State Space Reduction for Reachability Graph of CSM Automata
1 State Space Reduction For Reachability Graph of CSM Automata by Wiktor B. Daszczuk Institute of Computer Science Warsaw University of Technology Research Report No 10/2000
Nowowiejska Str. 15/19, 00-665 Warsaw, Poland
Summary Classical CTL temporal logics are built over systems with interleaving model concurrency. Many attempts are made to fight a state space explosion problem (for instance, compositional model checking). There are some methods of reduction of a state space based on independence of actions. However, in CSM model, which is based on coincidences rather than on interleaving, independence of actions cannot be defined. Therefore a state space reduction basing on identical temporal consequences rather than on independence of action is proposed. The new reduction is not as good as for interleaving systems, because all successors of a state (in depth of two levels) must be obtained before a reduction may be applied. This leads to reduction of space required for representation of a state space, but not in time of state space construction. Yet much savings may occur in regular state spaces for CSM systems. Warsaw, June 2000 [email protected] I. Introduction
For efficient evaluation of temporal formulas in CTL temporal logic [BenA83, Bose90, Burc90, Clar86, Clar89, Clar92, Lamp83, Mann81, Mann84, Pnue77, Pnue85, Wolp86], an algorithm of finding smallest or largest fixed point of special functional over a reachability graph of a system is often applied [McMi92]. If a ROBDD (Reduced Ordered Binary Decision Diagrams) representation is used [Brya86], it is called a symbolic model checking [McMi92]. Every component of a system is assigned an arbitrary set of boolean variables (for example, {x , x } for a component having 3 or 4 states), and every state of a component is represented as a boolean function over this set ( x x , for example). States of state space are simply conjunctions of functions representing states of components. If a state s of components c has a representation x x , and a state r of component c has a representation y y , then a state being a superposition of these two states (s ,r ) in state space of the two-component system has a boolean function (x x ) (y y ) as a representation. ROBDD representation allows to represent large state spaces in compact form, in general consuming much less memory than exact representation [McMi92]. Moreover, the algorithms of evaluation of temporal formulas using ROBDD are very simple and efficient, because they exploit the feature that sets of states and set operations like union or intersection are represented naturally as boolean functions [Dasz00b]. set is represented as disjunction of functions representing its elements; union is represented as disjunction of functions representing its arguments; intersection is represented as conjunction of functions representing its arguments; complement is represented as negation of function representing its argument. Although a ROBDD representation is very compact and efficient, it is sometimes still too large to be stored in computer memory and to evaluate temporal formulas on it. Therefore, many attempts were made to obtain a reduced state space for temporal verification. All of them work on interleaving models of computations. In the paper a new algorithm is presented for CSM systems [Mieś92a, Mieś92b, Mieś94], which is constructed over coincidences of action rather than on interleaving. In section II, a system of CSM automata is presented together with its state space – Reachability Graph [Mieś92b]. In section III a QsCTL temporal logic is constructed over Reachability Graph of CSM automata. In section IV, an invisibility of actions is defined, which is required for reduction. Section V contains the reduction rule in CSM. For the purpose of the reduction, some additional atomic formulas must be added to the basic set. The principle of acquiring a complete set of atomic boolean formulas is presented in section VI. A proof of correctness of the reduction rule is given in section VII. A shape of reachability graph after reductions applied is described in section VII. Section IX contains an algorithm of reduction. Time complexity of the algorithm is analyzed in section X. Conclusions are presented in section XI. II.
Reachability Graph of a system of CSM automata.
