State Space C-Reductions @ ETAPS Workshop GRAPHITE 2013

My talk on "State Space C-Reductions for Concurrent Systems in Rewriting Logic" held at the International ETAPS Workshop on Graph Inspection and Traversal Engineering (GRAPHITE 2013).

Full manuscript available here: http://eprints.imtlucca.it/1350/


  1. State Space C-Reductions of Concurrent Systems in Rewriting Logic. Alberto Lluch Lafuente (IMT Lucca), José Meseguer (UIUC), Andrea Vandin (IMT Lucca). 2nd ETAPS Graphite Workshop, Rome, March 24, 2013. Preliminary version presented at WRLA 2012; conference version presented at ICFEM 2012.
  2. [section divider slide; word-cloud graphic with the recoverable fragments “definition-level reductions”, “the specification”, “several pros”]
  3. Running example: $ = transfer of 1$; x$ = account holding x$.
  4. Credit rule: an account x$ that receives a transfer $ becomes x+1$.
  5. Isomorphic... but syntactically different. [figure: two accounts, 0$ 0$ evolves to 1$ 0$ or to 0$ 1$, and both evolve to 1$ 1$]
  6. Symmetries in state space exploration problems.
  7. Some tools with symmetry reduction: Murphi [Ip & Dill @ FMSD96]; Symmetric SPIN [Bosnacki et al. @ SPIN00]; TopSPIN [Donaldson et al. @ AMAST06]; Groove [Rensink @ GRABATS06]; MiHDa [Montanari et al. @ FMCO02]; PRISM-symm [Ball et al. @ CAV06]; Uppaal [Larsen et al. @ FORMATS 2003]; planners, constraint and SAT solvers, etc.
  8. Canonizers
  9. A ∼-canonizer for a Kripke structure K and an equivalence (bisimulation) relation ∼ ⊆ S × S is a function c : S → S such that s ∼ c(s) for all states s. [figure: c maps both 1$ 0$ and 0$ 1$ to a single representative]
  10. A ∼-canonizer is strong if s ∼ s' implies c(s) = c(s') (i.e. if canonical representatives of ∼-equivalence classes are unique); otherwise we call it weak. [figure: the orderings of 1$ 2$ 3$ and their images under c]
  11. C-reduction of a Kripke structure
  12. The c-reduction of a Kripke structure K = (S, →, L, AP) is Kc = (S, →;c, L, AP). [figure: the two-account example with c applied after each credit transition]
  13. Th. If c is a ∼-canonizer then Kc ∼ K.
  14. PERFORMANCE? [section divider slide; word-cloud graphic as on slide 2]
  15. Typical space reduction pattern. [plot: size of the state space vs. size of the system, for no reduction, strong reduction and weak reduction]
  16. Typical time reduction pattern. [plot: runtime vs. size of the system, for no reduction, strong reduction and weak reduction]
  17. Will we have the same in Maude? Q1. Overhead of meta-level based c-reductions? Q2. Similar performance gains as model checkers? Q3. Performance for c-reductions not based on full permutations (e.g. rotations)?
  18. Previous work on symmetry reduction with Maude: full symmetries in Maude [D. Rodriguez @ WRLA08]; reduction was much slower!
  19. Q1. Meta-level vs c-reductions? [plot: runtime (seconds, 0 to 90) vs. size of the system (instance parameter, 1 to 8), for meta-level and for c-reductions]
  20. Q2. Maude vs SymmSPIN? [plot: relative time reduction factor (-1.5 to 2) vs. size of the system (instance parameter, 2 to 5), for no reduction, symmSPIN, strong c-reduction and weak c-reduction]
  21. Q3. Space reduction in dining philosophers. [plot: states explored (0 to 600000) vs. size of the system (instance parameter, 2 to 9), for msg id reuse, msg abstraction, msg id reuse & permutations, and msg abstraction + philosopher rotation]
  22. WE DO IT IN... REWRITING LOGIC / MAUDE [section divider slide; word-cloud graphic as on slide 2]
  23. What is RL? A rewrite theory M is a tuple (Σ, E ∪ A, R, ϕ). System states: Σ = signature (e.g. syntax); E = equations (e.g. functions); A = axioms (e.g. ACI). System dynamics: R = rules (e.g. non-deterministic behaviour); ϕ = frozenness map (e.g. rewrite strategy).
  24. What is RL? The same tuple (Σ, E ∪ A, R, ϕ) as on slide 23, with a caveat on A: not all equivalence relations ∼ are tractable as axioms. Some assumptions: topmost rules for a designated [State] kind.
  25. The main module defining the signature and one initial state:
      --- The main module defining the signature and one initial state
      fmod BANK is
        ...
        sorts Object Message Configuration State .
        subsort Message Object < Configuration .
        op <_|_> : Nat Nat -> Object [ctor] .      --- account id and balance
        op credit : Nat -> Message [ctor] .        --- id of the target account
        op __ : Configuration Configuration -> Configuration [ctor assoc comm] .
        op none : -> Configuration [ctor] .
        op {_} : Configuration -> State [ctor frozen] .
        --- A simple initial state: two empty accounts and one credit for each
        op init : -> Configuration .
        eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .
      endfm
  26. The behavioural rules of the example (the credit rule x$ + $ ⇒ x+1$ of slide 4):
      --- The behavioural rules of the example
      mod BANK-RULES is
        inc BANK .
        vars i x : Nat .
        var c1 : Configuration .
        --- A simple rule for crediting an account: consume credit(i), increment its balance
        rl [credit] : { < i | x > credit(i) c1 } => { < i | s(x) > c1 } .
      endm
  27. Search without reduction:
      Maude> search in BANK-RULES : {init} =>* s:State .
      Solution 1 (state 0)
      s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
      Solution 2 (state 1)
      s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}
      Solution 3 (state 2)
      s:State --> {credit(0) < 0 | 0 > < 1 | 1 >}
      Solution 4 (state 3)
      s:State --> {< 0 | 1 > < 1 | 1 >}
      No more solutions.
      states: 4 rewrites: 6 in 0ms cpu (2ms real) (9523 rewrites/second)
      Solutions 2 and 3 are symmetric states.
  28. Defining canonizers
  29. c-extension: the c-extension of a rewrite theory M = (Σ, E ∪ A, R, ϕ) is M+c = (Σ ⊎ Σc, E ∪ Gc ∪ A, R, ϕc), i.e. a correct extension of R with the definition of c.
  30. c-extension (example of canonizer):
      --- The c-extension of BANK that defines the c-canonizer for object permutations
      mod BANK-C is
        ...
        op c : State -> [State] .
        vars i j x y : Nat .
        var c1 : Configuration .
        --- Apply a transposition [[ i <-> j ]] of two accounts whenever it
        --- yields a "lexicographically" smaller state (order <#), then recurse
        ceq c( { < i | x > < j | y > c1 } ) = c( { [[ i <-> j ]]( < i | x > < j | y > c1 ) } )
          if [[ i <-> j ]]( < i | x > < j | y > c1 ) <# < i | x > < j | y > c1 .
        --- No transposition improves the state: it is the canonical representative
        eq c({c1}) = {c1} [ owise ] .
      endm
  31. Identification of symmetric states:
      Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .
      result State: {credit(1) < 0 | 1 > < 1 | 0 >}
      [figure: c maps 0$ 1$ to 1$ 0$]
  32. C-reduction of a rewrite theory
  33. The c-reduction of a rewrite theory M = (Σ, E ∪ A, R, ϕ) is M/c = (Σ ⊎ Σc, E ∪ Gc ∪ A, Rc, ϕc), where Rc is made of the rules l => c(r) if cond, one for each rule l => r if cond of R. Then K(M/c) = K(M)c, the c-reduction of the Kripke structure of M.
  34. Module architecture: BANK; BANK-RULES (M); BANK-PERMUTATION; BANK-C (M+c); BANK-C-REDUCTION (M/c).
  35. c-reduction (example):
      --- The c-reduction of BANK-RULES: the same credit rule, with c applied to its right-hand side
      mod BANK-C-REDUCTION is
        inc BANK-C .
        vars i x : Nat .
        var c1 : Configuration .
        rl [credit] : { < i | x > credit(i) c1 } => c({ < i | s(x) > c1 }) .
      endm
  36. Search in the c-reduced state space:
      Maude> search in BANK-C-REDUCTION : {init} =>* s:State .
      search in BANK-C-REDUCTION : {init} =>* s:State .
      Solution 1 (state 0)
      s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
      Solution 2 (state 1)
      s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}
      Solution 3 (state 2)
      s:State --> {< 0 | 1 > < 1 | 1 >}
      No more solutions.
      states: 3 rewrites: 25 in 0ms cpu (2ms real) (53648 rewrites/second)
      [figure: the two symmetric successors of slide 27 collapse into one state]
  37. Exploiting the c-reduced state space. Another example: 4 accounts, 4 transfers for each.
      Maude> search in BANK/C : {init(4,4)} =>* s:State .
      search in BANK/C : {init(4, 4)} =>* s:State .
      ...
      states: 70 rewrites: 14333 in 26ms cpu (26ms real) (536615 rewrites/second)
      The unreduced state space has 625 states.
      Model checking example: “eventually there will be no more transfers to process, forever”.
      Maude> red modelCheck({init(4,4)}, <>[]~ some-message) .
      reduce in MUTEX-CHECK : modelCheck({init(4, 4)}, <> []~ some-message) .
      rewrites: 14485 in 17ms cpu (19ms real) (841906 rewrites/second)
      result Bool: true
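The two searches above (4 vs 3 states for init, 625 vs 70 for init(4,4)) redone in Python as an added example that is not part of the talk or of the Maude modules: a state is a tuple of (balance, pending credits) per account, the [credit] rule and the transposition-based canonizer of slide 30 are encoded directly, and explore() runs either the plain search or the c-reduced one in which every rule result r is replaced by c(r). The checks on slides 9 and 10 (s ∼ c(s), uniqueness of representatives) are also verified on one orbit.

```python
from collections import deque
from itertools import permutations

def init(n, k):
    """n accounts with balance 0 and k pending credit messages each; a state
    is a tuple of (balance, pending) pairs indexed by account id, standing
    in for the Maude configuration "{ < i | x > credit(i) ... }"."""
    return tuple((0, k) for _ in range(n))

def credit_successors(state):
    """[credit] rule: one successor per account with a pending message."""
    return [state[:i] + ((bal + 1, pend - 1),) + state[i + 1:]
            for i, (bal, pend) in enumerate(state) if pend > 0]

def canonize(state):
    """Slide-30 canonizer: swap two accounts ([[i <-> j]]) whenever that gives
    a lexicographically smaller state ('<#' is Python's tuple order here),
    until no swap helps.  The fixpoint is the sorted tuple, so c is strong."""
    s = list(state)
    improved = True
    while improved:
        improved = False
        for i in range(len(s)):
            for j in range(i + 1, len(s)):
                t = s[:]
                t[i], t[j] = t[j], t[i]
                if t < s:
                    s, improved = t, True
    return tuple(s)

def explore(start, canon=lambda s: s):
    """BFS over reachable states; returns their number.  With canon=canonize
    each rule result r becomes c(r), i.e. the rules 'l => c(r)' of M/c."""
    seen, queue = {start}, deque([start])
    while queue:
        for r in credit_successors(queue.popleft()):
            r = canon(r)
            if r not in seen:
                seen.add(r)
                queue.append(r)
    return len(seen)

def is_strong_canonizer(state):
    """Slides 9-10 on one orbit: c(s) is a permutation of s (s ~ c(s)) and all
    permutations of s share the representative (uniqueness = strong)."""
    rep = canonize(state)
    return sorted(rep) == sorted(state) and all(
        canonize(p) == rep for p in permutations(state))
```

explore(init(2, 1)) gives 4 and explore(init(2, 1), canonize) gives 3, matching slides 27 and 36; explore(init(4, 4)) and explore(init(4, 4), canonize) give 625 and 70, matching slide 37.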
  38. CHECKING CORRECTNESS OF REDUCTIONS [section divider slide; word-cloud graphic as on slide 2]
  39. Does c provide a correct c-reduction? Th 1. “K(M/c) is bisimilar to K(M)” (desiderata). Lemma 0. “Relation ∼ is an equivalence relation”. Lemma 1. “Relation ∼ is a bisimulation”. Lemma 2. “Function c is a ∼-canonizer”. Proof plan for group-theoretic reductions: (i) check that the action of the group is correct; (ii) check that ∼ strongly preserves AP; (iii) check that ∼ and R “commute”; (iv) check that c is a ∼-canonizer.
  40. Group-theoretic equivalence relations: the action ⟦ ⟧ of a group G on the set of states S defines an equivalence relation: s ∼ s' iff ⟦f⟧(s) = s' for some f ∈ G.
  41. Modules and checks. [diagram]
  42. Modules and checks. [diagram]
  43. (ii) Checking that ∼ strongly preserves AP. IDEA: define a rewrite theory M/G to “move” inside orbits: M/G = (Σ ⊎ ΣG, E ∪ EG ∪ A, RM/G, ϕ) where RM/G = { s => [[g]](s) | g in H }. Theorem: ∼ strongly preserves AP if AP is stable in R∼.
  44. Can we check such stability automatically? Yes, with InvA (under some conditions):
      --- The atomic proposition two-dollars holds when some account has at least 2$
      fmod BANK-AP is
        eq [two-dollars-eq] : two-dollars({ < i | s(s(x)) > c1 }) = true .
      endfm
      --- The group action as a rewrite rule: transpose two accounts
      mod BANK-PERMUTATION-RULES is
        rl [transposition] : { < i | x > < j | y > c1 } => { [[ i <-> j ]] ( < i | x > < j | y > c1) } .
      endm
      Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)
      rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)
      Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...
      Proof obligations generated: 2
      Proof obligations discharged: 2
      Success!
      For non-discharged proof obligations one can use the Maude ITP tool.
  45. Step III: Checking...
  46. Modules and checks. [diagram]
  47. (iii) Checking that ∼ and R commute. For all M/G-transitions u → u' and for all M-transitions from u to v; for all M/G-rules l => r and for all M-rules l' => r'. [commuting-square diagrams over u, v and over θ(l), θ(r), with M edges and M/G (∗) edges] Similar functionalities (e.g. critical pair generation) are already available in some Maude tools (e.g. in the Coherence Checker).
  48. (iii) Checking that ∼ and R commute. How do we check joinability of critical pairs (R rules vs R∼)? For each M/G-rule l => r and each M-rule l' => r' do: compute the MGUs θ for l = l'; for each θ do: compute the transitions θ(r) → θ(vi) and check whether at least one θ(vi) is reachable from θ(r'). [diagram: θ(l), θ(r), θ(r'), v1 ... vn with M and M/G edges] NOTE 1: this can be done using Maude's unify and search commands. NOTE 2: we are currently implementing a tool for this.
  49. Conclusion
  50. [section divider slide; word-cloud graphic as on slide 2]
  51. Preliminary version presented at WRLA 2012; conference version presented at ICFEM 2012. Yet more work is to be done... Better integration in Maude: conciliate with other state space reduction techniques; tool support and its integration in MFE. Beyond group-theoretic symmetries: abstractions that yield bisimulations? Axiomatisations of bisimulations in process algebras? Beyond bisimulation: weak bisimulation? Trace equivalence (for LTL)?
  52. Thanks! alberto.lluch@imtlucca.it; http://www.albertolluch.com; http://www.linkedin.com/in/albertolluch; http://www.imtlucca.it/alberto.lluch+lafuente. State Space C-Reductions (full manuscript): http://eprints.imtlucca.it/1350/
