The Problem
Many concurrent components:
Partial Order Reduction
Ralf Huuck
Trying to build the product state space ...
Algorithmic Verification
Ralf Huuck
1
Algorithmic Verification
State Explosion
Ralf Huuck
2
What to do?
Worst
Worstcase:
case:number
numberof
ofstates
states
increases
increasesexponentially
exponentially
with
withnumber
number of
ofprocesses.
processes.
Try
Tryminimizing
minimizingthe
theeffect
effectby
byreduction
reductionheuristics,
heuristics,e.g.:
e.g.:
Partial
PartialOrder
OrderReduction
Reduction
Worst
Worstcase:
case:number
numberofofstates
states
increases
increasesexponentially
exponentially
with
number
with numberofofprocesses.
processes.
Algorithmic Verification
Ralf Huuck
3
Algorithmic Verification
Ralf Huuck
4
1
Overview
•
•
•
•
Informal explanation
Framework for partial order reduction (POR)
POR in SPIN
Summary
Introduction
Algorithmic Verification
Algorithmic Verification
Ralf Huuck
Ralf Huuck
6
5
Motivation
Expanded Asynchronous Product
S0
x:=1
g:=g+2
x:=1
S1
S2
x,y,g
y:=1
1,0,0
0,1,0
y:=1
g:=g+2
x:=1
g:=g*2
g:=g*2
y:=1
S’0
0,0,0
S’1
S’2
1,0,2
1,1,0
g:=g+2
0,1,0
g:=g*2
x:=1
y:=1
1,1,2
consider interleaving execution,
what are the possible runs?
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
Ralf Huuck
7
Algorithmic Verification
1,1,2
Ralf Huuck
8
2
Expanded Asynchronous Product
x:=1
0,0,0
Possible Runs
1,0,0
x:=1
0,1,0
y:=1
g:=g+2
x,y,g
y:=1
1,0,2
x:=1
0,1,0
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
1,0,2
1,1,0
0,1,0
g:=g*2
x:=1
1,1,2
1,1,0
g:=g*2
1,1,2
g:=g+2
1,1,4
9
Dependencies (1)
Algorithmic Verification
These 3 plus
3 symmetric
ones, i.e., 6
1,1,2
Ralf Huuck
10
Dependencies (2)
g:=g+2
x:=1
S0
S1
S’1
S0
S’2
S’0
S1
S2
g:=g*2
y:=1
S’1
Dependent:
g:=g+2, g:=g*2 share same object
x:=1, g:=g+2 ordered in same automaton
y:=1, g:=g*2 ordered in same automaton
assume x, y are local variables,
g is a global variable
Which operations are actually dependent
and which are independent?
Ralf Huuck
g:=g+2
x:=1
S2
g:=g*2
y:=1
Algorithmic Verification
g:=g*2
y:=1
How many
runs are in
this system?
Ralf Huuck
S’0
x:=1
g:=g+2
x:=1
1,1,2
0,1,0
y:=1
g:=g*2
y:=1
x,y,g
y:=1
1,0,0
g:=g+2
g:=g*2
1,1,0
g:=g+2
0,0,0
11
Algorithmic Verification
Ralf Huuck
S’2
Independent:
x:=1, y:=1
x:=1, g:=g*2
y:=1, g:=g+2
12
3
Equivalent Runs
Idea
x:=1
0,0,0
1,0,0
0,1,0
y:=1
g:=g+2
• partitioning into equivalent classes
• we have to select one run in each class only
x,y,g
y:=1
1,0,2
x:=1
g:=g*2
1,1,0
0,1,0
g:=g*2
g:=g+2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
g:=g+2
1,1,4
1,1,2
Algorithmic Verification
These 3 runs
are equivalent
wrt independencies,
same for other 3 runs
Ralf Huuck
13
Necessary Runs
Ralf Huuck
14
Proving Properties
x:=1
0,0,0
• G(g=0 ∨ g>x)
• F(g≥2)
• (g=0)U(x=1)
x,y,g
y:=1
1,0,0
0,1,0
y:=1
g:=g+2
1,0,2
x:=1
g:=g*2
1,1,0
g:=g+2
all hold in reduced graph, i.e.,
considering only 2 necessary runs
0,1,0
g:=g*2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
Algorithmic Verification
Eliminating all
independencies.
