Symmetry
Chapter 14 from "Model Checking" by Edmund M. Clarke Jr., Orna Grumberg, and Doron A. Peled
presented by Anastasia Braginsky
March 2012
Feb 23, 2016
IntroductionGroups & Permutations SymmetryUsual representationQuotient ModelsCorrectness proofModel Checking
Outline
• Introduction
• Groups and Permutations
• Symmetry & Symmetry Example
• Usual representation
• Quotient Models & Quotient Models Example
• Bisimulation
• Correctness proof
• Model Checking with Symmetry
Symmetry
Finite-state concurrent systems frequently contain replicated components:
• caches,
• bus protocols,
• network protocols,
• …
Symmetry reduction uses this fact to obtain reduced models of the system.
Formal Symmetry
The symmetry in the system implies the existence of a nontrivial permutation of the states that preserves both
• the state labeling
• the transition relation
(Figure: a four-state structure with states S0, S1, S2, S3 illustrating such a permutation.)
Formal Symmetry
This can be used to define an equivalence relation on the state space.
The quotient model is smaller than the original model and is bisimulation equivalent to it.
Group
A group is a set G together with a binary operation ∘ on G (the group multiplication), such that:
• Multiplication is associative: a ∘ (b ∘ c) = (a ∘ b) ∘ c
• There is an identity element e∈G, such that for any element a∈G, e ∘ a = a ∘ e = a
• For each element a∈G, there is an inverse element a⁻¹∈G, such that a⁻¹ ∘ a = a ∘ a⁻¹ = e
Subgroup
H is a subgroup of G if H ⊆ G and H is a group under the multiplication operation of G.
If S is a subset of a group G, then <S>, the subgroup generated by S, is the smallest subgroup of G containing every element of S.
Permutation
A permutation σ on a finite set S is a function σ : S → S that is one-to-one and onto (a bijection).
Permutation group Sym S is the set of all permutations on S
• Sym S forms a group under functional composition
Sym S is called the full symmetric group
A subgroup G of Sym S is called a permutation group on S
Kinds of permutations
Two permutations σ1, σ2 are disjoint iff {i | σ1(i)≠i} ∩ {j | σ2(j)≠j} = ∅, i.e. they move no common element.
A permutation that maps i1→i2, i2→i3, …, ik-1→ik, ik→i1 (and fixes every other element) is called a cycle and is denoted by (i1 i2 … ik).
A cycle of length two is called a transposition.
(Figure: two disjoint permutations σ1 and σ2, a cycle, and a transposition.)
Permutation representations
Every permutation of a finite set can be written as a composition of disjoint cycles.
Every permutation can be written as a composition of transpositions (this decomposition is not unique).
For example, consider S = {1,2,3,4,5} and the permutation σ given by
1→3, 2→4, 3→1, 4→5, 5→2
σ can be written as
• a composition of disjoint cycles: (1 3) ∘ (2 4 5)
• a composition of transpositions: (1 3) ∘ (2 5) ∘ (2 4), where the rightmost transposition is applied first
The subgroup of Sym S generated by the two permutations (1 3) and (2 4 5) is
{ e, (1 3), (2 4 5), (2 5 4), (1 3)(2 4 5), (1 3)(2 5 4) }
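The decompositions and the generated subgroup above, worked in Python as an added example (this is not code from the slides or from the book). Permutations are dicts, f ∘ g applies g first, and the subgroup <S> is computed by closing the identity under composition with the generators:

```python
# Added example, not from the slides: permutations of a finite set as dicts,
# composition, disjoint-cycle and transposition decompositions, and the subgroup
# generated by a set of permutations (the slides' <S>), checked on the slides'
# permutation 1->3, 2->4, 3->1, 4->5, 5->2 over S = {1,2,3,4,5}.

DOMAIN = {1, 2, 3, 4, 5}
SIGMA = {1: 3, 2: 4, 3: 1, 4: 5, 5: 2}          # the slides' example permutation

def identity(domain):
    return {x: x for x in domain}

def compose(f, g):
    """(f o g)(x) = f(g(x)): g is applied first, then f."""
    return {x: f[g[x]] for x in g}

def from_cycles(domain, *cycs):
    """Build a permutation from cycle notation, e.g. from_cycles(DOMAIN, (1, 3), (2, 4, 5))."""
    sigma = identity(domain)
    for cyc in cycs:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            sigma[a] = b
    return sigma

def cycles(sigma):
    """Disjoint-cycle decomposition; fixed points are omitted and each cycle
    is written starting from its smallest element."""
    seen, result = set(), []
    for start in sorted(sigma):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = sigma[x]
        if len(cyc) > 1:
            result.append(tuple(cyc))
    return result

def transpositions(sigma):
    """sigma as a composition of transpositions, using
    (i1 i2 ... ik) = (i1 i2) o (i2 i3) o ... o (i_{k-1} ik) for each cycle.
    The rightmost transposition is applied first; the decomposition is not unique."""
    return [(a, b) for cyc in cycles(sigma) for a, b in zip(cyc, cyc[1:])]

def product(domain, *perms):
    """Compose a sequence of permutations left to right: p1 o p2 o ... o pn."""
    result = identity(domain)
    for p in perms:
        result = compose(result, p)
    return result

def generate(domain, generators):
    """The subgroup <generators> of Sym(domain). Closing {e} under composition
    with the generators is enough: the group is finite, so every inverse is a
    positive power of the element and is reached anyway."""
    key = lambda p: tuple(p[x] for x in sorted(domain))
    e = identity(domain)
    group, frontier = {key(e): e}, [e]
    while frontier:
        p = frontier.pop()
        for g in generators:
            q = compose(g, p)
            if key(q) not in group:
                group[key(q)] = q
                frontier.append(q)
    return list(group.values())

def example():
    """Reproduce the slides' decompositions and the six-element subgroup <(1 3), (2 4 5)>."""
    cyc = cycles(SIGMA)                                   # [(1, 3), (2, 4, 5)]
    trans = transpositions(SIGMA)                         # [(1, 3), (2, 4), (4, 5)]
    rebuilt = product(DOMAIN, *(from_cycles(DOMAIN, t) for t in trans))
    subgroup = generate(DOMAIN, [from_cycles(DOMAIN, (1, 3)), from_cycles(DOMAIN, (2, 4, 5))])
    return {"cycles": cyc, "transpositions": trans,
            "transpositions_rebuild_sigma": rebuilt == SIGMA,
            "subgroup_order": len(subgroup),
            "subgroup_cycles": sorted(str(cycles(p)) for p in subgroup)}

if __name__ == "__main__":
    for k, v in example().items():
        print(k, v)
```

The transposition list produced here, (1 3) ∘ (2 4) ∘ (4 5), differs from the one on the slide, (1 3) ∘ (2 5) ∘ (2 4); both compose back to σ, which is what `transpositions_rebuild_sigma` checks.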
Automorphism
Let M = (S, R, L) be a Kripke structure and let G be a permutation group on the state space S.
A permutation σ∈G is an automorphism of M iff σ preserves the transition relation R. Formally, σ should satisfy:
∀s1∈S ∀s2∈S: (s1,s2)∈R ⇔ (σ(s1),σ(s2))∈R
(Figure: a structure with states S0, S1, S2, S3 drawn under several permutations of its states; a permutation is an automorphism exactly when the permuted structure has the same transitions.)
Automorphism group
G is an automorphism group for the Kripke structure M iff every permutation σ∈G is an automorphism of M.
If every generator of the group G is an automorphism of M, then the group G is an automorphism group for M (compositions and inverses of automorphisms are again automorphisms).
Token Ring Algorithm
One component process Q and many component processes P. Both P and Q have the following Kripke structure:
States:
• n – noncritical section (initial state for P)
• t – has the token (initial state for Q)
• c – critical section
(Figure: states n, t, c; transition r (receive token) from n to t, transition s (send token) from t to n, and the transitions between t and the critical section c.)
Composition Q||P
(Figure: the reachable states of Q||P are (t,n), (n,t), (n,c) and (c,n). Transition (t,n)→(n,t): Q sends the token, P receives it. Transition (n,t)→(t,n): P sends the token, Q receives it. The states (c,n) and (n,c) are the critical-section states of Q and of P respectively.)
Duplicate process P, i times
(Figure: Q||P1||…||Pi with the states (t,n,…,n), (n,t,…,n), (n,c,…,n) and (c,n,…,n) shown. Transition (t,n,…,n)→(n,t,…,n): Q sends the token, P1 receives it. Transition (n,t,…,n)→(t,n,…,n): P1 sends the token, Q receives it. The components Q, P1, P2, …, Pi are arranged in a ring.)
Back to Q||P composition
σ is an automorphism of Q||P.
(Figure: the Q||P structure with states (t,n), (n,t), (c,n), (n,c) drawn twice; σ maps each state to the state with its two components swapped, (n,t)↔(t,n) and (c,n)↔(n,c), and every transition of Q||P is mapped to a transition of Q||P.)
Usual behavior of finite-state systems
States are determined by the values (from a domain D) of a set of state variables x1, x2, …, xn.
• For example, a state of Q||Pi is an (i+1)-tuple over the domain {n,t,c}.
When extracting a Kripke structure from such a system:
• S ⊆ D^k. In the Q||P example: k=2, S = { (x1=n, x2=t), (c,n), (t,n), (n,c) }
• R ⊆ S×S. In the Q||P example: R = { ((x1=n, x2=t), (x1=t, x2=n)), ((t,n), (n,t)), … }
• The atomic propositions are the values: d_j ∈ L(s) ⇔ x_i = d_j for some variable x_i. In the Q||P example: L((x1=n, x2=t)) = {n, t}
Usual automorphism representation
The automorphism group is given as a group acting on the indices of the state variables.
In the Q||P example σ is the transposition (1 2).
A permutation σ acting on the set of indices {1, 2, …, n} defines a new permutation σ' acting on states in D^n in the following manner:
σ'((x1, x2, …, xn)) = (xσ(1), xσ(2), …, xσ(n))
For σ = (1 2): σ'((x1=di, x2=dj)) = (x1=dj, x2=di)
(Figure: σ' applied to the four states (x1, x2) of Q||P: (n,t)↔(t,n) and (c,n)↔(n,c).)
Quotient Models
Let G be a permutation group acting on the set S and let s be an element of S, s∈S. The orbit of s is the set
θ(s) = { t | ∃σ∈G ( σ(s)=t ) }
A representative of the orbit is denoted rep(θ(s)) ∈ θ(s).
Intuitively, the quotient model is obtained by collapsing all the states in one orbit to a single representative state.
(Figure: an orbit drawn as states connected by the permutations σ1 and σ2.)
Quotient Models - formally
Let M = (S, R, L) be a Kripke structure and G an automorphism group acting on S. The quotient structure MG = (SG, RG, LG) is:
• SG = {θ(s) | s∈S}, the set of orbits of the states in S (each orbit is a group of states)
• RG = { (θ(s1), θ(s2)) | (s1, s2)∈R }
• LG(θ(s)) = L(rep(θ(s)))
Representatives choice
RG is independent of the chosen representatives
• because G is an automorphism group
However, LG is not independent of the chosen representatives in general: two states in the same orbit may carry different labels.
Therefore restrict attention to automorphism groups that are also invariance groups.
Invariance group
G is an invariance group for an atomic proposition p iff the set of states labeled by p is closed under the permutations of G.
Formally:
• An automorphism group G of a Kripke structure M = (S, R, L) is an invariance group for atomic proposition p iff
• ∀σ∈G ∀s∈S ( p∈L(s) ⇔ p∈L(σ(s)) )
p is then called an invariant under G.
Back to example
G = <(1 2)> is the group generated by the permutation (1 2) on indices. G is an automorphism group of Q||P. The orbits induced by G are
{(t,n), (n,t)} and {(c,n), (n,c)}
(Figure: the Q||P structure with σ=(1 2) acting on (x1, x2): (n,t)↔(t,n) and (c,n)↔(n,c).)
Example's quotient model
Pick the states (t,n) and (c,n) as representatives.
(Figure: the quotient model has the two states (t,n) and (c,n), with transitions between them; the token-passing transitions of Q||P collapse to a self-loop on (t,n).)
Duplicate process P, i times
The Kripke structure corresponding to Q||Pi has 2(i+1) reachable states.
The permutation group G = <(1 2 … i+1)>, generated by the cyclic shift of the indices, is an automorphism group for Q||Pi.
G again induces only two orbits: the i+1 states in which some process holds the token (t), and the i+1 states in which some process is in its critical section (c).
(Figure: the states (t,n,…,n), (n,t,…,n), (n,c,…,n), (c,n,…,n), … with σ = (1 2 … i+1) acting on (x1, x2, …, xi+1).)
SAME QUOTIENT MODEL!
Explicit and quotient models are equivalent
We want to prove that:
• if a temporal specification f contains only invariant propositions,
• then f can be safely checked on the quotient model instead of the explicit model.
Bisimulation relation
A bisimulation is a binary relation between state transition systems which behave in the same way, in the sense that one system simulates the other and vice versa.
It is an equivalence between models that strongly preserves CTL* (and the μ-calculus):
If M1 ≡ M2 (M1 and M2 are bisimilar) then for every CTL* formula f, M1 ⊨ f ⇔ M2 ⊨ f
Bisimulation Relation - formally
Let M=(S,R,L) and M'=(S',R',L') be two structures with the same set of atomic propositions AP. A relation B ⊆ S×S' is a bisimulation relation between M and M' iff for all s and s', if B(s,s') then the following holds:
1. L(s) = L'(s')
2. ∀s1 such that R(s,s1) there is s'1 such that R'(s',s'1) and B(s1,s'1)
3. ∀s'1 such that R'(s',s'1) there is s1 such that R(s,s1) and B(s1,s'1)
(Figure: bisimulation example relating states a, b of M to states a', b' of M' through B.)
Lemma
Let M=(S,R,L) be a Kripke structure with AP as the set of atomic propositions.
Let G be an invariance group for all propositions in AP, and let MG be the quotient model for M.
Let B ⊆ S×SG be the relation defined by:
• for every s∈S, B(s,θ(s))
Then B is a bisimulation relation between M and MG.
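The quotient construction, the Q||P1||…||Pi token ring and this lemma, worked together in Python as an added example (not code from the slides or the book). The slide figures are not recoverable from the page, so the example assumes the token travels Q → P1 → … → Pi → Q and that inside a process the only critical-section moves are t → c and c → t; this is the reading that gives the 2(i+1) reachable states stated above. The example builds the explicit structure, checks which index permutations are automorphisms, computes the orbits of <σ>, builds MG and verifies the three bisimulation conditions for B = {(s, θ(s))}:

```python
# Added example, not from the slides: the token ring Q||P1||...||Pi as an explicit
# Kripke structure, an index permutation acting on states (sigma'), the automorphism
# check, the orbits of the group generated by sigma, the quotient structure M_G, and
# a check that B = {(s, theta(s))} is a bisimulation between M and M_G.
# Assumptions (the slide figures are not recoverable): the token travels
# Q -> P1 -> ... -> Pi -> Q, and inside a process the critical-section moves are
# t -> c and c -> t, which gives the 2(i+1) reachable states the slides state.

def successors(state):
    """Global successors of a state, a tuple over {'n','t','c'}; index 0 is Q, index j is Pj."""
    k, succ = len(state), []
    for i, x in enumerate(state):
        if x == 't':
            s = list(state); s[i], s[(i + 1) % k] = 'n', 't'   # send token (s) / neighbour receives (r)
            succ.append(tuple(s))
            s = list(state); s[i] = 'c'                         # enter the critical section
            succ.append(tuple(s))
        elif x == 'c':
            s = list(state); s[i] = 't'                         # leave it, still holding the token
            succ.append(tuple(s))
    return succ

def kripke(i):
    """Reachable S, R, L of Q||P1||...||Pi from the initial state (t, n, ..., n)."""
    init = ('t',) + ('n',) * i
    S, R, frontier = {init}, set(), [init]
    while frontier:
        s = frontier.pop()
        for q in successors(s):
            R.add((s, q))
            if q not in S:
                S.add(q)
                frontier.append(q)
    L = {s: frozenset(s) for s in S}        # d_j in L(s) iff some x_i = d_j, as on the slides
    return S, R, L

def act(perm, state):
    """sigma'((x_1,...,x_n)) = (x_sigma(1),...,x_sigma(n)); perm is a 0-based dict on indices."""
    return tuple(state[perm[j]] for j in range(len(state)))

def rotation(k):                  # the cycle (1 2 ... k) on indices
    return {j: (j + 1) % k for j in range(k)}

def transposition(k, a, b):       # the transposition (a b) on indices
    p = {j: j for j in range(k)}
    p[a], p[b] = b, a
    return p

def is_automorphism(perm, S, R):
    """sigma maps S onto S and (s1,s2) in R <=> (sigma(s1),sigma(s2)) in R for all s1,s2 in S."""
    if {act(perm, s) for s in S} != S:
        return False
    return all(((act(perm, a), act(perm, b)) in R) == ((a, b) in R) for a in S for b in S)

def orbits(S, generators):
    """Map each state to rep(theta(s)): the smallest state of its orbit under <generators>."""
    rep = {}
    for s in S:
        if s in rep:
            continue
        orb, frontier = {s}, [s]
        while frontier:
            x = frontier.pop()
            for g in generators:
                y = act(g, x)
                if y not in orb:
                    orb.add(y)
                    frontier.append(y)
        for x in orb:
            rep[x] = min(orb)
    return rep

def quotient(S, R, L, rep):
    """M_G: orbits as states (named by their representative), R_G and L_G as on the slides."""
    SG = set(rep.values())
    RG = {(rep[a], rep[b]) for (a, b) in R}
    LG = {v: L[v] for v in SG}
    return SG, RG, LG

def is_bisimulation(B, R, L, RG, LG):
    """Conditions 1-3 of the slides' definition for every pair (s, s') in B."""
    post = lambda rel, x: {b for (a, b) in rel if a == x}
    for s, v in B:
        if L[s] != LG[v]:
            return False
        if not all(any((s1, v1) in B for v1 in post(RG, v)) for s1 in post(R, s)):
            return False
        if not all(any((s1, v1) in B for s1 in post(R, s)) for v1 in post(RG, v)):
            return False
    return True

def analyze(i):
    S, R, L = kripke(i)
    k = i + 1
    rep = orbits(S, [rotation(k)])
    SG, RG, LG = quotient(S, R, L, rep)
    B = {(s, rep[s]) for s in S}
    return {"states": len(S),
            "rotation_is_automorphism": is_automorphism(rotation(k), S, R),
            "swap_Q_P1_is_automorphism": is_automorphism(transposition(k, 0, 1), S, R),
            "orbits": len(SG), "quotient_transitions": len(RG),
            "B_is_bisimulation": is_bisimulation(B, R, L, RG, LG)}

if __name__ == "__main__":
    for i in (1, 2, 3):
        print(i, analyze(i))
```

Two things the run makes visible that the slides only state: the transposition (1 2) is an automorphism of Q||P but not of Q||Pi for i ≥ 2 (swapping Q and P1 maps "P1 sends to P2" onto "Q sends to P2", which is not a ring transition), and the quotient has three transitions for every i, the token-passing self-loop plus the two critical-section moves.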
Proof - 1
First let's show that L(s) = LG(θ(s)):
By definition of MG: LG(θ(s)) = L(rep(θ(s)))
rep(θ(s))∈θ(s) ⇒ there is a permutation σ∈G such that σ(s) = rep(θ(s))
G is an invariance group for all propositions in AP ⇒ for all p∈AP, p∈L(s) ⇔ p∈L(σ(s)), i.e. p∈L(s) ⇔ p∈L(rep(θ(s)))
Thus: L(s) = L(rep(θ(s))) = LG(θ(s))
Proof - 2
Condition 2: consider a transition (s,t)∈R.
By definition of RG: (θ(s),θ(t))∈RG
By definition of B: (t,θ(t))∈B
So the successor t of s is matched by the successor θ(t) of θ(s).
(Figure: s→t in M above θ(s)→θ(t) in MG, with B relating s to θ(s) and t to θ(t).)
Proof - 3
Condition 3: consider a transition (θ(s),θ(t))∈RG. We need some t'∈S such that (s,t')∈R and B(t',θ(t)).
By definition of RG there are s1 and t1 such that s1∈θ(s), t1∈θ(t), and (s1,t1)∈R.
s1∈θ(s) ⇒ ∃σ1∈G such that σ1(s)=s1 (and likewise t1∈θ(t) ⇒ ∃σ2∈G such that σ2(t)=t1).
G is an automorphism group, so σ1⁻¹∈G is an automorphism: (s1,t1)∈R ⇒ (σ1⁻¹(s1), σ1⁻¹(t1)) = (s, σ1⁻¹(t1)) ∈ R.
Take t' = σ1⁻¹(t1). Then (s,t')∈R, and t'∈θ(t1) = θ(t), so θ(t') = θ(t) and B(t',θ(t)) holds.
Note that t' need not be rep(θ(t)) itself: it is some state of the orbit of t, which is all that B requires.
(Figure: θ(s)→θ(t) in MG above s→t' in M, with B relating s to θ(s) and t' to θ(t).)
It can also be proven that
if B is a bisimulation relation and B(s,s'), then for every CTL* formula f,
s ⊨ f ⇔ s' ⊨ f
Corollary
Let M be a structure defined over AP and let G be an invariance group for AP.
Then for every s∈S and every CTL* formula f defined over AP,
M,s ⊨ f ⇔ MG,θ(s) ⊨ f
Theorem
Let M=(S,R,L) be a Kripke structure, let G be an automorphism group of M, and let f be a CTL* formula.
If G is an invariance group for all the atomic propositions p occurring in f,
then M,s ⊨ f ⇔ MG,θ(s) ⊨ f
Proof (some definitions)
M is defined over AP and f is defined over AP' ⊆ AP.
The restriction of M to AP' is the structure M'=(S,R,L') that is identical to M, except that for s∈S, L'(s) = L(s) ∩ AP'.
For every CTL* formula f defined over AP' and for every s∈S:
M,s ⊨ f ⇔ M',s ⊨ f
Proof
Let M'G be the quotient model of M' induced by G. By the definition of the quotient model, M'G is the restriction of MG to AP'. Thus for every V∈SG, MG,V ⊨ f ⇔ M'G,V ⊨ f.
G is an invariance group for AP', so the corollary applies to M', thus:
M',s ⊨ f ⇔ M'G,θ(s) ⊨ f
Altogether: M,s ⊨ f ⇔ M',s ⊨ f ⇔ M'G,θ(s) ⊨ f ⇔ MG,θ(s) ⊨ f
Model Checking with Symmetry
How to perform the model checking itself?
• with an explicit (compact) representation of the Kripke structure
• with a symbolic representation (OBDDs)
Find the reachable set of states
How to find the set of states in an explicit Kripke structure that are reachable from the initial states?
• BFS or DFS from the set of initial states is performed
• Maintain a list of reached states and a list of unexplored states
• Assume a function ξ(q) which maps a state q to the unique state representing the orbit of q
Algorithm
reached := ∅;
unexplored := ∅;
for all initial states s do
    append ξ(s) to reached;
    append ξ(s) to unexplored;
end for all
while unexplored ≠ ∅ do
    remove a state s from unexplored;
    for all successor states q of s do
        if ξ(q) is not in reached
            append ξ(q) to reached;
            append ξ(q) to unexplored;
        end if
    end for all
end while
It is important to compute the orbit relation (the mapping ξ) efficiently:
• this is at least as hard as the graph isomorphism problem,
• which is in NP, but not known to be NP-complete.
OBDD as the underlying representation
The construction of the quotient model is more complex. At least checking that a given σ is an automorphism is straightforward:
• if R is represented by the OBDD R(v1,…,vk,v'1,…,v'k)
• and σ is a permutation on the state variables (recall the usual representation),
then check R(v1,…,vk,v'1,…,v'k) == R(vσ(1),…,vσ(k),v'σ(1),…,v'σ(k))
• R(vσ(1),…,vσ(k),v'σ(1),…,v'σ(k)) is the OBDD representing the transition relation of the permuted structure, so σ is an automorphism iff the two OBDDs are equal (reduced OBDDs are canonical, so this is a direct comparison).
Orbit relation
Given a Kripke structure M=(S,R,L) and an automorphism group G on M with r generators g1, g2, …, gr.
The orbit relation Θ (where Θ(x,y) ⇔ x∈θ(y)) is the least fixpoint of the equation:
Y(x,y) ≡ x = y ∨ ∃z ( Y(x,z) ∧ ∨_{i=1..r} y = g_i(z) )
Least fixpoint:
1. Start from the smallest relation, where each state is in relation only with itself
2. Stop when one more iteration of applying the recursive equation adds no new pairs
Lemma 2
The least fixpoint of the equation
Y(x,y) ≡ x = y ∨ ∃z ( Y(x,z) ∧ ∨_{i=1..r} y = g_i(z) )
is the orbit relation Θ induced by the group G generated by g1, g2, …, gr.
Proof - fixpoint:
Θ is reflexive and transitive, and each g_i∈G, therefore:
( x = y ∨ ∃z ( Θ(x,z) ∧ ∨_i y = g_i(z) ) ) ⇒ Θ(x,y)
For the other direction note that Θ(x,y) ⇔ Θ(y,x). By the definition of the orbit relation, Θ(x,y) ⇒ ∃σ∈G such that y = σ(x). Assume x≠y (otherwise the result is immediate).
σ∈G ⇒ σ is a composition of generators (G is finite, so the inverse of a generator is a power of it and no separate inverses are needed), thus y = g_k(g''(… g'(x)))
Set z = g''(… g'(x)). Then g_k with k≤r and z satisfy Θ(x,z) and y = g_k(z), therefore:
Θ(x,y) ⇒ ( x = y ∨ ∃z ( Θ(x,z) ∧ ∨_i y = g_i(z) ) )
Together, Θ is a fixpoint of the equation.
Proof - least fixpoint
We want to prove that:
• if T is any fixpoint of the equation,
• then Θ ⊆ T.
We will prove that Θ(x,y) ⇒ T(x,y).
By the definition of the orbit relation, Θ(x,y) ⇒ ∃σ∈G such that y = σ(x).
σ∈G ⇒ σ is a composition of generators, thus σ = g_im ∘ … ∘ g_i2 ∘ g_i1 with 1 ≤ ij ≤ r.
Because T is a fixpoint of the equation, it can be proved by induction on l that for every 1 ≤ l ≤ m
T(x, g_il(… g_i2(g_i1(x)))) holds
(the base case T(x,x) and every step from l to l+1 follow from the right-hand side of the equation).
For l = m we see that T(x,y) holds.
Complexity
The size of the OBDD for the orbit relation should be bounded. If a suitable OBDD is available, this fixpoint equation can be computed.
Having Θ, we can compute ξ : S → S (the unique representative of each orbit).
Assuming we have the OBDD representation of the mapping function ξ, the transition relation RG is:
RG(x,y) = ∃x1 ∃y1 ( R(x1,y1) ∧ ξ(x1) = x ∧ ξ(y1) = y )
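The orbit-relation fixpoint, the representative function ξ, the formula for RG and the symmetry-reduced reachability algorithm from the earlier slide, worked end to end in Python as an added example (not code from the slides or the book; relations are plain sets of pairs rather than OBDDs). The system is constructed for this example and is not the token ring: n identical processes each hold one bit and a step flips one bit, so every index permutation is an automorphism and the full symmetric group is generated by the two generators (1 2) and (1 2 … n):

```python
# Added example, not from the slides: the orbit relation Theta computed as the least
# fixpoint of  Y(x,y) = (x = y) or exists z (Y(x,z) and OR_i y = g_i(z))  over an
# explicit state set (sets of pairs instead of OBDDs), the representative function xi,
# R_G(x,y) = exists x1,y1 (R(x1,y1) and xi(x1) = x and xi(y1) = y), and the slides'
# symmetry-reduced reachability algorithm. Example system (constructed for this
# example): n identical processes, each holding one bit; a step flips one bit.
# Every index permutation is an automorphism; Sym(n) is generated by the two
# generators (1 2) and (1 2 ... n), so r = 2 generators suffice.
from itertools import product

def act(g, s):
    """sigma'((x_1..x_n)) = (x_g(1)..x_g(n)), g a 0-based index permutation."""
    return tuple(s[g[j]] for j in range(len(s)))

def generators(n):
    swap = {j: j for j in range(n)}
    swap[0], swap[1] = 1, 0                      # the transposition (1 2)
    rot = {j: (j + 1) % n for j in range(n)}     # the cycle (1 2 ... n)
    return [swap, rot]

def states(n):
    return set(product((0, 1), repeat=n))

def successors(s):
    """Flip exactly one bit."""
    return [s[:j] + (1 - s[j],) + s[j + 1:] for j in range(len(s))]

def transitions(S):
    return {(s, q) for s in S for q in successors(s)}

def orbit_relation(S, gens):
    """Least fixpoint: start from {(x,x)} and add (x, g_i(z)) for every (x,z) already
    in Y until nothing new appears (Lemma 2: the result is the orbit relation of <gens>)."""
    Y = {(x, x) for x in S}
    rounds = 0
    while True:
        new = {(x, act(g, z)) for (x, z) in Y for g in gens}
        rounds += 1
        if new <= Y:
            return Y, rounds
        Y |= new

def representative(Theta):
    """xi(x) = the smallest state y with Theta(x,y); well defined because Theta is
    an equivalence relation, so every state of an orbit gets the same minimum."""
    xi = {}
    for x, y in Theta:
        xi[x] = min(xi.get(x, y), y)
    return xi

def quotient_transitions(R, xi):
    """R_G(x,y) = exists x1,y1: R(x1,y1) and xi(x1) = x and xi(y1) = y."""
    return {(xi[x1], xi[y1]) for (x1, y1) in R}

def reduced_reachability(initial, xi):
    """The slides' algorithm: explore representatives only. Unlike the slide version,
    initial states are also checked against `reached`, so two initial states lying in
    the same orbit are not queued twice."""
    reached, unexplored = [], []
    for s in initial:
        if xi[s] not in reached:
            reached.append(xi[s])
            unexplored.append(xi[s])
    while unexplored:
        s = unexplored.pop()
        for q in successors(s):
            if xi[q] not in reached:
                reached.append(xi[q])
                unexplored.append(xi[q])
    return reached

def explicit_reachability(initial):
    """Plain reachability without symmetry, for comparison."""
    reached, unexplored = list(initial), list(initial)
    while unexplored:
        s = unexplored.pop()
        for q in successors(s):
            if q not in reached:
                reached.append(q)
                unexplored.append(q)
    return reached

def demo(n):
    S = states(n)
    Theta, rounds = orbit_relation(S, generators(n))
    xi = representative(Theta)
    RG = quotient_transitions(transitions(S), xi)
    init = [(0,) * n]
    return {"states": len(S), "orbit_pairs": len(Theta), "fixpoint_rounds": rounds,
            "orbits": len(set(xi.values())), "quotient_transitions": len(RG),
            "explicit_reached": len(explicit_reachability(init)),
            "reduced_reached": len(reduced_reachability(init, xi))}

if __name__ == "__main__":
    print(demo(4))
```

For n bits the orbits are the n+1 possible numbers of set bits, so the reduced search visits n+1 representatives where the explicit search visits 2^n states; the quotient keeps only the "one more bit" and "one fewer bit" moves between neighbouring weights. Computing Θ still enumerates all of S here, which is exactly the cost the slides push into the OBDD representation.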
SUMMARY!
• Formal definitions for symmetry
• Formal proof: the symmetric quotient model is equivalent to the original model
• Model checking with symmetry
• Formal proof: the recursive orbit calculation is correct
Questions?
Thank you!!