Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Bisimulations as a Technique for State Space Reductions.

Published byValerie Black Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Bisimulations as a Technique for State Space Reductions."— Presentation transcript:

1 1 Bisimulations as a Technique for State Space Reductions.

2 2 Abstraction: the key to scaling up represents a set of states abstraction Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system Original system Original property P symbolic state Abstract system Abstract property P’

3 3 Data Abstraction vs. Predicate Abstraction Data Abstraction –Abstraction proceeds component-wise, where variables are components x:int Even Odd…, -3, -1, 1, 3, … …, -2, 0, 2, 4, … 1, 2, 3, … …, -3, -2, -1 0 Pos Neg Zero y:int

4 4 Data Abstraction vs. Predicate Abstraction (Cont’d) Predicate Abstraction –Use a boolean variable to hold the value of an associated predicate that expresses a relationship between variables predicate: x = y true false(1, 2) (0, 0) (1, 1) (-1, -1) (-1, 3) (3, 2) … … int * int

5 5 An Example Init: x := 0; y := 0; z := 1; goto Body; Body: assert (z = 1); x := (x + 1); y := (y + 1); if (x = y) then Z1 else Z0; Z1: z := 1; goto Body; Z0: z := 0; goto Body; x and y are unbounded Data abstraction does not work in this case --- abstracting component- wise (per variable) cannot maintain the relationship between x and y We will use predicate abstraction in this example

6 6 Predicate Abstraction Process Add boolean variables to your program to represent current state of particular predicates –E.g., add a boolean variable [x=y] to represent whether the condition x=y holds or not These boolean variables are updated whenever program statements update variables mentioned in predicates –E.g., add updates to [x=y] whenever x or y or assigned

7 7 An Example Init: x := 0; y := 0; z := 1; goto Body; Body: assert (z = 1); x := (x + 1); y := (y + 1); if (x = y) then Z1 else Z0; Z1: z := 1; goto Body; Z0: z := 0; goto Body; We will use the predicates listed below, and remove variables x and y since they are unbounded. Don’t worry too much yet about how we arrive at this particular set of predicates; we will talk a little bit about that later p1: (x = 0) p2: (y = 0) p3: (x = (y + 1)) p4: (x = y) b1: [(x = 0)] b2: [(y = 0)] b3: [(x = (y + 1))] b4: [(x = y)] Predicates Boolean Variables This is our new syntax for representing boolean variables that helps make the correspondence to the predicates clear

8 8 Transforming Programs [(x = 0)] [(y = 0)] [(x = (y + 1))] [(x = y)] x := 0; An example of how to transform an assignment statement PredicatesAssignment Statement [(x=0)] := true; [(x=(y+1))] := if [$(y=0)] then false else top; [(x=y)] := if [$(y = 0)] then true else if ![$(y=0)] then false else top; Where: [$P] = prev. value of [P] top is a non-deterministic choice between true and false The statement to the left is replaced the statements below [(x=0)] := true; [(x=y)] := H([$(y=0)], ![$(y=0)]); [(x=(y+1))] := H(false, [$(y=0)]); Where: true, if e 1 H (e, e 2 ) = false, if e 2 top, otherwise { Make a more compact representation using a helper function H (following SLAM notation)

9 9 State Simulation Given a program abstracted by predicates E 1, …, E n, an abstract state simulates a concrete state if E i holds on the concrete state iff the boolean variable [E i ] is true and remaining concrete vars and control points agree. (n2,[ [x=0] ! False, [y=0] ! False, [x=(y+1)] ! False, [x=y] ! True, z ! 0]) ConcreteAbstract (n2,[x ! 2, y ! 2, z ! 0]) simulates (n2,[x ! 3, y ! 3, z ! 0]) (n2,[ [x=0] ! False, [y=0] ! True, [x=(y+1)] ! True, [x=y] ! False, z ! 1]) (n2,[x ! 1, y ! 0, z ! 1]) simulates (n2,[x ! 3, y ! 3, z ! 1]) does not simulates

10 10 Abstractions Find reductions independent of the specification . Reduce K to K’ and construct a relation R such that for every (CTL) formula  –K, s ²  iff K’, s’ ²  where R (s, s’). Note we do not transform  to  ’.

11 11 Abstractions R s s’ K K’

12 12 Bisimulations K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) Note K and K’ use the same set of atomic propositions AP. B µ S £ S’ is a bisimulation relation between K and K’ iff for every B (s, s’): –L(s) = L’(s’) (BSIM 1) –If R(s, s 1 ) then there exists s 1 ’ such that R’(s’, s 1 ’) and B (s 1, s 1 ’). (BISIM 2) –If R(s’, s 2 ’) then there exists s 2 such that R(s, s 2 ) and B (s 2, s 2 ’). (BISIM 3)

13 13 Bisimulations K K’ s s’ s1s1

14 14 Bisimulations K K’ s s’ s1s1 s1’s1’

15 15 Bisimulations K K’ s s’ s2’s2’

16 16 Bisimulations K K’ s s’ s2s2 s1’s1’

17 17 Examples p q pqpqpq …..

18 18 Examples p q pqpqpq ….. Unwinding preserves bisimulation

19 19 Examples p qq ssr p qq rrs

20 20 Examples p qq ssr p qq rrs

21 21 Examples p qq ssr p qq rrs

22 22 Examples p qq ssr p qq rrs

23 23 Examples p qq ssr p qq rrs

24 24 Examples p qq ssr p qq rrs

25 25 Examples p qq ssr p qq rrs

26 26 Bisimulations K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) K and K’ are bisimilar (bisimulation equivalent) iff there exists a bisimulation relation B µ S £ S’ between K and K’ such that: –For each s 0 in S 0 there exists s 0 ’ in S 0 ’ such that B (s 0, s 0 ’). –For each s 0 ’ in S 0 ’ there exists s 0 in S 0 such that B (s 0, s 0 ’).

