[PPT] - 0 Lecture 11: Safe Realisability Joost-Pieter Katoen Lehrstuhl fr PowerPoint Presentation

SLIDE 1

Theoretical Foundations of the UML

Lecture 11: Safe Realisability Joost-Pieter Katoen

Lehrstuhl für Informatik 2 Software Modeling and Verification Group

moves.rwth-aachen.de/teaching/ss-20/fuml/

May 25, 2020

Joost-Pieter Katoen Theoretical Foundations of the UML 1/18

SLIDE 2

Outline

1

Safe realisability

2

Closure and inference revisited

3

Characterisation and complexity of safe realisability

Joost-Pieter Katoen Theoretical Foundations of the UML 2/18

✓

set

f

MSG

L

t

w

Msc

t

sufficient and

necessary

condition

SLIDE 3

Overview

1

Safe realisability

2

Closure and inference revisited

3

Characterisation and complexity of safe realisability

Joost-Pieter Katoen Theoretical Foundations of the UML 3/18

SLIDE 4

From requirements to implementation

Realisability problem

Input: a set of MSCs Output: a CFM A such that L(A) equals the set of input MSCs. Questions:

1 Is this possible? (That is, is this decidable?) 2 If so, how complex is it to obtain such CFM? 3 If so, how do such algorithms work? Joost-Pieter Katoen Theoretical Foundations of the UML 4/18

I

r

? to check realise

bility

?

SLIDE 5

Problem variants (1)

Realisability problem

Input: a set of MSCs Output: a CFM A such that L(A) equals the set of input MSCs.

Different forms of requirements

Consider finite sets of MSCs, given as an enumerated set. Consider MSGs, that may describe an infinite set of MSCs. Consider MSCs whose set of linearisations is a regular word language. Consider MSGs that are non-local choice.

Joost-Pieter Katoen Theoretical Foundations of the UML 5/18

#

inputs

*

In

, , . . . . , Mk )

SLIDE 6

Problem variants (2)

Realisability problem

Input: a set of MSCs Output: a CFM A such that L(A) equals the set of input MSCs.

Different system models

Consider CFMs without synchronisation messages. Allow CFMs that may deadlock. Possibly, a realisation deadlocks. Forbid CFMs that deadlock. No realisation will ever deadlock. Consider CFMs that are deterministic. Consider CFMs that are bounded. . . . . . .

Joost-Pieter Katoen Theoretical Foundations of the UML 6/18

utputs

✓

tf

bounded

\ I

bounded

SLIDE 7

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM.

Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

(

no

sync data

+

simpler

acceptance

condition

F

=

IT

Fp

PGP

SLIDE 8

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM. Realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM.

Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

SLIDE 9

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM. Realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM. This is known as safe realisability.

Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

SLIDE 10

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM. Realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM. This is known as safe realisability.

This is the setting of the previous lecture, but now focusing on deadlock-free CFMs

Results:

1 Conditions for realisability of a finite set of MSCs by a

deadlock-free weak CFM.

Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

(

so

safe

SLIDE 11

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM. Realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM. This is known as safe realisability.

This is the setting of the previous lecture, but now focusing on deadlock-free CFMs

Results:

1 Conditions for realisability of a finite set of MSCs by a

deadlock-free weak CFM.

2 Checking safe realisability by deadlock-free CFMs is in P. Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

SLIDE 12

Today’s lecture

Today’s setting

Realisation of a finite set of MSCs by a deadlock-free weak CFM. Realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM. This is known as safe realisability.

This is the setting of the previous lecture, but now focusing on deadlock-free CFMs

Results:

1 Conditions for realisability of a finite set of MSCs by a

deadlock-free weak CFM.

2 Checking safe realisability by deadlock-free CFMs is in P.

(Realisability for weak CFMs that may deadlock is co-NP complete.)

Joost-Pieter Katoen Theoretical Foundations of the UML 7/18

SLIDE 13

Safe realisability

Possibly a set of MSCs is realisable only by a CFM that may deadlock

p q a a msc p q b b msc

process p and q have to agree on either a or b

Realisation of { M1, M2 } by a weak CFM:

!(p, q, a) !(p, q, b) ?(p, q, a) ?(p, q, b) !(q, p, a) !(q, p, b) ?(q, p, a) ?(q, p, b)

Deadlock occurs when, e.g., p sends a and q sends b

Joost-Pieter Katoen Theoretical Foundations of the UML 8/18 2 real is able

I

f

not

safe realise ble

.

