State Space c-Reductions of Concurrent Systems in Rewriting Logic @ ETAPS Workshop WRLA 2013


We present c-reductions, a state space reduction technique. The rough idea is to exploit some equivalence relation on states (possibly capturing system regularities) that preserves behavioral properties, and explore the induced quotient system. This is done by means of a canonizer function, which maps each state into one (of the) canonical representative(s) of its equivalence class. The approach exploits the expressiveness of rewriting logic and its realization in Maude to enjoy several advantages over similar approaches: flexibility and simplicity in the definition of the reductions (supporting not only traditional symmetry reductions, but also name reuse and name abstraction); reasoning support for checking and proving correctness of the reductions; and automatization of the reduction infrastructure via Maude's meta-programming features. The approach has been validated over a set of representative case studies, exhibiting comparable results with respect to other tools.



  1. State Space C-Reductions of Concurrent Systems in Rewriting Logic. Alberto Lluch, Andrea Vandin (IMT Lucca), José Meseguer (UIUC). International Workshop on Rewriting Logic and its Applications (WRLA12), Tallinn, March 24-25, 2012.
  2. state space explosion: 1 binary counter has 2 states; 1 n-ary counter has n states (data abstraction); m n-ary counters have n^m states! (symmetries, concurrency, etc.)
  3. running example: $ = transfer of 1$; x$ = account with x$.
  4. credit rule: an account with x$ that receives a $ transfer becomes an account with x+1$.
  5. Isomorphic... but syntactically different. (figure: from the state 0$ 0$ with two pending transfers, the two successor states 1$ 0$ and 0$ 1$ are isomorphic but syntactically different; both lead to 1$ 1$)
  6. symmetries in state space exploration problems
  7. some tools with symmetry reduction: Murphy [Ip&Dill@FMSD96]; Symmetric SPIN [Bosnacki et al.@SPIN00]; TopSPIN [Donaldson et al.@AMAST06]; Groove [Rensink@GRABATS06]; MiHDa [Montanari et al.@FMCO02]; PRISM-symm [Ball et al.@CAV06]; planners, constraint solvers, etc.
  8. some drawbacks: ✗ symmetries denoted with extra primitives; ✗ limited, fixed symmetry classes; ✗ rigid “flexibility” vs “guarantees” tradeoff; ✗ complex changes to the model checker; ✗ unofficial extensions of model checkers; ✗ no support for checking correctness.
  9. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  11. A Kripke structure is a tuple K = (S, →, L, AP) such that: S is a set of states; → ⊆ S × S is a transition relation; AP are atomic propositions; L: S → 2^AP maps states into AP subsets. (figure: the running example labelled with p = there is some empty account, q = there are one or less dollars around)
  12. A bisimulation between two Kripke structures K and H is a binary relation ∼ ⊆ SK × SH such that: s ∼ s' implies LK(s) = LH(s'); s →K r implies s' →H r' and r ∼ r' for some r'; and vice versa. (figure: the two labelled running-example structures side by side, related state by state)
  13. A ∼-canonizer for a Kripke structure K and an equivalence (bisimulation) relation ∼ ⊆ S × S is a function c : S → S such that s ∼ c(s) for all states s. (figure: c maps the symmetric states 1$ 0$ and 0$ 1$ onto one of them)
  14. A ∼-canonizer is strong if s ∼ s' implies c(s) = c(s') (i.e. if canonical representatives of ∼-equivalence classes are unique); otherwise we call it weak. (figure: the six permutations of the accounts 1$ 2$ 3$, all mapped by c onto a single representative)
  15. The c-reduction of a Kripke structure K = (S, →, L, AP) is Kc = (S, →;c, L, AP). (figure: the running example where each transition is followed by an application of c)
  16. Th. If c is a ∼-canonizer then Kc ∼ K.
  17. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  18. some symmetry reductions captured: full symmetries; rotational symmetries; name reuse (garbage collection); name abstraction.
  19. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  20. What is RL? A rewrite theory R is a tuple (Σ, E ∪ A, R, ϕ): Σ = signature (e.g. syntax); E = equations (e.g. functions); A = axioms (e.g. ACI); R = rules (e.g. non-deterministic behaviour); ϕ = frozenness map (e.g. rewrite strategy). Not all equivalence relations ∼ are tractable as axioms. Some assumptions: R has good executability properties; topmost rules for a designated [State] kind.
  21. The main module defining the signature and one initial state:
     --- The main module defining the signature and one initial state
     fmod BANK is
       ...
       sorts Object Message Configuration State .
       subsort Message Object < Configuration .
       op <_|_> : Nat Nat -> Object [ctor] .
       op credit : Nat -> Message [ctor] .
       op __ : Configuration Configuration -> Configuration [ctor assoc comm] .
       op none : -> Configuration [ctor] .
       op {_} : Configuration -> State [ctor frozen] .
       --- A simple initial state: two accounts with 0$ and two pending transfers
       op init : -> Configuration .
       eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .
     endfm
  22. The behavioural rules of the example (the credit rule x$ → x+1$):
     --- The behavioural rules of the example
     mod BANK-RULES is
       inc BANK .
       vars i x : Nat .
       vars c1 : Configuration .
       --- A simple rule for crediting an account
       rl [credit] : { < i | x > credit(i) c1 } => { < i | s(x) > c1 } .
     endm
  23. search without reduction (solutions 2 and 3 are symmetric states):
     Maude> search in BANK-RULES : {init} =>* s:State .

     Solution 1 (state 0)
     s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}

     Solution 2 (state 1)
     s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}

     Solution 3 (state 2)
     s:State --> {credit(0) < 0 | 0 > < 1 | 1 >}

     Solution 4 (state 3)
     s:State --> {< 0 | 1 > < 1 | 1 >}

     No more solutions.
     states: 4  rewrites: 6 in 0ms cpu (2ms real) (9523 rewrites/second)
  24. c-extension. The c-extension of a rewrite theory R = (Σ, E ∪ A, R, ϕ) is Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A, R, ϕc), i.e. a correct extension of R with the definition of c.
  25. module architecture: BANK; BANK-RULES (R); BANK-C (Rc).
  26. c-extension (example of canonizer):
     --- The c-extension of BANK that defines the c-canonizer for object permutations
     mod BANK-C is
       ...
       op c : State -> [State] .
       vars i j x y : Nat .
       vars c1 : Configuration .
       --- Swap two account ids whenever the swapped state is smaller (w.r.t. <#)
       ceq c( { < i | x > < j | y > c1 } ) = c( { [[ i <-> j ]]( < i | x > < j | y > c1 ) } )
         if [[ i <-> j ]]( < i | x > < j | y > c1 ) <# < i | x > < j | y > c1 .
       eq c({c1}) = {c1} [owise] .
     endm
  27. module architecture: BANK; BANK-RULES (R); BANK-PERMUTATION; BANK-C (Rc).
  28. c-extension (example of transpositions):
     --- Implementation of object permutations
     fmod BANK-PERMUTATION is
       ...
       op [[_<->_]]_ : Nat Nat Configuration -> Configuration [frozen] .
       op [[_<->_]]_ : Nat Nat Nat -> Nat .
       --- A transposition acts homomorphically on configurations ...
       eq [[ i <-> j ]](none) = none .
       eq [[ i <-> j ]](obj1 c1) = ([[ i <-> j ]](obj1)) ([[ i <-> j ]](c1)) .
       eq [[ i <-> j ]](msg1 c1) = ([[ i <-> j ]](msg1)) ([[ i <-> j ]](c1)) .
       eq [[ i <-> j ]](< k | x >) = < [[ i <-> j ]](k) | x > .
       eq [[ i <-> j ]](credit(k)) = credit([[ i <-> j ]](k)) .
       --- ... and swaps the two ids, leaving every other id untouched
       eq [[ i <-> j ]](i) = j .
       eq [[ i <-> j ]](j) = i .
       ceq [[ i <-> j ]](k) = k if i =/= k /\ j =/= k .
     endfm
  29. Identification of symmetric states (figure: c maps 0$ 1$ onto 1$ 0$):
     Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .
     result State: {credit(1) < 0 | 1 > < 1 | 0 >}
  30. The c-reduction of a rewrite theory R = (Σ, E ∪ A, R, ϕ) is R^c = (Σ ⊎ Σc, E ∪ Gc ∪ A, Rc, ϕc), where Rc is made of one rule l => c(r) if cond for each rule l => r if cond of R. Its Kripke structure is the c-reduction of the original one: K(R^c) = K(R)^c.
  31. module architecture: BANK; BANK-RULES (R); BANK-PERMUTATION; BANK-C (Rc); BANK-C-REDUCTION (R^c).
  32. c-reduction (example):
     --- The c-reduction of BANK-RULES
     mod BANK-C-REDUCTION is
       inc BANK-C .
       --- The credit rule, with the canonizer applied to the right-hand side
       rl [credit] : { < i | x > credit(i) c1 } => c({ < i | s(x) > c1 }) .
     endm
  33. search in c-reduced state space (the two symmetric states collapse into one):
     Maude> search in BANK-C-REDUCTION : {init} =>* s:State .

     Solution 1 (state 0)
     s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}

     Solution 2 (state 1)
     s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}

     Solution 3 (state 2)
     s:State --> {< 0 | 1 > < 1 | 1 >}

     No more solutions.
     states: 3  rewrites: 25 in 0ms cpu (2ms real) (53648 rewrites/second)
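The unreduced search of slide 23 and the c-reduced search above, replayed in an added Python model that is not the authors' Maude code: a state is a tuple of accounts plus pending credits, `rename` plays the role of `[[ i <-> j ]]`, `canonize_local` follows the BANK-C strategy and `canonize_strong` the enumeration strategy of slide 52. It assumes Python's tuple order in place of the slides' unspecified `<#` order, so the representative it picks may differ from the one on slide 29.

```python
from itertools import permutations, combinations

# Constructed Python model of the BANK example (not the authors' Maude code).
# A state is (accounts, credits): accounts is a tuple of (id, balance) sorted
# by id; credits is a sorted tuple of ids with a pending credit message.
# Assumption: Python tuple order plays the role of the slides' `<#` order.

def init_state(n):
    """n accounts holding 0$ with one pending credit each, like `init`."""
    return (tuple((i, 0) for i in range(n)), tuple(range(n)))

def successors(state):
    """Rule [credit]: consume credit(i) and increment account i's balance."""
    accts, credits = state
    return [(tuple((j, b + 1 if j == i else b) for j, b in accts),
             credits[:k] + credits[k + 1:]) for k, i in enumerate(credits)]

def rename(state, perm):
    """Group action [[perm]]: rename account ids in objects and messages."""
    accts, credits = state
    return (tuple(sorted((perm[j], b) for j, b in accts)),
            tuple(sorted(perm[i] for i in credits)))

def canonize_strong(state):
    """Enumeration strategy: min over all permutations (strong canonizer)."""
    ids = [j for j, _ in state[0]]
    return min(rename(state, dict(zip(ids, p))) for p in permutations(ids))

def canonize_local(state):
    """Local strategy like BANK-C: swap two ids while the state decreases."""
    ids = [j for j, _ in state[0]]
    improved = True
    while improved:
        improved = False
        for a, b in combinations(ids, 2):
            perm = {j: j for j in ids}
            perm[a], perm[b] = b, a
            cand = rename(state, perm)
            if cand < state:
                state, improved = cand, True
    return state

def explore(init, canonizer=lambda s: s):
    """Search from init; every successor is canonized (rule l => c(r))."""
    seen, frontier = {init}, [init]
    while frontier:
        for t in map(canonizer, successors(frontier.pop())):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

if __name__ == "__main__":
    for n in range(2, 6):   # 2**n states unreduced vs n + 1 reduced
        print(n, len(explore(init_state(n))),
              len(explore(init_state(n), canonize_strong)),
              len(explore(init_state(n), canonize_local)))
```

For two accounts the model reproduces the 4 vs 3 states of the two searches; with n accounts the unreduced space has 2^n states and the reduced one n+1.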
  34. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  35. Does c provide a correct c-reduction? Th 1. “K(R^c) is bisimilar to K(R)” (desiderata). Lemma 0. “Relation ∼ is an equivalence relation”. Lemma 1. “Relation ∼ is a bisimulation”. Lemma 2. “Function c is a ∼-canonizer”. Proof plan for group-theoretic reductions: (i) check that the action of the group is correct; (ii) check that ∼ strongly respects AP; (iii) check that ∼ and R “commute”; (iv) check that c is a ∼-canonizer.
  36. modules and checks: BANK; BANK-RULES (R); BANK-AP; BANK-PERMUTATION (R∼), check (i); BANK-C (Rc), check (iv); BANK-PERMUTATION-RULES (R∼), checks (ii) and (iii); BANK-C-REDUCTION (R^c).
  37. group theoretic equivalence relations. The action ⟦∙⟧ of a group G on S defines an equivalence relation: s ∼ s' iff ⟦f⟧(s) = s' for some f ∈ G.
  38. modules and checks (check (i) on BANK-PERMUTATION): BANK; BANK-RULES (R); BANK-AP; BANK-PERMUTATION (R∼); BANK-C (Rc); BANK-PERMUTATION-RULES (R∼); BANK-C-REDUCTION (R^c).
  39. (i) Checking group actions. Implement the action ⟦∙⟧ of G on S as [[_]]_ : G State -> State ... but we just need to implement the action of the generators. Check that we actually have a group action by showing ⟦g⟧⟦g⁻¹⟧(s) = s for each generator g of G. HINT: induction on S (structure of states). For example, in the case of permutations one has to show [[ i <-> j ]]([[ i <-> j ]](s)) = s.
  40. (i) Checking group actions. Implement the action ⟦∙⟧ of G on S as [[_]]_ : G State -> State ... but we just need to implement the action of the generators. Check that we actually have a group action by showing: ⟦e⟧(s) = s, for e the identity of G; ⟦g ∘ g'⟧(s) = ⟦g⟧(⟦g'⟧(s)) for each pair of generators g, g' of G; ⟦g⟧⟦g⁻¹⟧(s) = s for each generator g of G. HINT: induction on G (generators) and S (structure of states).
  41. modules and checks (check (ii) on BANK-AP and BANK-PERMUTATION-RULES): BANK; BANK-RULES (R); BANK-AP; BANK-PERMUTATION (R∼); BANK-C (Rc); BANK-PERMUTATION-RULES (R∼); BANK-C-REDUCTION (R^c).
  42. (ii) Checking that ∼ strongly preserves AP. IDEA: define a rewrite theory R∼ to “move” inside orbits: R∼ = (Σ ⊎ Σ∼, E ∪ E∼ ∪ A, R∼, ϕ) where R∼ = { s => [[g]](s) }. Theorem: ∼ strongly preserves AP if AP is stable in R∼.
  43. Can we check such stability automatically? Yes, with InvA (under some conditions). For non-discharged proof obligations one can use the Maude ITP tool.
     fmod BANK-AP is
       --- The atomic proposition: some account holds at least two dollars
       eq [two-dollars-eq] : two-dollars({ < i | s(s(x)) > c1 }) = true .
     endfm
     mod BANK-PERMUTATION-RULES is
       --- R~: move inside an orbit by applying a transposition
       rl [transposition] : { < i | x > < j | y > c1 } => { [[ i <-> j ]]( < i | x > < j | y > c1 ) } .
     endm
     Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)
     rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)
     Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...
     Proof obligations generated: 2
     Proof obligations discharged: 2
     Success!
  44. modules and checks (check (iii) on BANK-RULES and BANK-PERMUTATION-RULES): BANK; BANK-RULES (R); BANK-AP; BANK-PERMUTATION (R∼); BANK-C (Rc); BANK-PERMUTATION-RULES (R∼); BANK-C-REDUCTION (R^c).
  45. (iii) Checking that ∼ and R commute. (diagram) For all equivalent states u, u' and for all R-transitions from u to v: there is an R-transition from u' to some v' equivalent to v.
  46. (iii) Checking that ∼ and R commute. (diagram) For all R∼-reachable pairs of states u →R∼* u' and for all R-transitions from u to v: u' has an R-transition to some v' with v →R∼* v'.
  47. (iii) Checking that ∼ and R commute. (diagram) For all R∼-transitions u → u' and for all R-transitions from u to v: the square is closed one R∼-step at a time (u1 → v1, u2 → v2, ...) until u' → v'.
  48. Consider: each R-rule l => r and each R∼-rule l' => r' such that θ(l) ≡A θ(l'). (diagram) From the common instance, the R-step reaches θ(r) and the R∼-step reaches θ(r'); the pair must be joinable in a state w via R∼* and R.
  49. (iii) Checking that ∼ and R commute. (diagram) For all R∼-transitions u → u' and for all R-transitions from u to v; for all R∼-rules l' => r' and all R-rules l => r, the instances θ(r) and θ(r') must be joinable. Similar functionalities (e.g. critical pair generation) are already available in some Maude tools (e.g. in the Coherence Checker).
  50. (iii) Checking that ∼ and R commute. IDEA: show joinability of critical pairs (R rules vs R∼). Theorem: if all such pairs are joinable, ∼ is a bisimulation.
  51. modules and checks (check (iv) on BANK-C): BANK; BANK-RULES (R); BANK-AP; BANK-PERMUTATION (R∼); BANK-C (Rc); BANK-PERMUTATION-RULES (R∼); BANK-C-REDUCTION (R^c).
  52. (iv) checking that c is a ∼-canonizer. IDEA: exploit the form of typical reduction strategies. Local strategies: c({t}) = c([[g]]({t})) if [[g]]({t}) < {t}; c({t}) = {t} [owise]. Enumeration strategies: c({t}) = min{ [[f]]({t}) | f ∈ G }.
  53. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  54. typical space reduction (plot: states explored against size of the system, for no reduction, strong reduction and weak reduction)
  55. typical time reduction (plot: runtime against size of the system, for no reduction, strong reduction and weak reduction)
  56. will we have the same in Maude? Full symmetries in Maude [D.Rodriguez@WRLA08].
  57. will we have the same in Maude? Q1. Overhead of meta-level based c-reductions? Q2. Similar performance gains as model checkers? Q3. Performance for c-reductions not based on full permutations (e.g. rotations)?
  58. Q1. meta-level vs ad-hoc? (plot: runtime in seconds, 0 to 90, against size of the system (instance parameter) 1 to 8, for meta-level and ad-hoc c-reductions)
  59. Q2. Maude vs SymmSPIN? (plot: relative time reduction factor, -1 to 2, against size of the system (instance parameter) 2 to 4, for no reduction, symmSPIN, strong c-reduction and weak c-reduction)
  60. Q3. space reduction in dining philosophers?
  61. Dining philosophers (rotational symmetries) (figure: a ring of philosophers; legend: philosopher eating, philosopher resting)
  62. Dining philosophers (msg. ids) (figure: message ids 1 2 3 4 and their renaming 4 3 ...; equivalences: ∼ msg id reuse, ∼ msg id permutation, ∼ msg id abstraction)
  63. Q3. space reduction in dining philosophers (plot: states explored, 0 to 600000, against size of the system (instance parameter) 2 to 9, for msg id reuse, msg abstraction, msg id reuse & permutations, and msg abstraction + philosopher rotation)
  64. Q3. time reduction in dining philosophers (plot: states explored against size of the system (instance parameter) 7 to 9, for msg reuse & permutation, msg abstraction, and msg abstraction + philosopher rotation)
  65. Q1. Overhead of meta-level based c-reductions? ✔ Significant improvement when not resorting to the meta-level. Q2. Performance against model checkers? ✔ Similar in space reduction; ✔ comparable time reduction. Q3. Performance for c-reductions not based on full permutations (e.g. rotations)? ✔ Significant space gains in the rotational case.
  66. conclusion
  67. Can we use rewriting logic to... (i) generalize symmetry reduction techniques? ✔ Define the c-reduction of a Kripke structure; ✔ c-reductions subsume typical symmetry reductions. (ii) provide some advantages? ✔ Define c-reductions using equations (not in the engine); ✔ provide a tool-supported verification methodology. (iii) provide a faster state space exploration? ✔ Many experiments.
  68. Related work (Maude). Full symmetries in Maude [D.Rodriguez@WRLA08]: ✔ full object permutations, meta-representation order; ✭ more symmetries and examples, no meta-representation order, verification methodology. Equational abstractions [Palomino et al.@JLAP10]: ✔ identify states to reduce state space; ✭ bisimulation, reduction application control.
  69. Related work (ii). SymmSPIN et al. [Bosnacki et al.@SPIN01]: ✔ heuristics for canonizers; ✭ no extension needed, object references allowed, formal checks. Groove [Rensink@GRABATS06]: ✔ up-to-isomorphism GTS; ✭ programmable reductions, not just iso. HD-automata [Montanari et al.@TCS05]: ✔ name reuse techniques; ✭ on-the-fly reduction, algebraic state structure.
  70. Current and Future Work. Better integration in Maude: conciliate with other state space reduction techniques (equational abstractions, partial order reduction); tool support and its integration in MFE. Beyond group theoretic symmetries: abstractions that yield bisimulations? Exploit axiomatisations of bisimulation for process algebras? Beyond bisimulation: weak bisimulation? Trace equivalence (for LTL)?
  71. http://sysma.lab.imtlucca.it/tools/c-reducer/
  72. thanks!
  73. alberto.lluch@imtlucca.it, linkedin.com/in/albertolluch