A system of CSM automata is presented in [Mieś92a, Mieś92b, Mieś94]. The general features of CSM automata are: every component automaton has exactly one initial state; component automata are Moore-like (signals are generated in states); 3 arcs are labeled with boolean formulas over input alphabet (if formula is fulfilled, the arc may be followed, for example if signal q is active then the formula q p m is fulfilled); arcs leading form a state to the same state are allowed (they are called ears ); automata are complete, i.e. the disjunction of all formulas on arcs leading out of a given state equals true ; signals (letters of input alphabet) come from output of automata and from external world; input and output alphabets are not disjoint (an automaton generates signals for himself of for other automata); special symbols denote the formulas: -always true (an arc may be always followed), -always false (a lack of arc); if more than one formula is fulfilled on arcs leading out of a given state – the transitions is chosen in non-deterministic way; all automata in a system perform always one transition synchronously in a lock-step manner (no external clock is required) The state space of a system of CSM automata, called Reachability Graph (RG), is obtained as presented in Fig. 1. States of RG are superpositions of states of component automata. Arcs between states are obtained as products of arcs of component automata, i.e. formula on arc of RG is a conjunction of formulas on arcs in component automata (letters on arcs in Fig. 1. represent boolean formulas rather than single letters of input alphabet). Fig. 1. A product of CSM Automata - RG
4 A set of signals generated in a state of RG is a unions of sets of signals generated in states of components automata. For simplicity, output signals generated in states are omit in Fig. 1. If the state generate signals p,q , and state generates signals q,m , then the state of RG generates signals p,q,m . The complete algorithm of obtaining RG from component CSM automata is given in [Mieś92b]. III.
The Temporal Logic
The QsCTL temporal logic constructed over RG is as follows: The set of states of Kripke Structure is simply a set of states of Reachability Graph of CSM automata. The succession relation is simply a set of arcs of RG (excluding ears leading out of non-terminal states, therefore a graph is denoted RG —@ ). The initial state is an initial state of RG. The set of atomic boolean formulas is: a signal being generated in states of RG (denoted as a name of the signal), staying in a given state of RG (denoted in s ), staying in one of a set S of states of RG (denoted in S ), staying in a state s of RG having a as projection on a component automaton a given state s a . A set of atomic boolean formulas true in a given state s is denoted (s) . The modalities used in the temporal logic are following: - always (often denoted AG ), - eventually (often denoted AF ), ○ - next (often denoted AX ), U - until (weak until, often denoted AU w ), ○ a - next in automaton a , true by definition in a state having a as projection on an automaton a a terminal state. Additionally, a quantified formulas of a form Q s S; s: ( Q is or ) are allowed. Such formulas are not allowed when using classical algorithm of evaluation. In classical algorithm, an evaluation is performed bottom-up (sets of states where atomic formulas are fulfilled are evaluated first, and then embracing formulas). The formula in s , where s is a state variable passing through a scope of a quantifier, cannot be evaluated [Dasz00a]. Checking in spheres (see section V) is performed top-down and therefore quantified formulas may be evaluated. For definition of QsCTL temporal logic for systems of CSM automata see [Dasz]. IV.
Invisibility of states
The obtaining of RG —@ for a set of CSM automata in general leads to the explosion of states (a Cartesian product of all states of component automata in worst case). The manner of reduction of a state space proposed for interleaving system in [Gert99] cannot be applied to CSM systems, because no pair of states in component automata can be expected to be 5 independent for sure. For example, an automaton may omit an action if it is informed (via signal) that another automaton has performed the action in past. Instead, I propose a reduction that is based on deleting arcs if it does not change temporal consequences. More precisely, the reduction is based on deleting invisible arcs (see later for definition 1 of invisibility) from RG —@ . If an arc leading from s i to s j , then every pair of arcs: first leading from s i to s j and the arc leading from s i to s j and second leading from s j to one of its successors s k1 , ..., s km (Fig. 2) is replaced by single arc leading directly from s i to the successor of s j (Fig. 3). Let us define the invisibility of an arc. Definition 1.
An arc leading from s i to its successor s j is invisible , according to a given set of atomic propositions , if every proposition belonging to has the same boolean value in s i and in s j ( is true in both states or is false in both states): (s i ) = (s j ) , ~ (s i ) =~ (s j ) . V. Reduction rule
First a reduction of a single state in RG —@ will be defined. The principle of reduction is following: Reduction rule.
