Chapter 2:

Modelling Concurrent Systems

Prof. Ali Movaghar

Verification of Reactive Systems
Spring 91
Outline

A prerequisite for model checking is to
provide a model of the system.

We introduce transition systems, a standard class
of models to represent hardware and software
system.

We explain different aspects for modeling
concurrent systems.

Finally we explain about the state-space explosion
problem encountered in model checking!

2
Transition Systems

Transition Systems (TSs) model the
behavior of systems.

TSs are directed graphs where nodes
and edges represent states and
transitions respectively.

3
Transition Systems (Con.)

A state describes information about a
system at a certain moment of its
behavior:

The current color of a traffic light.

The current values of all program variables
+ the program counter.

The current value of the registers together
with the values of the input bits.

4
Transition Systems (Con.)

Transitions specify how the system evolve
from one state to another.

A switch from one color to another (for traffic
light).

The execution of a program statement

The change of the registers and output bits for a
new input.

In following we formally define a transition
system.

5
Transition Systems (Con.)

Definition: A transition system TS is a tuple
(S,Act,→,I,AP,L) where:

S is a set of states;

Act is a set of actions;

→⊆ S×Act×S is a transition relation;

I⊆ S is a set of initial states;

AP is a set of atomic proposition, and

L: S → 2AP is a labeling function.

TS is called finite if S, Act, and AP are finite.
6
Transition Systems (Con.)
α

We write s  → s′ instead of (s, α,s′) ∈→ .

The intuitive behavior of a TS is :

The TS starts in some initial state s0 ∈ I and evolves
according to the transition relation →.

Evolution means: if s is the current state, a transition
α
s  → s′is selected nondeterministically and taken.

Take means: the action α is performed and the TS

evolves from state s to state s΄.

This procedure is repeated in state s΄ and finishes once

a state is encountered that has no outgoing transition.

7
Transition Systems (Con.)

The labeling function L relates the set of
propositions L(s) ∈ 2AP to any state s.

L(s) stands for atomic propositions a ∈ AP
which are satisfied by state s.

Hence, given a propositional logic formula φ, s
satisfies formula φ , if L(s) satisfies it:
s |= ϕ iff L(s) |= ϕ

8
Transition Systems (Con.)

Example 2.2: Beverage Vending Machine
(BVM)
pay
get_coffee get tea
get_tea

insert_coin

coffee select tea

S={pay,select,coffee,tea}

Act={insert_coin,get_coffee,get_tea,τ}
9
Transition Systems (Con.)

The atomic propositions in the TS
depends on the properties under
consideration.

AP=S, L(s) = {s}, or

AP={paid,drink} to verify “The vending
machine only delivers a drink after paying”.
Hence, L(pay)={}, L(coffee) = L(tea) =
{paid,drink}, L(select)={paid}.

10
Transition Systems (Con.)

To formally model a system using LTs,
we should define the set of Act and AP.

Actions are only necessary for modeling
communication mechanism. When action
names are irrelevant (e.g. internal actions),
we use symbol τ or even remove it.

Propositions are always chosen depending
on the characteristics of interest.

11
Transition Systems (Con.)

Let TS= (S,Act,→,I,AP,L) be a transition
system. For s ∈ S , α ∈ Act , the set of direct
α–successor of s is :
α
Post(s, α) = {s′ ∈ S|s  → s′}, Post(s) = ∪ Post(s, α)
α∈Act

Similarly the set of α-predecessor of s is

defined by:
α
Pr e(s, α) = {s′ ∈ S|s′  → s}, Pr e(s) = ∪ Pr e(s, α)
α∈Act
12
Transition Systems (Con.)

The notation for the sets of direct
successors are expanded to subsets of
S (C ⊆ S ):
Post(C, α) = ∪ Post(s, α), Post(C) = ∪ Post(s)

Similary s∈C s∈C

Pr e(C, α) = ∪ Pr e(s, α), Pr e(C) = ∪ Pr e(s)

s∈C s∈C

13
Transition Systems (Con.)

State s in transition system TS is called
terminal if and only if Post(s)={}.

