[IEEE 2013 13th International Conference on Application of Concurrency to System Design (ACSD) - Barcelona, Spain (2013.07.8-2013.07.10)] 2013 13th International Conference on Application


Parametrised Compositional Verification with Multiple Process and Data Types

Antti Siirtola, Keijo Heljanko
Department of Information and Computer Science, Aalto University, P.O. Box 15400, FI-00076 Aalto, Finland

firstname.lastname(at)aalto.fi

Abstract—We present an LTS-based (Labelled Transition System) CSP-like (Communicating Sequential Processes) formalism for expressing parametrised systems. The parameters are process types, which determine the number of replicated components, and data types, which enable components with a parametrised state space. We prove that the formalism is compositional and show how to combine two existing results for parametrised verification in order to check trace refinement between parametrised processes. The combined approach gives upper bounds, i.e., cut-offs, for types such that a parametrised verification task collapses into finitely many checks solvable by using existing finite state refinement checking tools. We have implemented the approach and applied it to prove mutual exclusion properties of network protocols and systems with shared resources. To the best of our knowledge, our technique is the only one that combines compositionality and completeness with support for multiple parametric process and data types.

I. INTRODUCTION

Concurrent and object-oriented software systems have many natural parameters which can take infinitely many values. Such parameters are the number of replicated parts, like processes and objects, and the size of data types, like message domains and address spaces. Consequently, the question on the correctness of a software system is naturally expressed as the parametrised verification problem: given a parametrised system implementation and specification, determine whether the implementation is correct with respect to the specification for all parameter values.

In practice, we can automatically verify only the smallest instances of a parametrised system in order to detect bugs in the implementation. Sometimes, we can also establish upper bounds, i.e., cut-offs, for the parameters such that the system implementation is correct for all parameter values if and only if it is correct for all values up to the cut-offs. In other words, if there is a bug in an implementation instance with a parameter value greater than the cut-off, then there is an analogous bug in an implementation instance where the values of the parameters are within the cut-offs. Although such cut-offs always exist, determining them algorithmically is undecidable in the most general case [1].

Another practical challenge is that some subsystems (e.g., external software packages and subsystems concurrently under construction) can be available only in interface specification form. Hence, there is a need to perform parametrised verification in a compositional way, where we first substitute the subsystem specification for each subsystem implementation that is known or proved to be correct and then analyse the correctness of the whole system. This is possible if the correctness relation is a precongruence, a reflexive and transitive relation which is preserved under the application of composition operators.

Contribution: As the first contribution, we present a formalism which enables expressing parametrised systems and specifications and allows for compositional analysis and design. The formalism is based on an LTS-based (Labelled Transition System) CSP-like [2], [3] (Communicating Sequential Processes) process calculus with hiding and parallel composition operators, which we parametrise with types and variables of two kinds. Process types enable parametrising the structure of a system by controlling the number of replicated concurrent parts. Data types allow for parametrising the state space of components by controlling the number of similar transitions acting on different data. Process and data variables refer to individual components and data values, respectively, and their values can be tested for (in)equality. Hence, the formalism is like the one in [4] but significantly extended with data parametrisation features. It allows for expressing interesting and practically important classes of systems and specifications, like the mutual exclusion properties of network protocols and systems with shared resources, but increasing its expressiveness further quickly leads to undecidability [5].

As the main contribution, we show how to compute cut-offs for trace refinement checking between parametrised processes. This is done by combining two existing results on parametrised verification: the precongruence reduction (PR) method of Siirtola and Kortelainen [6], [7], [5], [4] and the data independence (DI) results of Lazic and Novak [8], [9]. It is not obvious that the combination of the results leads to something useful since the PR technique applies to systems with process types but does not allow for components with a parametrised state space, whereas the DI results apply to systems with data types but do not allow for systems with a parametric number of replicated components.

Here, we solve the problem by bounding the process types with the PR technique first. Basically, we should fix the values of data types before we can apply the PR technique, which means that we ought to apply the technique infinitely many times in order to determine cut-offs for process types. However, since the data types can affect the structure of the system in only finitely many ways, it turns out that we can compute rough structural cut-offs for process types as before without paying attention to data types. After that, we can basically substitute the parallel composition of finitely many parametrised processes for a replicated parametrised parallel composition and apply the DI results to bound the size of data types. For each type 𝑇, the cut-off size can be computed easily based on the structure of the parametrised system implementation and specification and the number of variables of the type 𝑇. After that, the cut-offs can be further improved by analysing the instances up to the cut-offs at the operational level. Finally, the verification can be completed by solving the remaining finitely many finite state refinement checking tasks by using existing tools.

2013 13th International Conference on Application of Concurrency to System Design

1550-4808/13 $26.00 © 2013 IEEE

DOI 10.1109/ACSD.2013.9

As a running example, we consider a host configuration protocol (HCP) with an arbitrary number of hosts (process type) and an arbitrary number of network addresses (data type). Since the protocol involves types of both kinds, it cannot be handled by either technique alone. However, it can be treated with our combined result, which implies that the result presented here is more powerful than either of the approaches alone. We have implemented the technique and, in addition to HCP, applied it to establish mutual exclusion properties for systems with shared resources. Since our formalism is compositional, the specifications of these systems can be used in place of the implementations in further verification efforts.

Except for some small differences in formalism and the definition of cut-offs, our DI results are semantically similar to those of Lazic and Novak [8], [9]. Additionally, our DI proof technique is simpler than in [8], [9]: we use only the bijective mapping of transitions and avoid the construction of intermediate structures, like exploration graphs [8] and quotient LTSs [9], altogether. This leads to a more accessible and concise theory of data independence, which is the third contribution of the paper. However, unlike [8], [9], we consider only safety properties, since the PR technique cannot be extended to deadlock preserving semantics directly [5]. On the other hand, extending the DI part of our results to such semantics should be easy, since all the key DI lemmas are formulated at the operational level.

Related Work: The distinctive features of our approach are compositionality, completeness and support for multiple parameters of two fundamentally different types.

Parametrised verification in a compositional setting was previously considered by Valmari & Tienari [10] and Creese [11]. In both works, induction is exploited to determine an abstract process which can be used in verification in place of the parametrised subsystem. The methods scale to the multi-parametrised case, too, but they involve the discovery of an invariant process, which is a task that cannot be automated in general.

Ghilardi and Ranise present a complete parametrised verification technique [12], where the infinite family of finite state systems arising from a parametrised system description is encoded as a single infinite state well-structured transition system (WSTS) [13]. The technique allows for two levels of parametrisation, the number and the state space of processes, but since the formalism is not compositional, it does not allow for an arbitrary number of nested parametrised substructures like ours. The completeness of the approach is based on the fact that there is an order on the set of states that is compatible with the transition relation [13]. In our case, there is no such criterion nor an (obvious) way to define a compatible order among the states of all the instances. That is because our processes communicate through alphabet-based synchronisation, where increasing the number of replicated components may block some transitions and hence break compatibility.

Other methods that enable multi-parametrised verification are by Emerson & Kahlon [14], Yang & Li [15] and Hanna et al. [16]. Their approaches apply to systems with guarded broadcasts [14], shared actions [16] or rendezvous communication [15]. The methods are cut-off-based and allow for an arbitrary number of parameters which specify the number of replicated processes. However, none of them supports compositional analysis or parametrised data types.

Other complete parametrised verification methods, in turn, are based on either cut-offs [17], [18], [19], [20], [21] or WSTSs [22], which cover counter abstraction and Petri nets [23]. WSTSs were already discussed above, and the other cut-off results are only for closed systems with a single parameter determining the number of replicated processes.

Moreover, some of the results can be obtained in our approach, too. At least the systems with conjunctive guards [14] and homogeneous processes communicating through a prioritised queue policy [21] can be modelled in our formalism [5]. On the one hand, most cut-off results, including [14], [21], allow for the analysis of liveness, too, whereas our result as well as WSTS-based approaches are restricted to safety properties. On the other hand, parametrised systems where replicated processes communicate through rendezvous events are difficult to model in our formalism, whereas they can often be modelled as WSTSs.

Outline: In Section II, we introduce our process model. After that, in Section III, we parametrise it while preserving compositionality. In Section IV, we present the cut-off results and finally, the paper concludes with a discussion on future work. For the sake of readability and the lack of space, proofs are found in the online appendix [24].

II. PROCESSES

In this section, we define a fairly standard notation used throughout the paper and a CSP- and LTS-based process model with parallel composition and hiding operators. The main difference from standard LTSs is that in our model, states and events have an explicit data part, which makes adding parametrisation convenient.


Notation: For any set 𝐴, 𝐴∗ denotes the set of all finite tuples over 𝐴; in particular, the empty tuple () is in 𝐴∗. Whenever a := (𝑎1, . . . , 𝑎𝑛) and b := (𝑏1, . . . , 𝑏𝑘) are tuples over 𝐴, then ∣a∣ denotes the length 𝑛 of a, and ab the concatenation (𝑎1, . . . , 𝑎𝑛, 𝑏1, . . . , 𝑏𝑘) of a and b. For any function 𝑓 : 𝐴 → 𝐵, dom(𝑓) is the domain 𝐴 of 𝑓, and im(𝑓) the image {𝑓(𝑎) ∣ 𝑎 ∈ 𝐴} of 𝑓. The tuple a can be regarded as a function 𝑓 : {1, . . . , 𝑛} → 𝐴 such that 𝑓(𝑖) = 𝑎𝑖 for all 𝑖 ∈ {1, . . . , 𝑛}, so we can define im(a) as the set {𝑎𝑖 ∣ 𝑖 = 1, . . . , 𝑛}. For any set 𝐶, 𝑓∣𝐶 denotes the restriction of 𝑓 to 𝐴 ∩ 𝐶, i.e., a function 𝑓′ : 𝐴 ∩ 𝐶 → 𝐵 such that 𝑓′(𝑎) = 𝑓(𝑎) for all 𝑎 ∈ 𝐴 ∩ 𝐶. For any function 𝑔 such that im(𝑓) ⊆ dom(𝑔), 𝑔 ∘ 𝑓 is the composition of 𝑔 and 𝑓, i.e., a function ℎ : dom(𝑓) → im(𝑔) such that ℎ(𝑎) = 𝑔(𝑓(𝑎)) for all 𝑎 ∈ 𝐴.

Processes: A process is basically an LTS [3] where states have a control and data part and events have a channel and data part. Let 𝕊, ℂ and 𝕍 be mutually disjoint countably infinite sets of control states, channels and constants, respectively, such that 𝕊 contains the natural numbers and is closed under the Cartesian product. We assume that there is a single invisible channel 𝜏 ∈ ℂ which represents the internal activity of a process. The other channels are called visible and they are used for communication among processes and the environment. A structure 𝑠 d, where 𝑠 ∈ 𝕊 and d ∈ 𝕍∗, is a state and a structure 𝑐 e, where 𝑐 ∈ ℂ and e ∈ 𝕍∗, is an event. If 𝑐 ≠ 𝜏, the event is visible, otherwise it is invisible.

Definition 1 (Process). A process 𝑃 is a pair (𝑠 d, 𝑅), where 𝑠 d is a state and 𝑅 is a set of triples (𝑠 d, 𝑐 e, 𝑠′ d′) such that 𝑠 d, 𝑠′ d′ are states and 𝑐 e is an event.

The first component of 𝑃 is called the initial state, denoted by init(𝑃), and the second one is the set of transitions, denoted by tran(𝑃). The set of all the visible events occurring in 𝑃, the alphabet of 𝑃, is denoted by alph(𝑃). 𝑃 is (in)finite if and only if tran(𝑃) is. 𝑃 is (strongly) deterministic if (i) it does not involve invisible events and (ii) whenever (𝑠 d, 𝑐1 e1, 𝑠1 d1) and (𝑠 d, 𝑐2 e2, 𝑠2 d2) are transitions of 𝑃 such that 𝑠1 d1 ≠ 𝑠2 d2, then 𝑐1 e1 ≠ 𝑐2 e2.

Operators: In our formalism, a system implementation and a system specification are modelled as processes 𝑃impl and 𝑃spec, respectively. Since the implementation often consists of several components, 𝑃impl is typically a parallel composition of smaller processes, and before 𝑃impl is compared against 𝑃spec, the channels irrelevant to 𝑃spec are hidden.

Definition 2 (Parallel Composition). Let 𝑃𝑖 be the process (𝑠𝑖 d𝑖, 𝑅𝑖) for both 𝑖 ∈ {1, 2}. The parallel composition (of 𝑃1 and 𝑃2), denoted by (𝑃1 ∥ 𝑃2), is a pair ((𝑠1, 𝑠2, ∣d1∣) d1d2, 𝑅∥), where 𝑅∥ is the set of all triples ((𝑠1, 𝑠2, ∣d1∣) d1d2, 𝑐 e, (𝑠′1, 𝑠′2, ∣d′1∣) d′1d′2) such that

(i) 𝑐 ≠ 𝜏 and (𝑠𝑖 d𝑖, 𝑐 e, 𝑠′𝑖 d′𝑖) ∈ 𝑅𝑖 for both 𝑖 ∈ {1, 2}, or

(ii) (𝑠𝑖 d𝑖, 𝑐 e, 𝑠′𝑖 d′𝑖) ∈ 𝑅𝑖, 𝑐 e ∉ alph(𝑃𝑗), 𝑠𝑗 d𝑗 is a state of 𝑃𝑗 and 𝑠𝑗 d𝑗 = 𝑠′𝑗 d′𝑗 for different elements 𝑖, 𝑗 ∈ {1, 2}.

Obviously, (𝑃1 ∥ 𝑃2) is a process, where 𝑃1 and 𝑃2 execute a visible event jointly if and only if both agree on its execution, whereas the visible events only in the alphabet of one process and the invisible events are executed individually. This is essentially the parallel composition operator of CSP [2], [3] where the synchronisation alphabet is alph(𝑃1) ∩ alph(𝑃2). Note that the third component in the control states of (𝑃1 ∥ 𝑃2) tells which part of the data vector comes from 𝑃1. Without it, the composition of states 𝑠1(𝑎) and 𝑠2() and states 𝑠1() and 𝑠2(𝑎) would be the same, which is not what we want.

Definition 3 (Hiding). Let 𝑃 be the process (𝑠 d, 𝑅) and 𝐸 a set of visible channels. The process 𝑃 after hiding 𝐸, denoted by (𝑃 ∖ 𝐸), is a pair (𝑠 d, 𝑅∖), where 𝑅∖ is the set of (i) all triples (𝑠 d, 𝑐 e, 𝑠′ d′) ∈ 𝑅 such that 𝑐 ∉ 𝐸 and (ii) all triples (𝑠 d, 𝜏 e, 𝑠′ d′) such that (𝑠 d, 𝑐 e, 𝑠′ d′) ∈ 𝑅 for some 𝑐 ∈ 𝐸.

In other words, (𝑃 ∖ 𝐸) is a process obtained from 𝑃 by substituting 𝜏 for the channels 𝑐 in 𝐸.

Semantics: For verification purposes, a process is interpreted as a set of traces, which enables us to consider safety properties. A finite alternating sequence (𝑠0 d0, 𝑐1 e1, 𝑠1 d1, . . . , 𝑐𝑛 e𝑛, 𝑠𝑛 d𝑛) of states and events of 𝑃 is a path of 𝑃 (from 𝑠0 d0) (to 𝑠𝑛 d𝑛) if (𝑠𝑖−1 d𝑖−1, 𝑐𝑖 e𝑖, 𝑠𝑖 d𝑖) is a transition of 𝑃 for every 𝑖 ∈ {1, . . . , 𝑛}. A path from the initial state is called an execution (of 𝑃). A finite sequence of visible events is a trace (of 𝑃), if there is an execution of 𝑃 such that the sequence is obtained from the execution by erasing all the states and the invisible events. The set of all the traces of 𝑃 is denoted by tr(𝑃). A process 𝑃1 is a trace refinement of a process 𝑃2, denoted by 𝑃1 ⪯tr 𝑃2, if and only if alph(𝑃1) = alph(𝑃2) and tr(𝑃1) ⊆ tr(𝑃2) [2]. The processes 𝑃1 and 𝑃2 are trace equivalent, denoted by 𝑃1 ≡tr 𝑃2, if and only if 𝑃1 ⪯tr 𝑃2 and 𝑃2 ⪯tr 𝑃1. 𝑃impl is considered correct with respect to 𝑃spec if and only if 𝑃impl ⪯tr 𝑃spec.

Calculus: The operators and the trace relations have many useful properties from the viewpoint of synthesis and analysis. First, the parallel composition is commutative and associative with respect to ≡tr and a single state process 𝑃id := (𝑠(), ∅) without transitions is an identity element of the parallel composition. That is why for every finite set 𝐼 = {𝑖1, . . . , 𝑖𝑛} and any processes 𝑃𝑖1, . . . , 𝑃𝑖𝑛, we can define the 𝐼-indexed version of ∥ as follows: (∥𝑖∈𝐼 𝑃𝑖) := 𝑃𝑖1 ∥ (∥𝑖∈{𝑖2,...,𝑖𝑛} 𝑃𝑖), when 𝑛 > 0, and (∥𝑖∈𝐼 𝑃𝑖) := 𝑃id, when 𝑛 = 0. Secondly, ⪯tr is a preorder (i.e., a reflexive and transitive relation) and ≡tr an equivalence on the set of processes. Moreover, ⪯tr is compositional, i.e., preserved under the application of the operators: if 𝑃1 ⪯tr 𝑃2, then 𝑃1 ∥ 𝑃 ⪯tr 𝑃2 ∥ 𝑃, 𝑃 ∥ 𝑃1 ⪯tr 𝑃 ∥ 𝑃2 and 𝑃1 ∖ 𝐸 ⪯tr 𝑃2 ∖ 𝐸 for all processes 𝑃1, 𝑃2, 𝑃 and sets 𝐸 of visible channels. Hence, ⪯tr is a compositional preorder, a precongruence, on the set of processes.


III. PARAMETRISED PROCESSES

In this section, we equip our process calculus with parameters. Our parametrised formalism is based on the one which is presented in [4] and which allows for parametrising the structure of a system. Here, we extend that formalism with data parameters which allow for components with a parametrised state space, too.

Running Example: As a running example, we consider a host configuration protocol (HCP), where each host repeatedly picks a network address until it finds one that is not used by other hosts. This is done by broadcasting address queries and replies to other hosts in the style of ARP (Address Resolution Protocol). Our goal is to formally model the protocol with an arbitrary number of hosts and an arbitrarily large address space and prove that in our construction, each address is possessed by at most one host.

Parameters: In order to model HCP, we parametrise processes and operators with four kinds of variables: (process and data) types and (process and data) variables. A data type denotes a finite non-empty set of data values and a process type represents a finite non-empty set of the identifiers of replicated components of a certain kind, whereas a process variable refers to the identifier of an individual component and a data variable to a data value. A (concurrent) parametrised system is composed of sequential parametrised processes each of which represents the system from the viewpoint of finitely many replicated components.

Formally, we assume that for each type 𝑇 there is a countably infinite set 𝐼𝑇 ⊆ 𝕍 of constants such that 𝐼𝑈 and 𝐼𝑉 are disjoint whenever 𝑈 and 𝑉 are different types, and for each process and data variable 𝑥, there is respectively a unique process or data type 𝑇𝑥. The possible values of a type 𝑇 are the finite non-empty subsets of 𝐼𝑇 and the possible values of a variable 𝑥 are the elements of 𝐼𝑇𝑥. We assume that the sets of process types, data types, process variables and data variables, denoted by 𝕋𝑃, 𝕋𝐷, 𝕏𝑃 and 𝕏𝐷, respectively, are disjoint and countably infinite. We write 𝕋 and 𝕏 short for 𝕋𝑃 ∪ 𝕋𝐷 and 𝕏𝑃 ∪ 𝕏𝐷, respectively.

In HCP, there are two kinds of replicated objects: hosts and addresses. Hence, we pick a process type 𝑇𝐻 to represent the set of the identifiers of hosts and a data type 𝑇𝐴 to denote the set of available addresses.

Guards: In our parametrised formalism, (in)equality tests between variables are represented as guards.

Definition 4 (Guard). Guards 𝒞 are given by the grammar

𝒞 ::= ⊤ ∣ 𝑥 = 𝑦 ∣ (¬̂ 𝒞) ∣ (𝒞 ∧̂ 𝒞),

where 𝑥 and 𝑦 range over variables.

The parameters of a guard 𝒞 are the variables occurring in 𝒞. The set of all the parameters of 𝒞 is denoted by par(𝒞) and the set par(𝒞) ∪ {𝑇𝑥 ∣ 𝑥 ∈ par(𝒞)} of all the parameters of 𝒞 plus the types of the parameters is denoted by p̅a̅r̅(𝒞).

Intuitively, ⊤ denotes a guard which is always true and symbols with a hat on top are interpreted as the connectives without one; the hat is included just to mark operators which act on parametrised structures. Formally, a guard is instantiated by using a function called a valuation which assigns values to parameters.

Definition 5 (Valuation). A valuation is a function 𝜙 whose domain is a finite set of types and variables such that (i) for each type 𝑇 ∈ dom(𝜙), 𝜙(𝑇) is a finite non-empty subset of 𝐼𝑇 and (ii) for every variable 𝑥 ∈ dom(𝜙), 𝑇𝑥 ∈ dom(𝜙) and 𝜙(𝑥) ∈ 𝜙(𝑇𝑥).

A valuation 𝜙 is compatible with a guard 𝒞 if and only if p̅a̅r̅(𝒞) ⊆ dom(𝜙), i.e., par(𝒞) ⊆ dom(𝜙).

Definition 6 (Instance of Guard). Let 𝒞 be a guard and 𝜙 a compatible valuation. The (𝜙-)instance of 𝒞, denoted by [[𝒞]]𝜙, is determined inductively as follows:

1) [[⊤]]𝜙 is true,
2) [[𝑥 = 𝑦]]𝜙 equals 𝜙(𝑥) = 𝜙(𝑦),
3) [[¬̂ 𝒞′]]𝜙 is ¬[[𝒞′]]𝜙 and
4) [[𝒞1 ∧̂ 𝒞2]]𝜙 = [[𝒞1]]𝜙 ∧ [[𝒞2]]𝜙.

Parametrised Processes: A structure 𝑠 x, where 𝑠 ∈ 𝕊 and x is a tuple of data variables, is a parametrised state. Respectively, a structure 𝑐 y, where 𝑐 ∈ ℂ and y is a tuple of any variables, is a parametrised event. A sequential parametrised process is basically a process where parametrised states and events are substituted for the ordinary ones and transitions are equipped with a guard and a choice set, i.e., a set of data variables whose values are fixed during the execution of the transition.

Definition 7 (SPP). A sequential parametrised process (SPP) is a pair 𝒮 := (𝑠 x, Δ), where 𝑠 x is a parametrised state and Δ is a finite set of five-tuples (𝑠 x, 𝑋, 𝒞, 𝑐 y, 𝑠′ x′) such that 𝑠 x and 𝑠′ x′ are parametrised states, 𝑐 y is a parametrised event, 𝒞 is a guard and 𝑋 ⊆ im(y x′) ∩ 𝕏𝐷 is a choice set.

The first component of 𝒮 is called the parametrised initial state and the elements of Δ are parametrised transitions. Let 𝑥 be a variable that occurs in a parametrised transition (𝑠 x, 𝑋, 𝒞, 𝑐 y, 𝑠′ x′). If 𝑥 ∈ im(x) ∪ 𝑋, then 𝑥 and all its occurrences are bound in the parametrised transition, otherwise they are free. A variable is free in an SPP 𝒮, if it occurs in the parametrised initial state of 𝒮 or it is free in some parametrised transition of 𝒮. Respectively, a variable is bound in 𝒮, if it is bound in some parametrised transition of 𝒮. Hence, if a variable occurs twice in 𝒮, it can be both free and bound. The parameters of 𝒮 are the free variables and the types of bound variables occurring in 𝒮. Like in the case of guards, par(𝒮) denotes the set of all the parameters of 𝒮, p̅a̅r̅(𝒮) is the set par(𝒮) ∪ {𝑇𝑥 ∣ 𝑥 ∈ par(𝒮) ∩ 𝕏} of all the parameters of 𝒮 plus the types of the parameters, and a valuation 𝜙 is compatible with 𝒮 if and only if p̅a̅r̅(𝒮) ⊆ dom(𝜙), i.e., par(𝒮) ⊆ dom(𝜙).


Analogously to predicate logic, the free occurrences of variables are initialised (instantiated) in the beginning and preserve their value throughout the computation whereas the values of the bound occurrences are determined at run time. To put it more formally, let 𝜙 be a valuation and 𝑋 a set of variables such that 𝑇𝑥 ∈ dom(𝜙) for every 𝑥 ∈ 𝑋. We write ext(𝜙, 𝑋) for the set of all valuations 𝜙′ with the domain dom(𝜙) ∪ 𝑋 such that 𝜙 and 𝜙′ agree on the values of parameters outside 𝑋, i.e., 𝜙′∣dom(𝜙)∖𝑋 = 𝜙∣dom(𝜙)∖𝑋, and 𝜙′(𝑥) ∈ 𝜙(𝑇𝑥) for all 𝑥 ∈ 𝑋.

Definition 8 (Instance of SPP). Let 𝒮 be an SPP (𝑠 x, Δ) and 𝜙 a compatible valuation. The (𝜙-)instance of 𝒮, denoted by [[𝒮]]𝜙, is a pair (𝑠(𝜙 ∘ x), 𝑅), where 𝑅 is the set of all triples (𝑠(𝜙′ ∘ x), 𝑐(𝜙′ ∘ y), 𝑠′(𝜙′ ∘ x′)) such that (𝑠 x, 𝑋, 𝒞, 𝑐 y, 𝑠′ x′) ∈ Δ, 𝜙′ ∈ ext(𝜙, im(x) ∪ 𝑋) and [[𝒞]]𝜙′ is true.

In order to formalise the specification of HCP, we first capture it from the viewpoint of two hosts in an SPP UA2 in Figure 1, where a parametrised event ih(𝑧ℎ, 𝑧𝑎) denotes that a host 𝑧ℎ has an address 𝑧𝑎, guards other than ⊤ are written in brackets, and non-empty choice sets {𝑥1, . . . , 𝑥𝑛} are expressed in the form □𝑥1, . . . , 𝑥𝑛 separated by a colon. In UA2, variables 𝑥ℎ and 𝑦ℎ of the type 𝑇𝐻 representing hosts are free and variables 𝑥𝑎 and 𝑦𝑎 of the type 𝑇𝐴 representing addresses are bound. That is why par(UA2) = {𝑥ℎ, 𝑦ℎ, 𝑇𝐴} and p̅a̅r̅(UA2) = {𝑥ℎ, 𝑦ℎ, 𝑇𝐴, 𝑇𝐻}. Initially, UA2 allows the host 𝑦ℎ to report having any address but after the host 𝑥ℎ has picked an address 𝑥𝑎, the host 𝑦ℎ is no longer allowed to report having 𝑥𝑎.

Figure 1. SPP UA2 representing the specification of HCP from the viewpoint of two hosts (states 𝑠0() and 𝑠1(𝑥𝑎); transition labels □𝑥𝑎 : ih(𝑥ℎ, 𝑥𝑎), □𝑦𝑎 : ih(𝑦ℎ, 𝑦𝑎), □𝑦𝑎 : [¬̂(𝑦𝑎 = 𝑥𝑎)] ih(𝑦ℎ, 𝑦𝑎) and ih(𝑥ℎ, 𝑥𝑎))

Concurrent parametrised processes are constructed from SPPs, guards and parametrised versions of the operators.

Definition 9 (CPP). Concurrent parametrised processes (CPPs) 𝒫 are determined by the grammar:

𝒫 ::= 𝒮 ∣ ([𝒞]𝒫) ∣ (𝒫 ∥ 𝒫) ∣ (𝒫 ∖ 𝐸) ∣ (∥𝑥 𝒫),

where 𝒮 ranges over SPPs, 𝒞 over guards, 𝐸 over the finite sets of visible channels and 𝑥 over process variables.

A process variable 𝑥 is bound in a CPP 𝒫 if it occurs in 𝒫 and its every occurrence is within a structure of the form ∥𝑦 𝒫′ such that 𝑦 = 𝑥. A data variable 𝑥 is bound in 𝒫 if it occurs in 𝒫 and its every occurrence is bound in some parametrised transition. The other variables occurring in 𝒫 are free in 𝒫. The parameters of 𝒫, the sets par(𝒫) and p̅a̅r̅(𝒫), and the notion of compatibility are defined like for SPPs. We can also write 𝒫(𝑥1, . . . , 𝑥𝑚, 𝑇1, . . . , 𝑇𝑛) to point out that 𝒫 is a CPP the parameters of which are variables 𝑥1, . . . , 𝑥𝑚 and types 𝑇1, . . . , 𝑇𝑛.

Intuitively, each CPP represents (infinitely) many processes obtained by fixing the values of the parameters and evaluating the operators. In particular, ∥𝑥 𝒫′ denotes the parallel composition of all structures 𝒫′ obtained by letting the variable 𝑥 range over its domain.

Definition 10 (Instance of CPP). Let 𝒫 be a CPP and 𝜙 a compatible valuation. The (𝜙-)instance of 𝒫, denoted by [[𝒫]]𝜙, is determined inductively as follows:

1) [[𝒫1 ∥ 𝒫2]]𝜙 = [[𝒫1]]𝜙 ∥ [[𝒫2]]𝜙,
2) [[𝒫′ ∖ 𝐸]]𝜙 = [[𝒫′]]𝜙 ∖ 𝐸,
3) [[[𝒞]𝒫′]]𝜙 = [[𝒫′]]𝜙, if [[𝒞]]𝜙 is true, and [[[𝒞]𝒫′]]𝜙 = 𝑃id, if [[𝒞]]𝜙 is false, and
4) [[∥𝑥 𝒫′]]𝜙 = ∥𝜙′∈ext(𝜙,{𝑥}) [[𝒫′]]𝜙′.

If the parameters of 𝒫 are 𝑥1, . . . , 𝑥𝑚, 𝑇1, . . . , 𝑇𝑛, then we also write 𝒫(𝜙(𝑥1), . . . , 𝜙(𝑥𝑚), 𝜙(𝑇1), . . . , 𝜙(𝑇𝑛)) for [[𝒫]]𝜙. Nevertheless, [[𝒫]]𝜙 is obviously a process with finitely many transitions and [[𝒫]]𝜙 = [[𝒫]]𝜓 whenever 𝜓 is a valuation such that 𝜓∣par(𝒫) = 𝜙∣par(𝒫).

Regarding HCP, the full specification is obtained by letting 𝑥ℎ and 𝑦ℎ range over all pairs of different host identifiers and by composing all the resulting instances of UA2 in parallel. Hence, the formal specification is a CPP

UnqAdr(𝑇𝐻, 𝑇𝐴) := ∥𝑥ℎ ∥𝑦ℎ [¬̂(𝑥ℎ = 𝑦ℎ)] UA2,

which allows each host to report only a single unique address. To see this, consider a valuation 𝜙 such that 𝜙(𝑇𝐻) = {ℎ1, ℎ2} and 𝜙(𝑇𝐴) = 𝐴2, where 𝐴2 = {𝑎1, 𝑎2}. Obviously, 𝜙 is compatible with UnqAdr and the 𝜙-instance of UnqAdr is the process

𝑃id ∥ (UA2(ℎ1, ℎ2, 𝐴2) ∥ (UA2(ℎ2, ℎ1, 𝐴2) ∥ 𝑃id)),

which is equal to UA2(ℎ1, ℎ2, 𝐴2) ∥ UA2(ℎ2, ℎ1, 𝐴2) in Figure 2, modulo the structure of control states.

The protocol itself is modelled in a similar way and captured in a CPP

HCP(𝑇𝐻, 𝑇𝐴) := (∥𝑥ℎ ∥𝑦ℎ [¬̂(𝑥ℎ = 𝑦ℎ)] Host) ∖ IC,

where Host is an SPP (in Figure 3 in [24]) and IC is the set of all visible channels occurring in Host, except for ih.

Refinement: We complete our parametrised formalism by defining a trace refinement relation on the set of CPPs.

Definition 11 (Parametrised Trace Refinement). A CPP 𝒫1 is a trace refinement of a CPP 𝒫2, denoted by 𝒫1 ⪯tr 𝒫2, if and only if [[𝒫1]]𝜙 ⪯tr [[𝒫2]]𝜙 for all valuations 𝜙 compatible with both 𝒫1 and 𝒫2.

Given a system implementation CPP 𝒫 and a system specification CPP 𝒬, we consider 𝒫 to be correct (with respect to 𝒬) if and only if 𝒫 ⪯tr 𝒬. Now, the question on the correctness of HCP can be formalised as the problem whether HCP ⪯tr UnqAdr. Like the original trace refinement, also its parametrised version allows for compositional analysis.

Figure 2. The specification of HCP with two hosts and two addresses (states (𝑠0, 𝑠0, 0)(), (𝑠1, 𝑠0, 1)(𝑎1), (𝑠1, 𝑠0, 1)(𝑎2), (𝑠0, 𝑠1, 0)(𝑎1), (𝑠0, 𝑠1, 0)(𝑎2), (𝑠1, 𝑠1, 1)(𝑎1, 𝑎2) and (𝑠1, 𝑠1, 1)(𝑎2, 𝑎1); transitions labelled ih(ℎ𝑖, 𝑎𝑗) with 𝑖, 𝑗 ∈ {1, 2})

Proposition 12. The relation ⪯tr is a precongruence on the set of CPPs.
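As an added example (not code from the paper or its authors), the following Python model implements the process calculus of Section II (Definitions 1 to 3 and trace refinement against a deterministic specification), the instantiation of SPPs (Definition 8) and the construction of [[UnqAdr]]𝜙 for any finite sets of hosts and addresses (Definitions 9 and 10), so it also reproduces the two-host, two-address instance of Figure 2. It then checks the question HCP ⪯tr UnqAdr against a constructed toy implementation: the host, allocator and toy_hcp processes, the pick channel, the variable names xh, yh, xa, ya and the reading of Figure 1's edges from the text around it are assumptions, and the paper's own Host SPP (in its appendix) is not reproduced.

```python
from functools import reduce
from itertools import combinations, product

TAU = "tau"                        # the single invisible channel
P_ID = (("id", ()), frozenset())   # identity element of || (Section II, Calculus)
TYPE_OF = {"xh": "TH", "yh": "TH", "xa": "TA", "ya": "TA"}   # T_x for each variable

# Process = (initial state, transitions); state = (control, data), event = (channel, data).
def alph(proc):
    return {ev for (_, ev, _) in proc[1] if ev[0] != TAU}
def states(proc):
    return {proc[0]} | {s for (s, _, _) in proc[1]} | {t for (_, _, t) in proc[1]}
def compose(s1, s2):               # Definition 2: control (s1, s2, |d1|), data d1 d2
    return ((s1[0], s2[0], len(s1[1])), s1[1] + s2[1])

def parallel(p1, p2):
    """Definition 2: synchronise on alph(P1) & alph(P2), interleave the rest."""
    (init1, r1), (init2, r2) = p1, p2
    a1, a2 = alph(p1), alph(p2)
    rp = {(compose(s1, s2), ev, compose(t1, t2))             # (i) joint visible event
          for (s1, ev, t1) in r1 for (s2, ev2, t2) in r2 if ev == ev2 and ev[0] != TAU}
    rp |= {(compose(s1, s2), ev, compose(t1, s2))            # (ii) P1 moves alone
           for (s1, ev, t1) in r1 if ev not in a2 for s2 in states(p2)}
    rp |= {(compose(s1, s2), ev, compose(s1, t2))            # (ii) P2 moves alone
           for (s2, ev, t2) in r2 if ev not in a1 for s1 in states(p1)}
    return (compose(init1, init2), frozenset(rp))

def hide(proc, channels):          # Definition 3: substitute tau for the channels in E
    return (proc[0], frozenset((s, (TAU, e[1]) if e[0] in channels else e, t)
                               for (s, e, t) in proc[1]))

def tau_closure(proc, sts):        # states reachable from sts by invisible events only
    seen, new = set(sts), set(sts)
    while new:
        new = {t for (s, ev, t) in proc[1] if s in seen and ev[0] == TAU} - seen
        seen |= new
    return frozenset(seen)

def refines(impl, spec):
    """P_impl <=tr P_spec, assuming spec is deterministic as Section IV requires."""
    if alph(impl) != alph(spec):
        return False
    step = {(q1, e): t2 for (q1, e, t2) in spec[1]}      # deterministic: one successor
    todo = [(tau_closure(impl, {impl[0]}), spec[0])]
    seen = set(todo)
    while todo:
        iset, q = todo.pop()
        for (s, ev, t) in impl[1]:
            if s in iset and ev[0] != TAU:
                if (q, ev) not in step:                    # impl has a trace spec lacks
                    return False
                nxt = (tau_closure(impl, {t}), step[q, ev])
                if nxt not in seen:
                    seen.add(nxt); todo.append(nxt)
    return True

def instance(spp, phi):
    """Definition 8: phi-instance of an SPP (phi: free variables -> values, types -> sets)."""
    (s0, x0), delta = spp
    trans = set()
    for ((s, xs), choice, guard, (c, ys), (s2, xs2)) in delta:
        bound = sorted(set(xs) | set(choice))              # im(x) union X
        for vals in product(*(sorted(phi[TYPE_OF[v]]) for v in bound)):
            phi2 = {**phi, **dict(zip(bound, vals))}       # phi' in ext(phi, bound)
            if guard is None or guard(phi2):               # None stands for the guard T
                trans.add(((s, tuple(phi2[x] for x in xs)),
                           (c, tuple(phi2[y] for y in ys)),
                           (s2, tuple(phi2[x] for x in xs2))))
    return ((s0, tuple(phi[x] for x in x0)), frozenset(trans))

# Figure 1, SPP UA2: one (source, choice set, guard, event, target) per transition.
UA2 = (("s0", ()), [
    (("s0", ()), ("xa",), None, ("ih", ("xh", "xa")), ("s1", ("xa",))),
    (("s0", ()), ("ya",), None, ("ih", ("yh", "ya")), ("s0", ())),
    (("s1", ("xa",)), ("ya",), lambda v: v["ya"] != v["xa"],
     ("ih", ("yh", "ya")), ("s1", ("xa",))),
    (("s1", ("xa",)), (), None, ("ih", ("xh", "xa")), ("s1", ("xa",)))])

def unq_adr(hosts, addrs):
    """[[UnqAdr]]phi for phi(TH) = hosts, phi(TA) = addrs (Definitions 9 and 10)."""
    return reduce(parallel, (instance(UA2, {"xh": x, "yh": y, "TA": addrs})
                             for x, y in product(sorted(hosts), repeat=2) if x != y), P_ID)

def host(h, addrs):
    """Constructed toy host (not the paper's Host SPP): pick an address, report it."""
    trans = {(("pick", ()), ("pick", (h, a)), ("have", (a,))) for a in addrs}
    trans |= {(("have", (a,)), ("ih", (h, a)), ("have", (a,))) for a in addrs}
    return (("pick", ()), frozenset(trans))

def allocator(hosts, addrs):
    """Constructed toy arbiter: grants pick(h, a) only while a is unclaimed."""
    claimed = [c for k in range(len(addrs)) for c in combinations(sorted(addrs), k)]
    trans = {(("free", c), ("pick", (h, a)), ("free", tuple(sorted(c + (a,)))))
             for c in claimed for h in sorted(hosts) for a in sorted(addrs) if a not in c}
    return (("free", ()), frozenset(trans))

def toy_hcp(hosts, addrs, arbitrated):
    """Toy implementation; as in HCP := (...) \\ IC, the pick channel is hidden."""
    parts = [host(h, addrs) for h in sorted(hosts)] + ([allocator(hosts, addrs)] if arbitrated else [])
    return hide(reduce(parallel, parts, P_ID), {"pick"})
```

With the allocator, toy_hcp(hosts, addrs, True) refines unq_adr(hosts, addrs); without it two hosts can both report the same address, which the specification forbids, and refines() returns False.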

IV. CUT-OFF THEOREMS

Next, we present the main result of the paper, Corollary 21, which provides cut-offs for checking trace refinement between CPPs. However, we need to assume that the specification does not involve hiding and that it is deterministic, i.e., all its instances are deterministic. That is because giving up either of the assumptions renders parametrised verification undecidable.¹ Fortunately, in practice, many safety specifications are deterministic and hiding is typically applied only on the implementation side.

The proof consists of two main parts, Theorems 16 and 20, which give cut-offs for process types and data types, respectively. Theorem 16 is similar to the ones proved in [7], [5] but allows for data parameters, too, whereas Theorem 20 is semantically similar to the DI results [8], [9] but technically more elegant. Consequently, the presentation is more accessible and concise here than in [8], [9].

Finally, we provide cut-offs for checking the determinism of a CPP in the form of Theorem 22. Previously, a semantically similar result was presented in [25] in the context of [8].

¹ To see why allowing hiding on the specification side makes parametrised verification undecidable, we refer to [5]. The undecidability for non-deterministic specifications follows from the fact that they can detect whether an implementation uses data constants for counting. As long as the implementation maintains the initial order for any (non-deterministically chosen) pair of data constants, the specification does not allow for an extra behaviour; in particular, executing a halting event is forbidden. However, if a pair of data constants does not respect the order in which they were seen for the first time, the specification allows the implementation to do anything. This way, the implementation can simulate a Turing machine and halting can be detected as the violation of the specification.

A. Cut-Offs for Process Types

In order to determine cut-offs for process types, we first show that if a big instance of the system specification $\mathcal{Q}$ is composed of the same components as a set of small instances, then the big instance can be represented as the parallel composition of the small ones. (Here, big and small are in terms of the size of the values of process types.) Similarly, if a big instance of the system implementation $\mathcal{P}$ is composed of the same components as a set of small instances, the big instance can be over-approximated as the parallel composition of the small ones (Lemma 13).

Second, if each of the small instances of $\mathcal{P}$ is a trace refinement of the corresponding instance of $\mathcal{Q}$, then by the compositionality of the trace refinement, the parallel composition of the small instances of $\mathcal{P}$ is a trace refinement of the parallel composition of the small instances of $\mathcal{Q}$. By the above and the transitivity of the trace refinement, it implies that the big instance of $\mathcal{P}$ is a trace refinement of the corresponding instance of $\mathcal{Q}$, too (Proposition 14).

Finally, since there is an upper limit for the size of small instances which is obtained by simply counting the number of free and nested bound variables for each process type (Lemma 15), a parametrised trace refinement checking task reduces to the refinement checking of the instances, where the size of the process types is bounded (Theorem 16).

In order to present the technique formally, we need to clarify some concepts. If $\mathcal{R}$ is a CPP and $\phi$ a compatible valuation, the set of the processes (of the $\phi$-instance of $\mathcal{R}$), denoted by $\mathrm{prc}(\mathcal{R}, \phi)$, is defined inductively as follows:

1) $\mathrm{prc}(\mathcal{S}, \phi) = \{[\![\mathcal{S}]\!]_\phi\}$ for an SPP $\mathcal{S}$,
2) $\mathrm{prc}(\mathcal{R}_1 \parallel \mathcal{R}_2, \phi) = \bigcup_{i \in \{1,2\}} \big(\{i\} \times \mathrm{prc}(\mathcal{R}_i, \phi)\big)$,
3) $\mathrm{prc}(\mathcal{R} \setminus E, \phi) = \mathrm{prc}(\mathcal{R}, \phi)$,
4) $\mathrm{prc}([\mathcal{C}]\mathcal{R}', \phi) = \begin{cases} \mathrm{prc}(\mathcal{R}', \phi) & \text{if } [\![\mathcal{C}]\!]_\phi \text{ is true,} \\ \emptyset & \text{if } [\![\mathcal{C}]\!]_\phi \text{ is false,} \end{cases}$ and
5) $\mathrm{prc}(\parallel_x \mathcal{R}', \phi) = \bigcup_{\phi' \in \mathrm{ext}(\phi, \{x\})} \big(\{\phi'(x)\} \times \mathrm{prc}(\mathcal{R}', \phi')\big)$.

For example, if $\theta$ is a valuation such that $T_H, T_A \in \mathrm{dom}(\theta)$ and $\theta(T_H) = \{h_1, \ldots, h_n\}$, then $\mathrm{prc}(\mathit{UnqAdr}, \theta)$ equals
$$\{\,(h_i, (h_j, \mathit{UA2}(h_i, h_j, \theta(T_A)))) \mid i, j \in \{1, \ldots, n\},\ i \neq j\,\}.$$

If $\phi_1$ and $\phi_2$ are valuations and $\mathcal{T}$ is a set of types, we say that $\phi_1$ is a ($\mathcal{T}$-)subvaluation of $\phi_2$, if

1) $\phi_1$ and $\phi_2$ have the same domain,
2) $\phi_1(T) \subseteq \phi_2(T)$ for all types $T \in \mathcal{T} \cap \mathrm{dom}(\phi_1)$ and
3) $\phi_1|_{\mathrm{dom}(\phi_1) \setminus \mathcal{T}} = \phi_2|_{\mathrm{dom}(\phi_2) \setminus \mathcal{T}}$ (the valuations agree on the values of parameters outside $\mathcal{T}$).

The $\phi_1$-instance of a CPP $\mathcal{R}$ is smaller than (or equal to) the $\phi_2$-instance of $\mathcal{R}$ if $\phi_1$ is a subvaluation of $\phi_2$. For example, if $\Theta$ is the set of all subvaluations $\theta'$ of $\theta$ such that $|\theta'(T_H)| \le 2$, then $\Theta$ is a finite set of $\mathbb{T}_P$-subvaluations of $\theta$ and $[\![\mathit{UnqAdr}]\!]_{\theta'}$ is smaller than $[\![\mathit{UnqAdr}]\!]_\theta$ for all $\theta' \in \Theta$.

Since the specification $\mathcal{Q}$ does not involve hiding, each instance of $\mathcal{Q}$ is just the parallel composition of the instances of SPPs occurring in $\mathcal{Q}$. Hence, if the set of the processes of a (big) instance of $\mathcal{Q}$ equals the set of the processes of smaller instances of $\mathcal{Q}$, then by the commutativity, associativity and idempotence of the parallel composition, it is evident that the big instance is trace equivalent to the parallel composition of the small instances. For implementation CPPs $\mathcal{P}$, which typically involve hiding, trace equivalence does not hold in general. However, since distributing hiding over the parallel composition results in a process with more traces, we can still establish a trace refinement between the big instance of $\mathcal{P}$ and the parallel composition of the small ones.

Lemma 13. Let $\mathcal{R}$ be a CPP, $\psi$ a compatible valuation, $T \in \mathrm{dom}(\psi)$ a process type and $\Phi$ a finite set of the $\{T\}$-subvaluations of $\psi$ such that $\mathrm{prc}(\mathcal{R}, \psi) = \bigcup_{\phi \in \Phi} \mathrm{prc}(\mathcal{R}, \phi)$. Then $[\![\mathcal{R}]\!]_\psi \preceq_{\mathrm{tr}} \parallel_{\phi \in \Phi} [\![\mathcal{R}]\!]_\phi$, and if $\mathcal{R}$ does not involve hiding, $[\![\mathcal{R}]\!]_\psi \equiv_{\mathrm{tr}} \parallel_{\phi \in \Phi} [\![\mathcal{R}]\!]_\phi$, too.

Considering our running example, let $\theta$ and $\Theta$ be as above. Since every element of $\mathrm{prc}(\mathit{UnqAdr}, \theta)$ depends on the identifiers of two hosts, it is easy to see that $\mathrm{prc}(\mathit{UnqAdr}, \theta)$ equals $\bigcup_{\theta' \in \Theta} \mathrm{prc}(\mathit{UnqAdr}, \theta')$, which implies that $[\![\mathit{UnqAdr}]\!]_\theta \equiv_{\mathrm{tr}} \parallel_{\theta' \in \Theta} [\![\mathit{UnqAdr}]\!]_{\theta'}$. Similarly, we can check that $\mathrm{prc}(\mathit{HCP}, \theta) = \bigcup_{\theta' \in \Theta} \mathrm{prc}(\mathit{HCP}, \theta')$, which implies that $[\![\mathit{HCP}]\!]_\theta \preceq_{\mathrm{tr}} \parallel_{\theta' \in \Theta} [\![\mathit{HCP}]\!]_{\theta'}$. Now, if $[\![\mathit{HCP}]\!]_{\theta'} \preceq_{\mathrm{tr}} [\![\mathit{UnqAdr}]\!]_{\theta'}$ for all $\theta' \in \Theta$, then by the compositionality of $\preceq_{\mathrm{tr}}$, we know that $\parallel_{\theta' \in \Theta} [\![\mathit{HCP}]\!]_{\theta'} \preceq_{\mathrm{tr}} \parallel_{\theta' \in \Theta} [\![\mathit{UnqAdr}]\!]_{\theta'}$, too. By the transitivity of $\preceq_{\mathrm{tr}}$, it follows that $[\![\mathit{HCP}]\!]_\theta \preceq_{\mathrm{tr}} [\![\mathit{UnqAdr}]\!]_\theta$. Hence, the lemma implies that we can derive the correctness of a big system instance from the correctness of small instances.

Proposition 14. Let $\mathcal{P}$ and $\mathcal{Q}$ be CPPs such that $\mathcal{Q}$ does not involve hiding, $\psi$ a compatible valuation, $T \in \mathrm{dom}(\psi)$ a process type and $\Phi$ a set of the $\{T\}$-subvaluations of $\psi$ such that $\mathrm{prc}(\mathcal{P}, \psi) = \bigcup_{\phi \in \Phi} \mathrm{prc}(\mathcal{P}, \phi)$ and $\mathrm{prc}(\mathcal{Q}, \psi) = \bigcup_{\phi \in \Phi} \mathrm{prc}(\mathcal{Q}, \phi)$. If $[\![\mathcal{P}]\!]_\phi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\phi$ for all valuations $\phi \in \Phi$, then $[\![\mathcal{P}]\!]_\psi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\psi$.

The proposition allows us to discard (big) instances but it does not explicitly say which instances we should keep. This piece of information is hidden in the condition of the form $\mathrm{prc}(\mathcal{R}, \psi) = \bigcup_{\phi \in \Phi} \mathrm{prc}(\mathcal{R}, \phi)$ which requires the set of the processes of the big instance to be the same as the set of the processes of the small ones. Since each element in $\mathrm{prc}(\mathcal{R}, \psi)$ is completely determined by the values of finitely many variables and data types, the cut-off (size) for a process type $T$ and $\mathcal{R}$, denoted by $\mathrm{cp}_T(\mathcal{R})$, depends on the maximum number of constants in $I_T$ that occur in an element in $\mathrm{prc}(\mathcal{R}, \psi)$. In other words, $\mathrm{cp}_T(\mathcal{R})$ is obtained by simply counting the number of the free variables of the type $T$ and adding the maximum number of the nested bound variables of the type $T$. More formally,
$$\mathrm{cp}_T(\mathcal{R}) := \max\big(1,\ |\mathrm{free}_T(\mathcal{R})| + \mathrm{pbnd}_T(\mathcal{R})\big),$$
where $\mathrm{free}_T(\mathcal{R})$ is the set $\{x \in \mathbb{X} \cap \mathrm{par}(\mathcal{R}) \mid T_x = T\}$ of all the variables of the type $T$ that are free in $\mathcal{R}$ and $\mathrm{pbnd}_T(\mathcal{R})$ is defined inductively as follows:

1) $\mathrm{pbnd}_T((s\,\mathbf{x}, \Delta)) = 0$,
2) $\mathrm{pbnd}_T([\mathcal{C}]\mathcal{R}') = \mathrm{pbnd}_T(\mathcal{R}')$,
3) $\mathrm{pbnd}_T(\mathcal{R}_1 \parallel \mathcal{R}_2) = \max(\mathrm{pbnd}_T(\mathcal{R}_1), \mathrm{pbnd}_T(\mathcal{R}_2))$,
4) $\mathrm{pbnd}_T(\mathcal{R}' \setminus E) = \mathrm{pbnd}_T(\mathcal{R}')$ and
5) $\mathrm{pbnd}_T(\parallel_x \mathcal{R}') = \begin{cases} \mathrm{pbnd}_T(\mathcal{R}') + 1 & \text{if } T_x = T, \\ \mathrm{pbnd}_T(\mathcal{R}') & \text{if } T_x \neq T. \end{cases}$

For example, as the specification CPP $\mathit{UnqAdr}$ involves two subprocesses of the form $\parallel_x \mathcal{P}'$ such that $T_x = T_H$, we see that $\mathrm{pbnd}_{T_H}(\mathit{UnqAdr}) = 2$. Moreover, since $\mathit{UnqAdr}$ has no free variable, it implies that $\mathrm{cp}_{T_H}(\mathit{UnqAdr}) = 2$. Similarly, we can show that $\mathrm{cp}_{T_H}(\mathit{HCP}) = 2$, too.

Lemma 15. If $\mathcal{R}$ is a CPP, $\psi$ a compatible valuation, $T \in \mathrm{dom}(\psi)$ a process type, $k \ge |\mathrm{im}(\psi|_{\mathbb{X}}) \cap I_T| + \mathrm{pbnd}_T(\mathcal{R})$ a positive integer and $\Phi$ the set of all $\{T\}$-subvaluations $\phi$ of $\psi$ such that $|\phi(T)| = \min(k, |\psi(T)|)$, then $\mathrm{prc}(\mathcal{R}, \psi) = \bigcup_{\phi \in \Phi} \mathrm{prc}(\mathcal{R}, \phi)$.

By combining the results above, we get cut-offs for process types for parametrised trace refinement checking.

Theorem 16 (Cut-Offs for Process Types). Let $\mathcal{P}$ and $\mathcal{Q}$ be CPPs such that $\mathcal{Q}$ does not involve hiding, $\Phi$ the set of all valuations with the domain $\mathrm{par}(\mathcal{P} \parallel \mathcal{Q})$ and $\Psi$ the set of all valuations $\phi \in \Phi$ such that $|\phi(T)| \le \mathrm{cp}_T(\mathcal{P} \parallel \mathcal{Q})$ for every process type $T \in \mathrm{par}(\mathcal{P} \parallel \mathcal{Q})$. Then $[\![\mathcal{P}]\!]_\phi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\phi$ for all $\phi \in \Phi$, if and only if $[\![\mathcal{P}]\!]_\psi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\psi$ for all $\psi \in \Psi$.

When we apply the theorem to HCP, we see that to prove HCP correct for any number of hosts and network addresses, it is sufficient to consider instances with an arbitrary number of addresses but at most two hosts.

B. Cut-Offs for Data Types

To determine cut-offs for data types, we first show that an execution of a big instance of a system implementation $\mathcal{P}$ can be bijectively mapped to an execution of a small instance of $\mathcal{P}$ transition by transition. (Here, big and small are in terms of the size of the values of data types.) If the small instance of $\mathcal{P}$ is a trace refinement of the small instance of the system specification $\mathcal{Q}$, then the small specification instance has a corresponding execution which can be projected back to the execution of the big instance of $\mathcal{Q}$ by using the inverse mappings, provided the specification is deterministic (Lemma 17). This implies that if the small instance of $\mathcal{P}$ is a trace refinement of the small instance of $\mathcal{Q}$, then the big instance of $\mathcal{P}$ is a trace refinement of the big instance of $\mathcal{Q}$, too (Prop. 18).

Since we can compute an upper limit for the size of small instances based on the cut-offs of process types and the number of data variables occurring in $\mathcal{P}$ and $\mathcal{Q}$ (Lemma 19), a parametrised trace refinement checking task reduces to the refinement checking of the instances of bounded size (Theorem 20).


The bijective mapping of executions between big and small instances presumes that the small instance is big enough. The sufficient size for the small instance depends on the number of constants occurring in a transition or the initial state of the big instance, which motivates the following definition. Let $P$ be a process and $A$ a set of constants. We write $\mathrm{idc}(P, A)$ for the maximum number of constants in $A$ that occur in a state or transition of $P$, i.e.,
$$\mathrm{idc}(P, A) := \max\{\,|\mathrm{im}(\mathbf{d}) \cap A|,\ |\mathrm{im}(\mathbf{d}\,\mathbf{e}\,\mathbf{d}') \cap A| \;\mid\; s\,\mathbf{d} = \mathrm{init}(P),\ (s\,\mathbf{d}, c\,\mathbf{e}, s'\,\mathbf{d}') \in \mathrm{tran}(P)\,\}.$$

For example, let $\theta_1$ be a valuation with the domain $\{T_A, T_H\}$ such that $\theta_1(T_H) = \{h_1, h_2\}$ and $\theta_1(T_A) = \{a_1, \ldots, a_n\}$. If $n = 2$, then $[\![\mathit{UnqAdr}]\!]_{\theta_1}$ is the process in Figure 2, where obviously $\mathrm{idc}([\![\mathit{UnqAdr}]\!]_{\theta_1}, I_{T_A}) = 2$. More generally, since $[\![\mathit{UnqAdr}]\!]_{\theta_1} = P_{\mathrm{id}} \parallel \mathit{UA2}(h_1, h_2, \theta_1(T_A)) \parallel \mathit{UA2}(h_2, h_1, \theta_1(T_A)) \parallel P_{\mathrm{id}}$ and each parametrised transition and state of $\mathit{UA2}$ involves at most two variables of the type $T_A$, we can see that $\mathrm{idc}([\![\mathit{UnqAdr}]\!]_{\theta_1}, I_{T_A}) \le 4$. Similarly, we get that $\mathrm{idc}([\![\mathit{HCP}]\!]_{\theta_1}, I_{T_A}) \le 4$.

Lemma 17. Let $\mathcal{P}$ and $\mathcal{Q}$ be CPPs, $\psi$ a compatible valuation, $T \in \mathrm{dom}(\psi)$ a data type and $\phi$ a $\{T\}$-subvaluation of $\psi$ such that
$$|\phi(T)| \ \ge\ |\mathrm{im}(\psi|_{\mathbb{X}}) \cap I_T| + \mathrm{idc}\big([\![\mathcal{P}]\!]_\psi,\ I_T \setminus \mathrm{im}(\psi|_{\mathbb{X}})\big) + \mathrm{idc}\big([\![\mathcal{Q}]\!]_\phi,\ I_T \setminus \mathrm{im}(\psi|_{\mathbb{X}})\big).$$
Moreover, let $[\![\mathcal{Q}]\!]_\phi$ be deterministic, $[\![\mathcal{P}]\!]_\phi$ a trace refinement of $[\![\mathcal{Q}]\!]_\phi$ and $(s_0\,\mathbf{d}_0, c_1\,\mathbf{e}_1, s_1\,\mathbf{d}_1, \ldots, c_n\,\mathbf{e}_n, s_n\,\mathbf{d}_n)$ an execution of $[\![\mathcal{P}]\!]_\psi$ such that $n = 0$ or $c_n\,\mathbf{e}_n$ is a visible event, and let $i_1, i_2, \ldots, i_k$ be the increasing sequence of all the indices in $\{1, \ldots, n\}$ such that $c_i \neq \tau$. Then, (i) there are bijections $g_1, \ldots, g_n : \mathbb{V} \to \mathbb{V}$ which move only constants in $\psi(T) \setminus \mathrm{im}(\psi|_{\mathbb{X}})$ such that
$$(s_0\,\mathbf{d}_0,\ c_1\,(g_1 \circ \mathbf{e}_1),\ s_1\,(g_1 \circ \mathbf{d}_1),\ \ldots,\ c_n\,(g_n \circ \mathbf{e}_n),\ s_n\,(g_n \circ \mathbf{d}_n))$$
is an execution of $[\![\mathcal{P}]\!]_\phi$, and (ii) there is an execution $(s'_0\,\mathbf{d}'_0, c'_1\,\mathbf{e}'_1, s'_1\,\mathbf{d}'_1, \ldots, c'_k\,\mathbf{e}'_k, s'_k\,\mathbf{d}'_k)$ of $[\![\mathcal{Q}]\!]_\phi$ such that
$$(s'_0\,\mathbf{d}'_0,\ c'_1\,(g^{-1}_{i_1} \circ \mathbf{e}'_1),\ s'_1\,(g^{-1}_{i_1} \circ \mathbf{d}'_1),\ \ldots,\ c'_k\,(g^{-1}_{i_k} \circ \mathbf{e}'_k),\ s'_k\,(g^{-1}_{i_k} \circ \mathbf{d}'_k))$$
is an execution of $[\![\mathcal{Q}]\!]_\psi$ and $c'_j\,(g^{-1}_{i_j} \circ \mathbf{e}'_j) = c_{i_j}\,\mathbf{e}_{i_j}$ for all $j \in \{1, \ldots, k\}$.

Regarding HCP, let $\theta_2$ be a $\{T_A\}$-subvaluation of $\theta_1$ such that $|\theta_2(T_A)| = 8$. Since $[\![\mathit{UnqAdr}]\!]_{\theta_2}$ is deterministic, $\mathrm{im}(\theta_1|_{\mathbb{X}})$ is empty and $|\theta_2(T_A)| \ge \mathrm{idc}([\![\mathit{HCP}]\!]_{\theta_1}, I_{T_A}) + \mathrm{idc}([\![\mathit{UnqAdr}]\!]_{\theta_2}, I_{T_A})$, the proposition implies that if $[\![\mathit{HCP}]\!]_{\theta_2} \preceq_{\mathrm{tr}} [\![\mathit{UnqAdr}]\!]_{\theta_2}$, then for every execution of $[\![\mathit{HCP}]\!]_{\theta_1}$ there is an execution of $[\![\mathit{UnqAdr}]\!]_{\theta_1}$ which gives rise to the same trace. Hence, with the aid of the lemma above, we can derive the correctness of a big implementation instance from the correctness of a small one.

Proposition 18. Let $\mathcal{P}$ and $\mathcal{Q}$ be CPPs, $\psi$ a compatible valuation, $T \in \mathrm{dom}(\psi)$ a data type and $\phi$ a $\{T\}$-subvaluation of $\psi$ such that
$$|\phi(T)| \ \ge\ |\mathrm{im}(\psi|_{\mathbb{X}}) \cap I_T| + \mathrm{idc}\big([\![\mathcal{P}]\!]_\psi,\ I_T \setminus \mathrm{im}(\psi|_{\mathbb{X}})\big) + \mathrm{idc}\big([\![\mathcal{Q}]\!]_\psi,\ I_T \setminus \mathrm{im}(\psi|_{\mathbb{X}})\big).$$
If $[\![\mathcal{Q}]\!]_\phi$ is deterministic and $[\![\mathcal{P}]\!]_\phi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\phi$, then $[\![\mathcal{P}]\!]_\psi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\psi$, too.

Like in the case of process types, the proposition allows us to discard (big) instances but it does not explicitly say which instances we should keep. This time, the cut-off size of a data type $T$ depends on the number of constants in $I_T$ that occur in a state or transition of an implementation instance and a specification instance. If the size of process types is already bounded using Theorem 16, then the cut-off (size) for $T$ and a CPP $\mathcal{R}$, denoted by $\mathrm{cd}_T(\mathcal{R})$, can be over-approximated as follows. First, count the number of the free variables of the type $T$. Then, go through all SPPs $\mathcal{S}$ occurring in $\mathcal{R}$ and in each round, add the product of two figures: the maximum number of the bound variables of the type $T$ occurring in a parametrised transition and the maximum number of the instances of $\mathcal{S}$ within an instance of $\mathcal{R}$. To put it more formally,
$$\mathrm{cd}_T(\mathcal{R}) := \max\big(1,\ |\mathrm{free}_T(\mathcal{R})| + \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R})\big),$$
where $\mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R})$ is defined inductively as follows:

1) $\mathrm{dbnd}_{T,\mathcal{R}}((s\,\mathbf{x}, \Delta))$ is the maximum of $|\{x \in \mathrm{im}(\mathbf{x}) \cup X \mid T_x = T\}|$ when $(s\,\mathbf{x}, X, \mathcal{C}, c\,\mathbf{y}, s'\,\mathbf{x}')$ ranges over $\Delta$,
2) $\mathrm{dbnd}_{T,\mathcal{R}}([\mathcal{C}]\mathcal{R}') = \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}')$,
3) $\mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}_1 \parallel \mathcal{R}_2) = \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}_1) + \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}_2)$,
4) $\mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}' \setminus E) = \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}')$ and
5) $\mathrm{dbnd}_{T,\mathcal{R}}(\parallel_x \mathcal{R}') = \mathrm{cp}_{T_x}(\mathcal{R}) \cdot \mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{R}')$.

For example, let $\mathit{HU} := \mathit{HCP} \parallel \mathit{UnqAdr}$. By the above, we know that $\mathrm{cp}_{T_H}(\mathit{HU}) = 2$. Moreover, since every parametrised transition of $\mathit{UA2}$ involves at most two variables of the type $T_A$, we see that $\mathrm{dbnd}_{T_A,\mathit{HU}}(\mathit{UA2}) = 2$. Hence, $\mathrm{dbnd}_{T_A,\mathit{HU}}(\mathit{UnqAdr}) = \mathrm{cp}_{T_{x_h}}(\mathit{HU}) \cdot \mathrm{cp}_{T_{x_y}}(\mathit{HU}) \cdot \mathrm{dbnd}_{T_A,\mathit{HU}}(\mathit{UA2}) = 8$. Similarly, we can show that $\mathrm{dbnd}_{T_A,\mathit{HU}}(\mathit{HCP}) = 8$. Because $\mathit{HU}$ has no free variable, it implies that $\mathrm{cd}_{T_A}(\mathit{HU}) = 16$.

Lemma 19. Let $\mathcal{P}$ be a CPP, $\phi$ a compatible valuation and $\mathcal{R}$ a CPP such that $|\phi(U)| \le \mathrm{cp}_U(\mathcal{R})$ for each process type $U \in \mathrm{dom}(\phi)$. Then for every data type $T \in \mathrm{dom}(\phi)$, $\mathrm{dbnd}_{T,\mathcal{R}}(\mathcal{P}) \ge \mathrm{idc}\big([\![\mathcal{P}]\!]_\phi,\ I_T \setminus \mathrm{im}(\psi|_{\mathbb{X}})\big)$.

By combining the results above, we get cut-offs for data types for parametrised trace refinement checking.

Theorem 20 (Cut-Offs for Data Types). Let $\mathcal{P}$ and $\mathcal{Q}$ be CPPs such that $\mathcal{Q}$ is deterministic. Moreover, let $\Psi$ be the set of all valuations $\psi$ with the domain $\mathrm{par}(\mathcal{P} \parallel \mathcal{Q})$ such that $|\psi(U)| \le \mathrm{cp}_U(\mathcal{P} \parallel \mathcal{Q})$ for every process type $U \in \mathrm{par}(\mathcal{P} \parallel \mathcal{Q})$, and $\Phi$ the set of all valuations $\phi \in \Psi$ such that $|\phi(T)| \le \mathrm{cd}_T(\mathcal{P} \parallel \mathcal{Q})$ for every data type $T \in \mathrm{par}(\mathcal{P} \parallel \mathcal{Q})$. Then, $[\![\mathcal{P}]\!]_\psi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\psi$ for all $\psi \in \Psi$, if and only if $[\![\mathcal{P}]\!]_\phi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\phi$ for all $\phi \in \Phi$.

When we apply the theorem to HCP, we see that to prove the system correct for any number of addresses and up to two hosts, it is sufficient to consider instances with at most 16 addresses and two hosts.


C. Automated Approach

Even though Theorems 16 and 20 provide cut-offs for types, they do not quite enable automated parametrised verification because there are still infinitely many instances up to the cut-offs. However, if we consider only valuations which are non-isomorphic, i.e., cannot be obtained from each other by the bijective mapping of constants, then we are left with finitely many instances. Formally, valuations $\phi_1$ and $\phi_2$ are isomorphic, if they have the same domain and if there is a bijection $g : \mathbb{V} \to \mathbb{V}$ such that $\phi_2(x) = g(\phi_1(x))$ for all variables $x \in \mathrm{dom}(\phi_1)$ and $\phi_2(T) = \{g(c) \mid c \in \phi_1(T)\}$ for all types $T \in \mathrm{dom}(\phi_1)$. Valuations are non-isomorphic if they are not isomorphic.

Getting rid of isomorphs is safe since isomorphic valuations result in verification tasks with the same answer. That is why we say that a set $\Phi$ of valuations is a cut-off set for a CPP $\mathcal{R}$ if $\Phi$ is a maximal set of non-isomorphic valuations $\phi$ with the domain $\mathrm{par}(\mathcal{R})$ such that $|\phi(U)| \le \mathrm{cp}_U(\mathcal{R})$ for every process type $U \in \mathrm{dom}(\phi)$ and $|\phi(T)| \le \mathrm{cd}_T(\mathcal{R})$ for every data type $T \in \mathrm{dom}(\phi)$. With Theorems 16 and 20, this notion leads to our main result, which allows us to reduce a parametrised verification task to finitely many refinement checks between finite processes.

Corollary 21 (The Main Cut-Off Theorem). Let $\Phi$ be a cut-off set for a CPP $(\mathcal{P} \parallel \mathcal{Q})$, where $\mathcal{Q}$ is deterministic and does not involve hiding. Then (1) $\Phi$ is finite and (2) $\mathcal{P} \preceq_{\mathrm{tr}} \mathcal{Q}$ if and only if $[\![\mathcal{P}]\!]_\phi \preceq_{\mathrm{tr}} [\![\mathcal{Q}]\!]_\phi$ for all $\phi \in \Phi$.

Another practical problem is that establishing the determinism of the specification involves infinitely many checks, too. That is why we provide cut-offs for that task as well by using similar reasoning as above.

Theorem 22 (Cut-Offs for Determinism Checking). Let $\Phi$ be a cut-off set for a CPP $(\mathcal{Q} \parallel \mathcal{Q})$, where $\mathcal{Q}$ does not involve hiding. Then (1) $\Phi$ is finite and (2) $\mathcal{Q}$ is deterministic, if and only if $[\![\mathcal{Q}]\!]_\phi$ is deterministic for all $\phi \in \Phi$.

Corollary 21 and Theorem 22 give rise to a completely automatic procedure for parametrised verification which we have implemented in the recent version of the Bounds tool [26]. First, the tool reads system implementation and specification CPPs. Then, it computes the cut-off sizes for types, produces the instances of the specification up to the cut-offs and checks that they are deterministic. Moreover, since the cut-offs provided by the corollary are only rough structural ones, the tool tries to improve them further by checking the assumptions of Propositions 14 and 18 for each instance up to the rough bounds and by discarding big instances which satisfy the assumptions of either proposition. After that, Bounds produces the trace refinement checking tasks up to the improved cut-offs. Finally, the outputted finite state verification questions are solved using the refinement checker FDR2 [3] in order to obtain the answer to the parametrised verification task.

When applied to HCP, Bounds first generates all 32 instances up to the cut-offs of two hosts and 16 addresses and checks that the specification is deterministic. After that, it applies Propositions 14 and 18, which reveals that only six of the instances have to be actually verified. By using FDR2, all six instances are found to be correct, which implies that HCP operates correctly for any number of hosts and addresses.
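As an added example that is not part of the paper or of the Bounds tool, the following Python code implements the cut-off functions $\mathrm{cp}_T$ (Section IV-A) and $\mathrm{cd}_T$ (Section IV-B) over a constructed syntax tree for CPPs, together with the size of a cut-off set for a CPP without free variables (Section IV-C, where valuations of equal type sizes are isomorphic). The UnqAdr and HCP models in it are constructed stand-ins with only the shape the text describes (two nested host variables of type $T_H$, at most two address variables of type $T_A$ per transition), not the paper's actual process definitions; for them the code reproduces $\mathrm{cp}_{T_H}(\mathit{HU}) = 2$, $\mathrm{cd}_{T_A}(\mathit{HU}) = 16$ and the 32 generated instances.

```python
from dataclasses import dataclass
from math import prod

# Constructed AST for CPPs: SPP leaf, parallel composition, a unary node for
# hiding R' \ E or a guard [C]R', and replicated parallel composition ||_x R'.
@dataclass(frozen=True)
class Var:
    name: str
    typ: str                          # the type T_x of the variable

@dataclass(frozen=True)
class Spp:
    name: str
    transitions: tuple                # per transition: variables in im(x) ∪ X
    tbound: frozenset = frozenset()   # variables bound by transitions (X)

@dataclass(frozen=True)
class Par:
    left: object
    right: object

@dataclass(frozen=True)
class Unary:
    proc: object

@dataclass(frozen=True)
class Rep:
    var: Var
    proc: object

def free_vars(r):  # free variables par(R) ∩ X; Rep binds its own variable
    if isinstance(r, Spp):
        return frozenset().union(*r.transitions) - r.tbound
    if isinstance(r, Par):
        return free_vars(r.left) | free_vars(r.right)
    if isinstance(r, Unary):
        return free_vars(r.proc)
    return free_vars(r.proc) - {r.var}

def pbnd(t, r):  # maximum number of nested bound variables of process type t
    if isinstance(r, Spp):
        return 0
    if isinstance(r, Par):
        return max(pbnd(t, r.left), pbnd(t, r.right))
    if isinstance(r, Unary):
        return pbnd(t, r.proc)
    return pbnd(t, r.proc) + (1 if r.var.typ == t else 0)

def cp(t, r):  # cut-off for process type t: max(1, |free_T(R)| + pbnd_T(R))
    return max(1, sum(v.typ == t for v in free_vars(r)) + pbnd(t, r))

def dbnd(t, r, top):  # dbnd_{T,R}(r); top is the whole CPP R used by the Rep rule
    if isinstance(r, Spp):
        return max(sum(v.typ == t for v in tr) for tr in r.transitions)
    if isinstance(r, Par):
        return dbnd(t, r.left, top) + dbnd(t, r.right, top)
    if isinstance(r, Unary):
        return dbnd(t, r.proc, top)
    return cp(r.var.typ, top) * dbnd(t, r.proc, top)

def cd(t, r):  # cut-off for data type t: max(1, |free_T(R)| + dbnd_{T,R}(R))
    return max(1, sum(v.typ == t for v in free_vars(r)) + dbnd(t, r, r))

def cutoff_set_size(r, process_types, data_types):
    """Size of a cut-off set for a CPP without free variables: valuations with
    equal type sizes are then isomorphic, so only the sizes 1..cut-off count."""
    assert not free_vars(r), "free variables are not handled in this example"
    return prod([cp(t, r) for t in process_types] + [cd(t, r) for t in data_types])

# Constructed stand-ins shaped like the paper's UnqAdr and HCP (not the real
# definitions): two host variables (T_H), at most two address variables (T_A).
xh, xy = Var("x_h", "T_H"), Var("x_y", "T_H")
a1, a2 = Var("a_1", "T_A"), Var("a_2", "T_A")
UA2 = Spp("UA2", (frozenset({xh, xy, a1, a2}), frozenset({xh, xy, a1})),
          tbound=frozenset({a1, a2}))
UNQADR = Rep(xh, Rep(xy, Unary(UA2)))            # ||_xh ||_xy [xh != xy] UA2
HOST = Spp("Host", (frozenset({xh, xy, a1, a2}),), tbound=frozenset({a1, a2}))
HCP = Rep(xh, Rep(xy, Unary(Unary(HOST))))       # guard, then hiding  \ E
HU = Par(HCP, UNQADR)                            # HU := HCP || UnqAdr
```

Calling `cp("T_H", HU)`, `cd("T_A", HU)` and `cutoff_set_size(HU, ["T_H"], ["T_A"])` yields 2, 16 and 32 for these stand-ins.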

We have also proved mutual exclusion properties for a shared resource system (SRS) where an arbitrary number of users compete for access to an arbitrary number of shared resources which store data from an arbitrarily large domain, and for a cache coherence protocol with an arbitrary number of processors and an arbitrary amount of memory storing arbitrarily large data values. Additionally, we have proved consistency properties for both systems when the number of users and processes was fixed to two. In each case, the whole verification process took only a second or two (see Table I), which shows that our approach is applicable to practical verification problems. Moreover, since our formalism is compositional, the specifications of these systems can be used in place of the implementations in further verification efforts. The experiments were run on a desktop computer with 4 GB of memory running 64-bit Ubuntu on a 3 GHz Intel Core2 Duo processor. The descriptions of the HCP, SRS and Cache models are available in [24].

V. CONCLUSIONS AND FUTURE WORK

We have presented a formalism for expressing parametrised systems and combined two existing results [8], [5] on parametrised verification into a single powerful technique which enables parametrised verification by reduction to finitely many finite state verification tasks. The reduction is determined by the structure of a system implementation and specification and, to the best of our knowledge, this is the first and only parametrised verification technique that allows for compositional reasoning, lends support to multiple and two fundamentally different kinds of parameters and guarantees termination with the correct answer. The approach is implemented in a tool used to prove the correctness of several parametrised systems.

An obvious topic for future research is extending the approach. We already know that the approach can be extended with relations over process types that are definable in the first order logic [7], [5] but we are also interested in mixing process and data types and extending the technique to liveness properties [10] and interface theories [27]. The challenge is that such extensions tend to render parametrised refinement checking undecidable [5]. Nevertheless, we are hopeful of finding practically sensible assumptions under which the extensions can be realised.

Acknowledgement: The work was partially funded by Helsinki Institute for Information Technology HIIT, Academy of Finland (project 139402), and RECOMP project funded by ARTEMIS-JU.

Table I
STATISTICS ON THE VERIFICATION OF SYSTEMS INVOLVING BOTH PARAMETRIC PROCESS AND DATA TYPES

                    Process types       Data types         Instances              Processing time
System              number  cut-offs    number  cut-offs   generated  outputted   Bounds   FDR2
HCP                 1       2           1       16         32         6           0.20s    0.13s
SRS mutex           2       2,1         1       12         24         5           0.06s    0.11s
SRS consistency     1       1           1       8          8          6           0.04s    0.15s
Cache mutex         2       2,1         1       17         34         12          0.23s    0.35s
Cache consistency   1       1           1       14         14         12          0.28s    1.05s

REFERENCES

[1] K. R. Apt and D. C. Kozen, “Limits for automatic verification of finite-state concurrent systems,” Inf. Process. Lett., vol. 22, no. 6, pp. 307–309, 1986.

[2] C. A. R. Hoare, Communicating Sequential Processes. Prentice-Hall, 1985.

[3] A. W. Roscoe, Understanding Concurrent Systems. Springer, 2010.

[4] A. Siirtola, “Automated multiparameterised verification by cut-offs,” in ICFEM 2010, ser. LNCS. Springer, 2010, vol. 6447, pp. 321–337.

[5] ——, “Algorithmic multiparameterised verification of safety properties. Process algebraic approach,” Ph.D. dissertation, University of Oulu, 2010.

[6] A. Siirtola and J. Kortelainen, “Parameterised process algebraic verification by precongruence reduction,” in ACSD ’09. IEEE, 2009, pp. 158–167.

[7] ——, “Algorithmic verification with multiple and nested parameters,” in ICFEM ’09, ser. LNCS. Springer, 2009, vol. 5885, pp. 561–580.

[8] R. S. Lazic, “A semantic study of data independence with applications to model checking,” Ph.D. dissertation, Oxford University, 2001.

[9] R. S. Lazic and D. Nowak, “A unifying approach to data-independence,” in CONCUR ’00, ser. LNCS. Springer, 2000, vol. 1877, pp. 581–595.

[10] A. Valmari and M. Tienari, “An improved failures equivalence for finite-state systems with a reduction algorithm,” in PSTV ’91. North-Holland, 1991, pp. 3–18.

[11] S. J. Creese, “Data independent induction: CSP model checking of arbitrary sized networks,” Ph.D. dissertation, Oxford University, 2001.

[12] S. Ghilardi and S. Ranise, “Backward reachability of array-based systems by SMT solving: termination and invariant synthesis,” Log. Meth. Comput. Sci., vol. 6, no. 4, 2010.

[13] A. Finkel and P. Schnoebelen, “Well-structured transition systems everywhere!” Theor. Comput. Sci., vol. 256, no. 1, pp. 63–92, 2001.

[14] E. A. Emerson and V. Kahlon, “Reducing model checking of the many to the few,” in CADE-17, ser. LNCS. Springer, 2000, vol. 1831, pp. 236–254.

[15] Q. Yang and M. Li, “A cut-off approach for bounded verification of parameterized systems,” in ICSE ’10. ACM, 2010, pp. 345–354.

[16] Y. Hanna, D. Samuelson, S. Basu, and H. Rajan, “Automating cut-off for multi-parameterized systems,” in ICFEM ’10, ser. LNCS. Springer, 2010, vol. 6447, pp. 338–354.

[17] E. A. Emerson and V. Kahlon, “Model checking large-scale and parameterized resource allocation systems,” in TACAS ’02, ser. LNCS. Springer, 2002, vol. 2280, pp. 251–265.

[18] ——, “Exact and efficient verification of parameterized cache coherence protocols,” in CHARME ’03, ser. LNCS, vol. 2860. Springer, 2003, pp. 247–262.

[19] E. A. Emerson and K. S. Namjoshi, “On reasoning about rings,” Int. J. Found. Comput. Sci., vol. 14, no. 4, pp. 527–550, 2003.

[20] E. A. Emerson and V. Kahlon, “Parameterized model checking of ring-based message passing systems,” in CSL ’04, ser. LNCS, vol. 3210. Springer, 2004, pp. 325–339.

[21] A. Bouajjani, P. Habermehl, and T. Vojnar, “Verification of parametric concurrent systems with prioritised FIFO resource management,” Form. Method. Syst. Des., vol. 32, no. 2, pp. 129–172, 2008.

[22] A. Kaiser, D. Kroening, and T. Wahl, “Dynamic cutoff detection in parameterized concurrent programs,” in CAV ’10, ser. LNCS, T. Touili, B. Cook, and P. Jackson, Eds. Springer, 2010, vol. 6174, pp. 645–659.

[23] G. Delzanno, J.-F. Raskin, and L. V. Begin, “Towards the automated verification of multithreaded Java programs,” in TACAS ’02, ser. LNCS. Springer, 2002, vol. 2280, pp. 173–187.

[24] A. Siirtola, “Online appendix,” 2013. [Online]. Available: http://users.ics.aalto.fi/sipe/papers/acsd13app.pdf

[25] A. W. Roscoe, The Theory and Practice of Concurrency. Prentice Hall, 1997.

[26] A. Siirtola, “Bounds: from parameterised to finite-state verification,” in ACSD ’11. IEEE, 2011, pp. 31–35.

[27] L. De Alfaro and T. Henzinger, “Interface automata,” ACM SIGSOFT Software Engineering Notes, vol. 26, no. 5, pp. 109–120, 2001.