2 runs left
1,1,2
Ralf Huuck
15
Algorithmic Verification
Ralf Huuck
16
4
Proving Properties
Visibility
• G(g=0 ∨ g>x)
• F(g≥2)
• (g=0)U(x=1)
• introduces dependency that was not assumed to exist
• dependencies not only from data objects but also formula
• remove x:=1, y:=1 from independencies
all hold in full and reduced graph,
with states of the 2 necessary runs
• G(x≥y)
holds in reduced graph,
but not full graph
WHY?
Algorithmic Verification
Ralf Huuck
17
Equivalent Runs
Ralf Huuck
18
Equivalent Runs
x:=1
0,0,0
x,y,g
y:=1
1,0,0
x:=1
0,1,0
y:=1
g:=g+2
1,0,2
x:=1
0,1,0
1,0,2
1,1,0
g:=g*2
0,1,0
g:=g*2
x:=1
1,1,2
Partition 1
1,1,0
g:=g*2
1,1,2
Ralf Huuck
g:=g*2
y:=1
g:=g+2
1,1,4
x:=1
1,1,0
g:=g+2
x:=1
1,1,2
x,y,g
y:=1
0,1,0
y:=1
g:=g*2
y:=1
0,0,0
1,0,0
g:=g+2
g:=g*2
1,1,0
g:=g+2
Algorithmic Verification
Algorithmic Verification
1,1,4
19
Algorithmic Verification
Partition 2
g:=g+2
1,1,2
Ralf Huuck
20
5
Equivalent Runs
Equivalent Runs
x:=1
0,0,0
1,0,0
1,0,2
x:=1
0,1,0
1,0,2
1,1,0
g:=g*2
0,1,0
g:=g*2
x:=1
1,1,2
1,1,0
g:=g*2
1,1,2
Ralf Huuck
g:=g*2
y:=1
Partition 3
g:=g+2
1,1,4
x:=1
1,1,0
g:=g+2
x:=1
1,1,2
x,y,g
y:=1
0,1,0
y:=1
g:=g*2
y:=1
0,0,0
1,0,0
g:=g+2
g:=g*2
1,1,0
g:=g+2
Algorithmic Verification
x:=1
0,1,0
y:=1
g:=g+2
x,y,g
y:=1
g:=g+2
1,1,4
21
Algorithmic Verification
Partition 4
1,1,2
Ralf Huuck
22
Questions
• Given a set of processes how can we automatically identify
classes of equivalent runs?
• How to avoid full construction upfront, but
deciding on-the-fly which states and transitions are
necessary?
Theory
Such techniques are addressed as partial
order reduction, which, e.g., SPIN makes use of.
Algorithmic Verification
Algorithmic Verification
Ralf Huuck
Ralf Huuck
24
23
6
Labeled Transition System
enabled/reachable
• action a∈A is enabled in state s∈S
iff τ(a,s) is defined
• enabled(s) denotes set of all actions enabling in transition
from state s
• sate s is deadlock state iff enabled(s)=∅
• execution sequence is sequence of subsequent transitions
• state s is reachable iff there exists an execution sequence
from s0 to s
(S,s0,A,τ,Π,L) is labeled transition system
where
• S finite set of states
• s0 initial state
• A finite set of actions
• τ: S× A→ S (partial) transition function
• Π finite set of Boolean propositions
• L:S→ 2Π labeling function
(similar to a Kripke structure with symbols on transitions)
Algorithmic Verification
Ralf Huuck
25
Example
Ralf Huuck
26
Partial Order Reduction
enabled actions
in (0,0,0)
x:=1
0,0,0
• avoid construction including “unnecessary” interleavings if
possible
• decide per state which outgoing transitions to include
• reduction function r:S→ 2A, i.e., which actions have to be
taken care of in a certain state
x,y,g
y:=1
1,0,0
0,1,0
y:=1
g:=g+2
1,0,2
x:=1
g:=g*2
1,1,0
g:=g+2
0,1,0
g:=g*2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
Algorithmic Verification
deadlockstate
state
deadlock
1,1,2
Ralf Huuck
27
Algorithmic Verification
Ralf Huuck
28
7
Reduced LTS
Independence
smallest (Sr,s0r,Ar,τr,Πr,Lr) such that
two actions a,b∈A (a≠b) are independent
iff for all states s∈S where {a,b}⊆enabled(s)
1. b∈enabled(τ(s,a)) and a∈enabled(τ(s,b))
2. τ(τ(s,a),b) = τ(τ(s,b),a)
•
•
•
•
Sr ⊆ S,
s0=s0r,
Lr=L∩(Sr× 2Π)
for any s∈ Sr and a∈r(s) where τ(s,a) is defined,
τr(s,a) is defined
This means actions do not disable each other (1) and
their permutation leads to the same state (2).
