Algebraic Trace Theory ee249.2 - Donald Pederson · Algebraic Trace Theory EE249 Roberto Passerone...
Transcript of Algebraic Trace Theory ee249.2 - Donald Pederson · Algebraic Trace Theory EE249 Roberto Passerone...
October 21, 2002 ee249 1
Algebraic Trace Theory
EE249Roberto Passerone
Material from: Jerry R. Burch, “Trace Theory for Automatic Verification of Real-Time Concurrent Systems”, PhD thesis, CMU, August 1992
October 21, 2002 ee249 2
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 3
Abstract Algebra
x + 3 = 5( x + 3 ) + ( -3 ) = 5 + ( -3 )x + ( 3 + ( -3 ) ) = 2x + 0 = 2x = 2
When is it that the solution of a linear equation is unique?
October 21, 2002 ee249 4
Uniqueness of Solution
“Addition” is associativeThere is an identity elementThere is an inverse for each elementNo need for commutativity!Axiomatic approach: don’t define the objects, define their properties
Group = (D, f, id, inv) with the properties above
Many possible examples:Integers under addition (Z, +, 0, -)Positive reals under multiplication (R+, x, 1, -1)Permutations under functional composition (F, °, Id, -1)
October 21, 2002 ee249 5
Algebraic Approach
The properties of the functions must be true in any implementation of the algebra
Hence they allow you to prove general facts that are independent of the particular implementation of the algebra
For example, uniqueness of solutions for linear equations
We will represent models of computation as instances of an algebra and prove general facts
The algebra gives as a tradeoff between generality and structure
October 21, 2002 ee249 6
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 7
Objective
Create models for agent behaviorsStudy the relationships between different models
October 21, 2002 ee249 8
A Concrete Model
Define a domain of agentsThe set of finite state automata
Defines an interface for each agentA set of signal names
Defines a mechanism for instantiating agentsA signal renaming function
Defines a mechanism for combining agentse.g. product machine
Defines a mechanism for encapsulating agentsHide local signal names from the interface
October 21, 2002 ee249 9
An Abstract Algebraic Model
Concurrency Algebra = (D, ||, proj, rename)Domain of agent (carrier set)Operation of parallel composition on agentsOperation of projection on agents
encapsulation, scopingOperation of renaming on agents
instantiation
Note: we don’t say what the carrier and the operations are, just that they must exist!But we must provide some properties that we want satisfied
October 21, 2002 ee249 10
Concurrency Algebra
Let W be a set of signal names
A signature γ = ( I, O ) is a pair where I and O are subsets of W
We call the set A = I ∪ Ο the alphabet of a signature γEach agent in D has an associated signature γ
October 21, 2002 ee249 11
Definition of the functions
If O and O’ are disjoint, then E || E’ is defined and the signature is
( ( I ∪ I’ ) – ( O ∪ O’ ), O ∪ O’ )
If I ⊆ B ⊆ A, then proj( B )( E ) is defined and its signature is ( I, O ∩ B )
If r is a renaming function with domain A, then rename( r )( E ) is defined and its signature is ( r( I ), r( O ) ) (where r is naturally extended to sets)
October 21, 2002 ee249 12
Axioms
C1. Associativity of composition( E || E’ ) || E’’ = E || ( E’ || E’’ )
C2. Commutativity of compositionE || E’ = E’ || E
C3. Application of renaming functionsrename( r )( rename( r’ )( E ) ) = rename( r ° r’ )( E )
October 21, 2002 ee249 13
Axioms
C4. Renaming and parallel composition commute
rename( r )( E || E’ ) = rename( r|A )( E ) || rename( r|A’ )( E’ )
C5. Identity of renamingrename( idA )( E ) = E
C6. Application of projectionsproj( B )( proj( B’ )( E ) ) = proj( B )( E )
October 21, 2002 ee249 14
Axioms
C7. Identity of projectionproj( A )( E ) = E
C8. Projection and parallel composition commute
proj( B )( E || E’ ) = proj( B ∩ A )( E ) || proj( B ∩ A’ )( E’ )
C9. Projection and renaming commuteproj( r( B ) )( rename( r )( E ) ) = rename( r|B )( proj( B )( E ) )
October 21, 2002 ee249 15
Concurrency Algebra• Set of agents• Parallel composition of agents• Projection of agents• Renaming of agents
Algebra of Agents
Concurrency AlgebraA
Model of agents
October 21, 2002 ee249 16
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 17
Objective of Trace Theory
Start from models of individual behaviorsConstruct models of agents that form a concurrency algebraConstruct relationships between models of agents from relationships between individual behaviorsAgain we use an algebra to define a model of individual behaviors
October 21, 2002 ee249 18
Concurrency Algebra• Set of agents• Parallel composition of agents• Projection of agents• Renaming of agents
Trace and Trace Structure Algebras
Concurrency AlgebraA
Model of individual behaviors
Model of agents
Trace algebraC
Trace Algebra• Set of traces• Projection of traces• Renaming of traces
October 21, 2002 ee249 19
What Is a Trace?
