Parameterized Tree Systems

Parosh Aziz Abdulla1 parosh@it.uu.se,Noomene Ben Henda1 Noomene.BenHenda@it.uu.se,

Giorgio Delzanno2 giorgio@disi.unige.it,Frédéric Haziza1 frederic.haziza@it.uu.se, and

Ahmed Rezine1 Rezine.Ahmed@it.uu.se

1 Uppsala University, Sweden2 Università di Genova, Italy.

Abstract. Several recent works have considered parameterized verifica-tion, i.e. automatic verification of systems consisting of an arbitrary num-ber of finite-state processes organized in a linear array. The aim of thispaper is to extend these works by giving a simple and efficient method toprove safety properties for systems with tree-like architectures. A processin the system is a finite-state automaton and a transition is performedjointly by a process and its parent and children processes. The methodderives an over-approximation of the induced transition system, whichallows the use of finite trees as symbolic representations of infinite setsof configurations. Compared to traditional methods for parameterizedverification of systems with tree topologies, our method does not requirethe manipulation of tree transducers, hence its simplicity and efficiency.We have implemented a prototype which works well on several nontrivialtree-based protocols.

1 Introduction

In recent years, there has been an extensive amount of work on the verificationof parameterized systems, e.g. [10, 17, 4, 8, 9]. Typically, a parameterized systemconsists of an arbitrary number of finite-state processes organized in a lineararray. The task is to perform parameterized verification, i.e. to verify correct-ness of the system regardless of the number of processes inside the system.Examples of parameterized systems include mutual exclusion algorithms, busprotocols, telecommunication protocols, multi-threaded programs, and cache co-herence protocols. This work aims at extending the paradigm of parameterizedverification in order to verify systems which operate on tree-like architectures.More precisely, we consider analysis of safety properties for parameterized treesystems. Such a system consists of an arbitrary number of finite-state processeswhich operate on a tree-like architecture. Examples of parameterized tree sys-tems include several interesting protocols such as the percolate protocol [17],theTree-arbiter protocol [7], and the IEEE 1394 Tree identity protocol [16].

One of the most prominent techniques which have been used for verificationof parameterized tree systems is that of tree regular model checking [13, 3, 17,

11, 6]. In tree regular model checking, configurations (states) of the system arerepresented by trees, sets of configurations by tree automata, and transitionsby tree automata operating on pairs of trees, i.e. tree transducers. Safety prop-erties can be checked through performing reachability analysis, which amountsto applying the tree transducer relation iteratively to the set of initial configu-rations. The main problem with transducer-based techniques, such as the onesmentioned above, is that they are very heavy and usually rely on several layersof computationally expensive automata-theoretic constructions; in many casesseverely limiting their applicability.

In this paper, we propose a light-weight approach to parameterized tree ver-ification which, in addition to its simplicity, also yields a much more efficientimplementation than tree regular model checking. In our method, a configura-tion of the system is represented by a tree over a finite alphabet, where elementsof the alphabet represent the local states of the individual processes. The be-haviour of the system is induced by a set of rewriting rules which describe howthe processes perform transitions. A transition performed by a process is con-ditioned by the current local state of the process and possibly the local statesof neighboring processes, i.e. the parent and children processes. The transitionmay change the states of all involved processes. (see Figure 1).q1 / q01q2 / q02 q3 / q03Fig. 1. A typical transition rule where a process and its two children change state fromq1; q2; q3 to q01; q02; q03, respectively.

Observe that the set of configurations is infinite since we are dealing withtrees of an arbitrary size. In fact, parameterized verification amounts to analyzingan infinite family of systems; namely one for each size of the system and one foreach tree of that particular size.

The main idea of our method is to consider a transition relation which isan over-approximation of the one induced by the tree parameterized system. Todo so, we modify the semantics of the transition rules, such that a rule is ap-plied to a node and two nodes in its left and right subtrees (rather than its leftand right children). The approximate transition system obtained in this man-ner is monotonic with respect to the tree embedding relation on configurations(larger configurations are able to simulate smaller ones). Since the approximatetransition relation is monotonic, it can be analyzed using symbolic backwardreachability algorithm based on a generic method introduced in [1]. An attrac-tive feature of this algorithm is that it operates on sets of configurations whichare upward closed with respect to the tree embedding relation. This allows an

efficient symbolic representation of upward sets of configurations, since such aset can be represented by (the finite set of) its minimal elements. Since the min-imal elements are trees, reachability analysis can be performed by computingpredecessors of trees, which is much simpler and more efficient than applyingtransducer relations on general tree regular languages. Also, as a side effect,the analysis of the approximate model is guaranteed to terminate. This followsfrom the fact that the embedding relation on configurations (trees) is a wellquasi-ordering by Kruskal’s theorem [18]. The whole verification process is fullyautomatic since both the approximation and the reachability analysis are carriedout without user intervention. Observe that if the approximate transition systemsatisfies a safety property then we can safely conclude that the original systemsatisfies the property too.

Based on the method, we have implemented a prototype which works well onseveral tree-based protocols such as the percolate, leader election, Tree-arbiter,and the IEEE 1394 Tree identity protocols.

Outline In the next section, we give some preliminaries on trees. In Section 3, wedefine the basic model of parameterized tree systems. In Section 4, we describethe induced transition system and in Section 5, we define the over-approximatedtransition system on which we run our algorithm. We present a generic schemefor deciding reachability of upward closed sets in Section 6, and we show how toinstantiate it on our model in Section 7. In Section 9, we report our experimen-tal results on several tree protocols. Section 10 concludes the paper and givesdirection for future works. Some proofs as well as the details of the case studiesare omitted from the main text and can be found in the appendix.

2 Preliminaries

In this section, we give some basic definitions and notations needed in the restof the paper. To simplify the presentation, we will only consider binary treesin this paper. However, all the concepts and algorithms can be extended in astraightforward manner in order to deal with trees of higher ranks.

For a set X , we use X� to denote the set of words over X . We let " denote theempty word and use x �x0 to denote the concatenation of two words x; x0 2 X�.We extend the concatenation operation to sets of words D � X� by x � D :=fx � x0j x0 2 Dg. Given two words x; x0 2 X�, we use x � x0 to denote that x isa prefix of x0; and use x < x0 to denote that x � x0 and x 6= x0. In case x � x0,we use x0 � x to denote the word x00 where x � x00 = x0.Binary Trees A (binary) tree structure N is a finite set of words over f0; 1gwhich is closed under the prefix relation, i.e. n 2 N and n0 � n imply n0 2 N . Inthe rest of the paper, we fix a finite set of symbols � and we use b as a variableranging over f0; 1g.

