180 likes | 354 Views
Partial Order Reduction. Basic idea. P 1. P 2. P 3. a 1. a 2. a 3. a 1. a 2. a 3. a 1. a 1. a 3. a 3. a 2. a 2. a 1. a 2. 3 independent processes. a 3. 2 3 states. Can we do better?. Basic idea. P 1. P 2. P 3. a 1. a 1. a 2. a 3. a 2. 3 independent processes. a 3.
E N D
Basic idea P1 P2 P3 a1 a2 a3 a1 a2 a3 a1 a1 a3 a3 a2 a2 a1 a2 3 independent processes a3 23states Can we do better?
Basic idea P1 P2 P3 a1 a1 a2 a3 a2 3 independent processes a3 4 representative states
Transitions • A “transition” can be thought of as a guarded command (as in Murphi) • Program is a finite set of transitions i • g(x) ==> x := a(x) • i is enabled if g(x) is true • Result of executing the command is i(x)
Depth-first search expand_state(s): ForEach iin enabled(s) do s’:= i(s); if s’ not in Table then set on_stack(s’); insert s’ in Table; expand_state(s’); set completed(s);
Search w/ Ample Sets expand_state(s): ForEach iin ample(s) do -- subset of enabled s’:= (s); if s’ not in Table then set on_stack(s’); insert s’ in Table; expand_state(s’); set completed(s);
Independent transitions • A binary relation on transitions I is called an independence relation if, whenever (, ) in I, for every state s, two conditions are met: • If is enabled in s, then enabled in (s) (and vice versa) • If , in enabled(s) then ((s)) = ((s)) • Note: there are many independence relations. • D is a dependence relation if it is the complement of an independence relation.
Invisible Transitions • Assume every state s has a set of labels, L(s) • L(s) AP, where AP is a set of propositional symbols (p, q, r) • Assume there is a subset AP’ of AP called the visible symbols • These are the propositional symbols appearing in the property to be proved. • A transition alpha is invisible if, whenever s’=(s), we have L(s) AP’ = L(s’) AP • Intuition: no visible change resulting from executing .
“Stuttering” • Two sequences are stuttering equivalent if the only difference between them is the number of sequential repetitions of states with identical visible symbols. • Two state graphs are stuttering equivalent if every path in one is stuttering equivalent to some path in the other • A property is stuttering invariant if it holds equally on all stuttering equivalent paths. • All linear temporal logic formulas are stuttering invariant if they do not include the “next time” operator [forward reference] (stuttering is relative to symbols in property) • All invariants and deadlock are stuttering invariant.
Conditions on Ample Sets • C0: ample(s) = iff enabled(s) = • C1: For every path starting with s in the full state graph, some transition in ample(s) must be executed before every transition that is dependent on a transition in ample(s) • C2: If ample(s) enabled(s), then every transition in ample(s) is invisible. • C3: If is enabled in some state on a cycle in the reduced state graph, must appear in ample(s) for some state in the cycle.
Rationale for C1 & C2 in ample(s); 1, 2, 3 not in ample(s) But this path, which is stuttering equivalent, is preserved. s 1 This path is omitted 2 1 3 2 3 C1: 1, 2, 3 are all independent of , so they commute. C2: is invisible, so blue path is stuttering equivalent to the one that was omitted.
Rationale for C3 P1 P2 Reduced graph p s1 p s1 ample(s1) = {1} ample(s2) = {2} ample(s3) = {3} 1 3 1 p p q s3 s2 s2 2 2 s3 2 independent processes never appears in the reduced graph. We could falsely verify the property “q”. This is sometimes called the “ignoring problem”
Practical conditions • Exact conditions C0 - C3 are too difficult to check • Basically require generation of full state graph, which defeats the purpose of the optimization • However, ample sets can be more or less accurate. • By sacrificing some accuracy, we can make them easier to check • Limit case: ample(s) = enabled(s) for all states s. • Goal is to check by syntactic analysis of program source.
Practical conditions • C3: If is enabled in some state on a cycle in the reduced state graph, must appear in ample(s) for some state in the cycle. • C3’: ensure ample(s) = enabled(s) for some state in every cycle in the reduced graph. • C2 implies that if does not appear in ample(s’), is independent of everything in ample(s’) • C3’ implies C3: Suppose C3’ satisfied, and let be an enabled transition in some state s’ in the cycle. If is not in ample(s’), it will be enabled in the next state, etc. (this fact is easy to prove from the definition of ample). So it will stay enabled until the point when it appears in an ample set. • Implementation: If state s has a successor that is on the stack, choose ample(s) = enabled(s). [There is a back edge.]
Practical conditions for C1 • Assume we have finite number of processes • Each process has a variable PCi reresenting the program counter (current statement label). • Each transition belongs to one process • currenti(s) – set of transitions enabled when process i is in a state with same PC value as s • Dependency • Transitions within same process are assumed to be all dependent • Transitions are dependent if they access same shared variable. • Transition are dependent if both read or write same queue.
To find an ample set at state s • guess that it is set of transitions from process i that are enabled in s. • Check whether it really is “ample” • No, if there is an enabled dependent transition from another process at state s • Otherwise, there is a transition of Pi that is • Not enabled in s • But is enabled at some s’ with same PCi value as s. • Some other process enables the transition (e.g., via a queue or shared variable). • Previous two conditions can be checked “easily”