State Space c-Reductions of Concurrent Systems in Rewriting Logic @ ETAPS Workshop WRLA 2013

Alberto Lluch, Andrea VandinIMT Lucca

State Space C-Reductionsof Concurrent Systems in Rewriting Logic

International Workshop on Rewriting Logic and its Applications (WRLA'12)Tallin, March 24-25, 2012

José MeseguerUIUC

typical space reduction

no reductionstrong reductionweak reduction

states explored

size of the system

state space explosion

1 binary counter has ... 2 states

1 n-ary counter has ... n states (data abstraction)

m n-ary counters Mn states! (symmetries, concurrency, etc.)

0 3 8 6...

running example

x$

$ = transfer of 1$

= account with x$

credit rule

x$

$

x+1$

1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

Isomorphic...

but syntactically different

Isomorphic...

but syntactically different

symmetries in state space exploration problems

some tools with symmetry reduction

Murphy [Ip&Dill@FMSD'96]; Symmetric SPIN [Bosnacki et al.@SPIN'00]; TopSPIN [Donaldson et al.@AMAST'06]; Groove [Rensink@GRABATS'06]; MiHDa [Montanari et al.@FMCO'02]; PRISM-symm [Ball et a@CAV06]; Planners, constraint solvers, etc.

some drawbacks

✗ Symmetries denoted with extra primitives;

✗ Limited, fixed symmetry classes;

✗ Rigid “flexibility” vs “guarantees” tradeoff;

✗ Complex changes to model checker;

✗ Unofficial extensions of model checkers;

✗ No support for checking correctness.

Can we use rewriting logic to...

(i) generalize symmetry reduction techniques?

✔ Define the c-reduction of a Kripke structure;

✔ C-reductions subsume typical symmetry reductions.

(ii) provide some advantages?

✔ Define c-reductions using equations (not in the engine);

✔ Provide a tool supported verification methodology.

(iii) provide a faster state space exploration?

✔ Many experiments.










1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

p

p,q p,q

q p = there is some empty account

q = there are one or less dollars around

A Kripke structure is a tuple K = (S , → , L, AP) such that S is a set of states;

→ ⊆ S × S is a transition relation;

AP are atomic propositions;

L: S → 2AP maps states into AP subsets.

1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

0$

$

1$

0$

$

0$

$

1$ 1$

A bisimulation between two Kripke structures K and H

is a binary relation ∼ ⊆ SK × SH such that s∼s' implies

LK(s) = LH(s');

s →K r implies s' →H r' and r∼r' for some r';

vice versa.

s →K r

s' →H r'≀ ≀

p

p,q p,q

q

p

p,q

q

1$ 0$

$

0$

$

1$

c

A ∼-canonizer for

– a Kripke structure K

– and an equivalence (bisimilation) relation ∼ ⊆ S × S

is a function c : S → S such that s∼c(s) for all states s.

c

A ∼-canonizer is strong if s∼s' implies c(s) = c(s')

(i.e. if canonical representatives of ∼-equivalence classes are unique)

3$2$1$

2$3$1$

1$2$3$

3$1$2$

2$1$3$

1$3$2$

cc

c

c

c

otherwise we call them weak.

3$2$1$

2$3$1$

1$2$3$

3$1$2$

2$1$3$

1$3$2$

c

c

c

The c-reduction of a Kripke structure

K = (S , → , L, AP)

is

Kc = (S , →;c , L, AP)

1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

c

Th. If c is a ∼-canonizer then Kc ∼ K.










some symmetry reductions captured

Full symmetries; Rotational symmetries; Name reuse (garbage collection); Name abstraction.










What is RL?

A rewrite theory R is a tuple (Σ , E ∪ A , R , ϕ) Σ = signature (e.g. syntax); E = equations (e.g. functions); A = axioms (e.g. ACI); R = rules (e.g. non deterministic behaviour); ϕ = frozennes map (e.g. rewrite strategy).

Some assumptions: R has good executability properties; Topmost rules for a designated [State] kind.

