Ch2-Modelling Concurrent Systems.ppt -...

Chapter 2:Modelling Concurrent Systems

Prof. Ali MovagharVerification of Reactive Systems

2

Outline

A prerequisite for model checking is to provide a model of the system.

We introduce transition systems, a standard class of models to represent hardware and software system.We explain different aspects for modeling concurrent systems.Finally we explain about the state-space explosion problem encountered in model checking!

3

Transition Systems

Transition Systems (TSs) model the behavior of systems.TSs are directed graphs where nodes and edges represent states and transitions respectively.

4

Transition Systems (Con.)

A state describes information about a system at a certain moment of its behavior:

The current color of a traffic light.The current values of all program variables + the program counter.The current value of the registers together with the values of the input bits.

5


Transitions specify how the system evolvefrom one state to another.

A switch from one color to another (for traffic light).The execution of a program statementThe change of the registers and output bits for a new input.

In following we formally define a transition system.

6


Definition: A transition system TS is a tuple (S,Act,→,I,AP,L) where:

S is a set of states;Act is a set of actions;→⊆ S×Act×S is a transition relation;I⊆ S is a set of initial states;AP is a set of atomic proposition, andL: S → 2AP is a labeling function.

TS is called finite if S, Act, and AP are finite.

7

Transition Systems (Con.)We write instead of .The intuitive behavior of a TS is :

The TS starts in some initial state and evolvesaccording to the transition relation →.Evolution means: if s is the current state, a transition

is selected nondeterministically and taken.Take means: the action α is performed and the TS evolves from state s to state s΄.This procedure is repeated in state s΄ and finishes once a state is encountered that has no outgoing transition.

s sα ′⎯⎯→

(s, ,s )′α ∈→

0s I∈

s sα ′⎯⎯→

8


The labeling function L relates the set of propositions to any state s.

L(s) stands for atomic propositions which are satisfied by state s.Hence, given a propositional logic formula φ, s satisfies formula φ , if L(s) satisfies it:

APL(s) 2∈a AP∈

s | iff L(s) |=ϕ =ϕ

9


Example 2.2: Beverage Vending Machine (BVM)

S={pay,select,coffee,tea}Act={insert_coin,get_coffee,get_tea,τ}

selectcoffee

pay

tea

get_coffee

insert_coin

get_tea

10


The atomic propositions in the TS depends on the properties under consideration.

AP=S, L(s) = {s}, orAP={paid,drink} to verify “The vending machine only delivers a drink after paying”. Hence, L(pay)={}, L(coffee) = L(tea) = {paid,drink}, L(select)={paid}.

11


To formally model a system using LTs, we should define the set of Act and AP.

Actions are only necessary for modeling communication mechanism. When action names are irrelevant (e.g. internal actions), we use symbol τ or even remove it.Propositions are always chosen depending on the characteristics of interest.

12


Let TS= (S,Act,→,I,AP,L) be a transition system. For , , the set of direct α–successor of s is :

Similarly the set of α-predecessor of s is defined by:

s S∈ Actα ∈

Act

Post(s, ) {s S|s s }, Post(s) Post(s, )α

α∈

′ ′α = ∈ ⎯⎯→ = αU

Act

Pr e(s, ) {s S|s s}, Pr e(s) Pr e(s, )α

α∈

′ ′α = ∈ ⎯⎯→ = αU


The notation for the sets of direct successors are expanded to subsets of S ( ):

Similary

13

s C s C

Post(C, ) Post(s, ), Post(C) Post(s)∈ ∈

α = α =U U

C S⊆

s C s C

Pr e(C, ) Pr e(s, ), Pr e(C) Pr e(s)∈ ∈

α = α =U U


State s in transition system TS is called terminal if and only if Post(s)={}.Transition systems modelling a sequential computer program, terminal states represents terminination of the program.

14


The behavior of a transition system is formally defined by the notion of executions (also called runs).Informally, an execution of a TS results from the resolution of the possible non-determinism in the system.

15


Definition: A finite execution fragment σ of TS= (S,Act,→,I,AP,L) is an alternating sequence of states and actions ending with a state:

where n is called the length of execution fragment σ.

