An Efficient Simulation Algorithm based on Abstract Interpretation

An Efficient Simulation Algorithm based on Abstract Interpretation

Francesco Ranzato       Francesco Tapparo
Dipartimento di Matematica Pura ed Applicata, University of Padova, Italy
{ranzato,tapparo}math.unipd.it
Abstract

A number of algorithms for computing the simulation preorder are available. Let denote the state space, the transition relation and the partition of induced by simulation equivalence. The algorithms by Henzinger, Henzinger, Kopke and by Bloom and Paige run in -time and, as far as time-complexity is concerned, they are the best available algorithms. However, these algorithms have the drawback of a space complexity that is more than quadratic in the size of the state space. The algorithm by Gentilini, Piazza, Policriti — subsequently corrected by van Glabbeek and Ploeger — appears to provide the best compromise between time and space complexity. Gentilini et al.’s algorithm runs in -time while the space complexity is in . We present here a new efficient simulation algorithm that is obtained as a modification of Henzinger et al.’s algorithm and whose correctness is based on some techniques used in applications of abstract interpretation to model checking. Our algorithm runs in -time and -space. Thus, this algorithm improves the best known time bound while retaining an acceptable space complexity that is in general less than quadratic in the size of the state space. An experimental evaluation showed good comparative results with respect to Henzinger, Henzinger and Kopke’s algorithm.

\DefineVerbatimEnvironment

codeVerbatimcommandchars=

, codes=, frame=single \DefineVerbatimEnvironmentcodenumberVerbatimcommandchars=

, codes=, frame=lines, numbers=left

1 Introduction

Abstraction techniques are widely used in model checking to hide some properties of the concrete model in order to define a reduced abstract model where to run the verification algorithm [1, 9]. Abstraction provides an effective solution to deal with the state-explosion problem that arises in model checking systems with parallel components [7]. The reduced abstract structure is required at least to weakly preserve a specification language of interest: if a formula is satisfied by the reduced abstract model then must hold on the original unabstracted model as well. Ideally, the reduced model should be strongly preserving w.r.t. : holds on the concrete model if and only if is satisfied by the reduced abstract model. One common approach for abstracting a model consists in defining a logical equivalence or preorder on system states that weakly/strongly preserves a given temporal language. Moreover, this equivalence or preorder often arises as a behavioural relation in the context of process calculi [10]. Two well-known examples are bisimulation equivalence that strongly preserves expressive logics such as and the full -calculus [5] and the simulation preorder that ensures weak preservation of universal and existential fragments of the -calculus like and as well as of linear-time languages like  [22, 25]. Simulation equivalence, namely the equivalence relation obtained as symmetric reduction of the simulation preorder, is particularly interesting because it can provide a significantly better state space reduction than bisimulation equivalence while retaining the ability of strongly preserving expressive temporal languages like .

State of the Art.

