Fast and Simple Nested Fixpoints Abstract 1 Introduction 2 A Fixpoint

Download PDF
0 downloads 0 Views 178KB Size Report
Comment
Sep 2, 1996 - sions, hierarchical systems of equations, model- checking. 1 Introduction ... Our idea consists in removing one sort of xpoint iterations simply ... D of height h, i.e., the maximal number of el- ements in a ... This results in the following set of equations: ... task of computing the least (resp. greatest) so- lution of anĀ ...
Fast and Simple Nested Fixpoints Helmut Seidl FB IV { Informatik Universitat Trier D{54286 Trier, Germany email: [email protected] September 2, 1996

Abstract We give an alternative proof of the result of Long et al. in [12] that nested xpoint expressions e of alternation depth d > 1 can be evaluated over a complete lattice of height h in time O(d  ( hd?je1j )dd=2e+1 ). The advantage of our proof is that it is both extremely short and extremely simple. Keywords: Evaluation of xpoint expressions, hierarchical systems of equations, modelchecking.

1 Introduction

which were slightly improved by Bhat and Cleaveland [4]. A major improvement in the general case has been achieved by Long et al. [12]. They pointed out that the exponent in the worst case complexity can be lowered even to \about" d=2+1. Their paper explains the method for certain special kinds of formulas. Nevertheless, the argumentation is non{trivial and involved. Their result itself, however, is (at least in our opinion) so important that a simpler explanation is worthwhile. In fact, our argumentation turns out to be almost trivial. Our idea consists in removing one sort of xpoint iterations simply by syntactical iteration, i.e., unfolding. The whole art consists in doing so without overly increasing the size of the resulting system. To make our idea precise, this short note is organized as follows. Section 2 introduces basic notions concerning (hierarchical) systems of equations. Section 3 deals with the case of alternation depth 1. Section 4 formalizes our idea of syntactical removal of xpoint iterations and derives the main result. Section 5 contains a brief discussion of our method and concludes.

Since Kozen's seminal paper [11] on modal { calculus in 1983, this logic has been widely used for the speci cation of properties of concurrent processes (see, e.g., [13, 14]). Especially, the model-checking problem, i.e., the question to determine whether or not a given system satis es a formula, has attracted attention. In [8], Emerson and Lei presented an algorithm where the exponent in the worstcase complexity is given by d + 1 where d is the alternation depth of the formula to be veri ed. Their 2 A Fixpoint Calculus method has been re ned by Cleaveland, Klein and Ste en [7]. For formulas of alternation In essence, the model-checking problem for { depth 1, even linear algorithms have been pro- formulas boils down to the evaluation of a xposed (see, e.g., [2], [1] or [6]). For other impor- point expression like tant fragments of {calculus, Emerson, Jutla and Sistla exhibited polynomial algorithms [9] x1 :f1 (x2 :f2 (h x1 ; x2 ); y:g (h x1 ; y)) 1

over some nite complete lattice. Instead of de ning such kinds of expressions (together with their semantics) formally, we prefer to introduce the slightly more exible concept of hierarchical systems of equations. In a subsequent example, we hope to convince the reader that xpoint expressions very easily can be translated into our formalism. Assume we are given a nite complete lattice D of height h, i.e., the maximal number of elements in a strictly increasing sequence d0 @ d 1 @ : : : @ d r in D equals h + 1. Let denote a set of operator symbols where each f 2 denotes a monotonic function [ f ] : Dk ! D for some k  1. As right hand sides of equations we allow expressions built up from formal variables from some set Y and constants by application of operators from . The set of all these expressions is denoted by E [D (Y ). Every expression e 2 E [D (Y ) denotes a function [ e] : (Y ! D) ! D. This function is monotonic since all operations in are monotonic. A hierarchical system of equations with free variables from F is a pair (S; H). S is the nite basic set of equations x = ex ; x 2 X , where for every x, ex is an expression in E [D (X [ F ), and H is a hierarchy on X . A hierarchy consists of a sequence H = (hXk ; k i; : : : ; hX1 ; 1 i) of mutually disjoint nonempty sets Xj where X  X1 [ : : : [ Xk together with quali cations j 2 f;  g. Intuitively, hierarchy H on S is introduced in order to re ect the nesting of scopes of variables within which xpoint iteration is performed. The set X0 = Xn(X1 [ : : : [ Xk ) represents the \non{recursive" auxiliary variables. We assume a suitable linear ordering \" on X0 such that y 2 X0 occurs in right hand side ex ; x 2 X0 , only if y < x. Fixpoint iteration is (potentially) performed on the variables in X1 [ : : : [ Xk . These are therefore also called iteration variables.

