15. How to Preserve Properties
Core principle:
outside stubborn(m)
m2 implies
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
8
16. How to Preserve Properties
Core principle:
outside stubborn(m)
m w1 m1 t m2 implies
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
8
17. How to Preserve Properties
Core principle:
outside stubborn(m)
m w1 m1 t m2 implies m t m1 ’ w1 m2
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
8
20. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
9
21. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d
9
22. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d
m t m1 ’ w1 m2 w2 d
9
23. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
9
24. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
9
25. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
9
26. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t 9
27. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t t 9
28. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 9
deadlock!
29. Preservation of Deadlocks
Core principle + m w m’
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 9
deadlock!
30. Preservation of Deadlocks
Core principle + m w m’
implies
t
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 9
deadlock!
31. Preservation of Deadlocks
Core principle + m w m’
implies t
t
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 9
deadlock!
32. Preservation of LTL/CTL
LTLX:
Core principle
+Visibility: all transitions in stubborn(m) invisible to φ or
stubborn(m) = T
+Proviso: Once in every cycle: stubborn(m) = T
CTLX:
LTL
+ |stubborn(m)| = 1 or stubborn(m) = T
Consequences:
- only local properties yield reduction
- Proviso avoids infinite stuttering
- Proviso known to cause explosion
- Proviso requires cycle detection (e.g. depth first)
- CTL only performant when number of conflicts is small
33. LoLA’s Approaches
Let φ be state predicate Assume m does not satisfy φ
wrup(m, φ ) = some set of transitions such that every path
to an m’ that satisfies φ contains at least
one transition of wrup(m, φ ).
Examples:
wrup(m, “m* reached”) = •p, for some p with m(p) < m*(p)
= p•, for some p with m(p) > m*(p)
wrup(m,p>k) = wrup(m,p≥k) = •p
wrup(m,p<k) = wrup(m,p≤k) = p•
wrup(m, φ1 ∧φ2) = wrup(m, φ1) if m does not satisfy φ1
= wrup(m, φ2) if m does not satisfy φ2
wrup(m, φ1 ∨φ2) = wrup(m, φ1)∪ wrup(m, φ2)
wrup(m, t not dead) = {t} 11
38. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
m1
t 1st in ample(m)
m
m0 12
39. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
m1
t 1st in ample(m)
m
m1 closer to m’ than m
m0 12
40. Effect
• Can be applied to global predicates
• Astonishing goal-orientation
• Has been relaxed by Kristensen/Valmari (wrup must
be contained only once in an scc)
• They perform better if predicate unreachable
• Unrelaxed method better if predicate reachable
• Can be extended to boundedness:
• Bounded net: wrup(m) = {t : |t•|>|•t|}
• Bounded place: wrup(m,p) = •p
relaxed
41. TSCC based properties
Valmari:
core principle
+ weak proviso: Every transition in stubborn(m) at
least once in every tscc of reduced system:
every tscc of original state space visited in reduced
state space
42. TSCC based properties
Idea:
- Construct Valmari’s tscc-preserving state space
- Pick one element of each tscc of reduced state space
- check mutual reachability for home state
- check reachability of m0 for reversibility
- check rechability of φ for liveness of φ
userconfig.H:
twophase TWOPHASE
43. CTL/LTL properties
• CTL: Separate search space for each subformula
• Use wrup for EF and AG
• Use traditional CTL method for other
operators
• LTL: search counterexample path: F φ ➪ G¬φ,
GF φ ➪ FG¬φ, FGφ ➪ GF¬φ
• G ¬φ LTL preserving, but drop Proviso