Transition systems modelling a
sequential computer program, terminal
states represents terminination of the
program.

14
Transition Systems (Con.)

The behavior of a transition system is
formally defined by the notion of
executions (also called runs).

Informally, an execution of a TS results
from the resolution of the possible non-
determinism in the system.

15
Transition Systems (Con.)

Definition: A finite execution fragment
σ of TS= (S,Act,→,I,AP,L) is an
alternating sequence of states and
actions ending with a state:
αi+1
σ = s 0 α1 s1 α 2 ... α n s n such that si → si +1 ∀0 ≤ i ≤ n

where n is called the length of execution

fragment σ.
16
Transition Systems (Con.)

An infinite execution fragment ρ of TS is an
infinite alternating sequence of states and
actions:
αi+1
ρ = s 0 α1 s1 α 2 ... such that si → si +1 ∀0 ≤ i

A maximal execution fragment is a finite
execution fragment that ends in a terminal
state or an infinite execution fragment.

An execution fragment, started in an initial
state s0∈S, is called initial.
17
 Transition Systems (Con.)

Example 2.8 : executions of the BVM
get_coffee = cget
get_tea = tget
insert_coin = coint

coin τ tget coin τ tget

ρ1 = pay  → select  → tea → pay  → select  → tea → ...
τ tget coin τ cget
ρ2 = select  → tea → pay  → select  → coffee → ...
coin τ tget coin τ
σ = pay  → select  → tea → pay   → select  → tea.

ρ1 and σ are initial, while only ρ1 and ρ2

are maximal. 18
Transition Systems (Con.)

Definition: An execution of transition
system TS is an initial and maximal
execution fragment.

in example 2.8, ρ1 is an execution while ρ2
and σ are not.

19
Transition Systems (Con.)

Definition: A state s∈S is called
reachable in TS= (S,Act,→,I,AP,L) if
there exists an initial, finite execution
fragment
α1 α2 αn
s0  → s1  → ...  → s n = s.

Reach(TS) denotes the set of all
reachable states in TS.

20
Sequential Hardware Circuits

Example 2.11: consider the sequential
circuit with input variable x, output
variable y and register r where
λ y = ¬(x ⊕ r) and δr = x ∨ r

21
Sequential Hardware Circuits
(Con.)

The circuit behavior is modeled by the
transition system TS with state space
S=Eval(x,r) where Eval(x,r) stands for
the set of evaluations of x and r

The initial states of TS are
I={<x=0,r=0>,<x=1,r=0>}.

The set of actions is irrelevant and
omitted here.
22
Sequential Hardware Circuits
(Con.)

The transitions results directly from the
functions λy and δr :

For instance if the next input bit (x) equals
i=0,1, then < x = 0, r = 1 >→< x = i, r = 1 >

23
Sequential Hardware Circuits
(Con.)

AP={x,y,r} and the labeling relation L
assign the set of atomic proposition
which has a value equal to 1.

The state <x=0,r=1} is labeled with {r}
since the circuit function ¬(x ⊕ r) result 0
for y.

24
Sequential Hardware Circuits
(Con.)

Alternatively, using the set of
proposition AP΄={x,y}, the register
evaluation is invisible, we obtain:

L΄(<x=0,r=0>)={y} L΄(<x=0,r=1>)={}
L΄(<x=1,r=0>)={x} L΄(<x=1,r=1>)={x,y}

We can still formalize the property that

“the output bit y is set infinitely often”.

25
Sequential Hardware Circuits
(Con.)

This approach can be generalized for
the sequential circuits with n input
x1,…,xn, m output bits y1,…,ym and k
registers r1,…,rk :

S = Eval(x1,…,xn,r1,…,rk ).

I ={a1,…,an,c0,1,…,c0,k)| a1,…,an∈{0,1} }
where c0,i is the initial value of ri .

