Algebraic Trace Theory

Transcription

1 Algebraic Trace Theory EE249 Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October 21, 2002 ee249 1

2 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 2

3 Abstract Algebra x + 3 = 5 ( x + 3 ) + ( -3 ) = 5 + ( -3 ) x + ( 3 + ( -3 ) ) = 2 x + 0 = 2 x = 2 When is it that the solution of a linear equation is unique? October 21, 2002 ee249 3

4 Uniqueness of Solution Addition is associative There is an identity element There is an inverse for each element No need for commutativity! Axiomatic approach: don t define the objects, define their properties Group = (D, f, id, inv) with the properties above Many possible examples: Integers under addition (Z, +, 0, -) Positive reals under multiplication (R +, x, 1, -1 ) Permutations under functional composition (F,, Id, -1 ) October 21, 2002 ee249 4

5 Algebraic Approach The properties of the functions must be true in any implementation of the algebra Hence they allow you to prove general facts that are independent of the particular implementation of the algebra For example, uniqueness of solutions for linear equations We will represent models of computation as instances of an algebra and prove general facts The algebra gives as a tradeoff between generality and structure October 21, 2002 ee249 5

6 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 6

7 Objective Create models for agent behaviors Study the relationships between different models October 21, 2002 ee249 7

8 A Concrete Model Define a domain of agents The set of finite state automata Defines an interface for each agent A set of signal names Defines a mechanism for instantiating agents A signal renaming function Defines a mechanism for combining agents e.g. product machine Defines a mechanism for encapsulating agents Hide local signal names from the interface October 21, 2002 ee249 8

9 An Abstract Algebraic Model Concurrency Algebra = (D,, proj, rename) Domain of agent (carrier set) Operation of parallel composition on agents Operation of projection on agents encapsulation, scoping Operation of renaming on agents instantiation Note: we don t say what the carrier and the operations are, just that they must exist! But we must provide some properties that we want satisfied October 21, 2002 ee249 9

10 Concurrency Algebra Let W be a set of signal names A signature γ = ( I, O ) is a pair where I and O are subsets of W We call the set A = I Ο the alphabet of a signature γ Each agent in D has an associated signature γ October 21, 2002 ee249 10

11 Definition of the functions If O and O are disjoint, then E E is defined and the signature is ( ( I I ) ( O O ), O O ) If I B A, then proj( B )( E ) is defined and its signature is ( I, O B ) If r is a renaming function with domain A, then rename( r )( E ) is defined and its signature is ( r( I ), r( O ) ) (where r is naturally extended to sets) October 21, 2002 ee249 11

12 Axioms C1. Associativity of composition ( E E ) E = E ( E E ) C2. Commutativity of composition E E = E E C3. Application of renaming functions rename( r )( rename( r )( E ) ) = rename( r r )( E ) October 21, 2002 ee249 12

13 Axioms C4. Renaming and parallel composition commute rename( r )( E E ) = rename( r A )( E ) rename( r A )( E ) C5. Identity of renaming rename( id A )( E ) = E C6. Application of projections proj( B )( proj( B )( E ) ) = proj( B )( E ) October 21, 2002 ee249 13

14 Axioms C7. Identity of projection proj( A )( E ) = E C8. Projection and parallel composition commute proj( B )( E E ) = proj( B A )( E ) proj( B A )( E ) C9. Projection and renaming commute proj( r( B ) )( rename( r )( E ) ) = rename( r B )( proj( B )( E ) ) October 21, 2002 ee249 14

15 Algebra of Agents Model of agents Concurrency Algebra A Concurrency Algebra Set of agents Parallel composition of agents Projection of agents Renaming of agents October 21, 2002 ee249 15

16 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 16

17 Objective of Trace Theory Start from models of individual behaviors Construct models of agents that form a concurrency algebra Construct relationships between models of agents from relationships between individual behaviors Again we use an algebra to define a model of individual behaviors October 21, 2002 ee249 17

18 Trace and Trace Structure Algebras Model of individual behaviors Model of agents Trace algebra C Trace Algebra Set of traces Projection of traces Renaming of traces Concurrency Algebra A Concurrency Algebra Set of agents Parallel composition of agents Projection of agents Renaming of agents October 21, 2002 ee249 18