An element of a set of objects with the following two operations
projectionrenaming
Satisfying a set of axiomsYou must see a pattern here
Don’t define the objects, define their properties!
A trace algebra is a mathematical structure (a set plus the operations) that satisfies the axiomsExamples of traces?
October 21, 2002 ee249 20
Trace Algebra
A trace algebra Cc over W is a triple ( BC, proj, rename ) where
For every A ⊆ W, BC( A ) is the set of traces over AAlso use BC to denote all tracesproj( B ) and rename( r ) are partial functions from BC to BC
October 21, 2002 ee249 21
Axioms of Trace Algebra
T1. Definition of projectionproj( B )( x ) is defined if there is A such that x ∈ BC( A ) and B ⊆ A. When defined proj( B )( x ) is an element of BC( B )
T2. Application of projectionproj( B )( proj( B’ )( x ) ) = proj( B )( x )
T3. Identity of projectionIf x ∈ BC( A ) then proj( A )( x ) = x
October 21, 2002 ee249 22
Axioms of Trace Algebra
T5. Definition of renamingrename( r )( x ) is defined iff x ∈ BC( dom( r ) ). When define, rename( R )( x ) is an element of BC( codom( r ) )
T6. Application of renamingrename( r )( rename( r’ )( x ) ) = rename( r ° r’ )( x )
T7. Identity of renamingIf x ∈ BC( A ) then rename( idA )( x ) = x
October 21, 2002 ee249 23
Axioms of Trace Algebra
T9. Projection and renaming commuteproj( r( B ) )( rename( r )( x ) ) = rename( r|B )( proj( B )( x ) )
T4. Diamond propertyLet x ∈ BC( A ) and x’∈BC( A’ ) be such that
proj( A ∩ A’ )( x ) = proj( A ∩ A’ )( x’ ).For all A’’ ⊇ A ∪ A’ there is x’’ ∈ BC( A’’ )
such that x = proj( A )( x’’ ) and x’ = proj( A’ )( x’’ )
October 21, 2002 ee249 24
Examples of trace algebras
CI = ( BCI, projI, renameI )
For every A, the set of traces BCI( A ) of
traces over A is A∞ (finite and infinite sequences over A)projI( B )( x ) is the sequence formed by removing every symbol a not in B (the sequence shrinks)renameI( r )( x ) is the sequence formed by applying r to each element of the sequence
October 21, 2002 ee249 25
Examples of Trace Algebras
The singleton { xo }Here all behaviors are the same. It conveys no information
BC( A ) = 2A
proj( B )( x ) = x ∩ Brename( r )( x ) is the natural extension to setsAbstracts time and retains only occurrence information
October 21, 2002 ee249 26
Examples of Trace Algebras
BC( A ) = ( 2A )ω
proj( B )( x ) is intersection with BEvents carry a time stamp (Tagged Signal Model)
BC( A ) = { x( t ) | x : R+ → 2A }Real-valued time stampsProjection is the restriction of the image
October 21, 2002 ee249 27
Examples of Trace Algebras
Interpret the set of signals A as a set of state variables
A state is an assignment σ : A → V where V is the set of possible values of the state variablesBC( A ) = ( A → V )ω
Sequence of assignment functionsProjection is a restriction of the domain of the assignment function
October 21, 2002 ee249 28
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 29
Concurrency Algebra• Set of agents• Parallel composition of agents• Projection of agents• Renaming of agents
Trace and Trace Structure Algebras
Trace structure algebraA
Model of individual behaviors
Model of agents
Trace algebraC
Trace Algebra• Set of traces• Projection of traces• Renaming of traces
A trace structurecontains a set
of traces
October 21, 2002 ee249 30
Constructing agents
We want to go from individual behaviors to models of agentsWe want the model of agents to be a concurrency algebra
Set of agents, with parallel composition, projection and renaming satisfying the axioms
Naturally if a trace is an individual behavior, and agent is a set of those behaviors
October 21, 2002 ee249 31
Trace Structures
A trace structure (or agent) over a trace algebra C is the set of ordered pairs ( γ, P ) where
γ is a signature over W (reminder: γ = ( I, O ) )A is the alphabet of γP is a subset of BC( A )
In other words, P is a set of traces over the alphabet AEach trace in P represents a possible behavior of the agent
October 21, 2002 ee249 32
