Modelling Concurrent Systems
Definition 2.42. Synchronous Product
2.3 The State-Space Explosion Problem
The previous two sections have shown that various kinds of systems can be modeled using transition systems. This applies to program graphs, which represent data-dependent systems, and to hardware circuits. Different communication mechanisms can be modeled in terms of appropriate operators on transition systems. This section considers the cardinality of the resulting transition systems, i.e., the number of states in these models. Verification techniques are based on systematically analyzing these transition systems, and the runtimes of such verification algorithms are mainly determined by the number of states of the transition system to be analyzed. For many practical systems, the state space is extremely large, and this is a major limitation for state-space search algorithms such as model checking. Chapter 8, Section 6.7, and Chapter 7 introduce a number of techniques to combat this problem.
Program Graph Representation Transition systems generated by means of “unfolding” a program graph may be extremely large, and in some cases (e.g., if there are infinitely many program locations, or variables with infinite domains) even have infinitely many states. Consider a program graph over the set of variables Var with x ∈ Var.
Recall that states of the unfolded transition system are of the form ⟨ℓ, η⟩ with location ℓ and variable evaluation η. If all variables in Var have a finite domain, such as bits or bounded integers, and the number of locations is finite, the number of states in the transition system is

$$|Loc| \cdot \prod_{x \in Var} |dom(x)|.$$
The number of states thus grows exponentially in the number of variables in the program graph: for N variables, each with a domain of k possible values, the number of states grows up to $k^N$ (per location). This exponential growth is also known as the state-space explosion problem.
It is important to realize that even for simple program graphs with just a small number of variables, this bound may already be rather excessive. For instance, a program graph with ten locations, three Boolean variables, and five bounded integers (each with domain {0, . . . , 9}) has $10 \cdot 2^3 \cdot 10^5 = 8{,}000{,}000$ states. If a single bit array of 50 bits is added to this program graph, this bound grows to $8{,}000{,}000 \cdot 2^{50}$, i.e., roughly $9 \cdot 10^{21}$ states! This observation clearly shows why the verification of data-intensive systems (with many variables or complex domains) is extremely hard. Even if there are only a few variables in a program, the state space that must be analyzed may be very large.
If dom(x) is infinite for some x ∈ Var, as for reals or (unbounded) integers, the underlying transition system has infinitely many states, as there are infinitely many values for x. Such program graphs usually yield undecidable verification problems. This is not to say, however, that verification is undecidable for every transition system with an infinite state space.
It should be remarked that not only the state space of a transition system, but also the number of atomic propositions used to represent program graphs (see Definition 2.15, page 34) may in principle be extremely large. Moreover, any location and any condition on the variables of the program graph is allowed as an atomic proposition. In practice, however, only a small fragment of the possible atomic propositions is needed. An explicit representation of the labeling function is usually not necessary, as the truth values of the atomic propositions are typically derived from the state information. For these reasons, the number of atomic propositions plays only a secondary role.
For sequential hardware circuits (see page 26), states in the transition system are determined by the possible evaluations of the input variables and the registers. The size of the transition system thus grows exponentially in the number of registers and input variables: for N input variables and K registers, the total state space consists of $2^{N+K}$ states.
Parallelism In all variants of parallel operators for transition systems and program graphs, the state space of the complete system is built as the Cartesian product of the local state spaces $S_i$ of the components. For example, for the state space S of the transition system

$$TS = TS_1 \,|||\, \ldots \,|||\, TS_n$$

we have $S = S_1 \times \ldots \times S_n$, where $S_i$ denotes the state space of transition system $TS_i$. The parallel composition of a system with n states and a system with k states thus yields $n \cdot k$ states, and the total state space S is of cardinality

$$|S_1| \cdot \ldots \cdot |S_n|.$$

The number of states in S thus grows (at most) exponentially in the number of components: the parallel composition of N components of size k each yields $k^N$ states. Even for small parallel systems this may easily run out of control.
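To make the two bounds above concrete, here is an added Python example (not code from the book). It encodes a small two-location program graph, `counter`, constructed for this illustration, unfolds it into its transition system by breadth-first search, and interleaves N disjoint copies of it; `unfold`, `interleave`, `state_bound` and the edge representation (source, guard, effect, target) are our own conventions. It computes both the bound $|Loc| \cdot \prod_{x \in Var} |dom(x)|$ from the program-graph paragraph and the number of states that are actually reachable, for growing N.

```python
"""Added example: unfold a program graph into its transition system and
interleave N copies, comparing reachable states with the bounds in the text.
Not code from the book; all names are our own."""
from collections import deque
from itertools import product
from math import prod


def counter(name, k=4):
    """A toy program graph (constructed for this example): two locations and
    one variable x<name> over {0, ..., k-1}.  From l0 it may increment x if
    x < k-1; from l1 it either returns to l0 or, when x has reached k-1,
    resets x to 0.  Guards and effects are callables over the evaluation eta."""
    x = f"x{name}"
    return {
        "loc": ["l0", "l1"],
        "loc0": "l0",
        "dom": {x: range(k)},
        "eta0": {x: 0},
        # edges: (source, guard, effect, target)
        "edges": [
            ("l0", lambda e: e[x] < k - 1, lambda e: {**e, x: e[x] + 1}, "l1"),
            ("l1", lambda e: True, lambda e: e, "l0"),
            ("l1", lambda e: e[x] == k - 1, lambda e: {**e, x: 0}, "l0"),
        ],
    }


def state_bound(pg):
    """|Loc| * prod_{x in Var} |dom(x)|: the bound on the number of states
    of the unfolded transition system given in the text."""
    return len(pg["loc"]) * prod(len(d) for d in pg["dom"].values())


def unfold(pg):
    """Breadth-first unfolding: the set of <loc, eta> states reachable from
    the initial location and evaluation.  Evaluations are stored as sorted
    item tuples so that they are hashable."""
    def freeze(eta):
        return tuple(sorted(eta.items()))

    init = (pg["loc0"], freeze(pg["eta0"]))
    seen, todo = {init}, deque([init])
    while todo:
        loc, eta_items = todo.popleft()
        eta = dict(eta_items)
        for src, guard, effect, dst in pg["edges"]:
            if src == loc and guard(eta):
                eta2 = effect(eta)
                # an effect must keep every variable inside its declared domain
                assert all(eta2[v] in pg["dom"][v] for v in eta2)
                nxt = (dst, freeze(eta2))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen


def interleave(pgs):
    """PG_1 ||| ... ||| PG_n for program graphs with pairwise disjoint
    variables: locations are tuples, and in each step exactly one component
    takes one of its edges while the others keep their location."""
    edges = []
    for i, pg in enumerate(pgs):
        others = [q["loc"] for j, q in enumerate(pgs) if j != i]
        for src, guard, effect, dst in pg["edges"]:
            for ctx in product(*others):
                edges.append((ctx[:i] + (src,) + ctx[i:], guard, effect,
                              ctx[:i] + (dst,) + ctx[i:]))
    return {
        "loc": list(product(*(pg["loc"] for pg in pgs))),
        "loc0": tuple(pg["loc0"] for pg in pgs),
        "dom": {x: d for pg in pgs for x, d in pg["dom"].items()},
        "eta0": {x: v for pg in pgs for x, v in pg["eta0"].items()},
        "edges": edges,
    }


def explosion_table(n_max=4, k=4):
    """(N, reachable states, bound) for N interleaved k-valued counters."""
    rows = []
    for n in range(1, n_max + 1):
        pg = interleave([counter(i, k) for i in range(n)])
        rows.append((n, len(unfold(pg)), state_bound(pg)))
    return rows


if __name__ == "__main__":
    for n, reach, bound in explosion_table():
        print(f"N={n}: {reach} reachable of {bound} possible states")
```

Because the copies share no variables, the reachable part of the interleaving is the Cartesian product of the components' reachable parts: 7 states for a single counter (the pair ⟨l1, 0⟩ is never reached), hence $7^N$ in general, against the bound $8^N$. The reachable set is smaller than the bound but grows with the same exponent, which is the point of this section: at N = 4 only 2,401 of 4,096 states are reachable, and a fifth counter already makes the search visit almost 17,000 states.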
Additionally, the variables (and their domains) represented in the transition system essentially influence the size of the state space. If one of the domains is infinite, then the state space is infinitely large. If the domains are finite, then the size of the state space grows exponentially in the number of variables (as we have seen before for program graphs).
The “exponential blowup” in the number of parallel components and the number of variables explains the enormous size of the state space of practically relevant systems. This observation is known under the heading state explosion and is further evidence that verification problems are particularly space-critical.
Channel Systems For the size of transition systems of channel systems, similar observations can be made as for the representation of program graphs. An important additional component for these systems is the size of the channels, i.e., their capacity. Clearly, if one of these channels has an infinite capacity, this may yield infinitely many states in the transition system. If all channels have finite capacity, however, the number of states is bounded in the following way. Let $CS = [PG_1 \,|\, \ldots \,|\, PG_n]$ be a channel system over $Var = Var_1 \cup \ldots \cup Var_n$ and channels Chan. The state space of CS is of cardinality

$$\prod_{i=1}^{n} |PG_i| \cdot \prod_{c \in Chan} |dom(c)|^{cp(c)},$$

which can be rewritten as

$$\prod_{i=1}^{n} \Bigl( |Loc_i| \cdot \prod_{x \in Var_i} |dom(x)| \Bigr) \cdot \prod_{c \in Chan} |dom(c)|^{cp(c)}.$$

For L locations per component, K bit channels of capacity k each, and M variables x with $|dom(x)| = m$ each, the total number of states in the transition system is $L^n \cdot m^M \cdot 2^{K \cdot k}$. This is typically enormous.
Example 2.44. State-Space Size of the Alternating Bit Protocol
Consider a variant of the alternating bit protocol (see Example 2.32, page 57) where the channels c and d have a fixed capacity, 10 say. Recall that along channel d, control bits are sent, and along channel c, data together with a control bit. Let us assume that data items are also simply bits. The timer has two locations, the sender eight, and the receiver six. As there are no further variables, we obtain that the total number of states is $2 \cdot 8 \cdot 6 \cdot 4^{10} \cdot 2^{10}$, which equals $3 \cdot 2^{35}$. This is around $10^{11}$ states.
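As an added check on this example and on the closed form $L^n \cdot m^M \cdot 2^{K \cdot k}$ above (example code, not the book's), the following Python evaluates the channel-system bound and confirms the value $3 \cdot 2^{35}$. It also counts channel contents exactly: the factor $|dom(c)|^{cp(c)}$ counts only full channels, whereas a FIFO channel of capacity cp(c) may hold anywhere between 0 and cp(c) items. That refinement is our observation, and the function names are our own.

```python
"""Added example: evaluate the state-space bound for channel systems and
compare it with an exact count of channel contents.  Not code from the
book; function names are our own."""
from math import prod


def channel_system_bound(locs, doms, chans):
    """The cardinality given in the text:
        prod_i |Loc_i| * prod_x |dom(x)| * prod_c |dom(c)|^cp(c).
    locs  : |Loc_i| for every component i
    doms  : |dom(x)| for every variable x (over all components)
    chans : (|dom(c)|, cp(c)) for every channel c"""
    return prod(locs) * prod(doms) * prod(d ** cp for d, cp in chans)


def fifo_contents(d, cp):
    """Number of distinct contents of a FIFO channel of capacity cp over an
    alphabet of size d.  The buffer may hold anything between 0 and cp
    items, so this is sum_{j=0}^{cp} d^j, whereas the factor d^cp in the
    text counts only full buffers (our observation, not the book's)."""
    return sum(d ** j for j in range(cp + 1))


def channel_system_exact(locs, doms, chans):
    """Same as channel_system_bound, but with every possible channel
    content counted, not just the full ones."""
    return (prod(locs) * prod(doms)
            * prod(fifo_contents(d, cp) for d, cp in chans))


def bit_channel_bound(L, n, m, M, K, k):
    """The closed form from the text, L^n * m^M * 2^(K*k): n components with
    L locations each, M variables with m values each, K bit channels of
    capacity k."""
    return channel_system_bound([L] * n, [m] * M, [(2, k)] * K)


def alternating_bit_protocol(cp=10):
    """Example 2.44: timer (2 locations), sender (8), receiver (6); channel c
    carries a data bit plus a control bit (4 values), channel d a control
    bit (2 values); both channels have capacity cp.  Returns (bound, exact)."""
    locs, doms, chans = [2, 8, 6], [], [(4, cp), (2, cp)]
    return (channel_system_bound(locs, doms, chans),
            channel_system_exact(locs, doms, chans))


if __name__ == "__main__":
    bound, exact = alternating_bit_protocol()
    print(f"bound from the text: {bound}, equal to 3 * 2^35: {bound == 3 * 2**35}")
    print(f"all channel contents counted: {exact} (about {exact:.1e})")
```

For each channel the exact count exceeds the factor $|dom(c)|^{cp(c)}$ by less than $|dom(c)| / (|dom(c)| - 1)$, so for the alternating bit protocol the exact number of states is about $2.7 \cdot 10^{11}$ and the order of magnitude stated in the example stands.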