A representation of this formula by a hierarchical system is obtained by introducing an extra equation for each xpoint subexpression. For our example this gives set S consisting of:

x1 = f1 (x2 ; y) x2 = f2 (h x1 ; x2 ) y = g (h x1 ; y) Hierarchy H now is obtained by dividing the set of xpoint variables of  into \layers" within which only xpoints of the same kind occur. Thus for our example formula , H = (hX2 ; i; hX1 ;  i) where X1 = fyg and X2 = fx1 ; x2 g. Auxiliary variables can be introduced for returning the result for the whole formula (in case it does not have a xpoint on top level) or to remove multiple occurrences of the same subexpression. In our example, we could introduce a fresh auxiliary variable z to receive the value for h x1 . This results in the following set of equations:

x1 x2 y z

= = = =

f1 (x2 ; y) f2 (z; x2 ) g (z; y) h x1

2

Usually, if H is understood, we write S for the hierarchical system. We also denote the fact that Xj is quali ed with j by Xj : j . Fix some 0  j  k, and let X 0 = X0 [ : : : [Xj . Then the j {th subsystem Sj of S is given by the base set of equations x = ex ; x 2 X 0 ; together with hierarchy Hj = (hXj ; j i; : : : ; hX1 ; 1 i). Note that the free variables of Sj are contained in F [ Xj +1 [ : : : [ Xk . An environment  for S is a mapping  : F ! D. The solution of S relative to environment  in D, denoted by [ S ] , is a mapping X ! D. It is de ned by induction on length k of hierarchy H. If k = 0, then no xpoint iteraExample 1 Assume we are given a xpoint tion is necessary. Values [ S ]  x; x 2 X0 , are expression like obtained by successively evaluating right hand   x1:f1 (x2 :f2 (h x1 ; x2 ); y:g (h x1 ; y)) sides according to ordering \". Formally, let 2

X0 = fx1; : : : ; xm g where x1 < : : : < xm, and assume : fx1 ; : : : ; xj ?1 g ! D, given by xi = [ S ]  xi, i < j , has already been de ned. Then [ S ]  xj = [ ex ] ( + ). Note that we use the \+"{operator to combine two functions with disjoint domains into one. For k > 0, let X 0 = XnXk and Sk?1 denote the (k ? 1){th subsystem of S . Consider monotonic function G : (Xk ! D) ! Xk ! D given by G x = [ ex ] ( + + [ Sk?1 ] ( + )). In case Xk is quali ed as , let  denote the least xpoint of G. Otherwise, let  denote the greatest xpoint of G. Then [ S ]  is de ned by [ S ]  x =  x if x 2 Xk and [ S ]  x = [ Sk?1 ] ( + ) x if x 2 X 0 . j

Fact 1 Assume k > 1 and S is system of equations with hierarchy H given by (hXk ; k i; hXk?1 ; k?1 i; : : : ; hX1 ; 1 i). If

uniform cost measure, i.e., storing and retrieving elements from D, comparing elements from D for equality and applying operators from

are all counted for 1. Accordingly, P we de ne the size of system S as jS j = x2X 1 + jexj. In case the alternation depth of system S equals 1, computation of the solution reduces to the task of computing the least (resp. greatest) solution of an ordinary system of equations over complete lattice D. This can be done by a standard worklist algorithm. We conclude:

Proposition 2 Given a system S of alterna-

tion depth 1 and environment  for the free variables in S , the solution of S can be computed in time O(h  jS j). 2