A binary tree (tree for short) T over the alphabet � is a tuple (N; �) where Nis a tree structure and � is a mapping from N to �. Each element of N is called

a node of T . We say that a node n0 is the parent of the node n iff n0 � b = n forsome b. In such a case, n is said to be a child of n0. A leaf in T is a node whichdoes not have any children; and the root of T is the node ". Given a node n, wedefine the descendants of n by Desc(n) := fn0 2 N j n < n0g. We use Trees(�)to denote the set of all trees over �.Inclusions and Embeddings Consider two trees T = (N; �) and T 0 = (N 0; �0)in Trees(�).

An inclusion of T in T 0 is an injection f : N ! N 0 such that for any n 2 N :– n � b 2 N =) f(n) � b = f(n � b), and– �(n) = �0(f(n)).

We write T �f T 0 to denote that f is an inclusion of T in T 0, and write T � T 0if T �f T 0 for some inclusion f . Informally, if T � T 0 then T 0 contains a copyof T .

An embedding of T in T 0 is an injection f : N ! N 0 such that for any n 2 N :– n � b 2 N =) f(n) � b � f(n � b), and– �(n) = �0(f(n)).

We use T �f T 0 to denote that f is an embedding of T in T 0, and write T � T 0if T �f T 0 for some embedding f . Observe that � is a weaker relation than�. The difference between the two relations is that an inclusion preserves theparent/child relation between nodes, while an embedding preserves a weakerrelation, namely that of ascendant/descendant.

Operations on Trees In this paragraph, we fix a tree T = (N; �) 2 Trees(�).For a node n 2 N , we use T (n) todenote the subtree of T rooted at n.Formally, we let T (n) = (N 0; �0) whereN 0 := fn00 � nj n00 2 N ^ n � n00g; and forany n0 2 N 0, �0(n0) := �(n � n0). T0 1 T (1)T

0 1

T 0T (0; T 0) Now we fix a tree T 0 = (N 0; �0) 2Trees(�) and define the the following op-eration: Given a node n 2 N , we denote byT (n; T 0) the tree T 00 = (N 00; �00) whereN 00 := (N �Desc(n))S(n �N 0) and for anyn00 2 N 00, �00(n00) := �(n00) if n 6� n00, and�00(n00) := �0(n00 � n) otherwise. Intuitively,we obtain T 00 by replacing in T the subtreerooted at n by T 0.

Consider a (partial) function f : N * N 0. We define the renaming of T 0 withrespect to f and T , denoted by T 0 �f T , to be the tree T 00 = (N 0; �00) where forany n0 2 N 0, �00(n0) = �0(n0) if n0 62 Img(f), and �00(n0) = �(f�1(n0)) otherwise.

T 0 Tf

f

T 0 �f T3 Parameterized Tree Systems

A parameterized tree system consists of an arbitrary (but finite) number of iden-tical processes, arranged in a (binary) tree topology. Each process is a finite-stateautomaton. The transitions of the automaton are conditioned by the current lo-cal state and possibly the local states of other processes (parent, children, etc).A transition may change the states of all processes involved in the condition.A parameterized tree system induces an infinite family of finite-state systems,namely one for each size and each structure of the tree. The aim is to verify cor-rectness of the systems for the whole family regardless of the number of processesin the system or the particular form of the tree.

Formally, a parameterized tree system P is a tuple (Q;R) where Q is a finiteset of local states, and R � Trees(Q�Q) is a finite set of trees called rewriterules. For each rule r = (N; �) 2 R, we associate two special trees in Trees(Q)called left and right trees of r, and denoted respectively by lhs(r) and rhs(r). Wedefine lhs(r) := (N; lhs(�)) and rhs(r) := (N; rhs(�)), where lhs(�) and rhs(�)are obtained from � by projecting on the first and the second component ofQ�Q. More precisely, for any node n 2 N , if �(n) = (q; q0) then lhs(�)(n) := qand rhs(�)(n) := q0.Example 1. We consider the percolate protocol where the set of states Q isdefined by fq0; q1; qug and the transition rules R = fr1; r2; r3; r4g are as depictedin Figure 2. The protocol evaluates the disjunction of the values in the leaves upto the root.r1 qu=q0q0=q0 q0=q0 r2 qu=q1q1=q1 q0=q0 r3 qu=q1q0=q0 q1=q1 r4 qu=q1q1=q1 q1=q1

Fig. 2. The transition rules of the percolate protocol.

4 Operational Semantics

The operational semantics of a parameterized tree system can be captured by atransition system. In this section, we first describe the induced transition system.Then we introduce the coverability problem.

Transition System A transition system T is a pair (C;=)), where C is an(infinite) set of configurations and =) is a binary relation on C. We use �=)to denote the reflexive transitive closure of =). Given an ordering � on C,we say that T is monotonic with respect to � if the following holds: For anyconfigurations 1; 2; 3 2 C with 1 =) 3 and 1 � 2, there is a configuration4 2 C such that 2 =) 4 and 3 � 4. We will consider several transitionsystems in this paper.

First, a parameterized system P = (Q;R) induces a transition system T(P) =(C;�!) where C = Trees(Q). Intuitively, a configuration = (N; �) 2 C repre-sents an instance of the system with jN j processes. These processes are arrangedaccording to the tree structure N and their current local states are given by �.More precisely, each node n 2 N represents a process in the state �(n).

Next, we define the transition relation �! on the set of configurations asfollows. Let r 2 R be a rewrite rule. Consider two configurations 1 and 2. Wewrite 1 r�! 1 to denote that there is an f such that the following conditionshold: (i) lhs(r) �f 1, and (ii) 2 = 1 �f rhs(r). Intuitively, 2 can be derivedfrom 1 by changing the labels of all the nodes in Img(f) according to the labelingfunction of rhs(r). Below, we give informal explanations of the conditions. First,in condition (i), we identify the “active processes” (those which participate inthe transition) by the inclusion f (Img(f)). Implicitly, we interpret lhs(r) asa guard and therefore require, through condition (i), that the configuration 1contains a tree which is a copy of the left hand side of the rule. Then, in condition(ii), we interpret rhs(r) as an operation and require that, in 2, the processesin Img(f) (the active ones) should all change state according to rhs(r). Observethat the local states of the “passive processes”, i.e. those not participating inthe transition, should remain unchanged through the transition, and also thatthe transition does not change the structure of the tree 3 (see Figure 3).

