State Space c-Reductions of Concurrent Systems in Rewriting Logic @ ETAPS Workshop WRLA 2013
-
Upload
alberto-lluch-lafuente -
Category
Technology
-
view
817 -
download
2
description
Transcript of State Space c-Reductions of Concurrent Systems in Rewriting Logic @ ETAPS Workshop WRLA 2013
Alberto Lluch, Andrea VandinIMT Lucca
State Space C-Reductionsof Concurrent Systems in Rewriting Logic
International Workshop on Rewriting Logic and its Applications (WRLA'12)Tallin, March 24-25, 2012
José MeseguerUIUC
typical space reduction
no reductionstrong reductionweak reduction
states explored
size of the system
state space explosion
1 binary counter has ... 2 states
1 n-ary counter has ... n states (data abstraction)
m n-ary counters Mn states! (symmetries, concurrency, etc.)
0 3 8 6...
running example
x$
$ = transfer of 1$
= account with x$
credit rule
x$
$
x+1$
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
Isomorphic...
but syntactically different
Isomorphic...
but syntactically different
symmetries in state space exploration problems
some tools with symmetry reduction
Murphy [Ip&Dill@FMSD'96]; Symmetric SPIN [Bosnacki et al.@SPIN'00]; TopSPIN [Donaldson et al.@AMAST'06]; Groove [Rensink@GRABATS'06]; MiHDa [Montanari et al.@FMCO'02]; PRISM-symm [Ball et a@CAV06]; Planners, constraint solvers, etc.
some drawbacks
✗ Symmetries denoted with extra primitives;
✗ Limited, fixed symmetry classes;
✗ Rigid “flexibility” vs “guarantees” tradeoff;
✗ Complex changes to model checker;
✗ Unofficial extensions of model checkers;
✗ No support for checking correctness.
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
p
p,q p,q
q p = there is some empty account
q = there are one or less dollars around
A Kripke structure is a tuple K = (S , → , L, AP) such that S is a set of states;
→ ⊆ S × S is a transition relation;
AP are atomic propositions;
L: S → 2AP maps states into AP subsets.
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
0$
$
1$
0$
$
0$
$
1$ 1$
A bisimulation between two Kripke structures K and H
is a binary relation ∼ ⊆ SK × SH such that s∼s' implies
LK(s) = LH(s');
s →K r implies s' →H r' and r∼r' for some r';
vice versa.
s →K r
s' →H r'≀ ≀
p
p,q p,q
q
p
p,q
q
1$ 0$
$
0$
$
1$
c
A ∼-canonizer for
– a Kripke structure K
– and an equivalence (bisimilation) relation ∼ ⊆ S × S
is a function c : S → S such that s∼c(s) for all states s.
c
A ∼-canonizer is strong if s∼s' implies c(s) = c(s')
(i.e. if canonical representatives of ∼-equivalence classes are unique)
3$2$1$
2$3$1$
1$2$3$
3$1$2$
2$1$3$
1$3$2$
cc
c
c
c
otherwise we call them weak.
3$2$1$
2$3$1$
1$2$3$
3$1$2$
2$1$3$
1$3$2$
c
c
c
The c-reduction of a Kripke structure
K = (S , → , L, AP)
is
Kc = (S , →;c , L, AP)
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
c
Th. If c is a ∼-canonizer then Kc ∼ K.
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
some symmetry reductions captured
Full symmetries; Rotational symmetries; Name reuse (garbage collection); Name abstraction.
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
What is RL?
A rewrite theory R is a tuple (Σ , E ∪ A , R , ϕ) Σ = signature (e.g. syntax); E = equations (e.g. functions); A = axioms (e.g. ACI); R = rules (e.g. non deterministic behaviour); ϕ = frozennes map (e.g. rewrite strategy).
Some assumptions: R has good executability properties; Topmost rules for a designated [State] kind.
Not all equivalence relations ∼
are tractable as axioms
Not all equivalence relations ∼
are tractable as axioms
--- The main module defining the signature and one initial state
fmod BANK is
...
sorts Object Message Configuration State .
subsort Message Object < Configuration .
op <_|_> : Nat Nat -> Object [ctor] .
op credit : Nat -> Message [ctor] .
op __ : Configuration Configuration -> Configuration [ctor assoc comm] .
op none : -> Configuration [ctor] .
op {_} : Configuration -> State [ctor frozen] .
