ch2-modelling concurrent systems.ppt

Chapter 2:Modelling Concurrent Systems

Prof. Ali MovagharVerification of Reactive Systems

Spring 91

Outline

� A prerequisite for model checking is to provide a model of the system.

� We introduce transition systems, a standard class of models to represent hardware and software

2

of models to represent hardware and software system.

� We explain different aspects for modeling concurrent systems.

� Finally we explain about the state-space explosion problem encountered in model checking!

Transition Systems

� Transition Systems (TSs) model the behavior of systems.

� TSs are directed graphs where nodes

3

� TSs are directed graphs where nodes and edges represent states and transitions respectively.

Transition Systems (Con.)

� A state describes information about a system at a certain moment of its behavior:

4

behavior:

� The current color of a traffic light.

� The current values of all program variables + the program counter.

� The current value of the registers together with the values of the input bits.


� Transitions specify how the system evolvefrom one state to another.

� A switch from one color to another (for traffic light).

5

light).

� The execution of a program statement

� The change of the registers and output bits for a new input.

� In following we formally define a transition system.


� Definition: A transition system TS is a tuple (S,Act,→,I,AP,L) where:

� S is a set of states;

Act is a set of actions;

6

� Act is a set of actions;

� →⊆ S×Act×S is a transition relation;

� I⊆ S is a set of initial states;

� AP is a set of atomic proposition, and

� L: S → 2AP is a labeling function.

� TS is called finite if S, Act, and AP are finite.


� We write instead of .

� The intuitive behavior of a TS is :

� The TS starts in some initial state and evolvesaccording to the transition relation →.

(s, ,s )′α ∈→

0s I∈

s sα ′→

7

according to the transition relation →.

� Evolution means: if s is the current state, a transition

is selected nondeterministically and taken.

� Take means: the action α is performed and the TS evolves from state s to state s΄.

� This procedure is repeated in state s΄ and finishes once

a state is encountered that has no outgoing transition.

s sα ′→


� The labeling function L relates the set of propositions to any state s.

� L(s) stands for atomic propositions which are satisfied by state s.

APL(s) 2∈a AP∈

8

which are satisfied by state s.

� Hence, given a propositional logic formula φ, s satisfies formula φ , if L(s) satisfies it:

s | iff L(s) |=ϕ =ϕ


� Example 2.2: Beverage Vending Machine (BVM)

payget tea

9

� S={pay,select,coffee,tea}

� Act={insert_coin,get_coffee,get_tea,τ}

selectcoffee

pay

tea

get_coffee

insert_coin

get_tea


� The atomic propositions in the TS depends on the properties under consideration.

10

consideration.

� AP=S, L(s) = {s}, or

� AP={paid,drink} to verify “The vending machine only delivers a drink after paying”. Hence, L(pay)={}, L(coffee) = L(tea) = {paid,drink}, L(select)={paid}.


� To formally model a system using LTs, we should define the set of Act and AP.

� Actions are only necessary for modeling

11

� Actions are only necessary for modeling communication mechanism. When action names are irrelevant (e.g. internal actions), we use symbol τ or even remove it.

� Propositions are always chosen depending on the characteristics of interest.


� Let TS= (S,Act,→,I,AP,L) be a transition system. For , , the set of direct α–successor of s is :

s S∈ Actα ∈

12

α–successor of s is :

� Similarly the set of α-predecessor of s is

defined by:

Act

Post(s, ) {s S|s s }, Post(s) Post(s, )α

α∈

′ ′α = ∈ → = α∪

Act

Pr e(s, ) {s S|s s}, Pr e(s) Pr e(s, )α

α∈

′ ′α = ∈ → = α∪


� The notation for the sets of direct successors are expanded to subsets of S ( ):C S⊆S ( ):

� Similary

13

s C s C

Post(C, ) Post(s, ),Post(C) Post(s)

∈ ∈

α = α =∪ ∪

C S⊆

s C s C

Pr e(C, ) Pr e(s, ),Pr e(C) Pr e(s)

∈ ∈

α = α =∪ ∪


� State s in transition system TS is called terminal if and only if Post(s)={}.

