An Operational Semantics for Model Checking Long Running Transactions

Abstract

Compensating CSP (cCSP) is an extension to CSP for modeling long running transactions (LRTs). In our work, we extended the original cCSP with the ability of modeling non-determinism, deadlock and livelock. Until now, there is only a failure-divergence semantics for the extended cCSP, and there is no model checking or animating tool for it. In this paper, we present an operational semantics for model checking the extended cCSP. We prove that the general problem of model checking the extended cCSP with respect to regular properties is undecidable. Using the operational semantics, we have implemented an animator and a prototype model checker for the extended cCSP based on the platform Process Analysis Toolkit (PAT). In addition, a case study is given to demonstrate the tool.

Appendix

1.1 Proof of Theorem 3

Theorem 3. Given a standard process \({P}\) of the extended cCSP and an FSM \({R}\), the language inclusion problem \({L(T(P)) \subseteq L(R)}\) is undecidable.

Proof

The problem can be reduced to the halting problem of Minsky 2-counter machine that is known to be undecidable [17]. The basic idea of the reduction is to construct a standard process \({P}\) and an FSM \({R}\) for a 2-counter machine \({M}\). \({P}\) models the behavior of \({M}\) with respect the memory constraint but without regard to the control constraint of \({M}\). \({R}\) models the control behavior of \({M}\) but disregards the memory constraint, and accepts all the traces of \({M}\) that are not halted. Therefore, \({L(T(P)) \subseteq L(R)}\) iff \({M}\) does not halt, which implies the problem is undecidable in general.

Hence, we need to give how to construct the process and the FSM. Let \({M}\) be a 2-counter machine with \({n}\) numbered instructions:

$$ {\langle 1:ins_{1}\rangle \ \langle 2: ins_{2} \rangle \ ... ...\ \langle n-1: ins_{n-1} \rangle \ \langle n:halt \rangle } $$

where \({ins_i {\in } \{ (c_k {:=} c_k + 1 ; \mathbf{goto }\ j), (\mathbf{if }\ (c_k = 0)\ \mathbf{goto }\ j ; (c_k {:=} c_k - 1 ; \mathbf{goto }\ l)) \}}\), \({k{\in }\{1, 2\}}\), \({1 \le j, l \le n}\) and \({1 \le i \le n - 1}\).

The construction of the extended cCSP process \({P}\) is as follows, where \({k \in \{1, 2\}}\).

$$ \begin{array}{lllll} M_{k}=(inc_{k}\div [M_k]\ ;\ M_{k})\Box ((dec_{k} ; \mathbf {throw})\div {\mathbf {skip}})\\ C_{k}=[M_{k}]\\ Z_{k}=[(zero_{k} \div {\mathbf {skip}}\ ;\ Z_{k} \div \mathbf {skip})\Box (inc_{k} \div {Z_{k}}\ ;\ (C_{k} \div \mathbf {skip}\ ;\ \mathbf {throww}))]\\ P= (C^{m_1}_1\ ;\ Z_1) \parallel (C^{m_2}_2\ ;\ Z_2)\\ \end{array} $$

In the above construction, \({inc_{k}}\), \({dec_{k}}\) and \({zero_{k}}\) represent the events of increasing, decreasing and zeroing the \({k}\)-th counter, respectively. \({C_1}\) and \({C_2}\) are the processes that try to increase or decrease the first counter and the second counter, respectively. After executing each terminated trace of \({C_k}\), the corresponding counter is decreased by one. During the execution of \({C_k}\), the memory constraint of the corresponding counter is preserved, i.e., the counter is no less than 1 if it is set to 2 at the beginning of executing \({C_k}\). \({Z_k}\) is the process that tries to keep the content of the \({k}\)th counter to be zero. Thus, the evolving of the processes \({C_k}\) and \({Z_k}\) is consistent with the memory constraint of \({M}\). The process \({P}\) models the 2-counter machine that the initial values of first counter and second counter are \({m_1}\) and \({m_2}\), respectively, where \({C^{m_k}_{k}}\) is the sequential composition of \({m_k}\) copies of \({C_k}\).