It is known that computing simulation is harder than computing bisimulation [24]. Let denote a Kripke structure on the state space , with transition relation and labeling function , for a given set of atomic propositions. Bisimulation equivalence can be computed by the well-known Paige and Tarjan’s [26] algorithm that runs in -time. A number of algorithms for computing simulation equivalence exist, the most well known are by Henzinger, Henzinger and Kopke [23], Bloom and Paige [2], Bustan and Grumberg [6], Tan and Cleaveland [29] and Gentilini, Piazza and Policriti [18], this latter subsequently corrected by van Glabbeek and Ploeger [21]. The algorithms by Henzinger, Henzinger, Kopke and by Bloom and Paige run in -time and, as far as time-complexity is concerned, they are the best available algorithms. However, both these algorithms have the drawback of a space complexity that is bounded from below by . This is due to the fact that the simulation preorder is computed in an explicit way, i.e., for any state , the set of states that simulate is explicitly given as output. This quadratic lower bound in the size of the state space is clearly a critical issue in model checking. There is therefore a strong motivation for designing simulation algorithms that are less demanding on space requirements. Bustan and Grumberg [6] provide a first solution in this direction. Let denote the partition corresponding to simulation equivalence on so that is the number of simulation equivalence classes. Then, Bustan and Grumberg’s algorithm has a space complexity in , although the time complexity in remains a serious drawback. The simulation algorithm by Tan and Cleaveland [29] simultaneously computes also the state partition corresponding to bisimulation equivalence. Under the simplifying assumption of dealing with a total transition relation, this procedure has a time complexity in and a space complexity in (the latter factor does not appear in [29] and takes into account the relation that maps each state into its bisimulation equivalence class). The algorithm by Gentilini, Piazza and Policriti [18] appears to provide the best compromise between time and space complexity. Gentilini et al.’s algorithm runs in -time, namely it remarkably improves on Bustan and Grumberg’s algorithm and is not directly comparable with Tan and Cleaveland’s algorithm, while the space complexity is the same of Bustan and Grumberg’s algorithm and improves on Tan and Cleaveland’s algorithm. Moreover, Gentilini et al. show experimentally that in most cases their procedure improves on Tan and Cleaveland’s algorithm both in time and space.

Main Contributions.

This work presents a new efficient simulation algorithm, called , that runs in -time and -space. Thus, while retaining an acceptable space complexity that is in general less than quadratic in the size of the state space, our algorithm improves the best known time bound.
Let us recall that a relation between states is a simulation if for any such that , and for any such that , there exists such that and . Then, simulates , namely the pair belongs to the simulation preorder , if there exists a simulation relation such . Also, and are simulation equivalent, namely they belong to the same block of the simulation partition , if simulates and vice versa.
Our simulation algorithm is designed as a modification of Henzinger, Henzinger and Kopke’s [23] algorithm, here denoted by . The space complexity of is in . This is a consequence of the fact that computes explicitly the simulation preorder, namely it maintains for any state a set of states , called the simulator set of , which stores states that are currently candidates for simulating . Our algorithm computes instead a symbolic representation of the simulation preorder, namely it maintains: (i) a partition of the state space that is always coarser than the final simulation partition and (ii) a relation on the current partition that encodes the simulation relation between blocks of simulation equivalent states. This symbolic representation is the key both for obtaining the time bound and for limiting the space complexity of in , so that memory requirements may be lower than quadratic in the size of the state space.
The basic idea of our approach is to investigate whether the logical structure of the algorithm may be preserved by replacing the family of sets of states with the following state partition induced by : two states and are equivalent in iff for all , . Additionally, we store and maintain a preorder relation on the partition that gives rise to a so-called partition-relation pair . The logical meaning of this data structure is that if and then any state in is currently candidate to simulate each state in , while two states and in the same block are currently candidates to be simulation equivalent. Hence, a partition-relation pair represents the current approximation of the simulation preorder and in particular represents the current approximation of simulation equivalence. It turns out that the information encoded by a partition-relation pair is enough for preserving the logical structure of . In fact, analogously to the stepwise design of the procedure, this approach leads us to design a basic procedure based on partition-relation pairs which is then refined twice in order to obtain the final simulation algorithm . The correctness of is proved w.r.t. the basic algorithm and relies on abstract interpretation techniques [12, 13]. More specifically, we exploit some previous results [27] that show how standard strong preservation of temporal languages in abstract Kripke structures can be generalized by abstract interpretation and cast as a so-called completeness property of abstract domains. On the other hand, the simulation algorithm is designed as an efficient implementation of the basic procedure where the symbolic representation based on partition-relation pairs allows us to replace the size of the state space in the time and space bounds of with the size of the simulation partition in the corresponding bounds for .
Both and have been implemented in C++. This practical evaluation considered benchmarks from the VLTS (Very Large Transition Systems) suite [30] and some publicly available Esterel programs. The experimental results showed that outperforms .

2 Background

2.1 Preliminaries

Notations.

