We discuss two methods for describing distributed algorithms. First, we have the array speci cation relying on the notion of an array-based system [ 17 ]. An array-based system is a transition system where a con guration, or system state, is represented as a collection of arrays whose length is not a priori bounded and whose i-th elements represent the state of process pi. Array-based systems can be enriched by adding to variables representing arrays also variables representing shared data, like integers, Booleans, etc. This is the more natural and widely applicable approach, and is well suited for parameterized systems; this formalization is adopted by tools like MCMT [ 18 ] and Cubicle [ 10 ]. Relevant properties need quanti ers to be expressed: for instance, the violation of mutual exclusion is expressed as 9z19z2 (z1 6= z2 ^ a[z1] = critical ^ a[z2] = critical) (1) where a maps every process to its location.

Counter systems is the formalization we take into consideration in this work. In a counter system, we can only use integer variables to describe the system state, i.e., we can just count the number of processes which are in each possible location (or, more generally, satisfying a predicate). The method is suitable in case the behavior of a process in a reactive parameterized system is driven by conditions of the type: if (number of received messages is in [min, max])

then perform action; where action can be a location change, a message send, etc. The counters speci cation may be used when processes are indistinguishable, and it does not matter \who" performs an action but rather \how many" do it (so called thresholdguarded algorithms [ 20, 21 ]). Counter speci cations have been used to formalize broadcast protocols [ 12, 16 ], cache coherence protocols [ 13 ] and are the basic formalism accepted by automata-based tools like FAST [ 3 ]. The main advantage of counter speci cations is that only integer variables are used; quanti ers are not needed (for instance in this setting (1) can be formulated simply as critical > 1), so much more support is available from existing solvers. The drawback is that this approach may not be expressive enough: when processes are structured as a ring, as a linear order or as a graph, nothing can be done within it. Even in case processes are unstructured, the use of counters models may require some form of abstraction. Take for instance a byzantine environment: correct processes either send or do not send a message to all other processes, but byzantine faulty processes may behave non-symmetrically, i.e. they may maliciously send corrupted messages only to a subset of processes in order to fool them. In this case, it is not su cient just to count the number of processes having sent a message. This problem may be overcome by introducing some form of abstraction (see below, or see the interval abstractions of [ 20 ] for another solution); abstractions, however, may cause spurious behavior, so in principle there is no guarantee that counters formalizations may work when they are combined with such abstractions. Otherwise said, abstractions produce just simulations, in the formal sense explained above.

On the other hand, in order for array-based model-checkers to be able to perform in a natural way arithmetic reasoning about the cardinality1 of the set of processes satisfying certain properties, an integrated framework (combining cardinality constraints and array-like speci cations) would be desirable. The problem is not that of changing the formal model (array-based systems are appropriate), but to enrich the logic supported to reason about such formal model. The enrichment should be appropriately designed to combine expressivity with computational e ciency (see [ 1 ] for recent promising results in this direction). 2.2

Whereas for array speci cations the Model Checker Modulo Theories (MCMT) [ 18 ] is our reference tool, for counter speci cations, it is possible to use also other SMT-based model-checkers (we choose Z [ 19 ] and nuXmv [ 6 ]) because counter speci cations only involve integer variables. In detail: - MCMT is an SMT-based model checker able to verify the properties of in nitestate reactive parameterized systems. Although speci cally designed for array1This is required, for example, to express resilience properties, i.e., assumptions of the kind \at most k processes will fail", where k is a symbolic constant (see below for a more detailed discussion on this).

based systems, it can handle counter speci cations too. MCMT exploits Yices [ 15 ] as the underlying SMT-solver. It has suitable options for abstraction/re nement search; however, MCMT abstraction is tailored to arraybased systems and so MCMT abstraction is too peculiar to be really operative in case of pure counter speci cations. On the other hand, MCMT implements also some form of acceleration; by using acceleration the tool may become competitive for counter speci cations, because it is able to describe in one shot the e ect of executing some loops any nite number of times. - Z is the Z3 module operating with Horn clauses speci cations; the formalism of Horn clauses is becoming a common speci cation language for model checkers. Using this formalism, we can specify the safety problems addressed in the counter speci cations of this paper. As a search mechanism, Z employs an IC3-based algorithm - a sophisticated abstraction/re nement search driven by the property to be checked. - nuXmv is the evolution for in nite-state systems of the symbolic model checker NuSMV; it uses MathSat as the underlying SMT-solver and implements state-of-the-art abstraction/re nement algorithms like IC3.

