NASA/CR-2001-210663 ICASE
Report
No.
2001-5
Saturation: An Efficient Iteration Symbolic State-space Generation Gianfranco
Ciardo
The College Gerald The Radu
Strategy
of William
& Mary,
Williamsburg,
Virginia
Liittgen
University
of Sheffield,
Sheffield,
United
Kingdom
Siminiceanu
The College
February
of William
2001
& Mary,
Williamsburg,
Virginia
for
The
NASA
STI
Program
Office...
Since its founding, NASA has been dedicated to the advancement of aeronautics and space science. The NASA Scientific and Technical Information (STI) Program Office plays part in helping NASA maintain this important
CONFERENCE
PUBLICATIONS.
Collected
from scientific
papers
and
technical conferences, symposia, seminars, or other meetings sponsored cosponsored by NASA.
a key
or
role. SPECIAL technical,
The NASA STI Program Office is operated by Langley Research Center, the lead center for NASA's scientific and technical information.
NASA
collection
of aeronautical
programs,
projects,
and missions, having
and space
science STI in the world. The Program is also NASA's institutional mechanism disseminating development
PUBLICATION. Scientific, or historical information from
often concerned with subjects substantial public interest.
The NASA STI Program Office provides access to the NASA STI Database, the largest
in Profile
TECHNICAL
Office for
the results of its research and activities. These results are
published by NASA in the NASA STI Report Series, which includes the following report types:
TRANSLATION.
English-
language translations of foreign and technical material pertinent NASA's mission.
Specialized
services
scientific to
that complement
the
STI Program Office's diverse offerings include creating custom thesauri, building customized
TECHNICAL PUBLICATION. completed research or a major
Reports significant
of
phase of research that present the results of NASA programs and include extensive data or theoretical analysis. Includes
data bases, organizing and publishing research results.., even providing videos.
For more information Program
Office,
about
the NASA
STI
see the following:
compilations of significant scientific and technical data and information deemed to be of continuing reference counterpart of peer-reviewed professional
papers,
value. NASA's formal
but having
•
Access the NASA STI Program Page at http://www.sti.nasa.gov
•
Email your question help@ sti.nasa.gov
•
Fax your question
Home
less
stringent limitations on manuscript length and extent of graphic
via the Internet
to
presentations. TECHNICAL
MEMORANDUM.
Help Desk at (301)
to the NASA
STI
621-0134
Scientific and technical findings that are preliminary or of specialized interest, •
e.g., quick release reports, working papers, and bibliographies that contain minimal annotation. Does not contain extensive
analysis.
CONTRACTOR
Telephone the NASA (301) 621-0390
STI Help Desk at
Write to: REPORT.
Scientific
technical findings by NASA-sponsored contractors and grantees.
and
NASA STI Help Desk NASA Center for AeroSpace 7121 Standard Drive Hanover,
MD 21076-1320
Information
NASA/CR-2001-210663 ICASE
Report
No. 2001-5
=
_;_
_
._i_i!i.......
_-%i
_; _
Saturation: An Efficient Iteration Symbolic State-space Generation Gianfranco
Strategy
for
Ciardo
The College
of William
& Mary,
Williamsburg,
Virginia
Gerald L_ttgen The University
of Sheffield,
Sheffield,
United
Kingdom
Radu Siminiceanu The College
of William
& Mary,
Williamsburg,
Virginia
ICASE NASA Langley Hampton, Operated
Research
Virginia by Universities
Center Space Research
Association
National Aeronautics and Space Administration Langley Research Center Hampton, Virginia 23681-2199
February
2001
Prepared for Langley Research Center under Contract NAS 1-97046
Available
fi'om tile following:
NASA Center 7121 Standard Hanover,
for AeroSpace Drive
MD 21076
(301) 621 0390
1320
hffomlation
(CASI)
National
TectHficalhffomlation
5285 Port Royal
Road
Spfingfield, VA22161 (703) 487 4650
2171
Service(NTIS)
SATURATION:
AN
EFFICIENT
SYMBOLIC GIANFRANCO
Abstract. using
This
paper
Multi-valued
is not encoded application
as a single
of various strategy,
several
of magnitude
orders
peak
memory
Key
is often
words,
Subject
1.
