We present c-reductions, a state space reduction technique. The rough idea is to exploit some equivalence relation on states (possibly capturing system regularities) that preserves behavioral properties, and explore the induced quotient system. This is done by means of a canonizer function, which maps each state into one (of the) canonical representative(s) of its equivalence class. The approach exploits the expressiveness of rewriting logic and its realization in Maude to enjoy several advantages over similar approaches: flexibility and simplicity in the definition of the reductions (supporting not only traditional symmetry reductions, but also name reuse and name abstraction); reasoning support for checking and proving correctness of the reductions; and automatization of the reduction infrastructure via Maude's meta-programming features. The approach has been validated over a set of representative case studies, exhibiting comparable results with respect to other tools.

1. State Space C-Reductions
of Concurrent Systems in Rewriting Logic
Alberto Lluch, Andrea Vandin José Meseguer
IMT Lucca UIUC
International Workshop on Rewriting Logic and its Applications (WRLA'12)
Tallin, March 24-25, 2012

2. state space explosion
0 3 8 ... 6
1 binary counter has ... 2 states
1 n-ary counter has ... n states (data abstraction)
m n-ary counters Mn states! (symmetries,
concurrency, etc.)

3. running example
$ = transfer of 1$
x$ = account with x$

4. credit rule
$
x$ x+1$

5. $ $
Isomorphic...
Isomorphic...
but syntactically different
but syntactically different
0$ 0$
$ $
1$ 0$ 0$ 1$
1$ 1$

6. symmetries in state space exploration problems

7. some tools with symmetry reduction
 Murphy [Ip&Dill@FMSD'96];
 Symmetric SPIN [Bosnacki et al.@SPIN'00];
 TopSPIN [Donaldson et al.@AMAST'06];
 Groove [Rensink@GRABATS'06];
 MiHDa [Montanari et al.@FMCO'02];
 PRISM-symm [Ball et a@CAV06];
 Planners, constraint solvers, etc.

8. some drawbacks
✗ Symmetries denoted with extra primitives;
✗ Limited, fixed symmetry classes;
✗ Rigid “flexibility” vs “guarantees” tradeoff;
✗ Complex changes to model checker;
✗ Unofficial extensions of model checkers;
✗ No support for checking correctness.

9. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

10. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

11. A Kripke structure is a tuple K = (S , → , L, AP) such that
 S is a set of states;
 → ⊆ S × S is a transition relation; $ $ p
 AP are atomic propositions; 0$ 0$

L: S → 2AP maps states into AP subsets.
$ p,q $ p,q
1$ 0$ 0$ 1$
p = there is some empty account
q
q = there are one or less dollars around
1$ 1$

12. A bisimulation between two Kripke structures K and H
is a binary relation ∼ ⊆ SK × SH such that s∼s' implies
 LK(s) = LH(s');
 s →K r implies s' →H r' and r∼r' for some r'; s →K r
≀ ≀
 vice versa. s' →H r'
p p
$ $ $ $
0$ 0$ 0$ 0$
p,q $ $ p,q $
p,q
1$ 0$ 0$ 1$ 0$ 1$
q q
1$ 1$ 1$ 1$

13. A ∼-canonizer for
– a Kripke structure K
– and an equivalence (bisimilation) relation ∼ ⊆ S × S
is a function c : S → S such that s∼c(s) for all states s.
c
$ c $
1$ 0$ 0$ 1$

14. A ∼-canonizer is strong if s∼s' implies c(s) = c(s')
(i.e. if canonical representatives of ∼-equivalence classes are unique)
2$ 1$ 3$ 2$ 1$ 3$
1$ 3$ 2$ c c
1$ 3$ 2$
c c
c
1$ 2$ 3$ 1$ 2$ 3$
2$ 3$ 1$ 2$ 3$ 1$
c
3$ 1$ 2$ c 3$ 1$ 2$
c
3$ 2$ 1$ 3$ 2$ 1$
otherwise we call them weak.