In a given RG —@ , if the arc x is leading from s i to s j is invisible according to a given set of atomic propositions , and the state s j has successors s k1 … s km , with arcs x leading from s j to s k1 , x from s j to s k2 , … x m from s j to s km , then the RG —@ may be reduced by replacing subset of arcs x , x , …, x m by subset of arcs y , …, y m , where y leads directly from s i to s k1 , y from s i to s k2 , …, y m from s i to s km . The reduction may be applied to every arc x p , p=1..m individually, i.e. it is possible that for some p the reduction is applied and for some n , n p the reduction is not applied. The state s j is preserved in RG —@ is the latter case. After reduction, a state s j disappears from paths going through states s k1 .. s km , for which a reduction was applied. State s j will be called skipped on these paths. The reduction may be applied under certain conditions: Fig. 3. A fragment of RG -@ after reduction s i s k1 s k2 s k3 s n Fig. 2. A fragment of RG --@ before reduction s i s j s k1 s k2 s k3 s n Reduction restrictions. i. if s i = s j (an ear), the reduction cannot be applied; ii. if s j = s k1 , m=1 (an ear), the reduction cannot be applied; iii. if there is a state s kn = s i , then the reduction cannot be applied to the arc x n , therefore the arcs x and x n are preserved (to prevent creating new ear), yet still other arcs x p , p = , p n , may be reduced to y p . ; iv. if the proposition is of a form s j : , where the state s j can be statically found, or s j belongs to a set S defining a range of a state quantifier (the set S must be statically obtained), then the reduction cannot be applied; v. there is an exception to restriction iv , when all the successors of s i are also successors of s j (Fig. 4): in this case reduction may be applied. Comment 1.
An example of a range of a quantifier that cannot be statically obtained is following: s FUT(p); s: ■ FUT(p) denotes a set of states accessible form p (being a future of p [Dasz, Dasz00a]) Comment 2.
If a set defining a range of a quantifier cannot be statically obtained, no reduction can be applied (no state can be deleted from RG -@ ). VI.
Proposition set completeness
Proposition set completeness.
In some cases, specific propositions must be added to a set to guarantee that all temporal propositions over have the same boolean value in both full RG —@ and RG —@ with s j deleted (RG —@-x ): i. if the next-step operator ○ is used, it must refer to a state s that may be statically found or is a state variable running through a set S defining a range of a state quantifier (the set S must be statically obtained); in this case a proposition in s must be added to for every such state s or each element of set S ; ii. the next-step operator ○ may refer only directly to the state (it may not be nested); if the next-step operator in nested, no reduction may be applied; iii. if the next-in-automaton operator ○ a is used, and it refers to a state s that may be statically found or is a state variable running through a set S defining a range of a state quantifier (the set defining the range of the quantifier must be statically obtained), in this case a proposition in s| a must be added to for every such state s or each element of set S ; iv. if the next-in-automaton operator ○ a is used, and it refers to a state s that cannot be statically found or is a state variable running through a set S defining a range of a state quantifier, and the set S cannot be statically obtained, then a proposition in p a must be added to for every state p a of the component automaton a . Fig. 4. Illustration of reduction restriction v s i s j s k1 s k2 s k3
7 The set satisfying the above completeness conditions will be called complete and denoted c . VII.
Correctness of the reduction
Theorem 1.
If in RG —@ there is an invisible arc x leading from s i to s j , and the reduction rule holds for x over c and reduction restrictions do not have effect, then RG —@ with a reduction applied (RG —@-x ) may be used as well as RG —@ to evaluate all formulas over a c .. To prove the theorem, first we show the stuttering bisimulation between states in RG —@ and in RG —@-x . Definition 2.
Two states s and s’ in Kripke structures K and K’ , are in stuttering simulation relation [Gert99], if for every path in K starting from s there exists a path ’ in K’ starting from s’ , and every of these two paths may be split into partitions (sequences of states) B , B , … in K , B ’ , B ’ , … in K’ , such that for each h>0 , B h and B h ’ are nonempty and finite, and for every state s p in B h and every state s p ’ in B h ’ (s p1 ) c = (s p2 ’) c , ~ (s p1 ) c =~ (s p2 ’) c . States s and s’ will be called stuttering bisimilar . Proof.
