HAL Id: hal-02191382
https://hal.inria.fr/hal-02191382
Submitted on 23 Jul 2019
HAL
is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire
HAL, estdestinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
broadcast networks
Nathalie Bertrand, Patricia Bouyer, Anirban Majumdar
To cite this version:
Nathalie Bertrand, Patricia Bouyer, Anirban Majumdar. Reconfiguration and message losses in pa-
rameterized broadcast networks. CONCUR 2019 - 30th International Conference on Concurrency
Theory, Aug 2019, Amsterdam, Netherlands. pp.1 - 15, �10.4230/LIPIcs.CONCUR.2019.32�. �hal-
02191382�
parameterized broadcast networks
2
Nathalie Bertrand
3
Univ. Rennes, Inria, CNRS, IRISA – Rennes (France)
4
Patricia Bouyer
5
LSV, CNRS & ENS Paris-Saclay, Univ. Paris-Saclay – Cachan (France)
6
Anirban Majumdar
7
Univ. Rennes, Inria, CNRS, IRISA – Rennes (France)
8
LSV, CNRS & ENS Paris-Saclay, Univ. Paris-Saclay – Cachan (France)
9
Abstract
10
Broadcast networks allow one to model networks of identical nodes communicating through message
11
broadcasts. Their parameterized verification aims at proving a property holds for any number
12
of nodes, under any communication topology, and on all possible executions. We focus on the
13
coverability problem which dually asks whether there exists an execution that visits a configuration
14
exhibiting some given state of the broadcast protocol. Coverability is known to be undecidable for
15
static networks,i.e. when the number of nodes and communication topology is fixed along executions.
16
In contrast, it is decidable inPTIME when the communication topology may change arbitrarily
17
along executions, that is for reconfigurable networks. Surprisingly, no lower nor upper bounds on the
18
minimal number of nodes, or the minimal length of covering execution in reconfigurable networks,
19
appear in the literature.
20
In this paper we show tight bounds for cutoff and length, which happen to be linear and quadratic,
21
respectively, in the number of states of the protocol. We also introduce an intermediary model with
22
static communication topology and non-deterministic message losses upon sending. We show that
23
the same tight bounds apply to lossy networks, although, reconfigurable executions may be linearly
24
more succinct than lossy executions. Finally, we showNP-completeness for the natural optimisation
25
problem associated with the cutoff.
26
2012 ACM Subject Classification Theory of computation→Verification by model checking
27
Keywords and phrases model checking – parameterized verification – broadcast networks
28
Funding The second author was supported by ERC project EQualIS (308087).
29
1 Introduction
30
Parameterized verification. Systems formed of many identical agents arise in many concrete
31
areas: distributed algorithms, populations, communication or cache-coherence protocols,
32
chemical reactions etc. Models for such systems depend on the communication or interaction
33
means between the agents. For example pairwise interactions are commonly used for
34
populations of individuals, whereas selective broadcast communications are more relevant for
35
communication protocols on ad-hoc networks. The capacity of the agents, and thus models
36
that are used to represent their behaviour also vary.
37
Verifying such systems amounts to checking that a property holds independently of the
38
number of agents. Typically, a consensus algorithm should be correct for any number of
39
participants. We refer to these systems as parameterized systems, and the parameter is
40
the number of agents. The verification of parameterized systems started in the late 80’s
41
and recently regained attention from the model-checking community [11, 8, 6, 1]. It can be
42
seen as particular cases of infinite-state-system verification, and the fact that all agents are
43
identical can sometimes lead to efficient algorithms [5].
44
© N. Bertrand, P. Bouyer, A. Majumdar;
licensed under Creative Commons License CC-BY
Broadcast networks. This paper targets the application to protocols over ad-hoc networks,
45
and we thus focus on the model of broadcast networks [3]. A broadcast network is composed
46
of several nodes that execute the same broadcast protocol. The latter is a finite automaton,
47
where transitions are labeled with message sendings or message receptions. Configuration in
48
broadcast networks is then comprised of a set of agents, their current local states, together
49
with a communication topology (which represents which agents are within radio range). A
50
transition represents the effect of one agent sending a message to its neighbours.
51
Parameterized verification of broadcast networks amounts to checking a given property
52
independently of the initial configuration, and in particular independently of the number
53
of agents and communication topology. A natural property one can be interested in is
54
coverability: a state of the broadcast protocol is coverable if some execution leads to a
55
configuration in which one node is in that local state. When considering error states, a
56
positive instance for the coverability problem thus corresponds to a network that can exhibit
57
a bad behaviour.