Of course, a comparison of the di erent tools is not easy and is not our main goal. Our aim is more modest: we just want to show that, by introducing rather natural and simple modeling techniques, current SMT-technology can successfully deal with our benchmarks. 3

Let G be a group of cooperating processes. The Reliable Broadcast problem requires that, when a process in G sends a message m, either all the correct processes in G deliver m to their users, or none of them delivers m, in spite of failures. In CBA, processes may prematurely stop performing any action; the halt may occur in the middle of a broadcast. In SOBA, processes may either crash, or transiently omit to send some messages requested by the algorithm. In GOBA, processes in addition may transiently omit to receive some messages. A correct process is a process that does not fail in any way for the whole algorithm Algorithm 1 Pseudo-code for CBA and SOBA Initialization: if (p is the sender) then estimate[p] else estimate[p] state[p] undecided; End Initialization m; coord id[p] ?; coord id[p] run. More formally, an algorithm correctly solves the Reliable Broadcast problem if it satis es the Agreement property: Agreement: If a correct process decides to deliver a message m, then all correct processes decide to deliver m.

To guarantee the algorithm correctness, up to t processes may fail (resilience), with t N 1 for CBA and SOBA, and t (N 1)=2 for GOBA. The system must be synchronous, in the sense that both the time for a message to arrive to its destination, and the time for a process to execute an algorithm step, are upper bounded. Hence, the algorithms evolve in rounds whose length is nite. For the sake of space, in this work we focus on the modelization of SOBA through counter systems; similar mechanisms are used for GOBA, while CBA is a special case. The pseudo-code for both CBA and SOBA is reported by Algorithm 1: by ignoring the underlined instructions, CBA is obtained; for SOBA, consider all the instructions in the pseudocode regardless of the fact that they are underlined or not. In [ 2 ], the discussion of how to model both CBA and SOBA using the array-based method is reported.

The counters modelization uses only global variables that count how many processes are in a certain state. In particular, we count (i) the number of either correct or faulty undecided processes owning or not the message m to be reliably broadcast to the group of processes (undC=F (m= ?)),2 (ii) the number of either correct or faulty processes that have decided (decC=F (m= ?)), (iii) the round number, and (iv) the number of either requests or nacks received by the current coordinator. Initially, the round number is 1, no process has undertaken any action, and only the sender { which is also the rst coordinator { owns m. This is described by initializing (undC(m) + undF (m)) = 1. The unsafe formula to be refuted, negating the Agreement property, is expressed as: ' = (decC(m) > 0 ^ decC(?) > 0).

In Round 1, every type and number of undecided processes may send a request, and the steps are freely interleaved. As an example, the guard enabling the transition of undecided correct processes with no message is: // prototype of a state update transition if (round = 1) then 1: undC(?) undC(?) 1; 2: req(?) req(?) + 1; 3: doneC(?) doneC(?) + 1; The support variables doneC=F (m= ?) are used to count the number of undecided processes that perform a transition, and to restore the appropriate initial values when switching to the successive round, with updates of the form undX(y) doneX(y), while the done variables are reset to 0. The round is incremented when all processes are moved to done, that is, when undC(m) + undF (m) + undC(?) + undF (?) = 0.

An interesting aspect is the modeling of send-omission failures. When using array theory, MCMT implicitly adopts the crash failure model [ 2 ], in that transitions describe the actions of alive processes. The behavior of faulty processes only omitting to send messages is fully described, whereas faulty crashed processes do nothing since their crashing (and if transitions do not cover all the possible cases, then the processes falling into the unspeci ed cases are considered crashed). The above solution is based on an (implicit) quanti ers relativization technology, which is not available anymore when counter abstractions are adopted; so in counter systems, we have to maintain the accounting of all the processes. To this purpose, in every round we added transitions similar to the prototype above but without line 2: a faulty process may omit to send the request but it is counted among the triggered processes. Processes that crash are modeled as processes that { from the failure on { only perform those transitions.

