a polynomial translation of - calculus (fcp) to safe petri nets
DESCRIPTION
A Polynomial Translation of - Calculus (FCP) to Safe Petri Nets. Roland Meyer 1 , Victor Khomenko 2 , and Reiner H ü chting 1 1 Department of Computing Science, University of Kaiserslautern, Germany 2 School of Computing Science, Newcastle University, UK. - Calculus. - PowerPoint PPT PresentationTRANSCRIPT
A Polynomial Translation of -Calculus (FCP) to Safe Petri Nets
Roland Meyer1, Victor Khomenko2, and Reiner Hüchting1
1Department of Computing Science,University of Kaiserslautern, Germany
2School of Computing Science,Newcastle University, UK
2
-Calculus
• A formalism (process algebra) for modelling mobile and reconfigurable systems
• Processes communicate by message passing: channels are sent via channels passing an IP address or hyperlink passing a pointer/reference to a procedure
• New fresh channels can be dynamically created• (Logical) interconnect topology changes over time
3
-Calculus: example
P1 P2 P3…
Scheduler
Task generators
TG1 TG2 TGk…
Array of processors
4
-Calculus Syntax
P ::= 0| K a⌊ 1,…,an⌋| P + P| P | P| .P| a:P ::= a<b>| a(x)|
No replication operator ‘!’ – using recursive definitions of the form K a⌊ 1,…,an :=P⌋ instead
Input prefix a(x).P and restriction x:P bind name x in PNOCLASH assumption (can always be enforced by -
conversion): • each name is bound at most once• the sets of bound and free names are disjoint
stop call choice Parallel composition
prefix restriction
5
Finite Control Processes
• -Calculus is expressive (Turing-powerful), so nothing is decidable
• Wanted: a (syntactic) fragment that is decidable but retains a reasonable degree of expressiveness sufficient for modelling practical mobile and reconfigurable systems
• Finite Control Processes (FCP): parallel composition of a fixed number of sequential (i.e. not using the | operator) processes (threads)
• Good compromise between expressiveness and verifiability
6
Motivation for FCPPN translation
• FCPs have complicated semantics, and thus difficult for model checking: checking if two terms are structurally congruent
is graph isomorphism complete difficult to use condensed representations of the
state space difficult to use reductions when exploring the
state space• In contrast, safe low-level PNs are well suited for
model checking, with many efficient heuristics available
7
Our contribution
Safe low-level PNs:Efficient verification
Not convenient for reconfigurability
FCPs:Convenient for
modelling reconfigurability
Verification is hardGap
8
Complexity-theoretic considerations• Any reachable state of an FCP can be represented by a
term bounded by the FCP’s size• Hence an FCP can be simulated by a Turing machine
with linear in the FCP’s size tape (characterises PSPACE)
• A Turing machine with a bounded tape can be simulated by a safe low-level PN of polynomial size
• Hence a polynomial translation from FCPs to safe low-level PNs must exist
• This argument is constructive, but the resulting PN would be big and ugly
• Wanted: A natural polynomial FCPPN translation, suitable for practical verification
9
Related work• Much work concerning -CalculusPN translations
has been performed• Mostly theoretical, often concerning the full -
Calculus and so results in infinite PNs or undecidable PN classes (inhibitor arcs, coloured with infinite sets of colours, etc.)
• Existing FCPPN translations (or restrictions of -CalculusPN translations to FCPs) are non-polynomial and/or have an unnecessarily powerful target formalism (coloured / inhibitor / transfer PNs)
• Our contribution: natural polynomial FCP safe low-level PN translation suitable for practical verification
10
Principles of translation• Replace restricted names by fresh public ones, e.g.