58
Coverability is undecidable for static broadcast networks [3],i.e. when the communication
59
topology is fixed along executions. Decidability can be recovered by relaxing the semantics and
60
allowing non-deterministic reconfigurations of the communication topology. In reconfigurable
61
broadcast networks, coverability of a control state is decidable in PTIME [2]. A simple
62
saturation algorithm allows to compute the set of all states of the broadcast protocol that
63
can be covered.
64
Cutoff and covering length. Two important characteristics of positive instances of the
65
coverability problem are the cutoff and the covering length. First, thecutoff is the minimal
66
number of agents for which a covering execution exists. The notion of cutoff is particularly
67
relevant for reconfigurable broadcast networks since they enjoy a monotonicity property: if a
68
state can be covered from a configuration, it can also be from any configuration with more
69
nodes. Second, thecovering length is the minimal number of steps for covering executions. It
70
weighs how fast a network execution can go wrong. Both the cutoff and the covering length
71
are somehow complexity measures for the coverability problem. Surprisingly, no upper nor
72
lower bounds on these values appear in the literature for reconfigurable broadcast networks.
73
Contributions. In this paper, we prove a tight linear bound for the cutoff, and a tight
74
quadratic bound for the covering length in reconfigurable broadcast networks. Both are
75
expressed in the number of states of the broadcast protocol. These are obtained by refining
76
the saturation algorithm that computes the set of coverable states, and finely analysing it.
77
Another contribution is to introduce lossy broadcast networks, in which the communication
78
topology is fixed, however errors in message transmission may occur. In contrast with
79
broadcast networks with losses that appear in the literature [4], in our model, message
80
losses happen upon sending, rather than upon reception. This makes a crucial difference:
81
reconfiguration of the communication topology can easily be encoded by losses upon reception,
82
whereas it is not obvious for losses upon sending. Perhaps surprisingly, we prove that the set
83
of states that can be covered in reconfigurable semantics agrees with the one in static lossy
84
semantics. Using the same refined saturation algorithm, we prove that same tight bounds
85
hold for lossy broadcast networks: the cutoff is linear, and the covering length is quadratic
86
(in the number of states of the broadcast protocol). The two semantics thus appear quite
87
similar, yet, we show that the reconfigurable semantics can be linearly more succinct (in
88
terms of number of nodes) than the lossy semantics.
89
Finally, we study a natural decision problem related to the cutoff: decide whether a
90
state is coverable (in either semantics) with a fixed number of nodes. We prove it to be
91
NP-complete.
92
Outline. In Section 2, we define the broadcast networks, with static, reconfiurable and lossy
93
semantics. In Section 3, we present our tight bounds for cutoff and covering length. In
94
Section 4, we show our succinctness result. In Section 5, we give ourNP-completeness result.
95
2 Broadcast networks
96
2.1 Static broadcast networks
97
IDefinition 1. A broadcast protocol is a tuple P = (Q, I,Σ,∆) whereQ is a finite set
98
of control states; I ⊆ Q is the set of initial control states; Σ is a finite alphabet; and
99
∆⊆(Q× {!a,?a|a∈Σ} ×Q)is the transition relation.
100
For ease of readability, we often write q −!a→ q0 (resp. q −→?a q0) for (q,!a, q0) ∈ ∆
101
(resp. (q,?a, q0)∈∆). We assume all broadcast networks to be complete for receptions: for
102
every q∈Qanda∈Σ, there existsq0 such thatq−→?a q0.
103
A broadcast protocol is represented in Figure 1. In this example and in the whole paper,
104
for concision purposes, we assume that if the reception of a message is unspecified from some
105
state, it implicitly represents a self-loop. For example here, fromq1, receivingaleads toq1
106
again.
q0 q1 q2 q3 q4
r1
!a ⊥
?a !b1 ?a !b2
?b1 ?b2
?bi
Figure 1Example of a broadcast protocol.
107
Broadcast networks involve several copies, or nodes, of the same broadcast protocolP. A
108
configuration is an undirected graph whose vertices are labelled with a state ofQ. Transitions
109
between configurations happen by broadcasts from a node to its neighbours.
110
Formally, given a broadcast protocol P = (Q, I,Σ,∆), aconfiguration is an undirected
111
graphγ= (N,E,L) whereNis a finite set of nodes;E⊆N×Nis a symmetric and irreflexive
112
relation describing the set of edges; finally,L:N→Qis the labelling function. We let Γ(P)
113
denote the (infinite) set ofQ-labelled graphs. Given a configuration γ ∈Γ(P), we write
114
n∼n0 whenever (n,n0)∈Eand we let Neighγ(n) ={n0∈N|n∼n0} be the neighbourhood
115
ofn,i.e.the set of nodes adjacent ton. FinallyL(γ) denotes the set of labels appearing in
116
nodes ofγ. A configuration (N,E,L) is calledinitial ifL(N)⊆I.
