Tree-like automata synchronisation topologies and their reductions - PowerPoint PPT Presentation

Tree-like automata synchronisation topologies and their reductions Micha� l Knapik , Laure Petrucci TDCS seminar, 16th July 2020 ICS PAS/LIPN, CNRS

Outline Motivations and Contributions Asynchronous Products, Synchronisation Topologies Tree Topologies, Reductions 2

Motivations and Contributions

Motivations • Our typical pipeline of system model design and verification: • Abstract components {M i } n i =1 and interfaces. • Specify relevant property ϕ . • Verify φ over (huge) model: M 1 | | . . . | |M n | = ϕ . 3

Motivations • Our typical pipeline of system model design and verification: • Abstract components {M i } n i =1 and interfaces. • Specify relevant property ϕ . • Verify φ over (huge) model: M 1 | | . . . | |M n | = ϕ . • The usual bottleneck: computing M 1 | | . . . | |M n . 3

Motivations • Our typical pipeline of system model design and verification: • Abstract components {M i } n i =1 and interfaces. • Specify relevant property ϕ . • Verify φ over (huge) model: M 1 | | . . . | |M n | = ϕ . • The usual bottleneck: computing M 1 | | . . . | |M n . • Assume-guarantee approach can sometimes alleviate this, e.g. find a model A that subsumes M 1 and check A| | . . . | |M n | = ϕ . 3

Motivations • Our typical pipeline of system model design and verification: • Abstract components {M i } n i =1 and interfaces. • Specify relevant property ϕ . • Verify φ over (huge) model: M 1 | | . . . | |M n | = ϕ . • The usual bottleneck: computing M 1 | | . . . | |M n . • Assume-guarantee approach can sometimes alleviate this, e.g. find a model A that subsumes M 1 and check A| | . . . | |M n | = ϕ . Might work for some properties and models, but still needs costly computation of large parallel product. 3

Motivations • Our typical pipeline of system model design and verification: • Abstract components {M i } n i =1 and interfaces. • Specify relevant property ϕ . • Verify φ over (huge) model: M 1 | | . . . | |M n | = ϕ . • The usual bottleneck: computing M 1 | | . . . | |M n . • Assume-guarantee approach can sometimes alleviate this, e.g. find a model A that subsumes M 1 and check A| | . . . | |M n | = ϕ . Might work for some properties and models, but still needs costly computation of large parallel product. • So it’d be good to have tools for static analysis and transformation of network {M i } n i =1 before computing parallel product. 3

Contributions (current / expected) Current • (Trivial) definition of synchronisation topology. • A technique for reachability-preserving reduction of tree-like topologies for a class of very simple automata . The result is polynomial w.r.t. number of components. • The technique does not preserve safety properties - example. • Implementation and initial tests. Expected (in the final version of this work) • Generalisation of reachability-preserving reductions for tree-like topologies for any type of automata + implementation. Expected (future work) • Lot of things: different topologies, properties, applications, etc. 4

Asynchronous Products, Synchronisation Topologies

Labeled Transition Systems Labelled Transition System ( LT S ) LT S is tuple M = �S , s 0 , Acts , → , L� where: 1. S is a finite set of states and s 0 ∈ S the initial state; 2. Acts is a finite set of action names; 3. → ⊆ S × Acts × S is a transition relation; 4. L : S → 2 PV labels states with propositions. (We put acts ( M ) = Acts , states ( M ) = S , etc.) 5

Asynchronous Product Asynchronous Product ( M 1 ||M 2 ) • M i = �S i , s 0 i , → i , Acts i � : LT S , for i ∈ { 1 , 2 } • M 1 ||M 2 = �S 1 × S 2 , ( s 0 1 , s 0 2 ) , → , Acts 1 ∪ Acts 2 � with trans. rules: act act ∈ Acts 1 \ Acts 2 ∧ s 1 − − → 1 s ′ 1 act → u ( s ′ ( s 1 , s 2 ) − − 1 , s 2 ) (non-sync left trans.) act act ∈ Acts 2 \ Acts 1 ∧ s 2 − − → 2 s ′ 2 act ( s 1 , s 2 ) − − → ( s 1 , s ′ 2 ) (non-sync right trans.) act act → 1 s ′ → 2 s ′ act ∈ Acts 1 ∩ Acts 2 ∧ s 1 − − 1 ∧ s 2 − − 2 act ( s 1 , s 2 ) − − → ( s ′ 1 , s ′ 2 ) (sync. trans.) • (Generalised to any number of components in the usual way.) 6

Asynchronous Product Asynchronous Product ( M 1 ||M 2 ) • M i = �S i , s 0 i , → i , Acts i � : LT S , for i ∈ { 1 , 2 } • M 1 ||M 2 = �S 1 × S 2 , ( s 0 1 , s 0 2 ) , → , Acts 1 ∪ Acts 2 � with trans. rules: act act ∈ Acts 1 \ Acts 2 ∧ s 1 − − → 1 s ′ 1 act → u ( s ′ ( s 1 , s 2 ) − − 1 , s 2 ) (non-sync left trans.) act act ∈ Acts 2 \ Acts 1 ∧ s 2 − − → 2 s ′ 2 act ( s 1 , s 2 ) − − → ( s 1 , s ′ 2 ) (non-sync right trans.) act act → 1 s ′ → 2 s ′ act ∈ Acts 1 ∩ Acts 2 ∧ s 1 − − 1 ∧ s 2 − − 2 act ( s 1 , s 2 ) − − → ( s ′ 1 , s ′ 2 ) (sync. trans.) • (Generalised to any number of components in the usual way.) 6