Not all equivalence relations ∼

are tractable as axioms

Not all equivalence relations ∼

are tractable as axioms

--- The main module defining the signature and one initial state

fmod BANK is

...

sorts Object Message Configuration State .

subsort Message Object < Configuration .

op <_|_> : Nat Nat -> Object [ctor] .

op credit : Nat -> Message [ctor] .

op __ : Configuration Configuration -> Configuration [ctor assoc comm] .

op none : -> Configuration [ctor] .

op {_} : Configuration -> State [ctor frozen] .

--- A simple initial state

op init : -> Configuration .

eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .

endfm

0$

$

0$

$

--- The behavioural rules of the example

mod BANK-RULES is

inc BANK .

vars i x : Nat .

vars c1 : Configuration .

--- A simple rule for crediting an account

rl [credit] :

{ credit(i) c1 }

=> { c1 } .

endm

x$

$

x+1$

search without reductionMaude> search in BANK-RULES : {init} =>* s:State .

Solution 1 (state 0)

s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}


s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}


s:State --> {credit(0) < 0 | 0 > < 1 | 1 >}


s:State --> {< 0 | 1 > < 1 | 1 >}

No more solutions.

states: 4 rewrites: 6 in 0ms cpu (2ms real) (9523 rewrites/second)

symmetric states

1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

c-extension

The c-extension of a rewrite theory

R = (Σ, E ∪ A , R, ϕ)

is

Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , R , ϕc)

i.e. a correct extension of R with the definition of c.

BANK

module architecture

BANK-RULES (R)

BANK-C (Rc)

c-extension (example of canonizer)--- The c-extension of BANK that defines the c-canonizer for object permutations

mod BANK-C is

...

op c : State -> [State] .

vars i j x y : Nat .

vars c1 : Configuration .

ceq c( { < j | y > c1 } )

= c( { [[ i <-> j ]]( < j | y > c1 ) } )

if [[ i <-> j ]]( < j | y > c1 )

<# < j | y > c1 .

eq c({c1}) = {c1} [ owise ] .

endm

BANK

module architecture

BANK-RULES (R) BANK-PERMUTATION

BANK-C (Rc)

c-extension (example of transpositions)--- Implementation of object permutations

fmod BANK-PERMUTATION is

...

op [[_<->_]] _ : Nat Nat Configuration -> Configuration [frozen] .

op [[_<->_]] _ : Nat Nat Nat -> Nat .

eq [[ i <-> j ]](none) = none .

eq [[ i <-> j ]](obj1 c1) = ([[ i <-> j ]](obj1)) ([[ i <-> j ]](c1)) .

eq [[ i <-> j ]](msg1 c1) = ([[ i <-> j ]](msg1)) ([[ i <-> j ]](c1)) .

eq [[ i <-> j ]](< k | x >) = < [[ i <-> j ]](k) | x > .

eq [[ i <-> j ]](credit(k)) = credit([[ i <-> j ]] k) .

eq [[ i <-> j ]](i) = j .

eq [[ i <-> j ]](j) = i .

ceq [[ i <-> j ]](k) = k if (i != k) /\ (j != k) .

endfm

Identification of symmetric states

Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .

result State: {credit(1) < 0 | 1 > < 1 | 0 >}

0$ 1$

$

1$

$

0$

c

The c-reduction of a rewrite theory

R = (Σ, E ∪ A , R , ϕ )

is

Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , Rc , ϕc)

where Rc is made of rules

l => c(r) if cond

for each rule of R

l => r if cond

K(Rc) = Kc(R)K(Rc) = K

c(R)

BANK

module architecture

BANK-RULES (R) BANK-PERMUTATION

BANK-C (Rc)

BANK-C-REDUCTION (Rc)

c-reduction (example)

--- The c-reduction of BANK-RULES

mod BANK-C-REDUCTION is

inc BANK-C .

rl [credit] :

{ credit(i) c1 }

=> c({ c1 }) .

endm

search in c-reduced state spaceMaude> search in BANK-C-REDUCTION : {init} =>* s:State .

search in BANK-C-REDUCTION : {init} =>* s:State .


s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}


s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}


s:State --> {< 0 | 1 > < 1 | 1 >}

No more solutions.

states: 3 rewrites: 25 in 0ms cpu (2ms real) (53648 rewrites/second)

1$ 0$

$

0$

$

1$

0$

$

0$

$

1$ 1$

c










Th 1. “K(Rc) is bisimilar to K(R)” (desiderata)

Lemma 0. “Relation ∼ is an equivalence relation”

(i) Check that the action of the group is correct.