117
The operational semantics of a static broadcast network for a given broadcast protocol P
118
is an infinite-state transition systemT(P). Intuitively, each node of a configuration runs
119
protocolP, and may send/receive messages to/from its neighbours. From a configuration
120
γ = (N,E,L), there is a step toγ0 = (N0,E0,L0) if N0 =N, E0 =E, and there exists n∈N
121
and a ∈ Σ such that (L(n),!a,L0(n)) ∈ ∆, and for every n0 ∈ N, ifn0 ∈ Neighγ(n), then
122
(L(n0),?a,L0(n0))∈∆, otherwiseL0(n0) =L(n0): a step reflects how nodes evolve when one of
123
them broadcasts a message to its neighbours. We writeγ−−→n,!a sγ0, or simplyγ→sγ0 (thes
124
subscript emphasizes that the communication topology isstatic).
125
Anexecutionof the static broadcast network is a sequenceρ= (γi)0≤i≤rof configurations
126
(N,E,Li) such thatγ0 is an initial configuration, and for every 0≤i < r, γi →sγi+1. We
127
write#nodes(ρ) for the number of nodes in γ0,#steps(ρ) for the numberrof steps alongρ,
128
and for any noden∈N,#steps(ρ,n) for the number of broadcasts, called theactive length, of
129
nodenalongρ. Note that, along an execution, the number of nodes and the communication
130
topology are fixed. The set of all static executions is denotedExecs(P).
131
Coverability problem.
132
Given a broadcast protocolP and a subset of target statesF⊆Q, we writeCOVERs(P, F)
133
for the set of allcovering executions, that is, executions that visit a configuration with a
134
node labelled by a state inF:
135
COVERs(P, F) ={(γi)0≤i≤r∈Execs(P)|L(γr)∩F 6=∅}.
136
Thecoverability problemis a decision problem that takes a broadcast protocolP and a subset
137
of target statesF as inputs, and outputs whetherCOVERs(P, F) is nonempty. For broadcast
138
networks, the coverability problem is a parameterized verification problem, since the number
139
of initial configurations is infinite. It is known that coverability is undecidable for static
140
broadcast networks [3], since one can use the communication topology to build chains that
141
may encode values of counters, and hence simulate Minsky machines [10].
142
If the broadcast protocolP allows to cover the subsetF, we define the cutoff as the
143
minimal number of nodes required in an execution to cover F. Similarly, we define the
144
covering length as the length of a shortest finite execution covering F. Those values are
145
important to characterize the complexity of a broadcast protocol: assuming a safe set of
146
states, coverability of the complement set represents bad behaviours, and cutoff and covering
147
length measure the size of minimal witnesses for violation of the safety property.
148
2.2 Reconfigurable broadcast networks
149
To circumvent the undecidability of coverability for static broadcast networks, one attempt is
150
to introduce non-deterministic reconfiguration of the communication topology. This solution
151
also allows one to model arbitrary mobility of the nodes, which is meaningful,e.g. for mobile
152
ad-hoc networks [3].
153
Under this semantics, configurations are the same as under the static semantics. Trans-
154
itions between configurations however are enhanced by the ability to modify the communica-
155
tion topology before performing a broadcast. Formally, from a configurationγ= (N,E,L),
156
there is a step toγ0 = (N0,E0,L0) if N0 =N, and there existsn∈ Nanda∈ Σ such that
157
(L(n),!a,L0(n)) ∈ ∆, and for every n0 ∈ N, if n0 ∈ Neighγ0(n), then (L(n),?a,L0(n0)) ∈ ∆,
158
otherwiseL0(n0) =L(n0): a step thus reflects that the communication topology may change
159
fromEtoE0 followed by the broadcast of a message from a node to its neighbours in the
160
new topology. We writeγ−−→n,!a rγ0, or simplyγ→rγ0.
161
Similarly to the static case, we writeExecr(P) andCOVERr(P, F) for, respectively the
162
set of all reconfigurable executions inP, and the set of all reconfigurable executions inP
163
that coverF. We will also use the same notations#nodes(ρ),#steps(ρ) and #steps(ρ,n) as
164
in the static case.
165
Figure 7 (with n= 2) gives an example of reconfigurable execution for the broadcast
166
protocol of Figure 1 (which covers ). Note that the communication topology indeed evolves
167
along the execution. Here the colored nodes broadcast a message in the step leading to the
168
next configuration.
