1

Bisimulations as a Technique for State Space Reductions.

2

Abstraction: the key to scaling up

represents a set of states

abstraction

Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system

Originalsystem

Originalproperty P

symbolic state

Abstract system

Abstractproperty P’

3

Data Abstraction vs. Predicate Abstraction

• Data Abstraction– Abstraction proceeds component-wise,

where variables are components

x:int Even

Odd…, -3, -1, 1, 3, …

…, -2, 0, 2, 4, …

1, 2, 3, …

…, -3, -2, -1

0

Pos

Neg

Zeroy:int

4

Data Abstraction vs. Predicate Abstraction (Cont’d)

• Predicate Abstraction– Use a boolean variable to hold the value of

an associated predicate that expresses a relationship between variables

predicate: x = y true

false(1, 2)

(0, 0)

(1, 1)(-1, -1)

(-1, 3)

(3, 2)

…

…

int * int

5

An ExampleInit:

x := 0; y := 0; z := 1;

goto Body;

Body:

assert (z = 1);

x := (x + 1);

y := (y + 1);

if (x = y) then Z1 else Z0;

Z1: z := 1;

goto Body;

Z0: z := 0;

goto Body;

• x and y are unbounded

• Data abstraction does not work in this case --- abstracting component-wise (per variable) cannot maintain the relationship between x and y

• We will use predicate abstraction in this example

6

Predicate Abstraction Process

• Add boolean variables to your program to represent current state of particular predicates– E.g., add a boolean variable [x=y] to represent

whether the condition x=y holds or not

• These boolean variables are updated whenever program statements update variables mentioned in predicates– E.g., add updates to [x=y] whenever x or y or

assigned

7

An ExampleInit:

x := 0; y := 0; z := 1;

goto Body;

Body:

assert (z = 1);

x := (x + 1);

y := (y + 1);

if (x = y) then Z1 else Z0;

Z1: z := 1;

goto Body;

Z0: z := 0;

goto Body;

• We will use the predicates listed below, and remove variables x and y since they are unbounded.

• Don’t worry too much yet about how we arrive at this particular set of predicates; we will talk a little bit about that later

p1: (x = 0)

p2: (y = 0)

p3: (x = (y + 1))

p4: (x = y)

b1: [(x = 0)]

b2: [(y = 0)]

b3: [(x = (y + 1))]

b4: [(x = y)]

Predicates Boolean Variables

This is our new syntax for representing boolean variables that helps make the correspondence to the predicates clear

8

Transforming Programs

[(x = 0)]

[(y = 0)]

[(x = (y + 1))]

[(x = y)]

x := 0;

An example of how to transform an assignment statement

Predicates Assignment Statement

[(x=0)] := true;

[(x=(y+1))] := if [$(y=0)] then false else top;

[(x=y)] := if [$(y = 0)] then true else if ![$(y=0)] then false else top;

Where: [$P] = prev. value of

[P] top is a non-

deterministic choice between true and false

The statement to the left is replaced the statements below

[(x=0)] := true;

[(x=y)] := H([$(y=0)], ![$(y=0)]);

[(x=(y+1))] := H(false, [$(y=0)]);

Where: true, if e1

H (e, e2) = false, if e2

top, otherwise{

Make a more compact representation using a helper function H (following SLAM notation)

9

State SimulationGiven a program abstracted by predicates E1, …, En, an abstract state simulates a concrete state if Ei holds on the concrete state iff the boolean variable [Ei] is true and remaining concrete vars and control points agree.

(n2,[ [x=0] ! False, [y=0] ! False, [x=(y+1)] ! False, [x=y] ! True, z ! 0])

Concrete Abstract

(n2,[x ! 2, y ! 2, z ! 0])simulates

(n2,[x ! 3, y ! 3, z ! 0])

(n2,[ [x=0] ! False, [y=0] ! True, [x=(y+1)] ! True, [x=y] ! False, z ! 1])

(n2,[x ! 1, y ! 0, z ! 1])simulates

(n2,[x ! 3, y ! 3, z ! 1])

does not simulates

10

Abstractions

• Find reductions independent of the specification .

• Reduce K to K’ and construct a relation R such that for every (CTL) formula – K, s ² iff K’, s’ ² where R(s, s’).

• Note we do not transform to ’.

11

Abstractions

R

s s’

K

K’

12

Bisimulations

• K = (S, S0, R, AP, L)

K’= (S’, S0’, R’, AP, L’)• Note K and K’ use the same set of atomic propositions

AP.• B µ S £ S’ is a bisimulation relation between K and K’

iff for every B(s, s’):– L(s) = L’(s’) (BSIM 1)– If R(s, s1) then there exists s1’ such that R’(s’, s1’) and B(s1,

s1’). (BISIM 2)– If R(s’, s2’) then there exists s2 such that R(s, s2) and B(s2, s2’).

(BISIM 3)

13

Bisimulations

K K’

s s’

s1

14

Bisimulations

K K’

s s’

s1 s1’

15

Bisimulations

K K’

s s’

s2’

16

Bisimulations

K K’

s s’

s2 s1’

17

Examples

p q

p q p q p q …..

18

Examples

p q

p q p q p q …..

