Content uploaded by Nils Timm
Author content
All content in this area was uploaded by Nils Timm on Oct 08, 2014
Content may be subject to copyright.
On Symmetries and Spotlights –
Verifying Parameterised Systems
Nils Timm and Heike Wehrheim
Department of Computer Science, University of Paderborn
D-33098 Paderborn, Germany
{timm84,wehrheim}@uni-paderborn.de
Abstract. Parameterised model checking is concerned with verifying
properties of arbitrary numbers of homogeneous processes composed in
parallel. The problem is known to be undecidable in general. Neverthe-
less, a number of approaches have developed verification techniques for
certain classes of parameterised systems. Here, we present an approach
combining symmetry arguments with spotlight abstractions. The tech-
nique determines (the size of) a particular instantiation of the parame-
terised system from the given temporal logic formula, and feds this into
an abstracting model checker. The degree of abstraction with respect to
processes occurring during model checking determines whether the ob-
tained result is also valid for all other instantiations. This enables us
to prove safety as well as liveness properties (specified in full CTL) of
parameterised systems on very small instantiations.
Keywords: symmetry reduction, spotlight abstraction, parameterised
verification, model checking.
1 Introduction
Parameterised systems consist of an arbitrary number of homogeneous processes
usually composed in parallel. The objective in verifying parameterised systems is
to show certain correctness properties regardless of the number of processes in-
volved. Examples can be found in all sorts of distributed algorithms, like mutual
exclusion, leader election or cache coherence. Verifying parameterised systems is
undecidable in general [3]. Model checking can of course prove properties for par-
ticular instantiations by fixing the number of processes, however, this is limited
to reasonably sized numbers.
Nevertheless, a lot of approaches have been developed which verify particular
classes of parameterised systems, or which devise methods that are sound but
not complete. These include techniques which apply regular model checking [2],
induction [15] or decision procedures for second order logics [4] to the verification
of parameterised systems. Regular model checking represents sets of states by
regular expressions and performs a reachability analysis by means of transduc-
ers. This technique is quite costly as it involves a number of automata theoretic
constructions. In [1] a more efficient method has been proposed which however
J.S. Dong and H. Zhu (Eds.): ICFEM 2010, LNCS 6447, pp. 534–548, 2010.
c
Springer-Verlag Berlin Heidelberg 2010
On Symmetries and Spotlights – Verifying Parameterised Systems 535
can only treat safety properties. The approach in [4] models parameterised sys-
tems in the logic WS1S and computes an abstraction of it on which properties
can be shown. This technique requires to manually define abstraction relations.
The invisible invariants technique of [15] computes inductive invariants on small
instantiations by model checking and uses theorem proving for showing these to
be inductive on the parameterised system as well. The method of [7] also uses
model checking on small instances, where the number of instances (the cutoff)is
computed from the description of the parameterised system, given this satisfies
a particular format.
In this paper, we base our method on symmetry arguments. Symmetry and
symmetry reductions [8,10] have long been proposed to reduce the state space
in model checking. The general idea is to consider symmetric states, which only
differ in permutations of values, as equivalent. Instead of constructing the whole
state space, only equivalence classes (orbits) are built. These symmetries may
refer to data values as well as process names. Parametric systems are inherently
symmetric: usually either all processes are similar, or they can at least be divided
into (a finite number of ) classes of similar processes. The symmetry idea is
applied in [7] to compute cutoffs, and in a sense also in [16], which counts the
number of (symmetric) processes being in particular states.
Similar to [7] we will compute the size of an instance of the parameterised
system. However, this size is not determined from the system description but
straightforwardly from the temporal logic formula used to specify the correctness
property. The size is simply 1 plus the number of different process variables
occurring in the formula. If we for instance want to show a mutual exclusion
property over a parameterised system, specified as
∀i,j,i=j:AG¬(i@crit ∧j@crit)
(no processes iand jcan ever be at their critical sections at the same time), the
size is three (one process in addition to those mentioned). The parameterised sys-
tem is instantiated with this number and the instantiation is fed into the model
checker 3Spot [17]. 3Spot is our three-valued model checker [17] which employs
both predicate abstraction and spotlight abstraction [18]. The third value “don’t
know” is used to represent unknowns which may arise due to the abstraction.
Since we use a three-valued logic both true and false results can be transferred
to the unabstracted system, only an unknown result necessitates abstraction
refinement.
It is however the principle of spotlight abstraction which helps us towards our
goal of proving (or disproving) the property not only for the particular instance
but for the parameterised system as a whole. Spotlight abstractions completely
abstract away the processes whose behaviour is irrelevant for the property to
be checked. If the additional process in the instantiation is not drawn into the
spotlight during the model checking run (i.e. completely abstracted away), the
obtained result is valid for the parameterised system as well. Thus, it is the
degree of abstraction occurring during the model checking run which tells us
whether we can transfer our result to any number of processes. Since we employ
536 N. Timm and H. Wehrheim
a three-valued model checker this holds for “true” and “false” results. Only in
case that the additional process is moved into the spotlight, the result tells us
nothing about the parameterised system.