169
A noticeable property of reconfigurable broadcast networks is the following copycat
170
property. Such a monotonicity property was originally shown in [7] for asynchronous shared-
171
memory systems, and it also applies to our context.
172
IProposition 2 (Copycat for reconfigurable semantics). Given ρ :γ0 →r γ1· · · →r γs an
173
execution, with γs= (N,E,L), for everyq ∈L(γs), for every nq ∈N such thatL(nq) = q,
174
there existst∈N and an executionρ0 :γ00→rγ10· · · →rγt0 with γt0 = (N0,E0,L0) such that
175
|N0|=|N|+1, there is an injectionι:N→N0 with for everyn∈N,L0(ι(n)) =L(n), and for
176
the extra nodenfresh∈N0\ι(N),L0(nfresh) =q, and#steps(ρ0,nfresh) =#steps(ρ,nq).
177
Intuitively, the new nodenfreshwill copy the moves of nodenq: it performs the same broadcasts
178
(but to nobody) and receives the same messages. More precisely, whennq broadcasts inρ, it
179
does so also in ρ0 and then we disconnect all the nodes andnfresh repeats the broadcast (no
180
other node is affected because of the disconnection); whennq receives a message inρ, we
181
connectnfresh to the same neighbours asnq (i.e., ι(n)∼0nfresh if and only ifn∼nq) so that
182
nfresh also receives the same message inρ0.
183
Relying on the copycat property, when reconfigurations are allowed, the coverability
184
problem becomes decidable and solvable in polynomial time.
185
ITheorem 3([2]). Coverability is decidable inPTIMEfor reconfigurable broadcast networks.
186
More precisely, a simple saturation algorithm allows one to compute in polynomial time,
187
the set of all states that can be covered. Despite this complexity result, to the best of
188
our knowledge, no bounds on the cutoff or length of witness executions are stated in the
189
literature.
190
2.3 Broadcast networks with messages losses
191
Communication failures were studied for broadcast networks, assuming non-deterministic
192
message losses could happen: when a message is broadcast, some of the neighbours of the
193
sending node may not receive it [4]. As observed by the authors, the coverability problem
194
for such networks easily reduces to the coverability problem in reconfigurable networks
195
by considering a complete topology, and message losses are simulated by reconfigurations.
196
Thus, message losses upon reception are equivalent to reconfiguration of the communication
197
topology.
198
We propose an alternative semantics here: when a message is broadcast, it either reaches
199
all neighbours of the sending node, or none of them. This is relevant in contexts where
200
broadcasts are performed in an atomic manner and may fail. In contrast to message losses
201
upon reception, it is not obvious to simulate arbitrary reconfigurations of the communication
202
topology with such message losses.
203
Formally, from a configurationγ= (N,E,L), there is a step to γ0 = (N0,E0,L0) ifN0=N,
204
E0 =Eand there existsn∈Nanda∈Σ such that (L(n),!a,L0(n))∈∆, and either (a) for
205
every n0 6=n, L0(n0) =L(n0) (no one has received the message, it has been lost), or (b) if
206
n0∈Neighγ0(n), then (L(n0),?a,L0(n0))∈∆, otherwiseL0(n0) =L(n0): a step thus reflects that
207
the broadcast message may be lost when it is sent. We writeγ−−→n,!a lγ0 or simplyγ→lγ0.
208
Similarly to the static and reconfigurable semantics,#steps(ρ,n) is the number of broadcasts
209
(including lost ones) by node nalongρ; and we write#nonlost_steps(ρ,n) for the number of
210
successful broadcasts by nodenalongρ.
211
For lossy executions also, we use the following notations: Execl(P) andCOVERl(P, F).
212
Any lossy execution can be seen as a reconfigurable execution. Indeed, a lossy execution
213
with communication topology E can be transformed into a reconfigurable one in which
214
the communication topology of each configuration is either∅orE, depending on whether
215
the next broadcast is lost or not. Therefore, with slight abuse of notation, we write
216
Execl(P)⊆Execr(P).
217
Figure 2 gives an example of a lossy execution for the broadcast protocol of Figure 1.
218
Note that in the third transition, some node indeed performs a lossy broadcast, emphasized
219
by the subscript “lost”. As before, the colored nodes broadcast a message in the step leading
220
to the next configuration.
221
q0
q0
q0
q0
q0 !a
−→l q1
q0
q0
q1
q0
!b1
−→l q2
r1
⊥
q1
q0
!b1
−→l
lost
q2
r1
⊥
q2
q0
−→!al q2
⊥ q0
q3
r1
!b2
−→l q2
⊥ ⊥
q4
Figure 2Example of a lossy execution on the protocol from Figure 1.