@

.

Ap AE

SLIDE 14

Safe realisability

Definition (Safe realisability)

1 MSC M is safely realisable whenever {M} = L(A) for some

deadlock-free CFM A.

2 A finite set {M1, . . . , Mn} of MSCs is safely realisable whenever

{ M1, . . . , Mn} = L(A) for some deadlock-free CFM A.

3 MSG G is safely realisable whenever L(G) = L(A) for some

deadlock-free CFM A.

Phrased using linearisations

L ⊆ Act∗ is safely realisable if L = Lin(A) for some deadlock-free CFM A.

Note:

Safe realisability implies realisability, but the converse does not hold.

Joost-Pieter Katoen Theoretical Foundations of the UML 9/18

SLIDE 15

Overview

1

Safe realisability

2

Closure and inference revisited

3

Characterisation and complexity of safe realisability

Joost-Pieter Katoen Theoretical Foundations of the UML 10/18

SLIDE 16

Weak closure

Definition (Inference relation and closure)

For well-formed L ⊆ Act∗, and well-formed word w ∈ Act∗, let: L | = w iff (∀p ∈ P. ∃v ∈ L. wp = vp) Language L is closed under | = whenever for every w ∈ Act∗, it holds: L | = w implies w ∈ L.

Joost-Pieter Katoen Theoretical Foundations of the UML 11/18

↳?

sure

,

urn

*

Pz

i w Tpz = urp ,

SLIDE 17

Weak closure

Definition (Inference relation and closure)

For well-formed L ⊆ Act∗, and well-formed word w ∈ Act∗, let: L | = w iff (∀p ∈ P. ∃v ∈ L. wp = vp) Language L is closed under | = whenever for every w ∈ Act∗, it holds: L | = w implies w ∈ L.

Definition (Weak closure)

Language L is weakly closed under | = whenever for every well-formed prefix w of some word in L, it holds L | = w implies w ∈ L.

Weak closure thus restricts closure under | = to well-formed prefixes in L only. So far, closure was required for all w ∈ Act∗.

Joost-Pieter Katoen Theoretical Foundations of the UML 11/18

*

L

is

closed

under

f

→

L

is

weekly

closed under f " "

SLIDE 18

Deadlock-free closure

For language L, let pref(L) = {w | ∃u. w·u ∈ L} the set of prefixes of L.

Definition ((Deadlock-free) Inference relation)

For well-formed L ⊆ Act∗, and proper word w ∈ Act∗, i.e., w is a prefix

f a well-formed word, let:

L | =d

f w

iff (∀p ∈ P. ∃v ∈ pref(L). wp is a prefix of vp)

Joost-Pieter Katoen Theoretical Foundations of the UML 12/18

(

proper word

u

SLIDE 19

Deadlock-free closure

For language L, let pref(L) = {w | ∃u. w·u ∈ L} the set of prefixes of L.

Definition ((Deadlock-free) Inference relation)

For well-formed L ⊆ Act∗, and proper word w ∈ Act∗, i.e., w is a prefix

f a well-formed word, let:

L | =d

f w

iff (∀p ∈ P. ∃v ∈ pref(L). wp is a prefix of vp)

Definition (Closure under | =d

f)

Language L is closed under | =d

f whenever L |

=d

f w implies w ∈ pref(L).

Joost-Pieter Katoen Theoretical Foundations of the UML 12/18 .

SLIDE 20

p

9-

p I

a

→

b

← be

←

p

Partial

MSC

SLIDE 21

Deadlock-free closure

For language L, let pref(L) = {w | 9u. w·u 2 L} the set of prefixes of L.

Definition ((Deadlock-free) Inference relation)

For well-formed L ✓ Act∗, and proper word w 2 Act∗, i.e., w is a prefix

f a well-formed word, let:

L | =d

f w

iff (8p 2 P. 9v 2 pref(L). wp is a prefix of vp)

Definition (Closure under | =d

f)

Language L is closed under | =d

f whenever L |

=d

f w implies w 2 pref(L).