We use �! 0 to denote that r�! 0 for some rule r 2 R.Safety Properties In order to analyze safety properties, we study the cov-erability problem defined below. For a parameterized tree system P = (Q;R),we assume that we are given a set of initial configurations Init , each of whichcharacterizes a possible state of the system prior to starting the execution.

We recall the definition of the relation � defined in Section 2. A set ofconfigurations D � C is said to be upward closed (with respect to �) if 2 Dand � 0 implies 0 2 D. For sets of configurations D;D0 � C we use D �! D03 In fact, our method can also cope with non-structure preserving rules, such dynamic

creation and deletion of processes. However, for simplicity of presentation, we choosenot to do so.

ququq0 q0 quq1 q1 r1�! quq0q0 q0 quq1 q1 r4�! quq0q0 q0 q1q1 q1 r3�! q1q0q0 q0 q1q1 q1Fig. 3. A possible run of the percolate protocol. We highlight in white the zone wherethe rule applies (see Example 1).

to denote that there are 2 D and 0 2 D0 with �! 0. The coverabilityproblem for parameterized tree systems is defined as follows:

PAR-TREE-COV

Instance

– A parameterized tree system P = (Q;R).– An upward closed set F of configurations.

Question Init��! F ?

It can be shown, using standard techniques (see [19, 14]), that checking safetyproperties (expressed as regular languages) can be translated into instances of thecoverability problem. Therefore, checking safety properties amounts to solvingPAR-TREE-COV (i.e. to the reachability of upward closed sets).

5 Approximation

In this section, we introduce an over-approximation of the transition relation ofa parameterized tree system.

In Section 4, we mentioned that each parameterized tree system P = (Q;R)induces a transition system T(P) = (C;�!). A parameterized tree system Palso induces an approximate transition system A(P) = (C;;), where the set Cof configurations is identical to the one in T(P) and the transition relation ; isdefined below.

First, we define a special operation on trees needed in order to describe thesemantics of ;.Tree Subtraction In this paragraph, we fix two trees T = (N; �); T 0 = (N 0; �0) 2Trees(�) such that T 0 �f T for some embedding f . We define T f T 0 to bethe tree T 00 obtained from T 0 by performing a sequence of operations describedbelow. First, we enumerate the nodes of T 0 in a bottom-up fashion. Formally,let fnig1�i�jN j be an enumeration of the set N 0 of nodes in T 0 such that for anyi; j : 1 � i 6= j � jN j, ni < nj implies that j < i. In other words, if nj is adescendant of ni in T 0, then nj occurs earlier than ni in the enumeration. Basedon the enumeration, we define a sequence of trees fTig1�i�jN j�1 as follows. Welet T1 := T . For any i : 1 � i � jN j � 2, we denote by npi the parent of ni, i.e.

npi � b = ni for some b; and we defineTi+1 := Ti (f(npi ) � b; T (f(ni))) .Finally, we let T 00 := TjN j�1. In other words, we go through the nodes of T 0one by one in a bottom-up manner. For each node ni and its parent npi in T 0(say npi � b = ni for some b), we consider their images f(npi ) and f(ni) in T . Wereplace the subtree rooted in the child of the image f(npi ) � b by the one rootedin the image f(ni) (see Figure 4). Notice that the resulting tree T 00 and the treesT 0; T are related by T 0 � T 00 � T . In the sequel, we denote by bf the inclusionof T 0 in T 00 such that bf(") = f(") (such a function exists and is unique by thedefinition above). T 0 �f T . ..T1

. .

.

T2.

.

T3.

T4Fig. 4. In the first row, we give an example of two trees T; T 0 satisfying T 0 �f Tfor some embedding f . In the second row, we give the sequence of trees used in thedefinition of Tf T 0. In each of the trees, the arrow shows where subtrees are re-rooted,while the nodes surrounded by a discontinuous line are those which are removed.

The Approximate Transition Relation Consider two configurations 1; 2and a rule r 2 R. We write 1 r; 2 to denote that there is an f such that (i)rhs(r) �f 1, and (ii) 2 = (1 f lhs(r)) �bf rhs(r). Intuitively, starting from1 and an embedding f of lhs(r) in 1, we first remove all nodes in 1 suchthat lhs(r) is included in the resulting configuration. This is done by takinglhs(r) f 1 and the inclusion bf . Then we apply the rule r and obtain 2 fromlhs(r)f 1 in a similar manner to how it is described in the previous section, i.e.by renaming the labels of the nodes in Img( bf) according to rhs(r) (see Figure 5).We use 1 ;1 2 if 1 r; 2 for some r 2 R.

Observe that the relation ; is an over-approximation of the transition re-lation defined in the previous section (i.e. ;��!) by the following argument.

T1 quququq1 qu q1 qu q0 r4; T2 quq1q1 q1 qu q0 r2; T3 q1q1q1 q1 q0Fig. 5. A possible run of the approximate transition system induced by the percolateprotocol (see Example 1). The nodes with a white background represent those wherethe rule will apply while the discontinuous lines surround the nodes which are removed.

Consider two configurations 1; 2 2 C with 1 �! 2. By definition, this im-plies the existence of a rule r 2 R and an inclusion f of lhs(r) in 1 such that2 = 1 �f rhs(r). Observe that, by definition of the operation, since f isan inclusion it follows that 1 f lhs(r) = 1 and bf = f . Therefore, we obtain2 = 1 �f rhs(r) = (1 f lhs(r)) �bf rhs(r), and as a consequence, 1 r; 2.

We are now ready to state a key property of the approximated transitionsystem.

Lemma 1. The approximate transition system (C;;) is monotonic with respectto �.

We define the coverability problem for the approximate system as follows.

APRX-PAR-TREE-COV

Instance

– A parameterized tree system P = (Q;R)– An upward closed set F of configurations.

Question Init�; F ?

Since �!�;, a negative answer to APRX-PAR-TREE-COV implies anegative answer to PAR-TREE-COV.

