Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency of the system is implicitly represented by a boolean ...
Fundamenta Informaticae XXI (2002) 1–24
1
IOS Press
The BDD Space Complexity of Different Forms of Concurrency Michael Baldamus and Klaus Schneider University of Karlsruhe, Institute for Computer Design and Fault Tolerance ��������� � ��� � � ����� ������
,�
�� ����� ��������� ����� ���� ������!�"����� �#���$� �������%�$� ������������� � ���
Abstract. The automated verification of concurrent systems by model checking is often confronted with the state space explosion problem. A widely adopted method to tackle this problem is to use binary decision diagrams (BDDs) for representing systems and state spaces implicitly. However, it may be that even the system representation itself is prohibitively large. It is therefore interesting to study which factors influence the size of a BDD that represents the transition relation of a system. In this article, we consider the BDD representations of synchronous, asynchronous, and interleaved processes with communication via shared variables and present upper bounds for their sizes. To this end, we introduce a general representation strategy where catastrophic exponential growth of the BDD can only be due to the specifics of communication and/or write conflict resolution; it is neither due to the number of processes nor to the concurrency discipline. Moreover, conditions on communication and write conflict resolution are presented that are sufficient for polynomial sized BDD representations. Keywords: Binary Decision Diagrams, Concurrency, Shared Variables, Complexity.
1. Introduction The design of concurrent systems is a relatively error–prone task so that there is a need to provide designers with appropriate tools to reason about the correctness of their designs. In particular, computer–aided verification is well–accepted and is nowadays used in many areas such as the design of safety–critical embedded systems. There are many verification techniques and they are based on different specification formalisms (see [10] for an overview). Model checking [7, 15] has proved to be advantageous for the verification of concurrent finite state systems. Within this approach, the concurrent system is described as a model of the specification logic, so that the verification task is to check whether the specifications are satisfied by the given model. However, all of these techniques suffer from the state space explosion problem of large systems. A lot of approaches have been devised for tackling the problem of state space explosion in model checking. A particularly successful one is symbolic model checking [6], where the transition relation
2
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
of the system is implicitly represented by a boolean formula: any satisfying variable assignment of this formula corresponds to a transition of the system. Moreover, state sets are also represented by boolean formulas in the same symbolic manner. The pivotal point is that many large sets can be represented with small boolean formulas. Binary decision diagrams (BDDs) [3] moreover allow one to store and manipulate normal forms of boolean formulas efficiently. BDDs are obtained by successive case distinctions on the variables that occur in the formulas (cf. Figure 1) until all variables are eliminated. If a particular variable ordering is used for all case distinctions, the ensuing BDDs are normal forms for boolean formulas [3]. Moreover, boolean operations on BDDs can be efficiently computed. These properties make BDDs very attractive for symbolic model checking procedures. A critical factor in the size of a BDD is the chosen variable ordering. In particular, the size of a BDD can be exponential in the number of its variables. There are even formulas that have only exponentially sized BDDs [4]. Clearly, systems whose representations yield such formulas can only be handled to a limited extent by symbolic approaches. It is therefore desirable to estimate BDD sizes in advance, that is, before constructing the BDDs, relative to a given variable ordering. There are tight estimates for all boolean operations on BDDs, and also for further operations like composition and quantification. However, there are not many results that pertain to the BDD size of a system’s representation in terms of the structure of the system. Having a deeper knowledge of the factors that lead to exponential BDD sizes could help to design systems in such a way that tools can handle these systems more efficiently. The contribution of the present article consists of a detailed analysis of BDD representations of concurrent finite state systems. In particular, our estimates take into account (1) the kind of concurrency, that is, interleaved, synchronous or asynchronous parallel execution, (2) the complexity of the communication between the processes, and (3) the way write conflicts are resolved. Having estimations in terms of these factors, we will determine