1 Symmetry Symmetry Chapter 14 from “Model Checking” by Edmund M. Clarke Jr., Orna Grumberg, and...

1

SymmetryChapter 14 from “Model Checking”

by Edmund M. Clarke Jr., Orna Grumberg, and Doron A. Peled

presented by

Anastasia Braginsky

March 2012

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel Checking

2

Outline

Introduction

Groups and Permutations

Symmetry & Symmetry Example

Usual representation

Quotient Models & Quotient Models Example

Bisimulation Correctness proof

Model Checking with Symmetry


3

Symmetry

Final-state concurrent systems frequently contain replicated components

• caches,

• bus protocols,

• network protocols

• …

Symmetry uses this fact to obtain reduce models for the system


4

Formal Symmetry

The symmetry in the system implies the existence of nontrivial permutation that preserves both

• the state labeling

• the transition relationS0 S1

S2 S3


5

Formal Symmetry

This can be used to define an equivalence relation on the state space

The quotient model is smaller than the original model and is bisimulation equivalent to that model


6

Group

A group is a set G together with binary operation o on G (the group multiplication), such that:

• Multiplication is associative: a o (b o c) = (a o b) o c

• There is an identity element eG, such that for any element aG, e o a = a o e

• For each element aG, there is an inverse element a-1, such that a-1 o a = a o a-1 = e


7

Subgroup

H is a subgroup of G if H⊆G and H is a group under the multiplication operation of G

If S is a subset of a group G, then <S>, the subgroup generated by S, is the smallest subgroup of G containing every element of S


8

Permutation

A permutation σ on a finite set S is a function that is one-to-one and onto

σ : S S


9

Permutation group

Sym S is the set of all permutations on S

• Sym S forms a group under functional composition

Sym S is called the full symmetric group

A subgroup G of Sym S is called a permutation group on S


10

Kinds of permutations

Two permutations σ1, σ2 are disjoint iff {i | σ1(i)≠i } ∩ {j | σ2(j)≠j } = ø

A permutation that maps i1i2, i2i3, …, ik-1ik, iki1 is called a cycle and is denoted by (i1 i2 … ik)

A cycle of length of two is called transposition

Two disjoint permutations Cycle Transposition

σ1 σ2


11

Permutation presentations

Every finite permutation can be written as a composition of disjoint cycles Every permutation can be written as a composition of transpositions For example consider S = {1,2,3,4,5} and permutation σ given by

13, 24, 31, 45, 52

σ can be written as • a composition disjoint cycles (1 3) o (2 4 5)

• a composition of transpositions (1 3) o (2 5) o (2 4)

The subgroup of Sym S generated by the to permutations (1 3) and (2 4 5):

{ e, (1 3), (2 4 5), (2 5 4), (1 3)(2 4 5), (1 3)(2 5 4) }

1 2 3 4 5

1 2 3 4 5


12

Automorphism

Let M = (S, R, L) be a Kripke structure Let G be a permutation group of on the state space S A permutation σG is an automorphism of M iff σ preserves the transition

relation R Formally, σ should satisfy the following:

σ:

1 2 1 2 1 2, , , ,s S s S s s R s s R

S0 S1 S2

S3S0 S1 S2

S3

S0 S1

S2 S3

S0 S2

S1 S3

S0 S1

S2


13

Automorphism group

G is an automorphism group for the Kripke structure M iff every permutation σG is an automorphism of M

If every generator of the group G is an automorphism of M, then the group G is an automorphism group for M


14

Token Ring Algorithm

One component process Q Many component processes P

Both P and Q have the following Kripke structure:

States:

• n – noncritical section initial state for P

• t – has the token initial state for Q

• c – critical section

n t c

r (receive token)

s (send token)


15

Composition Q||P

Q || P t , n

Q sends token,

P receives

token

Q || Pn , t

P sends token,

Q receives

token

Q || P n , c

Q || P c , n


16

Duplicate process P, i times

Q || P1||…||Pi

t , n, … , n

Q sends token,

P1 receives token

Q || P1||…||Pi

n , t, … , n

P1 sends token,

Q receives token

Q || P1||…||Pi

n , c, … , n

Q || P1||…||Pi

c , n, … , n

Q P1

P2PI

…

…

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingBack to Q||P composition

σ is an automorphism of Q||P

17

Q || P t , n

Q sends token,

P receives

token

Q || Pn , t

P sends token,

Q receives

token

Q || P n , c

Q || P c , n

n,t t,n c,n

n,cn,t t,n c,n

n,c

σ:


Usual behavior offinite-state systems

States are determined by the values (from domain D) of a set of state variables x1, x2, …, xn

• For example, a state of Q||Pi is an (i+1)-touple from domain {n,t,c}

When extracting a Kripke structure from such systems:

• S⊆D k In Q||P example: k=2, S = { (x1=n, x2=t), (c, n), (t, n), (n, c)}

• R⊆S xS In Q||P example, R = { ( (x1=n, x2=t), (x1=t, x2=n) ), ( (t,n), (n,t)) … }

• dJ ∈L(s) ⇔ xi=dJ In Q||P example: L( (x1=n, x2=t) ) = {n, t}

18


Usual automorphism representation

The automorphism group is given as a group acting on the indices of the state variables

In Q||P example σ is the transposition (1 2)

A permutation σ acting on the set of indices {1, 2, …, n}, defines a new permutation σ’ acting on states in Dn in the following manner:

σ‘( (x1, x2, …, xn) ) = (xσ(1), xσ(2), …, xσ(n))

σ = (1 2)

x1=di x2=dj x2=di x1=dj

19

n,t t,n c,n

n,cn,t t,n c,n

n,c

σ':

x1, x2 x1, x2 x1, x2 x1, x2

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingQuotient Models

G is a permutation group acting on the set S

s is an element of S, s∈S

The orbit of s is the set

θ(s) = { t | ∃σ∈G ( σ(s)=t ) }

A representative of orbit is denoted

rep(θ(s)) ∈ θ(s)

Intuitively, the quotient model is obtained by collapsing all the states in one orbit to a single representative state

20

σ1 σ2

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingQuotient Models - formally

M = (S, R, L) is a Kripke structure

G is an automorphism group acting on S

The quotient structure MG = (SG, RG, LG):

• SG = {θ(s) | s∈S} the set of orbits of the

states in S (groups of states)

• RG = { (θ(s1), θ(s2)) | (s1, s2) ∈R }

• LG( θ(s) ) = L( rep(θ(s)) )21

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingRepresentatives choice

RG is independent of the chosen representatives

• Because G is an automorphism group

However, LG is not independent of the chosen

representatives

Restrict the attention to automorphism groups, that are also invariance groups

22

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingInvariance group

G is an invariance group for an atomic proposition p iff the set of states labeled by p is closed under the permutations of G

Formally:

• An automorphism group G of a Kripke structure M = (S, R, L)

is an invariance group for atomic proposition p iff

• (σ∈G) (s∈S) ( p∈L(s) ⇔ p∈L(σ(s)) )

p is an invariant under G

23

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingBack to example

G = <(1 2)> is the group generated by permutation on indexes (1 2)

G is an automorphism group of Q||P

The orbits induced by G are

{(t,n), (n,t)} and {(c,n), (n,c)}

24

Q || P t , n

Q sends token,

P receives

token

Q || Pn , t

P sends token,

Q receives

token

Q || P n , c

Q || P c , n

n,t t,n c,n

n,cn,t t,n c,n

n,c

σ=(1 2):

x1, x2 x1, x2 x1, x2 x1, x2

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingExample’s quotient model

Pick the states (t,n) and (c,n) as representatives

25

t,n c,n


Duplicate process P, i times

The Kripke structure corresponding to Q||Pi has 2(i+1) reachable states

The permutation group G=<(1 2 … i+1)> is an automorphism group for Q||Pi

G also induces only two orbits

26

Q || P1||…||Pi

t , n, … , n

Q sends token,

P1 receives token

Q || P1||…||Pi

n , t, … , n

P1 sends token,

Q receives token

Q || P1||…||Pi

n , c, … , n

Q || P1||…||Pi

c , n, … , n

…

t,n,…n n,t,…n c,n,…n

n,c,…nt,n,…n n,t,…n c,n,…n

n,c,…n

σ = (1 2 … i+1) ↓x1,x2,…xi+1

…

…

x1,x2,…xi+1 x1,x2,…xi+1 x1,x2,…xi+1

…

…

SAME QUOTIENT

MODEL!