6 Scheme

In this section, we recall a generic scheme from [1] for performing symbolicbackward reachability analysis. The scheme in question is based on symbolicrepresentations of infinite sets of configurations called constraints. Throughoutthis section, we fix a transition system T = (C;=)) and a set Init � C of initialconfigurations.

Constraint Systems A constraint system relative to the transition systemT is a set whose elements are called constraints and can be finitely encoded, suchthat there is a function [[�]] : ! 2C . For a finite set � of constraints, we let[[�]] = S�2�[[�]]. We say that a set D � C is computable or representable (in the

constraint system ) if it is possible to compute a finite set of constraints � � such that D = [[�]].

We define an entailment relation v on constraints, where �1 v �2 iff [[�2]] �[[�1]]. For sets �1; �2 of constraints, abusing notation, we let �1 v �2 denotethat for each �2 2 �2 there is a �1 2 �1 with �1 v �2. Notice that �1 v �2implies that [[�2]] � [[�1]].

For a constraint �, we let Pre(�) be the set of constraints, such that [[Pre(�)]] =fj 90 2 [[�]]: =) 0g. In other words, Pre(�) characterizes the set of configu-rations from which we can reach a configuration in � through the applicationof a single rewrite rule. Such a set does not necessarily exist, nevertheless, forour class of systems, we will show that such a set always exists and is in factcomputable. For a set � of constraints, we let Pre(�) = S�2� Pre(�).Symbolic Backward Reachability We present a scheme for a symbolic algo-rithm which, given a finite set �F of constraints, checks whether Init �=) [[�F ]].

In the scheme, we perform a backward reachability analysis, generating asequence f�igi2N : �0 w �1 w �2 w � � � of finite sets of constraints such that�0 = �F , and �i+1 = �i [ Pre(�i). Since [[�0]] � [[�1]] � [[�2]] � � � � , theprocedure terminates when we reach a point j where �j v �j+1. Consequently,�j characterizes the set of all predecessors of [[�F ]]. This means that Init �=)[[�F ]] iff Init \ [[�j ]] 6= ;.

Observe that, in order to implement the scheme (i.e. transform it into analgorithm), we need to be able to (i) compute Pre; (ii) check for entailmentbetween constraints; and (iii) check for emptiness of Init \ [[�]] for any constraint�. A constraint system satisfying these three conditions is said to be effective.Moreover, in [1], it is shown that termination is guaranteed in case the constraintsystem is well quasi-ordered (WQO) with respect to v, i.e. for each infinitesequence �0; �1; �2; : : : of constraints, there are i < j with �i v �j .7 Algorithm

In this section, we instantiate the scheme of Section 6 to derive an algorithm forsolving APRX-PAR-TREE-COV. We do that by introducing an effective andwell quasi-ordered constraint system.

Throughout this section, we assume a parameterized tree system P = (Q;R)and the induced approximate transition system A(P) = (C;; ). We define aconstraint to be a tree in Trees(Q). Although we use the same syntax as forconfigurations, constraints are interpreted differently. More precisely, given aconstraint �, we let [[�]] = f 2 Cj � � g.

An aspect of our constraint system is that each constraint characterizesa set of configurations which is upward closed with respect to �. Conversely(by Higman’s Lemma [15]), any upward closed set F of configurations can becharacterized as [[�F ]] where �F is a finite set of constraints. In this manner,APRX-PAR-TREE-COV is reduced to checking the reachability of a finite setof constraints.

Below we show effectiveness and well quasi-ordering of our constraint system,meaning that we obtain an algorithm for solving APRX-PAR-TREE-COV.First, observe that the entailment relation can be computed in a straightforwardmanner since for any constraints �; �0, we have � v �0 iff � � �0.

In order to check the initial condition, we rely on previous works on regulartree languages [12] and provide a sufficient condition on Init which guaranteeseffectiveness of Init \ [[�]] = ; for any constraint �. More precisely, we requirethat the set Init can be characterized by a regular tree language.

For the computation of Pre we rely on the following result.

Lemma 2. For any constraint �, the set of constraints Pre(�) is computableand finite.

It was shown in [18] that the embedding relation on trees � is a well quasi-order (Kruskal’s theorem). This combined with results in [1] guarantee termina-tion of our scheme when instantiated on the constraints we have defined above.

8 Case Studies

In this section, we provide descriptions of two tree protocols we have analyzedusing our method. For each protocol, we define the corresponding parameter-ized tree system model and we give the sets of unsafe (F ) and initial (Init)configurations.

8.1 The Tree-arbiter Protocol

The protocol supervises the access to a shared resource of a set of processesarranged in a tree topology. The processes competing for the resource reside inthe leaves.

A process in the protocol can be in state idle (i), requesting (r), token (t) orbelow (b). All the processes are initially in state i. A node is in state b wheneveris has a descendant in state t. When a leaf is in state r, the request is propagatedupwards until it encounters a node which is aware of the presence of the token(i.e. a node in state t or b). A node that has the token (in state t) can choose topass it upwards or pass it downwards to a requesting child (node in state r).

We model the tree-arbiter protocol with a parameterized tree system P =(Q;R) where Q = fqns j s 2 fi; r; t; bg ^ n 2 fleaf; inner; rootgg and R is as de-picted in the figure below (figure 6). Observe that in the definition of Q, we usethe scripts s and n to model respectively the state and the nature (leaf, inneror root) of the nodes. In the definition of the rules, we will drop the script(s)whenever we mean that it is arbitrary (it can take any value).

The rules to model this protocol are as follows: 2 rules to propagate therequest upwards, 2 rules to propagate the token downwards, 2 rules to propagatethe token upwards and one rule to initiate a request from a leaf.

The set of bad constraints F is represented by trees where at least two pro-cesses (i.e. two leaves) obtain the token (i.e. in state qleaft ).

qi/qr qr qi/qrqr qt/qbqr/qt qt/qbqr/qtqb/qtqt/qi qb/qtqt/qi qleafi /qrFig. 6. The rewrite rules for the tree-arbiter protocol. We mention here that there aremore rules in the model we have verified. For example, the rule in the top-left corner isrepresented in the concrete model by 2 rules, each of which corresponds to a particularcombination of the natures of the parent and child nodes: For the parent there are 2possibilities (qinneri =qinnerr and qrooti =qrootr ) while for the child, there are 2 (qinnerr andqleafr ).

