Partial Order Reduction

1
Partial Order Reduction
2
Basic idea
P1
P2
P3
a1
a2
a3
a1
a2
a3
a1
a1
a3
a3
a2
a2
a1
a2
a3
3 independent processes
23 states
Can we do better?
3
Basic idea
P1
P2
P3
a1
a1
a2
a3
a2
a3
3 independent processes
4 representative states
4
Transitions

• A transition can be thought of as a guarded
  command (as in Murphi)
• Program is a finite set of transitions ?i
• g(x) gt x a(x)
• ?i is enabled if g(x) is true
• Result of executing the command is ?i(x)

5
Depth-first search

• expand_state(s)
• ForEach ??i in enabled(s) do
• s ?i(s)
• if s not in Table then
• set on_stack(s)
• insert s in Table
• expand_state(s)
• set completed(s)

6
Search w/ Ample Sets

• expand_state(s)
• ForEach ??i in ample(s) do -- subset of
  enabled
• s ?(s)
• if s not in Table then
• set on_stack(s)
• insert s in Table
• expand_state(s)
• set completed(s)

7
Independent transitions

• A binary relation on transitions I is called an
  independence relation if, whenever (?, ?) in I,
  for every state s, two conditions are met
• If ? is enabled in s, then ? enabled in ?(s) (and
  vice versa)
• If ?, ? in enabled(s) then ?(?(s)) ?(?(s))
• Note there are many independence relations.
• D is a dependence relation if it is the
  complement of an independence relation.

8
Invisible Transitions

• Assume every state s has a set of labels, L(s)
• L(s) ? AP, where AP is a set of propositional
  symbols (p, q, r)
• Assume there is a subset AP of AP called the
  visible symbols
• These are the propositional symbols appearing in
  the property to be proved.
• A transition alpha is invisible if, whenever
  s?(s), we have L(s) ? AP L(s) ? AP
• Intuition no visible change resulting from
  executing ?.

9
Stuttering

• Two sequences are stuttering equivalent if the
  only difference between them is the number of
  sequential repetitions of states with identical
  visible symbols.
• Two state graphs are stuttering equivalent if
  every path in one is stuttering equivalent to
  some path in the other
• A property is stuttering invariant if it holds
  equally on all stuttering equivalent paths.
• All linear temporal logic formulas are stuttering
  invariant if they do not include the next time
  operator forward reference (stuttering is
  relative to symbols in property)
• All invariants and deadlock are stuttering
  invariant.

10
Conditions on Ample Sets

• C0 ample(s) ? iff enabled(s) ?
• C1 For every path starting with s in the full
  state graph, some transition in ample(s) must be
  executed before every transition that is
  dependent on a transition in ample(s)
• C2 If ample(s) ?? enabled(s), then every
  transition in ample(s) is invisible.
• C3 If ? is enabled in some state on a cycle in
  the reduced state graph, ? must appear in
  ample(s) for some state in the cycle.

11
Rationale for C1 C2
? in ample(s) ?1, ?2, ?3 not in ample(s)
But this path, which is stuttering
equivalent, is preserved.
s
?1
?
This path is omitted
?2
?1
?
?3
?
?2
?3
?
C1 ?1, ?2, ?3 are all independent of ?, so they
commute.
C2 ? is invisible, so blue path is
stuttering equivalent to the one that was omitted.
12
Rationale for C3
P1
P2
Reduced graph
p
s1
s1
p
ample(s1) ?1 ample(s2) ?2 ample(s3) ?3
?1
?1
?3
?
p
p
s3
s2
q
s2
?2
?2
s3
2 independent processes
? never appears in the reduced graph. We could
falsely verify the property ?q. This is
sometimes called the ignoring problem
13
(No Transcript)
14
Practical conditions

• Exact conditions C0 - C3 are too difficult to
  check
• Basically require generation of full state graph,
  which defeats the purpose of the optimization
• However, ample sets can be more or less accurate.
• By sacrificing some accuracy, we can make them
  easier to check
• Limit case ample(s) enabled(s) for all states
  s.
• Goal is to check by syntactic analysis of program
  source.

15
Practical conditions

• C3 If ? is enabled in some state on a cycle in
  the reduced state graph, ? must appear in
  ample(s) for some state in the cycle.
• C3 ensure ample(s) enabled(s) for some state
  in every cycle in the reduced graph.
• C2 implies that if ? does not appear in
  ample(s), ? is independent of everything in
  ample(s)
• C3 implies C3 Suppose C3 satisfied, and let ?
  be an enabled transition in some state s in the
  cycle. If ? is not in ample(s), it will be
  enabled in the next state, etc. (this fact is
  easy to prove from the definition of ample). So
  it will stay enabled until the point when it
  appears in an ample set.
• Implementation If state s has a successor that
  is on the stack, choose ample(s) enabled(s).
  There is a back edge.

16
Practical conditions for C1

• Assume we have finite number of processes
• Each process has a variable PCi reresenting the
  program counter (current statement label).
• Each transition belongs to one process
• currenti(s) set of transitions enabled when
  process i is in a state with same PC value as s
• Dependency
• Transitions within same process are assumed to be
  all dependent
• Transitions are dependent if they access same
  shared variable.
• Transition are dependent if both read or write
  same queue.

17
To find an ample set at state s

• guess that it is set of transitions from process
  i that are enabled in s.
• Check whether it really is ample
• No, if there is an enabled dependent transition
  from another process at state s
• Otherwise, there is a transition of Pi that is
• Not enabled in s
• But is enabled at some s with same PCi value as
  s.
• Some other process enables the transition (e.g.,
  via a queue or shared variable).
• Previous two conditions can be checked easily