4 Syntactical Removal of Fixpoint Iterations

k = k?1 then for every environment , S together with H has the same solution as S together with hierarchy (hXk [ The idea of our algorithm is based on the trivXk?1; k i; hXk?2; k?2 i; : : : ; hX1 ; 1 i). 2 ial observation that in a lattice of height h, the least xpoint is reached after at most h iterDe ne the n{th iterate of g on d by It follows that we can always remove suc- ations. 0 n n?1 cessive occurrences of 's or  's in the hi- g d = d and for n > 0, g d = g (g d). We erarchy until we end up with a hierarchy (hXk ; k i; : : : ; hX1 ; 1 i) where j 6= j ?1 for all j > 1. Systems with this property are called normalized. The length k of the hierarchy of a normalized system is also called its alternation depth. Note that we deviate here from the de nitions in [4], [7] or [8] for formulas. the de nitions there re ect the possibility of extracting closed formulas and computing their meanings once and for all beforehand. It is for simplicity that we refrain from integrating a similar idea for hierarchical systems of equations into our de nition and algorithm but remark that such an optimization is clearly possible as well.

have:

Observation 3 If g : D ! D is monotonic

then the least xpoint (resp. greatest xpoint) of g is given by gh ? (resp. gh >). 2

The same observation holds true for monotonic mapping g : (Y ! D) ! (Y ! D) if exponent h is replaced with exponent q = h  #Y where #Y denotes the cardinality of set Y . So let S denote a normalized system of alternation depth k + 1 with hierarchy (hXk+1 ; k+1 i; : : : ; hX1 ; 1 i). For every q  1 and : Xk+1 ! D, we construct system S h ; qi with alternation depth k. S h ; qi is obtained from S by (syntactically) unrolling the 3 Systems with Alternation iteration on the variables in Xk+1. Depth 1 De ne X 00 = fhx; j i j x 2 X ; 0  j < qg, and X 0 = X [ X 00. S h ; qi consists of the equaIn order to formally estimate computational tions x = e0x ; x 2 X 0 , together with hiercosts, let us assume that our algorithm is im- archy (hX 0 k ; k i; : : : ; hX 0 1 ; 1 i) where for j = plemented on a Random Access Machine with 1; : : : ; k, Xj0 = Xj [ fhx; ii j x 2 Xj ; 0  i < qg. 3

The right hand sides e0x of the equations are de ned as follows. If x 2 Xk+1 , then

 e0x is obtained from ex by replacing each occurrence of variable y 2 X with hy; q ? 1i;  e0hx;0i = x, and  for j > 0, e0hx;ji is obtained from ex by re-

z = h x1 hz; 1i = h hx1 ; 1i hz; 0i = h hx; 0i with hierarchy H = (hX1 ;  i) where X1 = fy; hy; 1i; hy; 0ig. Note that variables xi ; hxi; j i now have become auxiliary. 2 We have:

placing each occurrence of variables y with Proposition 4 Let  be an environment for S (and hence also for each S h ; qi). Then the hy; j ? 1i. following holds: If x 2 XnXk+1 , then 1. jS h ; qij  (q + 1)  jS j. 0  ex  ex, and 2. S h ; qi can be constructed from S in time 0 O((q + 1)  jS j).  for all j , ehx;ji is obtained from ex by replacing each occurrence of y 2 X with 3. If q = h  #Xk+1 and Xk+1 :  then hy; j i. [ S ]  x = [ S h?; qi]  x for all x 2 X where variable assignment ? maps every Intuitively, S h ; qi is obtained by taking q exx 2 Xk+1 to ?. tra copies of S . The variables hx; j i, x 2 Xk+1 , In case Xk+1 :  , the same holds true if are meant to receive the j {th iteration for vari? is replaced with >, mapping every x 2 able x. hx; 0i receives the start value x for the Xk+1 to >. 2 iteration whereas for j > 0, the value of hx; j i is computed relative to the values of hy; j ?1i, i.e., the former approximation. Finally, variables x Proof. We only consider Assertion (3). Let receive the values of the q{th approximation. X 0 = XnXk+1 and Sk denote the k{th subsystem of S . Consider monotonic function Example 2 Consider the system of equations G : (Xk+1 ! D) ! Xk+1 ! D given by from our last example and assume we are going G x = [ ex ] ( + + [ Sk ] ( + )). W.l.o.g. to compute its solution over lattice D = f0 @ Xk+1 is quali ed as . Then [ S ], restricted to Xk+1 , equals the least xpoint of G. Since 1g with height 1. D has height h,  = Gq ? for q = h  #Xk+1 . Removing least xpoint iteration on fx1 ; x2 g Now consider hierarchical system S 0 = S h?; qi. results in: Assertion 3 follows if we were able to prove for every 0  j  q (for simplicity, we introduce x1 = f1 (hx2 ; 1i; hy; 1i) h x; qi as a renaming of x): x2 = f2 (hz; 1i; hx2 ; 1i) hx1 ; 1i = f1 (hx; 0i; hy; 0i) (1) If x 2 Xk+1 then [ S 0 ]  hx; j i = Gj ? x. hx2 ; 1i = f2 (hz; 0i; hx; 0i) (2) If x 62 Xk+1 then [ S 0 ]  hx; j i = [ Sk ] ( + hx1 ; 0i = ? Gj ?) x. hx2 ; 0i = ? y = g (z; y) It is not di cult to see that Claim (2) holds for hy; 1i = g (hz; 1i; hy; 1i) j whenever Claim (1) holds for j . Therefore, we concentrate on a proof of Claim (1). hy; 0i = g (hz; 0i; hy; 0i) 4