19 What Is a Trace? An element of a set of objects with the following two operations projection renaming Satisfying a set of axioms You must see a pattern here Don t define the objects, define their properties! A trace algebra is a mathematical structure (a set plus the operations) that satisfies the axioms Examples of traces? October 21, 2002 ee249 19

20 Trace Algebra A trace algebra C c over W is a triple ( B C, proj, rename ) where For every A W, B C ( A ) is the set of traces over A Also use B C to denote all traces proj( B ) and rename( r ) are partial functions from B C to B C October 21, 2002 ee249 20

21 Axioms of Trace Algebra T1. Definition of projection proj( B )( x ) is defined if there is A such that x B C ( A ) and B A. When defined proj( B )( x ) is an element of B C ( B ) T2. Application of projection proj( B )( proj( B )( x ) ) = proj( B )( x ) T3. Identity of projection If x B C ( A ) then proj( A )( x ) = x October 21, 2002 ee249 21

22 Axioms of Trace Algebra T5. Definition of renaming rename( r )( x ) is defined iff x B C ( dom( r ) ). When define, rename( R )( x ) is an element of B C ( codom( r ) ) T6. Application of renaming rename( r )( rename( r )( x ) ) = rename( r r )( x ) T7. Identity of renaming If x B C ( A ) then rename( id A )( x ) = x October 21, 2002 ee249 22

23 Axioms of Trace Algebra T9. Projection and renaming commute proj( r( B ) )( rename( r )( x ) ) = rename( r B )( proj( B )( x ) ) T4. Diamond property Let x B C ( A ) and x B C ( A ) be such that proj( A A )( x ) = proj( A A )( x ). For all A A A there is x B C ( A ) such that x = proj( A )( x ) and x = proj( A )( x ) October 21, 2002 ee249 23

24 Examples of trace algebras C I = ( B CI, proj I, rename I ) For every A, the set of traces B CI ( A ) of traces over A is A (finite and infinite sequences over A) proj I ( B )( x ) is the sequence formed by removing every symbol a not in B (the sequence shrinks) rename I ( r )( x ) is the sequence formed by applying r to each element of the sequence October 21, 2002 ee249 24

25 Examples of Trace Algebras The singleton { x o } Here all behaviors are the same. It conveys no information B C ( A ) = 2 A proj( B )( x ) = x B rename( r )( x ) is the natural extension to sets Abstracts time and retains only occurrence information October 21, 2002 ee249 25

26 Examples of Trace Algebras B C ( A ) = ( 2 A ) ω proj( B )( x ) is intersection with B Events carry a time stamp (Tagged Signal Model) B C ( A ) = { x( t ) x : R + 2 A } Real-valued time stamps Projection is the restriction of the image October 21, 2002 ee249 26

27 Examples of Trace Algebras Interpret the set of signals A as a set of state variables A state is an assignment σ : A V where V is the set of possible values of the state variables B C ( A ) = ( A V ) ω Sequence of assignment functions Projection is a restriction of the domain of the assignment function October 21, 2002 ee249 27

28 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 28

29 Trace and Trace Structure Algebras Model of individual behaviors A trace structure contains a set of traces Model of agents Trace algebra C Trace Algebra Set of traces Projection of traces Renaming of traces Trace structure algebra A Concurrency Algebra Set of agents Parallel composition of agents Projection of agents Renaming of agents October 21, 2002 ee249 29

30 Constructing agents We want to go from individual behaviors to models of agents We want the model of agents to be a concurrency algebra Set of agents, with parallel composition, projection and renaming satisfying the axioms Naturally if a trace is an individual behavior, and agent is a set of those behaviors October 21, 2002 ee249 30

31 Trace Structures A trace structure (or agent) over a trace algebra C is the set of ordered pairs ( γ, P ) where γ is a signature over W (reminder: γ = ( I, O ) ) A is the alphabet of γ P is a subset of B C ( A ) In other words, P is a set of traces over the alphabet A Each trace in P represents a possible behavior of the agent October 21, 2002 ee249 31