15. The c-reduction of a Kripke structure
K = (S , → , L, AP)
$ $
is
Kc = (S , →;c , L, AP) 0$ 0$
$ $
1$ 0$ c 0$ 1$
1$ 1$

16. Th. If c is a ∼-canonizer then Kc ∼ K.

17. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

18. some symmetry reductions captured
 Full symmetries;
 Rotational symmetries;
 Name reuse (garbage collection);
 Name abstraction.

19. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

20. What is RL?
A rewrite theory R is a tuple (Σ , E ∪ A , R , ϕ)

Σ = signature (e.g. syntax);

E = equations (e.g. functions); Not all equivalence relations ∼
Not all equivalence relations ∼
are tractable as axioms

A = axioms (e.g. ACI); are tractable as axioms

R = rules (e.g. non deterministic behaviour);

ϕ = frozennes map (e.g. rewrite strategy).
Some assumptions:

R has good executability properties;

Topmost rules for a designated [State] kind.

21. --- The main module defining the signature and one initial state
fmod BANK is
...
sorts Object Message Configuration State .
subsort Message Object < Configuration .
op <_|_> : Nat Nat -> Object [ctor] .
op credit : Nat -> Message [ctor] .
op __ : Configuration Configuration -> Configuration [ctor assoc comm] .
op none : -> Configuration [ctor] .
op {_} : Configuration -> State [ctor frozen] .
--- A simple initial state $ $
op init : -> Configuration .
0$ 0$
eq init = < 0 | 0 > < 1 | 0 > credit(0) credit(1) .
endfm

22. --- The behavioural rules of the example
mod BANK-RULES is
$
inc BANK .
vars i x : Nat .
x$ x+1$
vars c1 : Configuration .
--- A simple rule for crediting an account
rl [credit] :
{ < i | x > credit(i) c1 }
=> { < i | s(x) > c1 } .
endm

23. search without reduction $ $
0$ 0$
Maude> search in BANK-RULES : {init} =>* s:State .
$ $
Solution 1 (state 0) 1$ 0$ 0$ 1$
s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
Solution 2 (state 1) 1$ 1$
s:State --> {credit(1) < 0 | 1 > < 1 | 0 >}
symmetric states
Solution 3 (state 2)
s:State --> {credit(0) < 0 | 0 > < 1 | 1 >}
Solution 4 (state 3)
s:State --> {< 0 | 1 > < 1 | 1 >}
No more solutions.
states: 4 rewrites: 6 in 0ms cpu (2ms real) (9523 rewrites/second)

24. c-extension
The c-extension of a rewrite theory
R = (Σ, E ∪ A , R, ϕ)
is
Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , R , ϕc)
i.e. a correct extension of R with the definition of c.

25. module architecture
BANK
BANK-RULES (R)
BANK-C (Rc)

26. c-extension (example of canonizer)
--- The c-extension of BANK that defines the c-canonizer for object permutations
mod BANK-C is
...
op c : State -> [State] .
vars i j x y : Nat .
vars c1 : Configuration .
ceq c( { < i | x > < j | y > c1 } )
= c( { [[ i <-> j ]]( < i | x > < j | y > c1 ) } )
if [[ i <-> j ]]( < i | x > < j | y > c1 )
<# < i | x > < j | y > c1 .
eq c({c1}) = {c1} [ owise ] .
endm

27. module architecture
BANK
BANK-RULES (R) BANK-PERMUTATION
BANK-C (Rc)

28. c-extension (example of transpositions)
--- Implementation of object permutations
fmod BANK-PERMUTATION is
...
op [[_<->_]] _ : Nat Nat Configuration -> Configuration [frozen] .
op [[_<->_]] _ : Nat Nat Nat -> Nat .
eq [[ i <-> j ]](none) = none .
eq [[ i <-> j ]](obj1 c1) = ([[ i <-> j ]](obj1)) ([[ i <-> j ]](c1)) .
eq [[ i <-> j ]](msg1 c1) = ([[ i <-> j ]](msg1)) ([[ i <-> j ]](c1)) .
eq [[ i <-> j ]](< k | x >) = < [[ i <-> j ]](k) | x > .
eq [[ i <-> j ]](credit(k)) = credit([[ i <-> j ]] k) .
 eq [[ i <-> j ]](i) = j .
eq [[ i <-> j ]](j) = i .
ceq [[ i <-> j ]](k) = k if (i != k) / (j != k) .
endfm