The set of initial configurations Init contains all treeswhere the leaf nodes are either idle or requesting, innernodes are idle, and the root has the token.

qqleaft qleaft8.2 The IEEE 1394 Tree Identification Protocol

The 1394 High Performance serial bus [16] is used to transport digitized videoand audio signals within a network of multimedia systems and devices.

The tree identification protocol is used in one of the phases implementingthe IEEE 1394 protocol. More precisely, it is run after a bus reset in the networkand leads to the election of a unique leader node

In this section, we consider a version working on tree topologies. Furthermore,we assume that (i) each inner node is connected to 3 neighbors, (ii) the root isconnected to 2 neighbors, and (ii) communication is atomic.

Initially, all nodes are in state undefined (u). We identify two steps in theprotocol depending on the number n of neighbors which are still in state u. Ifn > 1, the node waits for (“be my parent”) requests from its neighbors. If n = 1,then the node sends a request to the remaining neighbor in state u. Observe thatwe implicitly assume that the leaf nodes are the first to communicate with theirneighbors.

Formally, we derive a parameterized tree system model P = (Q;R) as follows.We define the set of states by Q = fqns j s 2 fu; ; lg ^ n 2 fleaf; inner; rootggwhere the scripts s and n describe respectively the state and the nature of thenode. In the definition of the state (s), the letters u, and l stand respectivelyfor undefined, child and leader. In a similar manner to the previous section, we

drop the script(s) whenever we mean that it can take any value (see caption ofFigure 6).

The rewrite rules R are described below.– The leaves initiate the communications:quqleafu /q qu qleafu /q– The inner nodes become children or wait for requests:qu/qqu qq qu/qq quq qu/qq qqu– The leader is chosen:qu/qlq qq qqleafu /ql qqleafu /ql

The set of initial configurations Init is represented by trees where all nodesare in state undefined, and the set of bad constraints F is represented by treeswhere at least 2 leaders are elected.qlql ql ql qql ql9 Experiments

We have implemented a prototype tool in C++ and run it on several models ofprotocol with tree-like topologies. The experiments have been performed on adual Opteron 2.8 GHz, with 8 GB of RAM memory and the results are reportedin Table 1.

For each example, we give the number of iterations performed by the reacha-bility algorithm, the largest number of constraints maintained at the end of theexecution, the time and total memory consumption. Full details of the examplescan be found in the appendix.

Table 1. Experimental Results

Protocol Time # iterations # constraints Memory

Token 1s 1 3

7. R. Alur, R. K. Brayton, T. A. Henzinger, S. Qadeer, and S. K. Rajamani. Partial-order reduction in symbolic state space exploration. In Proc. 9th Int. Conf. onComputer Aided Verification, volume 1254, pages 340–351, 1997.

8. B. Boigelot, A. Legay, and P. Wolper. Iterating transducers in the large. In Proc.15th Int. Conf. on Computer Aided Verification, volume 2725 of Lecture Notes inComputer Science, pages 223–235, 2003.

9. A. Bouajjani, P. Habermehl, and T. Vojnar. Abstract regular model checking. InCAV04, Lecture Notes in Computer Science, pages 372–386, Boston, July 2004.Springer Verlag.

10. A. Bouajjani, B. Jonsson, M. Nilsson, and T. Touili. Regular model checking. InEmerson and Sistla, editors, Proc. 12th Int. Conf. on Computer Aided Verification,volume 1855 of Lecture Notes in Computer Science, pages 403–418. Springer Verlag,2000.

11. A. Bouajjani and T. Touili. Extrapolating Tree Transformations. In Proc. 14th Int.Conf. on Computer Aided Verification, volume 2404 of Lecture Notes in ComputerScience, 2002.

12. H. Common, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, S. Tison, andM. Tommasi. Tree Automata Techniques and Applications. October 1999.

13. D. Dams, Y. Lakhnech, and M. Steffen. Iterating transducers. In G. Berry,H. Comon, and A. Finkel, editors, Computer Aided Verification, volume 2102 ofLecture Notes in Computer Science, 2001.

14. P. Godefroid and P. Wolper. Using partial orders for the efficient verificationof deadlock freedom and safety properties. Formal Methods in System Design,2(2):149–164, 1993.

15. G. Higman. Ordering by divisibility in abstract algebras. Proc. London Math. Soc.(3), 2(7):326–336, 1952.

16. IEEE Computer Society. IEEE standard for a high performance serial bus. Std1394-1995, Aug. 1996.

17. Y. Kesten, O. Maler, M. Marcus, A. Pnueli, and E. Shahar. Symbolic modelchecking with rich assertional languages. Theoretical Computer Science, 256:93–112, 2001.

18. J. Kruskal. Well-quasi-ordering, the tree theorem, and Vazsonyi’s conjecture.Transactions of the American Mathematical Society, 95:210–225, 1960.

19. M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic programverification. In Proc. LICS ’86, 1st IEEE Int. Symp. on Logic in Computer Science,pages 332–344, June 1986.

A Appendix – Proofs

A.1 Approximation

We devote this section to proving Lemma 1. In order to do that, we rely onseveral auxiliary results related to the tree operations from Section 2.

Auxiliary Results First, we consider the operation and show the followingproperty.

Lemma A1. For any trees T; T 0 2 Trees(�) such that T �f T 0 for someembedding f , the following holds: There are two functions bf; ef , such that:1. T �bf T 0 f T �ef T 0.2. ef Æ bf = f .

Proof. By definition of the operation, we know that T � T 0f T � T 0. Assumethat T; T 0; T 0f T are respectively of the forms (N; �); (N 0; �0); (N 00; �00). Below,we define the functions bf : N ! N 00 and ef : N 00 ! N 0 such that the lemmastatements hold.

First, for any n 2 N , we define bf(n) := f(") � n. Second, for any n00 2 N 00,we consider three cases reflecting the membership of n00 2 N 00:

– If f(") 6� n00, then we let ef(n00) := n00.– If n00 2 Img( bf), then we take ef := f( bf�1(n00)).– Otherwise, since f(") � n00 and n00 62 Img( bf), there is a unique node n00l 2

Img( bf) such that n00l � n00 and for any other node n00o 2 Img( bf) the followingholds: n00o � n00 =) n00o � n00l . In other words, n00l is the longest prefix of n00in Img( bf). We define ef(n00) := f( bf�1(n00l )) � (n00 � n00l ).