Introduction. such
constructing
and
storing
Diagrams
sizes
techniques
eration
latter using
asynchronous an event This
systems,
requires
global
frameworks allowing
each event
including
Petri
each component results
consumption
nets
when
compared
these
updates
relatively the
of a system
This
permits
this paper
state
the
introduces performing
the algorithm's
required
spaces.
saturation,
state-space
fundamental
challenges
is itself
[31] and
vector
generation
with
work
symbolic
by the
which authors
which
construct
as a BDD
algebras
Decision fashion.
as it increased
the
state-space
generation
techniques
are known
not to work
suffer
state-space
from
in the
exploited
and state
context the
fact
state
the
local
spaces
functions
explosion.
of state-space that,
vector
[11]. Hence,
manipulation
in most satisfy
gen-
in event-based
by iteratively
[28]. Additionally,
[5], next-state
Binary
in a compact
circuits,
explicit
of a system's
functions
which
to be updated
state-space
traditional
requires
One research
usually
sets of states digital
formal
systems
of a workstation.
large
protocols,
for many
digital
diagrams,
of synchronous
encoded
of locality
memory
representing
next-state
process
of today's
use of decision
just a few components
techniques
ideas
small
[25] (MDDs),
of local
which
to other
systems
On top of usually
the overall
most
Unfortunately,
in previous Diagrams
of the state
implementing
functions.
In particular,
complexity
106 states,
[10].
BDD-based
function
function
generators,
diagrams,
high
as communication
application
to classic
for storing
verification
about
102° states
Decision
only the
next-state
from
was addressed
Multi-valued
is in contrast
single,
mental
problem
The
for implicitly
for the
such
space.
state-space
is one of the
suggests
structure
systems,
next-state
of integer
state
decision
in the
literature
spaces
[18, 19], to about
needed
[16].
spaces
successful
of state
well for asynchronous The
as a data
the
of asynchronous
Science
checkers
state
in the
to be very
manageable
memory
work,
spaces
it in the tool SMART.
BDD-based
generation
as model
pursued
[8] (BDDs),
proved
existing
Computer
huge
a system's
multi-valued
State-space
tools,
to related
state
as cross-products
to build
than
strategy,
but
FOR
AND RADU SIMINICEANU t
for generating
and implements
close to the final
iteration
widely
function,
saturation, faster
algorithm
STRATEGY
GENERATION*
L/JTTGEN$,
In contrast
strategies
called
verification
This
Boolean
classification.
direction
a novel
Diagrams.
iteration
a new elegant
STATE-SPACE
CIARDO t, GERALD
presents
Decision
ITERATION
firing
of MDDs. applying
a
concurrency
a product
somewhat
independently
of the others.
showed
significant
improvements
in speed
generators
[30].
form Experi-
and memory
*This work was supported by the National Aeronautics and Space Administration under NASA Contract No. NAS1-97046 while the authors were in residence at ICASE, NASA Langley Research Center, Hampton, VA 23681-2199, USA. G. Ciardo and R. Siminiceanu were also partially supported by NASA Grant No. NAG-I-2168. tDepartment of Computer Science, P.O. Box 8795, College of William and Mary, Williamsburg, VA 23187-8795, USA, emaih {ciardo, radu}@cs.wm.edu. SDepartment of Computer Science, The University of Sheffield, 211 Portobello Street, Sheffield $1 4DP, U.K., emaih
[email protected].
In this state
paper
space
we take
considered
often
all events
affecting
considered The
enough
reduces We
on
case
390KB
Our
notation,
space evaluated
in
surveyed
in Section
2.
MDDs
high-level
for
states;
(ii)
s E S,
which
states
can
algebras,
and
Ale is the
can
enter
system
where
.....
space
2.1. structures common K
state
of our
of the
system;
and
this
of node
are
discussed
function
as
with
(iii)
in state
set
s.
saturation
system
e.
23,
models.
Finally,
for future
step.
Af -- [Jecc We
say
Moreover,
Ale,
that
where
Ale (s)
event
novel
e is called
is
work
expressed the
is
such
set
of
describing
as Petri
nets
set
of states
disabled
in a
"type"
function,
C is a finite
is the
state-
algorithm
related
model
cases,
much
framework
our
describing
next-state
In many
only
work.
system states
state
using
to engineers.
as well as our 4, and
the
PC
formal
in Section
directions
--+
our
to
requirements.
to handle
feedback
of
in contrast
III
be able
introduces
that
orders
associated
Pentium
faster
of potential
Af : S
a union
event
the
A discrete-state
the
in a single
to construct
system and
Spaces. S,
able
section
idea
and memory
will
proof
indicate
several
to its final
tools
saturated.
overhead,
studies
close
MHz
are
management.
and
important
provide
next
conclusions
State
state
also
cache
fires
elegant
administration
algorithm
on a 800
asynchronous
(i)
or fires,
paper
In
being and
functions
point
iterations,
other
words,
to the
to
E N, so that
encode
that
of the
model
closed
with
respect
in
$.
