Tree-like automata synchronisation topologies and their reductions - - PowerPoint PPT Presentation

Tree-like automata synchronisation topologies and their reductions

Micha l Knapik, Laure Petrucci TDCS seminar, 16th July 2020

ICS PAS/LIPN, CNRS

Outline

Motivations and Contributions Asynchronous Products, Synchronisation Topologies Tree Topologies, Reductions

2

Motivations and Contributions

Motivations

• Our typical pipeline of system model design and verification:
• Abstract components {Mi}n

i=1 and interfaces.

• Specify relevant property ϕ.
• Verify φ over (huge) model: M1|

| . . . | |Mn | = ϕ.

3

Motivations

• Our typical pipeline of system model design and verification:
• Abstract components {Mi}n

i=1 and interfaces.

• Specify relevant property ϕ.
• Verify φ over (huge) model: M1|

| . . . | |Mn | = ϕ.

• The usual bottleneck: computing M1|

| . . . | |Mn.

3

Motivations

• Our typical pipeline of system model design and verification:
• Abstract components {Mi}n

i=1 and interfaces.

• Specify relevant property ϕ.
• Verify φ over (huge) model: M1|

| . . . | |Mn | = ϕ.

• The usual bottleneck: computing M1|

| . . . | |Mn.

• Assume-guarantee approach can sometimes alleviate this,

e.g. find a model A that subsumes M1 and check A| | . . . | |Mn | = ϕ.

3

Motivations

• Our typical pipeline of system model design and verification:
• Abstract components {Mi}n

i=1 and interfaces.

• Specify relevant property ϕ.
• Verify φ over (huge) model: M1|

| . . . | |Mn | = ϕ.

• The usual bottleneck: computing M1|

| . . . | |Mn.

• Assume-guarantee approach can sometimes alleviate this,

e.g. find a model A that subsumes M1 and check A| | . . . | |Mn | = ϕ. Might work for some properties and models, but still needs costly computation of large parallel product.

3

Motivations

• Our typical pipeline of system model design and verification:
• Abstract components {Mi}n

i=1 and interfaces.

• Specify relevant property ϕ.
• Verify φ over (huge) model: M1|

| . . . | |Mn | = ϕ.

• The usual bottleneck: computing M1|

| . . . | |Mn.

• Assume-guarantee approach can sometimes alleviate this,

e.g. find a model A that subsumes M1 and check A| | . . . | |Mn | = ϕ. Might work for some properties and models, but still needs costly computation of large parallel product.

• So it’d be good to have tools for static analysis and transformation
• f network {Mi}n

i=1 before computing parallel product. 3

Contributions (current / expected)

Current

• (Trivial) definition of synchronisation topology.
• A technique for reachability-preserving reduction of tree-like

topologies for a class of very simple automata. The result is polynomial w.r.t. number of components.

• The technique does not preserve safety properties - example.
• Implementation and initial tests.

Expected (in the final version of this work)

• Generalisation of reachability-preserving reductions for tree-like

topologies for any type of automata + implementation. Expected (future work)

• Lot of things: different topologies, properties, applications, etc.

4

Asynchronous Products, Synchronisation Topologies

Labeled Transition Systems

Labelled Transition System (LT S) LT S is tuple M = S, s0, Acts, →, L where:

• 1. S is a finite set of states and s0 ∈ S the initial state;
• 2. Acts is a finite set of action names;
• 3. → ⊆ S × Acts × S is a transition relation;
• 4. L: S → 2PV labels states with propositions.

(We put acts(M) = Acts, states(M) = S, etc.)

5

Asynchronous Product

Asynchronous Product (M1||M2)

• Mi = Si, s0

i , →i, Actsi: LT S, for i ∈ {1, 2}

• M1||M2 = S1 × S2, (s0

1, s0 2), →, Acts1 ∪ Acts2 with trans. rules:

act ∈ Acts1 \ Acts2 ∧ s1

act

− − →1 s′

1

(s1, s2)

act

− − → u(s′

1, s2)

(non-sync left trans.) act ∈ Acts2 \ Acts1 ∧ s2

act

− − →2 s′

2

(s1, s2)

act

− − → (s1, s′

2)

(non-sync right trans.) act ∈ Acts1 ∩ Acts2 ∧ s1

act

− − →1 s′

1 ∧ s2 act

− − →2 s′

2

(s1, s2)

act

− − → (s′

1, s′ 2)

(sync. trans.)

• (Generalised to any number of components in the usual way.)