Observe now that following the above definitions, properties (1) and (2) triviallyhold. ut

Then, we show how the operation preserves the inclusion (�) and embed-ding (�) relations in the following sense.Lemma A2. For any T; T 0; T 00 2 Trees(�) and any mappings f and g, thefollowing hold:

1. T 0 �g T 00 =) T 0 �f T � T 00 �gÆf T , and2. T �f T 0 �g T 00 =) T 0 f T � T 00 gÆf T .

Proof. Property (1) holds trivially since by definition of the � operation T 0 �fT �g T 00 �gÆf T .In order to prove (2), we provide a mapping h which guarantees that T 0 fT �h T 00gÆf T . First, we assume that T 0f T is of the form (N 0; �0). Then, we

recall from Lemma A1 that there are some functions bf; ef;[g Æ f;℄g Æ f such that:– T �bf T 0 f T �ef T 0, and

– T �[gÆf T 00 gÆf T �℄gÆf T 00.For a node n0 2 N 0, we define h(n0) by three cases reflecting the membership ofn0.

– If f(") 6� n0, we define h(n0) := g(n0).– If n0 2 Img( bf), then we take h(n0) := g(f("))� (n0�f("))(=[g Æ f( bf�1(n0))).– Otherwise, we let h(n0) :=℄g Æ f�1(g( ef(n0))). Observe that this is well defined

(definition of℄g Æ f). utWe are now ready to prove the lemma.

Proof of Lemma 1 We recall the lemma in question.

Lemma 1. The approximate transition system (C;;) is monotonic with respectto �.Proof. Consider three configurations 1; 2; 3 2 C such that 1 �g 3 for someembedding g, and 1 ; 2. The task is to prove that there is a configuration4 2 C such that 2 � 4 and 3 ; 4.

By definition 1 ; 2 iff there is a rule r 2 R and a mapping f such thatlhs(r) �f 1 and (1f lhs(r))�bf rhs(r) = 2. By definition of f and g, it followsthat lhs(r) �gÆf 3. Let 4 = (3 gÆf lhs(r))�[gÆf rhs(r). As a consequence andby definition of the transition relation;, we obtain 3 ; 4. It remains to showthat 2 � 4 which gives the result.

By Lemma A2(2) and the fact that lhs(r) �f 1 �g 3, we have 1f lhs(r) �3 gÆf lhs(r). We use a similar reasoning (see proof of Lemma A2(2)) to definethe embedding h satisfying 1f lhs(r) �h 3gÆf lhs(r). Observe that we haveh Æ bf =[g Æ f by the following argument: By definition, the mappings h Æ bf and[g Æ f are both inclusions of lhs(r) in 3 gÆf lhs(r) rooted at the same nodeg(f(")). Now by Lemma A2(1) and the fact that 1 f lhs(r) �h 3 gÆf lhs(r),we obtain2 = (1 f lhs(r)) �bf rhs(r) � (3 gÆf lhs(r)) �hÆbf rhs(r)

= (3 gÆf lhs(r)) �[gÆf rhs(r) = 4. utA.2 Algorithm

We devote this section to the proof of Lemma 2. In order to do that we firstintroduce some preliminaries on trees. Afterwards, we define the tree additionoperation which will be needed to capture the effect of the approximation in thecomputation of Pre. Finally, we prove the lemma.

Preliminaries In this paragraph, we fix two trees T = (N; �) and T 0 = (N 0; �0).Given a n 2 N which is a leaf in T and a b 2 f0; 1g, we use T � (n; b; T 0) to

denote the tree T 00 = (N 00; �00) obtaining from T by appending T 0 as a subtreeof n “in the b direction”. More formally, we let N 00 := N Sn� b�N 0; and for anyn00 2 N 00 we define �00(n00) := �(n00) if n � b 6� n00, and �00(n00) := �0(n � b� n00)otherwise. T T 0 T � (0; 1; T 0)

A non-empty set of nodes N 00 � N is said to be almost prefix closed if it isthe image of an inclusion in T . More precisely, there exists a tree T 00 such thatT 00 �g T for an inclusion g satisfying Img(g) = N 00 (see Figure 7). Observe thatby definition, any almost prefix closed set N 00 contains a unique node n such thatg(n) = ". In the sequel, we use root(N 00) to refer to such a node, and we denoteby leaves(N 00) � N 00 the set of nodes without children or whose all children inT do not belong to N 00.

We introduce now a special class of tree relations. Given a set N 00 � N anda function f : N 00 ! N 0. We say that f is a partial embedding of T in T 0 withrespect to N 00 if the following conditions hold: (i) N 00 is an almost prefix closedset of nodes, and (ii) f satisfies the embedding conditions (see Section 2) (seeFigure 7). More precisely, for any node n00 2 N 00

– n00 � b 2 N 00 =) f(n00) � b � f(n00 � b), and– �(n00) = �0(f(n00)).

T 00 T .. T 0fgFig. 7. In the tree T , we give an example of an almost prefix closed set defined by theincluion g of the tree T 00 in T . The trees T and T 0 are related by the partial embeddingf defined on the almost prefix closed set considered earlier. In the rest of the figures,we will use T and T 0 as the starting tree examples.

Intuitively, the existence of a partial embedding f of T in T 0 implies thefollowing: Starting from T , we can construct a tree by adding to T the nodes

from N 0 which are not in Img(f), such that (i) we do not modify the “structure”of the remaining nodes in T , and (ii) T 0 is included in the resulting tree. Weformalize this construction by the addition operation T �f T 0 described below.Tree Addition In the following, we fix two trees T = (N; �); T 0 = (N 0; �0) 2Trees(�) and a partial embedding f of T in T 0 defined over some almost prefixclosed set N 00 � N .

We define several auxiliary operations in order to describe the addition ofsubtrees from T 0 in different positions (above, below and in-between) with re-spect to some reference node(s).

Given a node n 2 N 00, we first consider the addition in T of certain nodesfrom T 0 above n.Formally, we denote by T over�f (n; T 0) the tree T 00 of thefollowing form:T 00 = T (n; Ta) where Ta = T 0 (f(n); T (n))Intuitively, we first construct Ta by concatenating T 0with the subtree T (n) at f(n). Then, we derive T 00 byreplacing in T the subtree T (n) by Ta.

T over�f (1; T 0)..

We consider now, the addition in T of some nodes from T 0 below a referencenode of T . In such a case, we also need to take into consideration the position(left or right subtree) in which we add the nodes.