16

i 10 1 1 2 n n i i 1s s ... s such that s s 0 i n+α

+σ = α α α ⎯⎯→ ∀ ≤ ≤


An infinite execution fragment ρ of TS is an infinite alternating sequence of states and actions:

A maximal execution fragment is a finite execution fragment that ends in a terminal state or an infinite execution fragment. An execution fragment, started in an initialstate s0∈S, is called initial.

17

i 10 1 1 2 i i 1s s ... such that s s 0 i+α

+ρ= α α ⎯⎯→ ∀ ≤


Example 2.8 : executions of the BVM

ρ1 and σ are initial, while only ρ1 and ρ2are maximal.

18

coin tget coin tget1

tget coin cget2

coin tget coin

pay select tea pay select tea ...

select tea pay select coffee ...

pay select tea pay select tea.

τ τ

τ τ

τ τ

ρ = ⎯⎯⎯→ ⎯⎯→ ⎯⎯→ ⎯⎯⎯→ ⎯⎯→ ⎯⎯→

ρ = ⎯⎯→ ⎯⎯→ ⎯⎯⎯→ ⎯⎯→ ⎯⎯→

σ = ⎯⎯⎯→ ⎯⎯→ ⎯⎯→ ⎯⎯⎯→ ⎯⎯→

get_coffee = cgetget_tea = tgetinsert_coin = coint


Definition: An execution of transition system TS is an initial and maximalexecution fragment.

in example 2.8, ρ1 is an execution while ρ2and σ are not.

19


Definition: A state s∈S is called reachable in TS= (S,Act,→,I,AP,L) if there exists an initial, finite execution fragment

Reach(TS) denotes the set of all reachable states in TS.

20

1 2 n0 1 ns s ... s s.α α α⎯⎯→ ⎯⎯→ ⎯⎯→ =

Sequential Hardware Circuits

Example 2.11: consider the sequential circuit with input variable x, output variable y and register r where

and

21

y (x r)λ = ¬ ⊕ r x rδ = ∨

Sequential Hardware Circuits (Con.)

The circuit behavior is modeled by the transition system TS with state space S=Eval(x,r) where Eval(x,r) stands for the set of evaluations of x and rThe initial states of TS are I={<x=0,r=0>,<x=1,r=0>}.The set of actions is irrelevant and omitted here.

22


The transitions results directly from the functions λy and δr :

For instance if the next input bit (x) equals i=0,1, then

23

x 0, r 1 x i, r 1< = = >→< = = >


AP={x,y,r} and the labeling relation L assign the set of atomic proposition which has a value equal to 1.

The state <x=0,r=1} is labeled with {r} since the circuit function result 0 for y.

24

(x r)¬ ⊕


Alternatively, using the set of proposition AP΄={x,y}, the register evaluation is invisible, we obtain:

L΄(<x=0,r=0>)={y} L΄(<x=0,r=1>)={}L΄(<x=1,r=0>)={x} L΄(<x=1,r=1>)={x,y}We can still formalize the property that “the output bit y is set infinitely often”.

25


This approach can be generalized for the sequential circuits with n input x1,…,xn, m output bits y1,…,ym and k registers r1,…,rk :

S = Eval(x1,…,xn,r1,…,rk ).I ={a1,…,an,c0,1,…,c0,k)| a1,…,an∈{0,1} } where c0,i is the initial value of ri .

26


AP={x1,…,xn,r1,…,rk ,y1,…,ym}.L(a1,…,an,c1,…,ck) ={xi|ai=1}∪{ri|ci=1}∪{yi| s |= λyi(a1,…,an,c1,…,ck) =1}

if and only if .

27

1 n 1 k 1 n 1 k(a ,..., a ,c ,..., c ) (a ,..., a ,c ,..., c )τ ′ ′⎯⎯→

jj r 1 n 1 kc (a ,..., a ,c ,..., c )′ = δ

Data-Dependant Systems

Example 2.12: Consider an extension of BVM (Example 2.2) which

counts the number of coffee and tea left ;returns inserted coin if the machine is empty.