6

Asynchronous Product

Asynchronous Product (M1||M2)

• Mi = Si, s0

i , →i, Actsi: LT S, for i ∈ {1, 2}

• M1||M2 = S1 × S2, (s0

1, s0 2), →, Acts1 ∪ Acts2 with trans. rules:

act ∈ Acts1 \ Acts2 ∧ s1

act

− − →1 s′

1

(s1, s2)

act

− − → u(s′

1, s2)

(non-sync left trans.) act ∈ Acts2 \ Acts1 ∧ s2

act

− − →2 s′

2

(s1, s2)

act

− − → (s1, s′

2)

(non-sync right trans.) act ∈ Acts1 ∩ Acts2 ∧ s1

act

− − →1 s′

1 ∧ s2 act

− − →2 s′

2

(s1, s2)

act

− − → (s′

1, s′ 2)

(sync. trans.)

• (Generalised to any number of components in the usual way.)

6

Asynchronous Product

Asynchronous Product (M1||M2)

• Mi = Si, s0

i , →i, Actsi: LT S, for i ∈ {1, 2}

• M1||M2 = S1 × S2, (s0

1, s0 2), →, Acts1 ∪ Acts2 with trans. rules:

act ∈ Acts1 \ Acts2 ∧ s1

act

− − →1 s′

1

(s1, s2)

act

− − → u(s′

1, s2)

(non-sync left trans.) act ∈ Acts2 \ Acts1 ∧ s2

act

− − →2 s′

2

(s1, s2)

act

− − → (s1, s′

2)

(non-sync right trans.) act ∈ Acts1 ∩ Acts2 ∧ s1

act

− − →1 s′

1 ∧ s2 act

− − →2 s′

2

(s1, s2)

act

− − → (s′

1, s′ 2)

(sync. trans.)

• (Generalised to any number of components in the usual way.)

6

Asynchronous Product

Asynchronous Product (M1||M2)

• Mi = Si, s0

i , →i, Actsi: LT S, for i ∈ {1, 2}

• M1||M2 = S1 × S2, (s0

1, s0 2), →, Acts1 ∪ Acts2 with trans. rules:

act ∈ Acts1 \ Acts2 ∧ s1

act

− − →1 s′

1

(s1, s2)

act

− − → u(s′

1, s2)

(non-sync left trans.) act ∈ Acts2 \ Acts1 ∧ s2

act

− − →2 s′

2

(s1, s2)

act

− − → (s1, s′

2)

(non-sync right trans.) act ∈ Acts1 ∩ Acts2 ∧ s1

act

− − →1 s′

1 ∧ s2 act

− − →2 s′

2

(s1, s2)

act

− − → (s′

1, s′ 2)

(sync. trans.)

• (Generalised to any number of components in the usual way.)

6

Synchronisation Topology

Synchronisation Topology G

• Net = {Mi}n

i=1: LT S, for i ∈ {1, . . . , n}

• G = Net, T : a graph with vertices Net and edges T s.t.

(Mi, Mj) ∈ T iff i = j and acts(Mi) ∩ acts(Mj) = ∅

7

Synchronisation Topology

Synchronisation Topology G

• Net = {Mi}n

i=1: LT S, for i ∈ {1, . . . , n}

• G = Net, T : a graph with vertices Net and edges T s.t.

(Mi, Mj) ∈ T iff i = j and acts(Mi) ∩ acts(Mj) = ∅

7

Tree Topologies, Reductions

Tree Topologies and Live-reset Automata

First restriction: G is laid out as a tree

r0 r1 r2 r3 r4 ?open ?chooseL ?open ?chooseR ?chooseL beep R s0 !open M1 t0 t1 t2 !chooseL τ τ !chooseR M2

• parent(M1) = parent(M2) = R, children(R) = {M1, M2}
• downacts(M): actions over which M synchronises with any child,

e.g., downacts(R) = {open, chooseL, chooseR}

• upacts(M): actions over which M synchronises with its parent,

e.g., upacts(M2) = {chooseL, chooseR}

• locacts(M): the remaining actions, e.g., locacts(R) = {beep}

8

Tree Topologies and Live-reset Automata

Second restriction: all automata are live-reset

r0 r1 r2 r3 r4 ?open ?chooseL ?open ?chooseR ?chooseL beep R s0 !open M1 t0 t1 t2 !chooseL τ τ !chooseR M2

• M is live-reset if each synchronisation with its parent moves M to

the initial state.

9

Tree Topologies and Live-reset Automata

Why these restrictions?

• Tree topology: allows recursive bottom-up reduction for subtrees.
• Live-reset automata: synchronisations are fire-and-forget, little

additional bookkeeping needed.