The method currently works for completely symmetric systems (all processes
the same, statements do not depend on process identifiers) as well as systems
in which the processes can be divided into classes of similar programs. It allows
for communication via shared variables. We exemplify the technique on a simple
mutual exclusion and a readers/writers algorithm. The technique can be clas-
sified as being completely automatic, usually carrying out checks on very small
instances (since the properties usually refer to a very limited number of different
processes, most often just two) and thus being fast, and being sound but not
complete.
2 Definitions
We look at systems of the following form (called fully symmetric systems):
global u1:type,...,ul:type where ϕginit
n
i=1 Pi:: local v1:type,...,vh:type where ϕlinit
some program text
where u1,u2... are global variables from some set Vg,v1,v2... are local vari-
ables from a set Vland P1to Pnare identical processes. For both local and
global variables an initialisation is given in terms of a formula ϕ(ϕlinit ,ϕ
ginit ,
respectively). We assume this to give us a unique initial value for all variables
(initialisation predicates are deterministic). We furthermore implicitly assume
the set of local variables to contain a dedicated variable pc , a program counter.
The numbers 1 to nact as process identifiers,fromasetPID =[1..n]. Within
a process Pi, its process id cannot be referred to, and the local state of Piis
not accessible by Pj,i=j. The processes are completely symmetric, i.e. each
process Piexecutes exactly the same code. For convenience we sometimes just
write P=||n
i=1 Pi.
The following example of a mutual exclusion algorithm by means of a sema-
phore serves for illustrating our technique for fully symmetric systems (written
in a language similar to SPL [13]):
global y:sem where y=1
n
i=1 Pi::
⎡
⎢
⎢
⎢
⎢
⎣
loop forever do
⎡
⎢
⎢
⎣
0: Non-Critical
1: request y;
2: Critical
3: release y;
⎤
⎥
⎥
⎦
⎤
⎥
⎥
⎥
⎥
⎦
Astate of such a system consists of a valuation of the global variables Vgand -
for every process - valuations of the local variables, with values taken from some
On Symmetries and Spotlights – Verifying Parameterised Systems 537
domain D. We define V=Vg∪(Vl×PID) to be the overall set of variables
and hence a state is a mapping s:V→D. We refrain from explicitly defining
types and type-preserving assignments. We assume to have - amongst others - a
domain for locations called Loc, and the variable pc is assigned to values of Loc
only. The valuation of a global variable v∈Vgin a state sis denoted by s(v),
the valuation of a local variable v∈Vlof a process Piin sis denoted by s(v,i).
The set Vi=Vg∪Vlis the set of variables of a single process Pi,andwewrite
s[i] to describe the local view of Pion a state s:forv∈Vg,s[i](v)=s(v), and
for v∈Vl,s[i](v)=s(v,i).
Transitions in such systems are caused by some local process Piexecuting
its next statement (if enabled). The transitions of process Piare described by a
predicate Rion primed and unprimed global and local variables. The predicate
Riis derived from the program text, and consequently in our setting of fully
symmetric systems predicates Riare the same for all i∈PID. The predicate Ri
for the mutual exclusion example is
(pc =0∧pc=1∧y=y)
∨(pc =1∧y=1∧pc =2∧y=0)
∨(pc =2∧pc=3∧y=y)
∨(pc =3∧y=0∧y=1∧pc=0)
We write Ri(s[i],s[i]) to describe the case when the predicate Riis true for the
local views: (s[i],s[i]) |=Ri.
As a computational model for our systems we use Kripke structures.
Definition 1. AKripke structure over a set of atomic propositions AP is a
4-tuple K =(S,s0,R,L)where
–S is a set of states,
–s0∈S is the initial state,
–R:S×S→{true ,false}is a transition function,
–L:S×AP →{true,false}is a function labelling states with atomic propo-
sitions.
Apathτof a Kripke structure Kis an infinite sequence of states s0s1s2... with
R(si,si+1)=true;τidenotes the i-th state of τand Tsdenotes the set of all
paths starting in s∈S.
