Symmetry
Chapter 14 from “Model Checking” by Edmund M. Clarke Jr., Orna Grumberg, and Doron A. Peled
presented by Anastasia Braginsky, March 2012
Outline
• Introduction
• Groups and Permutations
• Symmetry & Symmetry Example
• Usual representation
• Quotient Models & Quotient Models Example
• Bisimulation Correctness proof
• Model Checking with Symmetry
Symmetry
• Finite-state concurrent systems frequently contain replicated components:
  • caches,
  • bus protocols,
  • network protocols,
  • …
• Symmetry uses this fact to obtain reduced models for the system
Formal Symmetry
• The symmetry in the system implies the existence of a nontrivial permutation that preserves both
  • the state labeling
  • the transition relation
[figure: a four-state structure with states S0, S1, S2, S3]
Formal Symmetry
• This can be used to define an equivalence relation on the state space
• The quotient model is smaller than the original model and is bisimulation equivalent to that model
Group
• A group is a set G together with a binary operation ∘ on G (the group multiplication), such that:
  • Multiplication is associative: a ∘ (b ∘ c) = (a ∘ b) ∘ c
  • There is an identity element e ∈ G, such that for any element a ∈ G, e ∘ a = a ∘ e = a
  • For each element a ∈ G, there is an inverse element a⁻¹, such that a⁻¹ ∘ a = a ∘ a⁻¹ = e
Subgroup
• H is a subgroup of G if H ⊆ G and H is a group under the multiplication operation of G
• If S is a subset of a group G, then <S>, the subgroup generated by S, is the smallest subgroup of G containing every element of S
Permutation
• A permutation σ on a finite set S is a function σ : S → S that is one-to-one and onto
Permutation group
• Sym S is the set of all permutations on S
• Sym S forms a group under functional composition
• Sym S is called the full symmetric group
• A subgroup G of Sym S is called a permutation group on S
Kinds of permutations
• Two permutations σ1, σ2 are disjoint iff {i | σ1(i) ≠ i} ∩ {j | σ2(j) ≠ j} = ∅
• A permutation that maps i1 → i2, i2 → i3, …, ik-1 → ik, ik → i1 is called a cycle and is denoted by (i1 i2 … ik)
• A cycle of length two is called a transposition
[figure: two disjoint permutations σ1, σ2; a cycle; a transposition]
Permutation presentations
• Every finite permutation can be written as a composition of disjoint cycles
• Every permutation can be written as a composition of transpositions
• For example, consider S = {1,2,3,4,5} and the permutation σ given by 1 → 3, 2 → 4, 3 → 1, 4 → 5, 5 → 2
• σ can be written as
  • a composition of disjoint cycles: (1 3) ∘ (2 4 5)
  • a composition of transpositions: (1 3) ∘ (2 5) ∘ (2 4)
• The subgroup of Sym S generated by the two permutations (1 3) and (2 4 5): { e, (1 3), (2 4 5), (2 5 4), (1 3)(2 4 5), (1 3)(2 5 4) }
[figure: σ drawn as a mapping between two copies of 1 2 3 4 5]
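An added example (not from the book or the slides) that carries the permutation machinery of the last two slides through in Python: composition, disjoint-cycle decomposition, the disjointness test, and the subgroup generated by (1 3) and (2 4 5) on S = {1,…,5}. Permutations are plain dicts, and f ∘ g applies g first, as in the slide; all function names are this example's own.

```python
def compose(*perms):
    # (f ∘ g)(x) = f(g(x)): the rightmost permutation is applied first
    def image(x):
        for p in reversed(perms):
            x = p[x]
        return x
    return {x: image(x) for x in perms[0]}

def from_cycles(domain, *cycs):
    # build a permutation of `domain` from cycle notation, e.g. (1 3) and (2 4 5)
    perm = {x: x for x in domain}
    for cyc in cycs:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            perm[a] = b
    return perm

def cycles(perm):
    # disjoint-cycle decomposition; fixed points are omitted
    seen, out = set(), []
    for start in sorted(perm):
        if start in seen or perm[start] == start:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        out.append(tuple(cyc))
    return out

def disjoint(p, q):
    # two permutations are disjoint iff they move no common element
    return not ({x for x in p if p[x] != x} & {x for x in q if q[x] != x})

def generated_subgroup(domain, generators):
    # <S>: close the identity under multiplication by the generators
    key = lambda p: tuple(sorted(p.items()))
    e = {x: x for x in domain}
    group, frontier = {key(e): e}, [e]
    while frontier:
        p = frontier.pop()
        for g in generators:
            q = compose(p, g)
            if key(q) not in group:
                group[key(q)] = q
                frontier.append(q)
    return list(group.values())

S = [1, 2, 3, 4, 5]
SIGMA = {1: 3, 2: 4, 3: 1, 4: 5, 5: 2}   # the slide's example permutation
```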
Automorphism
• Let M = (S, R, L) be a Kripke structure
• Let G be a permutation group on the state space S
• A permutation σ ∈ G is an automorphism of M iff σ preserves the transition relation R
• Formally, σ should satisfy the following: for all s1, s2 ∈ S, (s1, s2) ∈ R ⇒ (σ(s1), σ(s2)) ∈ R
[figure: a permutation σ on the states S0, S1, S2, S3 of a four-state structure and the permuted structure]
Automorphism group
• G is an automorphism group for the Kripke structure M iff every permutation σ ∈ G is an automorphism of M
• If every generator of the group G is an automorphism of M, then the group G is an automorphism group for M
Token Ring Algorithm
• One component process Q, many component processes P
• Both P and Q have the following Kripke structure:
  • States:
    • n – noncritical section (initial state for P)
    • t – has the token (initial state for Q)
    • c – critical section
[figure: transitions n → t on r (receive token), t → c, and c → n on s (send token)]
Composition Q||P
[figure: the four states of Q||P and their transitions: (t,n) → (c,n); (c,n) → (n,t) "Q sends token, P receives token"; (n,t) → (n,c); (n,c) → (t,n) "P sends token, Q receives token"]
Duplicate process P, i times
[figure: the states (t,n,…,n), (c,n,…,n), (n,t,…,n), (n,c,…,n), … of Q||P1||…||Pi, with the transitions labelled "Q sends token, P1 receives token" and "P1 sends token, Q receives token"]
Back to Q||P composition
• σ is an automorphism of Q||P
[figure: σ swaps (t,n) ↔ (n,t) and (c,n) ↔ (n,c), mapping each transition of Q||P to a transition of Q||P]
Usual behavior of finite-state systems
• States are determined by the values (from domain D) of a set of state variables x1, x2, …, xn
• For example, a state of Q||P^i is an (i+1)-tuple over domain {n,t,c}
• When extracting a Kripke structure from such systems:
  • S ⊆ D^k. In the Q||P example: k=2, S = { (x1=n, x2=t), (c,n), (t,n), (n,c) }
  • R ⊆ S×S. In the Q||P example, R = { ((x1=n, x2=t), (x1=t, x2=n)), ((t,n), (n,t)), … }
  • dj ∈ L(s) ⇔ xi = dj. In the Q||P example: L((x1=n, x2=t)) = {n, t}
Usual automorphism representation
• The automorphism group is given as a group acting on the indices of the state variables
• In the Q||P example σ is the transposition (1 2)
• A permutation σ acting on the set of indices {1, 2, …, n} defines a new permutation σ' acting on states in D^n in the following manner: σ'((x1, x2, …, xn)) = (xσ(1), xσ(2), …, xσ(n))
[figure: σ = (1 2) exchanges the values of x1 and x2, so σ' maps (t,n) ↔ (n,t) and (c,n) ↔ (n,c)]
Quotient Models
• G is a permutation group acting on the set S
• s is an element of S, s ∈ S
• The orbit of s is the set θ(s) = { t | ∃σ ∈ G (σ(s) = t) }
• A representative of the orbit is denoted rep(θ(s)) ∈ θ(s)
• Intuitively, the quotient model is obtained by collapsing all the states in one orbit to a single representative state
[figure: two permutations σ1, σ2 moving states within one orbit]
Quotient Models - formally
• M = (S, R, L) is a Kripke structure
• G is an automorphism group acting on S
• The quotient structure MG = (SG, RG, LG):
  • SG = { θ(s) | s ∈ S }, the set of orbits of the states in S (groups of states)
  • RG = { (θ(s1), θ(s2)) | (s1, s2) ∈ R }
  • LG(θ(s)) = L(rep(θ(s)))
Representatives choice
• RG is independent of the chosen representatives
  • because G is an automorphism group
• However, LG is not independent of the chosen representatives
• Restrict the attention to automorphism groups that are also invariance groups
Invariance group
• G is an invariance group for an atomic proposition p iff the set of states labeled by p is closed under the permutations of G
• Formally:
  • An automorphism group G of a Kripke structure M = (S, R, L) is an invariance group for atomic proposition p iff
    ∀σ ∈ G ∀s ∈ S ( p ∈ L(s) ⇔ p ∈ L(σ(s)) )
  • p is an invariant under G
Back to example
• G = <(1 2)> is the group generated by the permutation (1 2) on indexes
• G is an automorphism group of Q||P
• The orbits induced by G are {(t,n), (n,t)} and {(c,n), (n,c)}
[figure: the four states of Q||P with σ = (1 2) mapping (t,n) ↔ (n,t) and (c,n) ↔ (n,c)]
Example’s quotient model
• Pick the states (t,n) and (c,n) as representatives
[figure: the quotient model with the two states (t,n) and (c,n) and the transitions between them]
Duplicate process P, i times
• The Kripke structure corresponding to Q||P^i has 2(i+1) reachable states
• The permutation group G = <(1 2 … i+1)> is an automorphism group for Q||P^i
• G also induces only two orbits
[figure: the 2(i+1) states (t,n,…,n), (c,n,…,n), (n,t,…,n), (n,c,…,n), … with σ = (1 2 … i+1) rotating x1, x2, …, xi+1; the result is the SAME QUOTIENT MODEL as for Q||P]
Explicit and quotient models are equivalent
• We want to prove that:
  • if a temporal specification f has only invariant propositions,
  • then f can be safely checked in the quotient model
Bisimulation relation
• A binary relation between state transition systems which behave in the same way, in the sense that one system simulates the other and vice versa
• An equivalence between models that strongly preserves CTL* (μ-calculus)
• If M1 and M2 are bisimilar, then for every CTL* formula φ, M1 ⊨ φ ⇔ M2 ⊨ φ
Bisimulation Relation - formally
• Let M=(S,R,L) and M’=(S’,R’,L’) be two structures with the same set of atomic propositions AP. A relation B ⊆ S×S’ is a bisimulation relation between M and M’ iff
• for all s and s’, if B(s,s’) then the following holds:
  • L(s) = L’(s’)
  • for every s1 such that R(s,s1) there is s’1 such that R’(s’,s’1) and B(s1,s’1)
  • for every s’1 such that R’(s’,s’1) there is s1 such that R(s,s1) and B(s1,s’1)
[figure: bisimulation example relating states a, b of one structure to a’, b’ of the other]
Lemma
• Let M=(S,R,L) be a Kripke structure with AP as the set of atomic propositions
• Let G be an invariance group for all propositions in AP
• Let MG be the quotient model for M
• Let B ⊆ S×SG be the relation defined by: for every s ∈ S, B(s,θ(s))
• Then B is a bisimulation relation between M and MG
Proof - 1
• First let’s show that L(s) = LG(θ(s))
• By definition of MG: LG(θ(s)) = L(rep(θ(s)))
• rep(θ(s)) ∈ θ(s) ⇒ there is a permutation σ ∈ G such that σ(s) = rep(θ(s))
• G is an invariance group for all propositions in AP ⇒ for all p ∈ AP, ( p ∈ L(s) ⇔ p ∈ L(rep(θ(s))) )
• Thus: L(s) = L(rep(θ(s))) = LG(θ(s))
Proof - 2
• Consider a relation (s,t) ∈ R
• By definition of RG: (θ(s), θ(t)) ∈ RG
• By definition of B: (t, θ(t)) ∈ B
[figure: B relates s to θ(s) and t to θ(t)]
Proof - 3
• Consider a relation (θ(s), θ(t)) ∈ RG
• By definition of θ there must be some rep(θ(t)) ∈ θ(t)
• Let’s denote rep(θ(t)) as t; we need to prove that (s,t) ∈ R and B(t, θ(t))
• By definition of RG there must be some s1 and t1 such that s1 ∈ θ(s), t1 ∈ θ(t), and (s1,t1) ∈ R
• s1 ∈ θ(s), t1 ∈ θ(t) ⇒ ∃σ1 ∈ G, ∃σ2 ∈ G: σ1(s) = s1, σ2(t) = t1
• G is an automorphism group ⇒ (s1,t1) ∈ R ⇒ (s,t) ∈ R
[figure: B relates s to θ(s) and t to θ(t)]
It can also be proven that
• If B is a bisimulation and B(s,s’), then for every CTL* formula f, s ⊨ f ⇔ s’ ⊨ f
Corollary
• Let M be a structure defined over AP and let G be an invariance group for AP
• Then for every s ∈ S and every CTL* formula f defined over AP: M,s ⊨ f ⇔ MG,θ(s) ⊨ f
Theorem
• Let M=(S,R,L) be a Kripke structure
• Let G be an automorphism group of M
• Let f be a CTL* formula
• If G is an invariance group for all the atomic propositions p occurring in f
• Then M,s ⊨ f ⇔ MG,θ(s) ⊨ f
Proof (some definitions)
• M is defined over AP and f is defined over AP’ ⊆ AP
• The restriction of M to AP’ is the structure M’=(S,R,L’) that is identical to M, except that for s ∈ S, L’(s) = L(s) ∩ AP’
• For every CTL* formula f defined over AP’ and for every s ∈ S: M,s ⊨ f ⇔ M’,s ⊨ f
Proof
• Let M’G be the quotient model of M’ induced by G
• By the definition of the quotient model, M’G is the restriction of MG to AP’
• Thus for every V ∈ SG: MG,V ⊨ f ⇔ M’G,V ⊨ f
• G is an invariance group for AP’, so the corollary applies, thus: M’,s ⊨ f ⇔ M’G,θ(s) ⊨ f
• Altogether: M,s ⊨ f ⇔ MG,θ(s) ⊨ f
Model Checking with Symmetry
• How to perform the model checking itself?
  • Compact explicit Kripke structure
  • Use OBDD
Find the reachable set of states
• How to find the set of states in an explicit Kripke structure that are reachable from the initial states?
• BFS or DFS from the set of initial states is performed
• Maintain a list of reached states and a list of unexplored states
• Assume a function ξ(q) which maps a state q to the unique state representing the orbit of q
Algorithm

    reached := ∅; unexplored := ∅;
    for all initial states s do
        append ξ(s) to reached;
        append ξ(s) to unexplored;
    end for all
    while unexplored ≠ ∅ do
        remove a state s from unexplored;
        for all successor states q of s do
            if ξ(q) is not in reached
                append ξ(q) to reached;
                append ξ(q) to unexplored;
            end if
        end for all
    end while

• It is important to compute the orbit relation efficiently
• This is at least as hard as the graph isomorphism problem, which is in NP but not known to be NP-complete
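An added example, not from the slides or the book, that builds the token ring Q||P^i of the earlier slides as an explicit state space and runs the reachability algorithm above with ξ chosen as the smallest rotation of the state tuple (a valid representative under <(1 2 … i+1)>); the names successors, rep and explore are this example's own. With ξ the identity it enumerates all 2(i+1) states; with ξ = rep it produces the two-state quotient directly, and is_automorphism checks the cyclic generator against R the way the Automorphism slide defines it.

```python
N, T, C = "n", "t", "c"   # noncritical, has the token, critical

def initial_state(i):
    # Q holds the token at start; every P_j starts in its noncritical section
    return (T,) + (N,) * i

def successors(s):
    # Ring transitions of Q||P1||...||Pi: the token holder moves t -> c, and a
    # process in c hands the token to its right neighbour (c -> n, n -> t).
    k = next(j for j, v in enumerate(s) if v != N)   # exactly one token in the ring
    nxt = list(s)
    if s[k] == T:
        nxt[k] = C
    else:
        nxt[k], nxt[(k + 1) % len(s)] = N, T
    return [tuple(nxt)]

def permute(sigma, s):
    # sigma'((x1,...,xn)) = (x_sigma(1),...,x_sigma(n)), with 0-based indices
    return tuple(s[sigma[j]] for j in range(len(s)))

def rotation(n):
    # the generator (1 2 ... n) of the slides as a 0-based index map
    return tuple((j + 1) % n for j in range(n))

def is_automorphism(sigma, states):
    # sigma preserves R iff it maps every transition onto a transition
    # (sigma' is a bijection on the finite set R, so one direction suffices)
    R = {(s, q) for s in states for q in successors(s)}
    return all((permute(sigma, s), permute(sigma, q)) in R for s, q in R)

def rep(s):
    # xi(s): orbit representative under <(1 2 ... n)>, the smallest rotation of s
    return min(s[k:] + s[:k] for k in range(len(s)))

def explore(i, xi=lambda s: s):
    # The reachability algorithm of the slide. With xi = identity it builds the
    # explicit structure, with xi = rep the quotient (S_G, R_G) directly.
    init = xi(initial_state(i))
    reached, unexplored, R_G = {init}, [init], set()
    while unexplored:
        s = unexplored.pop()
        for q in successors(s):
            r = xi(q)
            R_G.add((s, r))
            if r not in reached:
                reached.add(r)
                unexplored.append(r)
    return reached, R_G
```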
OBDD as the underlying representation
• The construction of the quotient model is more complex
• At least:
  • If R is represented by the OBDD R(v1,…,vk,v’1,…,v’k)
  • and σ is a permutation on the state variables (recall the usual representation)
  • then it is straightforward to check whether σ is an automorphism of M
    • Check R(v1,…,vk,v’1,…,v’k) == R(vσ(1),…,vσ(k),v’σ(1),…,v’σ(k))
    • R(vσ(1),…,vσ(k),v’σ(1),…,v’σ(k)) is the OBDD representing the transition relation of the permuted structure
Orbit relation
• Given a Kripke structure M=(S,R,L) and an automorphism group G on M with r generators g1, g2, …, gr
• The orbit relation Θ (where Θ(x,y) ⇔ x ∈ θ(y)) is the least fixpoint of the equation:
  Θ(x,y) = ( x=y ∨ ∃z ( Θ(x,z) ∧ ∨i y=gi(z) ) )
• Least fixpoint:
  • Start from the smallest relation, where each state is in relation with itself
  • Stop when no more iterations of applying the recursive equation add a new value
Lemma 2
• The least fixpoint of the equation Θ(x,y) = ( x=y ∨ ∃z ( Θ(x,z) ∧ ∨i y=gi(z) ) )
• is the orbit relation Θ induced by the group G generated by g1, g2, …, gr
Proof - fixpoint:
• Θ is reflexive and transitive, therefore: Θ(x,y) ⇐ ( x=y ∨ ∃z ( Θ(x,z) ∧ ∨i y=gi(z) ) )
• Θ is symmetric: Θ(x,y) ⇒ Θ(y,x)
• By the definition of the orbit relation ∃σ ∈ G such that y=σ(x)
• Let’s assume x≠y (otherwise the result is immediate)
• σ ∈ G ⇒ σ is a composition of generators, thus y = gk(g’’(…g’(x)))
• Let’s set z = g’’(…g’(x)); then gk, k≤r, and z are such that Θ(x,z) and y=gk(z), therefore: Θ(x,y) ⇒ ( x=y ∨ ∃z ( Θ(x,z) ∧ ∨i y=gi(z) ) )
Proof – least fixpoint
• We want to prove that
  • if T is any fixpoint of the equation
  • then Θ ⊆ T
• We will prove that Θ(x,y) ⇒ T(x,y)
Proof – least fixpoint – cont.
• By the definition of the orbit relation Θ(x,y) ⇒ ∃σ ∈ G such that y=σ(x)
• σ ∈ G ⇒ σ is a composition of generators, thus σ = gim ∘ … ∘ gi2 ∘ gi1, 1 ≤ ij ≤ r
• Because T is a fixpoint of the equation, it can be proved by induction that for every 1 ≤ l ≤ m, T(x, gil(…gi2(gi1(x)))) holds
• For l = m we see that T(x,y) holds
Complexity
• The size of the OBDD for the orbit relation should be bounded
• If a suitable OBDD is available, this fixpoint equation can be computed
• Having Θ, we can compute ξ : S → S (unique representative of the orbit)
• Assuming we have the OBDD representation of the mapping function ξ, the transition relation RG is:
  RG(x,y) = ∃x1 ∃y1 ( R(x1,y1) ∧ ξ(x1)=x ∧ ξ(y1)=y )
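An added example (not the book's or the slides' code) that computes the orbit relation Θ by the fixpoint iteration of Lemma 2 over an explicit state set, derives ξ and RG from it as on this slide, and then checks the earlier Lemma's claim that B(s, θ(s)) is a bisimulation between M and MG. The input is a constructed explicit ring Q||P1||P2 with the generator (1 2 3) acting directly on state tuples; orbit_relation, quotient and is_bisimulation are this example's own names.

```python
def orbit_relation(states, generators):
    # Least fixpoint of  Theta(x,y) = ( x=y or exists z ( Theta(x,z) and OR_i y=g_i(z) ) ),
    # iterated from the smallest relation, in which each state is related only to itself.
    theta = {(x, x) for x in states}
    while True:
        step = {(x, g(z)) for (x, z) in theta for g in generators}
        if step <= theta:              # nothing new: the fixpoint is reached
            return theta
        theta |= step

def quotient(states, R, L, generators):
    # S_G, R_G, L_G through xi, as on the Complexity slide:
    # R_G(x,y) = exists x1,y1 ( R(x1,y1) and xi(x1)=x and xi(y1)=y ), L_G(xi(s)) = L(xi(s))
    theta = orbit_relation(states, generators)
    xi = {x: min(y for (a, y) in theta if a == x) for x in states}   # smallest orbit member
    S_G = set(xi.values())
    R_G = {(xi[x1], xi[y1]) for (x1, y1) in R}
    L_G = {s: L[s] for s in S_G}
    return S_G, R_G, L_G, xi

def is_bisimulation(R, L, R2, L2, B):
    # The three conditions of the bisimulation definition, checked for every pair in B.
    for (s, s2) in B:
        if L[s] != L2[s2]:
            return False
        succ = {t for (a, t) in R if a == s}
        succ2 = {t2 for (a, t2) in R2 if a == s2}
        if any(all((t, t2) not in B for t2 in succ2) for t in succ):
            return False
        if any(all((t, t2) not in B for t in succ) for t2 in succ2):
            return False
    return True

# Constructed input: the ring Q||P1||P2 of the slides; each state steps to the next one.
STATES = [("t","n","n"), ("c","n","n"), ("n","t","n"), ("n","c","n"), ("n","n","t"), ("n","n","c")]
R = set(zip(STATES, STATES[1:] + STATES[:1]))
L = {s: frozenset(s) for s in STATES}       # labels: the local states that occur in s
rotate = lambda s: s[1:] + s[:1]            # the generator (1 2 3) acting on states
```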
Questions? Thank you!!