1 / 25

A Polynomial Translation of - Calculus (FCP) to Safe Petri Nets

A Polynomial Translation of - Calculus (FCP) to Safe Petri Nets. Roland Meyer 1 , Victor Khomenko 2 , and Reiner H ü chting 1 1 Department of Computing Science, University of Kaiserslautern, Germany 2 School of Computing Science, Newcastle University, UK. - Calculus.

kat
Télécharger la présentation

A Polynomial Translation of - Calculus (FCP) to Safe Petri Nets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Polynomial Translation of -Calculus (FCP) to Safe Petri Nets Roland Meyer1, Victor Khomenko2, and Reiner Hüchting1 1Department of Computing Science, University of Kaiserslautern, Germany 2School of Computing Science, Newcastle University, UK

  2. -Calculus • A formalism (process algebra) for modelling mobile and reconfigurable systems • Processes communicate by message passing: channels are sent via channels • passing an IP address or hyperlink • passing a pointer/reference to a procedure • New fresh channels can be dynamically created • (Logical) interconnect topology changes over time

  3. -Calculus: example Array of processors … P1 P2 P3 Scheduler … TG2 TGk TG1 Task generators

  4. -Calculus Syntax stop call choice Parallel composition prefix restriction P ::=0| K⌊a1,…,an⌋| P + P| P | P|.P|a:P ::= a<b>| a(x)| No replication operator ‘!’ – using recursive definitions of the form K⌊a1,…,an⌋:=P instead Input prefix a(x).P and restriction x:Pbind name x in P NOCLASH assumption (can always be enforced by -conversion): • each name is bound at most once • the sets of bound and free names are disjoint

  5. Finite Control Processes • -Calculus is expressive (Turing-powerful), so nothing is decidable • Wanted: a (syntactic) fragment that is decidable but retains a reasonable degree of expressiveness sufficient for modelling practical mobile and reconfigurable systems • Finite Control Processes (FCP): parallel composition of a fixed number of sequential (i.e. not using the | operator) processes (threads) • Good compromise between expressiveness and verifiability

  6. Motivation for FCPPN translation • FCPs have complicated semantics, and thus difficult for model checking: • checking if two terms are structurally congruent is graph isomorphism complete • difficult to use condensed representations of the state space • difficult to use reductions when exploring the state space • In contrast, safe low-level PNs are well suited for model checking, with many efficient heuristics available

  7. Gap Our contribution Safe low-level PNs: Efficient verification Not convenient for reconfigurability FCPs: Convenient for modelling reconfigurability Verification is hard

  8. Complexity-theoretic considerations • Any reachable state of an FCP can be represented by a term bounded by the FCP’s size • Hence an FCP can be simulated by a Turing machine with linear in the FCP’s size tape (characterises PSPACE) • A Turing machine with a bounded tape can be simulated by a safe low-level PN of polynomial size • Hence a polynomial translation from FCPs to safe low-level PNs must exist • This argument is constructive, but the resulting PN would be big and ugly • Wanted: A natural polynomial FCPPN translation, suitable for practical verification

  9. Related work • Much work concerning -CalculusPN translations has been performed • Mostly theoretical, often concerning the full -Calculus and so results in infinite PNs or undecidable PN classes (inhibitor arcs, coloured with infinite sets of colours, etc.) • Existing FCPPN translations (or restrictions of -CalculusPN translations to FCPs) are non-polynomial and/or have an unnecessarily powerful target formalism (coloured / inhibitor / transfer PNs) • Our contribution: natural polynomial FCP  safe low-level PN translation suitable for practical verification

  10. Principles of translation • Replace restricted names by fresh public ones, e.g. x.y.P and P[ab/xy] (a & b are fresh) are bisimilar • Recycle the fresh names to avoid generating unbounded number of them: • static bound on the number of names an FCP can ‘remember’ • if Preacts with x.Q and a is a currently unused (recycled) public name then P reacts withQ[a/x] • PN keeps track of the currently used names • Distributed representation of the substitution: • P[ab/xy]=P[a/x][b/y], so [a/x]and [b/y] are treated as independent variables and represented by separate PN places

  11. Translation Parallel composition operator Nsubs  H(N1 || … || Nn) Substitution net Hiding operator Implementation operator State machines implementing threads

  12. Translation: Pre-processing • Ensure that each thread of the FCP has its own set of process definitions: K(u,v):=.L(u,v)K(u,v):=.L(u,v) L(x,y):=.K(x,y) L(x,y):=.K(x,y) K’(u’,v’):=.L’(u’,v’) L’(x’,y’):=.K’(x’,y’) K⌊a,b⌋ | K⌊b,c⌋ K⌊a,b⌋| K’⌊b,c⌋ • At most quadratic increase in size – can be recovered by using symmetries in model checking