• FG¬φ,GF¬φ:
• drop Proviso if m satisfies ¬φ
• wrup(m,¬φ) if m satisfies φ
45. Symmetric Behavior
Goal: symmetry in transition system
σ is symmetry if: ΣTS: set of all
σ is bijection R(m0) R(m0) symmetries in R(m0)
m [t> m’ iff ex. t’: σ(m) t’> σ(m’)
σ(m0) = m0
by induction:
m0 m1 m2 ... path
σ(m0) σ(m1) σ(m2) ... path as well
-Id is always symmetry [ΣTS,o] is
-If σ symmetry, so is σ-1 group
-If σ1 and σ2 symmetries, so is σ1 o σ2
18
47. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
19
48. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
19
49. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
m ~ m’ iff ex. σ ∈ Σ such that σ(m) = m’
19
50. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
m ~ m’ iff ex. σ ∈ Σ such that σ(m) = m’
~ is equivalence relation
19
51. Reduced Transition System
TSΣ = [R(m0)/~ , EΣ , [m0]Σ]
EΣ = { [ [s],[s’] ] | ex. s ∈ [s], ex. s’ ∈ [s’] : [s,s’] ∈ E}
Size of reduced system:
| R(m0)/~ | ≥ | R(m0) | / | Σ |
|Σ | can be exponential in size of Petri net
20
54. Construction of reduced
R := E := ø; dfs(m0);
dfs(m) Approximation
R := R ∪ {m};
FOR ALL t: activated in m DO
m’ = m + Δt;
IF can find σ with σ(m’)∈ R THEN
E := E ∪{[m, t, σ(m’) ]}; The “Orbit-
ELSE Problem”
E := E ∪{[m,t, m’ ]};
dfs(m’);
END
END
23
55. “Traditional” Symmetry
Tools
• Depend on “scalar set” data type
• =, ≠, arrays, for each, no constant
• Cannot model networks other than cliques
• LoLA: can handle all kinds of symmetry in
the net structure
56. PN automorphisms
Bijection σ: P∪T → P∪T is PN automorphism,
iff, for all x,y ∈ P∪T:
- m0(x) = m0(σ(x))
- If [x,y] ∈ F then [σ(x),σ(y)] ∈ F and W([x,y]) = W([σ(x),σ(y)])
Every PN automorphism induces symmetry in state space:
σ(m)(σ(p)) = m(p)
25
58. Schreier-Sims generating set
U1
U2
U3 subgroup induces partition of whole group
pick one element of each class (“orbit”)
Group: all automorphisms
U1: all automorphisms that map p1 to p1
U2: all automorphisms that map p1 to p1, p2 to p2
...
Un: Id
has O(n^2) elements
60. 2 3
Example
1 4
E={2 id, 3 2 ,3 2 3, 2 3
;
id, }
1 g1 4 1 g2 4 1 g3 4 1 g4 4
id o id = id g2 o id =
id o g4 = g2 o g4 =
g1 o id = g3 o id =
g1 o g4 = g3 o g4 =
29
61. Another Example
8 7
5 6
4 3 g = g1 o g2 o g3
1 2
1. Layer: 1 →1 ... 8
2. Layer 1 → 1, 2 → 2,4,5
3. Layer 1 → 1, 2 → 2, 3 → 3,6
7 + 2 + 1 = 10 generators for
8 x 3 x 2 = 48 automorphisms
30
62. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
31
63. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
31
64. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
2. m2 := MIN{g2i-1(m1), i = ...}
31
65. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
2. m2 := MIN{g2i-1(m1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...}
31
66. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...} ........
2. m2 := MIN{g2i-1(m1), i = ...} n. mn := MIN{gni-1(mn-1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...}
31
67. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...} ........
2. m2 := MIN{g2i-1(m1), i = ...} n. mn := MIN{gni-1(mn-1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...} canrep(m) := mn
31
74. Summary Symmetries
calculation of symmetries, exact solution of orbit problem:
equivalent to graph isomorphism (NP)
Many other orbit algorithms available in LoLA, even more by
Tommi Junttila
best choice depends on structure of symmetry group
symmetries 34
76. Two approaches
compress states (use place invariants)
save space and time
exempt states from storage (use transition invariants)
space/time tradeoff
36
78. First approach: use place invariants
Let i be place invariant:.
For all reachable m:
i • m = i • m0
37
79. First approach: use place invariants
Let i be place invariant:.