� Transition systems modelling a � Transition systems modelling a sequential computer program, terminal states represents terminination of the program.

14


� The behavior of a transition system is formally defined by the notion of executions (also called runs).executions (also called runs).

� Informally, an execution of a TS results from the resolution of the possible non-determinism in the system.

15


� Definition: A finite execution fragment σ of TS= (S,Act,→,I,AP,L) is an alternating sequence of states and alternating sequence of states and actions ending with a state:

where n is called the length of execution fragment σ.

16

i 1

0 1 1 2 n n i i 1s s ... s such that s s 0 i n+α

+σ = α α α → ∀ ≤ ≤


� An infinite execution fragment ρ of TS is an infinite alternating sequence of states and actions:

s s ... such that s s 0 iαρ= α α → ∀ ≤

� A maximal execution fragment is a finite execution fragment that ends in a terminal state or an infinite execution fragment.

� An execution fragment, started in an initialstate s0∈S, is called initial.

17

i 1

0 1 1 2 i i 1s s ... such that s s 0 i+α

+ρ= α α → ∀ ≤


� Example 2.8 : executions of the BVM

get_coffee = cgetget_tea = tget

� ρ1 and σ are initial, while only ρ1 and ρ2

are maximal.18

coin tget coin tget

1

tget coin cget

2

coin tget coin

pay select tea pay select tea ...

select tea pay select coffee ...

pay select tea pay select tea.

τ τ

τ τ

τ τ

ρ = → → → → → →

ρ = → → → → →

σ = → → → → →

get_tea = tgetinsert_coin = coint


� Definition: An execution of transition system TS is an initial and maximalexecution fragment.execution fragment.

� in example 2.8, ρ1 is an execution while ρ2

and σ are not.

19


� Definition: A state s∈S is called reachable in TS= (S,Act,→,I,AP,L) if there exists an initial, finite execution there exists an initial, finite execution fragment

� Reach(TS) denotes the set of all reachable states in TS.

20

1 2 n

0 1 ns s ... s s.α α α→ → → =

Sequential Hardware Circuits

� Example 2.11: consider the sequential circuit with input variable x, output variable y and register r where variable y and register r where

and

21

y (x r)λ = ¬ ⊕ r x rδ = ∨

Sequential Hardware Circuits (Con.)

� The circuit behavior is modeled by the transition system TS with state space S=Eval(x,r) where Eval(x,r) stands for S=Eval(x,r) where Eval(x,r) stands for the set of evaluations of x and r

� The initial states of TS are I={<x=0,r=0>,<x=1,r=0>}.

� The set of actions is irrelevant and omitted here.

22


� The transitions results directly from the functions λy and δr :

� For instance if the next input bit (x) equals � For instance if the next input bit (x) equals i=0,1, then

23

x 0, r 1 x i, r 1< = = >→< = = >


� AP={x,y,r} and the labeling relation L assign the set of atomic proposition which has a value equal to 1. which has a value equal to 1.

� The state <x=0,r=1} is labeled with {r} since the circuit function result 0 for y.

24

(x r)¬ ⊕


� Alternatively, using the set of proposition AP΄={x,y}, the register

evaluation is invisible, we obtain:evaluation is invisible, we obtain:

� L΄(<x=0,r=0>)={y} L΄(<x=0,r=1>)={}

L΄(<x=1,r=0>)={x} L΄(<x=1,r=1>)={x,y}

� We can still formalize the property that “the output bit y is set infinitely often”.

25


� This approach can be generalized for the sequential circuits with n input x1,…,xn, m output bits y1,…,ym and k x1,…,xn, m output bits y1,…,ym and k registers r1,…,rk :

� S = Eval(x1,…,xn,r1,…,rk ).

� I ={a1,…,an,c0,1,…,c0,k)| a1,…,an∈{0,1} } where c0,i is the initial value of ri .

26


� AP={x1,…,xn,r1,…,rk ,y1,…,ym}.