32 Note:, proj An Algebra TS and rename of Trace TS denote operations on trace structures, Structures which are derived from the corresponding operations on Let individual Note: the Τ be a traces operations set of proj trace T and on individual structures rename (agents) T traces proj T and rename T are naturally extended to sets of A Trace tracesstructure Algebra is the 4-tuple ( Τ,, proj TS, rename TS ) where For T = T T : γ = (( I I ) (O O ), O O ) P = { x B C ( A ) : proj T ( A )( x ) P and proj T ( A )( x ) P } proj TS ( B )( T ) = ( ( I, O B ), proj T ( B )( P ) ) rename TS ( r )( T ) = ( ( r( I ), r( O ) ), rename T ( r )( P ) ) October 21, 2002 ee249 32

33 Example B C ( A ) = A T = ( ( { a, b }, ), { abab } ) T = ( ( { b, c }, ), { bcb } ) T = T T P = { x B C ( A ) : proj( A )( x ) P and proj( A )( x ) P } P = { abacb, abcab } Note: P is maximal such that its projections correspond to the agents that are being composed October 21, 2002 ee249 33

34 Example B C ( A ) = ( 2 A ) ω T = ( ( { a, b }, ), { <{ a, b }, { a }, { b } > } ) T = ( ( { b, c }, ), { < { b }, { c }, { b } > } ) T = T T P = { < { a, b }, { a, c }, { b } > } Note that under this trace algebra (with time stamps) we don t get non-determinism due to interleaving semantics October 21, 2002 ee249 34

35 Example B C ( A ) = ( 2 A ) ω (also = N 2 A ) T = ( ( { a, b }, ), { < { a }, { a }, { b } > } ) T = ( ( { a, b }, ), { < { b }, { a }, { b } > } ) T = T T Need P B C ( A ) such that proj( A )( P 1 ) = { a } and proj( A )( P 1 ) = { b } Obviously this isn t possible when projection is defined as set intersection In other words, T and T are incompatible October 21, 2002 ee249 35

36 Theorem If C is a Trace Algebra, then the Trace Structure Algebra derived from C is a Concurrency Algebra I.e. the operations of parallel composition, projection and renaming satisfy the axioms of concurrency algebra Note: the result is independent of the particular Trace Algebra (models of behaviors) that we start from October 21, 2002 ee249 36

37 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 37

38 Trace and Trace Structure Algebras Trace algebra C Trace structure algebra A Abstract Domain Ψ u Ψ l Ψ inv Trace algebra C Trace structure algebra A Detailed Domain Goal: Study the problem of heterogeneous interaction Formalize the concepts of abstraction and refinement October 21, 2002 ee249 38

39 Relationships between models Each semantic domain has a refinement order Based on trace containment T 1 T 2 means T 1 is a refinement of T 2 Guiding intuition: T 1 T 2 means T 1 can be substituted for T 2 Abstraction mapping If a function H between agent domains is monotonic, detailed implies abstract: If T 1 T 2 then H(T 1 ) H(T 2 ) Analogy for real numbers r and s: If r s then r s Conservative approximations A pair of functions Ψ = (Ψ l, Ψ u )is a conservative approximation if Ψ u (T 1 ) Ψ l (T 2 ) implies T 1 T 2 Analogy: r s implies r s Abstract implies detailed October 21, 2002 ee249 39

40 Conservative Approximations if Ψ u ( T impl ) Ψ l ( T spec ) then T impl T spec Intuitively Ψ u ( T impl ) is an upper bound of the implementation (has more behaviors) Intuitively Ψ l ( T spec ) is a lower bound of the specification (has less behaviors) Hence we are being conservative False negatives are possible. False positives are ruled out The verification at the more abstract level should be easier October 21, 2002 ee249 40

41 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms October 21, 2002 ee249 41

42 Constructing Approximations How do we build a conservative approximation? As before, we prefer to work at the level of the individual behavior October 21, 2002 ee249 42

43 Trace and Trace Structure Algebras Trace algebra C Trace structure algebra A Abstract Domain Homomorphism h Derive Ψ u Ψ l Ψ inv Trace algebra C Trace structure algebra A Detailed Domain Let T spec and T impl be trace structures in A. Then if Ψ u ( T impl ) Ψ l ( T spec ) then T impl T spec October 21, 2002 ee249 43

44 Homomorphisms on Traces Let C and C be two Trace Algebras A homomorphism h is a function from the traces in C (B C ) to the traces in C (B C ) such that h commutes with the operations of projection and renaming h( proj( B )( x ) ) = proj ( B )( h( x ) ) h( rename( r )( x ) ) = rename ( r )( h( x ) ) The homomorphism h is in general many-toone Hence C is in general more abstract than C October 21, 2002 ee249 44