Let and be sets. If and is understood as a universe set then . If then the image of is denoted by . When writing a set of subsets of a given set of integers, e.g. a partition, is often written in a compact form like or that stands for . If is any relation then denotes the reflexive and transitive closure of . Also, if then .

Orders.

Let be a poset, that may also be denoted by . We use the symbol to denote pointwise ordering between functions: If is any set and then if for all , . If then denotes the set of maximal elements of in . A complete lattice is also denoted by where , , and denote, respectively, lub, glb, greatest element and least element in . A function between complete lattices is additive when preserves least upper bounds. Let us recall that a reflexive and transitive relation on a set is called a preorder on .

Partitions.

A partition of a set is a set of nonempty subsets of , called blocks, that are pairwise disjoint and whose union gives . denotes the set of partitions of . If and then denotes the block of that contains . is endowed with the following standard partial order : , i.e.  is coarser than (or refines ) iff . If , and then (when clear from the context the subscript may be omitted) denotes the unique block in that contains . For a given nonempty subset called splitter, we denote by the partition obtained from by replacing each block with the nonempty sets and , where we also allow no splitting, namely (this happens exactly when is a union of some blocks of ).

Kripke Structures.

A transition system consists of a set of states and a transition relation . The relation is total when for any there exists some such that . The predecessor/successor transformers (when clear from the context the subscript may be omitted) are defined as usual:

  • ;

  • .

Let us remark that and are additive operators on the complete lattice . If then iff there exist and such that .

Given a set of atomic propositions (of some specification language), a Kripke structure over consists of a transition system together with a state labeling function . A Kripke structure is called total when its transition relation is total. We use the following notation: for any , denotes the equivalence class of a state w.r.t. the labeling , while is the partition induced by .

2.2 Simulation Preorder and Equivalence

Recall that a relation is a simulation on a Kripke structure over a set of atomic propositions if for any such that :

  • ;

  • For any such that , there exists such that and .

If then we say that simulates . The empty relation is a simulation and simulation relations are closed under union, so that the largest simulation relation exists. It turns out that the largest simulation is a preorder relation called simulation preorder (on ) and denoted by . Simulation equivalence is the symmetric reduction of , namely . denotes the partition corresponding to and is called simulation partition.

It is a well known result in model checking [14, 22, 25] that the reduction of w.r.t. simulation equivalence allows us to define an abstract Kripke structure that strongly preserves the temporal language , where: is the abstract state space, is the abstract transition relation between simulation equivalence classes, while for any block , for any representative . It turns out that strongly preserves , i.e., for any , and , we have that if and only if .

2.3 Abstract Interpretation

Abstract Domains as Closures.

In standard abstract interpretation, abstract domains can be equivalently specified either by Galois connections/insertions or by (upper) closure operators (uco’s) [13]. These two approaches are equivalent, modulo isomorphic representations of domain’s objects. We follow here the closure operator approach: this has the advantage of being independent from the representation of domain’s objects and is therefore appropriate for reasoning on abstract domains independently from their representation.

Given a state space , the complete lattice plays the role of concrete domain. Let us recall that an operator is a uco on , that is an abstract domain of , when is monotone, idempotent and extensive (viz., ). It is well known that the set of all uco’s on , endowed with the pointwise ordering , gives rise to the complete lattice of all the abstract domains of . The pointwise ordering on is the standard order for comparing abstract domains with regard to their precision: means that the domain is a more precise abstraction of than , or, equivalently, that the abstract domain is a refinement of .

A closure is uniquely determined by its image , which coincides with its set of fixpoints, as follows: . Also, a set of subsets is the image of some closure operator iff is a Moore-family of , i.e., (where ). In other terms, is a Moore-family (or Moore-closed) when is closed under arbitrary intersections. In this case, is the corresponding closure operator. For any , is called the Moore-closure of , i.e., is the least set of subsets of which contains all the subsets in and is Moore-closed. Moreover, it turns out that for any and any Moore-family , and . Thus, closure operators on are in bijection with Moore-families of . This allows us to consider a closure operator both as a function and as a Moore-family . This is particularly useful and does not give rise to ambiguity since one can distinguish the use of a closure as function or set according to the context.