� L(a1,…,an,c1,…,ck) ={xi|ai=1}∪{ri|ci=1}∪{yi| s |= λyi(a1,…,an,c1,…,ck) =1}i yi 1 n 1 k

� if and only if .

27

1 n 1 k 1 n 1 k(a ,..., a ,c ,..., c ) (a ,..., a ,c ,..., c )τ ′ ′→

jj r 1 n 1 kc (a ,..., a ,c ,..., c )′ = δ

Data-Dependant Systems

� Example 2.12: Consider an extension of BVM (Example 2.2) which

� counts the number of coffee and tea left ;� counts the number of coffee and tea left ;

� returns inserted coin if the machine is empty.

� For simplicity, BVM is modeled by two locations start and select.

28

Data-Dependant Systems (Con.)

� We exploit conditional transitions g:α to

model the data-dependant behavior of the system, where g is a condition and the system, where g is a condition and α is an action which is possible once g holds.

� Hence below transitions model insertion of coin and refilling the machine:

29

true:coinstart select→ true:refillstart start→


� Suppose the variables of ncof and ntea record the number of bottles of coffee and tea respectively.and tea respectively.

30

ncof 0:cgetselect start>→ ntea 0:tgetselect start>→

ncof 0 ntea 0:ret _ coinselect start= ∧ =→


� The effect of each action on variables ncof and ntea is shown below:

Action Effect

� The graph consisting of locations as node and conditional transition as edge is not a TS.

31

Action Effect

refillcgettgetcoinret_coin

ncof:= max; ntea:=maxncof:=ncof-1ntea:=ntea-1No changeNo change


� However a TS can be obtained by unfolding this graph.graph.

32


� This approach in modeling data-dependant systems can be formalized by program graphs over a set of Var of by program graphs over a set of Var of typed variables.

� A program graph over a set of typed variables is a digraph whose edges are labeled by conditions on these variables and actions.

33


� The effect of the actions is formalized by means of mapping

Effect: Act×Eval(Var) → Eval(Var)Effect: Act×Eval(Var) → Eval(Var)

� This indicates how the evaluation η of variables is changed by performing an action.

34


� Definition: A program graph overt set Var of type variables is a tuple (Loc,Act,Effect,→,Loc0,g0) where:

Loc is a set of locations and Act is a set of actions;� Loc is a set of locations and Act is a set of actions;

� Effect : Act×Eval(Var) → Eval(Var);

� →⊆ Loc×Cond(Var)×Act×Loc;

� Loc0⊆Loc is a set of initial locations;

� g∈Cond(Var) is the initial condition.

35


� We write instead of .

� The condition g is called guard of the conditional transition.

g:α ′→ℓ ℓ ( ,g, , )′α ∈→ℓ ℓ

conditional transition.

� The behavior in location depends on the current variable evaluation η. A non-deterministic choice is made between transitions whose guard is satisfied in evaluation η (η |= g).

36

Loc∈ℓ


� Each program graph can be interpreted as a transition system which results from unfolding.from unfolding.

� In other words, the semantics of a program graph is defined by a transition system.

37


� The states of the corresponding TS consist of a location of program graph together with an evaluation η of

Loc∈ℓ

graph together with an evaluation η of the variables: .

� Initial states are initial locations that satisfy the initial condition g0.

� The set AP is comprised by locations and boolean conditions for the variables.

38

,⟨ η⟩ℓ


� The labeling of states is such that is labeled with and with all conditions (over Var) that hold in η.

,⟨ η⟩ℓ

ℓ

(over Var) that hold in η.