As shown in [Gert99], for any pair of stuttering bisimilar states s and s’ , K,s╞ iff K’,s’╞ ( is a CTL -X formula). Indeed, every not skipped state s p in RG —@ and in RG —@-x ( K and K’ ) is stuttering bisimilar, even if skipped state s j is in future of s p in RG —@ : For every path starting from s p , not going through s j in RG —@ , the sequences of states in K and in K’ are identical (partitions contain simply single, the same state, Fig. 5). For every path starting from s p , going through s j in RG —@ (and therefore through s i ): partitions from s p to the predecessor of s i in RG —@ and in RG —@-x contain single state; partition B h containing s i consists of s i and s j (as (s i ) c = (s j ) c ), while partition B h ’ consists of s i’ only; next partitions B g and B g ’ , g > h , contain single state (Fig. 6). Fig. 5. Paths not going through s j s p’ s p ... ... B B B B B B
8 Finding stuttering bisimilar paths going through s j is easy because for every path going through s i , s j and s kn in RG —@ there is exactly one path going through s i and s kn in RG —@-x . A state s j is not stuttering bisimilar with skipped state s i’ , because if we try to take s j in RG —@ ( K ) and s i ’ in RG —@-x ( K’ ) as stuttering bisimilar: we will find a stuttering bisimilar path in RG -@-x for every path in RG —@ (partition B consists of s j only, while partition B ’ consists of s i ’ only, next partitions contain single, the same state), we will not find a stuttering bisimilar path in RG —@ for path in RG —@-x that starts from s i and has a successor of s i other than s j and s k1 , …, s km as second element (a path (s i , s n , ...) in Fig. 3; there is no arc from s j to s n in RG —@ !). This is the reason why if a formula s j : appears, no state s j can be skipped (reduction restriction iv ). Then, the exception (reduction restriction v ) is following: for every path in RG —@ starting from s j there exists a stuttering bisimilar path in RG --@-x (partition B consists of s j only, while partition B ’ consists of s i ’ only, next partitions contain single, the same state), there are not any successors of s i other than s j and s k1 , …, s km , therefore the previous case is the only one (see Fig. 4). ■ VIII.
Reduced reachability graph
The reduction rule lets reduce graphs of a shape “rhombus with diameter” to the diameter only (arc (s i , s k1 ) in Fig. 7). It is because the CSM model is based on coincidences, not on interleaving. In interleaving models, no “diameter” (s i , s k1 ) exists in cases like in Fig. 7, and the reduced graph consists of a pair of arcs: either ((s i ,s j1 ), (s j1 ,s k1 )) or ((s i ,s j2 ), (s j2 ,s k1 )) . As the correspondence between states in RG —@ and in RG —@-x is symmetric, the relation is stuttering bisimulation [Gert99]. For every pair of stuttering bisimilar states s and s’ it holds that RG —@ ,s ╞ iff RG —@-x ,s’ ╞ (we showed that s cannot be skipped). The next-step operators ( ○ and ○ a ) may be used in formulas , because the operators never refer to reduced states or their predecessors (because of atomic formulas of type in s included in c ). After reduction of x , next invisible arcs may be reduced from RG —@ . We will name a reduced reachability graph (RRG) a RG —@ in which a Fig. 6. Paths going through s j s i ... ... B f B f’ B h B g B h’ B g’ ... s j s i ’ ... Fig. 7. Reduction of “rhombus with diameter” s i s j1 s k1 s j2 s i s k1
9 number of reductions are applied. A minimal
RRG (MRRG) will be a graph in which no further reduction can be applied. MRRG has not a canonical form – it may depend on an order in which candidates for reduction are taken. As the next-step operator ○ may be used in formulas over (but states, to which the operator refers, cannot be skipped), and because there is no assumption on the independence of actions, the scope of sets of atomic propositions is much wider than in [Gert99]. The RRG is smaller of reduced arcs (‘ x ’) and skipped states (‘ s j ’). IX.