As atomic propositions we use the following: (v=d) for global variables
v∈Vgand data values d∈D,(i@l)foraprocessidiand a location l,and
(v@i=d) for a local variable v∈Vl, a process id iand a data value d.Fora
symmetric system P=||n
i=1 Pi, we define its Kripke structure K=(S,s0,R,L)
as follows:
–States: S:= V→D(the set of type-preserving valuations to variables),
–Initial state: s0:= s∈Swith sVg|=ϕginit ∧∀i∈PID :s[i]|=ϕlinit
(due to the initialisation predicates being deterministic, this gives us the
same initial values for the local variables in all processes),
538 N. Timm and H. Wehrheim
–Transition relation:
R(s,s):=∃i∈[1..n]:Ri(s[i],s[i])
∧∀j=i,∀v∈Vl:s[j](v)=s[j](v),
–Labelling function:
L(s,p):=⎧
⎨
⎩
s(v)=dfor p=(v=d)
s(pc,i)=lfor p=(i@l)
s(v,i)=dfor p=(v@i=d).
For specifying properties of Kripke structures we use the computational tree
logic (CTL). In the next section we will see that CTL is the base logic only,
the properties we actually like to show about parameterised systems are a little
more complicated since we wish to quantify over processes.
Definition 2. LetAPbeasetofatomicpropositionsandp∈AP. The syntax
of CTL is given by
ψ::= p|¬ψ|ψ∨ψ|ψ∧ψ|EX ψ|AX ψ|EF ψ|
AF ψ|EGψ|AGψ|E[ψUψ]|A[ψUψ].
The validity of a CTL formula ψon a Kripke structure Kis denoted by K,s0|=ψ.
Definition 3. Let K =(S,s0,R,L)be a Kripke structure over AP, p ∈AP and
ψ∈CTL. Then the evaluation of ψin a state s of K , K ,s|=ψ, is inductively
defined as follows
K,s|=p:= L(s,p)
K,s|=¬ψ:= ¬(K,s|=ψ)
K,s|=ψ∨ψ:= K,s|=ψ∨K,s|=ψ
K,s|=EX ψ:= s∈SR(s,s)∧K,s|=ψ
K,s|=EGψ:= τ∈Tsi∈N(K,τ
i|=ψ)
K,s|=E[ψUψ]:=τ∈Tsi∈N((K,τ
i|=ψ)∧0≤j<i(K,τ
j|=ψ))
(The remaining CTL operators can be derived by the usual dualities.)
3 Symmetries
Here, we look at Kripke structures representing parameterised systems P=||n
i=1
Pi. We like to show properties of such systems for all the processes in it, thus
our property formulae take the following form:
∀i1,...,id,(il=ij)1≤l,j≤d,l=j:ψ(i1,...,id)
where i1to idare variables for process identifiers and ψ∈CTL. The number
dof process variables appearing in a formula Fis called the process diameter
On Symmetries and Spotlights – Verifying Parameterised Systems 539
of F. The following two formulae express properties we would like to show for
our mutual exclusion algorithm: F1:∀i,j,i=j:AG ¬(i@2 ∧j@2) (a safety
property about mutual exclusion, process diameter 2) and F2:∀i,j,i=j:
AG((i@2 ∧j@1) ⇒AF (j@2)) (a liveness property about starvation freedom,
process diameter 2).
The ultimate goal is to show such properties F(i1,...,id) for any number of
processes running in parallel, i.e. show that ∀N>d:K,s0|=F(i1,...,id)
where Kis the Kripke structure representing ||N
i=1 Pi.
For the verification we want to exploit the symmetry in such systems and there-
fore use a technique inspired by symmetry reductions [8]. The symmetries con-
cern process ids only, i.e. we permute processes, but no data variables.
Definition 4. Aprocess permutation is a bijective function π:PID →PID .
Process permutations can be lifted to states: for a state swe define π(s)asfol-
lows: π(s)(v)=s(v) in case of global variables v∈Vg,andπ(s)(v,i)iss(v,π(i))
in case of local variables including the program counters. Process permutations
can also be applied to atomic propositions: π(v=d)=(v=d),π(i@l)=
(π(i)@l)andπ(v@i=d)=(v@π(i)=d).
For using process permutations for verification, they should in some sense pre-
serve the semantics of systems:
Definition 5. Aprocesspermutationπis a symmetry for a Kripke structure
K=(S,s0,R,L)if the following conditions are met
1. R(s,s)⇔R(π(s),π(s)),
2. for all atomic propositions p ∈AP :
L(s,p)⇔L(π(s),π(p)),
3. π(s0)=s0.
Note that in contrary to permutations used in classical symmetry reduction, we
apply the permutation on the atomic propositions as well, i.e. we do not require
L(s,p)⇔L(π(s),p).
Proposition 1. On fully symmetric systems all process permutations are sym-
metries.
Proof. First, we look at the transition relation. We only show the ’⇒’-direction.
The ’⇐’-direction is proved analogously.
