Eﬃcient CSP Model Checking for Symbolic State-space Exploration with application in bacterial chemo-taxis modelings

Event locality is a class of theory that can clearly minimizes the memory and time required to store the state space. We present the multi-way decision diagrams to encode the next-state functions based on event locality and CSP’s stable failure. Instead of studying symbolic overall model, we apply the above thinking to the set of sub-models. Furthermore, we focus on saturation algorithms for CSP theory. And the algorithms consist of two phases, the universal process’s saturation checking and the single CSP symbol’s saturation checking. In the former case, the algorithms discuss better iteration strategy and recursive local ﬁx-point computations. In the latter case, the the single CSP symbol’s saturation checking calls the former algorithms, being combined preformed events and refusal events. Finally, we discuss bacterial chemotaxis modeled in CSP’s framework and saturation checking used to check the predeﬁned properties. The all algorithms are implemented in CSP tool FDR, the running results show that our algorithms often perform signiﬁcantly faster than other conventional algorithms. represented. Explicit techniques store states by graphs, trees, where each state is explored linearly. Symbolic techniques store sets of states by BDDs (Binary Decision Diagrams), where the reachable set of states are explored sub-linearly. But the combinatorially expanding state space is solved diﬃcultly for both techniques. There are some progresses in symbolic techniques, but the limitations of memory and time are still remain.


Introduction
For safety-critical systems, such as railway system and flight system, small failure may lead to huge economic losses and even threaten the human life. Such systems require a relatively high reliability. However, testing and debugging are traditional method to verify the key properties in these systems, and only a little behaviors of systems can be examined. This requires researchers to employ new available means to overcome difficulties.
Formal methods are differentiated from other methods in that their specification and verification are based on a rigorous mathematical foundation, which guarantees a high degree of correctness. The internal algorithms in verification rely on the knowledge of reachable state space of systems. Unfortunately, many of them do not support very large state space. So researchers fall into two categories:explicit techniques and symbolic techniques, according to whether state-space are generated and represented. Explicit techniques store states by graphs, trees, where each state is explored linearly. Symbolic techniques store sets of states by BDDs (Binary Decision Diagrams), where the reachable set of states are explored sub-linearly. But the combinatorially expanding state space is solved difficultly for both techniques. There are some progresses in symbolic techniques, but the limitations of memory and time are still remain.
Researchers have addressed the limitations in a number of aspects. One direction has focused on disjunctionpartitioned transitions, which shift from global transitions to local transitions. The local transitions mean only finding part of transitions, rather than all of transitions. They have touched on the concept of event locality inherent in asynchronous systems. Event locality shows that researchers can explore the given subsystems which can be fired by some events [1]. Furthermore, it is applied in the area of generating state-space recently, also studied by MDDs [2][3][4]. The application breaks through the restriction of the traditional symbolic techniques that explore reachable states and often is limited to a relatively specific range.
The above studying target the reduction of practicable state-space, whereas the saturation based algorithms are committed to finding the set of states satisfy the properties. In contrast with breath-first search, they can employ the idea of "event locality", named "saturation-based iteration strategy" [5][6][7][8]. The advantages of strategy are clear, that are they can speed up the operation by only exploit the relevant sub-models [9][10][11][12]. CSP is a high-level formal language whose fundamental thought is the refinement of processes due to traces and failures. The CSP theory has advantages on describing the various interactions and verifying the concurrent properties of processes. In this paper, we attempt to apply the saturation-based iteration strategy to CSP model checking. It may been put into full application through the two technologies of Kronecker encoding of the next-state function and saturation-based iteration strategy [13]. The former technology need professional mathematics knowledge [14,15], and the steps are more complicated. Thus, we try to reduce unnecessary steps. In view of the fact that an modified constrained saturation based exploration has state-insertion operations, we incorporate them into the framework of the CSP's traces and stable failure.
The remainder of this paper is organized as follows. Sect. 2 gives the background on CSP, MDDs, discretestate model. In Sect. 3, we use next-event functions instead of next-state functions in MDDs, where the locality theory is based on stable failure. Sect. 4 describes the conventional checking for CSP. Sect. 5 proposes our framework of saturation checking of CSP and provides the detailed algorithms on it. Sect. 6 proposes the application on the biological system-arterial chemotaxis. In Sect. 7, the new approaches are apply to typical models. According to the results reported in the table 1, our approaches are more memory-efficient and requires less time. Finally, Sect. 8 states our conclusions and future research thinking.
2 Background and related work 2.1 Communicating sequential process (CSP) In CSP, the event is a smallest unit that allows to describe the action of system, and the process consists of many events. Event occurs instantaneously and lasts a very short time, so we do not care about the duration, but rather, temporal logic is what we are concerned with. In this paper, we write the event in lower-case letters and the process in capitals. In the aspect of syntax, the CSP defines the structure of each symbol in detail. For example, • a → P : The process first executes the event a, then behaves like process P . If the process does nothing, the P is never performed.
The process first executes a event of event set A, then behaves like P (x) according to what event of A is firstly choosed.
• c!v → P/c?x : T → P (x): The input event c?x : T or the output event c!v are executed before the P or P (x), respectively.
• P \A: In addition to hiding the event set A, the process performs P .
So far, the symbols we have described above are related to one process whose events are given in a linear fashion. In the following, we introduce the processes which give alternative behaviors.
• P Q: P Q executes the events of P (or Q)sequentially if the first external event is from P (or Q).
• P Q: There is non-deterministic internal choice involved in the operator. P Q behaves like P or Q non-deterministically. The first event is internal event, which is not exposed to the interface.
• P Q: Suppose process P contains event set E P , and process Q contains event set E Q . means P and Q execute in parallel, but both processes agree on the events in E P ∩ E Q .
• P A B Q: P and Q perform the event set B and the event set A, respectively, but processes agree on the events in A ∩ B.
• P | Q: The process carries out P and Q independently. But P and Q do not communicate any common events.
• P 1 ; P 2 : Process P 1 and P 2 are executed sequentially. For environment, P 1 is offered firstly and then P 2 is given. P 1 ; P 2 perform P 2 until P 1 's execution is completed.
• P 1 ∆P 2 : In P 1 ∆P 2 , P 2 can interrupt P 1 's execution at any time.
In the above theoretical framework, we introduce the different operators from the view of process. But this theory alone is not broad enough to describe the behaviour of system. So refusals set is introduced. Once the events are chosen, there are some events that not required to perform. These events are refusal events.
The refusal theory is more interested in the refusal event set after performing the trace. So to describe the idea, we introduce the pair (Tr, X) which indicates that the process first communicates the events of trace Tr then to refuse the event set X. It is defined as follows: where SF is stable failure. It is easier to understood by the following expressions: Essentially, this implies that P refuses the event set X after P performs T r and behaves like P . However, P means that P is a stable process which contains no internal events.