Lemma 1. “Relation∼ is a bisimulation”

(ii) Check that ∼ strongly respects AP;

(iii) Check that ∼ and R “commute”.

Lemma 2. “Function c is a ∼-canonizer”

(iv) Check that c is a ∼-canonizer.

Does c provide a correct c-reduction?

Proof plan for

group-theoretic

reductions

BANK

modules and checks

BANK-RULES (R)BANK-AP

BANK-PERMUTATION-RULES (R∼)

BANK-PERMUTATION (R∼)

BANK-C (Rc)


check (i)

check (ii)

check (iii)check (iv)

The action ⟦∙⟧ of a group G on S defines an equivalence relation:

s∼s' iff ⟦ f ⟧(s) = s' for some f ∈ G.

group theoretic equivalence relations

BANK

modules and checks




BANK-C (Rc)


check (i)

(i) Checking group actions

Implement the action ⟦∙⟧ of G on S as

[[_]]_ : G State ->State .

… but we just need to implement the action of the generators.

Check that the we actually have a group action by showing:⟦g⟧⟦g-1⟧(s) = s for each generator g of G.

HINT: induction on S (structure of states).

For example, in the case of permutations one has to show

[[ i <-> j]] ([[ i <-> j]] (s)) = s

(i) Checking group actions

Implement the action ⟦∙⟧ of G on S as

[[_]]_ : G State ->State .

… but we just need to implement the action of the generators.

Check that the we actually have a group action by showing:

⟦e⟧(s) = s, for e the identity of G;

⟦g ∘ g'⟧(s) = ⟦g⟧(⟦g'⟧(s)) for each pair of generators g, g' of G;

⟦g⟧⟦g-1⟧(s) = s for each generator g of G.

HINT: induction on G (generators ) and S (structure of states).

BANK

modules and checks




BANK-C (Rc)


check (ii)

(ii) Checking that ∼ strongly preserves AP

IDEA: Define a rewrite theory R∼ to “move” inside orbits:

R∼ = (Σ ⊎ Σ∼

, E ∪ E∼ ∪ A , R∼ , ϕ)

where R∼

= { s => [[g]](s) }

Theorem: ∼ strongly preserves AP if AP is stable in R∼.

Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)

rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)

Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...

Proof obligations generated: 2

Proof obligations discharged: 2

Success!

Can we check such stability automatically?

Yes, with InvA (under some conditions)

fmod BANK-AP is

eq [two-dollars-eq] : two-dollars({ c1 }) = true .

endfm

fmod BANK-PERMUTATION-RULES is

rl [transposition] : { < j | y > c1 }

=> { [[ i <-> j ]] ( < j | y > c1) } .

endm

For non discharged proof obligations

one can use the Maude ITP tool

For non discharged proof obligations

one can use the Maude ITP tool

BANK

modules and checks




BANK-C (Rc)


check (iii)

v'

v

u'

uR

R

(iii) Checking that ∼ and R commute

For all equivalent states u, u' and for all R-transitions from u to v.

v'

v

u'

u

R∼

R

* R *R∼


For all R∼reachable pairs of states u->u' and for all R-transitions from u to v.

v'

v

u'

uR

u1'R

R

R

v1'

u2' v2'*R∼

R∼


*

R∼

R∼

For all R∼-transitions u->u' and for all R-transitions from u to v.

w

θ(r)

θ'(r')

θ(l)R

R

R∼*

R∼

θ'(l')

Consider:

Each R-rules from l => r

Each R∼-rules l' => r'

≡A

v'

v

u'

uR

R

R∼


*R∼

For all R∼-transitions u → u' and

for all R-transitions from u to v.

For all R∼-rules l' => r' and

for all R-rules from l => r.

Similar functionalities (e.g. critical pair generation)

are already available in some Maude tools

(e.g. in the Coherence Checker).