More precisely, given a node n 2 N 00 and some b 2 f0; 1g, we denote byT below�f (n; b; T 0) the set of trees S � Trees(�) constructed as described below: Incase the node f(n)�b is not defined (i.e., 62 N 0), then we let S := fTg. Otherwise,we look at the tree T and consider two subcases depending on whether n � b isdefined in T or not.

– If n � b 2 N , we let Ta := T (n � b; T 0(f(n) � b)), wedenote by Nl the set of leaves in Ta which are descen-dants of n � b, and we defineS := fTa � (nl; bl; T (n � b)) j nl 2 Nl ^ bl 2 f0; 1gg .

– Otherwise, we let S := fT � (n; b; T 0(f(n) � b))g.We generalize the above operation byT below�f (n; T 0) := [T 002T below�f (n;0;T 0)T 00 below�f (n; 1; T 0).

T below�f (1; 1; T 0).

.

.

.

Finally, we consider the addition of nodes between two given reference nodesin T . In such a case, we require that the given nodes are directly related to eachothers (parent/child).

For two nodes n; n0 2 N 00 such that n � b = n0 for someb 2 f0; 1g, we denote by T between�f (n; n0; T 0) the tree T 00 ofthe following form:T 00 = T (n; Ta(f(n) � b)) where Ta = T 0 (f(n0); T (n0))Intuitively, we first construct Ta by replacing the subtreeT 0(f(n0)) by T (n0), then we derive T 00 by replacing thesubtree T (n) by Ta(f(n)).

T between�f (1; 10; T 0).

.

We are now ready to generalize the above operations by defining T �f T 0.We first consider an enumeration of the nodes N 00 in a bottom-up fashion. Inother words, let fnig1�i�jN 00j be an arrangement of the nodes of N 00 such thatfor any i; j : 1 � i 6= j � jN 00j, ni < nj implies that j < i. Then, we definea sequence of sets of trees fSig0�i�jN 00j as follows. We let S0 := fTg. For anyi : 0 � i � jN 00j�1, we define Si+1 in terms of Si by three case analysis reflectingthe nature of the node ni+1.

– If ni+1 2 leaves(N 00), then we letSi+1 := [T 002Si T 00 below�f (ni+1; T 0).– If there is b 2 f0; 1g such that ni+1 � b 2 N 00 and ni+1 � (1� b) 62 N 00, then

we define Si+1 := [T 002Sa T 00 below�f (ni+1; 1� b; T 0) whereSa := [T 002Si�T 00 between�f (ni+1; ni+1 � b; T 0)� .Observe that this is the case where ni+1 has only one child in N 00.

– Otherwise, we defineSi+1 := [T 002Sa�T 00 between�f (ni+1; ni+1 � 1; T 0)� whereSa := [T 002Si�T 00 between�f (ni+1; ni+1 � 0; T 0)� .Finally, we let T �f T 0 := [T 002SjN00j nT 00 over�f (njN 00j; T 0)o .

Observe that each tree T 00 2 T �f T 0 satisfies (i) T � T 00, and (ii) there isa unique inclusion denoted by f of T 0 in T 00 such that f(") = root(N 00) (seeFigure 8).

We are now ready to describe Pre.

S0 ..

S1 ..S2 .

.

.

.

T �f T 0.

.

.

.

Fig. 8. The figures shows the sequence of sets of trees in the computation of T �f T 0.Computing Pre Assume that we are given a parameterized tree system P =(Q;R). For a constraint �0, we define PreR(�0) = Sr2R Prer(�0), i.e. we computethe set of predecessor constraints with respect to each rewrite rule r 2 R.

Consider a constraint �0 and a rule r 2 R. We define Prer(�0) to be the set ofconstraints satisfying the following: A constraint � belongs to Prer(�0) iff thereis a partial embedding f of �0 in rhs(r) such that� 2 (�0 �f rhs(r)) �f lhs(r).Proof of Lemma 2 In order to prove Lemma 2, we rely on the followingauxiliary result related to the addition operation.

Lemma A3. For any T0; T1; T2 2 Trees(�) and any mappings f and g satisfyingT0 �f T2 and T1 �g T2, the following holds: If Img(f) \ Img(g) 6= ;, then thereis a partial embedding h of T1 in T0 such that for any T 2 T1 �h T0 we haveT � T2.Proof. Assume that T0; T1; T2 are of the forms (N0; �0); (N1; �1); (N2; �2) respec-tively. We first define the following set of nodes N 00 := fn 2 N1j g(n) 2 Img(f)g.Observe that Img(f) \ Img(g) 6= ; iff N 00 6= ;. We now show that N 00 is almostprefix closed.

In order to do that, we assume the opposite and derive a contradiction.We suppose that N 00 is not almost prefix closed. By definition, this implies theexistence of two nodes n; n0 2 N 00 such one the following conditions is satisfied.1. n � n � n0 for some n 62 N 00.2. n 6� n0 ^ n0 6� n and there is no np 2 N 00 such that np � n ^ np � n0.

If condition (1) holds then this implies that g(n) 62 Img(f). Since g(n); g(n0) 2Img(f) and g(n) � g(n0), it holds by definition of an inclusion that any n2 2N2 : g(n) � n2 � g(n0) satisfies n2 2 Img(f). This is a contradiction since by

definition of an embedding g(n) � g(n) � g(n0) and by assumption g(n) 62Img(f).

If condition (2) holds, then we let np 2 N0 be the node satisfying np � b � nand np � (1� b) � n0 for some b 2 f0; 1g. Observe that such a node exists sinceN0 is prefix closed. We recall here that by assumption np 62 N . By definition ofan embedding g(np) � b � g(n) and g(np) � (1 � b) � g(n0). Since g(n); g(n0) 2Img(f), it follows by definition of an inclusion that g(np) 2 Img(f). This is alsoa contradiction.

So far, we have shown that N 00 is almost prefix closed. We let h := f�1 Æ gdenote the function defined over N 00. Observe that by definition of g and f , andsince N 00 is almost prefix closed, it follows that h is a partial embedding of T1in T0.

Consider now a tree T = (N; �) 2 T1 �h T0. We first recall that T0 �h T .Then, we provide below a mapping e that guarantees T �e T2. We define e bycase analysis depending on the membership of n 2 N .