--- A simple initial state
op init : -> Configuration .
eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .
endfm
0$
$
0$
$
--- The behavioural rules of the example
mod BANK-RULES is
inc BANK .
vars i x : Nat .
vars c1 : Configuration .
--- A simple rule for crediting an account
rl [credit] :
{ < i | x > credit(i) c1 }
=> { < i | s(x) > c1 } .
endm
x$
$
x+1$
search without reductionMaude> search in BANK-RULES : {init} =>* s:State .
Solution 1 (state 0)
s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
Solution 2 (state 1)
s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}
Solution 3 (state 2)
s:State --> {credit(0) < 0 | 0 > < 1 | 1 >}
Solution 4 (state 3)
s:State --> {< 0 | 1 > < 1 | 1 >}
No more solutions.
states: 4 rewrites: 6 in 0ms cpu (2ms real) (9523 rewrites/second)
symmetric states
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
c-extension
The c-extension of a rewrite theory
R = (Σ, E ∪ A , R, ϕ)
is
Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , R , ϕc)
i.e. a correct extension of R with the definition of c.
BANK
module architecture
BANK-RULES (R)
BANK-C (Rc)
c-extension (example of canonizer)--- The c-extension of BANK that defines the c-canonizer for object permutations
mod BANK-C is
...
op c : State -> [State] .
vars i j x y : Nat .
vars c1 : Configuration .
ceq c( { < i | x > < j | y > c1 } )
= c( { [[ i <-> j ]]( < i | x > < j | y > c1 ) } )
if [[ i <-> j ]]( < i | x > < j | y > c1 )
<# < i | x > < j | y > c1 .
eq c({c1}) = {c1} [ owise ] .
endm
BANK
module architecture
BANK-RULES (R) BANK-PERMUTATION
BANK-C (Rc)
c-extension (example of transpositions)--- Implementation of object permutations
fmod BANK-PERMUTATION is
...
op [[_<->_]] _ : Nat Nat Configuration -> Configuration [frozen] .
op [[_<->_]] _ : Nat Nat Nat -> Nat .
eq [[ i <-> j ]](none) = none .
eq [[ i <-> j ]](obj1 c1) = ([[ i <-> j ]](obj1)) ([[ i <-> j ]](c1)) .
eq [[ i <-> j ]](msg1 c1) = ([[ i <-> j ]](msg1)) ([[ i <-> j ]](c1)) .
eq [[ i <-> j ]](< k | x >) = < [[ i <-> j ]](k) | x > .
eq [[ i <-> j ]](credit(k)) = credit([[ i <-> j ]] k) .
 eq [[ i <-> j ]](i) = j .
eq [[ i <-> j ]](j) = i .
ceq [[ i <-> j ]](k) = k if (i != k) /\ (j != k) .
endfm
Identification of symmetric states
Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .
result State: {credit(1) < 0 | 1 > < 1 | 0 >}
0$ 1$
$
1$
$
0$
c
The c-reduction of a rewrite theory
R = (Σ, E ∪ A , R , ϕ )
is
Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , Rc , ϕc)
where Rc is made of rules
l => c(r) if cond
for each rule of R
l => r if cond
K(Rc) = Kc(R)K(Rc) = K
c(R)
BANK
module architecture
BANK-RULES (R) BANK-PERMUTATION
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
c-reduction (example)
--- The c-reduction of BANK-RULES
mod BANK-C-REDUCTION is
inc BANK-C .
rl [credit] :
{ < i | x > credit(i) c1 }
=> c({ < i | s(x) > c1 }) .
endm
search in c-reduced state spaceMaude> search in BANK-C-REDUCTION : {init} =>* s:State .
search in BANK-C-REDUCTION : {init} =>* s:State .
Solution 1 (state 0)
s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
Solution 2 (state 1)
s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}
Solution 3 (state 2)
s:State --> {< 0 | 1 > < 1 | 1 >}
No more solutions.
states: 3 rewrites: 25 in 0ms cpu (2ms real) (53648 rewrites/second)
1$ 0$
$
0$
$
1$
0$
$
0$
$
1$ 1$
c
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
Th 1. “K(Rc) is bisimilar to K(R)” (desiderata)
Lemma 0. “Relation ∼ is an equivalence relation”
(i) Check that the action of the group is correct.
