Printer Friendly

Unified mathematical framework for slicing and symmetry reduction over event structures.

1. Introduction

Generally, to detect whether a finite execution trace of a distributed program satisfies a given predicate, namely, predicate detection (a kind of verification problems), is a fundamental problem in asynchronous distributed systems. It has applications in many domains such as testing, debugging, and monitoring of distributed programs and it is also a powerful runtime verification method.

Unfortunately, predicate detection is NP complete [1] and suffers from the excessive size of the state space and the state explosion problem--the number of possible global states of the program increases exponentially owing to simple combination.

To deal with this problem, several useful reduction techniques have been suggested in succession for reducing the state space in recent years, such as partial order reduction and symmetric reduction methods [2-4].

On the one hand, the basic observation is that many distributed or concurrent systems exhibit a certain degree of symmetry, for example, a system composed of identical or isomorphic components whose identities are interchangeable from a verification point of view. This kind of structural symmetry in the system is also reflected in the full state space of the system. The main idea behind the symmetry reduction method is to figure out this symmetry and obtain a condensed state space which is typically much smaller than the full state space, but from which the same kind of properties of the system can be derived without unfolding the condensed state space to the full state space. Thus, it can be used to verify any property of the original model.

On the other hand, a slice of a system with respect to a criterion is a subsystem that only contains all the states of the original system that satisfy this specification. The advantage of this technique lies in the fact that the detection is performed only on the small part of the global state space which is of interest. In many cases, the slice is exponentially smaller than the original. In order to tangle predicate detection problem, nonclassical slicing technique, named computation slicing, as an abstraction mechanism, inspired by the classical program slicing of Weiser [5, 6], was first proposed by Garg and Mittal [7].

For the majority predicate classes, the computation slicing algorithm has polynomial-time complexity and gains exponential reduction of state spaces. Computation slicing has been proved to be an efficient technique for pruning state space of predicate detection in distributed computation. Moreover, it has also been successfully applied to solve the problems of temporal properties verification in transaction level hardware descriptions such as PCI local bus protocol and the MSI (modified shared invalid) cache coherence protocol [6] in SoC (system on chip) systems and so forth.

Due to the restriction of partial order execution trace model [5, 8], this approach has some limitations. Firstly, it is a runtime checking method and only checks a single partial execution trace once. It is not easy to obtain 100% path coverage even though this detection is performed multiple times. Thus, it is not suitable for exhaustive analysis by reasoning about all possible execution of the system model. Secondly, its underlying model is partially ordered set and it is not expressive enough to handle these models with explicit choice structures or conflicts. Because all the runtime traces do not contain any conflict information, it is not convenient to analyze the system under construction statically.

In this paper, we extend the notion of computation slicing from partial order traces to prime event structures with conflict. We propose a more general event structure slicing notion and a complete mathematical theoretical framework for computing the event structure slices.

The main idea is that a prime event structure can be viewed as such a system model consisting of several conflict-free substructures. These substructures themselves are in mutual weak conflict. Any of such conflict-free event substructures of a prime event structure acts as a partial order execution trace which can be sliced by traditional computation slicing algorithm. Based on this idea, we propose a partition approach to decompose a prime event structure into a group of conflict-free substructures equivalently. Each of these substructures can be sliced with respect to a given slicing criterion by the existing slicing algorithm and we can get a set of the sliced substructures. We have proved that these sliced results can be composed together and yield a new prime event structure by a so-called weak choice composition operation. We have shown that the newly generated prime event structure is the slicing result of the original prime event structure. Meanwhile, based on above partition, we can detect structural symmetry property and make symmetric reduction on each substructure of the original system. In additional, we also investigate the relationship between the symmetric reduction model and the original one.

The main contribution of our work can be summarized as follows. We introduced the slicing notion into the area of event structure and extended nonclassical computation slicing with conflict. We also proposed a unified mathematical framework as a common theory basis for event structure slicing and symmetry reduction. We also made a comparison between our event structure slicing and the traditional computation slicing and demonstrated the mathematical aspects of this framework.

