2}\ -z_{2,1}\ +z_{2,1}$.
Projecting these two observations onto $T_1$ and $T_2$, we have
$\omega_1^1 = -x_{1,2}\ +y_{2,1}\ +z_{2,1}\ -u_{1,2}$ and $\omega_1^2 = -x_{1,2}\ +y_{2,1}\ -u_{1,2}\ +z_{2,1}$ in $T_1$,
and $\omega_2^1 = -y_{2,1}\ -z_{2,1}\ +x_{1,2}\ +u_{1,2}$ and $\omega_2^2 = +x_{1,2}\ -y_{2,1}\ +u_{1,2}\ -z_{2,1}$ in $T_2$.
Thus $pos(\omega_1^1) = pos(\omega_1^2) = +y_{2,1}\ +z_{2,1}$ and $neg(\omega_1^1) = neg(\omega_1^2) = -x_{1,2}\ -u_{1,2}$,
so both $T_1$ paths satisfy the $pos$/$neg$ conditions with respect to $\omega_2^2$; but $\omega_1^1$ and
$\omega_2^2$ cannot form a trace in the network of $P$ (after $-x_{1,2}\ +x_{1,2}\ -y_{2,1}\ +y_{2,1}$,
$T_1$ waits for $z_{2,1}$ while $T_2$ waits for $u_{1,2}$). Furthermore, none of these states in
$P$ is a deadlock state so far.
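The negation, $pos$ and $neg$ of Definition 5.5, the "can form a trace" check of Definition
5.6 and step (1) of $Rule'_{neg}$, run over the projections $\omega_1^1, \omega_1^2, \omega_2^1, \omega_2^2$ of
the two observations above, as an added Python example (not code from the thesis). The
prefix representation of tree-like CFSMs, the matching condition in the form stated above,
and the one-trace-per-machine variant used at the end are assumptions of this example:

```python
import re

EVENT_RE = re.compile(r"([+-])([a-z])(\d),(\d)")


def parse(text):
    """'-x1,2 +y2,1' -> [('-','x',1,2), ('+','y',2,1)]: (sign, message, sender, receiver)."""
    return [(s, m, int(a), int(b)) for s, m, a, b in EVENT_RE.findall(text)]


def negation(path):
    """Definition 5.5: every send becomes a reception of the same message and vice versa."""
    return [("+" if s == "-" else "-", m, a, b) for s, m, a, b in path]


def pos(path):
    return [e for e in path if e[0] == "+"]


def neg(path):
    return [e for e in path if e[0] == "-"]


def matches(path1, path2):
    """pos/neg condition of Rule'_neg step (1) between a T1 path and a T2 path: T1 has
    received exactly what T2 sent, in order, and T2 has received exactly what T1 sent."""
    return pos(path1) == negation(neg(path2)) and neg(path1) == negation(pos(path2))


def _fire(event, out_ch, in_ch):
    """One local step over FIFO channels: new (out, in) channel contents, or None if disabled."""
    if event[0] == "-":
        return out_ch + (event[1:],), in_ch
    if in_ch and in_ch[0] == event[1:]:
        return out_ch, in_ch[1:]
    return None


def can_form_trace(path1, path2):
    """Definition 5.6: some interleaving of the T1 path and the T2 path executes completely,
    every reception finding its message at the channel head.  DFS over (i, j, ch12, ch21)."""
    seen, stack = set(), [(0, 0, (), ())]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        i, j, c12, c21 = state
        if i == len(path1) and j == len(path2):
            return True
        if i < len(path1) and (r := _fire(path1[i], c12, c21)):
            stack.append((i + 1, j, r[0], r[1]))
        if j < len(path2) and (r := _fire(path2[j], c21, c12)):
            stack.append((i, j + 1, r[1], r[0]))
    return False


# A deterministic tree-like CFSM (what Rule_det leaves behind) is given by its branches
# (Definition 5.2); a non-initial state is then simply a proper prefix of a branch.
def outgoing(branches, prefix):
    n = len(prefix)
    return {b[n] for b in branches if len(b) > n and tuple(b[:n]) == prefix}


def receive_only(branches, prefix):
    outs = outgoing(branches, prefix)
    return bool(outs) and all(e[0] == "+" for e in outs)


def rule_neg_step1(t1, t2):
    """Step (1) of Rule'_neg: for each T2 state with no outgoing send, find a T1 state that
    matches it, can form a trace with it and also has only receptions next; the negation of
    that T1 state's path back to s^0 is the path to append to the T2 state."""
    additions = []
    for sigma in sorted({tuple(b[:k]) for b in t2 for k in range(1, len(b))}):
        if not receive_only(t2, sigma):
            continue
        for b1 in t1:
            k = next((k for k in range(1, len(b1))
                      if receive_only(t1, tuple(b1[:k])) and matches(b1[:k], list(sigma))
                      and can_form_trace(b1[:k], list(sigma))), None)
            if k is not None:
                additions.append((sigma, negation(b1[k:])))
                break
    return additions


# The projections of rho_1 and rho_2 from the text above.
W11 = parse("-x1,2 +y2,1 +z2,1 -u1,2")   # omega_1^1, in T1
W12 = parse("-x1,2 +y2,1 -u1,2 +z2,1")   # omega_1^2, in T1
W21 = parse("-y2,1 -z2,1 +x1,2 +u1,2")   # omega_2^1, in T2
W22 = parse("+x1,2 -y2,1 +u1,2 -z2,1")   # omega_2^2, in T2

if __name__ == "__main__":
    print("omega_1^1 matches omega_2^2:", matches(W11, W22),
          "; can form a trace:", can_form_trace(W11, W22))
    print("omega_1^2 and omega_2^2 can form a trace:", can_form_trace(W12, W22))
    print("Rule'_neg step (1) on the full design:", rule_neg_step1([W11, W12], [W21, W22]))
    print("... on the constructed variant T1={omega_1^1}, T2={omega_2^2}:",
          rule_neg_step1([W11], [W22]))
```

On the full design step (1) appends nothing, consistent with the text (no state is a
deadlock state yet). In the constructed variant where $T_1$ contains only $\omega_1^1$ and $T_2$
only $\omega_2^2$, the state reached by $+x_{1,2}\ -y_{2,1}$ in $T_2$ has a matching receive-only state
in $T_1$, and the path $+z_{2,1}\ -u_{1,2}$ is negated into $-z_{2,1}\ +u_{1,2}$ for appending, the same
shape of repair as in Example 5.3.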
Since $T_2$ is deterministic and tree-like, $\sigma$ is unique. However, there may be more than
one path in $T_1$ that matches $\sigma$. Since we assume there is no unspecified reception, there
are two cases for those matching paths: 1) paths that match $\sigma$ and do not cause a
deadlock at $s_2^l$; 2) paths that match $\sigma$ but cause a deadlock at $s_2^l$. For case 1), since
there is no deadlock and no unspecified reception error, there exists a sending transition
among the next transitions at $s_1^1$ in $T_1$. For case 2), since there is a deadlock but no
unspecified reception error, the next transitions at $s_1^1$ are all receiving transitions.
If, in the latter case, we choose one of the paths starting from $s_1^1$ and ending at the
initial state $s_1^0$, whose first event is the label of a receiving transition, and append
the negation of that path to state $s_2^l$, the potential deadlock is removed, since a
sending transition is always executable. For a similar reason, although more than one
state in $T_1$ might cause deadlock states together with $s_2^l$, we only need to consider
one such state and append the negation of one of the paths following it to $s_2^l$; all
potential deadlock states are then removed.
Proposition 5.5 For any constructed design $P$ with only tree-like deterministic CFSMs,
let $s_2^l \in S_2$, $s_2^0 \xrightarrow{\sigma} s_2^l$, be a state such that for all $m_{2,1} \in M_{2,1}$ there
is no $s_2 \in S_2$ with $s_2^l \xrightarrow{-m_{2,1}} s_2$. If there is a deadlock state in the network of
$P$ with $s_2^l$ as a local state, then $\sigma'$ exists in $T_1$ such that $\sigma$ and $\sigma'$ can form
a trace in the network of $P$.
Proof: From the definition of deadlock states, we know that when the deadlock occurs,
both of the channels are empty. It means every sending transition executed so far has a
matching receiving transition, and vice versa. Suppose $s^1$ is a deadlock state containing
$s_2^l$ as its local state of process $P_2$; then there must exist $\sigma'$ in $T_1$ such that
$\sigma'$ includes the events that receive all the messages sent to channel $(2,1)$ by the
events in $\sigma$, and meanwhile $\sigma$ includes the events that receive all the messages sent
to channel $(1,2)$ by the events in $\sigma'$. Thus, $\sigma$ and $\sigma'$ form a trace in the
network of $P$. □
Proposition 5.6 For any constructed design $P$ with only tree-like CFSMs, the design
after the application of $Rule'_{neg}$ is deadlock free.
Proof: When we apply $Rule'_{neg}$ to $T_2$, all the risky states, i.e., all the states that
have no outgoing sending transitions, are examined. The risky states may or may not be
real deadlock states. There are three cases: 1) $s_2^l$ has no matching state $s_1^1$ in $T_1$;
2) there are matching states $s_1^1$ for $s_2^l$, but each $s_1^1$ has at least one outgoing
sending transition; 3) $s_2^l$ has a matching state $s_1^1$ with no outgoing sending
transition; we then say $s_2^l$ is a potential deadlock state.
For case 1), from Proposition 5.5, we know that $s_2^l$ is not a deadlock state.
For case 2), because a sending transition is always executable, the global state
containing both $s_1^1$ and $s_2^l$ cannot be a deadlock state.
For case 3), $Rule'_{neg}$ deals with the potential deadlock states. The application of
$Rule'_{neg}$ adds a sending transition to every potential deadlock state; thus, the
potential deadlock is removed. Furthermore, the appended path is the negation of a path
in $T_1$, which means the appended path does not introduce any new deadlock state. □

Proposition 5.7 $Rule'_{neg}$ adds no more states and transitions than the original $Rule_{neg}$.
Proof: The original $Rule_{neg}$ adds the entire negation of $T_1$ onto $T_2$, while the improved
$Rule'_{neg}$ adds only the transitions that really help to remove deadlock states, which are
part of the negation of $T_1$. In the worst case, the improved $Rule'_{neg}$ adds the entire
negation of $T_1$, as the original $Rule_{neg}$ does. □

Now we can use $Rule'_{neg}$ to remove the deadlock in Example 5.3. Figure 12 shows that
the application of $Rule'_{neg}$ has two steps: first, it identifies $t^2$ as a potential
deadlock state and appends the negation of the path $+z_{2,1}\ -u_{1,2}$, i.e. $-z_{2,1}\ +u_{1,2}$,
to $t^2$; second, it merges state $t^6$ and state $t^7$ because $pos(t^6) = pos(t^7)$ and
$neg(t^6) = neg(t^7)$.
Figure 13 shows how $Rule'_{neg}$ works on Example 5.4. This example differs from
Example 5.3 in that the first step of $Rule'_{neg}$ is applied twice before moving to the
second step. This is because of the "while" statement in the rule condition.
Unlike $Rule_{det}$ and $Rule_{red}$, $Rule'_{neg}$ can only be applied to 2-process protocols.
This is because for $n$-process protocols (when $n \geq 3$), the specification of one
process involves the interaction with other processes (usually more than one process),
and its mirroring will also involve more than one process, which makes the semantics of
the mirroring specification ambiguous. Furthermore, $Rule'_{neg}$ assumes there is no
unspecified reception error and aims at removing all the deadlock states without
composing the network of $P$.

Figure 12: The Constructed Designs of Example 5.3 Using the Improved $Rule'_{neg}$. (A) Constructed design $Rule'_{neg}(Rule_{det}(CD_0(O)))$ of Example 5.3, step 1 ($T_1$, $T_2$). (B) Constructed design $Rule'_{neg}(Rule_{det}(CD_0(O)))$ of Example 5.3, step 2 ($T_1$, $T_2$).

Figure 13: The Constructed Designs of Example 5.4 Using the Improved $Rule'_{neg}$. (A) Constructed design $Rule'_{neg}(Rule_{det}(CD_0(O)))$ of Example 5.4, step 1. (B) Constructed design $Rule'_{neg}(Rule_{det}(CD_0(O)))$ of Example 5.4, step 2; $Rule_{det}$ is also applied to $T_1$.

5.4 Summary and Comparison

The work in this section is inspired by the work in [6], and now we compare them.
The idea of removing the deadlock states without composing the network of $P$ is
attractive, because the composition of the network of $P$ may cause the state explosion
problem. Our $Rule'_{neg}$ improves the original $Rule_{neg}$ in the sense that it removes
all the deadlock states with less augmentation of transitions. The disadvantage of the
improved $Rule'_{neg}$ compared to the original one is that the complexity of the algorithm
is increased because of the selection of relevant paths, while the original rule just
copies the entire negation of $T_1$ onto $T_2$.
Figure 14 shows the constructed design using the original $Rule_{neg}$ in [6]. We can
see that the added path $+u_{1,2}\ -y_{2,1}$ from $t^1$ to $t^3$ makes no contribution to the removal
of deadlock, and it is not added in Figure 12. For Example 5.4, Figure 15 shows the
constructed design using the original $Rule_{neg}$. Comparing it with the constructed design
using the improved $Rule'_{neg}$ in Figure 13, we can see that 3 more states and 5 more
transitions are added; similarly, they do not contribute to the removal of the deadlock
states.
Comparing $Rule'_{neg}$ with $Rule_{neg}$ on these two examples, we evaluate the reduction
efficiency as in Table 1.
Note that $Rule'_{neg}$ can work independently without applying $Rule_{det}$ before it, that
is, $Rule'_{neg}$ can be applied to $CD_0(O)$ directly while Propositions 5.5-5.7 still hold.
We apply $Rule_{det}$ before $Rule'_{neg}$ for two reasons: 1) we want to remove the states and
transitions that are unnecessary for $Rule'_{neg}$ to take into account, and minimize the
specification first; 2) $Rule_{det}$ may reduce the number of potential deadlock states, and
thus the number of times the negation of some path in $T_1$ is appended. For example, in
Figure 11(A), $t^1$ in $T_2$ is a potential deadlock state, and $Rule'_{neg}$ would be applied to
this state; but after applying $Rule_{det}$, this state is merged into $t^9$ and is no longer a
potential deadlock state, as shown in Figure 11(B), so $Rule'_{neg}$ is not applied to it.

Figure 14: The Constructed Designs with the Rules in [6] of Example 5.3 ($T_1$, $T_2$).

Figure 15: The Constructed Designs with the Rules in [6] of Example 5.4 ($T_1$, $T_2$).

Table 1: The Reduction Efficiency of $Rule'_{neg}$ Compared with $Rule_{neg}$ (reduction relative to the states and transitions added by $Rule_{neg}$)

                        Rule_neg adds          Rule'_neg adds         Reduction efficiency
                        states  transitions    states  transitions    states  transitions
T_2 in Example 5.3        1         3            0         1          100%      67%
T_2 in Example 5.4        5         9            2         4           60%      56%
The improved $Rule'_{neg}$ assumes there is no unspecified reception in the constructed
design. Resolving unspecified reception errors is in fact an open problem. The following
example shows that unspecified receptions are hard to tackle with incomplete observations.
Example 5.5 (from [6]) Consider a protocol with two processes and two channels
between them. We have a set of traces:

$O = \{\, -x_{1,2}\ +x_{1,2}\ -y_{2,1}\ +y_{2,1},\quad -z_{2,1}\ +z_{2,1}\ -u_{1,2}\ +u_{1,2} \,\}$

Figure 16(A) shows the constructed design $CD_0(O)$. $T_1$ and $T_2$ in $CD_0(O)$ are
the CFSMs over $proj(O, 1)$ and $proj(O, 2)$ respectively. Let us look at the following
scenario: $T_1$ sends $x_{1,2}$ and enters $r^2$ while $T_2$ sends $z_{2,1}$ and enters $t^1$. Now it
reaches the global state
$$\begin{pmatrix} r^2 & x_{1,2} \\ z_{2,1} & t^1 \end{pmatrix}$$
in the network of this design, and it is an unspecified reception state because $T_1$ is
expecting to receive $y_{2,1}$ while channel $(2,1)$ contains only $z_{2,1}$, and $T_2$ is
expecting to receive $u_{1,2}$ while channel $(1,2)$ contains only $x_{1,2}$. We can see that
none of our rules can be applied to this example to remove this error state.

Figure 16: The Constructed Designs of Example 5.5. (A) Constructed design $CD_0(O)$ of Example 5.5 ($T_1$, $T_2$); the dashed states may cause deadlock. (B) Presumed design of Example 5.5 ($T_1$, $T_2$).

6 Reduction Rules During Design Verification

To verify a concurrent system using the state exploration technique, the state explosion
problem is always a big concern. The solution is to reduce the possible exploration space.
In the literature, researchers usually focus on state reduction techniques during the
global reachability analysis, such as [11]. It is also possible to conduct the reduction
on the protocol specifications right before the global reachability analysis.

6.1 Reduction Rules

In this subsection, we discuss two reduction rules. We call the CFSMs specifying each
process of a protocol the protocol specifications, as opposed to the global specification
obtained during reachability analysis. We assume the protocol specifications are minimal
and deterministic. Within this framework, we give the following two rules to reduce the
protocol specifications.
Reduction Rule 1: Given an n-process protocol P = (L , { M i j\ ( i , j ) G L }, {(Si, M it
i) , if for any process P*, 3s-, s f, s f, sf G Si} rai)fc,ra M G M*, where k ,l G

[1 , n], such that
is}
• M

sf) A (si

sj) A (sf

s f) A (sf

sf), and

G S, mUj, miiV G Mi, where u, v G [1, n], such that (sf 7^ s i) A ((s( +TO^ >sf)

V (s' - = ^ s f )) or (sf ^ sj) A ((s f

sf) V (sf

then remove state sf and transitions sf +m ’1 >sf and sf

s '));

mi,k >sf from the spec

ification of process P*.

Reduction Rule 2: Given an n-process protocol $P = (L, \{M_{i,j} \mid (i,j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^{n})$, if for any process $P_i$, $\exists s_i^1, s_i^2, s_i^3, s_i^4 \in S_i$, $m_{i,k}, m_{i,l} \in M_i$, where $k, l \in [1, n]$, $k \neq l$, such that

• $(s_i^1 \xrightarrow{-m_{i,l}} s_i^2) \wedge (s_i^1 \xrightarrow{-m_{i,k}} s_i^3) \wedge (s_i^2 \xrightarrow{-m_{i,k}} s_i^4) \wedge (s_i^3 \xrightarrow{-m_{i,l}} s_i^4)$, and

• $\nexists s' \in S_i$, $m_{u,i}, m_{i,v} \in M_i$, where $u, v \in [1, n]$, such that $(s' \neq s_i^1) \wedge ((s' \xrightarrow{+m_{u,i}} s_i^2) \vee (s' \xrightarrow{-m_{i,v}} s_i^2))$ or $(s' \neq s_i^4) \wedge ((s_i^2 \xrightarrow{+m_{u,i}} s') \vee (s_i^2 \xrightarrow{-m_{i,v}} s'))$;

then remove state $s_i^2$ and transitions $s_i^1 \xrightarrow{-m_{i,l}} s_i^2$ and $s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ from the specification of process $P_i$.

[Figure 17: Demonstration to the Reduction Rules for Deadlock Verification (Reduction Rule 1, Reduction Rule 2).]

For Rule 1, the first condition requires a specific pattern of transitions in the protocol specification, that is, at some state there is a choice about the execution order of a sending transition and a receiving transition: 1) execute the sending transition first, then the receiving transition; 2) execute the receiving transition first, then the sending transition. Whichever option is chosen, after the execution of these two transitions the same state is eventually entered. The second condition requires that the states and transitions to be removed do not have any other states or transitions involved. The sent message and the received message in Rule 1 can be exchanged with the same process or with different processes. Rule 2 considers a similar choice pattern, but both of the transitions are sending transitions. For Rule 2, we require that these two messages go to different channels. If the two messages went to the same channel, then because the channel is FIFO the choice would have a different impact on the content of the channel: if the order of the messages is different, the contents of the channel are different even though the messages are the same. Furthermore, different states in the global specification are entered after the execution of these transitions. Thus, no state or transition could be removed. The second condition of Rule 2 also requires that the states and transitions to be removed do not have any other states or transitions involved. How to apply Rule 1 and Rule 2 is shown in Figure 17.

A straightforward algorithm that applies Rule 1 can be written by adapting the Depth-First-Search algorithm (DFS). For an n-process protocol P, suppose u is the maximum number of states among the CFSMs and v is the maximum number of transitions among the CFSMs; then the time complexity of the algorithm applying Rule 1 is $O(n(u+v))$. Similarly, the time complexity of the algorithm applying Rule 2 is $O(n(u+v))$.

The reduction efficiency of our rules depends on the protocol design itself. If the protocol is a synchronous protocol, then our rules are of no use. Actually, no reduction technique is useful in that case. If the protocol has some concurrent transitions, the reduction will be useful.

Next, we prove that the application of Rule 1 preserves the properties of error states and channel overflow, while Rule 2 preserves the properties of error states, nonexecutable transitions, and channel overflow. First, we prove that the application of Rule 1 and Rule 2 preserves the property of error states of a protocol design.

6.2 Preserving Error States Property

As we mentioned in Section 4, we use error state as a shorthand for deadlock state or unspecified reception state, since at either of these states the execution gets stuck and no outgoing transition is possible.

Our rules preserve a strict error states property; i.e., during reachability analysis, the error states should remain erroneous in the global specification after the applications of the rules. A looser requirement would be: if the global specification has an error state, then after the application of the rules the global specification still has an error state. That requirement does not bind the error to the state. We start the proof with Rule 1. Intuitively, this kind of pattern is an interleaving of two transitions enabled at the same state $s_i^1$. At this state, process $P_i$ can either get a message from one channel or send a message to some other channel. Both of these transitions can be executed separately. Now we check the behavior of these four states during reachability analysis. Due to the existence of the sending transition $s_i^1 \xrightarrow{-m_{i,k}} s_i^3$, any global state containing state $s_i^1$ as its local state for process $P_i$ is not an error state. For a similar reason, neither are the states containing state $s_i^2$. We can check transition $s_i^3 \xrightarrow{+m_{l,i}} s_i^4$ to see if this receiving transition with label $+m_{l,i}$ may introduce an error state. Thus checking the path $s_i^1 \xrightarrow{+m_{l,i}} s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ becomes unnecessary.

We introduce some notation: $T_i$ denotes the CFSM of process $P_i$, $T_i'$ denotes the CFSM after applying Rule 1 once, and $\Gamma_1$ denotes the mapping of Rule 1 from $T_i$ to $T_i'$, so we have $\Gamma_1 : T_i \rightarrow T_i'$. Furthermore, we overload the notation $\Gamma_1$ to the network of P. Let N be the network of P before Rule 1, and $\Gamma_1(N)$ the network of P after applying Rule 1 to some process $P_i$ once. If we can prove that one application of Rule 1 preserves the error state property of a protocol, then multiple applications follow.
Proposition 6.1 If a global state in N is reachable but not an error state, then either this global state is present in $\Gamma_1(N)$, which implies it is reachable but not an error state, or this global state is removed.
Proof: Because of the removal of $s_i^2$, the global states that have $s_i^2$ as their local state for process $P_i$ are removed. We now discuss the states that remain. Suppose $s \in S$ is a global state in N that is reachable but not an error state. Since s is reachable, there exists a trace $\varrho \in \Sigma_M^*$ from the initial state, $\varrho = \rho_1 \rho_2 \cdots \rho_r$, such that $s_0 \xrightarrow{\rho_1} s_1, \ldots, s_{r-1} \xrightarrow{\rho_r} s_r$ and $s_r = s$. Since s is not an error state, there is a path $\sigma \in \Sigma_M^*$ which starts from s and ends at some error state or at the initial state (in the latter case, none of the states on the trace are error states). Thus $\exists t$, t an integer, $\sigma = \rho_{r+1} \cdots \rho_t$, such that $s \xrightarrow{\rho_{r+1}} s_{r+1}, \ldots, s_{t-1} \xrightarrow{\rho_t} s_t$ and either $s_t$ is an error state or $s_t = s_0$. Then $\rho = \varrho.\sigma$ is a trace that passes through s. Let $\rho_e = +m_{l,i}$ and $\rho_f = -m_{i,k}$, where $e, f \in [1, t]$, $e < f$. Then $\rho_e$ and $\rho_f$ represent the labels of transition $s_i^1 \xrightarrow{+m_{l,i}} s_i^2$ and transition $s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ respectively.

Trace ρ must contain either both $\rho_e$ and $\rho_f$ or neither of them. We prove this by contradiction. First, suppose ρ contains $\rho_e$ and does not contain $\rho_f$. Since $\rho_f$ is an event that sends a message and can always be executed, and there is no other transition leaving state $s_i^2$, ρ will contain $\rho_f$ too. Second, suppose ρ contains $\rho_f$ and does not contain $\rho_e$. Since there is no other transition entering state $s_i^2$ except the transition with label $\rho_e$, such a ρ does not exist. Hence, there are two cases to be considered: 1) ρ contains neither $\rho_e$ nor $\rho_f$; 2) ρ contains both $\rho_e$ and $\rho_f$.

For case 1), the application of Rule 1 will not affect the ρ of s. Thus, s is not an error state in $\Gamma_1(N)$.
For case 2), let $s^{e-1}$ be the last global state that contains $s_i^1$ as its local state for process $P_i$, $s^e$ and $s^{f-1}$ the first and the last global states that contain $s_i^2$ as its local state for process $P_i$ respectively, and $s^f$ the first global state that contains $s_i^4$ as its local state for process $P_i$. Since ρ contains both $\rho_e$ and $\rho_f$, ρ can be decomposed as $\rho = \varrho'.\rho_e.\gamma.\rho_f.\sigma'$, where $s^{e-1} \xrightarrow{\rho_e} s^e$ and $s^{f-1} \xrightarrow{\rho_f} s^f$. If $s^e$ and $s^{f-1}$ are the same state, $\gamma = \varepsilon$. It is obvious that the transition with label $-m_{l,i}$ is in $\varrho'$ and that the transition with label $+m_{i,k}$ is in $\sigma'$. The transitions in γ are from processes other than process $P_i$ and are independent from both the transition with label $\rho_e$ and the transition with label $\rho_f$; otherwise, the transitions in γ could not be inserted between them because of the specification of process $P_i$. Let $\rho' = \varrho'.\rho_f.\gamma.\rho_e.\sigma'$, which is obtained by exchanging the positions of $\rho_e$ and $\rho_f$. Because of the existence of the path $s_i^1 \xrightarrow{-m_{i,k}} s_i^3 \xrightarrow{+m_{l,i}} s_i^4$ in the protocol specification of process $P_i$, trace ρ' must exist in $\Gamma_1(N)$. Thus, s is not an error state in $\Gamma_1(N)$. □

Proposition 6.2 If a global state in $\Gamma_1(N)$ is reachable but not an error state, then this global state in N is reachable but not an error state.

Proof: Trivial. Similar to the proof of Proposition 6.1. □

Proposition 6.3 A global state in N is an error state iff this global state in $\Gamma_1(N)$ is an error state.

Proof: Trivial. Similar to the proof of Proposition 6.1. □

Theorem 6.4 $\Gamma_1$ preserves the property of error states of a protocol P.

Proof: From Propositions 6.1-6.3, we know there are fewer states in $\Gamma_1(N)$, but those states in N but not in $\Gamma_1(N)$ are not error states. For those states in both N and $\Gamma_1(N)$, we have that they are not error states in N iff they are not error states in $\Gamma_1(N)$, and that they are error states in N iff they are error states in $\Gamma_1(N)$. Thus, $\Gamma_1$ preserves the property of error states of a protocol P. □

Similarly, we introduce some notation for Rule 2: $\Gamma_2$ denotes the mapping of Rule 2 from $T_i$ to $T_i'$, so we have $\Gamma_2 : T_i \rightarrow T_i'$. Furthermore, we overload the notation $\Gamma_2$ to the network of P. N is the network of P before the application of Rule 2, and $\Gamma_2(N)$ is the network of P after applying Rule 2 to some process $P_i$ once.

Theorem 6.5 $\Gamma_2$ preserves the property of error states of a protocol P.

Proof: Similar to the proof of Theorem 6.4. □

[Figure 18: Demonstration to the Invalid Reduction for Error State Verification (Invalid Rule).]

Now, we show that the following rule is not valid in terms of preserving error states. How the rule works is shown in Figure 18.

Invalid Rule: Given an n-process protocol $P = (L, \{M_{i,j} \mid (i,j) \in L\}, \{(S_i, M_i, s_i^0, \rightarrow_i)\}_{i=1}^{n})$, for any process $P_i$, $\exists s_i^1, s_i^2, s_i^3, s_i^4 \in S_i$, $m_{k,i}, m_{l,i} \in M_i$, where $k, l \in [1, n]$, $k \neq l$, if

• $(s_i^1 \xrightarrow{+m_{l,i}} s_i^2) \wedge (s_i^1 \xrightarrow{+m_{k,i}} s_i^3) \wedge (s_i^2 \xrightarrow{+m_{k,i}} s_i^4) \wedge (s_i^3 \xrightarrow{+m_{l,i}} s_i^4)$, and

• $\nexists s' \in S_i$, $m_{u,i}, m_{i,v} \in M_i$, where $u, v \in [1, n]$, such that $(s' \neq s_i^1) \wedge ((s' \xrightarrow{+m_{u,i}} s_i^2) \vee (s' \xrightarrow{-m_{i,v}} s_i^2))$ or $(s' \neq s_i^4) \wedge ((s_i^2 \xrightarrow{+m_{u,i}} s') \vee (s_i^2 \xrightarrow{-m_{i,v}} s'))$;

then remove the state $s_i^2$ and the transitions $s_i^1 \xrightarrow{+m_{l,i}} s_i^2$ and $s_i^2 \xrightarrow{+m_{k,i}} s_i^4$ from the specification of process $P_i$.

We give a counterexample in Figure 19 to show that this rule is invalid. It is a 3-process protocol. In the reachability analysis, the global states containing $s_i^2$ are not error states since the receiving transition $s_i^2 \xrightarrow{+m_{k,i}} s_i^4$ can be executed. The global states containing $s_i^3$ may be error states in N if the event sequence $+m_{1,2}\ -m_{2,1}$ is chosen rather than $+m_{1,2}\ -m_{2,3}\ -m_{2,1}$ for $T_2$. But after applying the Invalid Rule, the states containing $s_i^3$ become error states and the states containing $s_i^2$ are removed. Thus, the error states property of the reachability analysis is changed in terms of our strict definition of preserving error states.

[Figure 19: A Counterexample of the Invalid Rule for Error States Verification (T1 and the Invalid Rule).]

6.3 Preserving Channel Overflow Property

Channel overflow occurs because the physical capacity of a channel is less than the length of content produced by some possible trace. We want to prove that after the transformation of Rule 1 and Rule 2 the channel overflow property is preserved; i.e., for each channel $(i,j) \in L$, the network N of P has a channel overflow error iff $\Gamma(N)$ has a channel overflow error, where Γ is the mapping of Rule 1 or Rule 2. We have the following theorem.

Theorem 6.6 $\Gamma_1$ preserves the property of channel overflow of a protocol P.

Proof: We prove the following equivalent statement: $\forall (i,j) \in L$, there exists a trace in $\Gamma_1(N)$ whose channel content is of equal or greater length than that of the removed traces. The statement is equivalent to the above because, if the removed traces are not the only traces that have the longest content of channel (i,j), the overflow of channel (i,j) will still occur after those traces are removed.

We divide the set of all traces of N into two families: traces affected by the reduction $\Gamma_1$ and traces not affected by the reduction $\Gamma_1$. For those traces that are not affected by the reduction $\Gamma_1$, the traces remain as they were and the contents of the channels are not changed. Hence, for any $(i,j) \in L$, if the trace causes a channel overflow in N, then it also causes a channel overflow in $\Gamma_1(N)$.

For the traces affected by the reduction, we have two cases: 1) traces that only contain $+m_{l,i}$; 2) traces that contain both $+m_{l,i}$ and $-m_{i,k}$. As shown in the proof of Proposition 6.1, removed traces that only contain $-m_{i,k}$ do not exist because there is no other incoming transition of $s_i^2$ except $s_i^1 \xrightarrow{+m_{l,i}} s_i^2$ according to the requirement of Rule 1.

For case 1), traces in N that contain only $+m_{l,i}$ can be decomposed as $\rho = \varrho.+m_{l,i}.\gamma$, where ϱ is a trace from the global initial state to the last global state that contains $s_i^1$ as the local state for process $P_i$, and γ is a path starting from the first global state that contains $s_i^2$ as the local state for process $P_i$ but not surpassing the last global state that contains $s_i^2$ as the local state for process $P_i$. γ might be empty. After $\Gamma_1$, $+m_{l,i}.\gamma$ is removed from N. For channel (l,i), suppose $|\omega_{l,i}| = len$ at the last global state containing $s_i^1$. After the receiving transition $s_i^1 \xrightarrow{+m_{l,i}} s_i^2$, we have operation $del(\omega_{l,i})$ on channel (l,i), and $|\omega_{l,i}|$ is $len - 1$. According to the specification of $P_i$, we know that between $s_i^1 \xrightarrow{+m_{l,i}} s_i^2$ and $s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ it is impossible to have other receiving transitions in $T_i$. However, γ may have sending transitions from process $P_l$ to $P_i$. Let the number of such transitions be inc; then $|\omega_{l,i}| = len - 1 + inc$.

With the specification of $P_i$, because the sending transition with label $-m_{i,k}$ can always be executed and the transitions in γ are not relevant to it, we have the trace $\rho' = \varrho.-m_{i,k}.\gamma$ in $\Gamma_1(N)$. At the ending state of trace ρ', in channel (l,i) the length of the content is $len + inc$, which is obviously greater than that of ρ; for channel (i,k), the length is increased by 1 because of the sending transition $s_i^1 \xrightarrow{-m_{i,k}} s_i^3$, and we have operation $ins(\omega_{i,k}, m_{i,k})$ on channel (i,k); for any other channel except (l,i) and (i,k), ρ' has the same length as ρ.

For case 2), as we have discussed in the proof of Proposition 4.1, for each ρ of N that contains both $+m_{l,i}$ and $-m_{i,k}$, there exists ρ' in both N and N' such that $\rho = \varrho.+m_{l,i}.\gamma.-m_{i,k}.\sigma$ and $\rho' = \varrho.-m_{i,k}.\gamma.+m_{l,i}.\sigma$, where ϱ is a trace, γ and σ are paths, and both may be empty. The transitions with labels in γ and σ are not relevant to the transitions we removed. It is straightforward that at the ending state of ρ, $\forall (i,j) \in L$, ρ has the same length as ρ'. Hence, the reduction $\Gamma_1$ does not change the overflow property in this case. □
Theorem 6.7 $\Gamma_2$ preserves the property of channel overflow of a protocol P.

Proof: The proof for all traces other than those containing only $-m_{i,l}$ is similar to the proof of Theorem 6.7, so we only discuss the traces containing only $-m_{i,l}$ here. We decompose those traces as $\rho = \varrho.-m_{i,l}.\gamma$, where ϱ is a trace from the global initial state to the last global state that contains $s_i^1$ as the local state for process $P_i$, and γ is a path from the first global state that contains $s_i^2$ as the local state for process $P_i$ but not surpassing the last global state that contains $s_i^2$ as the local state for process $P_i$. γ might be empty. After $\Gamma_2$, $-m_{i,l}.\gamma$ is removed from N.

From the specification of $T_i$, we know that both transitions sending messages $-m_{i,k}$ and $-m_{i,l}$ are enabled at $s_i^1$. This means that the cause, which has the partial order relationship with these two transitions and should happen before them, has happened before $s_i^1$. Thus, the cause must be in ϱ and must not be in γ. Because of the rules of composing the network of P, there exists a trace $\rho' = \varrho.-m_{i,k}.-m_{i,l}.\gamma$ in both N and N'. At the ending state of ρ', for channel (i,k), the length is greater by 1 than that of ρ. For any other channel, the length is the same as that in ρ. Hence, the channel overflow property is preserved. □

Now we show that the Invalid Rule may not preserve the channel overflow property. The problematic traces are those containing only $+m_{l,i}$. We can decompose each such trace as $\rho = \varrho.+m_{l,i}.\gamma$, but we cannot always find a trace that has a longer content for all channels. For example, $\rho' = \varrho$ is not suitable because γ may have some sending transitions from process $P_k$ or process $P_l$ to process $P_i$; $\rho' = \varrho.+m_{k,i}.+m_{l,i}.\gamma$ is not suitable because channel (k,i) will have less length.
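As an added example (not code from the thesis), the following Python implements the choice-pattern check of Reduction Rules 1 and 2 from Section 6.1 together with a global reachability analysis over FIFO channels, and then confirms on a constructed two-process protocol that one application of Rule 1 leaves the set of error states (Section 6.2) and the longest channel contents (Section 6.3) unchanged while removing global states. The CFSM encoding, the state and message names, and the protocol itself are assumptions made for this example.

```python
"""Reduction Rule 1 (and the Rule 2 pattern check) on a CFSM, plus a global
reachability analysis over FIFO channels used to confirm that the error
states and the longest channel contents are unchanged by the reduction."""
from collections import deque

# A CFSM is {"init": state, "trans": [(src, label, dst), ...]} where a label
# is (kind, msg, peer): kind "-" sends msg to process peer, kind "+" receives
# msg from process peer.  Process ids are 1-based; channel (i, j) goes i -> j.

def find_diamond(T, rule):
    """Locate s1 -a-> s2 -b-> s4 together with s1 -b-> s3 -a-> s4 where s2 is
    touched by no other transition (the rules' second condition).  Rule 1: a is
    a receive and b a send, so s2 is on the receive-then-send path.  Rule 2: a
    and b are both sends, to different processes.  Returns the match or None."""
    tr = T["trans"]
    for (s1, a, s2) in tr:
        for (x, b, s3) in tr:
            if x != s1 or a == b:
                continue
            if rule == 1 and not (a[0] == "+" and b[0] == "-"):
                continue
            if rule == 2 and not (a[0] == b[0] == "-" and a[2] != b[2]):
                continue
            joins = ({d for (u, l, d) in tr if u == s2 and l == b}
                     & {d for (u, l, d) in tr if u == s3 and l == a})
            for s4 in joins:
                if (len({s1, s2, s3, s4}) == 4
                        and sum(s2 in (t[0], t[2]) for t in tr) == 2):
                    return (s1, s2, s3, s4, a, b)
    return None

def apply_rule(T, rule):
    """One application of the rule: drop s2 and its two transitions, if any."""
    hit = find_diamond(T, rule)
    if hit is None:
        return T
    s1, s2, s3, s4, a, b = hit
    gone = {(s1, a, s2), (s2, b, s4)}
    return {"init": T["init"], "trans": [t for t in T["trans"] if t not in gone]}

def reachability(procs, bound=8):
    """Explore the network of procs (index + 1 = process id) with FIFO channels.
    Returns (global states, error states, longest content per channel).  A
    global state with no enabled transition is an error state (deadlock or
    unspecified reception); a channel longer than bound is not explored on."""
    n = len(procs)
    chans = [(i, j) for i in range(1, n + 1) for j in range(1, n + 1) if i != j]
    init = (tuple(p["init"] for p in procs), tuple(() for _ in chans))
    seen, errors, longest = {init}, set(), {c: 0 for c in chans}
    work = deque([init])
    while work:
        locs, conts = work.popleft()
        ch = dict(zip(chans, conts))
        succ = []
        for i, p in enumerate(procs, start=1):
            for (src, (kind, msg, peer), dst) in p["trans"]:
                if src != locs[i - 1]:
                    continue
                new = dict(ch)
                if kind == "-":                     # send: append to (i, peer)
                    new[(i, peer)] = ch[(i, peer)] + (msg,)
                elif ch[(peer, i)][:1] == (msg,):   # receive: head of (peer, i)
                    new[(peer, i)] = ch[(peer, i)][1:]
                else:
                    continue                        # receive not enabled
                succ.append((locs[:i - 1] + (dst,) + locs[i:],
                             tuple(new[c] for c in chans)))
        if not succ:
            errors.add((locs, conts))
        for g in succ:
            for c, content in zip(chans, g[1]):
                longest[c] = max(longest[c], len(content))
            if g not in seen and all(len(x) <= bound for x in g[1]):
                seen.add(g)
                work.append(g)
    return seen, errors, longest

# Constructed two-process protocol.  At p0, T1 may receive y first (p0 -> p2
# -> p3, the path Rule 1 removes) or send x first (p0 -> p1 -> p3, kept).
T1 = {"init": "p0",
      "trans": [("p0", ("-", "x", 2), "p1"), ("p0", ("+", "y", 2), "p2"),
                ("p1", ("+", "y", 2), "p3"), ("p2", ("-", "x", 2), "p3"),
                ("p3", ("-", "z", 2), "p0")]}
T2 = {"init": "q0",
      "trans": [("q0", ("-", "y", 1), "q1"), ("q1", ("+", "x", 1), "q2"),
                ("q2", ("+", "z", 1), "q0")]}

def compare(procs, index, rule):
    """Analyse the network before and after reducing procs[index] with rule."""
    before = reachability(procs)
    reduced = procs[:index] + [apply_rule(procs[index], rule)] + procs[index + 1:]
    after = reachability(reduced)
    return {"states_before": len(before[0]), "states_after": len(after[0]),
            "errors_preserved": before[1] == after[1],
            "overflow_preserved": before[2] == after[2]}

if __name__ == "__main__":
    print(find_diamond(T1, 1))
    print(compare([T1, T2], 0, 1))
```

On this protocol the reduction removes one local state and one global state while the error-state set (empty) and the longest contents of channels (1,2) and (2,1) are identical before and after.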

6.4 Preserving Nonexecutable Transitions Property

When we discuss deadlock states or channel overflow, we talk about the properties of executable transitions of P. If the transitions are nonexecutable, the reduction will actually not give us relief from the state explosion problem, since those transitions will not be composed into the network of P. For Rule 1, if some transitions are removed, we will not know whether they are executable by comparing $T_i$ and the projection of N on $T_i$. However, Rule 2 can preserve the property of nonexecutable transitions by inference from the remaining transitions.
Proposition 6.8 For Rule 2, transitions $s_i^1 \xrightarrow{-m_{i,k}} s_i^3 \wedge s_i^3 \xrightarrow{-m_{i,l}} s_i^4$ are executable iff transitions $s_i^1 \xrightarrow{-m_{i,l}} s_i^2 \wedge s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ are executable.

Proof: ⇒) Suppose transitions $s_i^1 \xrightarrow{-m_{i,k}} s_i^3 \wedge s_i^3 \xrightarrow{-m_{i,l}} s_i^4$ are executable; then at least one global state containing $s_i^1$ as its local state for process $P_i$ can be reached. $s_i^1 \xrightarrow{-m_{i,l}} s_i^2 \wedge s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ are sending transitions, so they can always be executed whenever that global state is reached.
⇐) Similar proof to the other direction. □

[Figure 20: An Example to Show Rule 1 Does Not Preserve the Property of Nonexecutable Transitions (T1 and T2).]
Theorem 6.9 $\Gamma_2$ preserves the property of nonexecutable transitions of a protocol P.

Proof: From the above proposition, during the global analysis, if we find that $s_i^1 \xrightarrow{-m_{i,k}} s_i^3 \wedge s_i^3 \xrightarrow{-m_{i,l}} s_i^4$ are executable, so are $s_i^1 \xrightarrow{-m_{i,l}} s_i^2 \wedge s_i^2 \xrightarrow{-m_{i,k}} s_i^4$; otherwise, $s_i^1 \xrightarrow{-m_{i,l}} s_i^2 \wedge s_i^2 \xrightarrow{-m_{i,k}} s_i^4$ are nonexecutable. □

As far as nonexecutable transitions are concerned, Rule 1 and the Invalid Rule may not preserve the property, since there is always a chance that the receiving transitions are nonexecutable. The example in Figure 20 shows that Rule 1 does not preserve the property of nonexecutable transitions. $T_2$ must receive a message from $T_1$ before it can send a message to $T_1$. Hence, the transition $t^0 \xrightarrow{+m_{2,1}} t^2$ and the sending transition leaving $t^2$ are nonexecutable. If they are removed, there is no way to recover this information.

6.5 Summary and Examples

Now we summarize the reduction rules and their preservation of the properties of deadlock states, channel overflow and nonexecutable transitions in Table 2.

Table 2: The Properties Preservation Table of Reduction Rules

                              Rule 1   Rule 2   Invalid Rule
  Deadlock States               ✓        ✓          ✗
  Unspecified Receptions        ✓        ✓          ✓
  Channel Overflow              ✓        ✓          ✗
  Nonexecutable Transitions     ✗        ✓          ✗

Here we give a two-process protocol design which has neither a deadlock state nor nonexecutable transitions and show how Rule 1 works. Figure 21 shows the CFSMs of the protocol P and Figure 22 is the generated global specification. Because only two processes are involved, Rule 2 is not applicable. For this example, we evaluate the reduction efficiency of our method as in Table 3.

Table 3: The Efficiency Table of Reduction Rule for Example 1

            Original number        Reduced number         Reduction Efficiency
            states  transitions    states  transitions    states  transitions
  T1          7         8            1         2           14%       25%
  T2          9        12            2         4           22%       33%
  Global     36        71            5        13           14%       18%

The second example has a deadlock state and two nonexecutable transitions, which are represented by dashed lines in the protocol specification in Figure 23. Figure 24 is the generated global specification. We see that after the application of Rule 1, the deadlock state is still in the global specification and the two nonexecutable transitions are not in the global specification. For this example, we evaluate the reduction efficiency of our method as in Table 4.

[Figure 21: The Application of the Rule 1 upon Example 1. (A) The Original Protocol Specifications of the Example (T1, T2); (B) The Reduced Protocol Specifications of the Example (T1, T2).]

Table 4: The Efficiency Table of Reduction Rule for Example 2

            Original number        Reduced number         Reduction Efficiency
            states  transitions    states  transitions    states  transitions
  T1          5         5            0         0            0%        0%
  T2          7         8            1         2           14%       25%
  Global     19        28            2         5           11%       18%

[Figure 22: The Global Specification of Example 1. Note: the dashed lines mean states and transitions reduced by Rule 1.]

[Figure 23: The Application of the Rule 1 upon Example 2. (A) The Original Protocol Specifications of Example 2; (B) The Reduced Protocol Specifications of Example 2. Note: the dashed lines present non-executable transitions and states.]

[Figure 24: The Global Specification of Example 2 (a deadlock state is marked). Note: the dashed lines mean states and transitions reduced by Rule 1.]

6.6 A Discussion

In the literature, reduction techniques are performed during the global reachability analysis, but the reduction method proposed in this section is performed before the global reachability analysis. The former is dynamic and the latter is static.

As we mentioned in Section 1, in model checking based formal verification the design is interpreted as an operational model, such as Finite State Machines (FSM) or Labeled Transition Systems (LTS), and the design properties are normally modeled in a temporal logic language. From the point of view of model checking, our method transforms the protocol design before checking whether it satisfies the property. For an n-process protocol P, we denote the specification of process $P_i$ as $T_i$, the performed transformation as Γ, and the desired design property as ψ. $\|$ is a "parallel" operator which composes the processes of a protocol (that is, the processes are executed together to form the network of that protocol), and $\models$ is a binary relation operator which means "satisfies". Ideally, $(T_1 \| T_2 \| \ldots \| T_n) \models \psi$ iff $(\Gamma(T_1) \| \Gamma(T_2) \| \ldots \| \Gamma(T_n)) \models \psi$, where ψ is a general property expressed in some temporal logic language.

However, the work of this section is not that general. The limitation of our work is in two aspects: 1) limited applicability of the transformation rules, that is, only two special patterns are considered; 2) the properties we can preserve are not so general: any existing temporal language can express more properties than those we discussed, and the transformation of applying our rules may violate other properties. For example, suppose the desired property is "there exists a trace such that the event receiving message $m_{l,i}$ is followed by the event sending message $m_{i,k}$", but these transitions are removed in $T_i$ by applying Reduction Rule 1; then such a trace will never be found in the global reachability analysis. In this case, the desired property is violated. So our work may just be a start.

7 Conclusion and Future Work

In reverse engineering, when a set of observations is given, we aim at constructing a deadlock-free design from it. In [6], three construction rules were proposed to achieve this goal. In this thesis, we have improved the third rule $Rule_{neg}$. With the improved rule $Rule'_{neg}$ we take into account the contribution of the mirror of $T_1$, and only select the ones that can really help to remove the deadlock states. By this improvement, fewer states and transitions may be added to $T_2$. However, the improved $Rule'_{neg}$ may not be an optimal solution in the sense of constructing a minimum design without deadlock errors. In the future, we will continue our study to answer questions like "Does there exist an optimal solution for this problem?" or "If such a solution exists, how can it be achieved?". This method only works for 2-process protocols, and how to remove the deadlock states in n-process protocols is left as future work. Furthermore, the problem of removing unspecified receptions remains open.
In this thesis, we have also proposed a method to reduce the number of states of a protocol design right before the global reachability analysis during protocol design verification. We developed two reduction rules to deal with a specific pattern of transitions in the protocol specification. Reduction Rule 1 deals with a choice between a sending transition and a receiving transition, while Reduction Rule 2 deals with a choice between two sending transitions to different processes. When the conditions of the rules are met, some transitions can be considered redundant for the formal verification and are removed; thus, the search state space is reduced. Furthermore, Reduction Rule 1 preserves deadlock and channel overflow errors but may not preserve non-executable transition errors. Reduction Rule 2 preserves all three of these errors. In the end, we discussed the efficiency of our reduction method with two examples. The drawback of this method is that if the protocol specification does not contain any pattern conforming to the conditions of the rules, the application of our method is not effective. In this thesis, we only discuss four logical errors, namely, deadlock states, unspecified receptions, channel overflow, and non-executable transitions; verification of other, more advanced properties is left for future work. Also, we only discuss the pattern in which two paths have the same two events in a different order; discussion of paths with multiple events is left for future work.

Other possible future work includes: (1) studying the applicability of the present methods in a context where the communication channels are not FIFO; (2) studying the applicability of the present methods in a context where the communication channels are not error-free.

References
[1] R. Alur, K. Etessami, and M. Yannakakis. Inference of message sequence charts. In Proc. of the 22nd International Conference on Software Engineering (ICSE), pages 304-313, 2000.
[2] G. Bochmann. Finite state descriptions of communication protocols. In Comp. Networks, number 2, pages 361-372, 1978.
[3] D. Brand and P. Zafiropulo. On communicating finite state machines. In J. ACM, number 30, pages 323-342, 1983.
[4] J. Buchi. On a decision method in restricted second order arithmetic. In Proc. International Congr. Logic, Method and Philos. Sci. 1960, pages 1-12, 1962.
[5] R. Carver and Y. Lei. A general model for reachability testing of concurrent programs. In Proc. of ICFEM 2004, LNCS 3308, pages 76-98, 2004.
[6] J. Chen and H. Ural. Construction of deadlock-free designs of communication protocols from observations. In The Computer Journal, volume 45, 2002.
[7] T. Cheung and A. Ghedamsi. A petri-net-based synthesis algorithm for network protocol design. In TR-90-30, University of Ottawa, Dept. of Computer Science, June 1990.
[8] T. Choi. A sequence method for protocol construction. In Proc. 6th IFIP International Workshop on Protocol Specification, Testing and Verification, number 9, pages 1-18, June 1986.
[9] T. Chow. Testing software design modeled by finite-state machines. In IEEE Trans. Software Eng., volume SE-4, pages 178-197, 1978.
[10] E. Clarke, O. Grumberg, M. Minea, and D. Peled. State space reduction using partial order reduction. In Intl Journal of Software Tools for Technology Transfer, number 2, pages 279-287, 1999.
[11] P. Godefroid. Partial-order methods for the verification of concurrent systems: An approach to the state-explosion problem. In Lecture Notes in Computer Science, 1996.
[12] M. Gouda and Y. Yu. Synthesis of communicating finite-state machines with guaranteed progress. In IEEE Trans. on Commun., COM-32, pages 779-788, July 1984.
[13] F. Hennie. Fault detecting experiments for sequential circuits. In Proc. 5th Ann. Symp. Switching Circuit Theory and Logical Design, pages 95-110, 1964.
[14] J. Hopcroft and J. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 1979.
[15] G. Hwang, K. Tai, and T. Huang. Reachability testing: An approach to testing concurrent software. In International Journal of Software Engineering and Knowledge Engineering, volume 5, pages 493-510, 1995.
[16] Y. Kakuda and Y. Wakahara. Component-based synthesis of protocols for unlimited number of processes. In Proc. COMPSAC'87, pages 721-730, 1988.
[17] B. Karacali and K. Tai. Model checking based on simultaneous reachability analysis. In Proc. 7th Intl. SPIN Workshop on Model Checking of Software, pages 315-324, 2000.
[18] J. F. Kurose and K. W. Ross. Computer networking: a top-down approach featuring the Internet. Addison Wesley, 2nd edition, 2002.
[19] L. Lamport. Proving the correctness of multiprocess programs. In IEEE Transactions on Software Engineering, SE-3(2), pages 125-143, 1977.
[20] Y. Lei and K.-C. Tai. Blocking-based simultaneous reachability analysis. In Proc. 13th IEEE Intl. Symp. on Software Reliability Engineering, pages 316-326, 2002.
[21] Y. Lei, D. Kung, and Q. Ye. A blocking-based approach to protocol validation. In Department of Computer Science and Engineering, The University of Texas at Arlington, CSE-2005-2, 2005.
[22] K. Ozdemir and H. Ural. Protocol validation by simultaneous reachability analysis. In Computer Communications, number 20, pages 772-888, 1997.
[23] C. Ramamoorthy, Y. Yaw, R. Aggarwal, J. Song, and W. Tsai. Synthesis of two-party error-recoverable protocols. In ACM SIGCOMM'86 Symp., pages 227-235, 1986.
[24] K. Sabnani and A. Dahbura. A protocol test generation procedure. In Computer Networks and ISDN Syst., volume 15, pages 285-297, 1988.
[25] K. Saleh. Synthesis of communications protocols: an annotated bibliography. In ACM SIGCOMM Computer Communication Review, volume 26 of 5, pages 40-59, Oct. 1996.
[26] D. Sidhu. Rules for synthesizing correct communications protocols. In ACM SIGCOMM Computer Communication Review, volume 12, pages 35-51, Jan 1982.
[27] A. Thayse et al. From modal logic to deductive databases: Introducing a logic based approach to Artificial Intelligence. Wiley, 1989.
[28] H. Ural and H. Yenigun. Towards design recovery from observations. In Proc. of IFIP FORTE'04, volume LNCS 3235, pages 133-149, Sept 2004.

R eproduced with permission of the copyright owner. Further reproduction prohibited without permission.

REFERENCES

74

[29] R. van Glabbeek. The linear tim e - branching tim e spectrum II: The semantics
of sequential systems w ith silent moves. In Concur 93, Springer LNCS 715,
pages 66-81, 1993.
[30] M. Vardi and P. Wolper. An automata-theoretic approach to automatic pro
gram verification. In Proc. 1st Symposium on Logic in Computer Science, pages
322-331, June 1986.
[31] C. West. General technique for communications protocol validation. In IB M
J. Res. Develop., volume 22, pages 393-404, July 1978.
[32] P. Wolper. On the relation of programs and computations to models of temporal
logic. In Proc. Temporal Logic in Specification, LNCS, volume 398, pages 75123, 1989.
[33] P. Wolper, M. Vardi, and A. Sistla.

Reasoning about infinite computation

paths. In Proc. 24th IE E E Symposium on Foundations of Computer Science,
pages 185-194, 1983.
[34] P. Zafiropulo, C. West, H. Rudin, D. Cowan, and D. Brand. Towards analyzing
and synthesizing protocols. In IEEE Trans. Commun., volume COM-28, pages
651-661, Apr. 1980.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

75

Vita Auctoris

Lihua Duan was born in 1976 in Taiyuan, China. She graduated from Beijing University of Posts and Telecommunications, Beijing, China, in 1999, where she received a Bachelor's degree in Electrical and Electronic Engineering. She is currently a Master's candidate in the School of Computer Science at the University of Windsor and expects to graduate in summer 2005.