– If n 2 Img(h), then we let e(n) := f(h�1(n)).– If h(") 6� n, we define e(n) := g(n).– Otherwise, we denote by nh the longest prefix in Img(h) such that andnh�b � n for some b 2 f0; 1g. Two cases follow depending on the membership

of f(h�1(nh)) in Img(g).� If f(h�1(nh)) 2 Img(g), then we define e(n) := g(g�1(f(h�1(nh)))�(n�nh)).� Otherwise, we denote by ng , the longest word in Img(g) \ Img(h) suchthat ng �b0 � nh for some b0 2 f0; 1g. We let e(n) := g(g�1(f(h�1(ng)))�b0 � (n� nh � b)). ut

In what follows, we consider a weaker statement of Lemma 2 which is moreconvenient for our definition of Pre. Nevertheless, the original statement can beproven similarly but in a more tedious manner. We have considered this varianthoping that the presentation would be more clear. Observe, that the result belowsuffices for correctness of our algorithm.

Weaker Variant of Lemma 2.For any constraint �:– PreR(�) is computable and finite.– [[Pre(�)]] � [[�]] [ [[PreR(�)]].

Proof. Observe that Finiteness and computability of PreR(�) follows by defini-tion of the � operation.

In order to show correctness (the second item), we consider a constraint �0and a configuration 0 2 [[�0]] and show that for any constraint with ; 0 itis the case that 2 [[�0]] [ [[PreR(�0)]].

By definition of the approximate transition relation, ; 0 implies that thereis a rule r 2 R and an embedding f of lhs(r) in such that

(f lhs(r)) �bf rhs(r) = 0. (1)

By assumption 0 2 [[�0]], therefore there is a function g such that �0 �g 0. ByEquation (1) and the definition of bf , we have rhs(r) �bf 0. Below, we considertwo cases depending on emptiness of Img( bf)T Img(g).

In case Img( bf)T Img(g) = ;, it follows directly that �0 �g (f lhs(r)) � where the last embedding relation holds by Lemma A1(1). As a consequence, 2 [[�0]].

In case Img( bf) \ Img(g) 6= ;, then this combined with the fact that �0 �g 0and Lemma A3 yields the following: There is a partial embedding h of �0 inrhs(r) such that for any �” 2 �0�h rhs(r), it is the case that rhs(r) �h �” � 0.

We fix a constraint �” in �0 �h rhs(r) and we recall from the proof ofLemma A3 the definition of the embedding e satisfying �” �e 0. Observe thatby definition of e, bf and h, we have bf = eÆh. This combined with Lemma A2(1)and the fact that �” �e 0 yields the following:�”�h lhs(r) � 0 �eÆh lhs(r) = 0 �bf lhs(r) = f lhs(r),where the last equality follows from the definition of 0 and the renaming oper-ation.

By Lemma A1(1), f lhs(r) � and hence by the above equations �”�hlhs(r) � . Finally, since by definition of Prer(�) we have�”�h lhs(r) 2 (�0 �h rhs(r)) �h lhs(r) � Prer(�0) � PreR(�0),it follows that 2 [[PreR(�0)]]. ut

B Appendix – Description of the Case Studies

In the following, we give detailed description of the case studies. For each ex-ample, we describe how we instantiate the algorithm by specifying (i) the initialconfiguration, (ii) the set of rewriting rules , and (iii) the set of bad constraints.

B.1 Leader Election Protocol

The protocol operates on binary trees to elect a leader among processes whichreside in the leaves and which are candidates. A leaf process can be labeled ascandidate or non-candidate n. An inner node is initially labeled as undefinedu and will be labeled as candidate if at least one of its children is candidate, andnon-candidate otherwise.

In a first phase, the information that a node is candidate or not travelsup to reach the root. In a second phase, the decision el, initially in the root,travels down from candidate parent to candidate child. (If several children arecandidates, the parent chooses one undeterministicly). Once the decision reachesa leaf, this leaf process is elected as leader. Below follows a small scenario:

el

u

n c

u

n n

el

c

n c

u

n n

el

c

n c

n

n n

el

el

n c

n

n n

el

el

n el

n

n n

The rules for the upwards propagation of candidate information are:

u / c

c n

u / c

n c

u / c

c c

u / n

n n

The rules for the downwards propagation of election decision are:

el

c / el

el

c / el

The set of bad constraints F is represented by trees where at least two nodesin different branches are elected.

*

el el

The set of initial constraints Init is represented by trees where leaves areeither candidates or non-candidates, inner nodes are labeled undefined and theroot is labeled el.

We have been able to prove Init is not backward reachable from F (i.e. thatInit

��! F does not hold).B.2 Token Protocol

The protocol operates on binary trees to transmit a token from the root to theleaves. A node can be labeled as having the token t, or not having the token n.As an example:

t

n

n n

n

n n

n

t

n n

u

n n

n

n

n t

n

n n

The rules for the propagation of the token are:

t / n

n / t

t / n

n / t

The set of bad constraints F is represented by trees where at least two nodescontain the token.

t

t

t

t

*

t t

Initially, the token is in the root.We have been able to prove Init is not backward reachable from F (i.e. that

Init��! F does not hold).

B.3 Two-way Token Protocol

This protocol is a generalization of the token protocol by allowing the token toboth move upwards and downwards. As an example:

t

n

n n

n

n n

n

t

n n

u

n n

n

n

n t

n

n n

n

t

n n

u

n n

n

n

t n

n

n n

The rules for the propagation of the token are:

t / n

n / t

t / n

n / t

n / t

t / n

n / t

t / n

The set of bad constraints F is represented by trees where at least two nodescontain the token, similarly to the simple token protocol.

Initially, the token is in the root.We have been able to prove Init is not backward reachable from F (i.e. that

Init��! F does not hold).

B.4 Percolate Protocol

The protocol [17] operates on binary trees of processes and evaluates the dis-junction of the values in the leaves up to the root. Initially, the leaves containeither a 0 or a 1 and all other nodes are labeled as undefined u. An still undefinedinner node will be labeled as 1 if at least one of its children contains a 1, and 0otherwise. As an example:uu

0 0

u1 1

u0

0 0

1

1 1

1

0

0 0

1

1 1

The corresponding rules are:u / 00 0

u / 11 0

u / 10 1

u / 11 1

The set of bad constraints F is represented by trees where a 0 get propagatedupwards while there is a 1 below.

0

1

0

1

We have been able to prove Init is not backward reachable from F (i.e. thatInit

��! F does not hold).