26
Sequential Hardware Circuits
(Con.)

AP={x1,…,xn,r1,…,rk ,y1,…,ym}.

L(a1,…,an,c1,…,ck) ={xi|ai=1}∪{ri|ci=1}∪
{yi| s |= λyi(a1,…,an,c1,…,ck) =1}
τ

(a1 ,..., a n , c1 ,..., c k )  →(a1 ,..., a n , c1′ ,..., c′k ) if
and only if c′j = δrj (a1 ,..., a n , c1 ,..., ck ) .

27
Data-Dependant Systems

Example 2.12: Consider an extension
of BVM (Example 2.2) which

counts the number of coffee and tea left ;

returns inserted coin if the machine is
empty.

For simplicity, BVM is modeled by two
locations start and select.

28
Data-Dependant Systems
(Con.)

We exploit conditional transitions g:α to
model the data-dependant behavior of
the system, where g is a condition and
α is an action which is possible once g
holds.

Hence below transitions model insertion
of coin and refilling the machine:
true:coin true:refill
start → select start  → start

29
Data-Dependant Systems
(Con.)

Suppose the variables of ncof and ntea
record the number of bottles of coffee
and tea respectively.
ncof > 0:cget ntea > 0:tget
select  → start select  → start

ncof = 0 ∧ ntea = 0:ret _ coin

select  → start

30
Data-Dependant Systems
(Con.)

The effect of each action on variables ncof
and ntea is shown below:
Action Effect
refill ncof:= max; ntea:=max
cget ncof:=ncof-1
tget ntea:=ntea-1
coin No change
ret_coin No change

The graph consisting of locations as node and

conditional transition as edge is not a TS.
31
Data-Dependant Systems
(Con.)

However a TS
can be obtained
by unfolding this
graph.

32
Data-Dependant Systems
(Con.)

This approach in modeling data-
dependant systems can be formalized
by program graphs over a set of Var of
typed variables.

A program graph over a set of typed
variables is a digraph whose edges are
labeled by conditions on these variables
and actions.
33
Data-Dependant Systems
(Con.)

The effect of the actions is formalized
by means of mapping
Effect: Act×Eval(Var) → Eval(Var)

This indicates how the evaluation η of
variables is changed by performing an
action.

34
Data-Dependant Systems
(Con.)

Definition: A program graph overt set Var of
type variables is a tuple (Loc,Act,Effect,
→,Loc0,g0) where:

Loc is a set of locations and Act is a set of actions;

Effect : Act×Eval(Var) → Eval(Var);

→⊆ Loc×Cond(Var)×Act×Loc;

Loc0⊆Loc is a set of initial locations;

g∈Cond(Var) is the initial condition.

35
Data-Dependant Systems
(Con.)

We write ℓ  g:α
→ ℓ′ instead of (ℓ, g, α, ℓ′) ∈→.

The condition g is called guard of the
conditional transition.

The behavior in location ℓ ∈ Loc depends
on the current variable evaluation η. A
non-deterministic choice is made
between transitions whose guard is
satisfied in evaluation η (η |= g).
36
Data-Dependant Systems
(Con.)

Each program graph can be interpreted
as a transition system which results
from unfolding.

In other words, the semantics of a
program graph is defined by a transition
system.

37
Data-Dependant Systems
(Con.)

The states of the corresponding TS
consist of a location ℓ ∈ Loc of program
graph together with an evaluation η of
the variables: 〈ℓ, η〉 .

Initial states are initial locations that
satisfy the initial condition g0.

The set AP is comprised by locations and
boolean conditions for the variables.
38
Data-Dependant Systems
(Con.)

The labeling of states is such that 〈ℓ, η〉
is labeled with ℓ and with all conditions
(over Var) that hold in η.