We proceed by induction on j . For j = 0, Claim (1) holds by de nition. Now assume j > 0. Then we know that [ S 0 ]  hx; j i = [ ehx;j i ] ( + [ S 0 ] ) = [ ex ] ( + ) where y = [ S 0]  hy; j ? 1i. By induction hypothesis, y = Gj ?1 ? y if y 2 Xk+1 and y = [ Sk ] ( + Gj?1 ?) y otherwise. But then, by the de nition of G, [ S 0 ]  hx; j i = [ ex ] ( + Gj ?1 ? +[[Sk ] ( + Gj ?1 ?)) = Gj ? x for every x 2 Xk+1 which we wanted to prove.

2

Note that syntactical unrolling of xpoint computations is as well possible for sets Xj , j < k + 1. To eliminate iteration on Xj , we simply replace subsystem Sj with system Sj h ; qi where q = h  #Xj and = ? if Xj :  and = > otherwise. We combine Fact 1 together with Prop. 4 to derive our main Theorem:

quali ed as . If we remove all sets quali ed  from the hierarchy, we obtain from Prop. 4:

jS 0 j  (n1 h + 1)    (nsh + 1)  jS j Likewise, if we remove all sets quali ed  from the hierarchy, we obtain

jS 0j  (m1h + 1)    (mt h + 1)  jS j We may remove that kind of quali cation where sizes sum up to  n=2. W.l.o.g. assume that this is the case for  , i.e., n1 + : : : + ns  n=2. First assume d is even. Then s = t = d=2. Hence, s (n1 h + 1)    (ns h + 1)  ( nh 2s + 1) d=2  ( nh d + 1)

Theorem 1 Assume S is a normalized hier- Now consider the case where d is odd. Since archical system of alternation depth d > 1 with (d ? 1)=2  s; t  (d + 1)=2, we have: n iteration variables. Then there exists a system S 0 of alternation depth 1 with identical set nh s of free variables such that the following holds: (n1 h + 1)    (ns h + 1)  ( 2s + 1) (d+1)=2  ( dnh 1. If d is even, jS 0 j  ( hdn + 1)d=2  jS j; ? 1 + 1) If d is odd, jS 0 j  ( dh?n1 + 1)(d+1)=2  jS j; and our assertion follows. 2 0 2. jS j can be constructed in time propor- Finally applying Prop. 2, we conclude: tional to its size; 3. [ S ]  x = [ S 0 ]  x for every environment Corollary 2 The solution of a normalized  and every variable x of S . system S of alternation depth d > 1 and with n iteration variables can be computed in time 2 O(h  ( dh?n1 + 1)dd=2e  jS j). Proof. Repeatedly applying Prop. 4 to the subsystems of S we either may remove from the hierarchy all subsets quali ed with  or all Corollary 3 A xpoint expression e with alsubsets quali ed with  . Subsequent normal- ternation depth d > 1 and n occurrences of  ization according to Fact 1 yields the desired or  can be evaluated in time system S 0 . It remains to estimate the size of O(h  ( dh?n1 + 1)dd=2e  jej). 2 S0. For the following calculations we rst recall that for all x1 ; : : : ; xr 2 N , x1 + : : : + xr  m 5 Discussion and Conclusion implies that x1  : : :  xr  ( mr )r . Let n1 ; : : : ; ns be the sequence of sizes of We presented a simple method for computing the sets in the hierarchy quali ed as  and the solution of hierarchical system S of equam1; : : : ; mt the corresponding sequence for sets tions. The algorithm has the same or even 5

