Modelling Concurrent Systems
2.1.2 Modeling Hardware and Software Systems
This section illustrates the use of transition systems by elaborating on the modeling of (synchronous) hardware circuits and sequential data-dependent systems – a kind of simple sequential computer programs. For both cases, the basic concept is that states represent possible storage configurations (i.e., evaluations of relevant “variables”), and state changes (i.e., transitions) represent changes of “variables”. Here, the term “variable” has to be understood in the broadest sense. For computer programs a variable can be a control variable (like a program counter) or a program variable. For circuits a variable can, e.g., stand for either a register or an input bit.
Sequential Hardware Circuits
Before presenting a general recipe for modeling sequential hardware circuits as transition systems we consider a simple example to clarify the basic concepts.
Example 2.11. A Simple Sequential Hardware Circuit
Consider the circuit diagram of the sequential circuit with input variable x, output variable y, and register r (see left part of Figure 2.2). The control function for output variable y is given by
λy = ¬(x ⊕ r)
Figure 2.2: Transition system representation of a simple hardware circuit. (Left part: the circuit built from an XOR, an OR and a NOT gate with input x, register r and output y; right part: the transition system over the four states ⟨x = 0, r = 0⟩, ⟨x = 0, r = 1⟩, ⟨x = 1, r = 0⟩ and ⟨x = 1, r = 1⟩.)
where ⊕ stands for exclusive or (XOR, or parity function). The register evaluation changes according to the circuit function
δr = x ∨ r.
Note that once the register evaluation is [r = 1], r keeps that value. Under the initial register evaluation [r = 0], the circuit behavior is modeled by the transition system TS with state space
S = Eval(x, r)
where Eval(x, r) stands for the set of evaluations of input variable x and register variable r. The initial states of TS are I = { ⟨x = 0, r = 0⟩, ⟨x = 1, r = 0⟩ }. Note that there are two initial states as we do not make any assumption about the initial value of the input bit x.
The set of actions is irrelevant and omitted here. The transitions result directly from the functions λy and δr. For instance, ⟨x = 0, r = 1⟩ −→ ⟨x = 0, r = 1⟩ if the next input bit equals 0, and ⟨x = 0, r = 1⟩ −→ ⟨x = 1, r = 1⟩ if the next input bit is 1.
It remains to consider the labeling L. Using the set of atomic propositions AP = {x, y, r}, the state ⟨x = 0, r = 1⟩, e.g., is labeled with {r}. It is not labeled with y since the circuit function ¬(x ⊕ r) results in the value 0 for this state. For state ⟨x = 1, r = 1⟩ we obtain L(⟨x = 1, r = 1⟩) = {x, r, y}, as λy yields the value 1. Accordingly, we obtain:
L(⟨x = 0, r = 0⟩) = {y}, and L(⟨x = 1, r = 0⟩) = {x}. The resulting transition system (with this labeling) is depicted in the right part of Figure 2.2.
Alternatively, using the set of propositions AP = {x, y} – the register evaluations are assumed to be “invisible” – one obtains:
L(⟨x = 0, r = 0⟩) = {y}   L(⟨x = 0, r = 1⟩) = ∅   L(⟨x = 1, r = 0⟩) = {x}   L(⟨x = 1, r = 1⟩) = {x, y}
The propositions in AP suffice to formalize, e.g., the property “the output bit y is set infinitely often”. Properties that refer to the register r are not expressible.
The approach taken in this example can be generalized toward arbitrary sequential hardware circuits (without “don’t cares”) with n input bits x1, . . . , xn, m output bits y1, . . . , ym, and k registers r1, . . . , rk as follows. The states of the transition system represent the evaluations of the n+k input and register bits x1, . . . , xn, r1, . . . , rk. The evaluation of output bits depends on the evaluations of input bits and registers and can be derived from the states. Transitions represent the behavior, whereas it is assumed that the values of input bits are nondeterministically provided (by the circuit environment). Furthermore, we assume a given initial register evaluation
[r1 = c0,1, . . . , rk = c0,k]
where c0,i denotes the initial value of register i for 0 < i ≤ k. Alternatively, a set of possible initial register evaluations may be given.
The transition system TS = (S, Act, →, I, AP, L) modeling this sequential hardware circuit has the following components. The state space S is determined by
S = Eval(x1, . . . , xn, r1, . . . , rk).
Here, Eval(x1, . . . , xn, r1, . . . , rk) stands for the set of evaluations of input variables xi and registers rj and can be identified with the set {0,1}^(n+k).² Initial states are of the form (. . . , c0,1, . . . , c0,k) where the k registers are evaluated with their initial value. The first n components prescribing the values of input bits are arbitrary. Thus, the set of initial states is
I = { (a1, . . . , an, c0,1, . . . , c0,k) | a1, . . . , an ∈ {0,1} }.
The set Act of actions is irrelevant, and we choose Act = {τ}. For simplicity, let the set of atomic propositions be
AP = {x1, . . . , xn, y1, . . . , ym, r1, . . . , rk}.
(In practice, this could be defined as any subset of this AP.) Thus, any register, any input bit, and any output bit can be used as an atomic proposition. The labeling function assigns to any state s ∈ Eval(x1, . . . , xn, r1, . . . , rk) exactly those atomic propositions xi, rj which are evaluated to 1 under s. If for state s, output bit yi is evaluated to 1, then (and only then) the atomic proposition yi is part of L(s). Thus,
L(a1, . . . , an, c1, . . . , ck) = {xi | ai = 1} ∪ {rj | cj = 1} ∪ {yi | λyi(a1, . . . , an, c1, . . . , ck) = 1}
where λyi : S → {0,1} is the switching function corresponding to output bit yi that results from the gates of the circuit.
² An evaluation s ∈ Eval(·) is a mapping which assigns a value s(xi) ∈ {0,1} to any input bit xi. Similarly, every register rj is mapped onto a value s(rj) ∈ {0,1}. To simplify matters, we assume every element s ∈ S to be a bit-tuple of length n+k. The ith bit is set if and only if xi is evaluated to 1 (0 < i ≤ n). Accordingly, the (n+j)th bit indicates the evaluation of rj (0 < j ≤ k).
Transitions exactly represent the behavior. In the following, let δrj denote the transition function for register rj resulting from the circuit diagram. Then:
(a1, . . . , an, c1, . . . , ck) −→τ (a1', . . . , an', c1', . . . , ck')
where a1, . . . , an is the input evaluation and c1, . . . , ck the register evaluation of the source state, if and only if cj' = δrj(a1, . . . , an, c1, . . . , ck) for all 0 < j ≤ k. Assuming that the evaluation of input bits changes nondeterministically, no restrictions on the bits a1', . . . , an' are imposed.
It is left to the reader to check that applying this recipe to the example circuit in the left part of Figure 2.2 indeed results in the transition system depicted in the right part of that figure.
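The recipe above, carried out in code and applied to the circuit of Figure 2.2. This is an added example and not code from the book: states are bit tuples of length n+k as in footnote 2, the functions λy and δr are passed in as ordinary Python functions over such a tuple, and the transition system is returned as a dictionary with the components S, Act, →, I, AP and L. The reachability routine is the standard breadth-first search from the initial states.

```python
"""From a synchronous sequential circuit (n input bits, k registers, m output bits)
to the transition system TS = (S, Act, ->, I, AP, L), following the recipe above.
Added example, not code from the book."""
from collections import deque
from itertools import product


def build_ts(input_names, reg_names, outputs, deltas, init_regs):
    """Return a dict holding the components S, Act, ->, I, AP and L.

    outputs:   dict  y -> lambda_y(state) in {0, 1}   (switching functions)
    deltas:    list  [delta_r1, ..., delta_rk], delta_rj(state) in {0, 1}
    init_regs: set of k-tuples of initial register values (one tuple per c0)
    A state is a bit tuple: first n bits = inputs, last k bits = registers.
    """
    n, k = len(input_names), len(reg_names)
    states = list(product((0, 1), repeat=n + k))        # S = {0,1}^(n+k)
    initial = {s for s in states if s[n:] in init_regs}  # input bits arbitrary
    trans = set()
    for s in states:
        next_regs = tuple(d(s) for d in deltas)         # c'_j = delta_rj(s)
        for a in product((0, 1), repeat=n):             # next inputs: no restriction
            trans.add((s, "tau", a + next_regs))
    labels = {}
    for s in states:
        ap = {x for x, bit in zip(input_names, s[:n]) if bit}
        ap |= {r for r, bit in zip(reg_names, s[n:]) if bit}
        ap |= {y for y, lam in outputs.items() if lam(s) == 1}
        labels[s] = frozenset(ap)
    return {
        "S": set(states),
        "Act": {"tau"},
        "->": trans,
        "I": initial,
        "AP": set(input_names) | set(reg_names) | set(outputs),
        "L": labels,
    }


def successors(ts, s):
    """Post(s): all states reachable from s in one transition."""
    return {t for (src, _, t) in ts["->"] if src == s}


def reachable(ts):
    """Reach(TS): breadth-first search from the initial states."""
    seen, todo = set(ts["I"]), deque(ts["I"])
    while todo:
        s = todo.popleft()
        for t in successors(ts, s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def figure_2_2_ts():
    """Circuit of Example 2.11: lambda_y = not(x xor r), delta_r = x or r, r = 0 initially."""
    lam_y = lambda s: int(not (s[0] ^ s[1]))   # s = (x, r)
    delta_r = lambda s: s[0] | s[1]
    return build_ts(["x"], ["r"], {"y": lam_y}, [delta_r], {(0,)})


if __name__ == "__main__":
    ts = figure_2_2_ts()
    for s in sorted(ts["S"]):
        print("<x=%d, r=%d>" % s, "L =", sorted(ts["L"][s]), "-> ", sorted(successors(ts, s)))
```

Running the script prints the four states of Figure 2.2 with exactly the labels computed in Example 2.11; the two initial states are ⟨x=0, r=0⟩ and ⟨x=1, r=0⟩, and every successor of a state with r = 1 again has r = 1, which is the "r keeps that value" remark made concrete.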
Data-Dependent Systems
The executable actions of a data-dependent system typically result from conditional branching, as in
if x % 2 = 1 then x := x + 1 else x := 2·x fi.
In principle, when modeling this program fragment as a transition system, the conditions of transitions could be omitted and conditional branchings could be replaced by nondeterminism; but, generally speaking, this results in a very abstract transition system for which only a few relevant properties can be verified. Alternatively, conditional transitions can be used and the resulting graph (labeled with conditions) can be unfolded into a transition system that subsequently can be subject to verification. This unfolding approach is detailed below. We first illustrate this by means of an example.
Example 2.12. Beverage Vending Machine Revisited
Consider an extension of the beverage vending machine described earlier in Example 2.2 (page 21) which counts the number of soda and beer bottles and returns inserted coins if the vending machine is empty. For the sake of simplicity, the vending machine is represented by the two locations start and select. The following conditional transitions
start --[true : coin]--> select   and   start --[true : refill]--> start
model the insertion of a coin and refilling the vending machine. Labels of conditional transitions are of the form g : α where g is a Boolean condition (called guard), and α is an action that is possible once g holds. As the condition for both conditional transitions above always holds, the action coin is always enabled in the starting location. To keep things simple, we assume that by refill both storages are entirely refilled. Conditional transitions
select --[nsoda > 0 : sget]--> start   and   select --[nbeer > 0 : bget]--> start
model that soda (or beer) can be obtained if there is some soda (or beer) left in the vending machine. The variables nsoda and nbeer record the number of soda and beer bottles in the machine, respectively. Finally, the vending machine automatically switches to the initial start location while returning the inserted coin once there are no bottles left:
select --[nsoda = 0 ∧ nbeer = 0 : ret_coin]--> start
Let the maximum capacity of both bottle repositories be max. The insertion of a coin (by action coin) leaves the number of bottles unchanged. The same applies when a coin is returned (by action ret_coin). The effect of the other actions is as follows:
Action   Effect
refill   nsoda := max; nbeer := max
sget     nsoda := nsoda − 1
bget     nbeer := nbeer − 1
The graph consisting of locations as nodes and conditional transitions as edges is not a transition system, since the edges are provided with conditions. A transition system, however, can be obtained by “unfolding” this graph. For instance, Figure 2.3 on page 31 depicts this unfolded transition system when max equals 2. The states of the transition system keep track of the current location in the graph described above and of the number of soda and beer bottles in the vending machine (as indicated by the gray and black dots, respectively, inside the nodes of the graph).
The ideas outlined in the previous example are formalized by using so-called program graphs over a set Var of typed variables such as nsoda and nbeer in the example. Essentially, this means that a standardized type (e.g., boolean, integer, or char) is associated with each variable. The type of variable x is called the domain dom(x) of x. Let Eval(Var) denote the set of (variable) evaluations that assign values to variables. Cond(Var) is the set of Boolean conditions over Var, i.e., propositional logic formulae whose propositional symbols are of the form “x ∈ D” where x = (x1, . . . , xn) is a tuple consisting of pairwise distinct variables in Var and D is a subset of dom(x1) × . . . × dom(xn). The proposition
(−3 < x − x' ≤ 5) ∧ (x ≤ 2·x') ∧ (y = green),
for instance, is a legal Boolean condition for integer variables x and x', and y a variable with, e.g., dom(y) = {red, green}. Here and in the sequel, we often use simplified notations
Figure 2.3: Transition system modeling the extended beverage vending machine. (For max = 2: states are pairs of a location, start or select, with the current soda and beer counts drawn as dots inside the nodes; edges are labeled coin, sget, bget, ret_coin and refill.)
for the propositional symbols such as “3 < x − x' ≤ 5” instead of “(x, x') ∈ {(n, m) ∈ ℕ² | 3 < n − m ≤ 5}”.
Initially, we do not restrict the domains. dom(x) can be an arbitrary, possibly infinite, set. Even if in real computer systems all domains are finite (e.g., the type integer only includes integers n of a finite domain, like −2^16 < n < 2^16), the logical or algorithmic structure of a program is often based on infinite domains. The decision which restrictions on domains are useful for implementation, e.g., how many bits should be provided for the representation of variables of type integer, is delayed until a later design stage and is ignored here.
A program graph over a set of typed variables is a digraph whose edges are labeled with conditions on these variables and actions. The effect of the actions is formalized by means of a mapping
Effect : Act × Eval(Var) → Eval(Var)
which indicates how the evaluation η of variables is changed by performing an action. If, e.g., α denotes the action x := y + 5, where x and y are integer variables, and η is the evaluation with η(x) = 17 and η(y) = −2, then
Effect(α, η)(x) = η(y) + 5 = −2 + 5 = 3, and Effect(α, η)(y) = η(y) = −2.
Effect(α, η) is thus the evaluation that assigns 3 to x and −2 to y. The nodes of a program graph are called locations and have a control function since they specify which of the conditional transitions are possible.
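The unfolding of Example 2.12 and the Effect mapping just defined, written out in code. This is an added example, not code from the book: a program graph is represented by its guarded edges (loc, g, α, loc'), Effect is built from per-action assignment lists so that x := y + 5 from the paragraph above and the vending machine's refill, sget and bget are instances of the same construction, and the unfolding explores the pairs ⟨loc, η⟩ reachable from the initial ones. One assumption not stated on this page: the vending machine is taken to start in location start with both repositories full.

```python
"""Program graph -> transition system by unfolding (Example 2.12, Effect mapping).
Added example, not code from the book."""
from collections import deque


def make_effect(assignments):
    """Effect : Act x Eval(Var) -> Eval(Var) from per-action assignment lists.

    assignments: action -> [(var, f)], f(eta) being the new value of var. Every
    right-hand side is evaluated in the old evaluation eta (simultaneous update);
    an action without an entry leaves eta unchanged (coin and ret_coin below).
    """
    def effect(action, eta):
        new = dict(eta)
        for var, f in assignments.get(action, []):
            new[var] = f(eta)
        return new
    return effect


def mk_state(loc, eta):
    """Hashable state <loc, eta> of the unfolded transition system."""
    return (loc, tuple(sorted(eta.items())))


def unfold(init_locs, init_eta, edges, effect):
    """Return {S, I, ->} of the transition system reachable from <l0, eta0>.

    edges: list of (loc, guard, action, loc') with guard(eta) -> bool.
    Terminates only if the reachable state space is finite; here the capacity
    max bounds nsoda and nbeer, so it does.
    """
    initial = {mk_state(l, init_eta) for l in init_locs}
    states, trans, todo = set(initial), set(), deque(initial)
    while todo:
        loc, items = todo.popleft()
        eta = dict(items)
        for src, guard, action, dst in edges:
            if src == loc and guard(eta):           # g : alpha enabled in <loc, eta>
                t = mk_state(dst, effect(action, eta))
                trans.add(((loc, items), action, t))
                if t not in states:
                    states.add(t)
                    todo.append(t)
    return {"S": states, "I": initial, "->": trans}


def vending_machine_ts(max_bottles):
    """Extended beverage vending machine of Example 2.12 with capacity max_bottles.
    Assumption (not on this page): initial location start, both repositories full."""
    edges = [
        ("start", lambda e: True, "coin", "select"),
        ("start", lambda e: True, "refill", "start"),
        ("select", lambda e: e["nsoda"] > 0, "sget", "start"),
        ("select", lambda e: e["nbeer"] > 0, "bget", "start"),
        ("select", lambda e: e["nsoda"] == 0 and e["nbeer"] == 0, "ret_coin", "start"),
    ]
    effect = make_effect({
        "refill": [("nsoda", lambda e: max_bottles), ("nbeer", lambda e: max_bottles)],
        "sget": [("nsoda", lambda e: e["nsoda"] - 1)],
        "bget": [("nbeer", lambda e: e["nbeer"] - 1)],
    })
    return unfold({"start"}, {"nsoda": max_bottles, "nbeer": max_bottles}, edges, effect)


def enabled_actions(ts, state):
    """Actions labeling the outgoing transitions of a state."""
    return {a for (s, a, _) in ts["->"] if s == state}


if __name__ == "__main__":
    ts = vending_machine_ts(2)
    print(len(ts["S"]), "states,", len(ts["->"]), "transitions")
    for s, a, t in sorted(ts["->"]):
        print(s, "--", a, "->", t)
```

With max = 2 the unfolding yields the 18 states of Figure 2.3 (both locations times the nine counter combinations) and 31 transitions; in ⟨select, nsoda = 0, nbeer = 0⟩ only ret_coin is enabled, which is the guard nsoda = 0 ∧ nbeer = 0 doing its job. Increasing max grows the state space quadratically, while an unbounded counter would make the unfolding fail to terminate, which is why the remark about finite versus infinite domains matters in practice.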