Algorithmic Verification
Ralf Huuck
29
Algorithmic Verification
Ralf Huuck
30
Example
independent
actions
x:=1
0,0,0
1,0,0
0,1,0
y:=1
g:=g+2
x,y,g
y:=1
1,0,2
x:=1
1,1,0
g:=g+2
Proving Properties
g:=g*2
0,1,0
g:=g*2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
g:=g+2
1,1,4
Otherindependent
independent
Other
actions?
actions?
1,1,2
Algorithmic Verification
Algorithmic Verification
Ralf Huuck
Ralf Huuck
32
31
8
Properties
Preserving Deadlock
POR is typically done with respect to certain classes of
properties, e.g.:
To preserve deadlock states the reduction function must
satisfy:
• absence of deadlock,
• local property, depends on state of a single process
or state of single shared object
• next-free LTL property, i.e., LTL with until operator only
C0 r(s)=∅ iff enabled(s)=∅
C1 (persistency) for any execution sequence
with all ai∉r(s) (0·i<n), an-1 is independent of all ai∈ r(s)
Algorithmic Verification
Ralf Huuck
33
Example
Algorithmic Verification
Ralf Huuck
34
Theorem
β1
Thispath
pathcan
canbe
beomitted
omitted
This
β2
α
β3
α
α
s
α
Any reduced
reduced system
system satisfying
satisfying C0
C0 and
and C1
C1
Any
preserves
deadlocks.
preserves deadlocks.
β1
β2
β3
deadlockstate
state
deadlock
Algorithmic Verification
Ralf Huuck
35
Algorithmic Verification
Ralf Huuck
36
9
Local Properties
Example
x=0
property φ is local
iff
for all s∈ S and independent actions a,b∈ A
if {a,b}⊆enabled(s) then:
if φ holds in s but not in τ(s,a)
then φ holds in τ(s,b) but not in τ(τ(s,b)a).
local
property
x:=1
0,0,0
1,0,0
0,1,0
y:=1
g:=g+2
x,y,g
y:=1
1,0,2
x:=1
g:=g*2
1,1,0
0,1,0
g:=g*2
g:=g+2
x:=1
y:=1
Intuition: φ cannot be changed by the combined effect of two
independent actions, it only depends on local changes.
1,1,2
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
Ralf Huuck
37
Preserving Local Properties
Algorithmic Verification
1,1,2
Ralf Huuck
38
Example
To preserve local properties the reduction function must
satisfy:
C2 (cycle) for any cyclic execution sequence
p
q
0
0
a1
q
b
¬p
a2
q
1
1
1
a0
where, sn=s0 there is an si (0· i<n) such that r(si)=enabled(si)
Two concurrent processes,
a’s and b are independent
Algorithmic Verification
Ralf Huuck
39
Algorithmic Verification
Ralf Huuck
40
10
Full State Graph
Full State Graph
p,q
p,q
0
a1
0
a1
p,q
a2
b
a0
p.q
p,q
1
¬p,q
1
a’s and b are independent,
whenever having the choice
between them, why not choosing
some a?
b
a2
b
a0
p.q
Algorithmic Verification
a1
¬p,q
¬p,q
a0
1
Ralf Huuck
41
Algorithmic Verification
a2
1
Ralf Huuck
¬p,q
1
a0
42
Theorem
p,q
This means, we never see
b and never ¬p.
0
a1
p,q
a2
b
a0
p.q
1
¬p,q
1
Any reduced
reduced system
system satisfying
satisfying
Any
C0,
C1,
and
C2
C0, C1, and C2
preserves local
local properties.
properties.
preserves
b
0
Therfore, cannot hide ¬p completely!
Ralf Huuck
a1
b
¬p,q
Algorithmic Verification
a1
b
1
Reduced State Graph?
C2 requires in any cycle
there is an si (0· i<n) such
that r(si)=enabled(si).
b
0
a2
¬p,q
¬p,q
1
0
b
1
a2
1
¬p,q
1
a0
43
Algorithmic Verification
Ralf Huuck
44
11
Next-free LTL
Invisibility
• only allows Until as temporal operator,
• strict subset of LTL
• cannot, e.g., distinguish between the next and the second
next state
• closed under stuttering
prop(φ) set of propositions in φ
• action a is φ-invisible in s iff
τ(s,a) is undefined or π∈ L(s) ⇔ π ∈ L(τ(s,a)) for all π∈
prop(φ)
• a is globally φ-invisible iff
it is φ-invisible for all s∈S
This means some action cannot change some truth value.
