# IIPF for the relation the-sum-is pair in Example 4.2.1

From the document Symbolic model-checking with Set Rewriting (Page 52-0)


### 4.1 IIPF for the relation the-sum-is pair in Example 4.2.1

[Figure 4.1 – IIPF for the relation the-sum-is pair in Example 4.2.1. The diagram is a DAG with nodes labeled A, B and C, edges labeled {1,3}, {2,4}, {1} and {2}, and terminals 0 and 1.]

However, there is an open question: is the encoding unique? A unique encoding greatly improves the performance of the implementation. Luckily, the answer to this question is yes. In Theorem 4.2.1 we state that the encoding into IIPFs is unique.

Theorem 4.2.1 (Unicity of IIPF encoding) Let $f, g \in \Delta_{D_1,\dots,D_n}$ and $R \subseteq D_1 \times \cdots \times D_n$ an n-ary relation. If $f$ and $g$ encode $R$, then $f = g$.

Proof 4.2.1 (Unicity of IIPF encoding) Let us prove the theorem by induction over n, the length of the n-ary relation. The set of IIPFs contains by definition only IPFs that encode an n-ary relation. If the unicity condition is true, then encoding is a lattice isomorphism.

Base case For n = 1 we have just a set. The functions being injective (because they are IPFs) with only one possible image (by Example 4.2.1), there is only one possible value in the domain: the set being encoded. Thus, f = g.

Chapter 4. Σ Decision Diagrams

Inductive step We suppose the theorem is true for n ≤ m−1 and prove it for n = m.

Since the theorem is true for n ≤ m−1 (by the induction hypothesis), it is true for the co-domain. The co-domain is then isomorphic to the power set of $D_2 \times \cdots \times D_n$. Knowing that, we can use the same argument that we used in the proof of Theorem 4.1.1.

Corollary 4.2.1 IIPF encoding is a lattice isomorphism.

The IIPFs are also a lattice since they are just plain IPFs. Based on the injective partitioned functions, we can formalize and strongly type the Hierarchical Set Decision Diagrams [CTM05].

As in SDDs we can also introduce a graphical notation for the IIPFs. Graphically, we represent an IIPF by a DAG (Directed Acyclic Graph). Each node of the graph and its outgoing edges represent a function. The node is labeled with the encoded relation’s domain name, and each outgoing edge is labeled with an element of the domain of the function, i.e., a subset of the encoded relation’s domain. We can see an example of this notation in Section 4.2.
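The canonical form behind Theorem 4.2.1, as an added Python example (not code from the thesis): values with equal encoded tails are merged under one edge label, so two encodings of the same relation are structurally equal. The sample relation and its domains A = {1..4}, B = {1..3}, C = {1,2} are assumptions read off the edge labels of Figure 4.1, taking "the-sum-is pair" to mean that the sum is even; all function names are illustrative.

```python
from itertools import product

ONE, ZERO = "1", "0"  # terminals: {()} and the empty relation (lower bound)

def encode(relation):
    """Encode a set of equal-length tuples as an IIPF.

    A node is a frozenset of (edge_label, child) pairs. Edge labels are
    frozensets of first-component values; they partition the values that
    occur, and distinct labels lead to distinct children (injectivity).
    """
    relation = set(relation)
    if not relation:
        return ZERO
    if all(len(t) == 0 for t in relation):
        return ONE
    tails = {}                              # first value -> set of tails
    for head, *rest in relation:
        tails.setdefault(head, set()).add(tuple(rest))
    by_child = {}                           # encoded tail -> values sharing it
    for value, rest in tails.items():
        by_child.setdefault(encode(rest), set()).add(value)
    return frozenset((frozenset(vals), child) for child, vals in by_child.items())

def decode(node):
    """Inverse of encode: the set of tuples an IIPF stands for."""
    if node == ZERO:
        return set()
    if node == ONE:
        return {()}
    return {(v,) + tail
            for label, child in node
            for v in label
            for tail in decode(child)}

def nodes(node, seen=None):
    """Distinct non-terminal nodes reachable from node (shows the DAG sharing)."""
    seen = set() if seen is None else seen
    if isinstance(node, frozenset) and node not in seen:
        seen.add(node)
        for _label, child in node:
            nodes(child, seen)
    return seen

# Constructed sample: triples over A x B x C whose sum is even
# (domains are an assumption taken from the edge labels of Figure 4.1).
SUM_IS_EVEN = {(a, b, c)
               for a, b, c in product(range(1, 5), range(1, 4), range(1, 3))
               if (a + b + c) % 2 == 0}

if __name__ == "__main__":
    root = encode(SUM_IS_EVEN)
    print(sorted(sorted(label) for label, _ in root))   # edge labels at node A
    print(len(nodes(root)), "nodes;", len(decode(root)), "tuples")
```

Because nodes are plain frozensets, `encode(R) == encode(R2)` holds exactly when `R == R2`, which is the property the theorem states as f = g.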

Now, we have defined the lattice of IIPFs, but as they are defined in Def. 4.1.5 their expressivity is limited. In fact, the lattice is only defined given a profile, i.e., we cannot have IIPFs encode sets of heterogeneous n-ary relations, e.g., encode an n-ary and an (n+1)-ary relation in the same IIPF. But this problem is easily solvable: we just have to create the union of the lattices, in a way that they stay lattices. In Def. 4.2.3 we define such a union.

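Definition 4.2.3 (Union of two IIPF lattices) Given two IIPF lattices $\Delta_{D_1,\dots,D_n}$ $(= \mathcal{L})$ and $\Delta_{D'_1,\dots,D'_m}$ $(= \mathcal{K})$ s.t. $D_1 \cap D'_1 = \emptyset$ and $\Delta_{D_2,\dots,D_n} \cap \Delta_{D'_2,\dots,D'_m} = \emptyset$. The lattice of the union of the two, noted $\mathcal{L} \uplus \mathcal{K}$ $(= \mathcal{M})$, is the lattice defined as $\langle M, \cup_M, \cap_M, 0_M, 1_M \rangle$.

The operations are defined as follows. Let $L$ (resp. $K$) the carrier set of $\mathcal{L}$ (resp. $\mathcal{K}$), and $f, f' \in L$ and $g, g' \in K$

• $f \cup_M f' = f \cup f'$ and $g \cup_M g' = g \cup g'$, respectively for the $\cap_M$.

• $(f \cup_M g)(x) = \begin{cases} f(x), & \text{if } x \in D_1 \\ g(x), & \text{if } x \in D'_1 \end{cases}$

• $(f \cup_M g) \cup_M (f' \cup_M g') = (f \cup f') \uplus (g \cup g')$.

• $f \cap_M f' = 0_M$, if $f \cap f' = 0_K$, and $g \cap_M g' = 0_M$, if $g \cap g' = 0_L$

• $f \cap_M g = 0_M$

• The carrier set is $M = L \setminus \{0_L\} \cup K \setminus \{0_K\} \cup \{f \cup_M g \mid f \in K \text{ and } g \in L\} \cup \{0_M\}$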

The result of the $\uplus$ operation is not an IIPF lattice to which we can assign a profile. For example, if we say that the type of the result is $\Delta(\mathcal{P}(D_1 \cup D'_1), \Delta_{D_2,\dots,D_n} \uplus \Delta_{D'_2,\dots,D'_m})$ we would be losing the association between domains and images, since we could have functions with domain in $\mathcal{P}(D_1)$ mapping to values in the set $\Delta_{D'_2,\dots,D'_m}$, which is not possible in the original setting. The goal of this union is to preserve typing, i.e., preserve the association of domains with images. The association of domains and images allows us to know the profile of the branch of the IIPF just by knowing the value that takes us to that branch (remember that IIPFs created with Def. 4.2.3 might not have a unique profile). It is worth noting that this new structure is also a Boolean lattice which is isomorphic to the power set $\mathcal{P}(X)$ for some set $X$. We note also that the new carrier set has taken away the bottom elements of the two initial lattices, since the new lattice has a new unique bottom element $0_M$.

The union of two IIPF lattices can be easily extended to do the union of several IIPF lattices, as long as the conditions stated in Def. 4.2.3 are met. In particular, all the domains (resp. co-domains) must be pairwise disjoint; the other details are left as an exercise to the reader.

### 4.3 Encoding Terms

Terms and term rewriting are widely used in model checking. Model checkers manipulate billions of terms to describe the states and transitions of systems. We plan to leverage the efficient encoding that we have for n-ary relations to encode terms.

In Section 4.2, we have seen a framework that helps defining functions that are canonical and injective up to the partitioning of their domain. These functions characterize well the strong typing of operations in terms. Then we defined in Def. 4.2.3 a union of IIPF lattices to allow us to have a new set of functions that keep the strong typing while allowing us to have different profiles. Now, using the IIPFs we can define the ΣDDs.

The line of reasoning for this section is as follows. We first use the notion of Order-Sorted Algebra (OSA) to define a structure based on IPFs and IIPFs: the ΣDDs. OSA is defined in detail in Section 3.2. Subsequently, we prove that the set of ΣDDs is a lattice. Then we proceed with terms as we did with IPFs and IIPFs: we first define an encoding and then prove that this encoding is unique.

The idea behind ΣDDs is to encode sets of terms. In the first place, we define them basing ourselves on the same signature that we used to define terms. We later explain the link between sets of terms and ΣDDs. A ΣDD is a pair composed of a sort s ∈ Sort and an IIPF that we note σ. We define it inductively in Def. 4.3.1.

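Definition 4.3.1 (ΣDD) Let $\Sigma = \langle S, \le, F \rangle$ be a signature defined in Def. 3.2.1 and $X$ be a set of variables. The set of ΣDD consists of a family noted $(\Sigma DD_{\Sigma,X,s})_{s \in S}$ over $\Sigma$ and $X$. Each set $\Sigma DD_s$ is defined as the limit of $\Sigma DD^n_s$ when $n \to \infty$, where $\Sigma DD^n_s$ is defined by:

• $\forall n \in \mathbb{N} : \forall s \in S :$

– $\Sigma DD^n_s = \bigcup_{s' \le s} \bigcup_{i=0}^{n} SIGDD^i_{s'}$, with

– $SIGDD^0_s = \Delta_{F_{,s} \cup X_s}$

– $SIGDD^n_s = \biguplus_{F_{s_1,\dots,s_n,s} \in F} \Delta(\mathcal{P}(F_{s_1,\dots,s_n,s}), \Delta_{\Sigma DD^{n-1}_{s_1},\dots,\Sigma DD^{n-1}_{s_n}})$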

Remark 4.3.1 Similarly to terms, a ΣDD in which a variable occurs at most (resp. more than) one time is said to be (resp. non) linear.

By using the Boolean signature example of Section 3.2 let us generate some ΣDDs from the definition to understand it better. We suppose that the set of variables is empty. We present the ΣDDs deriving from this signature up to n = 1.

$$\Sigma DD^0_{bool} = SIGDD^0_{bool} = \Delta_{F_{,bool} \cup X_{bool}} = \left\{\; bool \xrightarrow{\{true\}|\{false\}|\{true,false\}} 1,\;\; bool \xrightarrow{\{true,false\}} 0 \;\right\}$$

To compress the representation we use the following notation: The edges’ labels contain the separator “|” like in {true}|{false}|{true,false} to denote that the arc can be labeled with one of those three elements. For the latter example that means that the first element represents three elements of the set. The last element of the set is the lower bound (encodes the empty relation). For n = 1 the set of ΣDDs is the following:

ΣDD1bool =

bool) is left as exercise to the reader (Hint: It contains 3 elements as the set $\Sigma DD^0_{bool}$.) The set $\Delta(\{and\}, \Delta_{\Sigma DD^0_{bool},\Sigma DD^0_{bool}})$ contains 16 elements. We present 15 elements here (we omit the lower bound):

∆({and},∆ΣDD0

The set created by the union plus is too big to be represented here. The elements of that set are the elements of all previous sets and all the possible unions among them.

For the sake of the example, an element of $\Delta_{F_{,bool} \cup X_{bool}} \uplus \Delta(\{and\}, \Delta_{\Sigma DD^0_{bool},\Sigma DD^0_{bool}})$ can be seen in Fig. 4.2.

To make the link between ΣDDs and terms we need to develop a theory to encode sets of terms. A naive approach is to use IIPFs directly to encode n-ary relations where the domain is the set of terms. However, this approach does not solve the problem of encoding sets of terms, since the domain of the IIPFs is the power set of terms itself. At this point we need an encoding that efficiently encodes sets of terms and not n-ary relations. Let us suppose that such an encoding exists. Using this encoding it is very easy to reuse our IIPF framework to have an efficient encoding for n-ary relations of terms: we just encode the domain elements of the IIPF using this encoding.

In Def. 4.3.2 we define an encoding for n-ary relations of terms where f is an encoding for sets of terms.

Definition 4.3.2 (Encoded relation of terms) Let L a lattice s.t. L P(TΣ,X), f : P(TΣ,X) → L a lattice morphism, R an n-ary relation of terms and h an IIPF encoding R. The encoded relation using f for R (noted $h_f$) is the IIPF $h_f : L \to \Delta_{L,\dots,L}$ s.t.

Def. 4.3.2 is very general and puts all the load of the encoding on a function f that is not yet defined. In Def. 4.3.3 we define a specific encoding for sets of terms. It defines clearly what it means for a set of terms to be encoded by some ΣDD. As terms are defined recursively, the encoding is also defined recursively. The recursivity of the encoding is made explicit by the function $h_{enc}$. The function h encodes an n-ary relation of terms using the same encoding being defined. The base case is the case of constants and variables. To ease the understanding of the notion, the definition is followed by an example showing the encoding (Example 4.3.1).

Notation For ΣDDs we also use the graphical notation that we introduced in Section 4.2 for the IIPFs. The names of the sets on the nodes are however replaced by the name of the sort.

To draw ΣDDs we use the same DD-like graphical notation that we used in Section 4.2. In this case the nodes are labeled with the sort of the given ΣDD and the arcs are labeled either with a set of function symbols or with a ΣDD. Example 4.3.1 illustrates clearly the representation and the notation.

Example 4.3.1 Let a, b, c be constants of sort t, let also f : t × t → s be a function and s, t be two sorts such that s ≤ t. Let us encode the following set of terms: {a, b, f(a, f(a,b)), f(b, f(a,b)), f(c, f(a,b))} using σ, a ΣDD. Let us write the mapping for σ:

σ : {f} ↦ δ1    δ11 ↦ δ2    δ22 ↦ 1

: {a,b} ↦ 1

σ1 : {a,b,c} ↦ 1

σ2 : {f} ↦ δ3    δ31 ↦ δ4    δ43 ↦ 1

σ3 : {b} ↦ 1

It is much easier to follow the representation in graphical notation in Fig. 4.3. In the figure, it is also easier to see the sharing. We can see not only the recursive nature of the structure (some arcs are labeled by ΣDDs) but also the sub-sorting relation. The ΣDD labeling an arc of a given sort can be of any of its sub-sorts.

[Figure 4.3 – Example of a ΣDD encoding five terms. Nodes are labeled with the sorts s and t; arcs are labeled {f}, {a,b}, {a,b,c} and {b}, or with a ΣDD.]

Since we need to manipulate sets of terms that are encoded, it is of vital importance to define a union and intersection operation for ΣDDs. We define such a union and intersection in Def. 4.3.4. The union and intersection are crafted to take into account the sub-sorting. Both operations are based on the union of the IIPFs. It is worth noting that the lower bound of the set {s : s ≥ s2 and s ≥ s2} is guaranteed by the regularity of the signature [GM92].

Definition 4.3.4 (Union and intersection of ΣDDs) Let $\sigma_1 \in \Sigma DD_{s_1}$, $\sigma_2 \in \Sigma DD_{s_2}$ be two ΣDDs and $s_3$ the lower bound of the set {s : s ≥ s2 and s ≥ s2}.

The unionσ1ΣDDσ2is defined by:

σ1ΣDDσ21σ2 ∈ΣDDs3

The intersectionσ1ΣDDσ2is defined by:

σ1ΣDDσ21σ2 ∈ΣDDs3

As we did earlier, we need to prove that the encoding that we defined is unique. This is done in Theorem 4.3.1. The structure of the theorem is the same as that of Theorem 4.1.1 and Theorem 4.2.1. The proof of Theorem 4.3.1 goes one step further and states that the lattice formed by ΣDDs and its operations is isomorphic to the lattice of the power set of terms. This conclusion is stated in Corollary 4.3.1.

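Theorem 4.3.1 (Unicity of ΣDD encoding) Let $\Sigma = \langle S, \le, F \rangle$ be a signature defined in Def. 3.2.1 and $X$ be a set of variables. Let $\tau \in \mathcal{P}((T_{\Sigma,X})_s)$ a set of terms of sorts $s_i$ s.t. $s_i \le s$. If $\sigma_1, \sigma_2 \in \Sigma DD_s$ encode $\tau$, then $\sigma_1 = \sigma_2$.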

Proof 4.3.1 (Unicity of ΣDD encoding) To prove unicity we prove a stronger result, that the encoding from the power set of terms to ΣDDs is a lattice isomorphism, i.e., for each set of terms $\tau$ of sort $s$ there is exactly one $\sigma \in \Sigma DD_s$ s.t. $enc(\tau) = \sigma$. Let us proceed by induction using the definition of the ΣDDs:

Base case Let n = 0, we have:

$$\Sigma DD^0_s = \bigcup_{s' \le s} SIGDD^0_{s'} = \bigcup_{s' \le s} \Delta_{F_{,s'} \cup X_{s'}}$$

By Corollary 4.2.1 it is isomorphic to the set $F_{,s'} \cup X_{s'}$.

Induction step Let us suppose the theorem true for all n ≤ m−1. We prove it for n = m. Let us consider the expression $\Delta(\mathcal{P}(F_{s_1,\dots,s_n,s}), \Delta_{\Sigma DD^{n-1}_{s_1},\dots,\Sigma DD^{n-1}_{s_n}})$ from Def. 4.3.1.

By the induction hypothesis and Corollary 4.2.1 we can say that the set $\Delta_{\Sigma DD^{n-1}_{s_1},\dots,\Sigma DD^{n-1}_{s_n}}$ is isomorphic to the power set of an n-ary relation of terms. By Theorem 4.1.1 and the fact that IPFs by definition encode some binary relation, the whole expression is isomorphic to the lattice of the power set of terms. Since the $\biguplus$ operation preserves the lattice structure, the whole set of ΣDDs is isomorphic to $\mathcal{P}(T_{\Sigma,X,s})$.

Corollary 4.3.1 The lattice of ΣDDs is isomorphic to $\mathcal{P}(T_{\Sigma,X,s})$.

### 4.4 Operations

Hostettler [Hos11] presents a homomorphic operation to describe rewriting of sets. We have found that being homomorphic is not a necessary condition. Thus, we present here a simpler operation to rewrite sets of terms encoded as ΣDDs.

The goal of our operation is to have an efficient way to rewrite the sets of terms of a ΣDD. To do this we exploit the sharing in the structure. The main idea is that instead of rewriting one term at a time we rewrite several at the same time. For example, sometimes several terms are all subterms of another term (or several terms). In the structure, this sharing is made explicit. Also, the shared subterms are easily manipulable because they are encoded by the instance of the same structure. Thus, one can do a substitution on several terms at the same time. Our goal is to create an operation that uses that property and that also resembles some existing operation on terms.

Our operation simulates the application of a rewrite rule on a set of terms. We propose an operation parametrized by a rewrite rule. However, the nature of ΣDDs imposes an important restriction on the rules we can treat efficiently. Indeed, the rules handled by our ΣDD operation are only linear rewrite rules, i.e., rules where each variable appears at most once on each side. The problem with non-linear rules is that they force us to break the ΣDD. As we have seen earlier, the compression of ΣDDs is in the encoding of Cartesian products, which are represented just by the sets that compose them. Non-linear rules force the rewriting algorithm to break that compression and recreate it again.

To simplify the definitions of the rewrite operations we split it in two. First we present the matching operation in Def.4.4.1, then the rewrite step in Def.4.4.2.

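Definition 4.4.1 (Match operation) Let ΣDD the set of ΣDDs generated by the signature Σ, Θ is the set of all possible substitutions and each substitution is a function θ : X → ΣDD, X a set of variables, and $t \in T_{\Sigma,X}$. We formally define the semantics of the match function using the following mutually recursive functions.

$$match_t : \Sigma DD \mapsto \mathcal{P}(\Theta)$$

$$match_x : \sigma \mapsto \{\{x \mapsto \sigma\}\}$$

$$match_{f(t_1,\dots,t_n)} : \sigma \mapsto \begin{cases} mIIPF_{t_1,\dots,t_n}(\sigma(k)), & \text{if } k \cap \{f\} \neq \emptyset \wedge k \in Dom(\sigma) \\ fail, & \text{otherwise} \end{cases}$$

$$mIIPF_{t_1,\dots,t_n} : \biguplus_{F_{s_1,\dots,s_n,s} \in F} \Sigma DD_{s_1},\dots,\Sigma DD_{s_n} \mapsto \mathcal{P}(\Theta)$$

$$mIIPF_{t_1,\dots,t_n} : \psi \mapsto \{\theta \mid k \in Dom(\psi) \wedge \theta_1 \in match_{t_1}(k) \wedge \theta_2 \in mIIPF_{t_2,\dots,t_n}(\psi(k)) \wedge \theta_1 \neq fail \wedge \theta_2 \neq fail \wedge \theta = \theta_1 \cup \theta_2\}$$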

The match operation is equivalent to the match operation in term rewriting. The main difference is that the simple term rewriting matching returns one substitution, while ours returns a set of matching ΣDD substitutions. We return a set of substitutions instead of just one big substitution because each substitution corresponds to a matching path in the ΣDD. ΣDD substitutions are also different from standard substitutions. Standard substitutions are a mapping from variables to terms; ΣDD substitutions are mappings from variables to ΣDDs. Another big difference is that the standard match operation returns substitutions that can be applied to different positions in the terms. Our matching operation only matches the rule on the root term of the ΣDD.

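Definition 4.4.2 (Rewrite Step) We formally define the semantics of a ΣDD rewrite step as the following partial function:

$$rew_{l \rightsquigarrow r} : \Sigma DD \mapsto \Sigma DD$$

$$rew_{l \rightsquigarrow r} : \sigma \mapsto \begin{cases} \bigcup_{\theta \in match_l(\sigma)} enc(r)\theta, & \text{if } \theta \neq \emptyset \\ fail, & \text{otherwise} \end{cases}$$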

Given the matching, the definition of a ΣDD rewrite step is straightforward. In Def. 4.4.2, the rewrite step is presented as a partial function. We use partial functions because they naturally model a transition that cannot be fired in a transition system.

We conclude this section by showing two examples of the application of the rewrite step partial function to a set of terms.

Example 4.4.1 Rewriting a set of terms with the rew operation.

$rew_{not(true) \rightsquigarrow false}$

Example 4.4.1 illustrates the main characteristics of our rewrite step operation. First, the two terms that use the functor *and* disappear. Although this effect may seem strange, it is completely normal. Indeed, our goal is to simplify the rewrite operation as much as possible and in the next chapter we propose a rich framework based on this simple operation. Second, the subterm not(false) of the last term was not rewritten. This is because we only rewrite at the root. It is also worth noting that this example returns a set containing only the empty substitution. This is because the rule does not contain any variables.

For our second example, we apply another rule to the same set presented in Example 4.4.1.

Example 4.4.2 Rewriting a set of terms with the rew operation with the substitution returning a set of terms. In Example 4.4.2 the match operation returns a set containing only the following substitution: θ = {x ↦ {false, not(false)}}. This is because this ΣDD only has one branch where the rule matches.

Finally, we present an example where we return more than one substitution.

Example 4.4.3 Rewriting a set of terms with the rew operation and the substitution returning a set of substitutions. In Example 4.4.3, we have a rule that exchanges both subterms. The ΣDD is represented earlier in Section 4.3 and it has two branches. Thus, the resulting set of substitutions is {{x ↦ {true}, y ↦ {false}}, {x ↦ {false}, y ↦ {true}}}.
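The match and rewrite step of Def. 4.4.1 and Def. 4.4.2, as an added Python example (not code from the thesis). Assumptions: a ΣDD is a tuple of (symbol set, child) edges, an IIPF is a tuple of (ΣDD, child) edges ending in the terminal 1, variables are plain strings, fail is the empty list (match) or None (rew), and rew returns the decoded set of terms instead of re-encoding the union as a ΣDD; the sample ΣDD is constructed.

```python
from itertools import product

ONE = "1"  # terminal of an IIPF path

def terms(sdd):
    """Decode a ΣDD into the set of terms it stands for."""
    return {(f, *args) for symbols, child in sdd
            for args in arg_tuples(child) for f in symbols}

def arg_tuples(iipf):
    """Decode an IIPF whose edge labels are ΣDDs into argument tuples."""
    if iipf == ONE:
        return {()}
    return {(a, *rest) for label, child in iipf
            for a in terms(label) for rest in arg_tuples(child)}

def match(pattern, sdd):
    """Def. 4.4.1: substitutions (variable -> ΣDD) matching at the root only."""
    if isinstance(pattern, str):               # variable x gives {{x -> sdd}}
        return [{pattern: sdd}]
    f, *subpatterns = pattern
    for symbols, child in sdd:                 # labels are disjoint: one hit at most
        if f in symbols:                       # f matches the whole edge holding it
            return m_iipf(subpatterns, child)
    return []                                  # fail

def m_iipf(patterns, iipf):
    """One substitution per matching path; linear rules keep the unions disjoint."""
    if not patterns or iipf == ONE:
        return [{}] if not patterns and iipf == ONE else []
    return [{**t1, **t2} for label, child in iipf
            for t1 in match(patterns[0], label)
            for t2 in m_iipf(patterns[1:], child)]

def instantiate(term, theta):
    """Terms denoted by the right-hand side under a ΣDD substitution."""
    if isinstance(term, str):
        return terms(theta[term])
    f, *args = term
    return {(f, *combo) for combo in product(*(instantiate(a, theta) for a in args))}

def rew(lhs, rhs, sdd):
    """Def. 4.4.2 as a partial function: None when the rule cannot fire."""
    thetas = match(lhs, sdd)
    if not thetas:
        return None
    return set().union(*(instantiate(rhs, theta) for theta in thetas))

# Constructed sample encoding {and(true,false), and(false,true), not(true)}.
TRUE = ((frozenset({"true"}), ONE),)
FALSE = ((frozenset({"false"}), ONE),)
SAMPLE = (
    (frozenset({"and"}), ((TRUE, ((FALSE, ONE),)), (FALSE, ((TRUE, ONE),)))),
    (frozenset({"not"}), ((TRUE, ONE),)),
)

if __name__ == "__main__":
    print(rew(("not", ("true",)), ("false",), SAMPLE))   # and-terms disappear
    print(match(("and", "x", "y"), SAMPLE))               # two paths, two substitutions
    print(rew(("true",), ("false",), SAMPLE))             # no match at the root
```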


### 4.5 Summary

In this chapter we have introduced the basic encoding of ΣDDs. We started by defining an encoding for binary relations, IPFs. This encoding was enriched to encode n-ary relations. For both encodings we provided the necessary proofs and theorems to ensure that their encodings were sound and complete.

Based on the encodings for n-ary relations we redefined ΣDDs. We defined what it means for a set of terms to be encoded by a ΣDD and defined operations to manipulate these sets of terms. We also provided a way to apply rewrite rules to sets of terms encoded as ΣDDs, the rew operation. We described in detail the $rew_{l \rightsquigarrow r}$ operation.

Our variant of the $rew_{l \rightsquigarrow r}$ operation is simpler than the one presented in [Hos11]. In particular, our operation is not homomorphic.

## Chapter 5

### Set rewriting

Set Rewriting (SR) is the core of our approach. Thanks to SR it is possible to use ΣDDs as a set of terms instead of as a DD. As we showed in Chapter 2, DDs are too low level and defining operations on ΣDDs can be a daunting task (cf. Def. 4.4.1).

The problem is that the original term rewriting approach is not designed around sets of terms, but just terms. Thus, we propose a framework to work on sets of terms using the available tooling from the term rewriting approach.

Our SR framework serves as a complete interface to ΣDDs. Using it one can