The transition relation is defined as
follows: whenever ℓ  g:α
→ ℓ′ and g holds
in the current evaluation η, then :
〈ℓ, η〉 
α
→〈 ℓ′, Effect(α, η)〉

39
Data-Dependant Systems
(Con.)

Definition: The transition system
TS(GP) of program graph GP=
(Loc,Act,Effect, →,Loc0,g0) over set Var
is the tuple (S,Act,→,I,AP,L) where:

S = Loc ×Eval(Var);

→ ⊆ S ×Act ×S is defined by the following
rule: g:α
ℓ → ℓ′ ∧ η |= g
〈 ℓ, η〉 α
→〈 ℓ′, Effect(α, η)〉
40
Data-Dependant Systems
(Con.)

I ={ 〈 ℓ, η〉 | ℓ ∈ Loc0 ,η|= g0};

AP = Loc ∪ Cond(Val);

L(〈 ℓ, η〉 )={ℓ }∪{g∈ Cond(Var) | η|= g}.

The definition TS(PG) determines a very
large set of propositions AP. But
generally only a small part of AP is
necessary to formulate system
properties.
41
Structural Operation
Semantics

The transition relation of TS(PG) is
defined using the so-called SOS-
notation: premise
conclusion

Which implies if the proposition above the
“solid line” holds, then the proposition
under the fraction bar holds as well.

If the premise is a tautology, the rule is
called axiom.
42
Structural Operation
Semantics (Con.)

The relations defined by SOS rules are
the smallest relation satisfying the
indicated axioms and rules.

The semantics of many modeling
languages like process algebras are
defined using SOS rules.

43
Parallelism and
Communication

In reality most hard- and software
systems are not sequential but parallel.

We describe several mechanisms to
provide operational models for parallel
systems by means of TSs.

These Mechanisms range from simple
mechanism where no communication take
place between TSs to message-passing
one.
44
Parallelism and
Communication (Con.)

Assume the operational (stepwise)
behavior of the processes that run in
parallel are given by transition systems
TS1, …, TSn.

Our goal is to define an operator ||
such that TS = TS1 || TS2 || … || TSn is
a transition system that specifies the
behavior of parallel composition of TSs.
45
Parallelism and
Communication (Con.)

It should be noted that each TSi may be
a transition system that is composed of
several transition systems:
TSi = TSi,1 || TSi,2 || … || TSi,n

Hence complex systems can be
described in a rather structured way
using the parallel composition in a
hierarchical way.
46
Parallelism and
Communication: Interleaving

In this model, it is assumed that a
system is actually composed of a set of
independent components.

Hence, the global system state is
composed of the current individual
states of the components.

47
Parallelism and Communication:
Interleaving (Con.)

Actions of an independent components
are merged or “interleaved” with
actions from other components.

Thus concurrency is presented by pure
interleaving : nondeterministic choice
between activities of parallel processes.

48
Parallelism and Communication:
Interleaving (Con.)

Example: Two independent traffic
lights

||| denotes interleaving operator.

||| =

49
Parallelism and Communication:
Interleaving (Con.)

An important justification for
interleaving is the fact that the effect of
currently executed, independent actions
α and β is identical to the effect when α
and β are executed in arbitrary order:

Effect(α|||β,η)=Effect(α;β)+ Effect(α;β)

where ; stands for sequential execution and +
stands for non-deterministic choice.

50
Parallelism and Communication:
Interleaving (Con.)

Definition: The transition system
TS1|||TS2 where TSi=(Si,Acti,→i,Ii,APi,Li)
is defined by

(S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)

Where the TS → is defined by :
s1  α
→1 s1′ α
s 2  →2 s 2′
〈s1 ,s 2 〉 α
→〈s1′ ,s 2 〉 〈s1 ,s 2 〉 
α
→〈s1 ,s 2′ 〉

Labeling function is defined :
L(〈s1 ,s 2 〉 ) = L(s1 ) ∪ L(s 2 )
51
Parallelism and Communication:
Com. via shared variable

Consider two independent value
assignments x:=x+1 ||| y:=y-2.

The order of their execution is not
important, so they can be easily
interleaved.

||| =

52
Parallelism and Communication:
Com. via shared variable

Consider two parallel assignments on a
shared variable x, x:=2.x ||| x:= x+1.

