Formal Methods in System Design, ?, ??-?? (1997)
(c) 1997 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

Symbolic Verification of Communication Protocols with Infinite State Spaces using QDDs

BERNARD BOIGELOT* AND PATRICE GODEFROID**

* "Aspirant" (Research Assistant) for the National Fund for Scientific Research (Belgium). The work of this author was done in part while visiting Bell Laboratories. Correspondence to: Université de Liège, Institut Montefiore, B28, 4000 Liège Sart-Tilman, Belgium. Email: boigelot@montefiore.ulg.ac.be.
** Lucent Technologies, Bell Laboratories, 1000 E. Warrenville Road, Naperville, IL 60566, U.S.A. Email: god@bell-labs.com.

Abstract. We study the verification of properties of communication protocols modeled by a finite set of finite-state machines that communicate by exchanging messages via unbounded FIFO queues. It is well-known that most interesting verification problems, such as deadlock detection, are undecidable for this class of systems. However, in practice, these verification problems may very well turn out to be decidable for a subclass containing most "real" protocols.

Motivated by this optimistic (and, we claim, realistic) observation, we present an algorithm that may construct a finite and exact representation of the state space of a communication protocol, even if this state space is infinite. Our algorithm performs a loop-first search in the state space of the protocol being analyzed. A loop-first search is a search technique that attempts to explore first the results of successive executions of loops in the protocol description (code). A new data structure named Queue-content Decision Diagram (QDD) is introduced for representing (possibly infinite) sets of queue-contents. Operations for manipulating QDDs during a loop-first search are presented.

A loop-first search using QDDs has been implemented, and experiments on several communication protocols with infinite state spaces have been performed. For these examples, our tool completed its search, and produced a finite symbolic representation for these infinite state spaces.

1. Introduction

State-space exploration is one of the most successful strategies for analyzing and verifying properties of finite-state concurrent reactive systems. It proceeds by exploring a global state graph representing the combined behavior of all concurrent components in the system. This is done by recursively exploring all successor states of all states encountered during the exploration, starting from a given initial state, by executing all enabled transitions in each state. The state graph that is explored is called the state space of the system. Many different types of properties of a system can be checked by exploring its state space: deadlocks, dead code, violations of user-specified assertions, etc. Moreover, the range of properties that state-space exploration techniques can verify has been substantially broadened during the last decade thanks to the development of model-checking methods for various temporal logics (e.g., [9, 19, 22, 27]).

Verification by state-space exploration has been studied by many researchers (cf. [17, 23]). The simplicity of the strategy lends itself to easy, and thus efficient, implementations. Moreover, verification by state-space exploration is fully automatic: no intervention of the designer is required. The main limit of state-space exploration verification techniques is the often excessive size of the state space. Obviously, this state-explosion problem is even more critical when the state space being explored is infinite.

In contrast with the last observation, we show in this paper that verification by state-space exploration is also possible for systems with infinite state spaces. Specifically, we consider communication protocols modeled by a finite set of finite-state machines that communicate by exchanging messages via unbounded FIFO queues. We present a state-space exploration algorithm for constructing a finite and exact representation of the state space of such a communication protocol, even if its state space is infinite. From this symbolic representation, it is then straightforward to verify many properties of the protocol, such as the absence of deadlocks, whether or not the number of messages stored in a queue is bounded, and the reachability of local and global states.

Of course, given an arbitrary protocol, our algorithm may not terminate its search. Indeed, it is well-known that unbounded queues can be used to simulate the tape of a Turing machine, and hence that most interesting verification problems are undecidable for this class of systems [8]. However, in practice, these verification problems may very well turn out to be decidable for a subclass containing most "real" protocols. To support this claim, properties of several communication protocols with infinite state spaces have been verified successfully with the algorithm introduced in this paper.

In the next section, we formally define communication protocols. Our algorithm performs a loop-first search in the state space of the protocol being analyzed. A loop-first search is a search technique that attempts to explore first the results of successive executions of loops in the protocol description (code). This search technique is presented in Section 3. A new data structure, the Queue-content Decision Diagram (QDD), is introduced in Section 4 for representing (possibly infinite) sets of queue-contents. Operations for manipulating QDDs during a loop-first search are presented in Section 5. A loop-first search using QDDs has been implemented, and experiments on several communication protocols with infinite state spaces are reported in Section 6. This paper ends with a comparison between our contributions and related work.

2. Communicating Finite-State Machines

Consider a protocol modeled by a finite set $M$ of finite-state machines that communicate with each other by sending and receiving messages via a finite set $Q$ of unbounded FIFO queues, modeling communication channels. Let $M_i$ denote the finite set of messages that can be stored in queue $q_i$, $1 \leq i \leq |Q|$. For notational convenience, let us assume that the sets $M_i$ are pairwise disjoint. Let $C_i$ denote the finite set of states of machine $m_i$, $1 \leq i \leq |M|$.

Formally, a protocol $P$ is a tuple $(C, c_0, A, Q, M, T)$ where $C = C_1 \times \cdots \times C_{|M|}$ is a finite set of control states, $c_0 \in C$ is an initial control state, $A$ is a finite set of actions, $Q$ is a finite set of unbounded FIFO queues, $M = \bigcup_{i=1}^{|Q|} M_i$ is a finite set of messages, and $T$ is a finite set of transitions, each of which is a triple of the form
$(c_1, op, c_2)$ where $c_1$ and $c_2$ are control states, and $op$ is a label of one of the forms $q_i!w$, where $q_i \in Q$ and $w \in M_i^*$, $q_i?w$, where $q_i \in Q$ and $w \in M_i^*$, or $a$, where $a \in A$. A transition of the form $(c_1, q_i!w, c_2)$ represents a change of the control state from $c_1$ to $c_2$ while appending the messages composing $w$ to the end of queue $q_i$. A transition of the form $(c_1, q_i?w, c_2)$ represents a change of the control state from $c_1$ to $c_2$ while removing the messages composing $w$ from the head of queue $q_i$.

A global state of a protocol is composed of a control state and a queue-content. A queue-content associates with each queue $q_i$ a sequence of messages from $M_i$. Formally, a global state, or simply a state, of a protocol is an element of the set $C_1 \times \cdots \times C_{|M|} \times M_1^* \times \cdots \times M_{|Q|}^*$. A global state $\gamma = (c(1), c(2), \ldots, c(|M|); w(1), w(2), \ldots, w(|Q|))$ assigns to each finite-state machine $m_i$ a "local" (control) state $c(i) \in C_i$, and associates with each queue $q_j$ a sequence of messages $w(j) \in M_j^*$ which represents the content of $q_j$ in the global state $\gamma$. The initial global state of the system is $\gamma_0 = (c_0(1), c_0(2), \ldots, c_0(|M|); \varepsilon, \ldots, \varepsilon)$, i.e., we assume that all queues are initially empty.

A global transition relation $\rightarrow$ is a set of triples $(\gamma, a, \gamma')$, where $\gamma$ and $\gamma'$ are global states, and $a \in A \cup \{\tau\}$. Let $\gamma \xrightarrow{a} \gamma'$ denote $(\gamma, a, \gamma') \in \rightarrow$. Relation $\rightarrow$ is defined as follows:

- if $(c_1, q_i!w, c_2) \in T$, then $(c_1(1), \ldots, c_1(|M|); w'(1), \ldots, w'(|Q|)) \xrightarrow{\tau} (c_2(1), \ldots, c_2(|M|); w''(1), \ldots, w''(|Q|))$ where $w''(i) = w'(i)\,w$ and $w''(j) = w'(j)$, $j \neq i$ (the control state changes from $c_1$ to $c_2$ and $w$ is appended to the end of queue $q_i$);
- if $(c_1, q_i?w, c_2) \in T$, then $(c_1(1), \ldots, c_1(|M|); w'(1), \ldots, w'(|Q|)) \xrightarrow{\tau} (c_2(1), \ldots, c_2(|M|); w''(1), \ldots, w''(|Q|))$ where $w'(i) = w\,w''(i)$ and $w''(j) = w'(j)$, $j \neq i$ (the control state changes from $c_1$ to $c_2$ and $w$ is removed from the head of queue $q_i$);
- if $(c_1, a, c_2) \in T$, then $(c_1(1), \ldots, c_1(|M|); w'(1), \ldots, w'(|Q|)) \xrightarrow{a} (c_2(1), \ldots, c_2(|M|); w''(1), \ldots, w''(|Q|))$ with $w''(i) = w'(i)$ for all $1 \leq i \leq |Q|$ (the control state changes from $c_1$ to $c_2$ while the action $a$ is performed).

A global state $\gamma'$ is said to be reachable from another global state $\gamma$ if there exists a sequence of global transitions $(\gamma_{i-1}, a_i, \gamma_i)$, $1 \leq i \leq n$, such that $\gamma = \gamma_0 \xrightarrow{a_1} \gamma_1 \cdots \xrightarrow{a_n} \gamma_n = \gamma'$. The global state space of a system is the (possibly infinite) set of all states that are reachable from the initial global state $\gamma_0$.

Example: As an example of communication protocol, consider the well-known Alternating-Bit Protocol [6]. This protocol can be modeled by two finite-state machines Sender and Receiver that communicate via two unbounded FIFO queues StoR (used to transmit messages from the Sender to the Receiver) and RtoS (used to transmit acknowledgments from the Receiver to the Sender). Precisely, the Alternating-Bit Protocol is modeled by the protocol $(C, c_0, A, Q, M, T)$ where $C = C_{Sender} \times C_{Receiver}$, where $C_{Sender} = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}$ and $C_{Receiver} = \{1, 2, 3, 4, 5, 6, 7, 8\}$; $c_0 = (1, 1)$; $A = \{Snd, Rcv, timeout\}$; $Q = \{StoR, RtoS\}$; $M = M_{StoR} \cup M_{RtoS}$, where $M_{StoR} = \{msg0, msg1\}$ and $M_{RtoS} = \{ack0, ack1\}$; and $T$ contains the transitions $((s_1, r_1), op, (s_2, r_2))$ where either $r_1 = r_2$ and $(s_1, op, s_2)$ is a transition in the Sender machine of Figure 1, or $s_1 = s_2$ and $(r_1, op, r_2)$ is a transition in the Receiver machine of Figure 1. The action Snd models a request to the Sender, coming from a higher-level application, to transmit data to the Receiver side. The actual data that are transmitted are not modeled, only message numbers msg0 and msg1 are transmitted over the queues. Similarly, the action Rcv models the transmission of data received by the Receiver to a higher-level application. The actions labeled by timeout model the expiration of timeouts.

[Figure 1. Alternating-Bit Protocol. Sender: control states 1 to 10, transitions labeled Snd, StoR!msg0, StoR!msg1, RtoS?ack0, RtoS?ack1 and timeout. Receiver: control states 1 to 8, transitions labeled Rcv, StoR?msg0, StoR?msg1, RtoS!ack0 and RtoS!ack1. The drawing itself is not reproduced here; only these labels survive.]

3. Loop-First Search

All state-space exploration techniques are based on a common principle: they spread the reachability information along the transitions of the system to be analyzed. The exploration process starts with the initial global state of the system, and tries at every step to enlarge its current set of reachable states by propagating these states through transitions. The process terminates when a stable set is reached.

In order to use the above state-space exploration paradigm for verifying properties of systems with infinite state spaces, two basic problems need to be solved: one needs a representation for infinite sets of states, as well as a search technique that can explore an infinite number of states in a finite amount of time.
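The global transition relation of Section 2 and the plain enumerative search just described, as an added example in Python (this is not the authors' tool, and the SENDER and RECEIVER below are a simplified alternating-bit pair constructed for this example, not a transcription of Figure 1). Queues are cut at a bound so that the enumeration stops; the point is that the count of reachable global states keeps growing with the bound and the longest queue always reaches it, which is exactly the second problem above: an enumerative search never exhausts this state space.

```python
"""Enumerative exploration of communicating finite-state machines (Section 2).
Added example, not from the paper: SENDER and RECEIVER are a simplified
alternating-bit pair constructed for this example, not a copy of Figure 1."""
from collections import deque

QUEUES = ("StoR", "RtoS")
# A transition is (c1, op, c2) with op = ("!", queue, msg) for q!w,
# ("?", queue, msg) for q?w, or ("a", name) for an action a in A.
SENDER = [
    (1, ("a", "Snd"), 2), (2, ("!", "StoR", "msg0"), 3),
    (3, ("?", "RtoS", "ack0"), 4), (3, ("?", "RtoS", "ack1"), 3), (3, ("a", "timeout"), 2),
    (4, ("a", "Snd"), 5), (5, ("!", "StoR", "msg1"), 6),
    (6, ("?", "RtoS", "ack1"), 1), (6, ("?", "RtoS", "ack0"), 6), (6, ("a", "timeout"), 5),
]
RECEIVER = [
    (1, ("?", "StoR", "msg0"), 2), (2, ("a", "Rcv"), 3), (3, ("!", "RtoS", "ack0"), 4),
    (1, ("?", "StoR", "msg1"), 5), (5, ("!", "RtoS", "ack1"), 1),   # duplicate: re-acknowledge
    (4, ("?", "StoR", "msg1"), 6), (6, ("a", "Rcv"), 7), (7, ("!", "RtoS", "ack1"), 1),
    (4, ("?", "StoR", "msg0"), 8), (8, ("!", "RtoS", "ack0"), 4),   # duplicate: re-acknowledge
]


def successors(state, machines, bound=float("inf")):
    """Global transition relation of Section 2 on a global state (control tuple, queue
    contents).  Yields (label, successor); a send is refused once its queue holds `bound`."""
    control, queues = state
    for k, machine in enumerate(machines):
        for c1, op, c2 in machine:
            if c1 != control[k]:
                continue
            ctrl = control[:k] + (c2,) + control[k + 1:]
            if op[0] == "a":
                yield op[1], (ctrl, queues)
                continue
            q = QUEUES.index(op[1]); content = queues[q]
            if op[0] == "!" and len(content) < bound:
                content = content + (op[2],)                 # append to the tail
            elif op[0] == "?" and content[:1] == (op[2],):
                content = content[1:]                        # remove from the head
            else:
                continue
            yield op[1] + op[0] + op[2], (ctrl, queues[:q] + (content,) + queues[q + 1:])


def explore(machines, bound):
    """Breadth-first search from the initial global state (every machine in state 1, all
    queues empty) with queues cut at `bound`.  Returns the reachable states, the deadlocks
    (states with no successor even without the bound) and the longest queue seen."""
    init = ((1,) * len(machines), ((),) * len(QUEUES))
    seen, todo, deadlocks = {init}, deque([init]), []
    while todo:
        s = todo.popleft()
        if not any(True for _ in successors(s, machines)):
            deadlocks.append(s)
        for _, t in successors(s, machines, bound):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen, deadlocks, max(len(q) for _, qs in seen for q in qs)


def growth(bounds=(1, 2, 3, 4, 5)):
    """(reachable-state count, longest queue) per bound.  The count keeps rising and the
    longest queue always equals the bound: no bound exhausts this (infinite) state space."""
    out = {}
    for b in bounds:
        states, _, longest = explore((SENDER, RECEIVER), b)
        out[b] = (len(states), longest)
    return out


if __name__ == "__main__":
    for b, (n, longest) in growth().items():
        print(f"bound {b}: {n} reachable global states, longest queue {longest}")
```

The Sender's timeout loop (state 3, timeout, state 2, StoR!msg0, state 3) is what makes StoR unbounded: every round trip through it leaves one more msg0 in the queue, so the bounded search is cut off at every bound and reports no deadlock only because the deadlock test ignores the bound.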
In the context of the verification of communication protocols as defined in the previous section, our solution to the first problem is to represent the control part explicitly and the queue-contents "symbolically". Specifically, we will use special data structures for representing (possibly infinite) sets of queue-contents associated with reachable control states.

To solve the second problem, we will use these data structures for simultaneously exploring (possibly infinite) sets of global states rather than individual global states. This may make it possible to reach a stable representation of the set of reachable global states, even if this set is infinite. In order to simultaneously generate sets of reachable states from a single reachable state, meta-transitions [7] can be used. Given a loop that appears in the protocol description and a control state $c$ in that loop, a meta-transition is a transition that generates all global states that can be reached after repeated executions of the body of the loop. By definition, all these global states have the same control state $c$.

The classical enumerative state-space exploration algorithm can then be rewritten in such a way that it works with sets of global states, i.e., pairs of the form <control state, data structure>, rather than with individual states. Initially, the search starts from an initial global state. At each step during the search, whenever meta-transitions are executable, they are explored first, which is a heuristic aimed at generating many reachable states as quickly as possible. This is why we call such a search a loop-first search. The search terminates if the representation of the set of reachable states stabilizes. This happens when, for every control state, every new deducible queue-content is included in the current set of queue-contents associated with that control state. At this moment, the final set of pairs <control state, data structure> represents exactly the state space of the protocol being analyzed.

In order to apply the verification method described above, we need to define a data structure for representing (possibly infinite) sets of queue-contents, and algorithms for manipulating these data structures. Specifically, whenever a transition or a meta-transition is executed from a pair <control state, data structure> during a loop-first search, the new pair <control state, data structure> obtained after the execution of this (meta-)transition has to be determined. Therefore, from any given such data structure, one needs to be able to compute a new data structure representing the effect of sending messages to a queue ($q_i!w$) and receiving messages from a queue ($q_i?w$), as well as the result of executing frequent types of meta-transitions, such as repeatedly sending messages on a queue ($(q_i!w)^*$), repeatedly receiving messages from a queue ($(q_i?w)^*$), and repeatedly receiving the sequence of messages $w_1$ from a queue $q_i$ followed by sending another sequence of messages $w_2$ on another queue $q_j$, $i \neq j$ ($(q_i?w_1; q_j!w_2)^*$). Finally, basic operations on sets are also needed, such as checking if a set of queue-contents is included in another set, and computing the union of two sets of queue-contents.

4. Queue-content Decision Diagrams

Queue-content Decision Diagrams (QDDs) are data structures that satisfy all the constraints listed in the previous section. A QDD is a special type of finite-state automaton on finite words. A finite-state automaton on finite words is a tuple $A = (\Sigma, S, \Delta, s_0, F)$, where $\Sigma$ is an alphabet (finite set of symbols), $S$ is a finite set of states, $\Delta \subseteq S \times (\Sigma \cup \{\varepsilon\}) \times S$ is a transition relation ($\varepsilon$ denotes the empty word), $s_0 \in S$ is the initial state, and $F \subseteq S$ is a set of accepting states. A transition $(s, a, s')$ is said to be labeled by $a$. A finite sequence (word) $w = a_1 a_2 \ldots a_n$ of symbols in $\Sigma$ is accepted by the automaton $A$ if there exists a sequence of states $\sigma = s_0 \ldots s_n$ such that $\forall 1 \leq i \leq n : (s_{i-1}, a_i, s_i) \in \Delta$, and $s_n \in F$. The set of words accepted by $A$ is called the language accepted by $A$, and is denoted by $L(A)$. Let us define the projection $w|_{M_i}$ of a word $w$ on a set $M_i$ as the subsequence of $w$ obtained by removing all symbols in $w$ that are not in $M_i$. An automaton is said to be deterministic if it does not contain any transition labeled by the empty word, and if for each state, all the outgoing transitions are labeled by different symbols. Precisely, QDDs are defined as follows.

Definition 1. A QDD $A$ for a protocol $P$ is a deterministic finite-state automaton $(M, S, \Delta, s_0, F)$ on finite words such that
$$\forall w \in L(A) : w = w|_{M_1}\, w|_{M_2} \cdots w|_{M_n}.$$

A QDD is associated with each control state reached during a loop-first search, and represents a set of possible queue-contents for this control state. Each word $w$ accepted by a QDD defines one queue-content $w|_{M_i}$ for each queue $q_i$ in the protocol.

By Definition 1, a total order $<$ is implicitly defined on the set $Q$ of all queues $q_i$ in the protocol such that, for all QDDs for this protocol, transitions labeled by messages in $M_i$ always appear before transitions labeled by messages in $M_j$ if $i < j$. Therefore, for all QDDs for a protocol, a given queue-content can only be represented by one unique word. In other words, Definition 1 implicitly defines a "canonical" representation for each possible queue-content. Note that this does not imply that QDDs are canonical representations for sets of queue-contents.

Standard algorithms on finite-state automata on finite words can be used for checking if the language accepted by a QDD is included in the language accepted by another QDD, for computing the union of QDDs, etc. (e.g., see [18]). In what follows, $A_1 \cup A_2$ will denote an automaton that accepts the language $L(A_1) \cup L(A_2)$, while DETERMINIZE($A$) will denote a deterministic automaton that accepts the language $L(A)$. We will write "add $(s, w, s')$ to $\Delta$" to mean that transitions $(s_{i-1}, a_i, s_i)$, $1 \leq i \leq n$, such that $w = a_1 a_2 \ldots a_n$, $s_0 = s$, $s_n = s'$, and $s_i$, $1 \leq i < n$, are new (fresh) states, are added to $\Delta$.

5. Operations on QDDs

We now describe how to perform the other basic operations on QDDs listed in Section 3. Let $A$ be the QDD associated with a given control state $c$. Let $L(A)$ denote the language accepted by $A$, and let $L_{op}(A)$ denote the language that has to be associated with the control state $c'$ reached after the execution of a transition $(c, op, c')$ from the control state $c$, with $op \in \{q_i!w, q_i?w\}$. We have the following:
$$L_{q_i!w}(A) = \{\, w'' \mid \exists w' \in L(A) : w''|_{M_i} = w'|_{M_i}\, w \;\wedge\; \forall j \neq i : w''|_{M_j} = w'|_{M_j} \,\};$$
$$L_{q_i?w}(A) = \{\, w'' \mid \exists w' \in L(A) : w'|_{M_i} = w\, w''|_{M_i} \;\wedge\; \forall j \neq i : w''|_{M_j} = w'|_{M_j} \,\}.$$

Algorithms for computing a QDD $A'$ that accepts all possible queue-contents obtained after the execution of a transition of the form $q_i!w$ or $q_i?w$ on a QDD $A = (M, S, \Delta, s_0, F)$ are given in Figure 2. The correctness of these algorithms is established by the following two theorems.

SEND(queue-id i, word w, QDD (M, S, Δ, s_0, F)) {
  For all states s ∈ S such that
    ∃ w' ∈ (∪_{j=1}^{i} M_j)* : s_0 ==w'==> s,
  do the following operations:
    Add a new state s' to S;
    For all transitions t = (s, m, s'') ∈ Δ such that m ∈ M_j, j > i:
      Replace t by (s', m, s'');
    For all transitions t = (s'', m, s) ∈ Δ such that m ∈ M_j, j > i:
      Replace t by (s'', m, s');
    Add (s, w, s') to Δ;
    If s ∈ F, add s' to F, and remove s from F;
  Return DETERMINIZE((M, S, Δ, s_0, F)).
}

RECEIVE(queue-id i, word w, QDD (M, S, Δ, s_0, F)) {
  For all states s ∈ S such that
    ∃ w' ∈ (∪_{j=1}^{i-1} M_j)* : s_0 ==w'==> s,
  do the following operations:
    Add a new state s' to S;
    For all transitions t = (s, m, s'') ∈ Δ such that m ∈ M_j, j ≥ i:
      Replace t by (s', m, s'');
    For all transitions t = (s'', m, s) ∈ Δ such that m ∈ M_j, j ≥ i:
      Replace t by (s'', m, s');
    For all states s'' ∈ S such that s' ==w==> s'':
      Add a transition (s, ε, s'') to Δ;
    If s ∈ F, add s' to F, and remove s from F;
  Return DETERMINIZE((M, S, Δ, s_0, F)).
}

Figure 2. $q_i!w$ and $q_i?w$

Theorem 1 Let $A$ be a QDD, let $A'$ denote the automaton returned by SEND($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{q_i!w}(A)$.
Proof: See Appendix.

Theorem 2 Let $A$ be a QDD, let $A'$ denote the automaton returned by RECEIVE($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{q_i?w}(A)$.
Proof: See Appendix.

We now consider the meta-transitions discussed in Section 3. The operation $(q_i!w)^*$ denotes the union of all possible queue-contents obtained after sending $k$ sequences of messages $w \in M_i^*$ to the queue $q_i$ of the system, for all $k \geq 0$. The operation $(q_i?w)^*$ denotes the union of all possible queue-contents obtained after receiving $k$ sequences of messages $w \in M_i^*$ from the queue $q_i$ of the system, for all $k \geq 0$. The operation $(q_i?w_1; q_j!w_2)^*$ denotes the union of all possible queue-contents obtained after receiving $k$ sequences of messages $w_1 \in M_i^*$ from the queue $q_i$ and sending $k$ sequences of messages $w_2 \in M_j^*$ to the queue $q_j$, for all $k \geq 0$, and for $i \neq j$.

Let $A$ be the QDD associated with a given control state $c$. Let $L(A)$ denote the language accepted by $A$, and let $L_{op}(A)$ denote the language that has to be associated with the control state $c$ reached after the execution of a meta-transition $(c, op, c)$ with $op \in \{(q_i!w)^*, (q_i?w)^*, (q_i?w_1; q_j!w_2)^*\}$. We have the following:
$$L_{(q_i!w)^*}(A) = \{\, w'' \mid \exists w' \in L(A),\, k \geq 0 : w''|_{M_i} = w'|_{M_i}\, w^k \;\wedge\; \forall j \neq i : w''|_{M_j} = w'|_{M_j} \,\};$$
$$L_{(q_i?w)^*}(A) = \{\, w'' \mid \exists w' \in L(A),\, k \geq 0 : w'|_{M_i} = w^k\, w''|_{M_i} \;\wedge\; \forall j \neq i : w''|_{M_j} = w'|_{M_j} \,\};$$
$$L_{(q_i?w_1; q_j!w_2)^*}(A) = \{\, w'' \mid \exists w' \in L(A),\, k \geq 0 : w'|_{M_i} = w_1^k\, w''|_{M_i} \;\wedge\; w''|_{M_j} = w'|_{M_j}\, w_2^k \;\wedge\; \forall l \notin \{i, j\} : w''|_{M_l} = w'|_{M_l} \,\}.$$

Algorithms for computing a QDD $A'$ that accepts all possible queue-contents obtained after the execution of a meta-transition of the form $(q_i!w)^*$, $(q_i?w)^*$, or $(q_i?w_1; q_j!w_2)^*$ on a QDD $A = (M, S, \Delta, s_0, F)$ are given in Figures 3 and 4. The correctness of these algorithms is established by the following theorems.

Theorem 3 Let $A$ be a QDD, let $A'$ denote the automaton returned by SEND-STAR($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{(q_i!w)^*}(A)$.
Proof: See Appendix.
SEND-STAR(queue-id i, word w, QDD (M, S, Δ, s_0, F)) {
  For all states s ∈ S such that
    ∃ w' ∈ (∪_{j=1}^{i} M_j)* : s_0 ==w'==> s,
  do the following operations:
    Add two new states s' and s'' to S;
    For all transitions t = (s, m, s''') ∈ Δ such that m ∈ M_j, j > i:
      Replace t by (s'', m, s''');
    For all transitions t = (s''', m, s) ∈ Δ such that m ∈ M_j, j > i:
      Replace t by (s''', m, s'');
    Add (s, ε, s'), (s', ε, s'') and (s', w, s') to Δ;
    If s ∈ F, add s'' to F;
  Return DETERMINIZE((M, S, Δ, s_0, F)).
}

RECEIVE-STAR(queue-id i, word w, QDD (M, S, Δ, s_0, F)) {
  For all states s ∈ S such that
    ∃ w' ∈ (∪_{j=1}^{i-1} M_j)* : s_0 ==w'==> s,
  do the following operations:
    Add a new state s' to S;
    For all transitions t = (s, m, s'') ∈ Δ such that m ∈ M_j, j ≥ i:
      Replace t by (s', m, s'');
    For all transitions t = (s'', m, s) ∈ Δ such that m ∈ M_j, j ≥ i:
      Replace t by (s'', m, s');
    For all states s'' ∈ S such that ∃ w' ∈ {w}* : s' ==w'==> s'':
      Add a transition (s, ε, s'') to Δ;
    If s ∈ F, add s' to F;
  Return DETERMINIZE((M, S, Δ, s_0, F)).
}

Figure 3. $(q_i!w)^*$ and $(q_i?w)^*$
RECEIVE-SEND-STAR(queue-id i, word w_1, queue-id j, word w_2, QDD (M, S, Δ, s_0, F)) {
  Let n be the greatest integer such that
    ∃ s_1, ..., s_{n+1} ∈ S : s_1 ==w_1==> s_2 ==w_1==> ... ==w_1==> s_{n+1},
    with ∀ 1 ≤ k < l ≤ n+1 : s_k ≠ s_l;
  Let A_0 denote the QDD (M, S, Δ, s_0, F);
  For all k, 1 ≤ k ≤ n+1, compute A_k = SEND(j, w_2, RECEIVE(i, w_1, A_{k-1}));
  If L(A_{n+1}) = ∅:
    Return DETERMINIZE(∪_{k=0}^{n} A_k);
  If L(A_{n+1}) ≠ ∅:
    Let p = 1;
    While L(A_{n+1}) ≠ L(RECEIVE(i, w_1^p, A_{n+1})):
      p := p + 1;
    For all k, 2 ≤ k ≤ p, compute A_{n+k} = SEND(j, w_2, RECEIVE(i, w_1, A_{n+k-1}));
    Compute A_{n+p+1} = SEND-STAR(j, w_2^p, DETERMINIZE(∪_{k=n+1}^{n+p} A_k));
    Return DETERMINIZE(∪_{k=0}^{n+p+1} A_k).
}

Figure 4. $(q_i?w_1; q_j!w_2)^*$
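A QDD with the SEND and RECEIVE operations of Figure 2, the SEND-STAR meta-transition of Figure 3, and the language-inclusion test that decides when the loop-first search of Section 3 has stabilized, as an added example in Python. This is not the authors' C QDD-package: RECEIVE-STAR and RECEIVE-SEND-STAR are left out, DETERMINIZE is a plain subset construction rather than the textbook algorithms of [18], and the queue-contents exercised in the usage note are constructed here. Queues are numbered from 1 and a symbol is the pair (queue index, message), so the ordering constraint of Definition 1 is the ordering of the first components.

```python
"""Queue-content Decision Diagrams (QDDs) as finite automata (added example; not the
authors' C package).  A QDD for queues 1..n is a DFA over symbols (queue_index, message)
whose words list the content of queue 1, then of queue 2, ... (Definition 1).  Following
Figures 2-3, each operation copies the states that sit between the part of the word before
the affected queue and the part after it, moves the later transitions onto the copies,
adds the new path, and determinises."""
from itertools import count


def _read(trans, states, word):
    """States reachable from `states` by reading `word`, following epsilon (None) moves."""
    cur = set(states)
    for y in [None, *word]:
        if y is not None:                              # consume one symbol ...
            cur = {t for s in cur for z, t in trans[s] if z == y}
        todo = list(cur)                               # ... then close under epsilon moves
        while todo:
            for z, t in trans.get(todo.pop(), ()):
                if z is None and t not in cur:
                    cur.add(t); todo.append(t)
    return frozenset(cur)


def _path(trans, src, dst, i, w, fresh):
    """Add src ==w==> dst on queue i through fresh states (an epsilon move if w is empty)."""
    for m in w[:-1]:
        nxt = next(fresh); trans[nxt] = []
        trans[src].append(((i, m), nxt)); src = nxt
    trans[src].append(((i, w[-1]) if w else None, dst))


class QDD:
    def __init__(self, n_queues, trans, start, accepting):
        self.n, self.trans, self.start = n_queues, trans, start   # trans: {s: [(sym|None, t)]}
        self.accepting = set(accepting)               # the input must be deterministic

    def _split(self, h):
        """Copy every state s reachable from s_0 by letters of queues < h to a new s', and
        move each transition labelled by a queue >= h onto the copies (Figs. 2-3, lines 2-9)."""
        boundary, todo = {self.start}, [self.start]
        while todo:
            for y, t in self.trans[todo.pop()]:
                if y[0] < h and t not in boundary:
                    boundary.add(t); todo.append(t)
        fresh = count(max(self.trans) + 1)
        copy = {s: next(fresh) for s in boundary}
        trans = {s: [] for s in (*self.trans, *copy.values())}
        for s, edges in self.trans.items():
            for y, t in edges:
                high = y[0] >= h
                trans[copy.get(s, s) if high else s].append((y, copy.get(t, t) if high else t))
        return copy, trans, fresh

    def _det(self, trans, acc):
        """Subset construction: removes epsilon moves and unreachable states."""
        start = _read(trans, {self.start}, [])
        index, todo, dtrans, dacc = {start: 0}, [start], {0: []}, set()
        while todo:
            cur = todo.pop(); k = index[cur]
            if cur & acc: dacc.add(k)
            for y in sorted({y for s in cur for y, _ in trans[s] if y is not None}):
                nxt = _read(trans, cur, [y])
                if nxt not in index:
                    index[nxt] = len(index); dtrans[index[nxt]] = []; todo.append(nxt)
                dtrans[k].append((y, index[nxt]))
        return QDD(self.n, dtrans, 0, dacc)

    def send(self, i, w):
        """q_i!w : append the message list w to queue i (SEND, Fig. 2)."""
        copy, trans, fresh = self._split(i + 1)
        for s, s1 in copy.items():
            _path(trans, s, s1, i, w, fresh)
        return self._det(trans, {copy.get(s, s) for s in self.accepting})

    def receive(self, i, w):
        """q_i?w : remove w from the head of queue i (RECEIVE, Fig. 2); may be empty."""
        copy, trans, fresh = self._split(i)
        for s, s1 in copy.items():
            trans[s] += [(None, t) for t in _read(trans, {s1}, [(i, m) for m in w])]
        return self._det(trans, {copy.get(s, s) for s in self.accepting})

    def send_star(self, i, w):
        """(q_i!w)* : append w^k to queue i for every k >= 0 (SEND-STAR, Fig. 3)."""
        copy, trans, fresh = self._split(i + 1)           # copy[s] plays s'' of the figure
        for s, s2 in copy.items():
            s1 = next(fresh); trans[s1] = [(None, s2)]    # s' carries the w-loop
            trans[s].append((None, s1)); _path(trans, s1, s1, i, w, fresh)
        return self._det(trans, self.accepting | {copy[s] for s in copy if s in self.accepting})

    def accepts(self, *queues):
        """Membership of the queue-content (w_1, ..., w_n); each w_k is a list of messages."""
        word = [(k, m) for k, q in enumerate(queues, 1) for m in q]
        return bool(_read(self.trans, {self.start}, word) & self.accepting)

    def included_in(self, other):
        """L(self) ⊆ L(other) via the product automaton: the stabilisation test of Section 3."""
        seen, todo = set(), [(self.start, other.start)]
        while todo:
            a, b = todo.pop()
            if a in self.accepting and b not in other.accepting:
                return False
            for y, ta in self.trans[a]:
                pair = (ta, next((t for z, t in other.trans.get(b, ()) if z == y), None))
                if pair not in seen:
                    seen.add(pair); todo.append(pair)
        return True
```

Usage, on the two queues of the Alternating-Bit example (queue 1 is StoR, queue 2 is RtoS): `E = QDD(2, {0: []}, 0, {0})` is the QDD for the empty queue-content; `E.send(1, ["msg0"]).send(2, ["ack0"])` accepts exactly the content (msg0, ack0), and `E.send(1, ["msg0"]).send(2, ["ack0"]).receive(1, ["msg1"])` is empty because no content in the set starts with msg1. The finite automaton `A = E.send_star(1, ["msg0"])` stands for the infinite set of contents msg0^k, and `A.send(1, ["msg0"]).included_in(A)` is true: executing the body of the sender's loop once more from the pair <3, A> deduces nothing new, which is the condition under which the loop-first search stops at that control state.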
Theorem 4 Let $A$ be a QDD, let $A'$ denote the automaton returned by RECEIVE-STAR($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{(q_i?w)^*}(A)$.
Proof: See Appendix.

Lemma 1 Let $n$ and $A_{n+1}$ be as defined in the algorithm RECEIVE-SEND-STAR($i$, $w_1$, $j$, $w_2$, $A$), with $i \neq j$. If the language accepted by $A_{n+1}$ is not empty, then there exists $p$ such that $0 < p \leq (n+1)!$, and $L(A_{n+1}) = L(\mathrm{RECEIVE}(i, w_1^p, A_{n+1}))$.
Proof: See Appendix.

Theorem 5 Let $A$ be a QDD, let $A'$ denote the automaton returned by RECEIVE-SEND-STAR($i$, $w_1$, $j$, $w_2$, $A$), with $i \neq j$, and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{(q_i?w_1; q_j!w_2)^*}(A)$.
Proof: See Appendix.

It is worth noticing that, as a corollary of the last theorem, we have that the language $L_{(q_i?w_1; q_j!w_2)^*}(A)$ is regular.

6. Experimental Results

We have implemented (in C) a "QDD-package" containing an implementation of the algorithms for manipulating QDDs described in the previous section, and we have combined it with a loop-first search. Consider again the Alternating-Bit protocol of the Example in Section 2. Meta-transitions are added to the protocol description for loops that match either $(q_i!w)^*$, $(q_i?w)^*$, or $(q_i?w_1; q_j!w_2)^*$. Precisely, the meta-transitions $(3, (RtoS?ack1; StoR!msg0)^*, 3)$, $(3, (StoR!msg0)^*, 3)$, $(8, (RtoS?ack0; StoR!msg1)^*, 8)$ and $(8, (StoR!msg1)^*, 8)$ are added to the set of transitions of Sender, and the meta-transitions $(1, (StoR?msg1; RtoS!ack1)^*, 1)$ and $(5, (StoR?msg0; RtoS!ack0)^*, 5)$ are added to the set of transitions of Receiver. Starting with the control state $(1, 1)$ and the QDD $(M, \{s_0\}, \{\}, s_0, \{s_0\})$, which corresponds to the queue-content $\varepsilon$ for both queues StoR and RtoS, the execution of the loop-first search for the Alternating-Bit protocol terminates after 5.9 seconds of computation on a SPARC 10 workstation. The number of (meta-)transitions executed is 331. The largest QDD constructed during the search contains 21 states, and 52 control states are reachable from the initial state.

Many properties can be checked on the symbolic representation of the state space of the protocol obtained at the end of the search. For instance, it is then straightforward to prove that the protocol does not contain any deadlocks, that there are reachable control states where the number of messages in a queue is unbounded, that messages are always delivered in the correct order, etc.

Our tool has also been tested on several variants of the Alternating-Bit protocol, where the transitions labeled by "timeout" are removed from the protocol description, where the Sender/Receiver have various numbers of control states, etc. An interesting variant is the case where queues may lose messages (to model unreliable transmission media). In order to handle this case, it is sufficient to define one additional algorithm SEND-LOSSY($i$, $w$, $A$), that merely returns $A \cup \mathrm{SEND}(i, w, A)$. We also performed experiments on several simple sliding-window protocols [26], with various window sizes. For all these examples with infinite state spaces (more than 20 in total), our tool was able to successfully terminate its search within a few minutes of computation. This shows that, at least for this particular though important class of examples, our verification method is very useful and robust.

7. Comparison with Other Work and Conclusions

Although most verification problems are undecidable for arbitrary protocols modeled by communicating finite-state machines, decision procedures have been obtained for the verification of specific properties for limited sub-classes [2, 3, 10, 11, 12, 13, 15, 16, 24, 25]. These sub-classes do not cover, e.g., the Alternating-Bit Protocol and the properties discussed in the previous section, which were easily verified using a loop-first search and QDDs.

Clearly, a necessary, but not sufficient, condition for the termination of our algorithm is that, for all reachable control states of the protocol, the language of queue-contents associated with that control state can be represented by a QDD. The class of protocols characterized by the above necessary condition is equivalent to the class of protocols for which, for each reachable control state of the protocol, the set of possible queue-contents can be described by a recognizable expression (i.e., a finite union of cartesian products of regular expressions). Indeed, it can be shown that any recognizable language can be represented by a QDD, and that any set of queue-contents represented by a QDD is a recognizable language.

In [20], it is pointed out that several verification problems are decidable for the above class of protocols. However, no method is given for constructing a recognizable expression representing all possible queue-contents for each control state of the protocol. Actually, from [11], it is easy to show that an algorithm for constructing such recognizable expressions, for any protocol in the class defined above, cannot exist. In contrast, our contribution is to provide a practical algorithm which is able to compute such a representation for protocols in the above class, although not for all of them (this is impossible anyway).

In this paper, we have presented algorithms on QDDs for computing the effect of executing three frequent types of meta-transitions. These algorithms were sufficient for analyzing the protocols considered in the previous section. However, it is possible to design algorithms on QDDs for other types of meta-transitions as well. Interesting future work is to characterize precisely the set of meta-transitions that preserve recognizability and to provide a generic algorithm for computing the effect of the execution of any meta-transition in this class. These topics will be addressed in a forthcoming paper.

In [21], a verification method based on data-flow analysis is used to generate "flow equations" from the description of a set of communicating finite-state machines. By computing approximations of solutions for these equations, it is possible to show that the original system is free of certain types of errors. In contrast, our algorithm is able to produce an exact representation of the state space of the protocol being analyzed. This enables us not only to prove the absence of errors, but also to detect errors and to exhibit to the user sequences of transitions that lead to errors. Note that, obviously, approximations could also be used in our framework, e.g., for simplifying QDDs when they become too complex, or when the search does not seem to stop. For the examples we have considered so far, no approximations were necessary.

The idea of representing states partly explicitly (control part) and partly symbolically (data part) already appeared in [1] for the verification of real-time systems, where dense-time domains are represented by polyhedra. This idea also appeared in [7], where the values of integer variables are represented by periodic vector sets. These symbolic representations are quite different from QDDs.

For digital hardware verification [4], the most commonly used symbolic representation is certainly the Binary Decision Diagram (BDD) [5], which represents a boolean function (with a finite domain) as a directed acyclic graph. In [14], it is shown how QDDs can be combined with BDDs to improve the efficiency of classical BDD-based symbolic model-checking methods for verifying properties of communication protocols with large finite state spaces.

Acknowledgments

We wish to thank Michael Merritt and Mark Staskauskas for helpful comments on a preliminary version of this paper.

References

1. R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-time. Information and Computation, 104(1):2-34, May 1993.
2. P.A. Abdulla and B. Jonsson. Verifying programs with unreliable channels. In Proceedings of the 8th IEEE Symposium on Logic in Computer Science, 1993.
3. P.A. Abdulla and B. Jonsson. Undecidable verification problems for programs with unreliable channels. In Proc. ICALP-94, volume 820 of Lecture Notes in Computer Science, pages 316-327. Springer-Verlag, 1994.
4. J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: 10^20 states and beyond. In Proceedings of the 5th Symposium on Logic in Computer Science, pages 428-439, Philadelphia, June 1990.
5. R.E. Bryant. Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293-318, 1992.
6. K. Bartlett, R. Scantlebury, and P. Wilkinson. A note on reliable full-duplex transmissions over half-duplex lines. Communications of the ACM, 12(5):260-261, 1969.
7. B. Boigelot and P. Wolper. Symbolic verification with periodic sets. In Proc. 6th Conference on Computer Aided Verification, volume 818 of Lecture Notes in Computer Science, pages 55-67, Stanford, June 1994. Springer-Verlag.
8. D. Brand and P. Zafiropulo. On communicating finite-state machines. Journal of the ACM, 30(2):323-342, 1983.
9. E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, January 1986.
10. A. Choquet and A. Finkel. Simulation of linear FIFO nets having a structured set of terminal markings. In Proc. 8th European Workshop on Application and Theory of Petri Nets, pages 95-112, Saragoza, 1987.
11. G. Cece, A. Finkel, and S. Purushothaman. Unreliable channels are easier to verify than perfect channels. Information and Computation, 124(3):20-31, 1996.
12. A. Finkel. A new class of analyzable CFSMs with unbounded FIFO channels. In Proc. 8th IFIP WG 6.1 International Symposium on Protocol Specification, Testing, and Verification, pages 1-12, Atlantic City, 1988. North-Holland.
13. M.G. Gouda, E.M. Gurari, T.H. Lai, and L.E. Rosier. On deadlock detection in systems of communicating finite-state machines. Computers and Artificial Intelligence, 6(3):209-228, 1987.
14. P. Godefroid and D.E. Long. Symbolic protocol verification with Queue BDDs. In Proceedings of the 11th IEEE Symposium on Logic in Computer Science, New Brunswick, July 1996.
15. T. Jéron. Testing for unboundedness of FIFO channels. In Proc. STACS-91: Symposium on Theoretical Aspects of Computer Science, volume 480 of Lecture Notes in Computer Science, pages 322-333, Hamburg, 1991. Springer-Verlag.
16. R.M. Karp and R.E. Miller. Parallel program schemata. Journal of Computer and System Sciences, 3(2):147-195, 1969.
17. M.T. Liu. Protocol engineering. Advances in Computing, 29:79-195, 1989.
18. H.R. Lewis and C.H. Papadimitriou. Elements of the Theory of Computation. Prentice Hall, 1981.
19. O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In Proceedings of the Twelfth ACM Symposium on Principles of Programming Languages, pages 97-107, New Orleans, January 1985.
20. J.K. Pachl. Protocol description and analysis based on a state transition model with channel expressions. In Proc. 7th IFIP WG 6.1 International Symposium on Protocol Specification, Testing, and Verification. North-Holland, 1987.
21. W. Peng and S. Purushothaman. Data flow analysis of communicating finite state machines. ACM Transactions on Programming Languages and Systems, 13(3):399-442, 1991.
22. J.P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proc. 5th Int'l Symp. on Programming, volume 137 of Lecture Notes in Computer Science, pages 337-351. Springer-Verlag, 1981.
23. H. Rudin. Network protocols and tools to help produce them. Annual Review of Computer Science, 2:291-316, 1987.
24. L.E. Rosier and H.C. Yen. Boundedness, empty channel detection and synchronization for communicating finite automata. Theoretical Computer Science, 44:69-105, 1986.
25. A.P. Sistla and L.D. Zuck. Automatic temporal verification of buffer systems. In Proc. 3rd Workshop on Computer Aided Verification, volume 575 of Lecture Notes in Computer Science, pages 93-103, Aalborg, July 1991. Springer-Verlag.
26. A. Tanenbaum. Computer Networks. Prentice Hall, 1989.
27. M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the First Symposium on Logic in Computer Science, pages 322-331, Cambridge, June 1986.
Appendix: Correctness Proofs

Theorem 1 Let $A$ be a QDD, let $A'$ denote the automaton returned by SEND($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{q_i!w}(A)$.

Proof: Let us prove first that $L_{q_i!w}(A) \subseteq L(A')$. Let $u$ be a word in $L(A)$. Hence, there exists a path $\pi = s_0 \xrightarrow{m_0} s_1 \xrightarrow{m_1} \cdots \xrightarrow{m_{n-1}} s_n$ in $A$ accepting $u$. Since $u = u|_{M_1} \cdots u|_{M_N}$, $\pi$ contains exactly one state $s_l$ such that $\forall k < l : m_k \in \bigcup_{j=1}^{i} M_j$ and $\forall k \geq l : m_k \in \bigcup_{j=i+1}^{N} M_j$. Therefore, $s_l$ is a state "$s$" that satisfies the condition in line 3 of the algorithm, and the algorithm replaces the transition $(s_l, m_l, s_{l+1})$ (if any) by $(s', m_l, s_{l+1})$, where the state $s'$ is a new state added by the algorithm. Moreover, the algorithm also adds $(s_l, w, s')$ to the set of transitions of $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are mapped to transitions of same label to (resp. from) $s'$), before being determinized, the resulting automaton contains the path $\pi' = s_0 \xrightarrow{m_0} \cdots \xrightarrow{m_{l-1}} s_l \xrightarrow{w} s' \xrightarrow{m_l} s'_{l+1} \xrightarrow{m_{l+1}} \cdots \xrightarrow{m_{n-1}} s'_n$. In the case where $m_{l-1}$ is the last transition of $\pi$, $s_l$ is accepting in $A$, and is replaced by $s'$ in the set of accepting states of $A'$. In any case, the path $\pi'$ is accepting, and the automaton $A'$ accepts $u|_{M_1} \cdots u|_{M_i}\, w\, u|_{M_{i+1}} \cdots u|_{M_N}$.

Now, we show that $L(A') \subseteq L_{q_i!w}(A)$. Let $u$ be a word in $L(A')$, and let $A''$ be the automaton obtained before the determinization operation giving $A'$. Since the automata $A'$ and $A''$ accept the same language, $u \in L(A'')$ and there exists a path $\pi$ of $A''$ accepting $u$. Let us show that $\pi$ is of the form $\pi_1\, (s, w, s')\, \pi_2$, where $\pi_1$ is composed only of transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$ while $\pi_2$ is composed only of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$.

Since $\pi_1$ leads from $s_0$ to $s$ and is composed of transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$, state $s$ satisfies the condition on line 3 of the algorithm, and hence cannot be accepting in $A''$. Moreover, there exists a transition $(s, w, s')$ in $A''$ added by the algorithm (at line 10). Since the algorithm does not perform any modification on transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$, all the transitions of $\pi_1$ are transitions in $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are mapped to transitions of same label to (resp. from) $s'$), there exists in $A$ a path $\pi'_2$ from $s$ corresponding to the same sequence of transitions as in $\pi_2$. Since the last state of $\pi_2$ is accepting in $A''$, the last state of $\pi'_2$ is accepting in $A$. Thus, the word $v$ such that $\forall k \neq i : v|_{M_k} = u|_{M_k}$ and $v|_{M_i}\, w = u|_{M_i}$, is accepted by $A$.
Theorem 4. Let $A$ be a QDD, let $A'$ denote the automaton returned by RECEIVE($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{q_i?w}(A)$.

Proof: Let us prove first that $L_{q_i?w}(A) \subseteq L(A')$. Let $u = u_1 w u_2$ be a word in $L(A)$, with $u_1$ (resp. $u_2$) only composed of symbols in $\bigcup_{j=1}^{i-1} M_j$ (resp. $\bigcup_{j=i}^{N} M_j$). There exists a path $\pi = s_0 \xrightarrow{m_0} s_1 \xrightarrow{m_1} \cdots \xrightarrow{m_{n-1}} s_n$ in $A$ accepting $u$. Since $u = u|_{M_1} \cdots u|_{M_N}$, $\pi$ contains exactly one state $s_l$ such that $\forall k < l: m_k \in \bigcup_{j=1}^{i-1} M_j$ and $\forall k \ge l: m_k \in \bigcup_{j=i}^{N} M_j$. Therefore, $s_l$ is a state "$s$" that satisfies the condition in line 3 of the algorithm, and the algorithm replaces the transition $(s_l, m_l, s_{l+1})$ by $(s', m_l, s_{l+1})$, where the state $s'$ is a new state added by the algorithm. Moreover, it follows from the definition of $u$ that $\pi$ contains exactly one state $s_p$ such that $s_l \stackrel{w}{\Rightarrow} s_p$. The state $s_p$ satisfies the condition at line 10 of the algorithm, hence the algorithm adds $(s, \varepsilon, s_p)$ to the set of transitions of $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s'$), before being determinized, the resulting automaton contains the path $\pi' = s_0 \xrightarrow{m_0} \cdots \xrightarrow{m_{l-1}} s_l \xrightarrow{\varepsilon} s_p \xrightarrow{m_p} s'_{p+1} \cdots \xrightarrow{m_{n-1}} s'_n$. Since the path $\pi'$ is accepting, the automaton $A'$ accepts the word $u_1 u_2$.

Now, we show that $L(A') \subseteq L_{q_i?w}(A)$. Let $u$ be a word in $L(A')$, and let $A''$ be the automaton obtained before the determinization operation giving $A'$. Since the automata $A'$ and $A''$ accept the same language, $u \in L(A'')$ and there exists a path $\pi$ of $A''$ accepting $u$. Let us show that $\pi$ is of the form $\pi_1 \pi_2$, where $\pi_1$ is composed only of transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$ while $\pi_2$ is composed only of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$.
Since $\pi_1$ leads from $s_0$ to $s$ and is composed of transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$, state $s$ satisfies the condition on line 3 of the algorithm, and hence cannot be accepting in $A''$. Moreover, the only outgoing transition from $s$ not labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$ can only be a transition $(s, \varepsilon, s'')$ added by the algorithm (at line 11), with $s \stackrel{w}{\Rightarrow} s''$ in $A$. Since the algorithm does not perform any modification on transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$, all the transitions of $\pi_1$ are transitions in $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s'$), there exists in $A$ a path $\pi'_2$ from $s''$ corresponding to the same sequence of transitions as in $\pi_2$. Since the last state of $\pi_2$ is accepting in $A''$, the last state of $\pi'_2$ is accepting in $A$. Thus, the word $v$ such that $\forall k \ne i: v|_{M_k} = u|_{M_k}$ and $v|_{M_i} = w\, u|_{M_i}$ is accepted by $A$.

Theorem 5. Let $A$ be a QDD, let $A'$ denote the automaton returned by SEND-STAR($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{(q_i!w)^*}(A)$.

Proof: Let us prove first that $L_{(q_i!w)^*}(A) \subseteq L(A')$. Let $u$ be a word in $L(A)$. Hence, there exists a path $\pi = s_0 \xrightarrow{m_0} s_1 \xrightarrow{m_1} \cdots \xrightarrow{m_{n-1}} s_n$ in $A$ accepting $u$. Since $u = u|_{M_1} \cdots u|_{M_N}$, $\pi$ contains exactly one state $s_l$ such that $\forall k < l: m_k \in \bigcup_{j=1}^{i} M_j$ and $\forall k \ge l: m_k \in \bigcup_{j=i+1}^{N} M_j$. Therefore, $s_l$ is a state "$s$" that satisfies the condition in line 3 of the algorithm, and the algorithm replaces the transition $(s_l, m_l, s_{l+1})$ (if any) by $(s'', m_l, s_{l+1})$, where the state $s''$ is a new state added by the algorithm. Moreover, the algorithm also creates another new state $s'$ and adds the transitions $(s_l, \varepsilon, s')$, $(s', \varepsilon, s'')$ and $(s', w, s')$ to the set of transitions of $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are preserved in $A'$ (a new state $s''$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s''$), before being determinized, the resulting automaton contains the path $\pi' = s_0 \xrightarrow{m_0} \cdots \xrightarrow{m_{l-1}} s_l \xrightarrow{\varepsilon} s' \xrightarrow{\varepsilon} s'' \xrightarrow{m_l} s'_{l+1} \xrightarrow{m_{l+1}} \cdots \xrightarrow{m_{n-1}} s'_n$. In the case where $m_{l-1}$ is the last transition of $\pi$, $s_l$ is accepting in $A$, and is replaced by $s''$ in the set of accepting states of $A'$. In any case, the path $\pi'$ is accepting. Let $k \ge 0$ be an arbitrary integer. Since the set of transitions of $A'$ contains the transition $(s', w, s')$, the path $\pi'_k = s_0 \xrightarrow{m_0} \cdots \xrightarrow{m_{l-1}} s_l \xrightarrow{\varepsilon} s' \xrightarrow{w^k} s' \xrightarrow{\varepsilon} s'' \xrightarrow{m_l} s'_{l+1} \xrightarrow{m_{l+1}} \cdots \xrightarrow{m_{n-1}} s'_n$ is also an accepting path of $A'$. It follows that for any $k \ge 0$, the automaton $A'$ accepts $u|_{M_1} \cdots u|_{M_i}\, w^k\, u|_{M_{i+1}} \cdots u|_{M_N}$.

Now, we show that $L(A') \subseteq L_{(q_i!w)^*}(A)$. Let $u$ be a word in $L(A')$, and let $A''$ be the automaton obtained before the determinization operation giving $A'$. Since the automata $A'$ and $A''$ accept the same language, $u \in L(A'')$ and there exists a path $\pi$ of $A''$ accepting $u$. Let us show that $\pi$ is of the form $\pi_1$ or $\pi_1\, (s, \varepsilon, s')\, (s', w, s')^k\, (s', \varepsilon, s'')\, \pi_2$, where $\pi_1$ is composed only of transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$, $\pi_2$ is composed only of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$, and $k \ge 0$.
Since $\pi_1$ leads from $s_0$ to $s$ and is composed of transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$, state $s$ satisfies the condition on line 3 of the algorithm. Moreover, there exist transitions $(s, \varepsilon, s')$, $(s', w, s')$ and $(s', \varepsilon, s'')$ added by the algorithm (at line 10). Since the algorithm does not perform any modification on transitions labeled by a symbol in $\bigcup_{j=1}^{i} M_j$, all the transitions of $\pi_1$ are transitions in $A$. Moreover, if $\pi_1$ is an accepting path in $A''$, then it is also an accepting path in $A$. Hence, if $\pi = \pi_1$, then $u \in L(A)$. Let us assume now that $\pi \ne \pi_1$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are preserved in $A'$ (a new state $s''$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i+1}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s''$), there exists in $A$ a path $\pi'_2$ from $s$ corresponding to the same sequence of transitions as in $\pi_2$. Since the last state of $\pi_2$ is accepting in $A''$, the last state of $\pi'_2$ is accepting in $A$. Thus, the word $v$ such that $\forall j \ne i: v|_{M_j} = u|_{M_j}$ and $v|_{M_i}\, w^k = u|_{M_i}$ is accepted by $A$.

Theorem 6. Let $A$ be a QDD, let $A'$ denote the automaton returned by RECEIVE-STAR($i$, $w$, $A$), and let $L(A')$ denote the language accepted by $A'$. Then $A'$ is a QDD such that $L(A') = L_{(q_i?w)^*}(A)$.

Proof: Let us prove first that $L_{(q_i?w)^*}(A) \subseteq L(A')$. Let $u = u_1 w^k u_2$ be a word in $L(A)$, with $u_1$ (resp. $u_2$) only composed of symbols in $\bigcup_{j=1}^{i-1} M_j$ (resp. $\bigcup_{j=i}^{N} M_j$), and $k \ge 0$. There exists a path $\pi = s_0 \xrightarrow{m_0} s_1 \xrightarrow{m_1} \cdots \xrightarrow{m_{n-1}} s_n$ in $A$ accepting $u$. Since $u = u|_{M_1} \cdots u|_{M_N}$, $\pi$ contains exactly one state $s_l$ such that $\forall h < l: m_h \in \bigcup_{j=1}^{i-1} M_j$ and $\forall h \ge l: m_h \in \bigcup_{j=i}^{N} M_j$. Therefore, $s_l$ is a state "$s$" that satisfies the condition in line 3 of the algorithm, and the algorithm replaces the transition $(s_l, m_l, s_{l+1})$ by $(s', m_l, s_{l+1})$, where the state $s'$ is a new state added by the algorithm. Moreover, it follows from the definition of $u$ that $\pi$ contains exactly one state $s_p$ such that $s_l \stackrel{w^k}{\Rightarrow} s_p$. The state $s_p$ satisfies the condition at line 10 of the algorithm, hence the algorithm adds $(s, \varepsilon, s_p)$ to the set of transitions of $A$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s'$), before being determinized, the resulting automaton contains the path $\pi' = s_0 \xrightarrow{m_0} \cdots \xrightarrow{m_{l-1}} s_l \xrightarrow{\varepsilon} s_p \xrightarrow{m_p} s'_{p+1} \cdots \xrightarrow{m_{n-1}} s'_n$. Since the path $\pi'$ is accepting, the automaton $A'$ accepts the word $u_1 u_2$.
Now, we show that $L(A') \subseteq L_{(q_i?w)^*}(A)$. Let $u$ be a word in $L(A')$, and let $A''$ be the automaton obtained before the determinization operation giving $A'$. Since the automata $A'$ and $A''$ accept the same language, $u \in L(A'')$ and there exists a path $\pi$ of $A''$ accepting $u$. Let us show that $\pi$ is of the form $\pi_1$ or $\pi_1 \pi_2$, where $\pi_1$ is composed only of transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$ while $\pi_2$ is composed only of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$.
Since $\pi_1$ leads from $s_0$ to $s$ and is composed of transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$, state $s$ satisfies the condition on line 3 of the algorithm. Moreover, the only outgoing transition from $s$ not labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$ can only be a transition $(s, \varepsilon, s'')$ added by the algorithm (at line 11), with $s \stackrel{w^k}{\Rightarrow} s''$ in $A$, and $k \ge 0$. Since the algorithm does not perform any modification on transitions labeled by a symbol in $\bigcup_{j=1}^{i-1} M_j$, all the transitions of $\pi_1$ are transitions in $A$. Moreover, if $\pi_1$ is an accepting path in $A''$, then it is also an accepting path in $A$. Hence, if $\pi = \pi_1$, then $u \in L(A)$. Let us assume now that $\pi \ne \pi_1$. Since all sequences of transitions labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are preserved in $A'$ (a new state $s'$ is associated to every intermediate state $s$ that satisfies the condition in line 3, and all the incoming (outgoing) transitions to (resp. from) $s$ labeled by a symbol in $\bigcup_{j=i}^{N} M_j$ are mapped to transitions with the same label to (resp. from) $s'$), there exists in $A$ a path $\pi'_2$ from $s''$ corresponding to the same sequence of transitions as in $\pi_2$. Since the last state of $\pi_2$ is accepting in $A''$, the last state of $\pi'_2$ is accepting in $A$. Thus, the word $v$ such that $\forall j \ne i: v|_{M_j} = u|_{M_j}$ and $v|_{M_i} = w^k\, u|_{M_i}$ is accepted by $A$.

Lemma 2. Let $n$ and $A_{n+1}$ be as defined by the algorithm computing the value of RECEIVE-SEND-STAR($i$, $w_1$, $j$, $w_2$, $A$). If the language accepted by $A_{n+1}$ is not empty, then there exists $p > 0$ such that $A_{n+1}$ and RECEIVE($i$, $w_1^p$, $A_{n+1}$) accept the same language.

Proof: First, we prove that $L(A_{n+1}) \subseteq L(\mathrm{RECEIVE}(i, w_1^p, A_{n+1}))$ for some $p > 0$. Let $w$ be a word in $L(A_{n+1})$. For any such word, there exists $w' \in L(A)$ such that $w'|_{M_i} = w_1^{n+1}\, (w|_{M_i})$, $w|_{M_j} = (w'|_{M_j})\, w_2^{n+1}$, and $\forall h \notin \{i, j\}: w|_{M_h} = w'|_{M_h}$. Let $s_0, s_1, \ldots, s_x$ be the path of $A$ accepting $w'$. It contains a subpath $s_y, s_{y+1}, \ldots, s_{y+n+1}$ such that $s_y \stackrel{w_1}{\Rightarrow} s_{y+1} \stackrel{w_1}{\Rightarrow} \cdots \stackrel{w_1}{\Rightarrow} s_{y+n+1}$ and $s_0 \stackrel{w''}{\Rightarrow} s_y$, with $w'' = w'|_{M_1} \cdots w'|_{M_{i-1}}$. By definition of $n$, this subpath contains a loop, i.e., there exist $z$ and $l$ such that $y \le z \le y+n+1$, $1 \le l \le n+1$, and $s_z \stackrel{w_1^l}{\Rightarrow} s_z$. We thus have $\forall k \ge 0: w'|_{M_1} \cdots w'|_{M_{i-1}}\, w_1^{kl}\, w'|_{M_i} \cdots w'|_{M_N} \in L(A)$. Choosing $k = (n+1)!/l$ (an integer, since $l \le n+1$), we obtain $w'|_{M_1} \cdots w'|_{M_{i-1}}\, w_1^{(n+1)!}\, w'|_{M_i} \cdots w'|_{M_N} \in L(A)$, which implies $w|_{M_1} \cdots w|_{M_{i-1}}\, w_1^{(n+1)!}\, w|_{M_i} \cdots w|_{M_N} \in L(A_{n+1})$. By taking $p = (n+1)!$ and applying this result to all the words $w$ in $L(A_{n+1})$, it follows that $L(A_{n+1}) \subseteq L(\mathrm{RECEIVE}(i, w_1^p, A_{n+1}))$.
Now, we show that $L(\mathrm{RECEIVE}(i, w_1^p, A_{n+1})) \subseteq L(A_{n+1})$ for the same $p = (n+1)!$. Let $w \in L(\mathrm{RECEIVE}(i, w_1^p, A_{n+1}))$. There exists $w' \in L(A)$ such that $w'|_{M_i} = w_1^{p+n+1}\, w|_{M_i}$, $w|_{M_j} = w'|_{M_j}\, w_2^{n+1}$, and $\forall h \notin \{i, j\}: w|_{M_h} = w'|_{M_h}$. Let $s_0, s_1, \ldots, s_x$ be the path of $A$ accepting $w'$. By definition of $n$, this path contains a subpath $s_y, s_{y+1}, \ldots, s_z$ such that $s_0 \stackrel{w''}{\Rightarrow} s_y$, with $w'' = w'|_{M_1} \cdots w'|_{M_{i-1}}$, that begins with $k$ occurrences of a loop accepting $w_1^l$, where $k$ and $l$ are such that $k \cdot l \ge p$ and $l \le n+1$. By removing exactly $p/l$ occurrences of this loop from the path $s_0, s_1, \ldots, s_x$, we obtain a path of $A$ accepting the word $w'''$ such that $w'''|_{M_i} = w_1^{n+1}\, w|_{M_i}$, $w|_{M_j} = w'''|_{M_j}\, w_2^{n+1}$, and $\forall h \notin \{i, j\}: w|_{M_h} = w'''|_{M_h}$. Therefore, $w \in L(A_{n+1})$.

Theorem 7. If $A$ is a QDD and $A'$ is returned by RECEIVE-SEND-STAR($i$, $w_1$, $j$, $w_2$, $A$), with $i \ne j$, then $A'$ is a QDD such that $L(A') = (q_i?w_1; q_j!w_2)^*(L(A))$.

Proof: Let $n$, $p$, $\{A_k\}$ be as defined by the algorithm computing RECEIVE-SEND-STAR. We have:

$$
\begin{aligned}
(q_i?w_1; q_j!w_2)^*(L(A)) &= \bigcup_{k=0}^{\infty} (q_i?w_1; q_j!w_2)^k(L(A)) \\
&= \bigcup_{k=0}^{n} (q_i?w_1; q_j!w_2)^k(L(A)) \;\cup\; \bigcup_{k=n+1}^{\infty} (q_i?w_1; q_j!w_2)^k(L(A)) \\
&= \bigcup_{k=0}^{n} L(A_k) \;\cup\; \bigcup_{k=0}^{\infty} (q_i?w_1; q_j!w_2)^k(L(A_{n+1})).
\end{aligned}
$$

If $L(A_{n+1}) = \emptyset$: We have $(q_i?w_1; q_j!w_2)^*(L(A)) = \bigcup_{k=0}^{n} L(A_k) = L(A')$.

If $L(A_{n+1}) \ne \emptyset$: As $i \ne j$, the operations $q_i?w_1$ and $q_j!w_2$ commute. Hence, writing every $k \ge 0$ as $k = pa + b$ with $a \ge 0$ and $0 \le b < p$, we have:

$$
\begin{aligned}
\bigcup_{k=0}^{\infty} (q_i?w_1; q_j!w_2)^k(L(A_{n+1}))
&= \bigcup_{a=0}^{\infty} \bigcup_{b=0}^{p-1} (q_i?w_1; q_j!w_2)^{pa+b}(L(A_{n+1})) \\
&= \bigcup_{a=0}^{\infty} \bigcup_{b=0}^{p-1} (q_j!w_2)^{pa}\, (q_i?w_1; q_j!w_2)^{b}\, (q_i?w_1)^{pa}(L(A_{n+1})).
\end{aligned}
$$

By definition of $p$ (Lemma 2), $(q_i?w_1)^{pa}(L(A_{n+1})) = L(A_{n+1})$. Thus, we have:

$$
\begin{aligned}
\bigcup_{k=0}^{\infty} (q_i?w_1; q_j!w_2)^k(L(A_{n+1}))
&= \bigcup_{a=0}^{\infty} \bigcup_{b=0}^{p-1} (q_j!w_2)^{pa}\, (q_i?w_1; q_j!w_2)^{b}(L(A_{n+1})) \\
&= \bigcup_{a=0}^{\infty} (q_j!w_2)^{pa} \Big( \bigcup_{b=0}^{p-1} (q_i?w_1; q_j!w_2)^{b}(L(A_{n+1})) \Big) \\
&= (q_j!w_2^p)^* \Big( \bigcup_{b=0}^{p-1} L(A_{n+b+1}) \Big) \\
&= L(A_{n+p+1}),
\end{aligned}
$$

the last equality being the way the algorithm builds $A_{n+p+1}$ from $A_{n+1}, \ldots, A_{n+p}$. Therefore, $(q_i?w_1; q_j!w_2)^*(L(A)) = \bigcup_{k=0}^{n} L(A_k) \cup L(A_{n+p+1})$. Since $\bigcup_{k=n+1}^{n+p} L(A_k) \subseteq L(A_{n+p+1})$, we finally have

$$
(q_i?w_1; q_j!w_2)^*(L(A)) = \bigcup_{k=0}^{n+p+1} L(A_k) = L(A').
$$
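The constructions that the proofs of Theorems 3 to 6 above describe, as an added example in Python (not code from the paper or from the authors' tool): each operation builds, from two tagged copies of the input automaton, the ε-NFA whose accepting paths are the paths $\pi'$ of the proofs (the tag plays the role of the primed states), and the result is then determinized. The SEND/RECEIVE pseudocode whose line numbers 3, 10 and 11 the proofs cite is not reproduced here; the `NFA` class, the function names and the sample QDD (two queues with $M_1 = \{a, b\}$, $M_2 = \{c\}$ and $L(A) = (ab)^* c^*$) are constructed for this example. A bounded word enumerator lets the language equations of the theorems be checked on the sample: every result word below the length bound corresponds to exactly one word of $L(A)$ below the bound, so the two finite sets must coincide.

```python
"""Queue-content operations on a QDD (a deterministic automaton over disjoint message alphabets
M_1..M_N that accepts only words of M_1^* ... M_N^*), built as the appendix's paths pi' describe:
tagged copies of the input automaton linked by the path that reads or skips w, then determinized."""
from collections import deque


class NFA:
    """trans maps (state, symbol) -> set of states; the symbol None is an epsilon move."""
    def __init__(self, init, accepting):
        self.init, self.accepting, self.trans = init, set(accepting), {}

    def add(self, src, sym, dst):
        self.trans.setdefault((src, sym), set()).add(dst)

    def states(self):
        return {self.init} | self.accepting | {s for s, _ in self.trans} | {t for d in self.trans.values() for t in d}

    def closure(self, states, sym=None):
        """Epsilon closure of `states`, or of the states they reach on `sym`."""
        todo = set(states) if sym is None else {t for s in states for t in self.trans.get((s, sym), ())}
        seen = set(todo)
        while todo:
            for t in self.trans.get((todo.pop(), None), ()):
                if t not in seen:
                    seen.add(t); todo.add(t)
        return frozenset(seen)

    def words(self, alphabet, max_len):
        """Accepted words of length <= max_len, as tuples of symbols (bounded enumeration)."""
        found, frontier = set(), [((), self.closure({self.init}))]
        for _ in range(max_len + 1):
            found |= {w for w, S in frontier if S & self.accepting}
            frontier = [(w + (a,), T) for w, S in frontier for a in alphabet if (T := self.closure(S, a))]
        return found


def determinize(B, alphabet):
    """Subset construction: the result is epsilon-free and deterministic; its states are frozensets."""
    D = NFA(B.closure({B.init}), set())
    seen, todo = {D.init}, deque([D.init])
    while todo:
        S = todo.popleft()
        D.accepting |= {S} if S & B.accepting else set()
        for a in alphabet:
            if T := B.closure(S, a):
                D.add(S, a, T)
                if T not in seen:
                    seen.add(T); todo.append(T)
    return D


def copies(A, M, cut, lo, hi):
    """Two tagged copies of the epsilon-free A: tag `lo` keeps only the transitions labelled in
    M_1..M_cut, tag `hi` only those labelled in M_{cut+1}..M_N together with the accepting states."""
    low, B = set().union(*M[:cut]), NFA((A.init, lo), {(s, hi) for s in A.accepting})
    for (s, a), dsts in A.trans.items():
        tag = lo if a in low else hi
        for t in dsts: B.add((s, tag), a, (t, tag))
    return B


def chain(B, src, w, dst):
    """Path src --w--> dst through fresh intermediate states (an epsilon move if w is empty)."""
    cur = src
    for k, a in enumerate(w):
        nxt = dst if k == len(w) - 1 else (src, 'w', k)
        B.add(cur, a, nxt); cur = nxt
    if not w: B.add(src, None, dst)


def send(A, i, w, M, star=False):
    """q_i!w (Theorem 3): (s,0) --w--> (s,1), so w is read between the M_1..M_i part and the rest.
    (q_i!w)* (Theorem 5): (s,0) -eps-> (s,1) --w--> (s,1) -eps-> (s,2), a w-loop between the parts."""
    B = copies(A, M, i, 0, 2 if star else 1)
    for s in A.states():
        if star:
            B.add((s, 0), None, (s, 1)); B.add((s, 1), None, (s, 2))
        chain(B, (s, 1) if star else (s, 0), w, (s, 1))
    return B


def receive(A, i, w, M, star=False):
    """q_i?w (Theorem 4): (s,0) -eps-> (t,1) for every t that A reaches from s on w, so the
    jump consumes w.  (q_i?w)* (Theorem 6): the same for every t reached from s on some w^k, k >= 0."""
    B = copies(A, M, i - 1, 0, 1)
    for s in A.states():
        seen, todo = {s} if star else set(), [s]
        while todo:
            cur = A.closure({todo.pop()})
            for a in w: cur = A.closure(cur, a)
            for t in cur - seen:
                seen.add(t); todo += [t] if star else []
        for t in seen:
            B.add((s, 0), None, (t, 1))
    return B


def queues(word, M):
    """Queue contents (one string per queue) denoted by a word of a QDD."""
    return tuple(''.join(a for a in word if a in Mk) for Mk in M)


# Constructed sample: two queues, M_1 = {a, b}, M_2 = {c}; A accepts (ab)* c*.
M = [{'a', 'b'}, {'c'}]
A = NFA(0, {0, 2})
for s, a, t in ((0, 'a', 1), (1, 'b', 0), (0, 'c', 2), (2, 'c', 2)):
    A.add(s, a, t)
```

With `star=True`, `send` reads the $w$-loop of Theorem 5 between two ε-moves and `receive` takes the ε-jump of Theorem 6 to every state reachable on some $w^k$, which is why $(q_1?a)^*$ on the sample yields exactly $L(A) \cup L_{q_1?a}(A)$: a second receive of $a$ is impossible once the head of queue 1 is $b$. Minimization, which the paper applies after determinization, is omitted, so the determinized automata are language-equivalent to the paper's but not canonical.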