Let Τ be a set of trace structures (agents)A Trace Structure Algebra is the 4-tuple ( Τ, ||, projTS, renameTS ) where
For T’’ = T || T’: γ’’ = (( I∪I’ ) – (O ∪ O’), O ∪ O’)P’’ = { x ∈ BC( A’’ ) : projT( A )( x ) ∈ P and projT( A’ )( x ) ∈ P’ }projTS( B )( T ) = ( ( I, O ∩ B ), projT( B )( P ) )renameTS( r )( T ) = ( ( r( I ), r( O ) ), renameT( r )( P ) )
An Algebra of Trace StructuresNote: ||, projTS and renameTS denote operations on trace structures, which are derived from the corresponding operations on individual traces projT and renameTNote: the operations on individual traces projT
and renameT are naturally extended to sets of traces
October 21, 2002 ee249 33
Example
BC( A ) = A∞
T = ( ( { a, b }, ∅ ), { abab } )T’ = ( ( { b, c }, ∅ ), { bcb } )
T’’ = T || T’P’’ = { x ∈ BC( A’’ ) : proj( A )( x ) ∈ P and proj( A’ )( x ) ∈ P’ }P’’ = { abacb, abcab }
Note: P’’ is maximal such that its projections correspond to the agents that are being composed
October 21, 2002 ee249 34
Example
BC( A ) = ( 2A )ω
T = ( ( { a, b }, ∅ ), { <{ a, b }, { a }, { b } > } )T’ = ( ( { b, c }, ∅ ), { < { b }, { c }, { b } > } )
T’’ = T || T’P’’ = { < { a, b }, { a, c }, { b } > }
Note that under this trace algebra (with time stamps) we don’t get non-determinism due to interleaving semantics
October 21, 2002 ee249 35
Example
BC( A ) = ( 2A )ω (also = N → 2A )T = ( ( { a, b }, ∅ ), { < { a }, { a }, { b } > } )T’ = ( ( { a, b }, ∅ ), { < { b }, { a }, { b } > } )
T’’ = T || T’Need P’’ ⊆ BC( A ) such that
proj( A )( P’’1 ) = { a } andproj( A )( P’’1 ) = { b }
Obviously this isn’t possible when projection is defined as set intersection
In other words, T and T’ are “incompatible”
October 21, 2002 ee249 36
Theorem
If C is a Trace Algebra, then the Trace Structure Algebra derived from C is a Concurrency Algebra
I.e. the operations of parallel composition, projection and renaming satisfy the axioms of concurrency algebra
Note: the result is independent of the particular Trace Algebra (models of behaviors) that we start from
October 21, 2002 ee249 37
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 38
Trace structure algebraA’
Trace algebraC’
“Abstract” Domain
Trace structure algebraA
Trace algebraC
“Detailed” Domain
Trace and Trace Structure Algebras
ΨΨΨΨu ΨΨΨΨlΨΨΨΨinv
Goal: Study the problem of heterogeneous interactionFormalize the concepts of abstraction and refinement
October 21, 2002 ee249 39
Relationships between modelsEach semantic domain has a refinement order
Based on trace containment
T1 ⊆ T2 means T1 is a refinement of T2
Guiding intuition: T1 ⊆ T2 means T1 can be substituted for T2
Abstraction mappingIf a function H between agent domains is monotonic, detailed implies abstract: If T1 ⊆ T2 then H(T1) ⊆ H(T2)
Analogy for real numbers r and s: If r ≤ s then r ≤ s
Conservative approximationsA pair of functions Ψ = (Ψl, Ψu) is a conservative approximation if Ψu(T1) ⊆ Ψl(T2) implies T1 ⊆ T2
Analogy: r ≤ s implies r ≤ s
Abstract implies detailed
October 21, 2002 ee249 40
Conservative Approximations
if Ψu( Timpl ) ⊆ Ψl( Tspec ) then Timpl ⊆ Tspec
Intuitively Ψu( Timpl ) is an upper bound of the implementation (has more behaviors)Intuitively Ψl( Tspec ) is a lower bound of the specification (has less behaviors)Hence we are being conservativeFalse negatives are possible. False positives are ruled outThe verification at the more abstract level should be easier
October 21, 2002 ee249 41
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphisms
October 21, 2002 ee249 42
Constructing Approximations
How do we build a conservative approximation?As before, we prefer to work at the level of the individual behavior
October 21, 2002 ee249 43
Trace and Trace Structure Algebras
Trace structure algebraA’
Trace structure algebraA
Trace algebraC
Trace algebraC’
Homomorphismh ΨΨΨΨu ΨΨΨΨl
ΨΨΨΨinv
“Abstract” Domain
“Detailed” Domain
Let Tspec and Timpl be trace structures in A. Then
if ΨΨΨΨu( Timpl ) ⊆⊆⊆⊆ ΨΨΨΨl( Tspec ) then Timpl ⊆⊆⊆⊆ Tspec
Derive