their impact on the size of the BDD representation. It turns out that the number of processes has only a limited influence on the BDD size: An exponential BDD growth can only result from complex communication and/or complex write conflict resolution. Based on our analysis, we can furthermore define classes of concurrent systems that can be polynomially represented with BDDs: For example, the overall BDD size of a system with & processes grows polynomially if the following conditions are met: first, the number of shared variables does not depend on & , and second, their bit length grows only logarithmically with & . The resolution of write conflicts, on the other hand, may be arbitrary in this case (cf. Section 6). Our estimations necessarily depend on certain variable orderings. An essential characteristic of our approach is that all BDD size estimates are based on representing all processes initially with mutually disjoint sets of boolean variables. Boolean variables that represent shared variables appear as local copies that are equated afterward to guarantee the consistency of the model. This allows us to consider process– wise constraints for variable orderings, in the sense that good orderings used to represent individual processes are not broken up. What positive effects these orderings have on the BDD representation of individual processes translates to positive effects on the BDD representation of the entire system. In this sense, our analysis constructs as a side effect compositional heuristics for variable orderings for the entire system out of constraints for process–wise variable orderings. In a final stage we show that all estimates remain valid if one does not use local copies of boolean variables that represent shared variables and, at the same time, sticks to the ordering constraints with respect to all other boolean variables. The crucial point is that it is not obvious how one could do without those copies in obtaining our results in the first place. In other words, they seem to be necessary as an analytical tool and can be discarded only afterward.
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
3
We are not aware of any other work on upper bounds for BDD sizes in representing shared variable systems. There is, however, related work on representing combinatorial and sequential digital circuits [5, 12, 13]. Both [5] and [12] consider the width of circuits, which is defined as the maximum number of wires through any cut through the circuit’s netlist. It turns out that the size of the representation BDD is exponential in this measure, while the number of gates appears as a linear factor. Hence, there is the same observation: Not the number of system components, but the communication aspect is responsible for exponential BDD sizes. This result was also obtained in the setting of BDD trees [13], which generalizes that of BDDs. Like [5, 12], [13] is concerned with digital circuits. It turns out that circuit representations with BDD trees can be one order of magnitude smaller than with BDDs given that the circuits themselves have an appropriate tree structure. It is beyond the scope of the present article to consider BDD tree representations. Another difference is that the work presented here does not depend on tree–like communication topologies. Similar to [1], our work might be seen as a systematic broadening of [12]. In [1] disjoint sets of variables are used to encode distinct processes, in a similar vein as here. However, the finite state machines of [1] communicate via transition predicates, as opposed to our communication via shared variables. It is therefore almost trivial to work with disjoint variable sets in contrast to our more difficult setting. Finally, [8] comes closest to our work: [8] considers the representation of systems of CCS processes without value–passing [14]. The estimation given in [8] yields an upper bound that is exponential in the number of so–called actions and linear in the number of processes, which is a somewhat similar result as ours. Due to the CCS setting, however, the only concurrency discipline considered in [8] is interleaving, while we consider also synchronous and asynchronous parallel execution. Moreover, we consider communication over shared variables. The article is organized as follows: In the next section, we briefly go through preliminaries required for the rest of the article. In Section 3, we show how systems consisting of synchronous, asynchronous and interleaved processes are represented in terms of transition systems, and Section 4 refines this to boolean encodings used for the BDD construction. Section 5 is concerned with general size estimates of these BDD representations, which is our main result. We then identify in Section 6 classes of concurrent systems that will have a polynomial BDD representation. In Section 7 we show that all estimates remain valid without local copies of boolean variables introduced to represent shared data variables. Section 8 concludes the article.