� The transition relation is defined as follows: whenever and g holds in the current evaluation η, then :

39

g:α ′→ℓ ℓ

, ,Effect( , )α ′⟨ η⟩ →⟨ α η ⟩ℓ ℓ


� Definition: The transition system TS(GP) of program graph GP= (Loc,Act,Effect, →,Loc0,g0) over set Var (Loc,Act,Effect, →,Loc0,g0) over set Var is the tuple (S,Act,→,I,AP,L) where:

� S = Loc ×Eval(Var);

� → ⊆ S ×Act ×S is defined by the following

rule:

40

g: | g

, ,Effect( , )

α

α

′→ ∧ η =

′⟨ η⟩ →⟨ α η ⟩

ℓ ℓ

ℓ ℓ


� I ={ ,η|= g0};

� AP = Loc ∪ Cond(Val);

� L( )={ }∪{g Cond(Var) | η|= g}.

0, | Loc⟨ η⟩ ∈ℓ ℓ

,⟨ η⟩ℓ ℓ ∈� L( )={ }∪{g Cond(Var) | η|= g}.

� The definition TS(PG) determines a very large set of propositions AP. But generally only a small part of AP is necessary to formulate system properties.

41

,⟨ η⟩ℓ ℓ ∈

Structural Operation Semantics

� The transition relation of TS(PG) is defined using the so-called SOS-notation: premisenotation:

� Which implies if the proposition above the “solid line” holds, then the proposition under the fraction bar holds as well.

� If the premise is a tautology, the rule is called axiom.

42

premise

conclusion

Structural Operation Semantics (Con.)

� The relations defined by SOS rules are the smallest relation satisfying the indicated axioms and rules.indicated axioms and rules.

� The semantics of many modeling languages like process algebras are defined using SOS rules.

43

Parallelism and Communication

� In reality most hard- and software systems are not sequential but parallel.

� We describe several mechanisms to � We describe several mechanisms to provide operational models for parallel systems by means of TSs.

� These Mechanisms range from simple mechanism where no communication take place between TSs to message-passing one.

44

Parallelism and Communication (Con.)

� Assume the operational (stepwise) behavior of the processes that run in parallel are given by transition systems parallel are given by transition systems TS1, …, TSn.

� Our goal is to define an operator || such that TS = TS1 || TS2 || … || TSn is a transition system that specifies the behavior of parallel composition of TSs.

45

Parallelism and Communication (Con.)

� It should be noted that each TSi may be a transition system that is composed of several transition systems:several transition systems:

TSi = TSi,1 || TSi,2 || … || TSi,n

� Hence complex systems can be described in a rather structured way using the parallel composition in a hierarchical way.

46

Parallelism and Communication: Interleaving

� In this model, it is assumed that a system is actually composed of a set of independent components.independent components.

� Hence, the global system state is composed of the current individual states of the components.

47

Parallelism and Communication: Interleaving (Con.)

� Actions of an independent components are merged or “interleaved” with actions from other components.actions from other components.

� Thus concurrency is presented by pure interleaving : nondeterministic choice between activities of parallel processes.

48


� Example: Two independent traffic lights

� ||| denotes interleaving operator.� ||| denotes interleaving operator.

49

||| =


� An important justification for interleaving is the fact that the effect of currently executed, independent actions currently executed, independent actions α and β is identical to the effect when αand β are executed in arbitrary order:

� Effect(α|||β,η)=Effect(α;β)+ Effect(α;β)

� where ; stands for sequential execution and + stands for non-deterministic choice.

50


� Definition: The transition system TS1|||TS2 where TSi=(Si,Acti,→i,Ii,APi,Li) is defined by is defined by

� (S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)

� Where the TS → is defined by :

� Labeling function is defined :

51

11 1

1 2 1 2

s s

s ,s s ,s

α

α

′→

′⟨ ⟩ →⟨ ⟩

22 2

1 2 1 2

s s

s ,s s ,s

α

α

′→

′⟨ ⟩ →⟨ ⟩

1 2 1 2L( s ,s ) L(s ) L(s )⟨ ⟩ = ∪

Parallelism and Communication: Com. via shared variable

� Consider two independent value assignments x:=x+1 ||| y:=y-2.

� The order of their execution is not � The order of their execution is not important, so they can be easily interleaved.

52

||| =


� Consider two parallel assignments on a shared variable x, x:=2.x ||| x:= x+1.