Discrete-state model
Based on state model Ŝ , s init , ℵ α , ε , we define discrete-state model Ŝ , s init , ℵ α,X , ε, X , whereŜ is the state space in which each s ∈Ŝ = s k , s k−1 , ..., s 1 , which implies the global state s ∈Ŝ is partitioned into k local states for k submodels; the initial states s init ∈Ŝ;ε is a finite set of asynchronous events;X is the refusal event set;the next-state function ℵ α,X is based on ℵ α , which means that α is disabled before the event set X is refused in next-state function ℵ.
Accordingly, ℵ −1 α and ℵ −1 α,X express inverse next-state functions. In many cases, the next-state function ℵ is expressed as a union ℵ = ∪ e∈ξ ℵ(e, s), where ℵ(e, s) is the set of successor states reachable from state s via event e. If ℵ(e, s) holds, event e is enabled in s, otherwise, event e is disabled. The next-state ℵ(e, s) can also expressed as the cross-product of k local functions, i. e. , The reachable state space is often referred to as the smallest set where s is usually the initial state s init and S is a forward and transitive closure. Moreover, the relationship between local states and global states can be represented by encoding the characteristic function Instead of studying symbolic overall model, we apply the partition is a thought that enables us to use symbolic techniques based on decision diagrams.

Multi-way decision diagrams (MDDs)
In above introductions, we specify the finite-state asynchronous system. We are not restricted to the whole system, however, we can extend our notation to systems and subsystems, global states and local states, as well as next-state functions and inverse next-state functions. BDDs are the most widely used directed, acyclic graphes that are widely used to store and manipulate sets of states. Instead of studying more details on BDDs, we employ the version of MDDs, which extend BDDs with discrete integer-valued variables. More specifically, they are in form of quasi-reduced canonical formats.
Formally, a quasi-reduced MDD is a directed acyclic edge-labeled graph, where • Nodes are distributed in the several levels, which expressed as {k, ..., 1, 0}.
• Only one root node k|r is at level k, whereas one or more nodes belong to levels k − 1 through 1. Two terminal nodes 0, 0 and 0, 1 are at level 0.
The node at level k is k|p , where p is defined as index of node k|p to make it different from other nodes. Node k|p can be reached from a sequence (i k , ..., i 1 ) ∈ S k × ... × S 1 , where we argue that S k × ... × S 1 to represent cross-product, that is of k local state spaces: The node at level k is recursively defined as Due to the complexity, the model we often considered is partitioned into k smaller interacting sub-models. Likewise, the global state s ∈Ŝ is also written as s = i k , i k−1 , ..., i 1 , which stands for local states.

