My talk on "State Space C-Reductions for Concurrent Systems in Rewriting Logic" held at the International ETAPS Workshop on Graph Inspection and Traversal Engineering (GRAPHITE 2013).
Full manuscript available here: http://eprints.imtlucca.it/1350/
State Space C-Reductions @ ETAPS Workshop GRAPHITE 2013
1. State Space C-Reductions of Concurrent Systems in Rewriting Logic
-- Alberto Lluch Lafuente, IMT Lucca
-- José Meseguer, UIUC
-- Andrea Vandin, IMT Lucca
2nd ETAPS Graphite Workshop, Rome, March 24, 2013
preliminary version presented at WRLA 2012
conference version presented at ICFEM 2012
2. Defining reductions at the specification level has several pros
9. A ∼-canonizer for
– a Kripke structure K
– and an equivalence (bisimulation) relation ∼ ⊆ S × S
is a function c : S → S such that s∼c(s) for all states s.
(figure: a bank state with balances 1$ 0$ is mapped by c to the equivalent state with balances 0$ 1$)
10. A ∼-canonizer is strong if s∼s' implies c(s) = c(s') (i.e. if canonical representatives of ∼-equivalence classes are unique); otherwise we call them weak.
(figure: the six permutations of the balances 1$ 2$ 3$ and the representatives that c assigns to them)
14. PERFORMANCE?
15. typical space reduction pattern
(plot: size of the state space against size of the system; series: no reduction, strong reduction, weak reduction)
16. typical time reduction pattern
(plot: runtime against size of the system; series: no reduction, strong reduction, weak reduction)
17. will we have the same in Maude?
Q1. Overhead of meta-level based c-reductions?
Q2. Similar performance gains as model checkers?
Q3. Performance for c-reductions not based on full permutations (e.g. rotations)?
18. previous work on symmetry reduction with Maude
Full symmetries in Maude [D.Rodriguez@WRLA'08]: the reduction was much slower!
19. Q1. meta-level vs c-reductions?
(plot: runtime in seconds, 0 to 90, against size of the system (instance parameter), 1 to 8; series: meta-level, c-reductions)
20. Q2. Maude vs SymmSPIN?
(plot: relative time reduction factor, -1.5 to 2, against size of the system (instance parameter), 2 to 5; series: no reduction, symmSPIN, strong c-reduction, weak c-reduction)
21. Q3. space reduction in dining philosophers
(plot: states explored, 0 to 600000, against size of the system (instance parameter), 2 to 9; series: msg id reuse, msg abstraction, msg id reuse & permutations, msg abstraction + philosopher rotation)
22. WE DO IT IN... REWRITING LOGIC / MAUDE
23. What is RL?
A rewrite theory M is a tuple (Σ , E ∪ A , R , ϕ) where
Σ = signature (e.g. syntax), E = equations (e.g. functions) and A = axioms (e.g. ACI) define the system states;
R = rules (e.g. non-deterministic behaviour) and ϕ = frozenness map (e.g. rewrite strategy) define the system dynamics.
24. What is RL?
Same tuple (Σ , E ∪ A , R , ϕ) as on slide 23. Note that not all equivalence relations ∼ are tractable as axioms A.
Some assumptions: topmost rules for a designated [State] kind.
25. --- The main module defining the signature and one initial state
fmod BANK is
...
sorts Object Message Configuration State .
subsorts Message Object < Configuration .
op <_|_> : Nat Nat -> Object [ctor] . --- account id and balance
op credit : Nat -> Message [ctor] . --- id of the target account
op __ : Configuration Configuration -> Configuration [ctor assoc comm] .
op none : -> Configuration [ctor] .
op {_} : Configuration -> State [ctor frozen] .
--- A simple initial state: two accounts with balance 0$ each and one pending credit for each
op init : -> Configuration .
eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .
endfm
26. --- The behavioural rules of the example
mod BANK-RULES is
inc BANK .
vars i x : Nat .
var c1 : Configuration .
--- A simple rule for crediting an account: consuming credit(i) turns balance x$ into x+1$
rl [credit] :
{ < i | x > credit(i) c1 }
=> { < i | s(x) > c1 } .
endm
29. c-extension
The c-extension of a rewrite theory M = (Σ , E ∪ A , R , ϕ) is
M+c = (Σ ⊎ Σc , E ∪ Gc ∪ A , R , ϕc)
i.e. a correct extension of R with the definition of c.
30. c-extension (example of canonizer)
--- The c-extension of BANK that defines the c-canonizer for object permutations
mod BANK-C is
...
op c : State -> [State] .
vars i j x y : Nat .
var c1 : Configuration .
--- apply the transposition [[ i <-> j ]] if it provides a "lexicographically" smaller state
ceq c( { < i | x > < j | y > c1 } )
= c( { [[ i <-> j ]]( < i | x > < j | y > c1 ) } )
if [[ i <-> j ]]( < i | x > < j | y > c1 ) <# < i | x > < j | y > c1 .
eq c({c1}) = {c1} [owise] .
endm
31. Identification of symmetric states
Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .
result State: {credit(1) < 0 | 1 > < 1 | 0 >}
33. The c-reduction of a rewrite theory M = (Σ , E ∪ A , R , ϕ) is
M/c = (Σ ⊎ Σc , E ∪ Gc ∪ A , Rc , ϕc)
where Rc is made of the rules
l => c(r) if cond
for each rule
l => r if cond
of R, so that K(M/c) = K_c(M).
37. exploiting the c-reduced state space
Another example: 4 accounts, 4 transfers for each
Maude> search in BANK/C : {init(4,4)} =>* s:State .
search in BANK/C : {init(4, 4)} =>* s:State .
...
states: 70 rewrites: 14333 in 26ms cpu (26ms real) (536615 rewrites/second)
Unreduced state space has 625 states
Model checking example: “eventually there will be no more transfers to process, forever”
Maude> red modelCheck({init(4,4)}, <>[]~ some-message) .
reduce in MUTEX-CHECK : modelCheck({init(4, 4)}, <> []~ some-message) .
rewrites: 14485 in 17ms cpu (19ms real) (841906 rewrites/second)
result Bool: true
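As an added example (constructed here, not code from the slides or the authors' tool), the same search in Python: accounts are modelled as (balance, pending credits) pairs, the search applies the c-reduced rules l => c(r) of slide 33, the strong canonizer mimics the transposition-based one of slide 30, and a deliberately weak canonizer shows the strong/weak distinction of slide 10. With 4 accounts and 4 credits each it reproduces the 625 unreduced versus 70 reduced states reported above.

```python
from collections import deque
from itertools import permutations

# Constructed BANK model: account i = (balance, number of credit(i) messages not yet processed).
def init(n_accounts, n_credits):
    return tuple((0, n_credits) for _ in range(n_accounts))

def credit_successors(state):
    """All states reachable in one step by the rule [credit]."""
    return [state[:i] + ((bal + 1, pend - 1),) + state[i + 1:]
            for i, (bal, pend) in enumerate(state) if pend > 0]

def swap(state, i, j):  # the transposition [[ i <-> j ]] on account positions
    s = list(state)
    s[i], s[j] = s[j], s[i]
    return tuple(s)

def strong_canonizer(state):
    """Slide 30 style: apply a transposition while it yields a lexicographically smaller state."""
    changed = True
    while changed:
        changed = False
        for i in range(len(state)):
            for j in range(i + 1, len(state)):
                if swap(state, i, j) < state:
                    state, changed = swap(state, i, j), True
    return state  # the sorted tuple, unique per equivalence class, hence strong

def weak_canonizer(state):
    """Tries a single transposition: still s ~ c(s), but representatives are not unique."""
    return swap(state, 0, 1) if len(state) > 1 and swap(state, 0, 1) < state else state

def explore(initial, canonizer=lambda s: s):
    """Breadth-first search with the c-reduced rules l => c(r); returns the explored states."""
    start = canonizer(initial)
    seen, todo = {start}, deque([start])
    while todo:
        for succ in map(canonizer, credit_successors(todo.popleft())):
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen

def is_canonizer(canonizer, states):
    """s ~ c(s): every representative must be a permutation of its state."""
    return all(sorted(canonizer(s)) == sorted(s) for s in states)

def is_strong(canonizer, states):
    """Strong iff all permutations of a state get the same representative."""
    return all(canonizer(tuple(p)) == canonizer(s) for s in states for p in permutations(s))
```

The weak canonizer still yields a correct reduction (every representative is ∼-equivalent to its state) but explores more states than the strong one, which is the pattern of slides 15 and 16.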
38. CHECKING CORRECTNESS OF REDUCTIONS
39. Does c provide a correct c-reduction?
Th 1. “K(M/c) is bisimilar to K(M)” (desiderata)
Lemma 0. “Relation ∼ is an equivalence relation”
Lemma 1. “Relation ∼ is a bisimulation”
Lemma 2. “Function c is a ∼-canonizer”
Proof plan for group-theoretic reductions:
(i) Check that the action of the group is correct (Lemma 0);
(ii) Check that ∼ strongly preserves AP (Lemma 1);
(iii) Check that ∼ and R “commute” (Lemma 1);
(iv) Check that c is a ∼-canonizer (Lemma 2).
40. group theoretic equivalence relations
The action ⟦ ⟧ of a group G on the set of states S
defines an equivalence relation:
s∼s' iff ⟦ f ⟧(s) = s' for some f ∈ G.
43. (ii) Checking that ∼ strongly preserves AP
IDEA: Define a rewrite theory M/G to “move” inside orbits:
M/G = (Σ ⊎ ΣG, E ∪ EG ∪ A , RM/G , ϕ)
where RM/G = { s => [[g]](s) , g in H}
Theorem: ∼ strongly preserves AP if AP is stable in R∼.
44. Can we check such stability automatically?
Yes, with InvA (under some conditions)
fmod BANK-AP is
inc BANK .
op two-dollars : State -> Bool .
vars i x : Nat .
var c1 : Configuration .
eq [two-dollars-eq] : two-dollars({ < i | s(s(x)) > c1 }) = true .
endfm
mod BANK-PERMUTATION-RULES is
inc BANK-C . --- reuses the transposition [[ i <-> j ]] of slide 30
vars i j x y : Nat .
var c1 : Configuration .
rl [transposition] : { < i | x > < j | y > c1 }
=> { [[ i <-> j ]] ( < i | x > < j | y > c1) } .
endm
Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)
rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)
Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...
Proof obligations generated: 2
Proof obligations discharged: 2
Success!
For non-discharged proof obligations one can use the Maude ITP tool.
47. (iii) Checking that ∼ and R commute
For all M/G-transitions u → u' and for all M-transitions from u to v (commuting square: u' must reach some v' in zero or more M-transitions, with v → v' an M/G-transition).
For all M/G-rules l' => r' and for all M-rules l => r (the same square on the instances θ(l), θ(r), θ(r') and v').
Similar functionalities (e.g. critical pair generation) are already available in some Maude tools (e.g. in the Coherence Checker).
48. (iii) Checking that ∼ and R commute
How do we check joinability of critical pairs (R rules vs R∼)?
For each M/G-rule l' => r' and each M-rule l => r do
  Compute the MGUs θ for l' = l
  For each θ do
    Compute the M/G-transitions θ(r) → θ(vi) (diagram: θ(l) steps to θ(r) in M and to θ(r') in M/G)
    Check if at least one θ(vi), i = 1..n, is reachable from θ(r') in M
NOTE 1: Can be done using Maude's unify and search commands.
NOTE 2: We are currently implementing a tool for this.
51. Preliminary version presented at WRLA 2012, conference version presented at ICFEM 2012, yet more work is to be done...
Better integration in Maude:
– Reconcile with other state space reduction techniques;
– Tool support and its integration in MFE.
Beyond group-theoretic symmetries:
– Abstractions that yield bisimulations?
– Axiomatisations of bisimulations in process algebras?
Beyond bisimulation:
– Weak bisimulation? Trace equivalence (for LTL)?
52. thanks!
alberto.lluch@imtlucca.it
http://www.albertolluch.com
http://www.linkedin.com/in/albertolluch
http://www.imtlucca.it/alberto.lluch+lafuente
State Space C-Reductions (full manuscript)
http://eprints.imtlucca.it/1350/