Asynchronous Product Asynchronous Product ( M 1 ||M 2 ) • M i = �S i , s 0 i , → i , Acts i � : LT S , for i ∈ { 1 , 2 } • M 1 ||M 2 = �S 1 × S 2 , ( s 0 1 , s 0 2 ) , → , Acts 1 ∪ Acts 2 � with trans. rules: act act ∈ Acts 1 \ Acts 2 ∧ s 1 − − → 1 s ′ 1 act → u ( s ′ ( s 1 , s 2 ) − − 1 , s 2 ) (non-sync left trans.) act act ∈ Acts 2 \ Acts 1 ∧ s 2 − − → 2 s ′ 2 act ( s 1 , s 2 ) − − → ( s 1 , s ′ 2 ) (non-sync right trans.) act act → 1 s ′ → 2 s ′ act ∈ Acts 1 ∩ Acts 2 ∧ s 1 − − 1 ∧ s 2 − − 2 act ( s 1 , s 2 ) − − → ( s ′ 1 , s ′ 2 ) (sync. trans.) • (Generalised to any number of components in the usual way.) 6

Asynchronous Product Asynchronous Product ( M 1 ||M 2 ) • M i = �S i , s 0 i , → i , Acts i � : LT S , for i ∈ { 1 , 2 } • M 1 ||M 2 = �S 1 × S 2 , ( s 0 1 , s 0 2 ) , → , Acts 1 ∪ Acts 2 � with trans. rules: act act ∈ Acts 1 \ Acts 2 ∧ s 1 − − → 1 s ′ 1 act → u ( s ′ ( s 1 , s 2 ) − − 1 , s 2 ) (non-sync left trans.) act act ∈ Acts 2 \ Acts 1 ∧ s 2 − − → 2 s ′ 2 act ( s 1 , s 2 ) − − → ( s 1 , s ′ 2 ) (non-sync right trans.) act act → 1 s ′ → 2 s ′ act ∈ Acts 1 ∩ Acts 2 ∧ s 1 − − 1 ∧ s 2 − − 2 act ( s 1 , s 2 ) − − → ( s ′ 1 , s ′ 2 ) (sync. trans.) • (Generalised to any number of components in the usual way.) 6

Synchronisation Topology Synchronisation Topology G • Net = {M i } n i =1 : LT S , for i ∈ { 1 , . . . , n } • G = � Net , T � : a graph with vertices Net and edges T s.t. ( M i , M j ) ∈ T iff i � = j and acts ( M i ) ∩ acts ( M j ) � = ∅ 7

Synchronisation Topology Synchronisation Topology G • Net = {M i } n i =1 : LT S , for i ∈ { 1 , . . . , n } • G = � Net , T � : a graph with vertices Net and edges T s.t. ( M i , M j ) ∈ T iff i � = j and acts ( M i ) ∩ acts ( M j ) � = ∅ 7

Tree Topologies, Reductions

Tree Topologies and Live-reset Automata First restriction: G is laid out as a tree ? chooseL ? open ? open r 1 r 2 beep ? chooseR r 0 r 3 ? chooseL r 4 R ! open ! chooseL t 0 t 1 t 2 s 0 τ τ M 1 M 2 ! chooseR • parent ( M 1 ) = parent ( M 2 ) = R , children ( R ) = {M 1 , M 2 } • downacts ( M ): actions over which M synchronises with any child, e.g., downacts ( R ) = { open , chooseL , chooseR } • upacts ( M ): actions over which M synchronises with its parent, e.g., upacts ( M 2 ) = { chooseL , chooseR } • locacts ( M ): the remaining actions, e.g., locacts ( R ) = { beep } 8

Tree Topologies and Live-reset Automata Second restriction: all automata are live-reset ? chooseL ? open ? open r 1 r 2 beep ? chooseR r 0 r 3 ? chooseL r 4 R ! open ! chooseL t 0 t 1 t 2 s 0 τ τ M 1 M 2 ! chooseR • M is live-reset if each synchronisation with its parent moves M to the initial state. 9

Tree Topologies and Live-reset Automata Why these restrictions? • Tree topology : allows recursive bottom-up reduction for subtrees. • Live-reset automata : synchronisations are fire-and-forget, little additional bookkeeping needed. 10

Reduction for Trees of Height 1 • G : a live-reset tree of height 1, with root R and children ( R ) = {M 1 , . . . , M n } . • We compute sum-of-squares product SQ ( G ) using only square products R||M i for i ∈ { 1 , . . . , n } (and some gadgets). • R||M 1 || . . . ||M n | = EFp iff SQ ( G ) | = EFp 11

Reduction for Trees of Height 1, ct’d SQ ( G ) (* We will build a new LT S G r . *) 1. Let states ( G r ) = ∅ , transitions ( G r ) = ∅ . 2. Make a fresh initial state s 0 sq and put it in states ( G r ). 3. Put � n i =1 states ( R||M i ) in states ( G r ). 4. Put � n i =1 transitions ( R||M i ) in transitions ( G r ). 5. Via epsilon-transitions, connect s 0 sq with the initial state of each R||M i , for i ∈ { 1 , . . . , n } . act → sq ( s ′ root , s 0 6. For each transition ( s root , s i ) − − i ) in R||M i s.t. act root , s 0 → sq ( s ′ j ) to transitions ( G r ), act ∈ upacts ( M i ) add ( s root , s i ) − − for all j ∈ { 1 , . . . , n } , i � = j . 7. Throw away from states ( G r ) all the states from which no state with the root’s action enabled can be reached. 8. Return G r . 12