For simplicity, BVM is modeled by two locations start and select.

28

Data-Dependant Systems (Con.)

We exploit conditional transitions g:α to model the data-dependant behavior of the system, where g is a condition and α is an action which is possible once g holds. Hence below transitions model insertion of coin and refilling the machine:

29

true:coinstart select⎯⎯⎯→ true:refillstart start⎯⎯⎯⎯→


Suppose the variables of ncof and ntea record the number of bottles of coffee and tea respectively.

30

ncof 0:cgetselect start>⎯⎯⎯⎯→ ntea 0:tgetselect start>⎯⎯⎯⎯→

ncof 0 ntea 0:ret _ coinselect start= ∧ =⎯⎯⎯⎯⎯⎯⎯→


The effect of each action on variables ncof and ntea is shown below:

The graph consisting of locations as node and conditional transition as edge is not a TS.

31

Action Effect

refillcgettgetcoinret_coin

ncof:= max; ntea:=maxncof:=ncof-1ntea:=ntea-1No changeNo change


However a TS can be obtained by unfolding this graph.

32


This approach in modeling data-dependant systems can be formalized by program graphs over a set of Var of typed variables.A program graph over a set of typed variables is a digraph whose edges are labeled by conditions on these variables and actions.

33


The effect of the actions is formalized by means of mapping Effect: Act×Eval(Var) → Eval(Var)This indicates how the evaluation η of variables is changed by performing an action.

34


Definition: A program graph overt set Var of type variables is a tuple (Loc,Act,Effect,→,Loc0,g0) where:

Loc is a set of locations and Act is a set of actions;Effect : Act×Eval(Var) → Eval(Var);→⊆ Loc×Cond(Var)×Act×Loc;Loc0⊆Loc is a set of initial locations;g∈Cond(Var) is the initial condition.

35


We write instead of .The condition g is called guard of the conditional transition.The behavior in location depends on the current variable evaluation η. A non-deterministic choice is made between transitions whose guard is satisfied in evaluation η (η |= g).

36

g:α ′⎯⎯→l l ( ,g, , )′α ∈→l l

Loc∈l


Each program graph can be interpreted as a transition system which results from unfolding.

In other words, the semantics of a program graph is defined by a transition system.

37


The states of the corresponding TS consist of a location of program graph together with an evaluation η of the variables: .Initial states are initial locations that satisfy the initial condition g0.The set AP is comprised by locations and boolean conditions for the variables.

38

Loc∈l

,⟨ η⟩l


The labeling of states is such that is labeled with and with all conditions (over Var) that hold in η.The transition relation is defined as follows: whenever and g holds in the current evaluation η, then :

39

,⟨ η⟩l

l

g:α ′⎯⎯→l l

, , Effect( , )α ′⟨ η⟩ ⎯⎯→⟨ α η ⟩l l


Definition: The transition system TS(GP) of program graph GP= (Loc,Act,Effect, →,Loc0,g0) over set Var is the tuple (S,Act,→,I,AP,L) where:

S = Loc ×Eval(Var);→ ⊆ S ×Act ×S is defined by the following rule:

40

g: | g, ,Effect( , )

α

α

′⎯⎯→ ∧ η =′⟨ η⟩ ⎯⎯→⟨ α η ⟩

l l

l l


I ={ ,η|= g0};AP = Loc ∪ Cond(Val);L( )={ }∪{g Cond(Var) | η|= g}.

The definition TS(PG) determines a very large set of propositions AP. But generally only a small part of AP is necessary to formulate system properties.

41

0, | Loc⟨ η⟩ ∈l l

,⟨ η⟩l l ∈

Structural Operation Semantics

The transition relation of TS(PG) is defined using the so-called SOS-notation:

Which implies if the proposition above the “solid line” holds, then the proposition under the fraction bar holds as well.If the premise is a tautology, the rule is called axiom.

42

premiseconclusion

Structural Operation Semantics (Con.)

The relations defined by SOS rules are the smallest relation satisfying the indicated axioms and rules.The semantics of many modeling languages like process algebras are defined using SOS rules.