The rest of this paper is structured as follows. Related work is discussed in Section 2. Section 3 introduces the notion of event structure and other basic definitions. Section 4 describes two core operators over event strictures. Slicing reduction derived from computation slicing will be discussed in Section 5. Symmetry reduction theory based on permutation group is reported in Section 6. The overall mathematical framework for event structure slicing and symmetry reduction will be provided in Section 7. In the last section, we make a short summary of our work.

2. Related Work

Regarding the slicing technique, the work in [5, 6] proposed classical program slice idea firstly by Weiser. Given a program and a set of variables, a program slice consists of all statements in the program that may affect the value of the variables in the set at some given point.

During years after the program slice notion was proposed, a lot of work based on this notion had been performed. For example, in 1992, the notion of a slice has been also extended to distributed programs [9]. In 2000, the notion of a nonclassical computation slice, which is very similar to the concept of a program slice, has been proposed. In work [7,10], computation slice over partial order traces was firstly investigated by Garg and Mittal, de Bakker et al. This computation slice notion is based on partial order traces model, which is a special case of event structure without conflict.

Event structure, as an true concurrency model [1116], can be taken as an extension of partial order model. In concurrency theory, event structures constitute a major branch of concurrent models. These were initially developed as a link between Petri nets and Scott domain theory [17] and have since been extensively applied as a semantic model for process algebras, for example [18].

All the previous work [7,8,19,20] does not consider the case with conflict. Compared with them, our work is aimed to extend this slicing notion to the area of event structure.

On the other hand, as for symmetry reduction, the use of symmetry to reduce state space has been investigated widely by researchers. Technically speaking, symmetry in event structures [3, 4] is similar to symmetry in model checking [2, 21, 22]. In work [23], a category of event structures with symmetry was introduced and its categorical properties were investigated, while our work is relevant to the structural reduction via symmetry property over event structure model.

In our previous work [24], we have extended this technique to event structure area. In this paper, we will further investigate the common basis for both slicing and symmetry reduction over event structures and provide a unified framework.

3. Event Structure and Basic Definitions

In this section, we will introduce the notion of prime event structure [11, 17, 25, 26] and the basic definitions we use throughout the paper. The prime event structure is firstly defined and other related key notions are introduced. Moreover, we focus on finite prime event structures only.

Definition 1 (prime event structure). A prime event structure (over an alphabet A, a set of actions) is a 4-tuple structure (E, [??], #, l) with

(i) E, a finite set of events;

(ii) [??] [subset or equal to] E x E, a partial order, the causality relation, satisfying the principle of finite causes: for all e [member of] E : {e' [member of] E | e' [??] e} is finite and the inverse of [??] is denoted by [[??].sup.-1];

(iii) # [subset or equal to] E x E, the (irreflexive and symmetric) conflict relation, satisfying the principle of conflict inheritance: [for all]d, e, f [member of] E: d [??] e [conjunction] d#f [??] e#f;

(iv) l: E [right arrow] A, the action-labelling function.

A prime event structure (for short, an event structure) represents a system in the following way: the action names are activities which the system may perform, an event labelled a e A stands for a particular occurrence of an action, [e.sub.a] [??] [e.sub.b] indicates that a cannot occur before b has, and ecJed indicates that actions c and d can never occur together in one run.

The conflict inheritance property states that if an event e is in conflict with some event f, then it is in conflict with all causal successors of f.

From the causality relation, it is not difficult to derive a notion of causal independence:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (1)

Let E denote the domain of prime event structures labelled over A and 0 = (0, 0, 0, 0) stand for the empty event structure. Generally, the components of an event structure E will be denoted by [E.sub.E], [[??].sub.E], [#.sub.E], and [l.sub.E], respectively. More specifically, E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]). If clear from the context, the index will be omitted; that is, E = (E, [??], #, l) is also a valid form.