� The different order of execution results in � The different order of execution results in different final value for x

53

||| =


� Thus interleaving is not appropriate when two components compete on a shared variable.

� Hence to deal with parallel programs with shared variables, an interleaving operator will shared variables, an interleaving operator will be defined on the level of program graphs PG1 and PG2.

� TS(PG1 ||| PG2) describe a parallel system communicating via shared variables.

54


� Definition: Program graph PG1 ||| PG2

over Var1∪Var2, where for i=1,2, PGi= (Loci,Acti,Effecti, →i,Loc0,i,g0,i), is (Loci,Acti,Effecti, →i,Loc0,i,g0,i), is defined by

� PG1 ||| PG2=(Loc1×Loc2,Act1∪Act2,Effect,→,Loc0,1×Loc0,2, g0,1 ∧g0,2) where

� → is defined by the rules :

55


g:11 1

g:

1 2 1 2, ,

α

α

′→

′⟨ ⟩ →⟨ ⟩

ℓ ℓ

ℓ ℓ ℓ ℓ

g:22 2

g:

1 2 1 2, ,

α

α

′→

⟨ ⟩ →⟨ ⟩

ℓ ℓ

ℓ ℓ ℓ ℓ

� Effect(α,η)=Effecti(α,η) if α∈Acti.

� Program graphs PG1 and PG2 have the variables Var1∩Var2 in common. Variables in Var1\Var2 are local variables of PG1.

56


� Example 2.22: consider the program graphs PG1 and PG2 that correspond to assignments x:=x+1 and x:=2.x.assignments x:=x+1 and x:=2.x.

57


� its underlying transition system TS(PG1|||PG2) is shown below:

� The non-determinism in�

� TS(PG1|||PG2)≠TS(PG1)|||TS(PG2).

58

The non-determinism inthe initial state does notrepresent concurrency butjust a possible resolution of contention on x.


� Question: which actions of program graphs can be interleaved arbitrary (i.e. executed arbitrary) and which one can executed arbitrary) and which one can not? (page 42)

� Read examples 2.24 and 2.25.

59

Parallelism and Communication: Handshaking

� Until now, we have introduced two mechanisms for parallel processes:

� Interleaving: processes evolve completely � Interleaving: processes evolve completely autonomously.

� Com. via shared variables: processes communicate via shared variables.

60

Parallelism and Communication: Handshaking (Con.)

� The third mechanism in which current processes that want to interact have to do this in a synchronous fashion.do this in a synchronous fashion.

� In other words, processes can interact if they are both participating in this interaction at the same time- they shake hands.

61


� During handshaking, information can be exchanged.

� Here we abstract of information � Here we abstract of information exchange (message contents) by considering the occurrence of handshake.

� A set H of handshake actions is distinguished with .

62

Hτ∉


� Informally, if both parallel processes are ready to execute the same handshake action, can message passing take place.action, can message passing take place.

� All actions outside H (Act\H) are independent and therefore can be executed autonomously in an interleaved fashion.

63


� Definition: The transition system TS1||HTS2 , where TSi=(Si,Acti,→i,Ii,APi,Li) i=1,2 and H⊆Act1∩Act2 with , is Hτ∉i=1,2 and H⊆Act1∩Act2 with , is defined by:

� (S1×S2,Act1∪Act2, →,I1×I2,AP1∪AP2,L)

� L(⟨s1,s2⟩)=L1(s1)∪L2(s2)

� The transition relation → is defined by the below rules:

64

Hτ∉


� Interleaving for α∉H:

11 1

1 2 1 2

s s

s ,s s ,s

α

α

′→

′⟨ ⟩ →⟨ ⟩

22 2

1 2 1 2

s s

s ,s s ,s

α

α

′→

′⟨ ⟩ →⟨ ⟩

� Handshaking for α∈H:

65

1 2 1 2s ,s s ,s′⟨ ⟩ →⟨ ⟩ 1 2 1 2s ,s s ,s ′⟨ ⟩ →⟨ ⟩

1 21 1 2 2

1 2 1 2

s s s s

s ,s s ,s

α α

α

′ ′→ →

′ ′⟨ ⟩ →⟨ ⟩


� We write TS1||TS2 for TS1||HTS2 for H= Act1∩ Act2.