2. Preliminaries Symbolic state space traversal as well as the symbolic representation of transition relations of finite state concurrent systems crucially depends on efficient methods to manipulate large propositional formulas. In particular, canonical normal forms are useful to check the equivalence of formulas efficiently, which is required to check whether a fixpoint has been reached. In the past decade, binary decision diagrams (BDDs) [3] have proved to be well suited for this purpose [6, 2, 12]. BDDs are constructed by successive case distinctions on the truth value of the variables that occur in the formula. We consider the two cases, where a variable ' is either true or false, and construct the two cofactors ( )+*-,. and ( )/*1. 0 of a formula ) , where ' has been replaced by either 2 or 3 . By repeating this Shannon decomposition, we finally end up with the constants 2 and 3 . BDDs can be pictorially illustrated
4
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
as shown, for example, in Figure 1. It is important that for any fixed variable ordering used for the case distinctions, all equivalent formulas yield the same BDD. The size of the BDD can be furthermore reduced when common subgraphs are shared and unnecessary case distinctions, that is, those where the cofactors ( )+* ,. and ( )+* . 0 are equivalent, are eliminated. Nowadays, efficient implementations of BDD data structures and algorithms are available in the form of BDD packages (see e.g. [9]). In the following, we denote the BDD for a boolean formula ) by 4657598:)465?598:)@;A= . A lot of research has been directed toward the efficient construction and manipulation of BDDs. Upper bounds are well–known for all boolean operations and also for composition and quantification. The following lemma states one result that we will often use in the following. Lemma 2.1. Let B be any binary boolean operation such as conjunction or disjunction. Then, for all boolean formulas ) and C , the size of 465?5D8:)9BEC?; is at most =>46575F8:)@;A=�GH=>465?598IC7;A= . We will make extensive use of finite vectors of boolean variables. For every finite vector ' J , its length is denoted by =�'K J = , and '@J L denotes the M –th component of ' J , given that 3ONPMQNR=�'K J = . We abbreviate for any natural number &TSU2 the set VW3WXZYZYZYAX[&]\ by ( &^* . Furthermore, if _ J and ` J are vectors of boolean variables, d ` where =�_ J =�ab=c` J = holds, then we abbreviate by _e J J the following formula: fhi g f L�j
_ ` _ ` 8+J L46575F8+_P ` _ appear before all J L ’s have an exponential size in =�J = .
3. Modelling Interleaved, Asynchronous and Synchronous Concurrent Systems with Shared Data Variables We use finite transition systems to model both shared variable processes in isolation and entire systems of such processes. Technically, a transition system can be seen as a triple 8�:�I�XZnXZ
; where is a state set, :hD is a set of initial states and l is a transition relation. We assume that every transition is labelled with a boolean formula. The intuition is that such a formula is an enabling condition. We write Q u� for 8:�XZ�I;]w with label ) . To model shared variable processes in isolation, we assume that every process has a finite set of control flow locations and a finite set of variables O , where each 'wO has a finite set . of possible values. For simplicity, is assumed to contain also those variables that are exclusively used by , and we do not distinguish such variables and truly shared variables. It is easy to see that our asymptotic results would remain valid if we did make such a distinction. A valuation of ’s variables is a function, say, from O to the union . Ax . with 8I';Fw . for each 'w O . The set of
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
i�¡ 0
¢ ¡ ,
0
¢ ¡
,
i¤£
0
¢�£
,
,
5
0
¢�£ 0
,
¢�¥
i�¥ 0 0
,
¢�¥
,
,
0 0
, ¦ ¨ Figure 1. BDD for §D
©¦ .