10

Reduction for Trees of Height 1

• G: a live-reset tree of height 1, with root R and

children(R) = {M1, . . . , Mn}.

• We compute sum-of-squares product SQ(G) using only square

products R||Mi for i ∈ {1, . . . , n} (and some gadgets).

• R||M1|| . . . ||Mn |

= EFp iff SQ(G) | = EFp

11

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1, ct’d

SQ(G) (* We will build a new LT S Gr. *)

• 1. Let states(Gr) = ∅, transitions(Gr) = ∅.
• 2. Make a fresh initial state s0

sq and put it in states(Gr).

• 3. Put n

i=1 states(R||Mi) in states(Gr).

• 4. Put n

i=1 transitions(R||Mi) in transitions(Gr).

• 5. Via epsilon-transitions, connect s0

sq with the initial state of each

R||Mi, for i ∈ {1, . . . , n}.

• 6. For each transition (sroot, si)

act

− − →sq (s′

root, s0 i ) in R||Mi s.t.

act ∈ upacts(Mi) add (sroot, si)

act

− − →sq (s′

root, s0 j ) to transitions(Gr),

for all j ∈ {1, . . . , n}, i = j.

• 7. Throw away from states(Gr) all the states from which no state with

the root’s action enabled can be reached.

• 8. Return Gr.

12

Reduction for Trees of Height 1: Example

r0 r1 r2 r3 r4 ?open ?chooseL ?open ?chooseR ?chooseL beep R s0 !open M1 t0 t1 t2 !chooseL τ τ !chooseR M2

= ⇒

s0r0 s0r3 s0r2 s0r1 s0r4

• pen
• pen

beep t0r4 t2r1 t0r1 t1r1 t0r2 t1r2 t2r2 t0r3 t1r3 t2r3 t1r4 t2r4 t0r0 t1r0 t2r0 τ chooseL τ chooseR τ τ τ τ beep beep beep τ chooseL τ τ τ chooseL chooseR chooseL

• pen
• pen

13

Reduction for Trees of Height 1: Example

r0 r1 r2 r3 r4 ?open ?chooseL ?open ?chooseR ?chooseL beep R s0 !open M1 t0 t1 t2 !chooseL τ τ !chooseR M2

= ⇒

s0r0 s0r3 s0r2

• pen

beep t0r4 t2r1 t0r1 t1r1 t0r3 t1r3 t2r3 t1r4 τ τ chooseR τ τ beep beep beep τ chooseL chooseL

• pen
• pen

s0

sq

ǫ

13

Notes and Limitations

• Generalisation for trees of any size: easy, omitted here.

14

Notes and Limitations

• Generalisation for trees of any size: easy, omitted here.
• If a tree sync. topology has n components, each of size size m, then

the asynchronous product can reach size mn. The size of the sum-of-squares product is at most (n − 1) · m2.

14

Notes and Limitations

• Generalisation for trees of any size: easy, omitted here.
• If a tree sync. topology has n components, each of size size m, then

the asynchronous product can reach size mn. The size of the sum-of-squares product is at most (n − 1) · m2.

• Theorem: R||M1|| . . . ||Mn |

= EFp iff SQ(G) | = EFp.

14

Notes and Limitations

• Generalisation for trees of any size: easy, omitted here.
• If a tree sync. topology has n components, each of size size m, then

the asynchronous product can reach size mn. The size of the sum-of-squares product is at most (n − 1) · m2.

• Theorem: R||M1|| . . . ||Mn |

= EFp iff SQ(G) | = EFp.

• But there is a sync. topology s.t.

R||M1|| . . . ||Mn | = EGp and SQ(G) | = EGp.

r0 r1 r2 p ?chooseR ?chooseL beep Ry s0 s1 p !chooseL τ My

1

t0 p t1 !chooseR τ My

2

14

The Tool: Unreadable Screenshots

automaton: 0x5570d7723910 automaton: 0x5570d7722d70 automaton: 0x5570d77232f0 automaton: 0x5570d772c710 automaton: 0x5570d772bc40 automaton: 0x5570d772c350 automaton: 0x5570d773d780 beep 1 heep 1

• pen

2 chooseL 4 chooseR 3

• pen

beep chooseL

• pen

1 T R 2 L T 1 R L 2 L R 1 R chooseL 2 L chooseR 1 R chooseL 2 L chooseR

A0x5570d7723910 A0x5570d7722d70 beep A0x5570d77232f0

• pen

A0x5570d772c350 chooseL chooseR A0x5570d772c710 L R A0x5570d772bc40 R L L R A0x5570d773d780 R L

• pen

• pen

• pen

15

THANK YOU

16