� When H={}, then TS1||{}TS2 reduces to � When H={}, then TS1||{}TS2 reduces to TS1|||TS2.

� The handshaking operator ||H is communicative, but not associative:

� TS1||HTS2 = TS2||HTS1.

� TS1||H (TS2||H’TS3)≠(TS1||HTS2)||H’TS3.

66


� The (multiway) handshaking operator in TS=TS1||HTS2||H…||HTSn, where H⊆Act1∩…∩Actn, is appropriate to H⊆Act1∩…∩Actn, is appropriate to model broadcasting!

� The handshaking operator is similar to parallel operator in CSP algebra.

67


� Example 2.28: consider two processes P1 and P2 of the form :

Pi loop forever

68

Pi loop forever…requestcritical sectionrelease….end loop

Modeled by


� P1 and P2 can communicate with a new process Arbiter to enter their critical sections :sections :

� Arbiter mimics a

binary semaphore.

� TSArb= (TS1 ||| TS2) || Arbiter guarantees mutual exclusion (why?).

69


70


� Read Example 2.30.

� It should be noted that the parallel operators introduced are time-abstract.operators introduced are time-abstract.

� See example 2.31.

71

Parallelism and Communication: Channel Systems

� Channel systems are parallel systems where processes communicate via channels.channels.

� Channels are first-in, first-out buffers that may contain messages.

� Processes are program graphs PGi

extended with communication actions:

� c!v transmits the value v along channel c.

� c?x receives a message via c and assigns it to x. 72

Parallelism and Communication: Channel Systems (Con.)

� Definition: A program graph over (Var,Chan) is a tuple (Loc,Act,Effect,→,Loc0,g0) as before with the only →,Loc0,g0) as before with the only difference that

� → ⊆ Loc×(Cond(Var)×(Act∪Comm)×Loc

� Comm={c!v,c?x|c∈Chan, v∈dom(c), x∈Var with dom(c)⊆dom(x)}

73


� A channel system CS over (Var,Chan) consists of program graphs PGi over (Var,Chan) with Var=∪1≤i≤nVari.(Var,Chan) with Var=∪1≤i≤nVari.

� We denote CS=[PG1 | … | PGn]

� As before the conditional transitions labeled by α:g, α∈Act can happen whenever g holds.

74


� The occurrences of conditional transitions labeled by g:c!v or g:c?x depends on the current evaluation and depends on the current evaluation and the capacity and content of channel.

� Handshaking : if cap(c)=0, then process Pi

can perform only if another process Pj receives .

75

c!v

i i′→ℓ ℓ

c!x

j j′→ℓ ℓ


� Asynchronous: if cap(c)>0

� Pi can send if the channel c is not full.

� Pj can receive if channel c is not empty.

� The Effect of actions are defined as below; the channel is treated as a buffer:

� Channel systems are used to model communication protocols.

76

Executable if … Effect

c!v c is not “full” Enqueue(c,v)

c?x C is not “empty” ⟨x:= Front(c);Dequeue(c);⟩


� Example 2.23: Alternating Bit Protocol

� The Sender S sends its messages along an unreliable channel c to a receiver R, who unreliable channel c to a receiver R, who sends its acknowledges along a reliable channel d to the sender.

77

Sender Receiverc, cap(c)= ∞

�d, cap(d)= ∞


� S and R uses two bits 0,1 to distinguish retransmissions of m from transmissions of subsequent (and previous) messages:

When S sends message m tagged with 0 � When S sends message m tagged with 0 <m,0>, it waits to receive <0> (sent by R), otherwise retransmits the <m,0>.

� When S receives <0>, it transmits the new message tagged by 1.

� When S receives <1>, it retransmit its message <m,0>.

