1 Bisimulations as a Technique for State Space Reductions.

2 Abstraction: the key to scaling up represents a set of states abstraction Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system Original system Original property P symbolic state Abstract system Abstract property P’

3 Data Abstraction vs. Predicate Abstraction Data Abstraction –Abstraction proceeds component-wise, where variables are components x:int Even Odd…, -3, -1, 1, 3, … …, -2, 0, 2, 4, … 1, 2, 3, … …, -3, -2, -1 0 Pos Neg Zero y:int

4 Data Abstraction vs. Predicate Abstraction (Cont’d) Predicate Abstraction –Use a boolean variable to hold the value of an associated predicate that expresses a relationship between variables predicate: x = y true false(1, 2) (0, 0) (1, 1) (-1, -1) (-1, 3) (3, 2) … … int * int

5 An Example Init: x := 0; y := 0; z := 1; goto Body; Body: assert (z = 1); x := (x + 1); y := (y + 1); if (x = y) then Z1 else Z0; Z1: z := 1; goto Body; Z0: z := 0; goto Body; x and y are unbounded Data abstraction does not work in this case --- abstracting component- wise (per variable) cannot maintain the relationship between x and y We will use predicate abstraction in this example

6 Predicate Abstraction Process Add boolean variables to your program to represent current state of particular predicates –E.g., add a boolean variable [x=y] to represent whether the condition x=y holds or not These boolean variables are updated whenever program statements update variables mentioned in predicates –E.g., add updates to [x=y] whenever x or y or assigned

7 An Example Init: x := 0; y := 0; z := 1; goto Body; Body: assert (z = 1); x := (x + 1); y := (y + 1); if (x = y) then Z1 else Z0; Z1: z := 1; goto Body; Z0: z := 0; goto Body; We will use the predicates listed below, and remove variables x and y since they are unbounded. Don’t worry too much yet about how we arrive at this particular set of predicates; we will talk a little bit about that later p1: (x = 0) p2: (y = 0) p3: (x = (y + 1)) p4: (x = y) b1: [(x = 0)] b2: [(y = 0)] b3: [(x = (y + 1))] b4: [(x = y)] Predicates Boolean Variables This is our new syntax for representing boolean variables that helps make the correspondence to the predicates clear

8 Transforming Programs [(x = 0)] [(y = 0)] [(x = (y + 1))] [(x = y)] x := 0; An example of how to transform an assignment statement PredicatesAssignment Statement [(x=0)] := true; [(x=(y+1))] := if [$(y=0)] then false else top; [(x=y)] := if [$(y = 0)] then true else if ![$(y=0)] then false else top; Where: [$P] = prev. value of [P] top is a non-deterministic choice between true and false The statement to the left is replaced the statements below [(x=0)] := true; [(x=y)] := H([$(y=0)], ![$(y=0)]); [(x=(y+1))] := H(false, [$(y=0)]); Where: true, if e 1 H (e, e 2 ) = false, if e 2 top, otherwise { Make a more compact representation using a helper function H (following SLAM notation)

9 State Simulation Given a program abstracted by predicates E 1, …, E n, an abstract state simulates a concrete state if E i holds on the concrete state iff the boolean variable [E i ] is true and remaining concrete vars and control points agree. (n2,[ [x=0] ! False, [y=0] ! False, [x=(y+1)] ! False, [x=y] ! True, z ! 0]) ConcreteAbstract (n2,[x ! 2, y ! 2, z ! 0]) simulates (n2,[x ! 3, y ! 3, z ! 0]) (n2,[ [x=0] ! False, [y=0] ! True, [x=(y+1)] ! True, [x=y] ! False, z ! 1]) (n2,[x ! 1, y ! 0, z ! 1]) simulates (n2,[x ! 3, y ! 3, z ! 1]) does not simulates

10 Abstractions Find reductions independent of the specification . Reduce K to K’ and construct a relation R such that for every (CTL) formula  –K, s ²  iff K’, s’ ²  where R (s, s’). Note we do not transform  to  ’.

11 Abstractions R s s’ K K’

12 Bisimulations K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) Note K and K’ use the same set of atomic propositions AP. B µ S £ S’ is a bisimulation relation between K and K’ iff for every B (s, s’): –L(s) = L’(s’) (BSIM 1) –If R(s, s 1 ) then there exists s 1 ’ such that R’(s’, s 1 ’) and B (s 1, s 1 ’). (BISIM 2) –If R(s’, s 2 ’) then there exists s 2 such that R(s, s 2 ) and B (s 2, s 2 ’). (BISIM 3)

13 Bisimulations K K’ s s’ s1s1

14 Bisimulations K K’ s s’ s1s1 s1’s1’

15 Bisimulations K K’ s s’ s2’s2’

16 Bisimulations K K’ s s’ s2s2 s1’s1’

17 Examples p q pqpqpq …..

18 Examples p q pqpqpq ….. Unwinding preserves bisimulation

19 Examples p qq ssr p qq rrs

20 Examples p qq ssr p qq rrs

21 Examples p qq ssr p qq rrs

22 Examples p qq ssr p qq rrs

23 Examples p qq ssr p qq rrs

24 Examples p qq ssr p qq rrs

25 Examples p qq ssr p qq rrs

26 Bisimulations K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) K and K’ are bisimilar (bisimulation equivalent) iff there exists a bisimulation relation B µ S £ S’ between K and K’ such that: –For each s 0 in S 0 there exists s 0 ’ in S 0 ’ such that B (s 0, s 0 ’). –For each s 0 ’ in S 0 ’ there exists s 0 in S 0 such that B (s 0, s 0 ’).