R(s,s)⇒∃i∈[1..n]:Ri(s[i],s[i])
∧∀j=i,∀v∈Vl:s[j](v)=s[j](v)
⇒∃h=π(i):Rπ(i)(π(s[i]),π(s[i]))
∧∀j=h,∀v∈Vl:π(s[j])(v)=π(s[j])(v)
⇒R(π(s),π(s))
540 N. Timm and H. Wehrheim
Second, the labelling function. Here, we have to distinguish three cases:
1. p=(v=d):
L(s,(v=d))
⇔s(v)=d
⇔π(s)(v)=d
⇔L(π(s),(v=d))
⇔L(π(s),π(v=d))
2. p=(i@l):
L(s,(i@l))
⇔s(pc,i)=l
⇔π(s)(pc,π(i)) = l
⇔L(π(s),π(i)@l)
⇔L(π(s),π(i@l))
3. p=(v@i=d):
L(s,(v@i=d))
⇔s(v,i)=d
⇔π(s)(v,π(i)) = d
⇔L(π(s),π(v@i=d)) 2
If a process permutation is a symmetry, then we can also permute paths in the
Kripke structure, thereby again getting valid paths.
Proposition 2. Let πbe a symmetry for a Kripke structure K =(S,s0,R,L)
and τ=s0s1s2... a path in K . Then π(τ)=π(s0)π(s1)π(s2)... isapathinK
as well with L(si,p)=L(π(si),π(p)) for all atomic propositions p ∈AP and
i∈N.
This is a key property for our symmetry argument since it lets us prove proper-
ties about certain subsets of processes which will then also hold for other subsets
gained by permutation. In general our approach to verifying properties about
symmetric systems works as follows. For a formula ∀i1,...,id:ψ(i1,...,id)we
first of all only consider the temporal logic part, i.e. ψ(i1,...,id). For deter-
mining its validity for a symmetric system, we instantiate the process variables
ijwith concrete values pj∈PID (pairwise different) and look at the formula
ψ(p1,...,pd). Our first theorem states that the application of a permutation
does not change the validity of such properties.
Theorem 1. Let ||n
i=1 Pibe a fully symmetric system, K =(S,s0,R,L)the
corresponding Kripke structure over AP and πa process permutation which is a
symmetry for K . Moreover, let ψbe a CTL formula and s ∈S. Then
K,s|=ψ(p1,...,pd)⇔K,π(s)|=ψ(π(p1),...,π(pd)) .
Proof. Induction on the structure of ψ. The argumentation is based on Defini-
tion 5 and Proposition 2. For short we write ψfor ψ(p1,...,pk)andπ(ψ)for
ψ(π(p1),...,π(pk)).
On Symmetries and Spotlights – Verifying Parameterised Systems 541
–ψ=p,p∈AP:
K,s|=p
⇔L(s,p)
⇔L(π(s),π(p))
⇔K,π(s)|=π(p)
–ψ=¬ψ1:
K,s|=ψ
⇔K,s/|=ψ1
⇔K,π(s)/|=π(ψ1)
⇔K,π(s)|=π(ψ)
–ψ=ψ1∨ψ2:
K,s|=ψ
⇔K,s|=ψ1∨K,s|=ψ2
⇔K,π(s)|=π(ψ1)∨K,π(s)|=π(ψ2)
⇔K,π(s)|=π(ψ)
–ψ=EX ψ1:
K,s|=ψ
⇔s∈SR(s,s)∧K,s|=ψ1
⇔π(s)∈SR(π(s),π(s)) ∧K,π(s)|=π(ψ1)
⇔K,π(s)|=π(ψ)
–ψ=EGψ1:
K,s|=ψ
⇔τ∈Tsi∈N(K,τ
i|=ψ1)
⇔π(τ)∈Tπ(s)i∈N(K,π(τi)|=π(ψ1))
⇔K,π(s)|=π(ψ)
–ψ=E[ψ1Uψ2]:
K,s|=ψ
⇔τ∈Tsi∈N((K,τ
i|=ψ2)∧0≤j<i(K,τ
j|=ψ1))
⇔π(τ)∈Tπ(s)i∈N((K,π(τi)|=π(ψ2)) ∧0≤j<i(K,π(τj)|=π(ψ1)))
⇔K,π(s)|=π(ψ)2
This is all we need with respect to symmetries: for symmetric systems a property
is true if and only if its permutation is true. Up to here, we however have no
means of dealing with the ∀N>din our formulae. For parameterisation we
next combine this technique with spotlight abstractions.