43

Parallelism and Communication

In reality most hard- and software systems are not sequential but parallel.We describe several mechanisms to provide operational models for parallel systems by means of TSs.

These Mechanisms range from simple mechanism where no communication take place between TSs to message-passing one.

44

Parallelism and Communication (Con.)

Assume the operational (stepwise) behavior of the processes that run in parallel are given by transition systems TS1, …, TSn.Our goal is to define an operator || such that TS = TS1 || TS2 || … || TSn is a transition system that specifies the behavior of parallel composition of TSs.

45

Parallelism and Communication (Con.)

It should be noted that each TSi may be a transition system that is composed of several transition systems:

TSi = TSi,1 || TSi,2 || … || TSi,n

Hence complex systems can be described in a rather structured way using the parallel composition in a hierarchical way.

46

Parallelism and Communication: Interleaving

In this model, it is assumed that a system is actually composed of a set of independent components.Hence, the global system state is composed of the current individual states of the components.

47

Parallelism and Communication: Interleaving (Con.)

Actions of an independent components are merged or “interleaved” with actions from other components.Thus concurrency is presented by pure interleaving : nondeterministic choice between activities of parallel processes.

48


Example: Two independent traffic lights

||| denotes interleaving operator.

49

||| =


An important justification for interleaving is the fact that the effect of currently executed, independent actions α and β is identical to the effect when αand β are executed in arbitrary order:

Effect(α|||β,η)=Effect(α;β)+ Effect(α;β)where ; stands for sequential execution and + stands for non-deterministic choice.

50


Definition: The transition system TS1|||TS2 where TSi=(Si,Acti,→i,Ii,APi,Li) is defined by

(S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)Where the TS → is defined by :

Labeling function is defined :

51

11 1

1 2 1 2

s ss ,s s ,s

α

α

′⎯⎯→′⟨ ⟩ ⎯⎯→⟨ ⟩

22 2

1 2 1 2

s ss ,s s ,s

α

α

′⎯⎯→′⟨ ⟩ ⎯⎯→⟨ ⟩

1 2 1 2L( s ,s ) L(s ) L(s )⟨ ⟩ = ∪

Parallelism and Communication: Com. via shared variable

Consider two independent value assignments x:=x+1 ||| y:=y-2.

The order of their execution is not important, so they can be easily interleaved.

52

||| =


Consider two parallel assignments on a shared variable x, x:=2.x ||| x:= x+1.

The different order of execution results in different final value for x

53

||| =


Thus interleaving is not appropriate when two components compete on a shared variable.Hence to deal with parallel programs with shared variables, an interleaving operator will be defined on the level of program graphs PG1 and PG2.TS(PG1 ||| PG2) describe a parallel system communicating via shared variables.

54


Definition: Program graph PG1 ||| PG2over Var1∪Var2, where for i=1,2, PGi= (Loci,Acti,Effecti, →i,Loc0,i,g0,i), is defined by

PG1 ||| PG2=(Loc1×Loc2,Act1∪Act2,Effect,→,Loc0,1×Loc0,2, g0,1 ∧g0,2) where→ is defined by the rules :

55


Effect(α,η)=Effecti(α,η) if α∈Acti.

Program graphs PG1 and PG2 have the variables Var1∩Var2 in common. Variables in Var1\Var2 are local variables of PG1.

56

g:11 1

g:1 2 1 2, ,

α

α

′⎯⎯→′⟨ ⟩ ⎯⎯→⟨ ⟩

l l

l l l l

g:22 2

g:1 2 1 2, ,

α

α

′⎯⎯→⟨ ⟩ ⎯⎯→⟨ ⟩

l l

l l l l


Example 2.22: consider the program graphs PG1 and PG2 that correspond to assignments x:=x+1 and x:=2.x.

57


its underlying transition system TS(PG1|||PG2) is shown below:

TS(PG1|||PG2)≠TS(PG1)|||TS(PG2).

58

The non-determinism inthe initial state does notrepresent concurrency butjust a possible resolution of contention on x.