Algorithmic Verification
Ralf Huuck
45
Preserving Next-free LTL
Algorithmic Verification
Ralf Huuck
46
Example (1)
C3 (invisibility) for any state s∈S,
all actions are globally φ-invisible or r(s)=enabled(s)
p
globally
ααglobally
φ−invisible
φ−invisible
¬p
p
¬p
β2
α
β3
α
β1
β3
α
β2
s
α
β1
p
¬p
p
Which LTL and/or next-free LTL
propertied do (not) hold here?
¬p
More sophisticated examples?
Algorithmic Verification
Ralf Huuck
47
Algorithmic Verification
Ralf Huuck
48
12
Example (2)
Theorem
p
Thispath
pathcan
canbe
beomitted
omitted
This
¬p
β2
p
¬p
β1
α
β3
α
β3
α
β2
s
α
β1
Any reduced
reduced system
system satisfying
satisfying
Any
C0,
C1,
C2,
and
C3
C0, C1, C2, and C3
preserves next-free
next-free LTL
LTL properties.
properties.
preserves
p
¬p
p
¬p
Algorithmic Verification
Ralf Huuck
49
Algorithmic Verification
Ralf Huuck
50
Well, yes but ...
• We defined constraints such that a reduced system still
satisfies certain properties.
• But: How to find a suitable reduction?
• Also: building full state graph and then reducing is
inefficient.
POR in SPIN
Challenging!
Let’s have a look at SPIN ...
Algorithmic Verification
Algorithmic Verification
Ralf Huuck
Ralf Huuck
52
51
13
System Construction in SPIN
Preliminaries
1. depth first search
2. reduction function based on process structure
(S,s0,A,τ,Π,L) full LTS from set of processes P
each process P∈P is set of actions, i.e., P⊆A
we assume: P is a partitioning of A, i.e,
1. P,Q∈P, P≠Q ⇒ P∩Q=∅, and
2. A=∪P∈PP
Pid:A→P returns process (ID) for a given action
Algorithmic Verification
Ralf Huuck
53
Restriction of Process Structure
Algorithmic Verification
Ralf Huuck
54
Safety
We do not allow concurrency within a process:
Action a is safe
iff
it is independent from any b where Pid(a)≠Pid(b)
for all a,b∈ P, a≠ b, s∈ S:
a,b∈enabled(s) ⇒ b∉enabled(τ(s,a))
This means we still have choice (if-then-else) in a process,
but no processes within processes.
Algorithmic Verification
Ralf Huuck
55
Algorithmic Verification
Ralf Huuck
56
14
Safety Example
Safety Example
g:=g+2
x:=1
S0
S1
safe actions
S’1
S1
S’0
Ralf Huuck
S2
g:=g*2
y:=1
S’2
Which actions are safe in this example?
Algorithmic Verification
S0
g:=g*2
y:=1
S’0
g:=g+2
x:=1
S2
S’1
S’2
They are independent of any action in other process.
57
Next-free Safety
Algorithmic Verification
Ralf Huuck
58
Next-free Safe Example
Action a is safe
iff
it is independent from any b where Pid(a)≠Pid(b)
g:=g+2
x:=1
S0
S1
g:=g*2
y:=1
Action a is next-free safe for some φ∈LTL-X
iff
• it is independent from any b where Pid(a)≠Pid(b), and
• globally φ-invisible
S’0
S2
S’1
S’2
Which actions are next-free safe for:
• G (g=2)
• G (x<g)
Algorithmic Verification
Ralf Huuck
59
Algorithmic Verification
Ralf Huuck
60
15
Next-free Safe Example
Reduction Function Ample (part 1)
S1
S2
g:=g*2
y:=1
S’0
Let s∈S be a state. Let P∈P be a process such that
1. enabled(s)∩ P ≠∅
2. for all a∈enabled(s)∩P, a is (next-free) safe
3. for all a∈enabled(s)∩P, τ(s,a) is not on DFS stack
g:=g+2
x:=1
S0
S’1
S’2
next-free safe actions
for φ=G (g=2)
Other(counter)examples?
(counter)examples?
Other
Algorithmic Verification
Ralf Huuck
61
Reduction Function Ample
Algorithmic Verification
Ralf Huuck
Reminder: DFS Algorithm
Let s∈S be a state. Let P∈P be a process such that
1. enabled(s)∩ P ≠∅
2. for all a∈enabled(s)∩P, a is (next-free) safe
3. for all a∈enabled(s)∩P, τ(s,a) is not on DFS stack
Hash table:
q1
Stack:
.
q1
Remember DFS algorithm?