4 Spotlights
By having instantiated our formula with concrete process ids, we have obtained
alocal property, referring to only some of the processes in PID. Instantiations
of F1and F2could be AG ¬(1@2 ∧2@2) and AG ((1@2 ∧2@1) ⇒AF (2@2)),
respectively. Local properties of parallel processes can be checked using spotlight
542 N. Timm and H. Wehrheim
abstractions and the tool 3Spot. 3Spot is a verification tool based on the concept
of predicate abstraction and abstraction refinement [17], which - however - does
not only apply predicate abstraction to the code of processes in a parallel com-
position but also abstracts away complete processes. Those processes that are
referred to in the property to be checked are taken into the spotlight whereas all
others are kept in the shade. On the processes in the spotlight we apply ordinary
predicate abstraction. The processes in the shade are automatically abstracted
into one approximative process P⊥. This process only coarsely reflects the be-
haviour of the shade processes. In particular, P⊥neglects the original control
flow of the processes in the shade. Instead it approximates operations on global
variables occurring in shade processes by continuously modifying predicates over
those variables. Due to the approximative character of P⊥and the inherent loss
of information about the shade processes, predicates might be set to unknown.
“Unknown” is in fact a valid value as we operate with three-valued logics (Kleene
logic [9]), where predicates can be true, false or unknown.
Spotlight abstraction now works as follows:
1. We start with a spotlight which only contains those processes the property
formula speaks about. For the verification, we construct a predicate abstrac-
tion of these processes and combine this in parallel with the approximative
process representing all processes in the shade.
2. On this abstraction the formula is checked. If the check returns true or false,
we are done. The result also holds for the non-abstracted, original system.
3. If the check returns “unknown”, the abstraction needs to be refined. We
either add a new predicate, or take one process out of the shade into the
spotlight. Then we proceed with step 2.
Note that P⊥only modifies predicates about global variables. Thus, any set of
shade processes which share the same operations on global variables Vgwill
give us the same approximative process PVg
⊥. For our semaphore example and
the predicate (y= 1) an arbitrary number of processes in the shade would be
automatically abstracted into
P{y}
⊥:: ⎡
⎣
loop forever do
(y=1):=false if (y=1)=false
unknown else
⎤
⎦
approximating the possible operations request and release on the global sema-
phore variable y.
For employing 3Spot in our verification procedure for parametric systems, we do
not only have to instantiate process variables in the formula, but we also have
to fix the number nof processes in ||n
i=1 Pi. This number is set to d+ 1, i.e. one
more than the process diameter of the formula, in the case of formula F1thus
to 3. Now we check the following property with 3Spot
P1|| P2|| P3|=AG ¬(1@2 ∧2@2) ?
On Symmetries and Spotlights – Verifying Parameterised Systems 543
Since the property is only referring to processes 1 and 2, the abstraction starts
with 1 and 2 in the spotlight. It turns out that throughout the whole model
checking procedure process 3 is kept in the shade and the verification succeeds
with a definite answer (yes) without ever considering process 3. More specifically,
3Spot shows the following to be true:
P1|| P2|| P{y}
⊥|=AG¬(1@2 ∧2@2)
Here, P{y}
⊥is the abstraction of process 3. As explained above this is also the
abstraction of any number of parallel processes performing request and release
operations on the global variable y. The correctness result for spotlight abstrac-
tion now lets us transfer this result to the original parallel system.
Theorem 2. Let (||d
i=1 Pi)|| PVg
⊥be a spotlight abstraction of a symmetric
system for which checking property ψ(1,...,d)yields true. Then for any N >d
we get
||N
i=1 Pi|=ψ(1,...,d).
Proof: In [17] we have shown that if (||d
i=1 Pi)|| PVg
⊥is a spotlight abstraction
of a parallel system with a fixed number of processes and ψ(1,...,d) yields true
for (||d
i=1 Pi)|| PVg
⊥then we can transfer this result to the unabstracted system.
Here, we consider symmetric systems of an arbitrary size. Due to symmetry, the
approximative process PVg
⊥and therefore the entire spotlight abstraction is the
same for any number N>dof processes. 2
In the next step, we need to transfer the result for particular process identities to
arbitrary process variables. Theorem 1 exactly allows us to do this: verification
results for (1,...,d) also hold for all permutations of (1,...,d). Since all possible
instantiations of process variables i1to idcan be obtained this way (note that
we required all variable values to be pairwise different), the verification result
also holds in general.
Corollary 1. Let (||d
i=1 Pi)|| PVg
⊥be a spotlight abstraction of a symmetric
system for which checking property ψ(1,,...,d)yields true. Then the following
holds:
∀N>d:||N
i=1 Pi|=∀i1,...,id,(il=ij)1≤l,j≤d,l=j:ψ(i1,...,id)
An analogue result is achieved for negative outcomes of the model checking runs:
outcome “false” can also be transferred to the full system. In summary, we have
the following verification steps: For a symmetric parameterised system ||n
i=1 Pi
and a formula Fexecute the following steps for checking ∀N:||N
i=1 Pi|=F:
1. Determine the process diameter dof F.
2. Instantiate Fwith process identities 1 to dfor i1to id:ψ(1,...,d).
3. Check P1|| ... || Pd|| Pd+1 |=ψ(1,...,d).
4. If the result is “yes”/“no” and Pd+1 is not in the spotlight in the final
abstraction, return true/false.Elsereturnunknown.