Many kinds of transitions may be accelerated by changing the state of d processes (rather than 1) at a time, for any d greater than 0 and not greater than the global number of processes involved in the transition. In this case, the prototype above would be: // prototype of an accelerated state update transition if (round = 1 ^ 9d; 0 < d undC(?)) then

1: undC(?) undC(?) d; 2 Thus e.g. undC(m) counts the number of undecided correct processes owning m, whereas undF (?) counts the number of undecided faulty processes not owning m, etc. 2: req(?) req(?) + d; 3: doneC(?) doneC(?) + d; As an important heuristics, some model checkers (like MCMT) are supposed to produce by themselves the above accelerated form in order to prevent divergence and to speed up the veri cation for all possible values of the variable d in the indicated range, thus reproducing all cases of subsets of processes sending their requests and subsets of processes failing to do this. This acceleration does not introduce spurious traces.

A critical aspect of counter modelization is the determination of the most recently distributed estimate (lines 4, 8 of Algorithm 1). We describe the solution we adopted in our simulating model. If the coordinator receives just one type of requests (i.e., either req(m) = 0 or req(?) = 0), then that value is taken as the estimate e. Otherwise, two global variables lastE and agC are used. The former is set to e every time the current coordinator succeeds in sending its estimate to at least one process. The latter is initialized to 0 and set to 1 the rst time a coordinator reaches a correct process, which will report the estimate to all the successive coordinators. In the successive phases, if f lagC > 0 then the coordinator takes lastE as its estimate; otherwise, the algorithm behavior is nondeterministic: both e = m and e = ? are allowed.

Di erently from the array-based implementation, there is no memory about what processes are or have already taken the role as a coordinator: this is an example of an abstraction we are forced to make because of the adoption of counters formalization (this abstraction, fortunately, does not introduce spurious behavior). In Round 2, both cases of a correct and a faulty coordinator are explored, depending on whether the corresponding sets of processes are not empty. The two branches are distinguished by properly setting a global ag correct coordinator. In the case of a correct coordinator, all undecided processes adopt its estimate in one transition, and Round 3 is skipped, according to the following code (where e is supposed equal to m): if (e = m ^ correct coordinator) then

undC(m) undC(m) + undC(?); undF (m) undF (m) + undF (?); In the case of a faulty coordinator, transitions adopt the schema of the prototype above, so that processes are allowed to update their estimate { and their state and associated counter is changed accordingly { or alternatively to move to done thus simulating the send-omission failure of the coordinator. Moreover, at any time a transition allows to move to the successive round (describing the case where no further messages are sent by the coordinator). The residual number of undecided processes not yet triggered is the number of processes enabled to send a nack. This is modeled similarly to Round 1, with the simpli cation that it is su cient one process sending the nack to switch to the successive round. Round 4 (di usion of the Decide by the coordinator) is modeled after Round 2. 3.2

In [25], an algorithm implementing a broadcast primitive for byzantine failures (BBP) is proposed, aiming at substituting authentication obtained by unforgeAlgorithm 2 Byzantine broadcast primitive Initialization: k round number when p broadcasts m ; Round k:

Phase (2k-1): process p sends Init(p,m,k); Phase 2k: 8 process does: if (received Init(p, m, k) from p in Phase 2k 1) then send Echo(p, m, k) to all; if (received Echo(p, m, k) from N t distinct processes in Phase 2k) then Accept(p, m, k); Round r k+1: 8 Phase (2r 1), 2r: 8 process does if (received Echo(p, m, k) from N 2t distinct processes in previous phases ^ not sent echo yet) then send Echo(p, m, k) to all; if (received Echo(p, m, k) from N t distinct processes in this and previous phases) then Accept(p, m, k); able signatures. Byzantine failures allow faulty processes to behave arbitrarily, i.e. omitting to send and/or receive messages, sending messages with a wrong content, or even coalescing to fool correct processes. The resilience in this case is t (N 1)=3. The algorithm attempts to achieve its goal through the re-di usion of a message m sent by a source p, on behalf of the receiving processes, trying to aggregate a majority of correct processes supporting the acceptance of m. The pseudo-code is supplied by Algorithm 2. The algorithm aims at guaranteeing the following properties: Correctness: If a correct process p broadcasts (p,m,k) in round k, then every correct process accepts (p,m,k) in the same round.