all valuations of ’s variables is denoted by ª« . A –update is defined to be of the form '¬®a¯ with '°w±O and ¯ew . . The set of all –updates is denoted by ² . As usual, the update of a variable ' by a value ¯ (from . ) in a valuation is denoted by ^( '³¬®a¯/* and is defined by ^( 'E¬®a¯+*´8
_
;]a
8
_
if 'a µ _ if '°a _ . ;
¯
An empty update @( ¶�* is given by ^( ¶�*·a¸ . Then a (shared variable) process is a transition system 8�:�I�XZ¹XZ
; over , O and the family 8: . ; . ¤6 . The intuition is that transitions correspond to the execution of , where at most one variable is updated in each transition. º
The set of states is given by aª«¹ , that is, a state is assumed to consist of a valuation of ’s variables and a control flow location. º '
Transitions must be such that 8:X[»W;« ¸8:�cX[»�c; if and only if �¹a¼@( ¶�* or �¹a¼@( 'T¬®a¯/* for some and some ¯±wT . , where ) is a formula over . .K¿ j7À
We write 8:+X[»W;} ½ 8:�cX[»�c; whenever 8:+X[»W;¾ 8:A�X[»��; with Aa@( ¶�* , and we write 8:X[»�; -� Á
8:�IX[»��;
whenever 8:+X[»W;K Â8: X[» ; with a^( '}¬®a ¯+* . Note that @( ¶�*]a@( '}¬®aÃ+8I'y;I* given that either update does not occur in parallel with any other update of by some other process. If there are such concurrent updates, then ^( ¶�* and @( '³¬®a8I';I* can in general not be substituted for each other (see below). For the remainder of this article, we fix some arbitrary collection , . . . , 465?598 8:õ�;:;A= Ä 3K|
L�j
�
465?598
8:L[;:;
G
= OLZ=�|
z= L�=�|z
0
~ G®8:~�&
|
~
-
ú�.L.Ô;A=�G=>465?598
|
3W; G=>465?598
upper bound for =>465?598 Ä L�j 0
3K|
465?598
�
8:
L ;:;
G
=
L =�|
z= L =�|~
~ G®8:~�&
�
( 3�;A= 8:
ã ;:;A=
|
~ |
3W; G=>465?598
-
ú�.L.Ô;A=�G=>465?598
( 3�;A=
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
(a) 465?5D8
Ä
L�j
YZYZY¤; : 0
(b) 465?598: L k
M ¡ ,
B Ç 0
�
8:
(c) 465?5D8:p× L k :÷ùK( L ; :
L ;:; :
B Ç 0
,
0
M ¥
, 0
,
,
NPO%ORQ ��S!��T Ç ���
,
13
0
, 0
NPO%ORQ � â�U;V�W Ç � ,
0
,
0 0
Figure 3. BDDs used to prove Theorem 5.1. Thick arrows designate generic arcs. A “ X ”–exponent designates a BDD stripped of its leafs.
upper bound for =>465?598 Ä L�j
3¾|
�
465?5D8
8:
L ;:;
G
=
L =�|
z= L =�|
z
0
~
�
8:
f ;:;A=
|
~
-
G/8:~�&Ô|
3W;nGH=>465?598
ú/.0.o;A=�GH=>465?598
( 3�;A=
Proof: As the other two cases are similar but easier, we consider only the upper bound for representing the interleaved transition relation. First of all, we apply Lemma 2.1 and Lemma 5.1 to Definition 4.1, obtaining
�
=>465?598 N
8:
õ ;:;A= 4x5?5
Ä L�j
8: L k
�
8:
L ;:;nmo8:p] L kÔ:÷�ù�( L ;
G 8:~�&
|3W;nGH=>465?598
-
ú�.L.o;A=�GH=>465?598
( 3�;A= Y
0
It remains to obtain an upper bound for Ä 465?5
L�j
�
8: L k
8:
L ;:;nmo8:p× L kÔ:÷ùK( L ; Y
0
� Ä 8: L ;:;Ñm³8:p× L kT:÷�ùK( L ;:; has the To this end, consider Figure 3. First of all, the BDD for 8 L�j 8: L k 0 � structure depicted in (a), where Y L stands for the BDD for 8: L k 8: L ;:;¹m 8:p× L kE:÷�ùK( L ; without leafs; this structure is so since the variable sets of distinct Y L ’s do not overlap. Hence, the upper bound is Ä L�j 0
465?5
8: L k
�
8:
L ;:;¹mo8:p× L k
:÷ùK( L ;
~
|~WY
14
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
� Now it remains to obtain an upper bound for =>4x5?5F8:8:�L6k 8:L[;:;Km8:p×�L«k:÷ùK(�L[;:;A= . To this end, � � 8: L ;:; is 3r|Ë=>465?598 8: L ; ;A= ; the size of consider (b) and (c) in Figure 3. The size of 46575F8: L k 465?598:p× L k°:÷�ùK( L ; is 3K|ë=>465?598�:÷ùK( L ;A= . Thus, together with Lemma 2.1 and Lemma 5.2, we have 4x5?5
�
8: L k
8:
L ;:;nmo8:p× L kÔ:÷�ùK( L ; N
3
|
465?598
�
8:
L ;:;
G
=
L =6|
z= L =6|
z
Y
@A In practice, scalable systems can often be represented so that the BDD representation of any individual process grows at most polynomially as the number of processes grows. Hence, by Theorem 5.1, the upper bound for the size of an overall representation BDD will usually grow polynomially if the upper bounds for 4657598 ú/.0o . ; and 465?598 ()�3 ; grow polynomially. Theorem 5.1 thus follows through on our claim that disadvantageous communication and write conflict resolution are the principal reasons for exponential growth of overall representation BDDs. Our block–wise variable ordering constraints are decisive in obtaining this result; the reason is that, without them, we could only use Lemma 2.1 and Theorem 5.1 and not the BDD in Figure 3(a). This situation would require to replace the sum over ( &^* by a product over ( &^* . With that sum, we have the following corollary to Theorem 5.1. It states our results in terms of asymptotic growth.