October 21, 2002 ee249 44
Homomorphisms on Traces
Let C and C’ be two Trace AlgebrasA homomorphism h is a function from the traces in C (BC) to the traces in C’ (BC’) such that h commutes with the operations of projection and renaming
h( proj( B )( x ) ) = proj’( B )( h( x ) )h( rename( r )( x ) ) = rename’( r )( h( x ) )
The homomorphism h is in general many-to-oneHence C’ is in general more abstract than C
October 21, 2002 ee249 45
Commutative Diagram
x proj( B )( x )apply proj
x’apply proj’h( x )
apply h apply h
x’ = h( proj( B )( x ) ) = proj’( B )( h( x ) )
October 21, 2002 ee249 46
Building the Upper Bound
Let P be a set of traces, and consider the natural extension to sets h( P ) of hClearly P ⊆ h-1( h( P ) )
Because h is many-to-oneThis indeed is an upper bound!Equality holds if h is on-to-one
Hence defineΨu( T ) = ( γ, h( P ) )
October 21, 2002 ee249 47
Building the Upper Bound
P
h(P)
h-1( h( P ) )
October 21, 2002 ee249 48
Building the Lower Bound
We want P ⊇ h-1( lb of P )If x is not in P, then h( x ) should not be in the lower bound of PHence define
Ψl( T ) = h( P ) – h( BC( A ) – P )
There is a tighter lower bound
October 21, 2002 ee249 49
Building the Lower Bound
h( BC(A) – P )
BC( A ) - P
h-1( h( P ) - h( BC(A) – P ) )
h( P ) - h( BC(A) – P )
October 21, 2002 ee249 50
Theorem
The pair of functions just defined forms a conservative approximation
if Ψu( Timpl ) ⊆ Ψl( Tspec ) then Timpl ⊆ Tspec
This is an example of a conservative approximation induced by a homomorphism
October 21, 2002 ee249 51
Examples of homomorphisms
From BC( A ) = A∞ to BC( A ) = 2A
h( x ) = { a | a appears in x at least once }
Prove that this is a homomorphismMust show it commutes with projection and renaming
What do the upper and lower bounds look like?
October 21, 2002 ee249 52
Outline
IntroductionConcurrency AlgebrasTrace AlgebrasTrace Structure AlgebrasConservative ApproximationsHomomorphismsConservative Approximations: inverses
October 21, 2002 ee249 53
Approximations: Inverses
Apply Ψu
ΨΨΨΨu
Consider T such that
Ψu(T) = Ψl(T) = T’
ΨΨΨΨl
Apply Ψl
October 21, 2002 ee249 54
Approximations: Inverses
Apply Ψu
ΨΨΨΨu
Then Ψinv(T’) = T
Consider T such that
Ψu(T) = Ψl(T) = T’
ΨΨΨΨl
Apply Ψl
October 21, 2002 ee249 55
Can be used to embed
high-level model in low
level
Approximations: Inverses
Apply Ψu
ΨΨΨΨinv
Then Ψinv(T’) = T
Consider T such that
Ψu(T) = Ψl(T) = T’
Apply Ψl
October 21, 2002 ee249 56
Combining MoCs
Want to compose T1 and T2 from different trace structure algebras
T1 T2
Construct a third, more detailed trace algebra, with homomorphisms to the other twoConstruct a third trace structure algebraConstruct cons. approximations and their inversesMap T1 and T2 to T1’ and T2’ in the third trace structure algebraCompose T1’ and T2’ΨΨΨΨinv
T1’
T2’
October 21, 2002 ee249 57
Combining MoCs
Want to compose T1 and T2 from different trace structure algebras
T1 T2
Compose T1’ and T2’Get T’’Project back to T1’ and T2’Map back in the abstract domain
Find restrictions due to the interaction at the higher level (constraint application)Find greatest possible T1 and T2that still have the same interaction (don’t cares, synthesis)
ΨΨΨΨinv
T1’
T2’T’’
October 21, 2002 ee249 58
Key Insight
Using this process you canFind restrictions due to the interaction at the higher level (constraint application)Find greatest possible T1 and T2 that still have the same interaction (don’t cares, synthesis)
October 21, 2002 ee249 59
A Sample of Trace AlgebrasA*( (A) - {∅})*
pomsets(A)(A → V)* (sf: stutter free)(A → V)*( (A))*
→ ((AV → V) rrrr (AE))tomsets((AV --> V) rrrr (AE)) (sf)(A → V)2
→ (A → V)→ (A)→ (A*)
A → {0, 1, X}((AV --> V) rrrr ( (AC) - {∅}))* (sf)(A x V)*
Interleaving semanticsExplicit simultaneityPartial order modelsState based asynchronous timeState based synchronous timeEvent based synchronous timeMetric timeNon-metric timePre-postState based discrete timeEvent based discrete timeDiscrete time with interleavingCombinationalGALSInterleaving with values