Question: which actions of program graphs can be interleaved arbitrary (i.e. executed arbitrary) and which one can not? (page 42)Read examples 2.24 and 2.25.

59

Parallelism and Communication: Handshaking

Until now, we have introduced two mechanisms for parallel processes:

Interleaving: processes evolve completely autonomously.Com. via shared variables: processes communicate via shared variables.

60

Parallelism and Communication: Handshaking (Con.)

The third mechanism in which current processes that want to interact have to do this in a synchronous fashion.In other words, processes can interact if they are both participating in this interaction at the same time- they shake hands.

61


During handshaking, information can be exchanged.Here we abstract of information exchange (message contents) by considering the occurrence of handshake.A set H of handshake actions is distinguished with .

62

Hτ∉


Informally, if both parallel processes are ready to execute the same handshake action, can message passing take place.All actions outside H (Act\H) are independent and therefore can be executed autonomously in an interleaved fashion.

63


Definition: The transition system TS1||HTS2 , where TSi=(Si,Acti,→i,Ii,APi,Li) i=1,2 and H⊆Act1∩Act2 with , is defined by:

(S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)L(⟨s1,s2⟩)=L1(s1)∪L2(s2)The transition relation → is defined by the below rules:

64

Hτ∉


Interleaving for α∉H:

Handshaking for α∈H:

65

11 1

1 2 1 2

s ss ,s s ,s

α

α

′⎯⎯→′⟨ ⟩ ⎯⎯→⟨ ⟩

22 2

1 2 1 2

s ss ,s s ,s

α

α

′⎯⎯→′⟨ ⟩ ⎯⎯→⟨ ⟩

1 21 1 2 2

1 2 1 2

s s s ss ,s s ,s

α α

α

′ ′⎯⎯→ ⎯⎯→′ ′⟨ ⟩ ⎯⎯→⟨ ⟩


We write TS1||TS2 for TS1||HTS2 for H= Act1∩ Act2.When H={}, then TS1||{}TS2 reduces to TS1|||TS2.The handshaking operator ||H is communicative, but not associative:

TS1||HTS2 = TS2||HTS1.TS1||H (TS2||H’TS3)≠(TS1||HTS2)||H’TS3.

66


The (multiway) handshaking operator in TS=TS1||HTS2||H…||HTSn, where H⊆Act1∩…∩Actn, is appropriate to model broadcasting!The handshaking operator is similar to parallel operator in CSP algebra.

67


Example 2.28: consider two processes P1 and P2 of the form :

68

Pi loop forever…requestcritical sectionrelease….end loop

Modeled by


P1 and P2 can communicate with a new process Arbiter to enter their critical sections :

Arbiter mimics a binary semaphore.

TSArb= (TS1 ||| TS2) || Arbiter guarantees mutual exclusion (why?).

69


70


Read Example 2.30.It should be noted that the parallel operators introduced are time-abstract.

See example 2.31.

71

Parallelism and Communication: Channel Systems

Channel systems are parallel systems where processes communicate via channels.

Channels are first-in, first-out buffers that may contain messages.Processes are program graphs PGiextended with communication actions:

c!v transmits the value v along channel c.c?x receives a message via c and assigns it to x. 72

Parallelism and Communication: Channel Systems (Con.)

Definition: A program graph over (Var,Chan) is a tuple (Loc,Act,Effect,→,Loc0,g0) as before with the only difference that

→ ⊆ Loc×(Cond(Var)×(Act∪Comm)×LocComm={c!v,c?x|c∈Chan, v∈dom(c), x∈Var with dom(c)⊆dom(x)}

73


A channel system CS over (Var,Chan) consists of program graphs PGi over (Var,Chan) with Var=∪1≤i≤nVari.

We denote CS=[PG1 | … | PGn]

As before the conditional transitions labeled by α:g, α∈Act can happen whenever g holds.

74


The occurrences of conditional transitions labeled by g:c!v or g:c?x depends on the current evaluation and the capacity and content of channel.

Handshaking : if cap(c)=0, then process Pican perform only if another process Pj receives .