29. Identification of symmetric states
Maude> red c( {credit(0) < 0 | 0 > < 1 | 1 >}) .
result State: {credit(1) < 0 | 1 > < 1 | 0 >}
$
0$ 1$
c
$
1$ 0$

30. The c-reduction of a rewrite theory
R = (Σ, E ∪ A , R , ϕ )
is
Rc = (Σ ⊎ Σc, E ∪ Gc ∪ A , Rc , ϕc)
cc
where Rc is made of rules K(Rcc)= K (R)
K(R ) = K (R)
l => c(r) if cond
for each rule of R
l => r if cond

31. module architecture
BANK
BANK-RULES (R) BANK-PERMUTATION
BANK-C (Rc)
BANK-C-REDUCTION (Rc)

32. c-reduction (example)
--- The c-reduction of BANK-RULES
mod BANK-C-REDUCTION is
inc BANK-C .
rl [credit] :
{ < i | x > credit(i) c1 }
=> c({ < i | s(x) > c1 }) .
endm

33. search in c-reduced state space
Maude> search in BANK-C-REDUCTION : {init} =>* s:State .
search in BANK-C-REDUCTION : {init} =>* s:State .
$ $
Solution 1 (state 0)
0$ 0$
s:State --> {credit(0) credit(1) < 0 | 0 > < 1 | 0 >}
$ $
Solution 2 (state 1) c
s:State --> {credit(1) < 0 | 1 > < 1 | 0 >} 1$ 0$ 0$ 1$
Solution 3 (state 2)
s:State --> {< 0 | 1 > < 1 | 1 >}
1$ 1$
No more solutions.
states: 3 rewrites: 25 in 0ms cpu (2ms real) (53648 rewrites/second)

34. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

35. Does c provide a correct c-reduction?
Th 1. “K(Rc) is bisimilar to K(R)” (desiderata)
Lemma 0. “Relation ∼ is an equivalence relation”
(i) Check that the action of the group is correct.
Lemma 1. “Relation∼ is a bisimulation” Proof plan for
(ii) Check that ∼ strongly respects AP; group-theoretic
(iii) Check that ∼ and R “commute”. reductions
Lemma 2. “Function c is a ∼-canonizer”
(iv) Check that c is a ∼-canonizer.

36. modules and checks
BANK check (i)
BANK-RULES (R)
BANK-AP BANK-PERMUTATION (R∼)
check (iv)
check (iii)
check (ii) BANK-C (Rc)
BANK-PERMUTATION-RULES (R∼)
BANK-C-REDUCTION (Rc)

37. group theoretic equivalence relations
The action ⟦∙⟧ of a group G on S defines an equivalence relation:
s∼s' iff ⟦ f ⟧(s) = s' for some f ∈ G.

38. modules and checks
BANK check (i)
BANK-RULES (R)
BANK-AP BANK-PERMUTATION (R∼)
BANK-C (Rc)
BANK-PERMUTATION-RULES (R∼)
BANK-C-REDUCTION (Rc)

39. (i) Checking group actions
Implement the action ⟦∙⟧ of G on S as
[[_]]_ : G State ->State .
… but we just need to implement the action of the generators.
Check that the we actually have a group action by showing:
⟦g⟧⟦g-1⟧(s) = s for each generator g of G.
HINT: induction on S (structure of states).
For example, in the case of permutations one has to show
[[ i <-> j]] ([[ i <-> j]] (s)) = s

40. (i) Checking group actions
Implement the action ⟦∙⟧ of G on S as
[[_]]_ : G State ->State .
… but we just need to implement the action of the generators.
Check that the we actually have a group action by showing:
 ⟦e⟧(s) = s, for e the identity of G;
 ⟦g ∘ g'⟧(s) = ⟦g⟧(⟦g'⟧(s)) for each pair of generators g, g' of G;
 ⟦g⟧⟦g-1⟧(s) = s for each generator g of G.
HINT: induction on G (generators ) and S (structure of states).