For all reachable m:
i • m = i • m0
i • m0 – Σp’≠p i(p’) • m(p’)
.... and, for a place p with i(p) ≠ 0: m(p) = i(p)
37
80. Example
3 2
invariant 1: [ 1 1 0 0 0 ] invariant 2: [ 0 0 0 1 1 ]
that is, for all reachable markings m:
m(p1) = 1 – m(p2) m(p5) = 2 – m(p4)
only p2,p3,p4 need to be stored (40 % compression)
38
82. Overhead
appears to be:
preprocessing
- time compute invariants
- space |inv| • |places|
state space
construction
- time recover saved
components
39
83. Overhead
appears to be: actually is:
preprocessing
- time compute invariants compute upper triangular
form
- space |inv| • |places| 1bit • |places|
state space
construction
- time recover saved search, insert performed
components on smaller vectors
39
84. State space construction
state
yes/no state
pointer depository
(short
vectors)
state (recover
removed components)
1 0 1
0 0 0
= 1
0 - -2
-1 = 3
1
2 1 1
40
85. State space construction
state
yes/no state
pointer depository
(short
vectors)
state (recover
removed components)
1 0 1 Observe:
0 0 0
= 1
0 - -2
-1 = 3
1
values of i
irrelevant,
2 1 1
supp(i) sufficient!
40
87. Results
1. Space reduction 30% - 55%
2. Preprocessing time insignificant
3. Run time reduction proportional to space reduction
Reason: search and insert operations take
80 – 95 % of overall run time
... are now performed on shorter vectors
4. combination with most other reduction techniques
possible
preduction 42
89. Second approach:
what happens if some states are
removed from the depository?
43
90. Second approach:
what happens if some states are
removed from the depository?
43
91. Second approach:
what happens if some states are
removed from the depository?
construction still terminates as long as
removed states do not form cycles!
43
92. Second approach:
what happens if some states are
removed from the depository?
construction still terminates as long as
removed states do not form cycles!
use structural knowledge about cycles
43
94. Transition invariants
cycle in state space corresponds to transition
invariant
Assume: Set U of transitions s.t. for every transition
invariant i:
U ∩ supp(i) ≠∅
Then: store states that enable transitions in U
do not store other states
U can be determined from triangular form
44
95. Example
3 2
transition invariant: [2,2,3,3]
U = {t}
store only states where t is enabled
45
96. Problems:
1. Too many states enable transitions in U
Solution: combine with partial order reduction
2. Unacceptable run time overhead
Solution 1: heuristically store additional states
Solution 2: remove only non-branching states
46
100. Results
1. Controllable space/time trade-off
2. Combination with partial order reduction compulsory
3. Combination with a few other reduction techniques
possible
4. Only simple properties can be verified (no access to
graph structure of the state space)
50
109. The sweep-line method (extended)
If p is not monotonous:
t
s’
s p(s’) < p(s)
-mark s’ “persistent”
-start new sweep from s’
110. The sweep-line method (extended)
If p is not monotonous:
t
s’
s p(s’) < p(s)
-mark s’ “persistent”
-start new sweep from s’
Consequently: not too often p(s’) < p(s)
111. Setting for LoLA’s measure
-incremental: “transition offsets”
Δ p(t) : m [t> m‘ p(m’) = p(m) + Δ p(t)
-not necessarily monotonous
(in every cycle: one negative Δ p or all Δ p = 0)
112. The measure
partition T into U and TU
in U: all transitions linear independent
in TU: all transitions linear dependent of U
i.e. |U| = rank(C)
-for t in U: Δ p (t) := 1
-for t in TU: Δ p(t) determined by (unique) lin. combination of U
(for t in TU: Δ p(t) >0, =0, <0 )
typical size: |U| 60% - 100% of |T|
![Plan
• Stubborn sets [Petri Nets 1999]
• Symmetry [Acta Informatica 2000]
• Invariants [TACAS 2003]
• Sweep-Line [TACAS 2004]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)