Similar functionalities (e.g. critical pair generation)

are already available in some Maude tools

(e.g. in the Coherence Checker).v'

θ(r)

θ'(r')

θ(l)R

R

R∼*

R∼


IDEA: Show joinability of critical pairs (R rules vs R∼)

Theorem: If all such pairs are joinable, ∼ is a bisimulation

BANK

modules and checks




BANK-C (Rc)


check (iv)

(iv) checking that c is a ∼-canonizer

c({t}) = c([[g]]({t})) if [[g]]({t})<{t}

c({t}) = {t} [owise]

c({t}) = min{[[f]]({t})}

Local strategies

Enumeration strategies

IDEA: Exploit the form of typical reduction strategies:










typical space reduction


states explored

size of the system

typical time reduction


runtime

size of the system

will we have the same in Maude?

Full symmetries in Maude [D.Rodriguez@WRLA'08]

will we have the same in Maude?

Q1. Overhead of meta-level based c-reductions?

Q2. Similar performance gains as model checkers?

Q3. Performance for c-reductions not based

on full permutations (e.g. rotations)?

Q1. meta-level vs ad-hoc?runtime

(seconds)

size of the system

(instance parameter)

1 2 3 4 5 6 7 80

10

20

30

40

50

60

70

80

90

meta-level

ad-hoc

2 3 4

-1

-0.5

0

0.5

1

1.5

2

Q2. Maude vs SymmSPIN?

relative time reduction factor

no reductionsymmSPINstrong c-reductionweak c-reduction

size of the system


Q3. space reduction in dining philosophers?

~ ~

Dining philosophers (rotational symmetries)

= philosopher eating

= philosopher resting

~

Dining philosophers (msg. id's)

3 4 4 31 2

~

~msg id abstraction

msg id

permutation

msg id reuse

Q3. space reduction in dining philosophers

2 3 4 5 6 7 8 90

100000

200000

300000

400000

500000

600000

states explored

msg id reusemsg abstractionmsg id reuse & permutationsmsg abstraction + philosopher rotation

size of the system


Q3. time reduction in dining philosophers

7 8 9

states explored

size of the system


msg reuse&permutationmsg abstractionmsg abstraction + philosopher rotation

Q1. Overhead of meta-level based c-reductions?

✔ Significant improvement

when not resorting to the meta-level.

Q2.Performance against model checkers?

✔ Similar in space reduction;

✔ Comparable time reduction.

Q3. Performance for c-reductions not based

on full permutations (e.g. Rotations)?

✔ Significant space gains in rotational.

conclusion










Related work (Maude)

Full symmetries in Maude [D.Rodriguez@WRLA'08]

✔ Full object permutations, meta-representation order;

✭ More symmetries and examples, no meta-representation order, verification methodology.

Equational abstractions [Palomino et al.@JLAP'10]

✔ Identify states to reduce state space;

✭ Bisimulation, reduction application control.

mailto:D.Rodriguez@WRLA

Related work (ii) SymmSPIN et al. [Bosnacki et al.@SPIN'01]

✔ Heuristics for canonizers;

✭ No extension needed, object references allowed, formal checks;

Groove [Rensink@GRABATS'06]

✔ Up-to-isomorphism GTS;

✭ Programmable reductions, not just iso.

HD-automata [Montanari et al.@TCS'05]

✔ Name reuse techniques;

✭ On-the-fly reduction, algebraic state structure.

mailto:Rensink@GRABATS

Current and Future Work Better integration in Maude

Conciliate with other state space reduction techniques (equational abstractions, partial order reduction);

Tool support and its integration in MFE.

Beyond group theoretic symmetries

Abstractions that yield bisimulations?

Exploit axiomatisations of bisimulation for process algebras?

Beyond bisimulation

Weak bisimulation?

Trace equivalence (for LTL)?

http://sysma.lab.imtlucca.it/tools/c-reducer/

thanks!

[email protected]/in/albertolluch

mailto:[email protected]

http://linkedin.com/in/albertolluch

Technology

State Space c-Reductions of Concurrent Systems in Rewriting Logic @ ETAPS Workshop WRLA 2013