# Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach

Robert P. Kurshan
Pages: 284
https://www.jstor.org/stable/j.ctt7ztp96

1. Front Matter
(pp. i-vi)
(pp. vii-x)
3. Preface
(pp. xi-2)
R. P. Kurshan
4. Chapter 1 Introduction
(pp. 3-30)

This book addresses the problem: how to verify mathematically that a system model of coordinating components behaves as it should. In this context, the “system” typically is a hardware and/or software implementation of a control algorithm. Examples of systems subject to the type of formal verification addressed in this book include controllers which implement communication protocols, cache coherency protocols and telephone switches. However, for our purposes, a system may as well be a subcircuit which implements an adder, a state machine implementing a lexical parser, a game such as nim, or a discrete-event economic model. The real-time behavior of systems...

5. Chapter 2 Boolean Algebra
(pp. 31-44)

An automaton, defined precisely in Chapters 5 and 6, is a finite-state transition system used to define a set of strings or sequences of discrete-event behaviors. Classically, the transition structure of an automaton is represented “dynamically” in terms of a transition function which gives the “next” states as a function of each “current” state and input, as in Figure 2.1. When the “alphabet” of “input events” is represented by the values of a vector $\mathrm{x}$ (as typically is the case in practice), this representation can be very cumbersome. For example, if $\mathrm{x}=(x_{1},\ldots,x_{n})$, then the alphabet of inputs has the...

6. Chapter 3 L-matrix
(pp. 45-50)

The automaton transition structure discussed in the previous chapters and illustrated in Figure 2.2 now is defined formally as a matrix over the Boolean algebra of atomic system events. The most common example of an “atomic system event” is a global assignment to system variables. If $Y_{1},\ldots,Y_{k}$ are the variables comprising a system model, and for each $i$, $a_{i}$ is a possible value of $Y_{i}$, then the collection of local assignments

$$
\begin{aligned}
Y_{1} &= a_{1},\\
Y_{2} &= a_{2},\\
&\;\;\vdots\\
Y_{k} &= a_{k},
\end{aligned}
$$

one local assignment for each system variable, is such a global assignment. The conjunction over all system variables of these local assignments...

7. Chapter 4 L-language
(pp. 51-62)

We now introduce the vehicle used to define the “behavior” of a transition system. Conceptually, the behavior of a transition system is the set of sequentially evolving atomic events consistent with its transition structure. If the atomic events are comprised of global assignments to system variables, as described in the introduction to Chapter 3, then each behavior of the system consists of a sequence of such consecutive global assignments. Since each atomic event is modelled by an atom of the underlying Boolean algebra, each system behavior is a sequence of atoms consistent with the system model's transition structure. The set...

8. Chapter 5 String Acceptors
(pp. 63-76)

System behaviors are defined through finite-state generators and “acceptors” of behavior, known generally as “finite state machines” and “finite state automata”, respectively. In case all behavior is eventually terminating (bounded in time), each behavior is captured by a string of events. (Nonterminating (unbounded) behavior, captured by sequences of events, is dealt with analogously in Chapter 6.) There are reasons, discussed in Section 6.2, for wanting, in both the bounded and infinite cases, two distinct types of structures for defining behavior: the process in the role of behavior generator, and the automaton in the role of acceptor. The acceptor or automaton...

9. Chapter 6 ω-theory: L-automaton/L-process
(pp. 77-108)

The “automata” of automata-theoretic verification (the subject of this book) are ω-automata: acceptors of sequences, as opposed to the acceptors of strings discussed in the previous chapter. The reasons for this choice are presented in Section 6.2. First, some machinery is developed to help relate the languages of these two theories.

An $L$-ω-language is a subset $\mathcal{L}\subset S(L)^{\omega}$. $\mathcal{L}$ is ω-regular if

$$
\mathcal{L}=\bigcup_{i=1}^{n}\mathcal{L}_{i1}\cdot\mathcal{L}_{i2}^{\omega}
$$

where the $\mathcal{L}_{ij}$ are *-regular.

$0^{\omega}+1^{\omega}\neq\mathcal{L}_{1}\mathcal{L}_{2}^{\omega}$ for any *-regular $\mathcal{L}_{1},\mathcal{L}_{2}$.

Let $\mathcal{L}$ be an $L$-*-language. Then $\mathrm{x}\in\mathcal{L}$ is minimal if no prefix of $\mathrm{x}$ is in $\mathcal{L}$. Let $k(\mathcal{L})$ be the set of minimum elements...

10. Chapter 7 The Selection/Resolution Model of Coordinating Processes
(pp. 109-152)

We now explain how the machinery thus far established can be used to model and analyze systems of coordinating processes. Here, the sense of coordination is that of interconnected state machines whose respective outputs are functions of inputs, and the inputs are comprised of the outputs of the various machines.

The same underlying semantic model is used throughout, to model both synchronous and asynchronous systems, as well as to model constraints on systems. In all cases, the modelling semantics is founded on $L$-processes, $L$-automata and their tensor product, which forms a “synchronous” composition. (Synchronous composition of components corresponds to logical...

11. Chapter 8 Reduction of Verification
(pp. 153-202)

Let $P_{1},\ldots,P_{k}$ be $L$-processes modelling components of a system model, $P=\bigotimes P_{i}$, and let $T$ be an $L$-automaton which defines a requirement of $P$ we would like to verify. We verify that $P$ performs the “task” $T$ (cf. Section 7.5) by checking

$$
\mathcal{L}(P)\subset\mathcal{L}(T).
$$

There is no loss of generality in taking $T$ to be strongly deterministic, as for any ω-regular language $\mathcal{L}$, we can write $\mathcal{L}=\bigcap_i\mathcal{L}(T_{i})$ where $T_{1},\ldots,T_{n}$ are strongly deterministic $L$-automata, by Theorem 6.2.54; verifying

$$
\mathcal{L}(P)\subset\mathcal{L}(T_{i})\quad\forall i,
$$

gives $\mathcal{L}(P)\subset\bigcap_i\mathcal{L}(T_{i})=\mathcal{L}$. Moreover, as will be seen, expressing a “global” property $\mathcal{L}$ in terms of “local” properties $\mathcal{L}(T_{i})$ such that $\bigcap_i\mathcal{L}(T_{i})\subset\mathcal{L}$...

12. Chapter 9 Structural Induction
(pp. 203-214)

This chapter, taken from [KM89], deals with the formal verification of finite state systems that have an arbitrary number of isomorphic components. Many protocols that occur in computers and communication are finite state, but are parameterized on the number of components in the system. For example, a network protocol may allow for an arbitrary number of hosts, or a system bus protocol may allow for an arbitrary number of processors. Since the structure of the system is defined inductively, some form of inductive reasoning is required to prove that the system performs a given task. This chapter presents a...

13. Chapter 10 Binary Decision Diagrams
(pp. 215-230)

Recent advances in the manipulation of data-structures for binary decision diagrams (BDD's) [Bry86], [BBR90], [Rud93] facilitate checking language containment for far larger system models than has been hitherto possible (cf. [BCM+90]). In this chapter, taken from [TBK91], two BDD-based algorithms are given for testing that the language of an $L$-process is empty, thereby giving a test for language containment, via (8.1.3). Of the two algorithms, one has a time advantage and the other has a space advantage. Each has increased significantly the size of system models which can be verified. For a selected problem with a scalable structure, it was...

14. Appendices
(pp. 231-240)
15. Bibliography
(pp. 241-262)
16. Glossary
(pp. 263-263)
17. Index
(pp. 264-270)
18. Back Matter
(pp. 271-271)