Model checking guarded protocols

Abstract

The parameterized model checking problem (PMCP) is to decide whether a temporal property holds for a uniform family of systems, C||U/sup n/, comprised of a control process, C, and finitely, but arbitrarily, many copies of a user process, U, executing concurrently with interleaving semantics. We delineate the decidability/undecidability boundary of the PMCP for all possible systems that arise by letting processes coordinate using different subsets of the following communication primitives: conjunctive Boolean guards, disjunctive Boolean guards, pairwise rendezvous, asynchronous rendezvous and broadcast actions. Our focus is on the following linear time properties: (p1) LTL/spl bsol/X formulae over C; (p2) LTL formulae over C; (p3) regular properties specified as regular automata; and (p4) /spl omega/-regular automata. We also establish a hierarchy based on the relative expressive power of the primitives by showing that disjunctive guards and pairwise rendezvous are equally expressive, in that we can reduce the PMCP for regular and /spl omega/-regular properties for systems with disjunctive guards and pairwise rendezvous are equally expressive, in that we can reduce the PMCP for regular and /spl omega/-regular properties for systems with disjunctive guards to ones with pairwise rendezvous and vise versa, but that each of asynchronous rendezvous and broadcasts is strictly more expressive than pairwise rendezvous (and disjunctive guards). Moreover, for systems with conjunctive guards, we give a simple characterization of the decidability/undecidability boundary of the PMCP by showing that allowing stuttering sensitive properties bridges the gap between decidability (for p1) and undecidability (for p2). A broad framework for modeling snoopy cache protocols is also presented for which the PMCP for p3 is decidable and that can model all snoopy cache protocols given by Culler and Emerson (1988) thereby overcoming the undecidability results.