Relay: If a correct process accepts (p,m,k) in round r k then every other correct process accepts (p,m,k) in round r + 1 or earlier.

Unforgeability: If process p is correct and does not broadcast (p,m,k), then no correct process ever accepts (p,m,k).

This algorithm signi cantly di ers from those in sec.3.1. All algorithms are synchronous. Yet, in the previous algorithms, for each round a di erent kind of message is exchanged, and all messages of that type must arrive within that round. By contrast, in BBP just one type of message is exchanged, i.e. the Echo messages, and processes consider the cumulative number of Echo's received so far. This is the reason why in our model we abstract from the round value, and just di erentiate two phases: (i) initialization, depending on the property to be validated, and executed just once; (ii) actions undertaken by correct processes depending on the number of Echo's each one of them received so far. The evolution of correct processes is reproduced by continuously triggering the transitions of phase (ii).

In our model, we consider di erent process states depending on the received messages. For correct processes, four states are possible: the initial state (IT ), the receivedInit (RI) state, the sentEcho (SE) state and the Accepted (AC) state. Fig. 1 represents the state transitions: arcs are labeled with a pair htriggering event, performed actioni { with one of the two elements possibly empty { and describe all the possible interleavings of events. In our counter speci cation, four global variables named after the states are used to count the number of processes in each state. According to Algorithm 2 and to the number of received Echo's, correct processes move from one state to the other as shown in Fig. 1. These transitions are modeled simply by updating the number of processes in the four states, and accumulating the number of newly generated messages, which will be counted by the processes successively (phase (ii)).

The behavior of faulty processes is modeled indirectly through a global variable F counting the number of Echo's generated by faulty processes and received by the correct process taking the next transition. F is updated by two transitions that may freely interleave with the others, which respectively increment or decrement F while always guaranteeing that 0 F t. The decrement is the abstraction we introduce to describe the possibility that a faulty process does not send its messages to all the correct processes (the abstraction consists in the fact that in this way we allow messages to be in a sense \withdrawn"). In our experiments, this abstraction does not introduce spurious behavior (for a di erent abstraction, using interval abstract domains, see [ 20 ]). It is worth to notice that correct processes are unable to distinguish whether an Echo was generated by either a correct or a faulty process. Hence, in the transitions modeling correct behavior, just the cumulative value (SE + F ) is considered.

As far as the validation is concerned, we produced one model for every property to be validated; all models include the same transitions and they di er just in the initialization. Unforgeability is a safety property, while both Correctness and Relay are liveness properties. Yet, most of the available in nite-state model checkers are not able to verify liveness properties. In order to deal with this problem, we change liveness properties into safety properties by exploiting the round indication in the assertion: since the round where the 'good event' (i.e. the event mentioned in the liveness property) has to take place is known, the problem can be reformulated as a safety property (even better, as a bounded model checking property). In the following, for each property we supply both the corresponding unsafe formula, and the initial state: { Correctness: the unsafe formula is: 'C := ((SE+F ) < (N t)^(IT +RI) = 0). Initially all correct processes are in RI state. { Unforgeability: the unsafe formula is: 'U := (AC > 0). Initially all correct processes are in IT state. { Relay: to refute acceptance on behalf of the correct processes, it must be the case that either (i) there are still processes in IT but the Echo messages are not su cient to move them to either SE or AC state; or (ii) there are still processes in SE state but the Echo messages are not enough to move them to AC state. The two conditions above are described by the following unsafe formulas, which are checked separately: 'RA := ((SE + F ) < (t + 1) ^ IT > 0 ^ RI = 0) 'RB := (AC < (N t) ^ (IT + RI) = 0 ^ (SE + F ) < (N t)): For both RelayA and RelayB, initially the number of Echo's sent by correct processes equals SE + AC and processes may be in whatever of the four states, but it must be AC > 0. 4