Corollary 5.1. (Space Complexity of BDD Sizes in Representing the Interleaved, Asynchronous and Synchronous Transition Relations) Relative to any variable ordering satisfying í and í ý , the space 0 � � � complexity of 46575F8 8: f ;:; , 465?598 8:Pã�;:; and 465?598 8: õ ;:; is as follows:
Z Ä 465?598
�
Lcj
8:
L ;:;
G
=
L =�|U= L =
G�&
-
ú/.0.o;A=ZG=>4x5?5F8
G=>46575F8
�
8A=>465?5F8
8:õ�;:;A= ;
()3�;A=
0
Z Ä 465?598
Lcj
�
8:
L ;:;
G
=
L =�|U= L =
G�&
G=>46575F8
-
8A=>465?598
ú/.0.o;A=ZG=>4x5?5F8
8:
ã ;:;A= ;
()3�;A=
0
Z Ä L�j
�
4657598
�
8:
L ;:;
G
=
L =�|ë= L =
G�&ÔGH=>465?598
-
8A=>465?598
ú�.L.o;A=�GH=>465?598
�
8:
f ;:;A= ;
( 3�;A=
0
The rest of this section is concerned with devising an upper bound for the BDD normal form of ú/.0. , . . the communication formula. Let ÒxÓÑ . auV\[ XZYZYZY¤X7[ f 1 ÿ�2 � f \ for each ' w} . An ordering constraint 0
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
15
í^] is then given by
'J
'J
. ¤
= =
�`_ �¡
GZGZG
= 0
0
�a_ �b�c'dfe � b
.. .
�a_ �¡ ' J ÿ�K�;�4x5?5F8 . ¤
zK|8A=ÁÒxÓÑ . =�
3W;�ÓÑI÷ �ø . ~
ÿ�K�;�46575F8
-
ú/.0.o;A=�N
. ¤
46575
L �1 ÿ52
�
'J
d
'J
� L Y
It remains to obtain an upper bound for 465?5 'lw
L 51 ÿ�2
�
'J
d
'J
� L X
. Actually, however, we determine the exact size of each such a BDD. To this end, we observe that such a BDD can be thought of as consisting of =ÁÒxÓÑ . =�|~ sections (cf. Figure 4). The topmost ÿ5��;�465?598
( 3 . ;A= Y
It remains to obtain an upper bound for 465?5D8 ( 3 . ; , 'ÃwU . Actually, however, we determine the exact size of each such BDD. To this end, we observe that such a BDD can be thought as consisting of =ÁÒxÓÑ . =c| ~ sections (cf. Figure 5). The topmost section corresponds to the process with the lowest index
18
Michael Baldamus and Klaus Schneider / The BDD Space Complexity of Different Forms of Concurrency
Figure 5. Illustration of the proof of 6.1. The diagram depicts the conflict resolution BDD for any v �t7Theorem u`v�u � o . Outgoing edges not shown lead directly to the w –leaf. Dangling and qar hjs l\qRm t outgoing edges lead directly to the –leaf.
h i I k�G�lm g with j
¡
g
LX . ¡ x