This
order,
as
which
are
known
i E $ if and $ is finite;
system
only
long to
is usually
consideration
is the
i.e.,
U Af(s)
Af,
$
-- {s}
Af is composed
as we
consider
yield
the
if it can
and
of events
the
system
in s if Ale (s)
-- _;
desired
be reached
for most
each
set
containing
U Af(Af(s))
U ....
functions
Ale often
enough.
This
i.e.,
reachable
point,
s through
zero
asynchronous
the
Ale, for
or more
systems,
e E C,
results
in state
event the
the Af* (s),
of several
fixed
from
practical
smallest
firings.
size
of $ is
problem.
Diagrams.
state
to When
however,
explosion
system
under
closure.
any
Decision
in asynchronous a global
C_ S
transitive
state-space
Multi-valued
case
$
s and
we assume
due
space
reflexive
these
fixed
$ [21].
enormous
e occurs,
state
denotes
iterate
In this
a suite
associated
The our
objects:
expresses
will
an
is
nodes
already
for
efficient
more
verification
details
three
a given
function
event
reachable
initial
"chaotic"
state from
a model
as follows.
Structured
we are
and
presents
often
1 second
state-based
possible
7 contains
specify
reached
problem,
Even
event
it is enabled.
The
we can
Section
are
in under
3 then
it to
[II].
old
reachable
exhaustively
are
experimental
our
the every
Moreover,
allows
much
more
as
which
shape.
also
and
than
algorithm
future
and
that long
descendants
but
[12],
faster
implementation
applying
initial
next-state
when
otherwise,
Section Some
must
be
that
all its
a simpler
SMART
philosophers'
is organized
Encoding
the
of our
strategy
eliminates
generators
is currently
paper
6, while
formalism
process
than
5 by
tool
philosophers,
imply
MDDs.
Section
the
state-space
dining
algorithm.
enables
in
results
including
and
as
saturated
concise,
saturation
observing
order,
a novel
is processed, only
by
in any
it to its final
[II],
of magnitude
further
events proposing
is not
algorithm
for I000
of this
generation
events,
requirements
systems
remainder
a node
work
order
by
bringing
when
previous
existing
states,
freedom
algorithm
step
system's
one
well-known
asynchronous The
other memory
10627
of memory.
larger
and
of the
new
about
peak
of about
our
the
thereby
i.e.,
of firing
the
the
work,
to
a significant
firing this
node,
fashion,
average than
by
exploit
MDD
number
faster
approach
built
generation
implemented
the
space
We
a given
average
magnitude
In
[21].
Compared
performs
related
be
state-space
the
previous
can
in a depth-first
resulting
of correctness.
it
our
of a system
One
possible
design, is a K-tuple
way
when
where
to cope the
system
a system
model
(iK,...
, il),
where
with has
this
problem
some
is composed i k is the
local
is to
structure. of t_ state
use We
efficient
data
consider
subraodels, for submodel
the
for some k.
(We
S 4 =
S = {1000, 1010, 1100, 1110, 1210, 2000,
{0,1,2,3}
s 3 = {o, 1,2}
2010, 2100, 2110,
s 2 = {o, 1} ¢_1
=
{0,
1,
2210, 3010, 3110, 3200, 3201, 3202,
2}
3210, 3211, 3212}
F_G.
use superscripts __ sK
× ...
for submodel × $1
with
can be partitioned
corresponding
submarkings.
local state
into
index
for that
nodes,
(0.0) and
node
(k-1.q),
as eliminating
same
level.
a node
(k.p),
(ik,ik-1,
encoded
would
cannot
"'"
=
{a E S K ×
E S k
by the MDD.
We reserve
the indexes
In particular,
B((0.0))
a system reached system
step. through models,
×
'''
×
:
acyclic
node,
of the
graph
Level they
K
where:
k is the level
node
nodes.
the
1}, for each
where
non-terminal
prefixed
= {0}.
(K.r),
the
0 consists
of
have a special
same
:
is often
of arcs
it through
as) another
any integer
-- (0.1)} = (k.p)}
by a substate
node
sequence
at the
7 ----dr
in A((k.p)),
(k.p);
"above"
(k.p).
form
a (global)
the sets 0 and Sk ×...