The different order of execution results in
different final value for x

||| =

53
Parallelism and Communication:
Com. via shared variable

Thus interleaving is not appropriate when two
components compete on a shared variable.

Hence to deal with parallel programs with
shared variables, an interleaving operator will
be defined on the level of program graphs
PG1 and PG2.

TS(PG1 ||| PG2) describe a parallel system
communicating via shared variables.

54
Parallelism and Communication:
Com. via shared variable

Definition: Program graph PG1 ||| PG2
over Var1∪Var2, where for i=1,2, PGi=
(Loci,Acti,Effecti, →i,Loc0,i,g0,i), is
defined by

PG1 ||| PG2=(Loc1×Loc2,Act1∪Act2,Effect,
→,Loc0,1×Loc0,2, g0,1 ∧g0,2) where

→ is defined by the rules :

55
Parallelism and Communication:
Com. via shared variable

ℓ1  g:α
→1 ℓ1′ ℓ 2  g:α
→2 ℓ 2′
〈 ℓ1 , ℓ 2 〉 g:α
→〈 ℓ1′ , ℓ 2 〉 〈 ℓ1 , ℓ 2 〉  g:α
→〈 ℓ1 , ℓ 2 〉

Effect(α,η)=Effecti(α,η) if α∈Acti.

Program graphs PG1 and PG2 have the
variables Var1∩Var2 in common.
Variables in Var1\Var2 are local variables
of PG1.
56
Parallelism and Communication:
Com. via shared variable

Example 2.22: consider the program
graphs PG1 and PG2 that correspond to
assignments x:=x+1 and x:=2.x.

57
Parallelism and Communication:
Com. via shared variable

its underlying transition system
TS(PG1|||PG2) is shown below:

The non-determinism in
the initial state does not
represent concurrency but
just a possible resolution
of contention on x.

TS(PG1|||PG2)≠TS(PG1)|||TS(PG2).

58
Parallelism and Communication:
Com. via shared variable

Question: which actions of program
graphs can be interleaved arbitrary (i.e.
executed arbitrary) and which one can
not? (page 42)

Read examples 2.24 and 2.25.

59
Parallelism and
Communication: Handshaking

Until now, we have introduced two
mechanisms for parallel processes:

Interleaving: processes evolve completely
autonomously.

Com. via shared variables: processes
communicate via shared variables.

60
Parallelism and Communication:
Handshaking (Con.)

The third mechanism in which current
processes that want to interact have to
do this in a synchronous fashion.

In other words, processes can interact if
they are both participating in this
interaction at the same time- they
shake hands.

61
Parallelism and Communication:
Handshaking (Con.)

During handshaking, information can be
exchanged.

Here we abstract of information
exchange (message contents) by
considering the occurrence of
handshake.

A set H of handshake actions is
distinguished with τ ∉ H .
62
Parallelism and Communication:
Handshaking (Con.)

Informally, if both parallel processes are
ready to execute the same handshake
action, can message passing take place.

All actions outside H (Act\H) are
independent and therefore can be
executed autonomously in an
interleaved fashion.

63
 Parallelism and Communication:
Handshaking (Con.)

Definition: The transition system
TS1||HTS2 , where TSi=(Si,Acti,→i,Ii,APi,Li)
i=1,2 and H⊆Act1∩Act2 with τ ∉ H , is
defined by:

(S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)

L(〈s1,s2〉)=L1(s1)∪L2(s2)

The transition relation → is defined by the
below rules:

64
Parallelism and Communication:
Handshaking (Con.)

Interleaving for α∉H:
s1  α
→1 s1′ α
s 2  →2 s 2′
〈s1 ,s 2 〉 α
→〈s1′ ,s 2 〉 〈s1 ,s 2 〉 
α
→〈s1 ,s 2′ 〉

Handshaking for α∈H:

s1  α
→1 s1′ s 2 α
→2 s 2′
〈s1 ,s 2 〉 
α
→〈s1′ ,s 2′ 〉

65
Parallelism and Communication:
Handshaking (Con.)

We write TS1||TS2 for TS1||HTS2 for H=
Act1∩ Act2.