Intuition

The closure condition asserts that the set of partial MSCs (i.e., prefixes

f L) can be constructed from the projections of the MSCs in L onto

individual processes.

Joost-Pieter Katoen Theoretical Foundations of the UML 12/18 I . I #

partial

MS C

PIE TE

SLIDE 22

Example

p q a a msc p q b b msc

Example

L = Lin({M1, M2}) is not closed under | =d

f:

w = !(p, q, a)!(q, p, b) 62 pref(L) But: L | =d

f w since w is a proper prefix of a well-formed word, and

for process p, there exists u 2 L with wp = !(p, q, a) 2 pref({up}), and for process q, there exists v 2 L with wq = !(q, p, b) 2 pref({vq}). Note that L is closed under | =. So this shows that closure under | = does not imply closure under | =d

f.

Joost-Pieter Katoen Theoretical Foundations of the UML 13/18

M

not

µ

t

safe

2 real is able , realise ble

L

Edf

w but

w Cf pref

CL ) u= ! Cp , E. a) !

Carp , a)

?

Coe

, p , a ) ? fee , a) imply closure under

Edf

/

SLIDE 23

Deadlock-free weak CFM are closed under | =d

f

Lemma:

For every deadlock-free weak CFM A, Lin(A) is closed under | =d

f.

Proof.

Similar proof strategy as for the closure of weak CFMs under | = (see previous lecture).

Joost-Pieter Katoen Theoretical Foundations of the UML 14/18 =

I

g

SLIDE 24

Deadlock-free weak CFM are closed under | =d

f

Lemma:

For every deadlock-free weak CFM A, Lin(A) is closed under | =d

f.

Proof.

Similar proof strategy as for the closure of weak CFMs under | = (see previous lecture). Basic intuition is that if wp is a prefix of vp p, then from the point of view of process p, w can be prolonged with a word u, say, such that w·u = vp. This applies to all processes, and as the weak CFM is deadlock-free, such continuation is always possible.

Joost-Pieter Katoen Theoretical Foundations of the UML 14/18

SLIDE 25

Overview

1

Safe realisability

2

Closure and inference revisited

3

Characterisation and complexity of safe realisability

Joost-Pieter Katoen Theoretical Foundations of the UML 15/18

SLIDE 26

Characterisation of safe realisability

Theorem:

[Alur et al., 2001]

L ✓ Act∗ is safely realisable iff L is weakly closed under | = and closed under | =d

f.

Joost-Pieter Katoen Theoretical Foundations of the UML 16/18

I

① ②

sufficient t

|

closure under

necessary

condition

1= for

all well

formed

prefixes

f

L

SLIDE 27

Characterisation of safe realisability

Theorem:

[Alur et al., 2001]

L ✓ Act∗ is safely realisable iff L is weakly closed under | = and closed under | =d

f.

Proof

On the black board.

Joost-Pieter Katoen Theoretical Foundations of the UML 16/18

SLIDE 28

theorem

.

L

is

safely

reali

sable

if

and

nly

if

G)

L

is

weakly

closed under F

,

and

(2)

I

is

closed under

. fed ?

Root

"

⇒

" .

Assume

L

is

safely

real

,

sable

.

Then

a .

L

is

real

is

able

,

and

by

the

theorem

f

lecture g

,

it

follows

L

is

closed

under

t

.

This

implies

L

is

weakly

closed

under

t

.

b

.

There

is some

deadlock

free

CFM A

s . t .

Lin

(A)

=L

.

As

A

is

deadlock

free

and

weak

,

it

follows

by

the

lemma

in

this

lecture

that

Lin

(A)

=L

is

closed

under

Kd?

SLIDE 29

⇐

"

i

Assume

L

is

weekly

closed

.

under

F

,

and

L

is

closed

under

Fdf

.

Let

Lp

=

{

Wrp I

we

L }

,

for

any

process

p

.

Since L

is

finite

,

Lp

is

a

regular

word

language

.

let

Ap

be

a

DFA with

state

set

Qp

,

initial state

sin

and

accept

states

Fp

,

with

Llap )=Lp

V.

to

.g

. assume

that

all

states

in

Ap

are

productive

,

i

. e

,

for

any

state I

E Qp

it

is

possible

to

reach

some

state

in

Fp

.