Explicit and quotient modelsare equivalent

We want to prove that:

• If a temporal specification f has only invariant propositions,

• Then f can be safely checked in the quotient model

27

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingBisimulation relation

Is a binary relation between state transition systems, which behave in the same way in the sense that one system simulates the other and vice-versa

equivalence between models that strongly preserves CTL* (-calculus)

If M1 M2 then for every CTL* formula , M1 |= M2 |=

28


Bisimulation Relation- formally

Let M=(S,R,L) and M’=(S’,R’,L’) be two structures with the same set of atomic propositions AP. A relation B⊆SxS’’is a bisimulation relation between M and M’ iff

For all s and s’, if B(s,s’) then the following holds:

1. L(s) = L’(s’)

2. s1 such that R(s,s1) there is s’1 such that R’(s’,s’1) and B(s1,s’1)

3. s’1 such that R’(s’,s’1) there is s1 such that R(s,s1) and B(s1,s’1)

Bisimulation example:

29

a ba’

b’

b’a’

B

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingLemma

Let M=(S,R,L) be a Kripke structure with AP as the set of atomic propositions,

Let G be an invariance group for all propositions in AP

Let MG be the quotient model for M

Let B⊆SxSG be a relation defined by:

• For every sS, B(s,θ(s))

Then, B is a bisimulation relation between M and MG

30

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof -1

Definition:M=(S,R,L) & M’=(S’,R’,L’) have the same

APB⊆SxS’ is a bisimulation relation between

M and M’ iff ∀s,s’, if B(s,s’), then:

1. L(s) = L’ (s’)

2. s1 such that R(s,s1) there is s’1 such that R’ (s’,s’1) and B(s1, s’1)

3. s’1 such that R’ (s’,s’1) there is s1 such that R(s,s1) and B(s1, s’1)

Lemma:

M=(S,R,L): a Kripke structure over AP

G: invariance group for all propositions in AP

MG: the quotient model for M

B⊆SxSG is a relation defined by:

For every s∊S, B(s,θ(s))

B is a bisimulation relation between M & MG

First let’s show that: L(s)=LG(θ(s))

By definition of MG:

LG( θ(s) )=L( rep(θ(s)) )

rep(θ(s))θ(s) there is a permutation σ∈G such that σ(s)=rep(θ(s))

G is an invariance group for all propositions in AP For all pAP,

( p∈L(s) ⇔ p∈L( rep(θ(s)) ) )

Thus: L(s)= L( rep(θ(s)) )=LG(θ(s))


Consider relation (s,t)R

By definition of RG: ( θ(s),θ(t ) )RG

By definition of B: ( t, θ(t ) )B

s

t

θ(s)

θ(t)

B

Lemma:










1. L(s) = L’ (s’)



B


Consider relation ( θ(s),θ(t ) )RG

By definition of θ there must be some rep(θ(t))θ(t)

Let’s denote rep( θ(t) ) as t, need to prove that (s,t)R and B(t, θ(t))

By definition of RG there must be some s1 and t1

such that s1θ(s), t1θ(t), and (s1,t1)R

s1θ(s), t1θ(t) ∃σ1G,∃σ2G, σ1(s)=s1 σ2(t)=t1

G is automorphism group (s1,t1)R (s,t)R

s

t

θ(s)

θ(t)

B

Lemma:










1. L(s) = L’ (s’)



B

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingIt can be also proven that

If B(s,s’) is a bisimulation, then for every CTL* formula f,

s ⊨ f s’ ⊨ f

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingCorollary

Let M be a structure defined over AP and let G be an invariance group for AP

Then for every sS and every CTL* formula defined over AP

M,s ⊨ f MG,θ(s) ⊨ f

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingTheorem

Let M=(S,R,L) be a Kripke structure

Let G be an automorphism group of M

Let f be a CTL* formula

If G is an invariance group for all the atomic propositions p occurring in f

Then M,s ⊨ f MG,θ(s) ⊨ f

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof (some definitions)

M is defined over AP and f is defined over AP’⊆AP

The restriction of M to AP’ is the structure M’=(S,R,L’) that is identical to M, except that for sS, L’(s)=L(s)∩AP’

For every CTL* formula defined over AP’ and for every sS

M,s ⊨ f M’,s ⊨ f

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof

Let M’G be the quotient model of M’, induced by G

By the definition of quotient model, M’G is the restriction of MG to AP’

Thus for every VSG, MG,V ⊨ f M’G,V ⊨ f G is an invariance group for AP’, so the corollary applies,

thus:

M’,s ⊨ f M’G, θ(s) ⊨ f

Altogether: M,s ⊨ f MG,θ(s) ⊨ f


Model Checking with Symmetry

How to perform the model checking itself?