When H={}, then TS1||{}TS2 reduces to
TS1|||TS2.

The handshaking operator ||H is
communicative, but not associative:

TS1||HTS2 = TS2||HTS1.

TS1||H (TS2||H’TS3)≠(TS1||HTS2)||H’TS3.
66
Parallelism and Communication:
Handshaking (Con.)

The (multiway) handshaking operator in
TS=TS1||HTS2||H…||HTSn, where
H⊆Act1∩…∩Actn, is appropriate to
model broadcasting!

The handshaking operator is similar to
parallel operator in CSP algebra.

67
Parallelism and Communication:
Handshaking (Con.)

Example 2.28: consider two processes
P1 and P2 of the form :
Pi loop forever
…
request
Modeled by
critical section
release
….
end loop

68
Parallelism and Communication:
Handshaking (Con.)

P1 and P2 can communicate with a new
process Arbiter to enter their critical
sections :

Arbiter mimics a
binary semaphore.

TSArb= (TS1 ||| TS2) || Arbiter guarantees

mutual exclusion (why?).
69
Parallelism and Communication:
Handshaking (Con.)

70
Parallelism and Communication:
Handshaking (Con.)

Read Example 2.30.

It should be noted that the parallel
operators introduced are time-abstract.

See example 2.31.

71
Parallelism and Communication:
Channel Systems

Channel systems are parallel systems
where processes communicate via
channels.

Channels are first-in, first-out buffers that
may contain messages.

Processes are program graphs PGi
extended with communication actions:

c!v transmits the value v along channel c.

c?x receives a message via c and assigns it to
x. 72
Parallelism and Communication:
Channel Systems (Con.)

Definition: A program graph over

(Var,Chan) is a tuple (Loc,Act,Effect,
→,Loc0,g0) as before with the only
difference that

→ ⊆ Loc×(Cond(Var)×(Act∪Comm)×Loc

Comm={c!v,c?x|c∈Chan, v∈dom(c), x∈Var
with dom(c)⊆dom(x)}

73
Parallelism and Communication:
Channel Systems (Con.)

A channel system CS over (Var,Chan)
consists of program graphs PGi over
(Var,Chan) with Var=∪1≤i≤nVari.

We denote CS=[PG1 | … | PGn]

As before the conditional transitions
labeled by α:g, α∈Act can happen
whenever g holds.

74
Parallelism and Communication:
Channel Systems (Con.)

The occurrences of conditional
transitions labeled by g:c!v or g:c?x
depends on the current evaluation and
the capacity and content of channel.

Handshaking : if cap(c)=0, then process Pi
c!v
can perform iℓ  → ℓ′i only if another
c!x
process Pj receives ℓ j  → ℓ′j .

75
Parallelism and Communication:
Channel Systems (Con.)

Asynchronous: if cap(c)>0

Pi can send if the channel c is not full.

Pj can receive if channel c is not empty.

The Effect of actions are defined as below; the
channel is treated as a buffer:
Executable if … Effect
c!v c is not “full” Enqueue(c,v)
c?x C is not “empty” 〈x:= Front(c);Dequeue(c);〉

Channel systems are used to model

communication protocols. 76
Parallelism and Communication:
Channel Systems (Con.)

Example 2.23: Alternating Bit Protocol

The Sender S sends its messages along an
unreliable channel c to a receiver R, who
sends its acknowledges along a reliable
channel d to the sender.

Sender c, cap(c)= ∞ Receiver

d, cap(d)= ∞


77
Parallelism and Communication:
Channel Systems (Con.)

S and R uses two bits 0,1 to distinguish
retransmissions of m from transmissions of
subsequent (and previous) messages:

When S sends message m tagged with 0
<m,0>, it waits to receive <0> (sent by R),
otherwise retransmits the <m,0>.