Additionally, for X [subset or equal to] [E.sub.E], the restriction of E to X can be defined as E[|.sub.X] = (X, [[??].sub.E] [intersection] (X x X), [#.sub.E] [intersection] (X x X), [l.sub.E][|.sub.x]). Let Succ(e) denote all causal successors of an event e; that is, Succ(e) = {a [member of] [E.sub.E] | e[[??].sub.E]a, e [member of] [E.sub.E]}.

Definition 2 (event substructure). Let E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]) [member of] E and E' = ([E.sub.E'], [[??].sub.E'], [#.sub.E'], [l.sub.E']) [member of] E be event structures; E' is called a substructure of E (denoted by E' [??] E) if and only if

(i) [E.sub.E'] [subset or equal to] [E.sub.E];

(ii) for all e, e' [member of] [E.sub.E], e[#.sub.E']e [??] e, e [member of] [E.sub.E'] [conjunction] e[#.sub.E]e';

(iii) for all [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Definition 3 (conflict-free event structure). An event structure E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]) [member of] E is called conflict-free event structure (denoted by cfES, for short) if and only if its conflict relation is empty; that is, [#.sub.E] = 0.

Let F denote the domain of conflict-free prime event structures.

In order to characterize the conflict relationship between two conflict-free event structures (or substructures of a prime event structure), we introduce the following basic definitions: strong conflict, weak conflict, and weak conflict event structure set (for short, weak conflict set).

Definition 4 (strong conflict). Let [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. The conflict relation between [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is called strong conflict if and only if for all e [member of] [E.sub.1], f [member of] [E.sub.2]: e#f, denoted by [E.sub.1][#.sup.s][E.sub.2]. [F.sub.1] and [F.sub.2] are called strong conflict if and only if their event sets are in mutually strong conflict, that is, for all [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], denoted by [F.sub.1][#.sup.s][F.sub.2].

More generally, for any [E.sub.1] [member of] E and [E.sub.2] [member of] E, the relation between nonempty [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is called extended strong conflict if and only if for all e [member of] [E'.sub.1], f [member of] [E'.sub.2]: e#f, denoted by [E'.sub.1][#.sup.xs][E'.sub.2]. That is, each of [E'.sub.1] is in conflict with each of [E'.sub.2] and the existence of conflict relation in [E'.sub.1] or [E'.sub.2] is allowed.

Definition 5 (weak conflict). Let [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. The conflict relation between event sets [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is called weak conflict if and only if [there exists]e [member of] [E.sub.1], [there exists]f [member of] [E.sub.2]: e#f, denoted by [E.sub.1][#.sup.w][E.sub.2]. The conflict-free event structures, [F.sub.1] and [F.sub.2], are called weak conflict if and only if their event sets are in weak conflict; that is, for all [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], denoted by [F.sub.1][#.sup.w][F.sub.2].

Stated in words, it is not that each event of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is in conflict with each event of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], but there exists at least one conflicting event pair between [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Basically, according to the previous definitions, strong conflict relation is a special case of weak conflict relation.

Definition 6 (weak conflict set). Let [WF.sup.cfw.sub.n] = {[F.sub.i] [member of] F | i, n [member of] N, 1 [less than or equal to] i [less than or equal to] n} over event set [E.sub.WF], [WF.sup.cfw.sub.n] is called a weak conflict set if and only if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. and for all [F.sub.i], [F.sub.j] [member of] [WF.sup.cfw.sub.n]: i [not equal to] j [??] [F.sub.i][#.sup.w][F.sup.j] (i, j [member of] N, l [less than or equal to] i [less than or equal to] n).

For convenience, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denote the family of weak conflict event sets.

Definition 7 (maximal conflict-free event substructure). Let E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]) [member of] E be an event structure; any event subset E' [subset or equal to] [E.sub.E] is called a maximal conflict-free event subset (for short, mcfset) of [E.sub.E] if and only if it satisfies the following:

(1) for all e, f [member of] E': [logical not](e#f);

(2) for all c [member of] ([E.sub.E] - E'): [there exists]d [member of] E' [??] c#d.