The algorithm
Basing on the reduction principle presented above, an algorithm of reduction may be proposed. Three additional assumptions should be taken to construct the algorithm: a)
In a situation similar to illustrated in Fig. 8, attempts to apply the reduction may be done infinitely in a cycle in RG —@ . First s l1 is skipped, then s l2 , s l3 , s l4 and s l1 again. The solution is to finish attempts to skip the successors of s i when a cycle is identified (a state s l1 is tried to be skipped for the second time). As a result, s l4 will be chosen as a successor of s i (Fig. 9). b) In a similar situation to a previous one (circle like in Fig. 8), a searching for successors in a cycle (using the reduction rule and the above assumption (a)) will fall into a “trap”. Having the arc (s i , s l4 ) after skipping successors of s i , successors of states in a circle are searched. As a result, the following arcs are taken to reduced graph: (s l4 , s l3 ) , (s l3 , s l2 ) , (s l2 , s l1 ) , (s l1 , s l4 ) . Surprisingly, no reduction is achieved (although the graph has different shape). The result is illustrated in Fig. 9. This weakness of the reduction can be solved by a principle that if a state already taken to the resulting graph is tried to be skipped, the algorithm stops searching for next successors. Using this assumption, a graph shown in Fig. 10 will be achieved. Fig. 8. A cycle in RG —@ subject to reduction s l1 s l2 s l4 s i s l3 Fig. 9. The result of reduction with a “trap” s l4 s l3 s l1 s i s l2
10 c)
A “one-pass” algorithm does not guarantee that the reduced graph is minimal (it is RRG, not necessary MRRG). It is possible that starting from initial state of reduced graph, new reductions are possible. However, the assumption is made that the “one-pass” reduction is enough. The first version of the algorithm works on fully obtained RG —@ (off-line version): 1. Mark the initial state as preserved. 2.
Mark all states as unchecked. 3.
Get one of preserved and unchecked states. If all preserved states are checked, stop the algorithm. 4.
Find the successors of the state taken in p.3. 5.
Check which successors found in p.4 (or p.6) may be skipped. Additional constraint: if a state under check was already checked in analysis of the state taken in p.3, it cannot be skipped (this prevents infinite analysis of successors forming a circle). If nothing may be reduced, go to 8. 6.
Find the successors of states reduced in p.5. 7.
Go to 5. 8.
Mark the state taken in p.3 as checked, and not skipped successors (or successors of successors, …) as preserved. 9.
Go to 3. The on-line version of the algorithm is performed during elaboration of RG —@ . 1. Obtain the initial state, mark it as preserved. 2.
Mark the initial state as unchecked. 3.
Get one of preserved and unchecked states. If all preserved states are checked, stop the algorithm. 4.
Obtain the successors of the state taken in p.3. 5.
Check which successors obtained in p.4 (or p.6) may be skipped. Additional constraint: if a state under check was already checked in analysis of the state taken in p.3, it cannot be skipped (this prevents infinite analysis of successors forming a circle). If nothing may be reduced, go to 8. 6.
Obtain the successors of states reduced in p.5. 7.
Go to 5. 8.
Mark the state taken in p.3 as checked, and not reduced successors (or successors of successors, …) as preserved. 9.
Go to 3. While running this reduction algorithm, the reduction restriction v may be even relaxed: if more than one successor of a state are candidates to be skipped, and some of them are used in formulas s: , and every successor of s i is also a successors of at lest one candidate to be skipped, then all candidates may be reduced at once. Fig. 10. The result of reduction without a “trap” s l4 s l3 s i X. Time complexity
The time complexity of the algorithm is: For off-line version, for every state at most all arcs (successors, successors of successors, etc.) should be checked, therefore the complexity is O(N ) where N is the number of states in RG (the number of arcs is at most N ). For on-line version, every state must be taken to obtain its successors. For every taken state, at most all arcs (successors, successors of successors, …) should be checked, therefore the complexity of obtaining RRG is multiplied by O(N ), where N is the number of states in full RG. The worst-case complexity is poor, but it is achieved in case of large number of arcs in RG —@ (a graph near to a clique). Yet the reduction in such graphs may be substantial. In more “linear” graphs reduction is less (only invisible sequences generally) and the time of reduction is near to O(N). XI.
