Investigating structural symmetry in models of concurrent systems

1
Investigating structural symmetry in models of
concurrent systems

• Alastair Donaldson,
• Dr. Alice Miller, Prof. Muffy Calder
• Department of Computing Science
• University of Glasgow

2
Overview

• Background

• Kripke structures and symmetry

• Detecting symmetry

• Exploiting symmetry

• Conclusions and future work

3
Model checking and the state-space explosion
problem

• Increase in no. of components in model ?
  combinatorial growth of state-space
• Exhaustive exploration of state-space quickly
  becomes infeasible

4
Techniques to combat the state-space explosion
problem

• Abstraction

• Partial order reduction

• Symbolic representation (BDDs)

• Compositional reasoning

• Induction

• Incomplete exploration

and
5
Symmetry

• Concurrent systems often have a lot of replicated
  structure
• This structure can be exploited when model
  checking, to avoid repeatedly exploring
  equivalent behaviours

user1_at_ringing user2_at_calling
user1_at_calling user2_at_ringing
6
Kripke structures

• Let AP be a set of atomic propositions. A Kripke
  structure over AP is a 4-tuple M(S,so,R,L)
• S finite set of states
• so ? S initial state
• R ? S ? S total transition relation
• L S ? 2AP labelling function

7
Kripke structures of concurrent systems

• A concurrent system P is represented in a
  specification language (e.g. Promela)

• A model checker (e.g. SPIN) takes system
  specification and explores corresponding Kripke
  structure

• Kripke structure associated with system P is
  denoted M(P)

8
Symmetries of a Kripke structure

• Let M(S,so,R,L) be a Kripke structure
• A symmetry, or automorphism, of M is a
  rearrangement of states which leaves arrows fixed
• Formally, a bijection s S ? S is an
  automorphism of M if it satisfies
• (s,t) ? R ? (s(s),s(t)) ? R
• symmetry automorphism
• Set of all automorphisms of a Kripke structure
  forms a group, Aut(M)

9
Symmetries of a Kripke structure

• Let G be a subgroup of Aut(M), (G Aut(M) )

• The state set S of M is partitioned by G using
  the following equivalence relation
• For s, t ? S, s t ? t ?(s) for some ? ? G

• By ?(s) we denote the equivalence class, or
  orbit, of s under the action of G

10
Quotient Kripke structures

• Choose a unique representative, rep(?(s)), from
  each orbit
• The quotient Kripke structure of M by G is a
  4-tuple MG(SG,to,RG,LG), where
• SG rep(?(s)) s ? S
• t0 rep(?(s0))
• RG (rep(?(s)),rep(?(t))) (s,t) ? R
• LG SG ? 2AP LG(rep(?(s))) L(rep(?(s)))

11
Checking properties over the quotient structure

• Theorem
• For all CTL formulae ? which are invariant
  w.r.t. the group G, we have
• M ? ? MG ?

Require that maximal propositional subformula f
holds at s ? it holds at ?(s)
12
Example a simple token-passing model

• The model is of a network of 5 process which
  pass a token peer-to-peer

• Token is sent initially to an arbitrary process

13
Kripke structure ? quotient structure for the
model
i
r0
r1
r2
r3
r4
r2
r3
r3
r2
s0
s1
s2
s3
s4
s2
s3
s3
s2
14
Kripke structure ? quotient structure for the
model
i
r0
s0
15
Exploiting symmetry during search

• If t ? reached
• Append t to reached
• Append t to unexplored

• If rep(t) ? reached
• Append rep(t) to reached
• Append rep(t) to unexplored

16
Finding symmetry

• Problem how do we know what symmetry there is
  in the first place?
• Correspondence between symmetry in topology of
  system and symmetry in associated Kripke structure

17
Process communication graph of a concurrent system

• Let P be a concurrent system
• The process communication graph for P is a
  directed, coloured graph
• C(P) (V,E,C), where
• V is the set of processes in P
• (pi,pk) ? E iff pi can send messages to pk
• C assigns each process pi ? V to a process type
• Aut(C(P)) is the group of automorphisms of the
  directed, coloured graph C(P)

18
SPIN-to-GRAPE

• Takes output of a SPIN state-space search
• Produces input file for manipulation with GAP and
  GRAPE
• For small models allows us to investigate
  structural symmetry

19
Example Bi-directional ring
GD5
dihedral group on 5 objects
G10
20
Example 3-tier architecture
Database
GS3 S2
Servers
wreath product of symmetric groups on 3 objects
and 2 objects
G72
Clients
21
Example 4D Hypercube
GS4K
semi-direct product of symmetric group acting on
4D vectors, and group of complementation
permutations
Nodes
G384
22
General result

• For a concurrent system P, where processes of the
  same type behave similarly
• Aut(C(P)) Aut(M(P))

• These symmetries permute process ids

• We can check properties which are invariant
  under such id permutations

• Aut(M(P)) may contain additional symmetries

23
How do we find C(P)?

• Automatically analyze program text

• Ask the user to specify it

Check the correctness of their specification
statically and/or dynamically
24
The constructive orbit problem

• If rep(t) ? reached
• Append rep(t) to reached
• Append rep(t) to unexplored
• How do we get a function rep so that
  rep(s)rep(t) ? ? s ? G s.t. s(s)t ?
• Could use lex-least state of each orbit

25
The constructive orbit problem

• Given a state s and a group G, find the
  lex-least state in the orbit of s under G
• NP-hard (Babai, Luks 1983)

• Can be solved in polynomial time for certain
  classes of symmetry group

• Prototype implementation in SPIN uses good
  heuristics and allows multiple representatives
  (Bosnacki et al. 2000)

26
The constructive orbit problem

• Idea
• Extract communication structure from model
• Use GRAPE to find aut. group G
• Use GAP to find the largest subgroup of G for
  which the COP is solvable in polynomial time
• Apply symmetries from this group on-the-fly

27
Conclusions

• The two main problems with applying symmetry
  reduction to model checking are
• finding symmetry
• exploiting symmetry efficiently
• Use of SPIN-to-GRAPE has shown that symmetry can
  be found by looking at process communication
  structure of system
• Current methods hindered by the constructive
  orbit problem.

28
Future work

• Automate detection of symmetry for the Promela
  language
• Write software to automatically check that system
  satisfies required restrictions
• Use GAP to restrict attention to symmetries for
  which the COP is polynomial

29
References

• E. Clarke, E. Emerson, S. Jha, A. Sistla (1998)
• Symmetry Reductions in Model Checking.
  Proceedings of CAV 1998, LNCS 1427
• M. Calder and A. Miller (2002)
• Five ways to use induction and symmetry in the
  verification of networks of processes by
  model-checking. Proceedings of AVoCS 2002, pp.
  29-42