Lemma 1. “Relation∼ is a bisimulation”
(ii) Check that ∼ strongly respects AP;
(iii) Check that ∼ and R “commute”.
Lemma 2. “Function c is a ∼-canonizer”
(iv) Check that c is a ∼-canonizer.
Does c provide a correct c-reduction?
Proof plan for
group-theoretic
reductions
BANK
modules and checks
BANK-RULES (R)BANK-AP
BANK-PERMUTATION-RULES (R∼)
BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
check (i)
check (ii)
check (iii)check (iv)
The action ⟦∙⟧ of a group G on S defines an equivalence relation:
s∼s' iff ⟦ f ⟧(s) = s' for some f ∈ G.
group theoretic equivalence relations
BANK
modules and checks
BANK-RULES (R)BANK-AP
BANK-PERMUTATION-RULES (R∼)
BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
check (i)
(i) Checking group actions
Implement the action ⟦∙⟧ of G on S as
[[_]]_ : G State ->State .
… but we just need to implement the action of the generators.
Check that the we actually have a group action by showing:⟦g⟧⟦g-1⟧(s) = s for each generator g of G.
HINT: induction on S (structure of states).
For example, in the case of permutations one has to show
[[ i <-> j]] ([[ i <-> j]] (s)) = s
(i) Checking group actions
Implement the action ⟦∙⟧ of G on S as
[[_]]_ : G State ->State .
… but we just need to implement the action of the generators.
Check that the we actually have a group action by showing:
⟦e⟧(s) = s, for e the identity of G;
⟦g ∘ g'⟧(s) = ⟦g⟧(⟦g'⟧(s)) for each pair of generators g, g' of G;
⟦g⟧⟦g-1⟧(s) = s for each generator g of G.
HINT: induction on G (generators ) and S (structure of states).
BANK
modules and checks
BANK-RULES (R)BANK-AP
BANK-PERMUTATION-RULES (R∼)
BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
check (ii)
(ii) Checking that ∼ strongly preserves AP
IDEA: Define a rewrite theory R∼ to “move” inside orbits:
R∼ = (Σ ⊎ Σ∼
, E ∪ E∼ ∪ A , R∼ , ϕ)
where R∼
= { s => [[g]](s) }
Theorem: ∼ strongly preserves AP if AP is stable in R∼.
Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)
rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)
Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...
Proof obligations generated: 2
Proof obligations discharged: 2
Success!
Can we check such stability automatically?
Yes, with InvA (under some conditions)
fmod BANK-AP is
eq [two-dollars-eq] : two-dollars({ < i | s(s(x)) > c1 }) = true .
endfm
fmod BANK-PERMUTATION-RULES is
rl [transposition] : { < i | x > < j | y > c1 }
=> { [[ i <-> j ]] ( < i | x > < j | y > c1) } .
endm
For non discharged proof obligations
one can use the Maude ITP tool
For non discharged proof obligations
one can use the Maude ITP tool
BANK
modules and checks
BANK-RULES (R)BANK-AP
BANK-PERMUTATION-RULES (R∼)
BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
check (iii)
v'
v
u'
uR
R
(iii) Checking that ∼ and R commute
For all equivalent states u, u' and for all R-transitions from u to v.
v'
v
u'
u
R∼
R
* R *R∼
(iii) Checking that ∼ and R commute
For all R∼reachable pairs of states u->u' and for all R-transitions from u to v.
v'
v
u'
uR
u1'R
R
R
v1'
u2' v2'*R∼
R∼
(iii) Checking that ∼ and R commute
*
R∼
R∼
For all R∼-transitions u->u' and for all R-transitions from u to v.
w
θ(r)
θ'(r')
θ(l)R
R
R∼*
R∼
θ'(l')
Consider:
Each R-rules from l => r
Each R∼-rules l' => r'
≡A
v'
v
u'
uR
R
R∼
(iii) Checking that ∼ and R commute
*R∼
For all R∼-transitions u → u' and
for all R-transitions from u to v.
For all R∼-rules l' => r' and
for all R-rules from l => r.