Next-event functions of MDDs
The next-state functions of MDDs are defined via concept of local transitions between states. We have Level L through 1 and Level L through 1 defined that correspond to "from" states and"to" states. In asynchronous system, locality is a key property built on the fact that events are independent of most levels. Even a event fired, the value of i k (∀i k ∈ S k ) may be not changed.
The local state analysis with parameter is that: which means the local influence for event α on sub-model k. ℵ k,α is the next-state function corresponding to the event α of the event set ξ at level k.
The impact of event α on the global state is: Conceptually, for the global state, we can compute each local state (i k , ..., i 1 ) at level k, ..., 1 encoding the effect of firing α in them.
In this paper, we use the next-event function to describe the next event's forward and backward transition instead of states. For convenience, the next-event function is also denoted by ℵ. The failure theory defines refusal event sets in processes and uses trace T r to record the performed events. Process executes trace T r before refusal event set. On infiltrating the idea of failure theory into next-state function to redefine the impact of trace T r on the global state: We denote transition (α 1 → α 2 → ... → α n ), where n is the number of events contained in the trace, and α ∈ ε. Additionally, we discuss global events α 1 = α 1 1 , ..., α k 1 ,..., α n = α 1 n ..., α k n on the subsystems. For instance, local event α 1 1 indicates the effect of the global event α 1 on the subsystem 1. Every global event is composed of k local events. Similar to this, global refusal event set X is expressed as X = (X 1 , ..., X k ), where X 1 , ..., X k is local refusal event at level 1, ..., k.
In the saturation strategy, we fire events node-wise, bottom-up per iteration. It has several key properties. Firstly, it allows a "from the button level to the top level" order of nodes which satisfies the assigned condition. Moreover, instead of firing events in level-wise heavyweight image computation of global strategies, we fire events in chained lightweight of local next-state function. The node α is saturated if a fix-point is reached with respect to firing any irrelevant events of all levels above k: and k refers to the level of node α. The image computation ℵ is the set of states: The locality and saturation apply to complicated asynchronous systems. We redefine the MDD encoding local next-event function and stable failure theory.
Denote by T op(T r, X)/Bot(T r, X) the highest/maximum levels on which α affects, with -The root node of MDD is selected from T op (α), T op (A) and T op (tr, X).
-T op (α) are the highest/maximum levels on which α affects.
-T op (A) are the highest/maximum levels on which the event set A affects, with Affection means that its firing will change the value of i k at level k(1 ≤ k ≤ K). Let join the record of T r and refusal event set in the transition. Denote by T op (tr, X)/Bot (tr, X) the highest/lowest levels on which the stable failure (T r, X) affects. The root node of MDD is selected from T op(α), T op(A), T op(T r, X). Let The value of Inter (α), Inter (A) and Inter (tr, X) present the characteristics of discretization. Now, we can build a MDD for each event's transition. For the event MDDs can be merged by levels: If the "from" state level k ∈ Inter (α), k appears on every path that α affects.
If the "to" state level k ∈ Inter (α), k could appear on every path that α affects, or not.