75

c!vi i′⎯⎯→l l

c!xj j′⎯⎯→l l


Asynchronous: if cap(c)>0Pi can send if the channel c is not full.Pj can receive if channel c is not empty.The Effect of actions are defined as below; the channel is treated as a buffer:

Channel systems are used to model communication protocols.

76

Executable if … Effect

c!v c is not “full” Enqueue(c,v)

c?x C is not “empty” ⟨x:= Front(c);Dequeue(c);⟩


Example 2.23: Alternating Bit ProtocolThe Sender S sends its messages along an unreliable channel c to a receiver R, who sends its acknowledges along a reliable channel d to the sender.

77

Sender Receiverc, cap(c)= ∞

d, cap(d)= ∞


S and R uses two bits 0,1 to distinguish retransmissions of m from transmissions of subsequent (and previous) messages:

When S sends message m tagged with 0 <m,0>, it waits to receive <0> (sent by R), otherwise retransmits the <m,0>.When S receives <0>, it transmits the new message tagged by 1.When S receives <1>, it retransmit its message <m,0>.

78


The program graph of the sender S:

79


The program graph of the receiver R:

80


The complete system is presented as a channel system over chan= {c, d, tmr_on, tmr_off,timeout} and Var= { x,y,mi} : ABP=[S|Timer|R].The behavior of a channel system can be given by a transition system, similar to the mapping from program graphs to transition systems.

81


The states of TS(CS), where CS=[PG1|…|PGn] over (Chan,Var), are tuples :

indicates the current location of component PGi;η(∈Eval(Var)) keeps track of the current values of the variables;ξ ,ξ(c)∈dom(c)*, records the current content of the various channels.

82

1 n,..., , ,⟨ η ξ⟩l l

il


Definition: The transition system of CS, denoted by TS(CS), where CS=[PG1|…|PGn] over (Chan,Var) and PGi= (Loci, Acti, Effecti, →i,Loc0,i,g0,i), is defined by TS(CS)=(S,Act,→,I,AP,L):

S=(Loc1×…×Locn)×Eval(Var) ×Eval(Chan);Act=∪0≤i≤nActi ∪{τ};I={ |∀1≤i≤n.( ∈Loc0,i∧η|= g0,i)};

83

1 n,..., , ,⟨ η ξ⟩l l il


AP=∪1≤i≤nLoci∪Cond(Var);L( )={ }∪

{g∈Cond(Var)| η|=g};→ is defined by the following rules:

Interleaving for α∈Acti:

84

1 n,..., , ,⟨ η ξ⟩l l 1 n,...,l l

g:ii i

1 i n 1 i n,..., ,..., , , ,..., ,..., , ,Effect( , )

α

α

′⎯⎯→′ ′⟨ η ξ⟩ ⎯⎯→⟨ η ξ⟩

′η = α η

l l

l l l l l l


Asynchronous message passing for c∈Chan, cap(c)>0:

Receive a value along channel c and assign it to x:

where η’=η[x:=v1] and ξ’=ξ[c:=v2…vk]Transmit value v∈dom(c) over channel c:

where ξ’=ξ[c:=v1v2…vkv]85

g:c?xii i 1 k

1 i n 1 i n

| g len( (c) k) 0 (c) v ...v,..., ,..., , , ,..., ,..., , ,τ

′⎯⎯⎯→ ∧ η = ∧ ξ = > ∧ ξ =′ ′ ′⟨ η ξ⟩ ⎯⎯→⟨ η ξ ⟩

l l

l l l l l l

g:c!vii i 1 k

1 i n 1 i n

| g len( (c) k) cap(c) (c) v ...v,..., ,..., , , ,..., ,..., , ,τ

′⎯⎯⎯→ ∧ η = ∧ ξ = < ∧ ξ =′ ′⟨ η ξ⟩ ⎯⎯→⟨ η ξ ⟩

l l

l l l l l l


Synchronous message passing over c∈Chan, cap(c)=0:

where η’=η[x:=v].