Now

let

CFM

A

=

(

C Ap)p←p

,

Smit

, F)

with

Smit

=

IT

sine

and F=

IT

Fp

.

PEP PEP

Claim

.

①

Lin

(A)

=L

and

①

CFM A is

deadlock

free

. # s

( Obviously

,

then

L

is

safe

realise

ble )

.

Proof

. # →

①

"

Z

" ,

let WEL

.

Then

for

every

p

,

Wrp

C- Lp

.

Thus DFA

Ap

has

an

accepting

run

n

Wrp

,

end

as

Fe IT

Fp

,

CFM A

has

an

accepting

run

n

W

.

pep

SLIDE 30

I

" :

let

WE

Lin

CA )

.

As

Lin

(A)

is

well

formed

,

U is

well

formed

.

Since F=

IT

Fp

,

it

follows

Wfp

E

Lp

p

for

each

.

process

p

.

Thus

L

Fw

.

Since L

is

weakly

closed

under

t

,

and

w

is

well

formed

,

it

follows

WE

L

.

②

A-

is

deadlock free

.

This

is

proven

as

follows

.

Assume

A

has

read

the

input

word

WE

Act

* . w

may be either

accepted

r

not

.

If

it

is

accepted

,

there

is

nothing

to

prove

.

Assume

w

is

not

accepted

.

As

CFM

A- has

successfully

read

w

,

it

follows

Wrp

is

a

prefix

f

a

word

in

Lp

,

for

every

process

p

.

since L

is

closed

under

Hdf

,

it

follows

that

WE

pref

CL )

.

Let

w

.

UEL for

u -4

c

.

As

Ap

Is

deterministic

,

it has

a

unique (

local

,)

accepting

run

for

( w

. u ) Tp .

This

applies

to

every

process

p

.

As

F=

PIT

tf

,

it

follows

that

CFM A

has

a

unique

accepting

run

for

w

u

.

As

this

applies

to

every

W

,

it

follows

that

A

is

deadlock

free

XD

SLIDE 31

Characterisation of safe realisability

Theorem:

[Alur et al., 2001]

L ⊆ Act∗ is safely realisable iff L is weakly closed under | = and closed under | =d

f.

Proof

On the black board.

Corollary

The finite set of MSCs {M1, . . . , Mn} is safely realisable iff Sn

i=1 Lin(Mi) is closed under |

= and | =d

f.

Joost-Pieter Katoen Theoretical Foundations of the UML 16/18

x

weakly

closed under

f

, closed under

fedf

SLIDE 32

Characterisation of safe realisability

Theorem

For any well-formed L ⊆ Act∗: L is regular and closed under | = if and only if L = Lin(A) for some ∀-bounded weak CFM A.

Theorem

For any well-formed L ⊆ Act∗: L is regular, weakly closed under | = and closed under | =d

f

if and only if L = Lin(A) for some ∀-bounded deadlock-free weak CFM A.

Joost-Pieter Katoen Theoretical Foundations of the UML 17/18

reali

's ability

safe

realisability

SLIDE 33

Complexity of safe realisability

Theorem:

[Alur et al., 2001]

The decision problem “is a given set of MSCs safely realisable?” is in P.

Joost-Pieter Katoen Theoretical Foundations of the UML 18/18

y

finite

①

set

f

HSCs is weakly closed under

t

set

f

MSCS is

closed

under

Fdf

SLIDE 34

Complexity of safe realisability

Theorem:

[Alur et al., 2001]

The decision problem “is a given set of MSCs safely realisable?” is in P.

Proof

1 For a given finite set of MSCs, safe realisability can be checked in

time O((n2 + r)·k) where k is the number of processes, n the number of MSCs, and r the number of events in all MSCs together.

2 If the MSCs are not safely realisable, the algorithm returns an

MSC which is implied, but not included in the input set of MSCs. (We skip the details in this lecture.)

Joost-Pieter Katoen Theoretical Foundations of the UML 18/18

(

checking

Kalis

ability is co

NP-complete

.

(

sketch

)

.

.

(

is

inferred