27 27 The Preservation Property. K = (S, S 0, R, AP, L) K’= (S’, S 0 ’, R’, AP, L’) B µ S £ S’, a bisimulation. Suppose B (s, s’). FACT: For any CTL formula  (over AP), K, s ²  iff K’, s’ ² . If K’ is smaller than K this is worth something.

28 28 Bisimulation Quotients Bisimulation equivalenec is an equivalence relation. K = (S, S 0, R, AP, L) There is a maximal bisimulation B µ S £ S. –Let R be this bisimulation. –[s] = {s’ j s R s’}. R can be computed “easily”. K’ = K / R is the bisimulation quotient of K.

29 29 Bisimulation Quotient K = (S, S 0, R, AP, L) [s] = {s’ j s R s’}. K’ = K / R = (S’, S’ 0, R’, AP,L’). –S’ = {[s] j s 2 S} –S’ 0 = {[s 0 ] j s 0 2 S 0 } –R’ = {([s], [s’]) j R(s 1, s 1 ’) for some s 1 2 [s] and s 1 ’ 2 [s’]} –L’([s]) = L(s).

30 30 Examples p qq rrs

31 31 Examples p qq rrs

32 32 Examples p q rs

33 33 Abstractions Bisimulations don’t produce often large reduction. Try notions such as simulations, data abstractions, symmetry reductions, partial order reductions etc. Not all properties may be preserved. They may not be preserved in a strong sense.

34 34 Graph Simulation Definition Two edge-labeled graphs G 1, G 2 A simulation is a relation R between nodes: if (x 1, x 2 )  R, and (x 1,a,y 1 )  G 1, then exists (x 2,a,y 2 )  G 2 (same label) s.t. (y 1,y 2 )  R x1x2 a R G1G1 G2G2 y1 a R y2 Note: if we insist that R be a function  graph homeomorphism

35 35 Graph Bisimulation Definition Two edge-labeled graphs G1, G2 A bisimulation is a relation R between nodes s.t. both R and R -1 are simulations

36 36 Set Semantics for Semistructured Data Definition Two rooted graphs G 1, G 2 are equal if there exists a bisimulation R from G 1 to G 2 such that (root(G 1 ), root(G 2 ))  R Notation: G 1  G 2 For trees, this is precisely our earlier definition

37 37 Examples of Bisimilar Graphs a b c ab cc a a a a a a... = =

38 38 Examples of non-Bisimilar Graphs This is a simulation but not a bisimulation –Why ? Notice: G 1, G 2 have the same sets of paths a aa bc cb G1=G1= G2=G2=

39 39 Simulation acts like “subset” {a, b}  {a, b, c} {a, b:{c}}  {d, a:{e,f}, b:{c,g}} Question: if DB 1  DB 2 and DB 2  DB 1 then DB 1  DB 2 ? Examples of Simulation a b c a b c d e f g a b a b c

40 40 Answer if DB 1  DB 2 and DB 2  DB 1 then DB 1  DB 2 ? No. Here is a counter example: aa b b a DB 1  DB 2 and DB 2  DB 1 but NOT DB 1  DB 2 DB 1 DB 2

41 41 Path Simulation Intuition: every path in concrete system is simulated by a path in abstract system simulates A concrete path s 1, s 2, … is simulated by an abstract path a 1, a 2, … if Sim(s i,a i ) for all i. ConcreteAbstract

42 42 Computation Simulation Intuition: every path in concrete system is simulated by a path in abstract system ConcreteAbstract There may be extra paths (termed “infeasible” paths) that are not present in the concrete system. These are due to the approximate nature of our computation with abstract tokens. Specifically, they arise from the over-approximations in test branching discussed previously. Infeasible path due to over-approximation.

43 43 Reflection of LTL Properties ConcreteAbstract Infeasible path due to over-approximation. If there is a violating path in the abstract system, then there is not necessarily a violating path in the concrete system, since the violating abstract trace may be an infeasible path due to over-approximation. Technically, this means that properties are not preserved by abstraction. If there is a violating path in the concrete system, then there is a violating path in the abstract system, since the simulation property guarantees that each concrete trace has a corresponding trace in the abstract system. Technically, this means that properties are reflected by abstraction.

44 44 Facts About a (Bi)Simulation The empty set is always a (bi)simulation If R, R’ are (bi)simulations, so is R U R’ Hence, there always exists a maximal (bi)simulation: –Checking if DB 1 =DB 2 : compute the maximal bisimulation R, then test (root(DB 1 ),root(DB 2 )) in R

45 45 Computing a (Bi)Simulation Computing the maximal (bi)simulation: –Start with R = nodes(G 1 ) x nodes(G 2 ) –While exists (x 1, x 2 )  R that violates the definition, remove (x 1, x 2 ) from R This runs in polynomial time ! Better: –O((m+n)log(m+n)) for bisimulation –O(m n) for simulation –Compare to finding a graph homeomorphism ! NP Complete

Download ppt "1 Bisimulations as a Technique for State Space Reductions."

Similar presentations

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Possible World Semantics for Modal Logic

Possible World Semantics for Modal Logic
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Efficient Query Evaluation on Probabilistic Databases

Efficient Query Evaluation on Probabilistic Databases
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Similar presentations

Ads by Google