Its corresponding substructure E' is called maximal conflict-free event substructure of E; that is, E' = (E', [[??].sub.E] [intersection] (E' x E'), 0, [l.sub.E']).

4. Operators over Event Structure

In this section, a pair of mutually inverse operators, cfp (conflict-free partition) and wcc (weak conflict composition), will be introduced and discussed. For any prime event structure E, partition and composition operation over it can be associated via its family of configurations.

4.1. Maximal Conflict-Free Partition. In fact, a prime event structure can be viewed as a system consisting of several substructures, which are conflict-free themselves. Such a conflict-free event substructure of a prime event structure represents a specific possible partial order execution trace via branching or nondeterministic choices. For any prime event structure, it is a certainty that we can get its maximal conflict-free substructures by some kind of conflict-free partition operation according to the characteristics of its conflict relation.

First of all, we give the definition of maximal conflict pattern for an event structure. The notion of maximal conflict pattern can make great contributions to accelerate the process of partition by avoiding unnecessary partition steps. We then provide the key partition algorithm for a prime event structure.

Definition 8 (maximal conflict pattern). Let E = ([E.sub.e], [[??].sub.e], [#.sub.E], [l.sub.E]) [member of] E; for any A [subset or equal to] [E.sub.E] and B [member of] [E.sub.E], A[#.sup.xs]B is called a maximal conflict patternif and only if for all A' [subset or equal to] [E.sub.E], for all B' [subset or equal to] [E.sub.E]:(A [subset] A' [conjunction] B [subset] B') [??] [logical not](A'[#.sup.xs]B').

For any prime event structure, we can get these maximal conflict patterns by the following two steps:

(1) casual successors expanding;

(2) conflict pairs merging.

Firstly, due to the conflict inheritance property, we know that if event e is in conflict with event f then their casual successors are also in mutual conflict; that is, [for all]c [member of] Succ(e), [for all]d [member of] Succ(f): e#f [??] c#d.

Let [{e}.sub.j] = {e} [union] Succ(e) and [{f}.sub.#] = {f} [union] Succ(f); we have that [{e}.sub.#] and [{f}.sub.#] are in strong conflict if e[#.sub.E]f; namely, [for all]e, f [member of] [E.sub.E]: e[#.sub.g]f [??] [{e}.sub.#][#.sup.s][{f}.sub.#].

For example, for a prime event structure E, if c[#.sub.E]d and casual relations are c[[??].sub.E][e.sub.1], c[[??].sub.E][e.sub.2], d[[??].sub.E][f.sub.1], [f.sub.1][[??].sub.E][f.sub.2], and d[[??].sub.E][f.sub.3], we then have {c, [e.sub.1], [e.sub.2],}[#.sup.s]{d, [f.sub.1], [f.sub.2], [f.sub.3]}.

We also have that any nonempty subset of [{e}.sub.#] and any nonempty subset of [{e}.sub.#] are also in strong conflict.

Consider a prime event structure E [member of] E whose conflict relation has l(l [member of] N) conflict pairs. Expand each conflict relation with its successors according to the conflict inheritance property and we can get full conflict relation pairs: [{[e.sub.1]}.sub.#][#.sup.s][{[f.sub.1]}.sub.#], ..., [{[e.sub.l]}.sub.#][#.sup.s][{[f.sub.l]}.sub.#]; here [e.sub.i][#.sub.E][f.sub.i], [e.sub.i] [member of] [E.sub.E], [f.sub.i] [member of] [E.sub.E](i [member of] N, 1 [less than or equal to] i [less than or equal to] l).

Secondly, for such a group of full conflict relation pairs obtained by the above steps, there may exist common elements among some pairs that can be merged together and form a maximal conflict pattern. For example, events [e.sub.1], [e.sub.2], [e.sub.3], and [e.sub.4] are mutually in conflict; we have six immediate conflict relation pairs: {[e.sub.1]}[#.sup.s]{[e.sub.2]}, {[e.sub.1]}[#.sup.s]{[e.sub.3]}, {[e.sub.1]}[#.sup.s]{[e.sub.4]}, {[e.sub.2]}[#.sup.s]{[e.sub.3]}, {[e.sub.2]}[#.sup.s]{[e.sub.4]}, and {[e.sub.3]}[#.sup.s]{[e.sub.4]}.