544 N. Timm and H. Wehrheim
The obtained result is by symmetry then a valid result for the parameterised
system. In this manner we can also disprove the liveness property F2by having
only two processes in the spotlight.
3Spot might take the process Pd+1 into the spotlight. In this case a defi-
nite outcome cannot be transferred to the full system because then there is no
approximative process representing an arbitrary number of additional process
instances. Hence, it is unknown whether ψholds for all instantiations of the
parameterised system. So this approach gives us a fully automatic, sound but
not complete procedure for reasoning about parameterised, symmetric systems.
5 Generalisation
Our approach can be generalised to classwise symmetric systems. Such systems
are not fully symmetric, but they consist of classes of symmetric processes. An
example for a system consisting of two classes is the following solution to the
readers/writers problem:
global y:sem where y=nRd
i∈PIDRd Readeri::
⎡
⎢
⎢
⎢
⎢
⎣
loop forever do
⎡
⎢
⎢
⎣
0: Non-Critical
1: request (y,1);
2: Critical-Write
3: release (y,1);
⎤
⎥
⎥
⎦
⎤
⎥
⎥
⎥
⎥
⎦
j∈PIDWrt Writerj::
⎡
⎢
⎢
⎢
⎢
⎣
loop forever do
⎡
⎢
⎢
⎣
0: Non-Critical
1: request (y,nRd );
2: Critical-Write
3: release (y,nRd );
⎤
⎥
⎥
⎦
⎤
⎥
⎥
⎥
⎥
⎦
Here, we have two classes of processes, readers and writers. Furthermore, nRd
is a parameter associated with the number of reader processes. The semantics
of the semaphore statements request (y,c)andrelease (y,c)aregivenby
await y≥c;y:= y−cand y:= y+c, respectively. Thus, the generalised
semaphore yensures that multiple (up to nRd ) readers can enter the critical
section at the same time, whereas if one writer is modifying data, no other
process has access to the critical section. All readers and all writers execute the
same program code. More generally, a classwise symmetric system consisting
of kclasses is defined as P=||k
m=1 Pmwhere Pm=||i∈PIDmPiis a parallel
composition of fully symmetric processes of a class mwith process identifiers
from a set PID m.AllsetsPID m,wherem∈[1..k], are pairwise disjoint. Thus,
On Symmetries and Spotlights – Verifying Parameterised Systems 545
every process in a classwise symmetric system has a unique id. All classes share
a set of global variables Vgwhereas each class has a distinct set of local variables
Vm
lwith ∀m1,m2∈[1..k]:Vm1
l,Vm2
lpairwise disjoint. Furthermore, each Vm
l
contains a dedicated program counter pcm. The overall set of variables of Pis
V=Vg∪k
m=1(Vm
l×PIDm).
Given this setting, we can define the semantics in a way similar to fully sym-
metric systems. States of a classwise symmetric system are defined as mappings
s:V→D. The local view of a process Piin a state sis again denoted by s[i],
referring to its unique identifier i. Transitions in such a system caused by the
execution of a statement in some process Piare described by a predicate Rion
the primed and unprimed local views of Pi. Due to the symmetry of processes
in a class m,predicatesRiare the same for all i∈PIDm.
Classwise symmetric systems can be represented as Kripke structures as well.
As atomic propositions we use the same as before: (v=d), (i@l)and(v@i=d).
For a system P=||k
m=1 Pmwith Pm=||i∈PIDmPithe corresponding Kripke
Structure K=(S,s0,R,L) is defined as follows:
–States: S:= V→D,
–Initial state: s0:= s∈Swith sVg|=ϕginit ∧∀m∈[1..k],∀i∈PIDm:
s[i]|=ϕlinitm,
–Transition function:
R(s,s):=∃m∈[1..k],∃i∈PIDm:Ri(s[i],s[i])
∧∀i2∈PID m,i2=i,∀v∈Vm
l:s[i2](v)=s[i2](v)
∧∀m2=m,∀j∈PID m2,∀v∈Vm2
l:s[j](v)=s[j](v),
–Labelling function:
L(s,p):=⎧
⎨
⎩
s(v)=dfor p=(v=d)
s(pcm,i)=lfor p=(i@l),i∈PIDm
s(v,i)=dfor p=(v@i=d),i∈PID m,v∈Vm
For classwise symmetric systems P=||k
m=1 Pmwe like to show properties that
refer to distinct classes but arbitrary processes in each class. More precisely, a
property formula takes the following form:
F=∀i1
1,...,i1
d1,...,∀ik
1,...,ik
dk:ψ(i1
1,...,i1
d1,...,ik
1,...,ik
dk)
where ψ∈CTL and im
1to im
dmwith m∈[1..k] are pairwise different variables
for process identifiers in PIDm.Thus,foreveryclassmreferred in Fthere is
a distinct process diameter dm. For our readers/writers example we have two
classes of symmetric processes: readers with the corresponding set of process
identifiers PIDRd and writers with PIDWrt . A safety property about mutual
exclusion (no reading and writing at the same time, and no writing concurrently)
can be formalised as: F3:∀i∈PIDRd ,∀j1,j2∈PIDWrt :AG¬(i@2 ∧j2@2) ∧
AG¬(j1@2 ∧j2@2) where the process diameter is 1 for readers and 2 for writers.