Abstract Domains and Partitions.

As shown in [27], it turns out that partitions can be viewed as particular abstract domains. Let us recall here that any abstract domain induces a partition that corresponds to the following equivalence relation on :

Example 2.1.

Let and consider the following abstract domains in that are given as intersection-closed subsets of : , , . These abstract domains all induce the same partition . For example, , so that . ∎

Forward Completeness.

Let us consider an abstract domain , a concrete semantic function and a corresponding abstract semantic function (for simplicity of notation, we consider 1-ary functions). It is well known that the abstract interpretation is sound when holds: this means that a concrete computation on an abstract object is correctly approximated in by , that is, . Forward completeness corresponds to require the following strengthening of soundness: is forward complete when : The intuition here is that the abstract function is able to mimic on the abstract domain with no loss of precision. This is called forward completeness because a dual and more standard notion of backward completeness may also be considered (see e.g. [19]).

Example 2.2.

As a toy example, let us consider the following abstract domain for representing the sign of an integer variable: . The concrete pointwise addition on sets of integers, that is , is approximated in by the abstract addition that is defined as expected by the following table:

It turns out that is forward complete, i.e., for any , . ∎

It turns out that the possibility of defining a forward complete abstract interpretation on a given abstract domain does not depend on the choice of the abstract function but depends only on the abstract domain . This means that if is forward complete then the abstract function indeed coincides with the best correct approximation of the concrete function on the abstract domain . Hence, for any abstract domain and abstract function , it turns out that is forward complete if and only if is forward complete. This allows us to define the notion of forward completeness independently of abstract functions as follows: an abstract domain is forward complete for (or forward -complete) iff . Let us remark that is forward -complete iff the image is closed under applications of the concrete function . If is a set of concrete functions then is forward complete for when is forward complete for all .

Forward Complete Shells.

It turns out [19, 27] that any abstract domain can be refined to its forward -complete shell, namely to the most abstract domain that is forward complete for and refines . This forward -complete shell of is thus defined as

Forward complete shells admit a constructive fixpoint characterization. Given , consider the operator defined by

Thus, refines the abstract domain by adding the images of for all the functions in . It turns out that is monotone and therefore admits the greatest fixpoint, denoted by , which provides the forward -complete shell of : .

Disjunctive Abstract Domains.

An abstract domain is disjunctive (or additive) when is additive and this happens exactly when the image is closed under arbitrary unions. Hence, a disjunctive abstract domain is completely determined by the image of on singletons because for any , . The intuition is that a disjunctive abstract domain does not lose precision in approximating concrete set unions. We denote by the set of disjunctive abstract domains.

Given any abstract domain , it turns out [13, 20] that can be refined to its disjunctive completion : this is the most abstract disjunctive domain that refines . The disjunctive completion can be obtained by closing the image under arbitrary unions, namely , where .

It turns out that an abstract domain is disjunctive iff is forward complete for arbitrary concrete set unions, namely, is disjunctive iff for any , . Thus, when is finite, the disjunctive completion of coincides with the forward -complete shell of . Also, since the predecessor transformer preserves set unions, it turns out that the forward complete shell for can be obtained by iteratively closing the image of under and then by taking the disjunctive completion, i.e., .

Example 2.3.

Let us consider the abstract domain in Example 2.1. We have that is not disjunctive because while . The disjunctive completion is obtained by closing under unions: . ∎

Some Properties of Abstract Domains.

Let us summarize some easy properties of abstract domains that will be used in later proofs.

Lemma 2.4.

Let , , such that and .

  • For any , .

  • For any , .

  • For any , .

  • .

Proof.