2.1 shows a four-level
$ using
a key difference
efficiently
"below"
example
state
encoded
× 31, respectively.
MDD
and the set S
stored.
space
expressible
for our purposes,
for K > k > l > 1, as
node((K.r),a)
Figure
next-state
for
levels.
pattern
from
for i E $a
[8, 9], we allow
respectively,
are actually
and
global
i th arc,
setting
if 7 = 0, the and empty{k.p)[i sequence (ik,5) k] = q.
over 2K variables,
we explicitly
If the
BDD
This will be convenient
multiple
reached
k-1.
original
node.
node((k.p),/3)
that,
However,
as an MDD
this function
S 1
the state
is straightforward.
of the
, n a-
0 or 1 because
at level
in the
k-l+1,
× S k-}-I
nodes
for generating
one step
a generic
Thus,
for example,
{0,...
non-terminal
0 and I at each level k to encode
highlighted
Instead,
node
"'"
= 0 and B((0.1))
function
the
p are then,
A((k.p))
the next-state
nets,
i.e., a directed
for indexes
indexes.)
as the composition
interval
only a single
to nodes
Unlike
(k.p) node({k-l.q),5)
{/_
to MDDs
integer
one or more
to the same
of length
S l
---
algorithms
for event
size n a. In Petri
(k.p) to denote
(i.e., have the
define
=
the substates
Many
it.
subscripts
MDD,
lead to arcs spanning
by p or reaching
by it; only the
by
can be written
initial
ordered)
pointing
= q.
duplicate
×
contains
encoded
the
encoded
later.)
B((k.p))
B((k.p))
finite
(We use boldface
all arcs pointing
S k-1 ×
$
and
Level K contains
(k.p)[i]
node({k.p),7) The substates
with
1 contain
(0.1).
we can recursively ×
space
some
We write
has n a arcs
node
"'" ,i l) E S k
having
sa
(k.p)
such nodes
state
and the marking
we write having
* A non-terminal
sa
level.
through
as we will explain
nodes,
space
K + 1 levels.
two terminal
redundant
the
$ C_S via a (quasi-reduced
K-1
is to node
and
for exponentiation--
identifying
levels
* A non-terminal
them
--not
root, whereas
meaning,
MDD
into K subsets,
are organized
and p is a unique
Thus,
example
When
K > k > 1, one can encode * Nodes
An
indexes
each
set of places
Given
2.1.
BDDs
update
been
proposed
in our new approach
recording
function
have
the
MDD when
as the cross-product
K state nodes
firing
is that
directly,
before
adding event.
next-state
adapting
we do not encode
components
a given
of local
[28], and
the
and after new
states
For asynchronous functions.
2.2. Product-form Behavior. An asynchronous systemmodelexhibitssuchbehaviorif, for each evente, its next-state function Ale can be written as a cross-product of K local functions, i.e., Ale = Afff
× ...
First,
× A;_ where
many
partition
modeling
formalisms
of its places.
coarsen where
H k : Sk ___+ 2 Sk ' for all K > k > 1. This requirement
Second,
K or refine
since,
we may
in the
with
worst
Afe_,j (i a) =
representations, However,
this
Finally, state
and
Afe_,j (i 2) =
where
K
= 1 or where
some
Af_k = Af_
Aft to substates
sets of states: for _" c g. 3.
A Novel
event-based state enough
then
iteration
strategy.
previous
work
level k, all events As main
e with
contribution
only simplifies
idea is to fire events we say that the firing shown
of any event
by contradiction
routine of the
node
for firing state respect
space
concentrate Just
that
under
on the
as in traditional
nodes,
and
paper,
functions states
operation
event.
k, if the
x Hcz(il),
local be
= k are said to be requirement,
Alek' while Af_k (i')
that
that
= {i'} for
by gk.
We also
for K > k > l > 1; to
Af_-(X)
are found.
= Oec_-Afe(X),
the
for each
We refer to a specific
through
The
of an
system's
is considered order
of state-space
MDDs
behavior
event.
as long as each
the efficiency
cycled
we describe
function
in any order,
influences
strategy
we present but
a novel
often
of iteration
generation.
level-by-level
iteration
strategy,
improves
its time
of level-wise
and just
also significantly
and exhaustively,
instead
if it encodes
any node
below
in order
to reveal
construction, on which
can be carried solely
Recall
next-state
a set of states
at its level or at a lower level, i.e., if/3((k.p})
to the levels
manipulations
these
(k.p} is saturated
some event,
]'
as
In our
and fired, at each
= k.
algorithm,
node-wise
an MDD
k
to explicit
and Last(e)
at level k is denoted
= H_(i k) x ...