Unwinding preserves bisimulation

19

Examples

p

q q

s sr

p

q q

r rs

20

Examples

p

q q

s sr

p

q q

r rs

21

Examples

p

q q

s sr

p

q q

r rs

22

Examples

p

q q

s sr

p

q q

r rs

23

Examples

p

q q

s sr

p

q q

r rs

24

Examples

p

q q

s sr

p

q q

r rs

25

Examples

p

q q

s sr

p

q q

r rs

26

Bisimulations

• K = (S, S0, R, AP, L)

K’= (S’, S0’, R’, AP, L’)• K and K’ are bisimilar (bisimulation equivalent)

iff there exists a bisimulation relation B µ S £ S’ between K and K’ such that:– For each s0 in S0 there exists s0’ in S0’ such that

B(s0 , s0’).– For each s0’ in S0’ there exists s0 in S0 such that

B(s0 , s0’).

27

The Preservation Property.

• K = (S, S0, R, AP, L)

K’= (S’, S0’, R’, AP, L’)• B µ S £ S’, a bisimulation.• Suppose B(s, s’).• FACT: For any CTL formula (over AP),

K, s ² iff K’, s’ ² .• If K’ is smaller than K this is worth

something.

28

Bisimulation Quotients

• Bisimulation equivalenec is an equivalence relation.

• K = (S, S0, R, AP, L)• There is a maximal bisimulation B µ S £ S.

– Let R be this bisimulation.– [s] = {s’ j s R s’}.

• R can be computed “easily”.• K’ = K / R is the bisimulation quotient of K.

29

Bisimulation Quotient

• K = (S, S0, R, AP, L)• [s] = {s’ j s R s’}.• K’ = K / R = (S’, S’0, R’, AP,L’).

– S’ = {[s] j s 2 S}– S’0 = {[s0] j s0 2 S0}– R’ = {([s], [s’]) j R(s1, s1’) for some s1 2 [s]

and s1’ 2 [s’]}– L’([s]) = L(s).

30

Examples

p

q q

r rs

31

Examples

p

q q

r rs

32

Examples

p

q

r s

33

Abstractions

• Bisimulations don’t produce often large reduction.

• Try notions such as simulations, data abstractions, symmetry reductions, partial order reductions etc.

• Not all properties may be preserved.• They may not be preserved in a strong

sense.

34

Graph Simulation

Definition Two edge-labeled graphs G1, G2

A simulation is a relation R between nodes:

• if (x1, x2) R, and (x1,a,y1) G1,

then exists (x2,a,y2) G2 (same label)

s.t. (y1,y2) Rx1 x2

a

R

G1 G2

y1

a

Ry2

Note: if we insist that R be a function graph homeomorphism

35

Graph Bisimulation

Definition Two edge-labeled graphs G1, G2

A bisimulation is a relation R between nodes s.t. both R and R-1 are simulations

36

Set Semantics for Semistructured Data

Definition Two rooted graphs G1, G2 are equal if there exists a bisimulation R from G1 to G2 such that (root(G1), root(G2)) R

• Notation: G1 G2

• For trees, this is precisely our earlier definition

37

Examples of Bisimilar Graphs

a b

c

a b

c c

a

aa

aaa

...

=

=

38

Examples of non-Bisimilar Graphs

• This is a simulation but not a bisimulation– Why ?

• Notice: G1, G2 have the same sets of paths

a a a

b ccb

G1= G2=

39

• Simulation acts like “subset”{a, b} {a, b, c}

{a, b:{c}} {d, a:{e,f}, b:{c,g}}

• Question:

• if DB1 DB2 and DB2 DB1 then DB1 DB2 ?

Examples of Simulation

a b

c

a b

c

d

e f g

a b a bc

40

Answerif DB1 DB2 and DB2 DB1 then DB1 DB2 ?

No. Here is a counter example:

aa

b b

a

DB1 DB2 and DB2 DB1 but NOT DB1 DB2

DB1 DB2

41

Path SimulationIntuition: every path in concrete system is simulated by a path in abstract system

simulates

simulates

simulates

simulates

A concrete path s1, s2, … is simulated by an abstract path a1, a2, … if Sim(si,ai) for all i.

Concrete Abstract

42

Computation SimulationIntuition: every path in concrete system is simulated by a path in abstract system

Concrete Abstract

There may be extra paths (termed “infeasible” paths) that are not present in the concrete system. These are due to the approximate nature of our computation with abstract tokens. Specifically, they arise from the over-approximations in test branching discussed previously.

Infeasible path due to over-approximation.

43

Reflection of LTL Properties

Concrete Abstract

Infeasible path due to over-approximation.

If there is a violating path in the abstract system, then there is not necessarily a violating path in the concrete system, since the violating abstract trace may be an infeasible path due to over-approximation. Technically, this means that properties are not preserved by abstraction.

If there is a violating path in the concrete system, then there is a violating path in the abstract system, since the simulation property guarantees that each concrete trace has a corresponding trace in the abstract system. Technically, this means that properties are reflected by abstraction.

44

Facts About a (Bi)Simulation

• The empty set is always a (bi)simulation

• If R, R’ are (bi)simulations, so is R U R’

• Hence, there always exists a maximal (bi)simulation:– Checking if DB1=DB2: compute the maximal

bisimulation R, then test (root(DB1),root(DB2)) in R

45

Computing a (Bi)Simulation

• Computing the maximal (bi)simulation:– Start with R = nodes(G1) x nodes(G2)– While exists (x1, x2) R that violates the

definition, remove (x1, x2) from R

• This runs in polynomial time ! Better:– O((m+n)log(m+n)) for bisimulation– O(m n) for simulation– Compare to finding a graph homeomorphism !

NP Complete