546 N. Timm and H. Wehrheim
Since we like to show such properties for an arbitrary number of processes
from each class running in parallel, we want exploit the symmetry again. As the
considered systems are not fully but classwise symmetric, we need a new notion
of process permutations.
Definition 6. Aclass-sensitive process permutation is a bijective function π:
k
m=1 PIDm→k
m=1 PIDmwith i ∈PID m⇔π(i)∈PID mfor all m ∈[1..k]
and i ∈PID m.
Class-sensitive permutations preserve the class affiliation of process identifiers.
Hence, on classwise symmetric systems all class-sensitive process permutations
are symmetries. Alike the fully symmetric case, we get the following result:
Theorem 3. Let ||k
m=1 Pmbe a classwise symmetric system, K =(S,s0,R,L)
the corresponding Kripke structure over AP and πa class-sensitive process
permutation which is a symmet ry for K . Moreover, let s ∈Sandψbe a
CTL formula referring to concrete process identifiers pm
j∈PIDm,j∈[1..dm],
m∈[1..k].Then
K,s|=ψ(p1
1,...,p1
d1,...,pk
1,...,pk
dk)
⇔K,π(s)|=ψ(π(p1
1),...,π(p1
d1),...,π(pk
1),...,π(pk
dk)) .
Thus, applying class-sensitive permutations preserves the validity of CTL prop-
erties referring to part icular processes of a classwise symmetric system. Via the
spotlight technique we can extend this result to formulas referring to arbitrary
processes. The process PVg
⊥now approximates all operations on global variables
occurring in any class of the considered system. Here, PID m
dmdenotes an arbi-
trary subset of PIDmwith dmelements.
Theorem 4. Let (||k
m=1||i∈PID m
dmPi)|| PVg
⊥be a spotlight abstraction of a class-
wise symmetric system for which checking property ψ(p1
1, ..., p1
d1, ..., pk
1, ..., pk
dk)
yields true. Then the following holds:
∀N1>d1, ..., Nk>dk:
||k
m=1||i∈PID m
NmPi|=∀i1
1, ..., i1
d1, ..., ∀ik
1, ..., ik
dk:ψ(i1
1, ..., i1
d1, ..., ik
1, ..., ik
dk)
As before, negative outcomes can be transferred to the original system as well.
This result lets us exploit once again symmetries to verify parameterised sys-
tems by using spotlight abstractions; now for a generalised notion of symmetric
systems, called classwise symmetric systems. For our readers/writers example
we can prove the safety property F3via 3Spot by taking just one reader process
and two writer processes into the spotlight. The verification was performed in
0.83s(on a 2.40GHz Core 2 Duo Windows system with 3GB memory).
6Conclusion
In this paper we have proposed a verification technique for parameterised systems.
It provides for a sound proof technique for full CTL properties by a combination
On Symmetries and Spotlights – Verifying Parameterised Systems 547
of symmetry reduction and spotlight abstraction. In case that the spotlight ab-
straction draws too many processes into the spotlight, the validity of properties
for the parameterised system is however left open. In the future we therefore intend
to investigate whether this technique can give us more results when we use larger
instantiations, i.e. larger than ”1 plus process diameter”. This might be essential
for reasoning about several liveness properties: the formula F4:∀i:AG(i@1 ⇒
AF (i@2)) refers to a single process only. Thus, the process diameter is one. How-
ever, for proving or disproving starvation freedom it is obviously necessary to have
at least one ”adversary” process in the spotlight and therefore an instantiation
larger than d+ 1. Further investigation might allow us to find appropriate instan-
tiation sizes for distinct types of temporal logic formulae. Moreover, our approach
could be easily modified to an iterative but possibly infinitely running procedure:
We gradually add processes Pd+2,Pd+3 ,...to the instantiation until we get a def-
inite answer without having all process instances in the spotlight. This might not
terminate in all cases (e.g. when the property cannot be proven on a finite-state
abstraction). Anyway, the formula F4can be disproved for the mutual exclusion
example in this way within two iterations and 0.25s.