Conventional saturation checking for CSP
In Conventional checking of CSP, we formulate the process in 2 steps: trace T r checking and refusal event set checking. In order to perform local events at each level on each sub-model, we encode local next-event functions each ℵ k,α as a incidence matrices: Similarly, the inclusion holds at each level: .
We explore the state-space by inverse next-event functions. For CSP, the elementary unit is process. So we start our checking from process checking. The stable failure of P is expressed as (Tr(P ), X(P )). The event array of P is defined as {α 1 ...α n } in chronological order, where n is the number of events. In fact, every event corresponds to a global state. After completing the process event sequences of P , the process refuses to perform any event contained in X(P ). X(P ) lists as X P 1 , X P 2 , ..., X P m , where m is the count of X(P ).
Algorithm 1 A traditional saturation checking procedure of P Sat 1 (P, Tr (P ) , X (P )) : set of states Declare χ: set of states get event from the event array of P in reverse order set Tr(P ) = {α 1 , ..., α n } In Algorithm 1, we start from χ(α n ), which is the set of states satisfying the last event of event array, then compute whether intersection of the next state set of α n and refusal event set X(P ) is empty. After that, the intersection of the afterimage of the explored states and the set of states satisfying the i th event of event array are added to the event set χ repeatedly until χ does not change. The new event is alive on the promise of the occurrence of previous events. The chain of events is arranged in the sequence of the time when event occurred.
In our approach, we assume that the process can be partitioned into n events. Each enabled(P ) is expressed as a conjunction of single enabled events. Hence, we express the enabled process, the condition under which the process is triggered successfully, as where α j = produce −1 (α j+1 , ℵ(α j+1 )), i = 1, 2, ..., n − 1.
To describe the connection between the new events and old events, we also study the chain of events by utilizing next-event functions. Note that this requires us to identify events(the member of process) that can occur, because the events actually executed are changed. A process for both the enabling events and the events that have bubbled to the surface, which only affects specific sets, is expressed by making use of the definition just introduced. One important point corresponds to the fact that environment allows to "enable" the events of P . In other words, the refusal set X and the events of P have no elements in common. The function "produce" means that the events satisfied equation really happened. Even if the events have been enabled, they may not happened.

Saturation checking for CSP
The next event α j should not only be a "member" of process P , but also satisfies the next-event function whose independent variable is α j . That is, Thus, the MDD structure for (1) is the common part of two corresponding structures. The inverse next-event function is considered as a form of dynamic MDD structure. And the events of process resulted from different dynamic actions of submodels. So the MDD encoding next-event function is a composite of multiple level structure. The above approaches have to rely on intersection after each event, which has been fired in inverse order of Tr(P ). However, the challenge arise from the expensive operation of intersection and too large a space range. To overcome these difficulties, we modify the algorithms heavily. In our implementation, the levels of MDD rely on hierarchical decomposition of the process P . We add constraints to inverse next-event function, where the process P holds in all nodes along the paths in MDD. Its saturation checking is unlike the traditional property checking, as the executing events of process are changing. The liveness property and reachable property are the two significant proven natures in formal methods. And the process P is consistently satisfied, that is a kind of liveness at some degrees. We attempt to integrate liveness into inverse next-event function: ifp == N then continue the process of the nextState; elseif return 0; do while l p ← p 1 's level l v ← v's level from high level to low level if l p > l v then for each α p ∈ ε lp do M ← nextState(α p ← dw, v); elseif l p < l v then α N ∈ ε ln do M ← nextState(p 1 , α n ← dw); elseif l p = l v then for each α p ∈ ε lp , α n ∈ ε ln do M ← nextState(α p ← dw, α n ← dw); add M to cache as solutions for p 1 and ℵ return M ; We assume that the process P is referred as a MDD pattern p. The term α n means in general the last event of process P . We translate a compound event into equivalent small events. There are overlaps between MDD encoding process P and MDD structure encoding the verified system. For convenience, the result is answered by combing simple results. In other words, we determine the satisfactory repeating elements at each level, lastly, aggregate these results. To conserve strong range in traditional methods, the contained events are used to bound the implementation. The process P confirms the extent of checking. Every subsystem restricts the iteration to every transition. In this paper, we can sure about the location of last event in the MDD or candidated events which may be satisfied. We must confirm all events are included in the system to address. The steps can be summarized into three steps: (1)Check if the refusal events are contained in the forward transitive MDD; (2)Evaluate the sub-MDD in each transition; (3)Assign the sub-MDD to every level on the basis of the second step;  if α v2 ∈ l v2 then continue the process of nextStateSaturate else return 0; repeat if f == 1 and produce(α v2 , ℵ(α v2 )) = 0 then check if produce(α v2 , ℵ(α v2 )) ∈ l v2 then mdd z ← TransProd(produce(α v2 , ℵ(α v2 )), α v2 , ℵ(α v2 , 1)); elseif f == 0 and produce −1 (α v2 , ℵ(α v2 )) = 0 check if produce −1 (α v2 , ℵ(α v2 )) ∈ l v2 then mdd z ← TransProd(produce −1 (α v2 , ℵ −1 (α v2 )), α v2 , ℵ −1 (α v2 , 1)); M ← union(z, M ); until M do not change; add M to Cache as solution for p 2 and v 2 . return M ; The second method has a choice of forward transition or backward transition. We test whether the newly created events belong to the collection of events at their own level step by step. We first set up the set of events T r(P ) and refusal set X(P ), then saturate the MDD structure that convert the event of P into the set of explored events, finally to combine the results and the saturated pattern representing events. During the procedure, we narrow the search space, which presents transition relationship. The method retains the advantages of event locality and local fixpoint computation by testing the newly generated local event per iteration.