the Construction and Analysis of Systems slightly better estimation of its worstcase com(TACAS), LNCS 1055, 107{126, 1996 plexity than the one sketched in [12]. Additional bene t is gained from the new distinc- [5] J.R. Burch, E.M. Clarke, K.L. McMillan: tion between iteration variables and auxiliary Symbolic Model Checking 1020 States and Beyond. Inf. and Comput. 98, 142{170, 1992 ones. In light of our exposition, the algorithmic idea [6] R. Cleaveland, B. Ste en: A Linear Time Model Checking Algorithm for the of Long et al. in [12] can be interpreted as Alternation{Free Modal {Calculus. Formal 0 evaluating system S (which we constructed by Methods in System Design 2, 121{147, 1993 syntactical xpoint removal) without explicitly constructing S 0 . Their hope is that usually x- [7] R. Cleaveland, M. Klein, B. Ste en: Faster Model Checking for the Modal {Calculus. points are reached after much fewer iterations Proc. 4th Conf. on Computer Aided Veri cathan theoretically possible. tion (CAV), LNCS 663, 410{422, 1992 It seems, however, that this potential gain may [8] E.A. Emerson, C.{L. Lei: Ecient Modell as well be achieved by our method if we do Checking in Fragments of the Propositional { not construct S 0 in advance which clearly may Calculus. Proc. 1st IEEE Symp. on Logic in Computer Science (LICS), 267{278, 1986 cause a tremendous waste in space and time but create an algorithmic description of it and [9] E.A. Emerson, C.S. Jutla, A.P. Sistla: On apply some general demand{driven equation Model{Checking for Fragments of {Calculus. solver (e.g., the one from [10]) which builds up Proc. 5th Conf. on Computer Aided Veri cation (CAV), LNCS 697, 385{396, 1993 the system to be evaluated \by need". A practical evaluation on real world bench- [10] C. Fecht, H. Seidl: An Even Faster Solver for General Systems of Equations. Tech. Report marks is highly desirable to nd out whether 96{11, Trier, 1996. To appear in Proc. 3rd Int. the presented theoretical improvement also Static Analysis Symposium (SAS), 1996 leads to practical improvements over existing conventional algorithms, e.g., the one of [11] D. Kozen: Results on the Propositional { Calculus. TCS 27, 333{354, 1983 Cleaveland, Klein and Ste en [7]. Long, A. Browne, E.M. Clarke, S. Jha, Acknowledgement: Many thanks to Andre [12] D.E. W.R. Marrero: An Improved Algorithm for Arnold who patiently listened to rough the Evaluation of Fixpoint Expressions. Proc. sketches of the ideas and encouraged submis6th Conf. on Computer Aided Veri cation sion for publication. (CAV), LNCS 818, 338{350, 1994

[13] C. Stirling: Modal and Temporal Logics. In: S. Abramsky, D. Gabbay, and T. Maibaum (eds.): Handbook of Logic in Computer Science, 477{563, 1992 [14] M.Y. Vardi: A Temporal Fixpoint Calculus. Proc. 15th Int. Conf. on Principles of Programming Languages (POPL), 250{259, 1988 [15] M.Y. Vardi, P. Wolper: Automata{Theoretic Techniques for Modal Logics of Programs. JCSS 32, 183{221, 1986

6 References [1] H.R. Andersen: Model Checking and Boolean Graphs. TCS 126(1), 3{30, 1994 [2] A. Arnold, P. Crubille: A Linear Time Algorithm for Solve Fixpoint Equations on Transition Systems. Inf. Proc. Letters (29), 57{66, 1988 [3] O. Bernholtz, M.V. Vardi, P. Wolper: An Automata{Theoretic Approach to Branching{ Time Model Checking (Extended Abstract). Proc. 6th Conf. Computer Aided Veri cation (CAV), LNCS 818, 142{155, 1994 [4] G. Bhat, R. Cleaveland: Ecient Local Model Checking for Fragments of the Modal Calculus". Proc. Tools and Al;gorithms for

6