41. modules and checks
BANK
BANK-RULES (R)
BANK-AP BANK-PERMUTATION (R∼)
check (ii) BANK-C (Rc)
BANK-PERMUTATION-RULES (R∼)
BANK-C-REDUCTION (Rc)

42. (ii) Checking that ∼ strongly preserves AP
IDEA: Define a rewrite theory R∼ to “move” inside orbits:
R∼ = (Σ ⊎ Σ∼, E ∪ E∼ ∪ A , R∼ , ϕ)
where R∼ = { s => [[g]](s) }
Theorem: ∼ strongly preserves AP if AP is stable in R∼.

43. Can we check such stability automatically?
Yes, with InvA (under some conditions)
fmod BANK-AP is
eq [two-dollars-eq] : two-dollars({ < i | s(s(x)) > c1 }) = true .
endfm
fmod BANK-PERMUTATION-RULES is
rl [transposition] : { < i | x > < j | y > c1 }
=> { [[ i <-> j ]] ( < i | x > < j | y > c1) } .
endm
Maude> (analyze-stable two-dollars(s:State) in BANK-AP BANK-PERMUTATION-RULES .)
rewrites: 15571 in 16ms cpu (19ms real) (918643 rewrites/second)
Checking BANK-PERMUTATION-RULES ||- two-dollars => O two-dollars ...
Proof obligations generated: 2
For non discharged proof obligations
Proof obligations discharged: 2 For non discharged proof obligations
Success!
one can use the Maude ITP tool
one can use the Maude ITP tool

44. modules and checks
BANK
BANK-RULES (R)
BANK-AP BANK-PERMUTATION (R∼)
check (iii)
BANK-C (Rc)
BANK-PERMUTATION-RULES (R∼)
BANK-C-REDUCTION (Rc)

45. (iii) Checking that ∼ and R commute
R
u v
R
u' v'
For all equivalent states u, u' and for all R-transitions from u to v.

46. (iii) Checking that ∼ and R commute
R
u v
R∼ R∼
* R *
u' v'
For all R∼reachable pairs of states u->u' and for all R-transitions from u to v.

47. (iii) Checking that ∼ and R commute
R
u v
R∼ R∼
R *
u1' v1'
R∼ R∼
R
*
u2' v2'
R
u' v'
For all R∼-transitions u->u' and for all R-transitions from u to v.

48. Consider:
 Each R-rules from l => r
 Each R∼-rules l' => r'
R
θ'(l') ≡A θ(l) θ(r)
R∼
R∼
R *
θ'(r') w

49. (iii) Checking that ∼ and R commute
R For all R∼-transitions u → u' and
u v
R∼ for all R-transitions from u to v.
R∼
*
R
u' v'
R
θ(l) θ(r)
For all R∼-rules l' => r' and
for all R-rules from l => r.
R∼ R∼ Similar functionalities (e.g. critical pair generation)
Similar functionalities (e.g. critical pair generation)
are already available in some Maude tools
R * are already available in some Maude tools
θ'(r') v' (e.g. in the Coherence Checker).
(e.g. in the Coherence Checker).

50. (iii) Checking that ∼ and R commute
IDEA: Show joinability of critical pairs (R rules vs R∼)
Theorem: If all such pairs are joinable, ∼ is a bisimulation

51. modules and checks
BANK
BANK-RULES (R)
BANK-AP BANK-PERMUTATION (R∼)
check (iv)
BANK-C (Rc)
BANK-PERMUTATION-RULES (R∼)
BANK-C-REDUCTION (Rc)

52. (iv) checking that c is a ∼-canonizer
IDEA: Exploit the form of typical reduction strategies:
Local strategies
c({t}) = c([[g]]({t})) if [[g]]({t})<{t}
c({t}) = {t} [owise]
Enumeration strategies
c({t}) = min{[[f]]({t})}

53. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

54. typical space reduction
states
explored
no reduction
strong reduction
weak reduction
size of the
system

55. typical time reduction
runtime
no reduction
strong reduction
weak reduction
size of the
system

56. will we have the same in Maude?
Full symmetries in Maude [D.Rodriguez@WRLA'08]

57. will we have the same in Maude?
Q1. Overhead of meta-level based c-reductions?
Q2. Similar performance gains as model checkers?
Q3. Performance for c-reductions not based
on full permutations (e.g. rotations)?

58. Q1. meta-level vs ad-hoc?
runtime
(seconds)
90
80
meta-level
70
60
50
40
30
20 ad-hoc
10
0
1 2 3 4 5 6 7 8
size of the system
(instance parameter)

60. Q2. Maude vs SymmSPIN?
relative time
reduction factor
2
no reduction
symmSPIN
1.5
strong c-reduction
weak c-reduction
1
0.5
0
size of the system
2 3 4
(instance parameter)
-0.5
-1

61. Q3. space reduction in dining philosophers?

62. Dining philosophers (rotational symmetries)
~ ~
= philosopher eating
= philosopher resting

63. Dining philosophers (msg. id's)
1 2 3 4 4 3
~
msg id reuse ~
msg id
permutation
~
msg id abstraction

64. Q3. space reduction in dining philosophers
states
msg id reuse
explored
600000
msg abstraction
msg id reuse & permutations
msg abstraction + philosopher rotation
500000
400000
300000
200000
100000
size of the system
0
2 3 4 5 6 7 8 9 (instance parameter)

65. Q3. time reduction in dining philosophers
states msg reuse&permutation
msg abstraction
explored msg abstraction + philosopher rotation
7 8 9
size of the system
(instance parameter)

66. Q1. Overhead of meta-level based c-reductions?
✔ Significant improvement
when not resorting to the meta-level.
Q2.Performance against model checkers?
✔ Similar in space reduction;
✔ Comparable time reduction.
Q3. Performance for c-reductions not based
on full permutations (e.g. Rotations)?
✔ Significant space gains in rotational.

67. conclusion

68. Can we use rewriting logic to...
(i) generalize symmetry reduction techniques?
✔ Define the c-reduction of a Kripke structure;
✔ C-reductions subsume typical symmetry reductions.
(ii) provide some advantages?
✔ Define c-reductions using equations (not in the engine);
✔ Provide a tool supported verification methodology.
(iii) provide a faster state space exploration?
✔ Many experiments.

69. Related work (Maude)
 Full symmetries in Maude [D.Rodriguez@WRLA'08]
✔ Full object permutations, meta-representation order;
✭ More symmetries and examples, no meta-representation order,
verification methodology.
 Equational abstractions [Palomino et al.@JLAP'10]
✔ Identify states to reduce state space;
✭ Bisimulation, reduction application control.

70. Related work (ii)
 SymmSPIN et al. [Bosnacki et al.@SPIN'01]
✔ Heuristics for canonizers;
✭ No extension needed, object references allowed, formal checks;
 Groove [Rensink@GRABATS'06]
✔ Up-to-isomorphism GTS;
✭ Programmable reductions, not just iso.
 HD-automata [Montanari et al.@TCS'05]
✔ Name reuse techniques;
✭ On-the-fly reduction, algebraic state structure.

71. Current and Future Work
 Better integration in Maude
 Conciliate with other state space reduction techniques
(equational abstractions, partial order reduction);
 Tool support and its integration in MFE.
 Beyond group theoretic symmetries
 Abstractions that yield bisimulations?
 Exploit axiomatisations of bisimulation for process algebras?
 Beyond bisimulation
 Weak bisimulation?
 Trace equivalence (for LTL)?

72. http://sysma.lab.imtlucca.it/tools/c-reducer/

73. thanks!

74. alberto.lluch@imtlucca.it
linkedin.com/in/albertolluch