Partial Order Reduction - PowerPoint PPT Presentation

Slides: 33
Provided by: Technology9
Transcript and Presenter's Notes

1
Partial Order Reduction
2
  • Reduce size of state space to be searched
  • Exploit commutativity of concurrently executed
    transitions which result in the same state when
    executed in different orders
  • Best suited for asynchronous systems
  • Method constructs a reduced state graph (full
    state graph never constructed)
  • Behaviours of reduced state graph are a subset of
    the behaviours of full state graph
  • Behaviours not present do not add any information
  • Equivalence relation among behaviours such that
    the checked property cannot distinguish between
    equivalent behaviours
  • Method more appropriately called model checking
    using representatives: since the property cannot
    distinguish between equivalent behaviours, one
    representative per equivalence class suffices

3
  • Equivalence relation R
  • Binary relation R on a set S that is
  • Reflexive, symmetric, transitive
  • Partitions S into equivalence classes: s ~ s'
    iff (s, s') ∈ R

4
  • Method based on dependency relation among
    transitions
  • Modify definition of Kripke structure: now have
    a set T of transition relations. Note: refer to
    each α ∈ T as a transition instead of a
    transition relation
  • Have (S, T, S0, L) where each α ∈ T is a subset of
    S × S; taking R as the union of the α ∈ T gives
    rise to the usual (S, R, S0, L)

5
  • For α ∈ T, say α is enabled at state s if there
    is s' such that α(s, s') holds; otherwise say α is
    disabled at s.
  • The set of transitions enabled at s is denoted
    enabled(s)
  • α is deterministic iff for all s there is at most
    one s' such that α(s, s'). Assume every α is
    deterministic and write s' = α(s).
  • Path from state s = s0:
    σ = s0 --α0--> s1 --α1--> s2 --> ...

6
  • Interleaving imposes an arbitrary ordering
    between concurrent events
  • Many specification languages can distinguish
    between behaviours that only differ in this
    manner
  • Want to take advantage of cases where specs do
    not distinguish between such behaviours
  • State explosion due to concurrency: n transitions
    that can execute concurrently yield n! different
    orderings (sequences of events); each subset of
    transitions yields a state, so 2^n different
    states. See Fig 10.1: 3! = 6 orderings and 2^3 = 8
    states
  • If the specification does not distinguish between
    the sequences of events, it is beneficial to
    consider only 1 sequence, with n+1 states

7
(No Transcript)
8
  • Goal: reduce the number of states while
    preserving the correctness of the checked
    property
  • The reduced state graph is generated explicitly
    using the DFS reduction algorithm; then MC is
    applied
  • Reduction constructs a graph with fewer states
    and edges;
  • this speeds up the construction of the graph and
    uses less memory
  • Reduction can be applied on the fly while doing
    the MC
  • The DFS reduction algorithm can be replaced by a
    BFS reduction algorithm and combined with symbolic MC

9
  • Search starts with initial state s0 and
    proceeds recursively
  • For each s it selects a subset ample(s) of the
    enabled transitions enabled(s) (see later how to
    calculate ample(s))
  • The DFS explores only successors generated by
    ample(s) (lines 6-16)
  • A state is labelled as on_stack (lines 2 and 12)
    when it is first encountered and as completed
    (line 17) when all its successors have been
    searched. So it is marked as on_stack when it is
    on the DFS stack
10
  • When the MC algorithm is applied to the reduced
    state graph it terminates with a positive answer
    when the property holds for the full state graph
  • Question: sufficient conditions for ample(s)
  • Sufficiently many behaviours present in reduced
    state graph to give correct answer
  • The state graph must be significantly smaller
  • The overhead in calculating ample(s) must be
    sufficiently small
  • We now begin the development of the concepts that
    will allow us to reduce the state space:
    independence and invisibility

11
  • In the interleaving model, transitions that can be
    executed concurrently from some state are
    interleaved in either order; this can be
    formulated by defining an independence relation
    on pairs of transitions that can execute
    concurrently
  • Definition: an independence relation I ⊆ T × T is
    a symmetric, antireflexive relation satisfying,
    for all s and all (α, β) ∈ I:
  • Enabledness: if α, β ∈ enabled(s), then α ∈
    enabled(β(s)) (and conversely, since I is
    symmetric)
  • Commutativity: α, β ∈ enabled(s) implies
    α(β(s)) = β(α(s))
  • The dependency relation D is the complement
    of I: D = (T × T) \ I
  • Remark: each transition enables the other and
    executing independent transitions in either order
    results in the same state. See Fig 10.3. When it is
    hard to determine if transitions are independent
    of each other, assuming they are dependent
    preserves the correctness (ie, when in doubt
    default to assuming dependence and you will do
    no harm!) The definition of independence can be
    used for reduction even when 2 independent
    transitions cannot be executed in parallel (eg
    when 2 transitions of different processes
    increment a shared variable).
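The definition above can be checked mechanically for a small system by testing enabledness and commutativity at every state where both transitions are enabled. The following Python is an added example, not code from the slides or the textbook: the state space (pairs (x, y) with modular arithmetic on x) and the transition names are constructed for illustration. It includes the case the remark mentions, two processes incrementing the same shared variable, which comes out independent, and two ways a pair can fail the definition.

```python
# Constructed toy system (not taken from the slides or the textbook): a state
# is (x, y) with x, y in {0,1,2,3}; arithmetic on x is modulo 4. A transition
# is a deterministic partial function that returns the successor state, or
# None when it is disabled at s.
STATES = [(x, y) for x in range(4) for y in range(4)]

def inc_x_p0(s):                         # process 0: x := x + 1 (mod 4)
    return ((s[0] + 1) % 4, s[1])

def inc_x_p1(s):                         # process 1: x := x + 1 on the same shared x
    return ((s[0] + 1) % 4, s[1])

def dbl_x(s):                            # x := 2x (mod 4)
    return ((2 * s[0]) % 4, s[1])

def inc_y(s):                            # y := y + 1, enabled only when y < 3
    return (s[0], s[1] + 1) if s[1] < 3 else None

def set_y_max(s):                        # y := 3, enabled only when y < 3
    return (s[0], 3) if s[1] < 3 else None

TRANSITIONS = {"inc_x_p0": inc_x_p0, "inc_x_p1": inc_x_p1,
               "dbl_x": dbl_x, "inc_y": inc_y, "set_y_max": set_y_max}

def enabled(t, s):
    return t(s) is not None

def check_independence(a, b, states=STATES):
    """Return None if (a, b) satisfies the definition of independence at every
    state, otherwise a string naming the violated condition and a witness
    state. As in the definition, only states where both transitions are
    enabled are examined."""
    if a is b:
        return "antireflexive: a transition is never independent of itself"
    for s in states:
        if not (enabled(a, s) and enabled(b, s)):
            continue
        if not (enabled(a, b(s)) and enabled(b, a(s))):
            return f"enabledness violated at {s}"
        if a(b(s)) != b(a(s)):
            return f"commutativity violated at {s}: {a(b(s))} != {b(a(s))}"
    return None

def independent(a, b):
    return check_independence(a, b) is None

def dependency_relation(transitions=TRANSITIONS):
    """D = (T x T) \\ I as a set of name pairs; D is symmetric and reflexive."""
    return {(n1, n2) for n1, t1 in transitions.items()
                     for n2, t2 in transitions.items()
                     if not independent(t1, t2)}

if __name__ == "__main__":
    for n1, n2 in [("inc_x_p0", "inc_x_p1"), ("inc_x_p0", "dbl_x"), ("inc_y", "set_y_max")]:
        print(n1, n2, check_independence(TRANSITIONS[n1], TRANSITIONS[n2]))
```

`inc_x_p0` and `inc_x_p1` commute and never disable each other, so the pair is in I even though both touch the shared variable; `dbl_x` fails commutativity against an increment, and `set_y_max` disables `inc_y`, which fails the enabledness condition. Because the check enumerates every state, it is only practical for toy systems; the remark's advice to assume dependence whenever the answer is unclear is what makes cheaper syntactic approximations safe.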

12
(No Transcript)
13
  • Can we just drop one of the transitions from
    state s? No! This can result in problems
  • Problem 1: the checked property might be
    sensitive to the choice of states s1 and s2, not
    just s and r
  • Problem 2: the states s1 and s2 might have other
    successors in addition to r which may not be
    explored if either is eliminated
  • To deal with the problems we first must discuss
    invisible transitions and the related concept of
    stuttering.
  • Definition: Let L: S → 2^AP be the labeling
    function. A transition α ∈ T is invisible wrt a
    set of propositions AP' ⊆ AP if for all s, s' such
    that s' = α(s), L(s) ∩ AP' = L(s') ∩ AP', ie,
    its execution does not change the values of the
    propositional variables in AP'. A transition that
    is not invisible is visible.

14
  • Definition: Two infinite paths σ1 = s0 → s1 → ...
    and σ2 = r0 → r1 → ... are stuttering equivalent,
    denoted σ1 ~st σ2, if there are two infinite
    sequences of positive integers 0 = i0 < i1 < i2 < ...
    and 0 = j0 < j1 < j2 < ... such that for every
    k ≥ 0, the propositions true from s_ik to
    s_(i(k+1) - 1) are the same as the propositions
    true from r_jk to r_(j(k+1) - 1). Call a finite
    sequence of identically labelled states a block.
  • See Fig. 10.4

15
(No Transcript)
16
  • Definition: An LTL formula Af is invariant under
    stuttering iff for each pair of paths σ and σ'
    such that σ ~st σ', σ ⊨ f iff σ' ⊨ f.
    Denote the subset of the logic LTL without the
    next time operator as LTL_X
  • Theorem: Any LTL_X property is invariant under
    stuttering.
  • Proof: By structural induction.
  • Base step: Easy to see the property Af where f is a
    propositional formula is invariant under
    stuttering
  • Induction step: Show that if Af and Ag are
    invariant under stuttering then AG f, AF f and
    A(f U g) are invariant under stuttering.
  • Remark: it can be shown that any LTL formula
    that is invariant under stuttering can be
    expressed in LTL_X.

17
  • Two structures M and M' are stuttering equivalent
    if
  • M and M' have the same set of states
  • for each path σ from s in M there exists σ' from
    s in M' such that σ ~st σ'
  • For each path σ' from s in M' there exists σ from
    s in M such that σ ~st σ'.
  • Corollary: Let M and M' be stuttering equivalent
    structures. Then for every LTL_X formula Af and
    every initial state s0, M, s0 ⊨ Af iff M', s0 ⊨
    Af
  • Proof: Take an LTL_X formula Af such that M, s0 ⊨
    Af; then for all paths σ from s0, σ ⊨ f. Let
    σ' be a path in M' from s0. Since M and M' are
    stuttering equivalent, there is a path σ of M
    such that σ ~st σ'. Since σ ⊨ f and σ ~st σ' we
    can conclude σ' ⊨ f. Therefore for all paths σ'
    from s0 in M', σ' ⊨ f. We conclude M', s0 ⊨ Af.
    The other direction is analogous.

18
  • In Fig. 10.3, assume α is invisible. Then L(s) =
    L(s1) and L(s2) = L(r). We conclude
    s s1 r ~st s s2 r.
  • Blocks are (s s1)(r) and (s)(s2 r)
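To make the definitions of slides 14, 16 and 18 concrete, the following Python is an added example (not code from the slides or the textbook). It builds the labeling of the Fig. 10.3 diamond described just above, with α invisible and β flipping a single proposition p, compresses paths into blocks, decides stuttering equivalence, and evaluates small LTL formulas on both orderings. The labeling, state names and the convention that a finite path stands for the infinite path that repeats its last state forever are assumptions of this example.

```python
# Constructed labeling for the diamond of Fig. 10.3 as described on slide 18:
# alpha (s -> s1, s2 -> r) is invisible, so L(s) = L(s1) and L(s2) = L(r);
# beta (s -> s2, s1 -> r) makes p true.
L = {"s": frozenset(), "s1": frozenset(),
     "s2": frozenset({"p"}), "r": frozenset({"p"})}
PATH_ALPHA_BETA = ["s", "s1", "r"]   # alpha first, then beta
PATH_BETA_ALPHA = ["s", "s2", "r"]   # beta first, then alpha

def blocks(path, labeling=L):
    """Collapse each maximal run of identically labelled states into one
    block, represented by the label shared by its states."""
    out = []
    for state in path:
        if not out or out[-1] != labeling[state]:
            out.append(labeling[state])
    return out

def stuttering_equivalent(path1, path2, labeling=L):
    # A finite path stands for the infinite path that repeats its last state
    # forever (assumption of this example). Under that reading the
    # definition on slide 14 reduces to equality of the block sequences.
    return blocks(path1, labeling) == blocks(path2, labeling)

def holds(f, path, labeling=L, i=0):
    """Evaluate an LTL formula at position i of a finite path whose last
    state repeats forever. f is a proposition name or a tuple:
    ('not', g), ('X', g), ('F', g), ('G', g), ('U', g, h)."""
    n = len(path)
    if isinstance(f, str):
        return f in labeling[path[i]]
    op = f[0]
    if op == "not":
        return not holds(f[1], path, labeling, i)
    if op == "X":                        # next state; the last state stutters
        return holds(f[1], path, labeling, min(i + 1, n - 1))
    if op == "F":
        return any(holds(f[1], path, labeling, j) for j in range(i, n))
    if op == "G":
        return all(holds(f[1], path, labeling, j) for j in range(i, n))
    if op == "U":
        return any(holds(f[2], path, labeling, j)
                   and all(holds(f[1], path, labeling, k) for k in range(i, j))
                   for j in range(i, n))
    raise ValueError(f"unknown operator {op}")

def distinguishes(f, path1, path2, labeling=L):
    """True when formula f tells the two paths apart."""
    return holds(f, path1, labeling) != holds(f, path2, labeling)

if __name__ == "__main__":
    print("blocks:", blocks(PATH_ALPHA_BETA), blocks(PATH_BETA_ALPHA))
    for f in [("X", "p"), ("F", "p"), ("G", ("not", "p")), ("U", ("not", "p"), "p")]:
        print(f, "distinguishes the orderings:",
              distinguishes(f, PATH_ALPHA_BETA, PATH_BETA_ALPHA))
```

Both orderings compress to the same two blocks, so they are stuttering equivalent, and F p, G ¬p and ¬p U p agree on them, as the theorem of slide 16 predicts for LTL_X. X p does not: it is false after α (s1 still lacks p) and true after β, which is exactly why the next-time operator has to be excluded.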

19
  • Give a systematic way to select the ample sets used
    by the DFS so that for every path not considered by
    the reduced state graph there is a stuttering
    equivalent path that is considered. Reduction
    depends on the AP that appear in the LTL_X formula.
  • Say state s is fully expanded when ample(s) =
    enabled(s)
  • Conditions for selecting ample(s) to preserve
    satisfaction of an LTL_X formula:
  • C0: ample(s) = ∅ iff enabled(s) = ∅
  • C1: Along every path in the full state graph that
    starts at s the following holds: a transition
    that is dependent on a transition in ample(s)
    cannot be executed without a transition in
    ample(s) occurring first
  • C2 (Invisibility): If s is not fully expanded
    then every α ∈ ample(s) is invisible
  • C3 (Cycle): A cycle is not allowed if it contains
    a state in which some transition α is enabled but
    is never included in ample(s) for any state s on
    the cycle
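The DFS of slide 9 together with the conditions above can be run end to end on a small system. The following Python is an added example, not code from the slides or the textbook: the two-process system (program counters, local bits and one shared counter x, with x == 2 as the only atomic proposition) is constructed for illustration, and the way C1 is discharged is an assumption of this example rather than something the slides state: ample(s) is taken to be all transitions of one process at s when, syntactically, none of them conflicts with any transition of the other process, which is a local sufficient condition in the spirit of the per-process heuristics the last slide points to. C2 is checked by whether a transition writes a variable of the property, and C3 in its strengthened DFS form, no successor of the ample set on the stack.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed toy system, not taken from the slides or the textbook: two
# processes P0 and P1 with program counters pc0, pc1, local bits l0, l1 and
# a shared counter x. A state is (pc0, l0, pc1, l1, x); the only atomic
# proposition is x == 2, so a transition is visible iff it writes x.
State = Tuple[int, int, int, int, int]

@dataclass(frozen=True)
class Trans:
    name: str
    proc: int                        # owning process
    src_pc: int                      # guard: enabled iff the owner is at this pc
    reads: FrozenSet[str]
    writes: FrozenSet[str]
    apply: Callable[[State], State]  # deterministic successor function

def _set(s: State, idx: int, val: int) -> State:
    t = list(s)
    t[idx] = val
    return tuple(t)

def make_process(i: int) -> List[Trans]:
    pc, l = (0, 1) if i == 0 else (2, 3)        # tuple indices of pc_i and l_i
    own = frozenset({f"pc{i}", f"l{i}"})
    shared = own | {"x"}
    ts = [
        # a: pc 0 -> 1 and toggle the local bit (local, hence invisible)
        Trans(f"p{i}_a", i, 0, own, own, lambda s: _set(_set(s, pc, 1), l, s[l] ^ 1)),
        # b: pc 1 -> 2 (local, invisible)
        Trans(f"p{i}_b", i, 1, own, own, lambda s: _set(s, pc, 2)),
        # c: pc 2 -> 3 and x := x + 1 (writes x, hence visible)
        Trans(f"p{i}_c", i, 2, shared, shared, lambda s: _set(_set(s, pc, 3), 4, s[4] + 1)),
    ]
    if i == 0:
        # a local self-loop at pc 1, so the graph has cycles and C3 is exercised
        ts.insert(1, Trans("p0_spin", 0, 1, own, own, lambda s: _set(s, l, s[l] ^ 1)))
    return ts

TRANS: List[Trans] = make_process(0) + make_process(1)
AP_VARS = {"x"}
INIT: State = (0, 0, 0, 0, 0)

def enabled(s: State) -> List[Trans]:
    return [t for t in TRANS if s[0 if t.proc == 0 else 2] == t.src_pc]

def dependent(a: Trans, b: Trans) -> bool:
    # Conservative syntactic over-approximation of D (slide 11 says assuming
    # dependence is always safe): transitions of one process share its pc;
    # across processes any write/write or read/write conflict counts.
    return bool(a.proc == b.proc or a.writes & b.writes
                or a.writes & b.reads or a.reads & b.writes)

def invisible(t: Trans) -> bool:
    return not (t.writes & AP_VARS)

def ample(s: State, on_stack) -> List[Trans]:
    en = enabled(s)
    for i in (0, 1):
        cand = [t for t in en if t.proc == i]     # transitions of P_i enabled at s
        if not cand:
            continue
        # C1 (local sufficient check assumed by this example): every transition
        # of P_i at s is independent of every transition of the other process,
        # enabled or not. Guards are pc-only, so cand holds all of P_i's
        # transitions at its current pc and the other process cannot enable more.
        if any(dependent(t, u) for t in cand for u in TRANS if u.proc != i):
            continue
        if not all(invisible(t) for t in cand):               # C2
            continue
        if any(t.apply(s) in on_stack for t in cand):         # C3, strengthened:
            continue                                          # no successor on the stack
        return cand
    return en   # fully expanded; empty iff enabled(s) is empty, which is C0

def dfs(s0: State, select):
    """Slide 9's DFS: select(s, on_stack) chooses which successors to explore."""
    reached, on_stack, edges = set(), set(), []
    def visit(s: State) -> None:
        reached.add(s)
        on_stack.add(s)                         # label on_stack
        for t in select(s, on_stack):
            s2 = t.apply(s)
            edges.append((s, t.name, s2))
            if s2 not in reached:
                visit(s2)
        on_stack.discard(s)                     # label completed
    visit(s0)
    return reached, edges

def full_graph():
    return dfs(INIT, lambda s, _stack: enabled(s))

def reduced_graph():
    return dfs(INIT, ample)

def satisfies_c0(reached, edges) -> bool:
    has_successor = {src for src, _, _ in edges}
    return all((s in has_successor) == bool(enabled(s)) for s in reached)

if __name__ == "__main__":
    full_states, _ = full_graph()
    red_states, _ = reduced_graph()
    print(f"full: {len(full_states)} states, reduced: {len(red_states)} states")
```

The full graph has 28 reachable states (7 combinations of pc0 and l0 times 4 of pc1 and l1, with x determined by the program counters). In the reduced graph the initial state is expanded only through P0's local transition, so no state with pc0 = 0 other than the initial one is ever generated, and the visible transitions that write x are never chosen as an ample set on their own. Whenever the spin loop makes a successor of the candidate ample set sit on the DFS stack, C3 forces a full expansion of that state, which is the fallback slide 25 describes.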

20
  • Rationale for each condition
  • C0 guarantees that if a state has at least one
    successor, then the reduced state graph contains
    a successor for this state.
  • To justify C1 first observe
  • Lemma: Assuming C1 holds, the transitions in
    enabled(s) \ ample(s) are independent of those
    in ample(s).
  • Proof (argue by contradiction): Let γ ∈
    enabled(s) \ ample(s). Suppose (γ, β) ∈ D (they
    are dependent) where β ∈ ample(s). Because γ is
    enabled in the full state graph there is a path
    from s that starts with γ. But then γ, a transition
    dependent on some transition in ample(s), is
    executed before a transition in ample(s); this
    contradicts C1.

21
  • In order to guarantee the correctness of the DFS
    reduction algorithm, we need to assure that if
    we choose the next transition to explore from
    ample(s), we do not omit any paths that are
    essential for checking the correctness of the
    graph. C1 implies such a path will have one of
    the following forms:
  • The path has a prefix β1 β2 ... βn α where α ∈
    ample(s) and each βi is independent of all
    transitions in ample(s), including α
  • The path is an infinite sequence of transitions
    β0 β1 β2 ..., where each βi is independent of all
    transitions in ample(s)
  • C1 also implies that if along a finite sequence
    of transitions executed from s none of the
    transitions in ample(s) has occurred, then all
    transitions in ample(s) remain enabled (because
    each transition in the sequence is independent of
    the transitions in ample(s) it cannot disable them)

22
(No Transcript)
23
  • In Fig 10.5, in order to discard the left or right
    path we need that α is invisible. This is
    guaranteed by C2.
  • But C1 and C2 are not sufficient to guarantee
    that the reduced state graph is stuttering
    equivalent to the full state graph: there is the
    possibility that some transition is delayed
    forever because of a cycle in the constructed
    state graph.
  • See Fig 10.6 and 10.7. In 10.6 assume β is
    independent of α1, α2, α3, and those 3 transitions
    are interdependent. The process on the left can
    execute the visible transition β exactly once.
    Assume there is one proposition p that is changed
    by β, so that β is visible. The process on the
    right performs the invisible transitions α1, α2,
    α3 repeatedly in a loop.

24
(No Transcript)
25
  • Full state graph in LHS of 10.7. Using C0, C1
    and C2 and the DFS reduction algorithm can result
    in the reduced state graph on the RHS, a cycle;
    this cannot happen if we have C3.
  • Now show that the problems discussed earlier
    cannot happen under C0-C3. Re-consider Figure 10.3

26
(No Transcript)
27
  • Assume the DFS reduction algorithm chooses β as
    ample(s) and does not include s1 in the reduced
    graph.
  • Consider Problem 1 (the checked property might be
    sensitive to the choice of states s1 and s2, not
    just s and r). By C2, β must be invisible, thus
    the sequences s, s2, r and s, s1, r are stuttering
    equivalent so LTL_X properties do not distinguish
    between them
  • Consider Problem 2 (the states s1 and s2 might
    have other successors in addition to r which may
    not be explored if either is eliminated). Refer
    to Figure 10.8, and suppose we had chosen the
    RHS. Assume γ is enabled at s1. We can show γ is
    still enabled at r and the sequences α, γ and
    β, α, γ are stuttering equivalent

28
(No Transcript)
29
  • First note γ cannot be dependent upon β
    (otherwise the sequence α, γ violates C1 since
    transitions dependent on β cannot be executed
    before β). Thus γ is independent of β. Because
    it is enabled at s1 it must also be enabled at
    r. Assume that γ, when executed from r, results in
    state r' and when executed from s1 results in s'.
    Since β is invisible the two state sequences
    s, s1, s' and s, s2, r, r' are stuttering
    equivalent. Thus LTL_X properties cannot
    distinguish between the two.
  • The following example uses the DFS reduction
    algorithm to find the reduced state space wrt the
    formula
  • G ¬(CR0 ∧ CR1) for the mutual exclusion
    property. The subset AP' of atomic propositions
    is {CR0, CR1}

30
(No Transcript)
31
  • Read sections 2.2.3 and 2.3 to understand the
    notation; note only ?0, ?1, d0, d1 are visible.

32
  • Problem: while checking C0 and C2 is quite
    simple, C1 and C3 offer challenges.
  • Checking the condition C1 is at least as hard as
    searching the full state space! Need to have a
    tradeoff between efficiency of computation and
    the amount of reduction. We will avoid checking
    C1 for an arbitrary set of enabled transitions.
    There are fast methods to guarantee C1, but they
    may not lead to the greatest possible reduction.
    Efficient ways to enforce C3 depend on the
    specific search strategy (details on these
    methods in section 10.5.1)
  • Heuristics for finding ample sets depending on
    the model of computation (eg shared variable, MP)
    in section 10.5.2