45 Commutative Diagram h( x ) apply proj x apply h apply h apply proj x proj( B )( x ) x = h( proj( B )( x ) ) = proj ( B )( h( x ) ) October 21, 2002 ee249 45

46 Building the Upper Bound Let P be a set of traces, and consider the natural extension to sets h( P ) of h Clearly P h -1 ( h( P ) ) Because h is many-to-one This indeed is an upper bound! Equality holds if h is on-to-one Hence define Ψ u ( T ) = ( γ, h( P ) ) October 21, 2002 ee249 46

47 Building the Upper Bound h -1 ( h( P ) ) h(p) P October 21, 2002 ee249 47

48 Building the Lower Bound We want P h -1 ( lb of P ) If x is not in P, then h( x ) should not be in the lower bound of P Hence define Ψ l ( T ) = h( P ) h( B C ( A ) P ) There is a tighter lower bound October 21, 2002 ee249 48

49 Building the Lower Bound h( P ) - h( B C (A) P ) h -1 ( h( P ) - h( B C (A) P ) ) h( B C (A) P ) B C ( A ) - P October 21, 2002 ee249 49

50 Theorem The pair of functions just defined forms a conservative approximation if Ψ u ( T impl ) Ψ l ( T spec ) then T impl T spec This is an example of a conservative approximation induced by a homomorphism October 21, 2002 ee249 50

51 Examples of homomorphisms From B C ( A ) = A to B C ( A ) = 2 A h( x ) = { a a appears in x at least once } Prove that this is a homomorphism Must show it commutes with projection and renaming What do the upper and lower bounds look like? October 21, 2002 ee249 51

52 Outline Introduction Concurrency Algebras Trace Algebras Trace Structure Algebras Conservative Approximations Homomorphisms Conservative Approximations: inverses October 21, 2002 ee249 52

53 Approximations: Inverses Apply Ψ u Apply Ψ l Consider T such that Ψ u (T) = Ψ l (T) = T Ψ u Ψ l October 21, 2002 ee249 53

54 Approximations: Inverses Apply Ψ u Apply Ψ l Consider T such that Ψ u (T) = Ψ l (T) = T Then Ψ inv (T ) = T Ψ u Ψ l October 21, 2002 ee249 54

55 Approximations: Inverses Apply Ψ u Apply Ψ l Consider T such that Ψ u (T) = Ψ l (T) = T Then Ψ inv (T ) = T Ψ inv Can be used to embed high-level model in low level October 21, 2002 ee249 55

56 Combining MoCs T 1 T 2 Want to compose T 1 and T 2 from different trace structure algebras Ψ inv T 1 T 2 Construct a third, more detailed trace algebra, with homomorphisms to the other two Construct a third trace structure algebra Construct cons. approximations and their inverses Map T 1 and T 2 to T 1 and T 2 in the third trace structure algebra Compose T 1 and T 2 October 21, 2002 ee249 56

57 Combining MoCs T 1 T 2 Want to compose T 1 and T 2 from different trace structure algebras T 1 T 2 T Compose T 1 and T 2 Get T Project back to T 1 and T 2 Map back in the abstract domain Find restrictions due to the interaction at the higher level (constraint application) Ψ inv Find greatest possible T 1 and T 2 that still have the same interaction (don t cares, synthesis) October 21, 2002 ee249 57

58 Key Insight Using this process you can Find restrictions due to the interaction at the higher level (constraint application) Find greatest possible T 1 and T 2 that still have the same interaction (don t cares, synthesis) October 21, 2002 ee249 58

59 A Sample of Trace Algebras A* ( (A) - { }) * pomsets(a) (A V)* (sf: stutter free) (A V)* ( (A))* ((A V V) (A r E )) tomsets((a V --> V) (A r E )) (sf) (A V) 2 (A V) (A) (A*) A {0, 1, X} ((A V --> V) ( (A r C ) - { }))* (sf) (A x V)* Interleaving semantics Explicit simultaneity Partial order models State based asynchronous time State based synchronous time Event based synchronous time Metric time Non-metric time Pre-post State based discrete time Event based discrete time Discrete time with interleaving Combinational GALS Interleaving with values October 21, 2002 ee249 59