Saturation.
of strategy
a naive
of this
our previous
¢
the product-form
× SZ; and to sets of events:
a product-form
reachable
choice
First(e)
× ...
Node
using
by iterating
the
,il))
on level
= Last(e)
Af_k = O{e:First(e)=Last(e)=k}
H¢((ik,...
e _a'2¢i_
to a different
of e. Let First(e)
violating
"starting"
(ja,j2)
in our studies.
e depends
First(e)
is possible
Af__ Last(e)
the
table,
on nodes safely
).
ll.
Node
is updated
to (1.1)
(*, 0, 1), with
arbitrary
the sequence
(1.3)
to point
(cf. Snapshot first
of calls RecFire(es1,1,
and its arc (1.3)[0]
to the unique
to the MDD,
arc (2.2)[1]
component, (2.2)[0])
is set to 1 (cf. Snapshot
then
becomes
identical
to node
but
deleted.
Returning
from
table
to the outcome
since the state
of the firing
(c)).
and (d)),
(1.1)
(cf.
RecFire
on
(cf. Snapshot
set 3 3 × {1} × {0} was already
(f)).
encoded
level
event:/1
3
*
2
*
1
event:/2
event:13event:e21event:e321
•
1_0
•
0_1
•
0_1
0_2
•
1_0
0_1
0_1,2_1
0_1,1_2,2_0
*
2
2
@
@
(1) (a)
(d)
(f)
(e)
2
_2
2
1
@
@
(k)
_2
(in)
(1) F_G. 3.2. * Snapshots
(f-o):
event
e321
result
of the
causing
is,
second
the
only
that
state
({0}
X
To summarize, final
of work any
encapsulated
(cf. 2
X
S
since
diagram needed
further
fire
or to
state in
is marked
is now
enabled,
by
Check
events
({1}
(o)).
Thus,
x {1,2}
x
MDD
nodes
will
eventually
are
explore
subspaces.
discovered
that
{k.p)
and
its
become
descendants.
(2.1)
(cf. Snapshot 0, and
to
the
(cf.
the
(m)).
returns
(1.1),
be
(k))
The
result
This
node
node the
overall
will
either
at
is a new encoding (2.2)
deleted. (3.2)
not
(3.2)
descendant and
and
exhaustively
in node
former
disconnected
and
(h-j)),
Snapshot
disabled
whence
the
node
to
(3.2)[0]).
MDD,
terminates
to
known
found
(3.2)[1],
it to become
algorithm
of e321
but
Snapshots
equal
now
Union(2,
states
(cf.
enabled, encoding
in
Further is declared state
space
Sl).
saturated
uses
our
firing
was
in position
causing more
The
13 is not of nodes
saturated
it becomes
which
node
(3.2)
event
a chain
x {1, 2} x $1
calls
reserved
no
MDD.
routines.
Local
is in turn since
{1}
its firing
(n)),
add
build
RecFire
Event/3,
of node
e321
2).
to
to the
saturated.
Snapshot
Saturate(3,
deleted,
subspace
and
and RecFire
of them
to be
added
to be the
13 or
calls
Each
entire
descendant (cf.
we call
(1.4)
to be
the
(2.3)
as the
U
(2.3) but
Snapshot 1)
node
of the Saturate
The
(g-i)).
created
is removed
to
S
Snapshots
node
is found
saturated
(0, 0, 0).
(1, 2, 1),
is added
position
is saturated,
newly
node
which x $1
(2.2)
(cf.
attempt,
attempts
the
the
as
first
node $2
firing
of the execution
pattern
the
saturated
adds
explored, the
Once by
first
Example
(n)
as soon
as they
disconnected,
are created,
but
Once
all
events
{k.p)
for
its
in
encoding
ga
never are
be
each
node
modified.
exhaustively
benefits
in
advance
This fired
reduces in
from
some the
be present the node
in
amount {k.p),
"knowledge"
4.
Garbage
gorithm
Collection,
by means
collection
policies,
on extending 4.1.
mention
such that
(k.p) is disconnected
in traditional
symbolic
In our algorithm, nodes
set and its arcs
(k.p)[i]
a hit in the
the delete-flag decide
the indexes
union
the
the entries
in UC[k]
of numbers
of nodes
is optimal
4.2.
loops
consider
these
explored
without
speed-ups
/3(