3 Tight bounds for reconfigurable and lossy broadcast networks
222
In this section, we will show tight bounds for the cutoff and the minimal length of a witness
223
execution for the coverability problem. These hold both for the reconfigurable and the lossy
224
semantics.
225
3.1 Upper bounds on cutoff and covering length for reconfigurable
226
networks
227
First, we will refine the polytime saturation algorithm of [2], which computes all states
228
which can be covered in the reconfigurable semantics. We will then show that, based on
229
the underlying computation, one can construct small witnesses for the two semantics (linear
230
number of nodes and quadratic number of steps). While it would be enough to show the
231
result for the lossy semantics (since, given a broadcast protocolP, Execl(P)⊆Execr(P)),
232
for pedagogical reasons, we provide the two proofs, starting with the simplest one for
233
reconfigurable semantics.
234
Let us fix for the rest of this section, a protocolP = (Q, I,Σ,∆). We slightly modify the
235
algorithm given in [2] as follows: we include at most one state to the setS in each iteration.
236
Additionally, we associate a labelling functionc:S →Nwith the setS in every iteration.
237
More formally, we consider the modification of the previous saturation algorithm as shown
238
in Algorithm 1.
239
Algorithm 1 Refined saturation algorithm for coverability
1: S :=I;c(S) :=|I|;S0:=∅ 2: while S6=S0 do
3: S0:=S;c:=c(S)
4: if ∃(q1,!a, q2)∈∆ s.t. q1∈S0 andq26∈S0 then 5: S:=S∪ {q2};c(S) :=c+ 1
6: else if ∃(q1,!a, q2)∈∆ and (q01,?a, q20)∈∆ s.t. q1, q2, q01∈S0 andq026∈S0 then 7: S:=S∪ {q20};c(S) :=c+ 2
8: end if 9: end while 10: returnS
In Algorithm 1, the variable ccounts the number of nodes that are sufficient to cover the
240
current setS, as we will prove later.
241
I Lemma 4 ([2]). Algorithm 1 terminates and returns the set of coverable states. In
242
particular,COVERr(P, F)6=∅ iffF∩S6=∅.
243
Let S0, S1, . . . , Sm be the sets after each iteration of the algorithm, withS0 =I and
244
Sm=S. We fix an ordering on the states inSon the basis of insertion inS: for all 1≤i≤m,
245
qi is such thatqi∈Si\Si−1. In the following, we show the desired upper bounds, proving
246
that there exists an execution of sizeO(n) and lengthO(n2) covering at the same time all
247
states ofSm.
248
ITheorem 5. LetP = (Q, I,Σ,∆)be a broadcast protocol, andF ⊆Q. IfCOVERr(P, F)6=
249
∅ (that is, if F∩S 6=∅), then there exists ρ∈COVERr(P, F)with #nodes(ρ)≤2|Q| and
250
#steps(ρ)≤2|Q|2.
251
Theorem 5 is a consequence of the following Lemma.
252
I Lemma 6. For every step i of Algorithm 1, there exists an initial configuration γ0, a
253
configurationγ and a reconfigurable executionρ:γ0
−→∗ rγ such that L(γ) =Si,#nodes(ρ) =
254
c(Si), andmaxn#steps(ρ,n)≤i.
255
Proof. The lemma is proved by induction on i. The base case i= 0 is obvious: take the
256
initial configurationγ0with|I|nodes, and label each node with a different initial state; its
257
size is|I|, and the length of the execution is 0, hence so is the maximum active length.
258
To prove the induction step, we distinguish two cases: depending on whetherqi+1 was
259
added as the target state of a broadcast transitionq−!a→for someq∈Si; or whetherqi+1 is
260
the target state of a reception from someq∈Si with matching broadcast between two states
261
already inSi.
262
Case 1: There exists q ∈ Si with q −!a→ qi+1. We apply the induction hypothesis to
263
step i, and exhibit an executionρ:γ0
−→∗ rγ such thatL(γ) =Si, #nodes(ρ) =c(Si) and
264
maxn#steps(ρ,n)≤i. Applying the copycat property (see Proposition 2), we construct an
265
executionρ0:γ00 −→∗ rγ0 such thatγ00 has one node more thanγ0, and, focusing on the nodes
266
(since we are in a reconfigurable setting, edges in the configuration are not important), γ0
267
coincides with γ, with an extra node n labelled by q. We then disconnect all nodes and
268
extend with a transitionγ0−−→n,!a rγ00, which makes only progress nodenfromqto qi+1; the
269
resulting execution is denotedρ00. Then:
270
1. L(γ00) =Si∪ {qi+1}=Si+1,
271
2. #nodes(ρ00) =c(Si) + 1 =c(Si+1),
272
3. maxn#steps(ρ00,n) ≤ maxn#steps(ρ,n) + 1 ≤ i+ 1; Indeed, the active length of the
273
copycat node alongρ0 coincides with the active length of some existing node along ρ, and
274
it is increased only by 1 inρ00.