78


� The program graph of the sender S:

79


� The program graph of the receiver R:

80


� The complete system is presented as a channel system over chan= {c, d, tmr_on, tmr_off,timeout} and Var= { tmr_on, tmr_off,timeout} and Var= { x,y,mi} : ABP=[S|Timer|R].

� The behavior of a channel system can be given by a transition system, similar to the mapping from program graphs to transition systems.

81


� The states of TS(CS), where CS=[PG1|…|PGn] over (Chan,Var), are tuples :1 n,..., , ,⟨ η ξ⟩ℓ ℓtuples :

� indicates the current location of component PGi;

� η(∈Eval(Var)) keeps track of the current values of the variables;

� ξ ,ξ(c)∈dom(c)*, records the current content of the various channels.

82

1 n,..., , ,⟨ η ξ⟩ℓ ℓ

iℓ


� Definition: The transition system of CS, denoted by TS(CS), where CS=[PG1|…|PGn] over (Chan,Var) and CS=[PG1|…|PGn] over (Chan,Var) and PGi= (Loci, Acti, Effecti, →i,Loc0,i,g0,i), is defined by TS(CS)=(S,Act,→,I,AP,L):

� S=(Loc1×…×Locn)×Eval(Var) ×Eval(Chan);

� Act=∪0≤i≤nActi ∪{τ};

� I={ |∀1≤i≤n.( ∈Loc0,i∧η|= g0,i)};

83

1 n,..., , ,⟨ η ξ⟩ℓ ℓ

iℓ


� AP=∪1≤i≤nLoci∪Cond(Var);

� L( )={ }∪

{g∈Cond(Var)| η|=g};

1 n,..., , ,⟨ η ξ⟩ℓ ℓ 1 n,...,ℓ ℓ

{g∈Cond(Var)| η|=g};

� → is defined by the following rules:

� Interleaving for α∈Acti:

84

g:ii i

1 i n 1 i n,..., ,..., , , ,..., ,..., , ,

Effect( , )

α

α

′→

′ ′⟨ η ξ⟩ →⟨ η ξ⟩

′η = α η

ℓ ℓ

ℓ ℓ ℓ ℓ ℓ ℓ


� Asynchronous message passing for c∈Chan, cap(c)>0:

� Receive a value along channel c and assign it to x:

g:c?x | g len( (c) k) 0 (c) v ...v′→ ∧ η = ∧ ξ = > ∧ ξ =ℓ ℓ

where η’=η[x:=v1] and ξ’=ξ[c:=v2…vk]

� Transmit value v∈dom(c) over channel c:

where ξ’=ξ[c:=v1v2…vkv]85

g:c?xii i 1 k

1 i n 1 i n

| g len( (c) k) 0 (c) v ...v

,..., ,..., , , ,..., ,..., , ,τ

′→ ∧ η = ∧ ξ = > ∧ ξ =

′ ′ ′⟨ η ξ⟩ →⟨ η ξ ⟩

ℓ ℓ


g:c!vii i 1 k

1 i n 1 i n

| g len( (c) k) cap(c) (c) v ...v

,..., ,..., , , ,..., ,..., , ,τ

′→ ∧ η = ∧ ξ = < ∧ ξ =

′ ′⟨ η ξ⟩ →⟨ η ξ ⟩

ℓ ℓ



� Synchronous message passing over c∈Chan, cap(c)=0:

1 2g :c?x g :c!v| g | g i j′ ′→ ∧ η = ∧ η = ∧ → ∧ ≠ℓ ℓ ℓ ℓ

where η’=η[x:=v].

� See example 2.34.

86

1 2g :c?x g :c!vi ji i 1 2 j j

1 i j n 1 i j n

| g | g i j

,..., ,..., ,..., , , ,..., ,..., ,..., , ,τ

′ ′→ ∧ η = ∧ η = ∧ → ∧ ≠

′ ′ ′⟨ η ξ⟩ →⟨ η ξ⟩

ℓ ℓ ℓ ℓ

ℓ ℓ ℓ ℓ ℓ ℓ ℓ ℓ

Parallelism and Communication: Synchronous Parallelism

� In synchronous systems components evolve in a lock step fashion.