When S receives <0>, it transmits the new
message tagged by 1.

When S receives <1>, it retransmit its message
<m,0>.
78
Parallelism and Communication:
Channel Systems (Con.)

The program graph of the sender S:

79
Parallelism and Communication:
Channel Systems (Con.)

The program graph of the receiver R:

80
Parallelism and Communication:
Channel Systems (Con.)

The complete system is presented as a
channel system over chan= {c, d,
tmr_on, tmr_off,timeout} and Var= {
x,y,mi} : ABP=[S|Timer|R].

The behavior of a channel system can
be given by a transition system, similar
to the mapping from program graphs to
transition systems.
81
Parallelism and Communication:
Channel Systems (Con.)

The states of TS(CS), where
CS=[PG1|…|PGn] over (Chan,Var), are
tuples 〈ℓ1 ,..., ℓ n , η, ξ〉 :

ℓ i indicates the current location of
component PGi;

η(∈Eval(Var)) keeps track of the current
values of the variables;

ξ ,ξ(c)∈dom(c)*, records the current
content of the various channels.
82
Parallelism and Communication:
Channel Systems (Con.)

Definition: The transition system of CS,
denoted by TS(CS), where
CS=[PG1|…|PGn] over (Chan,Var) and
PGi= (Loci, Acti, Effecti, →i,Loc0,i,g0,i), is
defined by TS(CS)=(S,Act,→,I,AP,L):

S=(Loc1×…×Locn)×Eval(Var) ×Eval(Chan);

Act=∪0≤i≤nActi ∪{τ};

I={〈ℓ1 ,..., ℓ n , η, ξ〉 |∀1≤i≤n.(ℓ i∈Loc0,i∧η|= g0,i)};
83
Parallelism and Communication:
Channel Systems (Con.)

AP=∪1≤i≤nLoci∪Cond(Var);

L(〈ℓ1 ,..., ℓ n , η, ξ〉)={ℓ1 ,..., ℓ n}∪
{g∈Cond(Var)| η|=g};

→ is defined by the following rules:

Interleaving for α∈Acti:
g:α
ℓ i  →i ℓ i′
〈 ℓ1 ,..., ℓ i ,..., ℓ n , η, ξ〉 
α
→〈 ℓ1 ,..., ℓ i′ ,..., ℓ n , η′, ξ〉
η′ = Effect(α, η)

84
Parallelism and Communication:
Channel Systems (Con.)

Asynchronous message passing for c∈Chan,
cap(c)>0:

Receive a value along channel c and assign it to x:
g:c? x
ℓ i  →i ℓ i′ ∧ η |= g ∧ len(ξ(c) = k) > 0 ∧ ξ(c) = v1...v k
〈 ℓ1 ,..., ℓ i ,..., ℓ n , η, ξ〉 
τ
→〈 ℓ1 ,..., ℓ i′ ,..., ℓ n , η′, ξ′〉
where η’=η[x:=v1] and ξ’=ξ[c:=v2…vk]

Transmit value v∈dom(c) over channel c:

g:c!v
ℓ i  →i ℓ i′ ∧ η |= g ∧ len(ξ(c) = k) < cap(c) ∧ ξ(c) = v1...v k
〈 ℓ1 ,..., ℓ i ,..., ℓ n , η, ξ〉 
τ
→〈 ℓ1 ,..., ℓ i′ ,..., ℓ n , η, ξ′〉
where ξ’=ξ[c:=v1v2…vkv]
85
 Parallelism and Communication:
Channel Systems (Con.)

Synchronous message passing over c∈Chan,
cap(c)=0:

g1 :c? x
ℓ i  →i ℓ i′ ∧ η |= g1 ∧ η |= g 2 ∧ ℓ j 
g 2 :c!v
→ j ℓ j′ ∧ i ≠ j
〈 ℓ1 ,..., ℓ i ,..., ℓ j ,..., ℓ n , η, ξ〉 
τ
→〈 ℓ1 ,..., ℓ i′ ,..., ℓ j′ ,..., ℓ n , η′, ξ〉

where η’=η[x:=v].