275
This proves the induction step in the first case.
276
Case 2: There exists q, q0, q00∈Si withq−→?a qi+1 andq0 −!a→q00. The idea is similar to
277
the previous case, but one should apply the copycat property twice, to bothqandq0. We
278
formalize this.
279
We apply the induction hypothesis to step i, and exhibit an execution ρ : γ0
−∗
→r γ
280
such thatL(γ) =Si,#nodes(ρ) =c(Si) and maxn#steps(ρ,n)≤i. Applying the copycat
281
property (see Proposition 2) twice, to bothqandq0, we construct an executionρ0:γ00 −→∗ rγ0
282
such thatγ00 has two nodes more thanγ0, and, focusing on the nodes,γ0 coincides withγ,
283
with one extra nodenlabelled byqand one extra noden0 labelled by q0. We then connect
284
nodesnandn0 and disconnect all other nodes, and extend with a transition γ0 n
0,!a
−−−→rγ00;
285
this makes nodenprogress fromqtoqi+1 and noden0progress fromq0 toq00; all other nodes
286
are unchanged; the resulting execution is denotedρ00. Then:
287
1. L(γ00) =Si∪ {q00, qi+1}=Si+1 sinceq00∈Si,
288
2. #nodes(ρ00) =c(Si) + 2 =c(Si+1),
289
3. maxn#steps(ρ00,n)≤maxn#steps(ρ,n) + 1≤i+ 1; Indeed the active length of any of
290
the copycat node alongρ0 coincides with the active length of some existing node alongρ,
291
and it is increased by at most 1 inρ00.
292
This proves the induction step in the second case, which allows to conclude the proof of the
293
lemma. J
294
To conclude the proof of Theorem 5, we recall that Algorithm 1 is sound and complete:
295
Sm is the set of states that can be covered. Hence, from Lemma 6, we deduce that if
296
COVERr(P, F)6=∅, then there isρ∈COVERr(P, F) such that:
297
1. L(γ) =Sm;
298
2. #nodes(ρ) =c(Sm)≤ |I|+ 2m≤ |I|+ 2(|Q| − |I|) = 2|Q| − |I|;
299
3. maxn#steps(ρ,n)≤m≤ |Q| − |I|.
300
Therefore#steps(ρ)≤ #nodes(ρ)
·
maxn#steps(ρ,n)
≤2|Q|2, so that we established
301
the desired bounds for Theorem 5.
302
3.2 Upper bounds on cutoff and covering length for lossy networks
303
Perhaps surprisingly, Algorithm 1 also computes the set of states that can be covered by
304
lossy executions. Concerning coverable states, the reconfigurable and lossy semantics thus
305
agree. In Section 4, we will show that reconfigurable covering executions can be linearly
306
more succinct than lossy covering executions.
307
ILemma 7. Algorithm 1 returns the set of coverable states for lossy broadcast networks. In
308
particular,COVERl(P, F)6=∅ iffF∩S6=∅.
309
Indeed, we haveExecl(P)⊆Execr(P). ThereforeCOVERl(P, F)6=∅impliesCOVERr(P, F)6=
310
∅and by Lemma 4, we concludeF∩S6=∅. The other direction of Lemma 7 is a consequence
311
of the following theorem.
312
ITheorem 8. LetP = (Q, I,Σ,∆)be a broadcast protocol, and F⊆Q. IfS∩F6=∅, then
313
there exists ρ∈COVERl(P, F)with #nodes(ρ)≤2|Q|and#steps(ρ)≤2|Q|2.
314
Before going to the proof of Theorem 8, we show a copycat property for the lossy
315
broadcast networks, as a counterpart of Proposition 2 for the lossy semantics. Since the
316
communication topology is static in lossy networks, the following proposition explicitly relates
317
the communication topologies in the initial execution and its copycat extension.