27 The Preservation Property. K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) B µ S £ S’, a bisimulation. Suppose B (s, s’). FACT: For any CTL formula  (over AP), K, s ²  iff K’, s’ ² . If K’ is smaller than K this is worth something.

28 Bisimulation Quotients Bisimulation equivalenec is an equivalence relation. K = (S, S 0, R, AP, L) There is a maximal bisimulation B µ S £ S. –Let R be this bisimulation. –[s] = {s’ j s R s’}. R can be computed “easily”. K’ = K / R is the bisimulation quotient of K.

29 Bisimulation Quotient K = (S, S 0, R, AP, L) [s] = {s’ j s R s’}. K’ = K / R = (S’, S’ 0, R’, AP,L’). –S’ = {[s] j s 2 S} –S’ 0 = {[s 0 ] j s 0 2 S 0 } –R’ = {([s], [s’]) j R(s 1, s 1 ’) for some s 1 2 [s] and s 1 ’ 2 [s’]} –L’([s]) = L(s).

30 Examples p qq rrs

31 Examples p qq rrs

32 Examples p q rs

33 Abstractions Bisimulations don’t produce often large reduction. Try notions such as simulations, data abstractions, symmetry reductions, partial order reductions etc. Not all properties may be preserved. They may not be preserved in a strong sense.

34 Graph Simulation Definition Two edge-labeled graphs G 1, G 2 A simulation is a relation R between nodes: if (x 1, x 2 )  R, and (x 1,a,y 1 )  G 1, then exists (x 2,a,y 2 )  G 2 (same label) s.t. (y 1,y 2 )  R x1x2 a R G1G1 G2G2 y1 a R y2 Note: if we insist that R be a function  graph homeomorphism

35 Graph Bisimulation Definition Two edge-labeled graphs G1, G2 A bisimulation is a relation R between nodes s.t. both R and R -1 are simulations

36 Set Semantics for Semistructured Data Definition Two rooted graphs G 1, G 2 are equal if there exists a bisimulation R from G 1 to G 2 such that (root(G 1 ), root(G 2 ))  R Notation: G 1  G 2 For trees, this is precisely our earlier definition

37 Examples of Bisimilar Graphs a b c ab cc a a a a a a... = =

38 Examples of non-Bisimilar Graphs This is a simulation but not a bisimulation –Why ? Notice: G 1, G 2 have the same sets of paths a aa bc cb G1=G1= G2=G2=

39 Simulation acts like “subset” {a, b}  {a, b, c} {a, b:{c}}  {d, a:{e,f}, b:{c,g}} Question: if DB 1  DB 2 and DB 2  DB 1 then DB 1  DB 2 ? Examples of Simulation a b c a b c d e f g a b a b c

40 Answer if DB 1  DB 2 and DB 2  DB 1 then DB 1  DB 2 ? No. Here is a counter example: aa b b a DB 1  DB 2 and DB 2  DB 1 but NOT DB 1  DB 2 DB 1 DB 2

41 Path Simulation Intuition: every path in concrete system is simulated by a path in abstract system simulates A concrete path s 1, s 2, … is simulated by an abstract path a 1, a 2, … if Sim(s i,a i ) for all i. ConcreteAbstract

42 Computation Simulation Intuition: every path in concrete system is simulated by a path in abstract system ConcreteAbstract There may be extra paths (termed “infeasible” paths) that are not present in the concrete system. These are due to the approximate nature of our computation with abstract tokens. Specifically, they arise from the over-approximations in test branching discussed previously. Infeasible path due to over-approximation.

43 Reflection of LTL Properties ConcreteAbstract Infeasible path due to over-approximation. If there is a violating path in the abstract system, then there is not necessarily a violating path in the concrete system, since the violating abstract trace may be an infeasible path due to over-approximation. Technically, this means that properties are not preserved by abstraction. If there is a violating path in the concrete system, then there is a violating path in the abstract system, since the simulation property guarantees that each concrete trace has a corresponding trace in the abstract system. Technically, this means that properties are reflected by abstraction.

44 Facts About a (Bi)Simulation The empty set is always a (bi)simulation If R, R’ are (bi)simulations, so is R U R’ Hence, there always exists a maximal (bi)simulation: –Checking if DB 1 =DB 2 : compute the maximal bisimulation R, then test (root(DB 1 ),root(DB 2 )) in R

45 Computing a (Bi)Simulation Computing the maximal (bi)simulation: –Start with R = nodes(G 1 ) x nodes(G 2 ) –While exists (x 1, x 2 )  R that violates the definition, remove (x 1, x 2 ) from R This runs in polynomial time ! Better: –O((m+n)log(m+n)) for bisimulation –O(m n) for simulation –Compare to finding a graph homeomorphism ! NP Complete