See example 2.34.

86
Parallelism and Communication:
Synchronous Parallelism

In synchronous systems components
evolve in a lock step fashion.

Synchronous hardware circuits in which all
components are connected to a central
clock and all perform a step on each clock
pulse.

87
Parallelism and Communication:
Synchronous Parallelism (Con.)

Definition: The synchronous product
TS1⊗TS2, where

TSi =(Si,Act, →i,Ii, APi,Li) and

*:Act×Act →Act be a mapping that assigns α*β
to each pair of actions α and β
is given by (S1×S2, Act, →, I1×I2,
AP1∪AP2, L) where

88
Parallelism and Communication:
Synchronous Parallelism (Con.)

The transition relation is defined by:
s1  α
→1 s1′ s 2 β
→2 s 2′
〈s1 ,s 2 〉 →〈
α*β
s1′ ,s 2′ 〉

α*β denotes the synchronous execution of
action α and β.

L(〈s1,s2〉)=L1(s1)∪L2(s2).

It should be noted that compared to
parallel operator ||, there is no
autonomous transition of TS1 or TS2.
89
The state-space Explosion
Problem

Program graphs and channel systems
introduced to model data-dependant
and communication systems.

In following we discuss on the
cardinality of resulting transition
systems, since verification techniques
are based on analyzing the TSs.

90
The state-space Explosion
Problem (Con.)

Program graph representation:

Recall that the states of the unfolded TS
are of the form 〈 ℓ ,η〉, where location ℓ and
variable evaluation η.

Assume all variables in Var have finite
domain.

The number of states in the resulting TS is:
| Loc | . ∏ | dom(x) |
x∈Var

91
The state-space Explosion
Problem (Con.)

The number of states grows exponentially
in the number of variables in the program
graph.

Parallelism

In all variant of parallel operators, the
state space of the complete system is built
of the local state space Si of the
components.

92
The state-space Explosion
Problem (Con.)

Hence the number of states in S is growing
exponentially in the number of
components.

Additionally the size of local state of each
component grows exponentially with
number of variable.

Thus the “exponential blowup” in the
number of parallel components and
number of variables explains the problem.
93
The state-space Explosion
Problem (Con.)

Channel systems

For the size of TS of channel systems,
similar observation can be made as for the
representation of program graphs.

Additionally, the size of channels affects on
the number of states.

94
The state-space Explosion
Problem (Con.)

Thus for CS=[PG1|…|PGn] over
Var=Var1∪…∪Varn and channels Chan, the
cardinality of state space is :
n

∏ i ∏
| PG
i =1
|. | dom(c) |
c∈Chan
cap(c)

which can be rewritten as :

n  
∏ 
i =1 
| Loc i | . ∏ | dom(x)  ∏
. | dom(c) |cap(c)

x∈Vari  c∈Chan
95
Summery

Transition systems are a fundamental
model for modeling software and
hardware systems.

An execution of a TS is an alternating
sequence of states and actions that
starts in an initial state and that cannot
be prolonged.

96
Summery (Con.)

Interleaving amounts to represent the
evolvement of “simultaneous” activities of
independent concurrent processes by the
nondeterministic choice between these
activities.

In case of shared variable communication,
parallel composition on the level of transition
systems does not faithfully reflect the
system’s behavior. Instead, composition on
program graphs has to be considered.
97
Summery (Con.)

Concurrent processes that communicate via
handshaking on the set H of actions execute
actions outside H autonomously whereas they
execute actions in H synchronously.

In channel systems, concurrent processes
communicate via FIFO-buffers. Handshaking
communication is obtained when channels
have capacity 0. For channels with a positive
capacity, communication takes place
asynchronously.
98
Summery (Con.)

The size of transition system
representations grows exponentially in
various components, such as the
number of variables in a program graph
or the number of components in a
concurrent system. This is known as the
state-space explosion problem.

99