318
IProposition 9(Copycat for lossy semantics). Given ρ:γ0→lγ1· · · →lγr an execution,
319
with γr = (N,E,L), for every q ∈ L(γr), for every nq ∈ N such that L(nq) = q, there
320
exists s ∈ N and an execution ρ0 : γ00 →l γ10 · · · →l γs0 with γs0 = (N0,E0,L0) such that
321
|N0|=|N|+1, there is an injection ι :N→N0 with for every n∈N, L0(ι(n)) =L(n), and
322
for the extra node nfresh ∈N0\ι(N),L0(nfresh) =q, for every n∈N,nfresh∼0ι(n) iffnq ∼n,
323
#steps(ρ0,nfresh) =#steps(ρ,nq), and#nonlost_steps(ρ0,nfresh) = 0.
324
Proof. First notice that, from our definition of lossy semantics, the topology should be the
325
same in γ0 and in γr, hence we can write γ0 = (N,E,L0), and more generally, for every
326
i, γi = (N,E,Li). Define N0 as a finite set such that |N0| =|N|+ 1, and fix an injection
327
ι:N→N0. Writenfresh for the unique element ofN0\ι(N). SetL00(ι(n)) =L0(n) for every
328
n∈N, andL00(nfresh) =L0(nq). Define the edge relationE0 by its induced edge relation∼0
329
such thatι(n)∼0ι(n0) iffn∼n0, andnfresh∼0ι(n0) iffnq ∼n0.
330
The idea will then be to makenfresh follow whatnq is doing. Roughly, ifnq is receiving a
331
message to progress, then we will connectnfreshto a relevant node to also receive the message;
332
ifnq is broadcasting a message, then we will makenfresh broadcast a message and lose, so
333
that no other node is impacted.
334
Formally, we will show by induction on ithat for every 0≤i≤r, there is an execution
335
ρ0i : γ00 →l γ01· · · →l γf(i)0 for some f(i), such that L0i(ι(n)) = Li(n) for every n∈ N and
336
L0i(nfresh) =Li(nq). The initial casei= 0 is obvious. We then assume that we have constructed
337
a relevant ρ0i for some i < r, and we will extend it to ρ0i+1 as follows. We make a case
338
distinction depending on the nature of the stepγi→lγi+1:
339
Assume γi
−−→n,!a l γi+1 is a broadcast message with nq 6= n, then ρ0i+1 is obtained by
340
extendingρ0i with the broadcastγf(i)0 −−−−→ι(n),!a γf(i)+10 , with the condition that it should
341
be lost if and only if it was lost in the original execution. For checking correctness, we
342
distinguish two cases:
343
the broadcast message was not lost, andnq ∼n. Then, it is the case thatnfresh∼0ι(n),
344
hencenfresh also receives the message. By resolving properly the nondeterminism, we
345
can make the label ofnfresh become the same as the label ofnq inγf(i)+10 . Note also
346
that all nodes inι(N) can progress to the same states as those ofNin γi+1;
347
the broadcast message was lost, ornq6∼n, then it is the case that the label ofnq has
348
not been changed inγi
−−→n,!a lγi+1, and so will the label of the fresh node inγf(i)0 .
349
Assume γi n
q,!a
−−−→l γi+1 is a broadcast message, then we extend ρ0i with the two steps
350
γf(i)0 ι(n
q),!a
−−−−−→ γ0f(i)+1 −−−−→nfresh,!a γf(i)+20 (resolving nondeterminism in a similar way as in
351
γi nq,!a
−−−→lγi+1), and we make the last broadcast lossy whereas the broadcast fromι(nq)
352
is lossy if and only if it was lossy inγi→lγi+1.
353
This concludes the induction. Notice that in the constructed execution, nodenfresh does not
354
make any real sending. J
355
For any configurationγ= (N,E,L) and a noden, we writeL(n) =×ifnis not important
356
anymore in the execution, in other words all the required conditions inγ0 such thatγ−→∗ lγ0
357
are still satisfied whateverL(n) is.
358
Recall the saturation algorithm and the ordering of the sets and the states: S0 =
359
I, S1, . . . , Sm=S are the sets after each iteration andqiis the state such thatqi∈Si\Si−1
360
for all 1≤i≤m. We will refine the construction from the proof of Lemma 6 (in the context
361
of reconfigurable broadcast networks), and build inductively a lossy execution covering all
362
states inSi. Since the topology is static, some nodes which have “finished their jobs” will
363
remain connected to other nodes, and may therefore continue to change states (contrary to
364
Lemma 6 where they could be fully disconnected). Hence, in every such execution, every
365
stateq∈Si (which is then covered by the execution) will have a main corresponding node,
366
whose label will remainq. All nodes which are not the main node of a state will be assigned
367
×, since their labels will become meaningless.