Related work. The generally undecidable problem of parameterised verification
has received a lot of attention in research. Several approaches (e.g. [8,5,7,14])
try to bypass this problem by summarising the considered system by a finite in-
stantiation, based on symmetry arguments. From Clarke et al. [5] we have taken
the idea of exploiting symmetry under permutations. In our work permutations
are furthermore applied to atomic propositions which is also done in [11]. The
work most closely related to ours is that of Emerson and Kahlon [7] who reduce
reasoning for parameterised systems of an arbitrary size to systems of a small
cutoff size. Contrary to the process diameter in our technique the cutoff size
does not depend on the property but on the description of the system. More-
over, their method is complete but restricted to processes of a certain structure
and properties in a fragment of CTL∗\X. Similar to [7], Namjoshi [14] proposes
a cutoff-based verification technique for parameterised systems with less restric-
tions to the structure of the processes but limited to safety properties.
The principle of spotlight abstraction was first introduced by Wachter and
Westphal [18] and later enriched with three-valued semantics in our previous
work [17]. To the best of our knowledge, we are the first to combine symmetry
reduction and spotlight abstraction in parameterised model checking. In former
approaches symmetry reduction has been used in combination with partial order
reduction [6] and heuristic search [12].
Acknowledgement. We thank Daniel Wonisch for help with extending 3Spot.
References
1. Abdulla, P.A., Delzanno, G., Henda, N.B., Rezine, A.: Monotonic abstraction: on
efficient verification of parameterized systems. Int. J. Found. Comput. Sci. 20(5),
779–801 (2009)
548 N. Timm and H. Wehrheim
2. Abdulla, P.A., Jonsson, B., Nilsson, M., Saksena, M.: A survey of regular model
checking. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp.
35–48. Springer, Heidelberg (2004)
3. Apt, K.R., Kozen, D.: Limits for automatic verification of finite-state concurrent
systems. Inf. Process. Lett. 22(6), 307–309 (1986)
4. Baukus, K., Lakhnech, Y., Stahl, K.: Parameterized verification of a cache co-
herence protocol: Safety and liveness. In: Cortesi, A. (ed.) VMCAI 2002. LNCS,
vol. 2294, pp. 317–330. Springer, Heidelberg (2002)
5. Clarke, E.M., Jha, S., Enders, R., Filkorn, T.: Exploiting symmetry in temporal
logic model checking. Formal Methods in System Design 9(1/2), 77–104 (1996)
6. Emerson, E., Jha, S., Peled, D.: Combining partial order and symmetry reduc-
tions. In: Brinksma, E. (ed.) TACAS 1997. LNCS, vol. 1217, pp. 19–34. Springer,
Heidelberg (1997)
7. Emerson, E.A., Kahlon, V.: Reducing model checking of the many to the few.
In: McAllester, D. (ed.) CADE 2000. LNCS, vol. 1831, pp. 236–254. Springer,
Heidelberg (2000)
8. Emerson, E.A., Sistla, A.P.: Symmetry and model checking. In: Courcoubetis, C.
(ed.) CAV 1993. LNCS, vol. 697, pp. 463–478. Springer, Heidelberg (1993)
9. Fitting, M.: Kleene’s three valued logics and their children. Fundamenta Informat-
icae 20(1-3), 113–131 (1994)
10. Ip, C.N., Dill, D.L.: Better verification through symmetry. Formal Methods in
System Design 9(1/2), 41–75 (1996)
11. Leuschel, M., Butler, M.J., Spermann, C., Turner, E.: Symmetry reduction for b
by permutation flooding. In: B, pp. 79–93 (2007)
12. Lluch-Lafuente, A.: Symmetry reduction and heuristic search for error detection in
model checking. In: 2nd Workshop on Model Checking and Artificial Intelligence
(MoChArt), pp. 77–86 (2003)
13. Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems: Safety. Springer,
New York (1995)
14. Namjoshi, K.S.: Symmetry and completeness in the analysis of parameterized sys-
tems. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 299–313.
Springer, Heidelberg (2007)
15. Pnueli, A., Ruah, S., Zuck, L.D.: Automatic deductive verification with invisible
invariants. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp.
82–97. Springer, Heidelberg (2001)
16. Pnueli, A., Xu, J., Zuck, L.D.: Liveness with (0, 1, infinity)-counter abstraction.
In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 107–122.
Springer, Heidelberg (2002)
17. Schrieb, J., Wehrheim, H., Wonisch, D.: Three-valued spotlight abstractions. In:
Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 106–122.
Springer, Heidelberg (2009)
18. Wachter, B., Westphal, B.: The spotlight principle. In: Cook, B., Podelski, A. (eds.)
VMCAI 2007. LNCS, vol. 4349, pp. 182–198. Springer, Heidelberg (2007)