x.y.P and P[ab/xy] (a & b are fresh) are bisimilar • Recycle the fresh names to avoid generating unbounded
number of them: static bound on the number of names an FCP can ‘remember’ if P reacts with x.Q and a is a currently unused
(recycled) public name then P reacts with Q[a/x] PN keeps track of the currently used names
• Distributed representation of the substitution: P[ab/xy]=P[a/x][b/y], so [a/x] and [b/y] are treated as
independent variables and represented by separate PN places
11
Translation
Nsubs H(N1 || … || Nn)
Substitutionnet
Implementationoperator
Hidingoperator
State machinesimplementing
threads
Parallelcomposition
operator
12
Translation: Pre-processing• Ensure that each thread of the FCP has its own set
of process definitions:K(u,v):=.L(u,v)
K(u,v):=.L(u,v)L(x,y):=.K(x,y)
L(x,y):=.K(x,y)
K’(u’,v’):=.L’(u’,v’)
L’(x’,y’):=.K’(x’,y’)
K a,b | K b,c⌊ ⌋ ⌊ ⌋ K a,b⌊ ⌋ | K’ b,c⌊ ⌋• At most quadratic increase in size – can be
recovered by using symmetries in model checking
13
Translation: Substitution net
p1 p2 pnp n1 n2
nnn
i1
ini
f1
fnf
r1 Restricted names
are never mapped to public ones, so
no places here
rnr
Inputnames
Formalparameters
Restrictednames
Public names Recyclable names Operations:• test(x=y)• map(x,y)• unmap(x,y)The operations do not interfere when applied to different names
Complimentary places allow to determine which names are currently unused
14
Translation: Control of threads• Model the control of each thread by a finite state
machine; its transitions carry two labels: communication action send(a,b), rec(a,b) or set of commands working with the substitution:
test(x=y), map(x,y), unmap(x,y)• Additional transitions are inserted to initialise
restricted names, pass parameters, and to unmap bound names when they go out of scope
15
Control of threads: Examples
S
send(p1,p1)
send(p1,p2)
send(nnn,nnn)
{test(x=p1),test(y=p1)}
…
… …
{test(x=p1),test(y=p2)}
{test(x=nnn),test(y=nnn)}
S
rec(p1,p1)
rec(p1,p2)
rec(nnn,nnn)
{test(x=p1),map(y,p1)}
…… …
{test(x=p1),map(y,p2)}
{test(x=nnn),map(y,nnn)}
x<y>.S+…
x(y).S+…
Send Receive
r.P P
{map(r,n1)}
{map(r,n2)}
{map(r,nnn)}
…
… …
Restriction
16
Translation: Parallel composition• Synchronise the send actions with the
corresponding rec actions, with the resulting label and the sets of commands united the original transitions are not removed and
available for further synchronisations
Psend(a,b)… …
{test(u=a),test(v=b)}u<v>.P+…
Srec(a,b)… …
{test(x=a),map(y,b)}
x(y).S+…
{test(u=a), test(v=b),test(x=a), map(y,b)}
Psend(a,b)… …
{test(u=a),test(v=b)}u<v>.P+…
Srec(a,b)… …
{test(x=a),map(y,b)}
x(y).S+…
||
17
Translation: Hiding• Remove the non- transitions after all the parallel
compositions are performed• All the remaining transitions are –labelled, so can
drop this label – only a set of commands is attached to each transition now
Psend(a,b)… …
{test(u=a),test(v=b)}u<v>.P+…
Srec(a,b)… …
{test(x=a),map(y,b)}
x(y).S+…
{test(u=a), test(v=b),test(x=a), map(y,b)}
18
Translation: Implementation operator• Implements the commands attached to each
transition by adding arcs between this transition and the places in the substitution net:
test(x=a)
… …
x=a
map(x,a)
… …
x=axa
unmap(x,a)
… …
x=a xa
map(r,n)… …
r=nr*n
i1n inin…
f1n fnfn…
[r*n]
19
Implementation operator: Examples• Example: communication and restriction:
P… …
u<v>.P+…
S… …
x(y).S+…
{test(u=a), test(v=b),test(x=a), map(y,b)}
P… …
r.P
{map(r,n)}
u=a v=b x=a
y=byb
i1n inin
r=nr*n
…f1n fnfn
…
20
Correctness and size of the translation• Weak bisimulation between FCP and PN• Strong bisimulation between FCP and the ‘stable’
transition system of PN• The size of the resulting PN is O(|FCP|4)
dominated by the number of transitions modelling communication
reduced down to O(|FCP|3) on the next slide the PN is significantly smaller in practice than
the worst case suggests
21
Optimisations• Split the transitions modelling communication:
model communication between a<b> and x(y) not by a single step but by a pair of steps: the first checks that a=x, and the second maps y to b
reduces the size of the resulting PN from O(|FCP|4) down to O(|FCP|3)
• Bound names that are never simultaneously active can share the same row of places in the substitution net
• Can statically compute good approximations of the domains of bound names
• Can share subnets for unmapping bound names that go out of scope
• Can use symmetries reduction during model checking• Etc. – see the paper and technical report
22
Extensions• Polyadic communication: exchanges multiple names
in a single reaction, i.e. prefixes a<x1,…,xn> and b(y1,…,yn) can react iff a=b, and after synchronisation each yi gets the value of xi
can be achieved by generalising the ‘communication splitting’ idea
• Match and mismatch: modelled by transitions testing the [non-]equality of two names in the substitution reachable states corresponding to the ‘stuck
between the guards’ situation have to be declared invalid (they can easily be distinguished from the valid ones, so still OK for model checking)
23
Experimental results• Translation has been implemented in the fcp2pn tool:
http://homepages.cs.ncl.ac.uk/victor.khomenko/tools/fcp2pn• The practicality of the approach was demonstrated
as follows: a number of FCPs, including scalable ones, were
translated to safe PNs using fcp2pn the PNs grow much slower with |FCP| than the
worst-case bound suggests optimisations work very well the PNs were checked for deadlocks using
LOLA, with good results
24
Conclusions• First polynomial translation from FCPs to safe low-
level PNs• The translation is natural, i.e. there is a close
correspondence between the control flows of the FCP and the resulting PN
• The resulting PN is suitable for practical model checking
• Proposed a number of optimisations• Extensions to polyadic communication and
match/mismatch• Implemented in the fcp2pn tool• Encouraging experimental results
25
Thank you!Any questions?