Similar functionalities (e.g. critical pair generation)
are already available in some Maude tools
(e.g. in the Coherence Checker).
Similar functionalities (e.g. critical pair generation)
are already available in some Maude tools
(e.g. in the Coherence Checker).v'
θ(r)
θ'(r')
θ(l)R
R
R∼*
R∼
(iii) Checking that ∼ and R commute
IDEA: Show joinability of critical pairs (R rules vs R∼)
Theorem: If all such pairs are joinable, ∼ is a bisimulation
BANK
modules and checks
BANK-RULES (R)BANK-AP
BANK-PERMUTATION-RULES (R∼)
BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-C-REDUCTION (Rc)
check (iv)
(iv) checking that c is a ∼-canonizer
c({t}) = c([[g]]({t})) if [[g]]({t})<{t}
c({t}) = {t} [owise]
c({t}) = min{[[f]]({t})}
Local strategies
Enumeration strategies
IDEA: Exploit the form of typical reduction strategies:
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
typical space reduction
no reductionstrong reductionweak reduction
states explored
size of the system
typical time reduction
no reductionstrong reductionweak reduction
runtime
size of the system
will we have the same in Maude?
Full symmetries in Maude [D.Rodriguez@WRLA'08]
will we have the same in Maude?
Q1. Overhead of meta-level based c-reductions?
Q2. Similar performance gains as model checkers?
Q3. Performance for c-reductions not based
on full permutations (e.g. rotations)?
Q1. meta-level vs ad-hoc?runtime
(seconds)
size of the system
(instance parameter)
1 2 3 4 5 6 7 80
10
20
30
40
50
60
70
80
90
meta-level
ad-hoc
2 3 4
-1
-0.5
0
0.5
1
1.5
2
Q2. Maude vs SymmSPIN?
relative time reduction factor
no reductionsymmSPINstrong c-reductionweak c-reduction
size of the system
(instance parameter)
Q3. space reduction in dining philosophers?
~ ~
Dining philosophers (rotational symmetries)
= philosopher eating
= philosopher resting
~
Dining philosophers (msg. id's)
3 4 4 31 2
~
~msg id abstraction
msg id
permutation
msg id reuse
Q3. space reduction in dining philosophers
2 3 4 5 6 7 8 90
100000
200000
300000
400000
500000
600000
states explored
msg id reusemsg abstractionmsg id reuse & permutationsmsg abstraction + philosopher rotation
size of the system
(instance parameter)
Q3. time reduction in dining philosophers
7 8 9
states explored
size of the system
(instance parameter)
msg reuse&permutationmsg abstractionmsg abstraction + philosopher rotation
Q1. Overhead of meta-level based c-reductions?
✔ Significant improvement
when not resorting to the meta-level.
Q2.Performance against model checkers?
✔ Similar in space reduction;
✔ Comparable time reduction.
Q3. Performance for c-reductions not based
on full permutations (e.g. Rotations)?
✔ Significant space gains in rotational.
conclusion
Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.
Related work (Maude)
Full symmetries in Maude [D.Rodriguez@WRLA'08]
✔ Full object permutations, meta-representation order;
✭ More symmetries and examples, no meta-representation order, verification methodology.
Equational abstractions [Palomino et al.@JLAP'10]
✔ Identify states to reduce state space;
✭ Bisimulation, reduction application control.
Related work (ii) SymmSPIN et al. [Bosnacki et al.@SPIN'01]
✔ Heuristics for canonizers;
✭ No extension needed, object references allowed, formal checks;
Groove [Rensink@GRABATS'06]
✔ Up-to-isomorphism GTS;
✭ Programmable reductions, not just iso.
HD-automata [Montanari et al.@TCS'05]
✔ Name reuse techniques;
✭ On-the-fly reduction, algebraic state structure.
Current and Future Work Better integration in Maude
Conciliate with other state space reduction techniques (equational abstractions, partial order reduction);
Tool support and its integration in MFE.
Beyond group theoretic symmetries
Abstractions that yield bisimulations?
Exploit axiomatisations of bisimulation for process algebras?
Beyond bisimulation
Weak bisimulation?
Trace equivalence (for LTL)?
http://sysma.lab.imtlucca.it/tools/c-reducer/
thanks!