Stack keeps record of states we
have seen before, but not fully
explored.
Algorithmic Verification
62
Ralf Huuck
q2
q1 q2 q4
q3
q4
q2
q4
q5
63
Algorithmic Verification
Ralf Huuck
64
16
Reduction Function Ample (part 2)
Example (POR deadlock)
Let s∈S be a state. Let P∈P be a process such that
1. enabled(s)∩ P ≠∅
2. for all a∈enabled(s)∩P, a is (next-free) safe
3. for all a∈enabled(s)∩P, τ(s,a) is not on DFS stack
deadlock
x:=1
0,0,0
1,0,0
0,1,0
y:=1
g:=g+2
1,0,2
We define a reduction function ample as follows:
• if there is no such process then ample(s)=enabled(s).
• otherwise choose arbitrary P satisfying above
requirements and define ample(s)=enabled(s)∩P.
x:=1
Ralf Huuck
0,1,0
g:=g*2
x:=1
y:=1
1,1,2
65
x:=1
0,0,0
g:=g+2
x,y,g
y:=1
Ralf Huuck
66
0,0,0
deadlock
y:=1
x,y,g
0,1,0
g:=g*2
x:=1
1,1,0
g:=g+2
ample
amplesets
setsfor
for
deadlock
deadlock
x:=1
0,1,0
1,1,0
g:=g*2
g:=g*2
g:=g+2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
1,1,2
1,1,2
∅
1,1,0
g:=g*2
g:=g+2
1,1,4
Algorithmic Verification
Algorithmic Verification
1,1,2
0,1,0
y:=1
1,0,2
Consider
Considersimple
simple
safety
safetyonly.
only.
Reduction (POR deadlock)
1,0,0
g:=g+2
What
Whatare
arethe
the
ample
amplesets?
sets?
1,1,0
g:=g*2
Example (POR deadlock)
deadlock
g:=g*2
1,1,0
g:=g+2
1,1,4
Algorithmic Verification
x,y,g
y:=1
g:=g+2
1,1,4
1,1,2
∅
Ralf Huuck
67
Algorithmic Verification
Ralf Huuck
68
17
Example (2)
Reduction (2)
φ = F (g=2)
x:=1
0,0,0
1,0,0
g:=g+2
φ = F (g=2)
x,y,g
y:=1
y:=1
0,1,0
y:=1
1,0,2
x,y,g
0,1,0
g:=g*2
x:=1
1,1,0
ample
amplesets
setsfor
for
next
nextfree-safe
free-safe
x:=1
0,1,0
1,1,0
g:=g*2
g:=g+2
g:=g*2
g:=g+2
x:=1
y:=1
1,1,2
1,1,0
g:=g*2
1,1,2
1,1,2
∅
1,1,0
g:=g*2
g:=g+2
1,1,4
g:=g+2
1,1,4
1,1,2
∅
Algorithmic Verification
Ralf Huuck
69
Example (3)
Algorithmic Verification
Ralf Huuck
70
On-the-fly Construction
φ = F (x<y)
x:=1
0,0,0
Constructing full state space first and then reducing it is not
very smart, but:
x,y,g
y:=1
1,0,0
0,1,0
y:=1
g:=g+2
1,0,2
x:=1
g:=g*2
1,1,0
no
noreduction
reduction
g:=g*2
g:=g+2
ample
amplesets
setsfor
for
next
nextfree-safe
free-safe
x:=1
1,1,2
.
We
Wecan
cando
doPOR
PORwhile
whileconstruction
constructionthe
thestate
statespace
space
0,1,0
y:=1
Basically, use DFS algorithm for state space construction and
only follow the paths in the ample sets.
1,1,0
g:=g*2
POR does not always help, but the more independent actions
the better.
g:=g+2
1,1,4
1,1,2
∅
Algorithmic Verification
0,0,0
∅
Ralf Huuck
71
Algorithmic Verification
Ralf Huuck
72
18
Partial Order Reduction
•
•
•
•
Summary
Algorithmic Verification
Ralf Huuck
tackles state explosion
general framework for reduction
SPIN example for implementation of reduction function
other methods out there, e.g., symmetry reduction,
automata minimizations, abstractions etc.
73
Algorithmic Verification
Ralf Huuck
74
Good news ☺
We
Weare
aredone
donewith
with“standard”
“standard”model
modelchecking.
checking.
Algorithmic Verification
Ralf Huuck
75
19