368
We formalize this idea in the lemma below. However, for better understanding, we
369
also illustrate this inductive construction of a witness execution in Figure 4 on the simple
370
broadcast protocol from Figure 3. Configurations are represented vertically: they involve 10
371
nodes, and the communication topology is given for the first configuration only, for the sake
372
of readability. To save space, several broadcasts (of the same message type, from different
373
nodes) may happen in amacrostepthat merges several steps. This is for instance the case in
374
the first macrostep, whereais being broadcast from the node in setS1, as well as from the
375
first node in setS2. Dashed arrows are used to represent that a node is not involved in some
376
macrostep and thus stays in the same state. In the execution, the nodes that are performing
377
a real broadcast are colored yellow, the ones which receive a message are colored gray, and
378
blue nodes indicate the main nodes for the coverable states.
379
ILemma 10. For every stepiof the refined saturation algorithm, there exists a configuration
380
γ= (N,E,L)and an executionρ:γ0
−→∗lγ such that:
381
L(γ)\ {×}=Si and#nodes(ρ) =c(Si),
382
maxn#steps(ρ,n)≤i andmaxn#nonlost_steps(ρ,n)≤1,
383
for everyq∈Si, there existsnmainq ∈Nsuch that
384
L(nmainq ) =qand#nonlost_steps(ρ,nmainq ) = 0,
385
nmainq ∼nimpliesL(n) =×, and if n∈ {n/ mainq |q∈Si}, thenL(n) =×.
386
Proof. We do the proof by induction on i. The case i = 0 is obvious, by picking one
387
main node per initial state inI, and by disconnecting all nodes; hence forming an initial
388
configuration satisfying all the requirements.
389
To prove the induction step, we distinguish two cases: depending on whetherqi+1 was
390
added as the target state of a broadcast action !afrom someq∈Si; or whetherqi+1 is the
391
target state of a reception from someq∈Si with matching broadcast between two states
392
already inSi.
393
Case 1: There exists q∈Si withq−!a→qi+1. We apply the induction hypothesis to step
394
i, and exhibit the various elements of the statement. Applying the copycat property for
395
lossy broadcast systems (that is, Proposition 9) with node nmainq , we build an execution
396
ρ0 : γ00 −→∗ lγ0 such thatγ0 = (N,E,L0) with |N0|=|N|+ 1, and an appropriate injectionι.
397
The fresh nodenfresh is connected to nodes to whichnmainq was connected before; hence, by
398
induction hypothesis, it is only connected to nodes labelled with×. Then we extendρ0 with
399
γ0 −−−−→nfresh,!a γ00 and lose the message (this is for condition#nonlost_steps(ρ,nmainq ) = 0 to be
400
satisfied). We declarenmainqi+1=nfresh. All requirements forγ00are easily checked to be satisfied
401
(when a node is labelled with×in γ0, then it remains labelled by×inγ00).
402
Case 2: There exist q, q0, q00 ∈ Si such that q −→?a qi+1 and q0 −!a→ q00. We apply the
403
induction hypothesis to stepi, and exhibit the various elements of the statement. Applying
404
twice the copycat property (that is, Proposition 9), once with nodenmainq and once with
405
q0 q1
q2
q3 q4 q5
q6 ?c !b ?a !a ?b !c
Figure 3Illustrating example for the saturation algorithm.
S0
S1
S2
S3
S4
S5
S6
q0
q0
q0
q0
q0
q0
q0
q0
q0
q0
q1
×
q2
q2
q2
q0
q0
q0
q2
q2
q2
q1
q1
q1
q2
q3
×
q4
q4
q4
q2
q4
q4
q3
q5
×
q6
q0
q1
×
q2
q3
×
q4
!a lost
!a
?a
?a
?a
!a lost
!a lost
!a lost
?a !b
lost
!b lost
!b
?b
?b
?b
!c lost
!c
?c
Figure 4Applying saturation algorithm on protocol in Figure 3 in lossy semantics. Configurations are represented vertically; for readability, macrosteps merge several broadcasts.
nodenmainq0 , we build an executionρ0:γ00 −→∗ lγ0 such thatγ0= (N,E,L0) with|N0|=|N|+ 2,
406
and an appropriate injection ι. The two fresh nodes nfresh andn0fresh are only connected
407
to×-nodes inγ0 (by induction hypothesis on nmainq andnmainq0 respectively). We transform
408
γ00 intoγ000 by connecting the two nodes nfresh andn0fresh. By Proposition 9, we know that
409
those two nodes don’t perform any real sending (i.e., #nonlost_steps(ρ0,nfresh) = 0 and
410
#nonlost_steps(ρ0,n0fresh) = 0), hence this new connection will not affect the labels of the
411
nodes, and we can safely apply the same transitions as inρ0 from γ000 to get an execution
412