  13. Translation: Substitution net Public names Recyclable names Operations: • test(x=y) • map(x,y) • unmap(x,y) The operations do not interfere when applied to different names Complimentary places allow to determine which names are currently unused Input names Formal parameters Restricted names

  14. Translation: Control of threads • Model the control of each thread by a finite state machine; its transitions carry two labels: • communication action send(a,b), rec(a,b) or  • set of commands working with the substitution: test(x=y), map(x,y), unmap(x,y) • Additional transitions are inserted to initialise restricted names, pass parameters, and to unmap bound names when they go out of scope

  15. Control of threads: Examples {test(x=p1), test(y=p1)} {test(x=p1), map(y,p1)} send(p1,p1) rec(p1,p1) x<y>.S+… x(y).S+… S S … … … … send(p1,p2) rec(p1,p2) {test(x=p1), test(y=p2)} {test(x=p1), map(y,p2)} … … rec(nnn,nnn) send(nnn,nnn) Send Receive {test(x=nnn), map(y,nnn)} {test(x=nnn), test(y=nnn)} {map(r,n1)}  r.P P … …  {map(r,n2)} …  {map(r,nnn)} Restriction

  16. Translation: Parallel composition • Synchronise the send actions with the corresponding rec actions, with the resulting label  and the sets of commands united • the original transitions are not removed and available for further synchronisations {test(u=a), test(v=b)} {test(u=a), test(v=b)} u<v>.P+… u<v>.P+… P P … … … … send(a,b) send(a,b) || {test(u=a), test(v=b), test(x=a), map(y,b)}  … … … … rec(a,b) rec(a,b) S S x(y).S+… x(y).S+… {test(x=a), map(y,b)} {test(x=a), map(y,b)}

  17. Translation: Hiding • Remove the non- transitions after all the parallel compositions are performed • All the remaining transitions are –labelled, so can drop this label – only a set of commands is attached to each transition now {test(u=a), test(v=b)} u<v>.P+… P … … send(a,b) {test(u=a), test(v=b), test(x=a), map(y,b)}  … … rec(a,b) S x(y).S+… {test(x=a), map(y,b)}

  18. Translation: Implementation operator • Implements the commands attached to each transition by adding arcs between this transition and the places in the substitution net: xa x=a xa x=a x=a [r*n] … … … … … … test(x=a) map(x,a) unmap(x,a) r*n r=n map(r,n) … … … … fnfn i1n inin f1n

  19. Implementation operator: Examples • Example: communication and restriction: y=b r=n yb r*n u<v>.P+… P … … r.P P {test(u=a), test(v=b), test(x=a), map(y,b)} … … {map(r,n)} … … S x(y).S+… … … u=a x=a v=b fnfn i1n inin f1n

  20. Correctness and size of the translation • Weak bisimulation between FCP and PN • Strong bisimulation between FCP and the ‘stable’ transition system of PN • The size of the resulting PN is O(|FCP|4) • dominated by the number of transitions modelling communication • reduced down to O(|FCP|3) on the next slide • the PN is significantly smaller in practice than the worst case suggests

  21. Optimisations • Split the transitions modelling communication: • model communication between a<b> and x(y) not by a single step but by a pair of steps: the first checks that a=x, and the second maps y to b • reduces the size of the resulting PN from O(|FCP|4) down to O(|FCP|3) • Bound names that are never simultaneously active can share the same row of places in the substitution net • Can statically compute good approximations of the domains of bound names • Can share subnets for unmapping bound names that go out of scope • Can use symmetries reduction during model checking • Etc. – see the paper and technical report

  22. Extensions • Polyadic communication: exchanges multiple names in a single reaction, i.e. prefixes a<x1,…,xn> and b(y1,…,yn)can react iff a=b, and after synchronisation each yi gets the value of xi • can be achieved by generalising the ‘communication splitting’ idea • Match and mismatch:modelled by transitions testing the [non-]equality of two names in the substitution • reachable states corresponding to the ‘stuck between the guards’ situation have to be declared invalid (they can easily be distinguished from the valid ones, so still OK for model checking)

  23. Experimental results • Translation has been implemented in the fcp2pn tool: http://homepages.cs.ncl.ac.uk/victor.khomenko/tools/fcp2pn • The practicality of the approach was demonstrated as follows: • a number of FCPs, including scalable ones, were translated to safe PNs using fcp2pn • the PNs grow much slower with |FCP| than the worst-case bound suggests • optimisations work very well • the PNs were checked for deadlocks using LOLA, with good results

  24. Conclusions • First polynomial translation from FCPs to safe low-level PNs • The translation is natural, i.e. there is a close correspondence between the control flows of the FCP and the resulting PN • The resulting PN is suitable for practical model checking • Proposed a number of optimisations • Extensions to polyadic communication and match/mismatch • Implemented in the fcp2pn tool • Encouraging experimental results

  25. Thank you! Any questions?

More Related