Bacterial chemo-taxis modeling and Its Saturation checking
In previous sections above, we have given a complete framework for the CSP based saturation checking. In this section, we study its application in bacterial chemo-taxis system, which is a typical system. When the amount of signals are produced, they cause the reactions to emerge by external stimuli. The whole procedure is called Bacterial Chemo-taxis. There are two types of actions for escherichia coli: moving towards attractants and away from repellents. We discuss the all sensary pathways and model its conduct. Different proteins suffix with different letters. Because of repellent, these proteins interact to make the bacteria tumbling. Trans-membrane sensory receptors call methylacepting chemo-taxis proteins (MCPs) can detect chemo-tactic signals. Then the chemo-taxis pathway is started. CheW, as an important adaptor protein, is playing the bridge and link role in the process of MCP-CheW-CheA. In the model, the two response regulators-CheY and CheB have been linked together as response consequences by varying degrees of autophosphorylation. During the process, CheA has great significance. A complex interaction between CheY and Film can cause different reactions directions, which cause adverse results for bacteria. The model involves a number of events that are representative of actions in separate directions in pathways. In the whole procedure, we view various biological significant functions, most of them involved with phosphorylation, dephosphorylation, methylation and demethylation.
Considering the system as a closed box, then repellent events and tumble events are external events outside the interface. Different arrows in the diagram indicate different directions of actions.
The total system is described as: where SY ST EM is internal iteration system. The multiple subsystems are described as follows: For example, we denote simple properties to verify: It is easy to see that there are more repellents than tumbles. The saturation-based computation procedure is: Algorithm 5 The saturation-based computation procedure Sat(#(s {repellent}) ≥ (#(s {tumble}) declare χ, χ 1 , χ 2 : set of states divide the set χ into two parts:χ 1 , χ 2 : classify states (α s , x s , χ 1 , χ 2 ); repeat χ 1 ← χ repellent if Saturate (χ 1 , α s ) then counter r + +; if counter r ≥ counter t then return true else return false Based on above property, we want to guarantee that no rumble is refused. The whole property is So we want to perform the process Because the equation a → b ⇔ ¬b → ¬a holds, we equivalently check The brief description of the above process is: In the process, we call the previous saturation-based algorithms, namely the universal process's saturation checking.

Experimental studies
In this section, we compare three approaches:the traditional saturation algorithm, Saturation algorithm 1 (SatP 1 ) and Saturation algorithms 2 (SatP 2 ) by doing experiments. We implemented the proposed approach in FDR and reported on a set of experiments running on an Intel(R) i5-6300HQ 2. 3GHz workstation with 8. 00 GB RAM under windows 10. The state space size for each model is expressed as the number of MDD nodes. Then we record the final memery, peak memory, and the time of CPU. The results are shown in Table 1. The column items is used for the number of iterations.
It can be seen from Table 1 that our algorithms are much faster, as well as require less memory than traditional method. The process is under a constraint, the process P is determinant and reduces the complexity that built next-event function greatly since it starts from candidate events. While our method saturating the MDD nodes, the events not in the process P are gradually eliminated. We discuss diverse manners running in the typical systems and compare the outcomes of experiment. The application of algorithms can be further extended to the whole framework of CSP.

Conclusions
Summarizing, we present a novel approach for saturation based model checking in the framework of CSP in this paper. The sets of states are stored as MDDs equipped with event locality, that is, the advanced fixed-point iteration policy. For biological systems, we use CSP's theories to model the policy in a refinement methodology. Therefore, the saturation algorithm for CSP is also applicable to biological system. Finally, we apply theory to practice and show the application in the context of bacterial chemo-taxis. We discuss desirable properties of our algorithms and analyze the checking procedure. The checking procedure which starts from next-event function, namely layering iteration, provides a efficient testbed for our ideas since it eliminates unreachable system parts.
The results remain unchanged if answer is negative. In the experimental studies, we compare the performances of our novel approaches, using the tool FDR, with previous saturation algorithm. Just as important, the new saturation algorithms tend to use less peak and final memory and less time. The future work is to check the processes that are not limited and a number of different processes directly.