� Synchronous hardware circuits in which all � Synchronous hardware circuits in which all components are connected to a central clock and all perform a step on each clock pulse.

87

Parallelism and Communication: Synchronous Parallelism (Con.)

� Definition: The synchronous product TS1⊗TS2, where

� TSi =(Si,Act, →i,Ii, APi,Li) and � TSi =(Si,Act, →i,Ii, APi,Li) and

� *:Act×Act →Act be a mapping that assigns α*βto each pair of actions α and β

is given by (S1×S2, Act, →, I1×I2, AP1∪AP2, L) where

88

Parallelism and Communication: Synchronous Parallelism (Con.)

� The transition relation is defined by:

1 21 1 2 2

*

1 2 1 2

s s s s

s ,s s ,s

α β

α β

′ ′→ →

′ ′⟨ ⟩ →⟨ ⟩

� α*β denotes the synchronous execution of action α and β.

� L(⟨s1,s2⟩)=L1(s1)∪L2(s2).

� It should be noted that compared to parallel operator ||, there is no autonomous transition of TS1 or TS2.

89

1 2 1 2s ,s s ,s⟨ ⟩ →⟨ ⟩

The state-space Explosion Problem

� Program graphs and channel systems introduced to model data-dependant and communication systems.and communication systems.

� In following we discuss on the cardinality of resulting transition systems, since verification techniques are based on analyzing the TSs.

90

The state-space Explosion Problem (Con.)

� Program graph representation:

� Recall that the states of the unfolded TS are of the form ⟨ ,η⟩, where location and ℓ ℓare of the form ⟨ ,η⟩, where location and variable evaluation η.

� Assume all variables in Var have finite domain.

� The number of states in the resulting TS is:

91

ℓ ℓ

x Var

| Loc | . | dom(x) |∈

∏


� The number of states grows exponentiallyin the number of variables in the program graph.

� Parallelism

� In all variant of parallel operators, the state space of the complete system is built of the local state space Si of the components.

92


� Hence the number of states in S is growing exponentially in the number of components.

Additionally the size of local state of each � Additionally the size of local state of each component grows exponentially with number of variable.

� Thus the “exponential blowup” in the number of parallel components and number of variables explains the problem.

93


� Channel systems

� For the size of TS of channel systems, similar observation can be made as for the similar observation can be made as for the representation of program graphs.

� Additionally, the size of channels affects on the number of states.

94


� Thus for CS=[PG1|…|PGn] over Var=Var1∪…∪Varn and channels Chan, the cardinality of state space is :

which can be rewritten as :

95

ncap(c)

i

i 1 c Chan

| PG |. | dom(c) |= ∈

∏ ∏

i

ncap(c)

i

i 1 x Var c Chan

| Loc | . | dom(x) . | dom(c) |= ∈ ∈

∏ ∏ ∏

Summery

� Transition systems are a fundamental model for modeling software and hardware systems.hardware systems.

� An execution of a TS is an alternatingsequence of states and actions that starts in an initial state and that cannot be prolonged.

96

Summery (Con.)

� Interleaving amounts to represent the evolvement of “simultaneous” activities of independent concurrent processes by the nondeterministic choice between these nondeterministic choice between these activities.

� In case of shared variable communication, parallel composition on the level of transition systems does not faithfully reflect the system’s behavior. Instead, composition on program graphs has to be considered.

97

Summery (Con.)

� Concurrent processes that communicate via handshaking on the set H of actions execute actions outside H autonomously whereas they execute actions in H synchronously.execute actions in H synchronously.

� In channel systems, concurrent processes communicate via FIFO-buffers. Handshaking

communication is obtained when channels have capacity 0. For channels with a positive capacity, communication takes place asynchronously.

98

Summery (Con.)

� The size of transition system representations grows exponentially in various components, such as the various components, such as the number of variables in a program graph or the number of components in a concurrent system. This is known as the state-space explosion problem.

99

ch2-modelling concurrent systems.ppt

Documents