See example 2.34.86

1 2g :c?x g :c!vi ji i 1 2 j j

1 i j n 1 i j n

| g | g i j

,..., ,..., ,..., , , ,..., ,..., ,..., , ,τ

′ ′⎯⎯⎯→ ∧ η = ∧ η = ∧ ⎯⎯⎯→ ∧ ≠

′ ′ ′⟨ η ξ⟩ ⎯⎯→⟨ η ξ⟩

l l l l

l l l l l l l l

Parallelism and Communication: Synchronous Parallelism

In synchronous systems components evolve in a lock step fashion.

Synchronous hardware circuits in which all components are connected to a central clock and all perform a step on each clock pulse.

87

Parallelism and Communication: Synchronous Parallelism (Con.)

Definition: The synchronous product TS1⊗TS2, where

TSi =(Si,Act, →i,Ii, APi,Li) and *:Act×Act →Act be a mapping that assigns α*βto each pair of actions α and β

is given by (S1×S2, Act, →, I1×I2, AP1∪AP2, L) where

88

Parallelism and Communication: Synchronous Parallelism (Con.)

The transition relation is defined by:

α*β denotes the synchronous execution of action α and β.

L(⟨s1,s2⟩)=L1(s1)∪L2(s2).

It should be noted that compared to parallel operator ||, there is no autonomous transition of TS1 or TS2.

89

1 21 1 2 2*

1 2 1 2

s s s ss ,s s ,s

α β

α β

′ ′⎯⎯→ ⎯⎯→′ ′⟨ ⟩ ⎯⎯→⟨ ⟩

The state-space Explosion Problem

Program graphs and channel systems introduced to model data-dependant and communication systems.In following we discuss on the cardinality of resulting transition systems, since verification techniques are based on analyzing the TSs.

90

The state-space Explosion Problem (Con.)

Program graph representation:Recall that the states of the unfolded TS are of the form ⟨ ,η⟩, where location and variable evaluation η.Assume all variables in Var have finite domain.The number of states in the resulting TS is:

91

l l

x Var

| Loc | . | dom(x) |∈∏


The number of states grows exponentiallyin the number of variables in the program graph.

ParallelismIn all variant of parallel operators, the state space of the complete system is built of the local state space Si of the components.

92


Hence the number of states in S is growing exponentially in the number of components.Additionally the size of local state of each component grows exponentially with number of variable.Thus the “exponential blowup” in the number of parallel components and number of variables explains the problem.

93


Channel systemsFor the size of TS of channel systems, similar observation can be made as for the representation of program graphs.Additionally, the size of channels affects on the number of states.

94


Thus for CS=[PG1|…|PGn] over Var=Var1∪…∪Varn and channels Chan, the cardinality of state space is :

which can be rewritten as :

95

ncap(c)

ii 1 c Chan

| PG |. | dom(c) |= ∈

∏ ∏

i

ncap(c)

ii 1 x Var c Chan

| Loc | . | dom(x) . | dom(c) |= ∈ ∈

⎛ ⎞⎜ ⎟⎜ ⎟⎝ ⎠

∏ ∏ ∏

Summery

Transition systems are a fundamental model for modeling software and hardware systems.An execution of a TS is an alternatingsequence of states and actions that starts in an initial state and that cannot be prolonged.

96

Summery (Con.)

Interleaving amounts to represent the evolvement of “simultaneous” activities of independent concurrent processes by the nondeterministic choice between these activities.In case of shared variable communication, parallel composition on the level of transition systems does not faithfully reflect the system’s behavior. Instead, composition on program graphs has to be considered.

97

Summery (Con.)

Concurrent processes that communicate via handshaking on the set H of actions execute actions outside H autonomously whereas they execute actions in H synchronously.In channel systems, concurrent processes communicate via FIFO-bu ers. Handshakingcommunication is obtained when channels have capacity 0. For channels with a positive capacity, communication takes place asynchronously.

98

Summery (Con.)

The size of transition system representations grows exponentially in various components, such as the number of variables in a program graph or the number of components in a concurrent system. This is known as the state-space explosion problem.

99

Ch2-Modelling Concurrent Systems.ppt -...

Documents

Transcript of Ch2-Modelling Concurrent Systems.ppt -...