According to the instructions of \({M}\), we can construct the FSM \({R {=} (\varSigma , S, s_0, \delta , F)}\), where \({\varSigma }\) is the alphabet set and \({\varSigma = \{inc_k, dec_k, zero_k \mid k \in \{1, 2\}\}}\), \({S}\) is the state set and \({S = \{s_i \mid 1\le i \le n\} \cup \{s_{n+1}\}}\), \({s_0}\) is the initial state, i.e., \({s_1}\) in \({S}\), \({\delta : S {\times } \varSigma {\rightarrow } S }\) is the transition function, \({F}\) is the final state set and \({F = S \setminus \{s_{n}\}}\). For each construction, we can add the transitions as follows, where \({k\in \{1, 2\}}\).

$$ \begin{array}{lllll} \langle i:\ c_{k} := c_{k}+1;\mathbf{goto }\ j \rangle \Longrightarrow \delta (s_{i}, inc_{k}) = s_{j}\\ \langle i: \mathbf{if }\ c_{k}=0\ \mathbf{goto }\ j;\ c_{k} := c_{k}-1; \mathbf{goto }\ l \rangle \Longrightarrow \delta (s_{i}, zero_{k}) = s_{j}, \delta (s_{i}, dec_{k}) = s_{l} \end{array} $$

Then, we complete \({R}\) by adding a self-transition to \({s_{n+1}}\) for each element in \({\varSigma }\), i.e., \({\forall a\in \varSigma \bullet \delta (s_{n+1}, a)= s_{n+1} }\). Finally, for each state \({s}\) except \({s_n}\), if there does not exist a transition for an element \({a}\) in \({\varSigma }\) (\({\not \exists s_1\in S \bullet \delta (s, a) = s_1}\)), we add a transition from \({s}\) to \({s_{n+1}}\) with the label as \({a}\) to \({\delta }\), i.e., \({\delta (s, a) = s_{n+1}}\). Thus, the FSM \({R}\) is constructed according to the control constraints of \({M}\), and \({R}\) accepts the trace any prefix of which is not a halted trace of \({M}\), because there is no transition from \({s_n}\) to \({s_{n+1}}\), and \({s_n}\) is not a final state.

According to the above constructions, we next prove “\({L(T(P)) \subseteq L(R)}\) iff \({M}\) does not halt”. Instead of proving it directly, we prove “\({L(T(P)) \nsubseteq L(R)}\) iff \({M}\) halts”.

• If \({M}\) halts, then there exists a trace \({s}\) produced by a halted execution of \({M}\), which is accepted by \({T(P)}\), because \({P}\) satisfies the memory constraints. However, according to the construction of \({R}\), \({s}\) is not accepted by \({R}\). Thus, \({L(T(P)) \nsubseteq L(R)}\).

• If \({L(T(P)) \nsubseteq L(R)}\), then there exists a trace \({s}\) accepted by \({T(P)}\), but \({s}\) is not accepted by \({R}\). According to the construction of \({R}\), there must exist \({s_t}\) that is a prefix of \({s}\) and \({s_t}\) can reach the state \({s_n}\) in the state set \({S}\) of \({R}\), i.e., \({M}\) can reach the last instruction (\({halt}\)) via \({s_t}\). Also, because \({s}\) is accepted by \({T(P)}\), the execution of \({s_t}\) satisfies the memory constraint. Thus, \({M}\) has a halting execution, i.e., \({M}\) halts.

In total, we can have \({L(T(P)) \subseteq L(R)}\) iff \({M}\) does not halt. Therefore, according to the undecidable result of 2-counter machine [17], the problem \({L(T(P)) \subseteq L(R)}\) is undecidable in general. \(\square \)