Conclusions
Although no independence of actions may be found in CSM systems, and the principle of semantics of CSM is coincidence of actions rather than interleaving, a reduction rule was found and an efficient reduction algorithm was proposed. The weak point of the rule is that all successors of a state and successors of successors (two arcs depth) must be evaluated before reduction (while the algorithm proposed in [Gert99] may choose preserved arcs not evaluating all arcs in some cases). Therefore, not savings may be acquired in time of obtaining reduced RG. But saving in space required for storing state space may be substantial. The advantage of proposed reduction rule is that it may be used even when a next-step operator ○ is used. Also, because of natural “diameters” in state space (coincidences), the reduction ratio (number of states and arcs in RG/ number of states and arcs in RG —@ ) may be greater than for interleaving systems. References [BenA83] Ben-Ari M., Pnueli A., Manna z., “The Temporal Logic of Branching Time”,
Acta Informatica , 20(3), pp. 207-226 [Bose90] Bose s., Fisher A. L., 1990, Automatic Verification of Synchronous Circuits Using Symbolic Simulation and Temporal Logic”, in
Proc. of the IFIP International Workshop on Applied Formal Methods for VLSI Design , Leuven, Belgium, 1989, L.J.M. Larsen (ed.), North-Holland, Amsterdam, 1990, pp. 759-764 [Brya86] Bryant R. E., 1986, “Graph-based algorithms for Boolean Function Manipulation”,
IEEE Transactions on Computers , C-35 (8), August 1986, pp. 677-691 [Burc90] Burch J., Clarke E. M., McMillan K. L., Dill D. L., 1990, “Sequential Circuit Verification Using Symbolic Model Checking”, in
Proc. of the 27 th ACM/IEEE Design Automation Conference , IEEE Computer Society press, Los Alamitos, CA, June 1990, pp. 46-51 [Clar86] Clarke E. M., Emerson E. A., Sistla A. P., 1986, Automatic Verification of Finite State Concurrent Systems Using Temporal Logic Specifications”,
ACM Transactions on Programming Languages and Systems , 8(2) (April 1986), pp. 244-263 [Clar89] Clarke E. M., Long D. E., McMillan K. L., “Compositional Model Checking”, in
Proc. of the Fourth Annual Symposium on Logic in Computer Science , IEEE Computer Society Press, Washington D.C., June 1989, pp. 353-361 [Clar92] Clarke E. M., Grumberg O., Long D. E., 1992, “Model Checking and Abstraction”, in
Proc. of the 19 th Annual ACM Symposium on Principles of Programming Languages , ACM, New York, January 1992 [Dasz] Daszczuk W. B., “
Verification Of Temporal Properties In Concurrent Systems ”, PhD thesis (in preparation), Institute of Computer Science, Warsaw University of Technology [Dasz00a] Daszczuk W. B., 2000, “Evaluation of Temporal Formulas Based on ‘Checking in Spheres’ Algorithm”,
Institute of Computer Science, WUT, ICS Research Report
No 8/2000 [Dasz00b] Daszczuk W. B., 2000, “Evaluation of Temporal Formulas Based on ‘Checking in Spheres’ Algorithm Using ROBDD Representation”,
Institute of Computer Science, WUT, ICS Research Report
No 9/2000 [Gert99] Gerth R., Kuiper R., Peled D., Penczek W., 1999, “A Partial Order Approach to Branching Time Logic Model Checking”,
Information and Computation , Vo. 150, No. 2 (1999), pp. 132-152 [Lamp83] Lamport L. 1983, “What Good Is Temporal Logis ?”, in
Proc. of the IFIP Cogress on Information Processing , R.E.A. Mason (ed.), North-Holland Amsterdam, 1983, pp. 657-667 [Mann81] Manna Z., Pnueli A., “Verification of Concurrent Programs: Temporal Proof Principles”, in
Proc. of the Workshop on Logics of Programs , Lecture Notes in Computer Science vol. 193, Springer-Verlag, New York, 1981, pp. 200-252 [Mann84] Manna Z., Wolper P., “Synthesis of Communicating Processes from Temporal Logic Specification”,
ACM Transactions on Programming Languages and Systems , 6(1984), pp. 68-93 [McMi92] McMillan K. L., 1992, “
Symbolic Model Checking, An Approach to the State Explosion Problem ”. PhD thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, 1992 [Mieś92a] Mieścicki J., 1992, “On the behavior of a system of concurrent automata”,
Institute of Computer Science, WUT, ICS Research Report
No 20/92 [Mieś92b] Mieścicki J., 1992, “Concurrent system of communicating machines”,
Institute of Computer Science, WUT, ICS Research Report
No 35/92 [Mieś94] Mieścicki J., 1994, “Boolean Formulas and the Families of Sets”,
Bull. Polish Ac. of Sc., Sci. Tech , vol. 42, No 1 [Pnue77] Pnueli P., 1977, “The Temporal Logic of Programs”, in