(i)  In general, by definition of , for any and , . Hence, since we have that .
(ii)  Clearly, . On the other hand, given , let be the block in that contains . Then, , so that .
(iii)

(iv)  Since , we have that . On the other hand, if then for all , , so that . ∎

3 Simulation Preorder as a Forward Complete Shell

Ranzato and Tapparo [27] showed how strong preservation of specification languages in standard abstract models like abstract Kripke structures can be generalized by abstract interpretation and cast as a forward completeness property of generic abstract domains that play the role of abstract models. We rely here on this framework in order to show that the simulation preorder can be characterized as a forward complete shell for set union and the predecessor transformer. Let be a Kripke structure. Recall that the labeling function induces the state partition . This partition can be made an abstract domain by considering the Moore-closure of that simply adds to the empty set and the whole state space, namely .

Theorem 3.1.

Let be the forward -complete shell of . Then, and .

Proof.

Given a disjunctive abstract domain , define . We prove the following three preliminary facts:

  • is forward complete for iff satisfies the following property: for any such that and there exists such that and . Observe that the disjunctive closure is forward complete for iff for any , if then , and this happens iff for any , if then . This latter statement is equivalent to the fact that for any such that and , there exists such that , namely, for any such that and , there exists such that and .

  • iff satisfies the property that for any , if then : In fact, .

  • Clearly, given , iff .

Let us show that . By definition, is the most abstract disjunctive closure that is forward complete for and refines . Thus, by the above points (1) and (2), it turns out that is a simulation on . Consider now any simulation on and the function . Let us notice that and . Also, the relation is a simulation because is a simulation. Since is a simulation, we have that satisfies the conditions of the above points (1) and (2) so that is forward complete for and . Moreover, is disjunctive so that is also forward complete for . Thus, . Hence, by point (3) above, so that . We have therefore shown that is the largest simulation on .

The fact that comes as a direct consequence because for any , iff and . From we obtain that iff and iff . This holds iff and belong to the same block in . ∎

Thus, the simulation preorder is characterized as the forward complete shell of an initial abstract domain induced by the labeling w.r.t. set union and the predecessor transformer while simulation equivalence is the partition induced by this forward complete shell. Let us observe that set union and the predecessor provide the semantics of, respectively, logical disjunction and the existential next operator . As shown in [27], simulation equivalence can be also characterized in a precise meaning as the most abstract domain that strongly preserves the language

Example 3.2.

Let us consider the Kripke structure depicted below where the atoms and determine the labeling function .

\xymatrix@R=8pt *++[o][F]1 \ar@(dl,ul)[] \ar[r]^(0.3)p & *++[o][F]3 \ar[r]^(0.3)p^(0.7)q & *++[o][F]4 \ar@(dr,ur)[]
*++[o][F]2\ar[ru] ^(0.25)p & &

It is simple to observe that because: (i) while we have that so that and are not simulation equivalent to ; (ii) while we have that so that is not simulation equivalent to .

The abstract domain induced by the labeling is . As observed above, the forward complete shell so that this domain can be obtained by iteratively closing the image of under and then by taking the disjunctive completion:

  • ;

  • ;

  • ;

  •    (fixpoint).

is thus given by the disjunctive completion of , i.e., . Note that , , and . Hence, by Theorem 3.1, the simulation preorder is , while . ∎

Theorem 3.1 is one key result for proving the correctness of our simulation algorithm while it is not needed for understanding how works and how to implement it efficiently.

4 Partition-Relation Pairs

Let and be any relation on the partition . One such pair is called a partition-relation pair. A partition-relation pair induces a disjunctive closure as follows: for any ,

It is easily shown that is indeed a disjunctive uco. Note that, for any and ,

This correspondence is a key logical point for proving the correctness of our simulation algorithm. In fact, our algorithm maintains a partition-relation pair, where the relation is a preorder, and our proof of correctness depends on the fact that this partition-relation pair logically represents a corresponding disjunctive abstract domain.

Example 4.1.

Let , and . Note that . The disjunctive abstract domain