• Compact explicit Kripke structure

• Use OBDD


Find the reachable set of states

How to find the set of states in an explicit Kripke structure that are reachable from initial states?

• BFS or DFS from the set of initial structures is performed

• Maintain list of reached states and list of unexplored states

• Assume function ξ(q), which maps a state q to the unique state representing the orbit of q

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingAlgorithm

reached := ø;

unexplored := ø;

for all initial states s do

append ξ(s) to reach;

append ξ(s) to unexplored;

end for all

while unexplored ≠ ø do

remove a state s from unexplored;

for all successor states q of s do

if ξ(q) is not in reached

append ξ(q) to reached;

append ξ(q) to unexplored;

end if

end for all

end while

It is important to compute the orbit relation efficiently

• This is as least as hard as the graph isomorphism problem

• Which is in NP, but not known to be NP complete


OBDD as the underlying representation

The construction of the quotient model is more complex

At least

• If R is represented by the OBDD R(v1,…,vk,v’1,…,v’k)

• And σ is a permutation on the state variables (recall the usual representation)

Then, it is straightforward to check that σ is an automorphism of M

Check R(v1,…,vk,v’1,…,v’k) == R(vσ(1),…,vσ(k),v’σ(1),…,v’σ(k))

• R(vσ(1),…,vσ(k),v’σ(1),…,v’σ(k)) is the OBDD representing the transition relation of the permuted structure

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingOrbit relation

Given a Kripke structure M=(S,R,L) and an automorphism group G on M with r generators g1, g2,…,gr

The orbit relation Θ ( Θ(x,y)(xθ(y)) ) is the least fixpoint of the equation:

Least fixpoint:

1. Start from the smallest relation, where each state is in relation with itself

2. Stop when no more iterations of applying the recursive equation add new value

, ( , ) ( ( ))ii

Y x y x y z Y x z y g z

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingLemma 2

The least fixpoint of equation:

Is the orbit relation Θ induced by the group G generated by g1, g2,…,gr

, ( , ) ( ( ))ii


IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof - fixpoint:

Θ has reflexivity and transitivity, therefore:

Θ(x,y) ( x=y ( z( Θ(x,z) Vi y=gi(z) ) ) )

Θ(x,y) Θ(y,x)

By the definition of the orbit relation ∃σG such that y=σ(x)

Let assume x≠y (otherwise the result is immediate)

σG σ is composition of generators, thus y=gk(g’’…g’((x)))

Lets set z=g’’…g’((x)) gk, k≤r, z such that Θ(x,z) and y=gk(z),

therefore:

Θ(x,y) ( x=y ( z( Θ(x,z) Vi y=gi(z) ) ) )

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof – least fixpoint

We want to prove that

• If T is any fixpoint of equation

• Then Θ T

We will prove that Θ(x,y) T(x,y)

46

, ( , ) ( ( ))ii


IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingProof – least fixpoint – cont.

By the definition of the orbit relation Θ(x,y) ∃σG such that x=σ(y)

σG σ is composition of generators, thus σ =gim … gi2 gi1 1≤ij≤r

Because T is a fix point of the equation it can be proved by induction that for every 1≤ l ≤m

T(x, gil (… gi2 (gi1(x)) ) ) holds

For l ≤m we see that T(x,y) holds47

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingComplexity

The size of OBDD for the orbit relation should be bounded

If suitable OBDD is available, this fixpoint equation can be computed

Having Θ, we can compute ξ :S S (unique representative of the orbit)

Assuming we have the OBDD representation of the mapping function ξ, the transition RG:

RG(x,y) = x1y1 ( R(x1,y1) ξ(x1)=x ξ(y1)=y )

48

IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel CheckingSUMMARY!

Formal definitions for symmetry

Formal proof: symmetric quotient model is equivalent

Model checking with symmetry

Formal proof: the recursive orbit calculation is correct

49

Questions?

Thank you!!

50

1 Symmetry Symmetry Chapter 14 from “Model Checking” by Edmund M. Clarke Jr., Orna Grumberg, and...

Documents

Transcript of 1 Symmetry Symmetry Chapter 14 from “Model Checking” by Edmund M. Clarke Jr., Orna Grumberg, and...