From the principle of permutation, we then have three maximal conflict patterns by merging conflict pairs: {[e.sub.1]}[#.sup.xs]{[e.sub.2], [e.sub.3], [e.sub.4]}, {[e.sub.2]}[#.sup.xs]{[e.sub.3], [e.sub.4]}, and {[e.sub.3]}[#.sup.xs]{[e.sub.4]}. Equivalently, {[e.sub.4]}[#.sup.xs]{[e.sub.1], [e.sub.2], [e.sub.3]}, {[e.sub.3]}[#.sup.xs]{[e.sub.1], [e.sub.2]}, and {[e.sub.2]}[#.sup.xs]{[e.sub.1]} are also the valid maximal conflict patterns.

Assume that there are m [member of] N maximal conflict patterns after expanding and merging which are [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], respectively.

Here, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denotes the ith pattern, and [for all]e [member of] [A.sub.i] [subset or equal to] [E.sub.E], [for all]f [member of] [B.sub.i] [subset or equal to] [E.sub.E]: e[#.sub.E]f(i [member of] N, 1 [less than or equal to] i [less than or equal to] m).

If [A.sub.i][#.sup.xs][B.sub.i], then any nonempty subset of [A.sub.i] and any nonempty subset of [B.sub.i] are also in extended strong conflict.

For any event set D, let [??] denote any nonempty subset of D(0 [not equal to] [??] [subset or equal to] D); correspondingly, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denotes a conflict subpattern of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Formally, F: A'[#.sup.xs]B' is called a conflict subpattern of F: A[#.sup.xs]B if and only if (0 [not equal to] A' [subset or equal to] A) [conjunction] (0 [not equal to] B' [subset or equal to] B), denoted by F' [[subset or equal to].sub.pattern] F(or F [[contains or equal to].sub.pattern] F'. Otherwise F [[??].sub.pattern] F (or F' [[??].sub.pattern] F).

Let [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denote the maximal conflict pattern set of an event structure E.

For any prime event structure, it is a certainty that we can get its maximal conflict-free substructures by some kind of conflict-free partition operation according to its conflict relation characteristics: maximal conflict patterns. Thus, we have the following theorem for partition.

Theorem 9. For any prime event structure, its maximal conflict-free partition exists and the partition result is unique.

Proof. (1) Existence. The proof is constructive.

If there is no conflict in [E.sub.E], then [E.sub.E] itself is the maximal conflict-free event subset of E. Otherwise, for any nonempty event subset E (E [subset or equal to] [E.sub.E] [conjunction] E [not equal to] 0), and there exists such maximal conflict pattern [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] that [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

In order to make a subset E' of E(E' [subset or equal to] E) become conflict-free with respect to the conflict relation: [A.sub.i][#.sup.xs][B.sub.i], that is, eliminate this conflict relation from its all subsets, we have known that if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], then there should be [B.sub.i] [??] E'(or [A.sub.i] [??] E'); otherwise, the [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] conflict pattern will still exist in its subsets.

By greedy policy, let [A'.sub.i] and [B'.sub.i]. be both maximal inclusion subsets with respect to E calculated by [A'.sub.i] = maxincl([A.sub.i], E) and B' = maxincl([B.sub.i], E), respectively. This means the current event set E will be partitioned into two parts by this maximal conflict subpattern: one part is (E - [A'.sub.i]), and the other is (E - [B'.sub.i]). Certainly, there exists no [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] conflict relation between (E - [A'.sub.i]) and (E - [B'.sub.i]) any more. If there does not exist any conflict in (E - [B'.sub.i]) (or (E - [A'.sub.i]), then (E - [B'.sub.i]) (or (E - [A'.sub.i])) is one conflict-free event subset of [E.sub.E].

Otherwise, apply the next maximal conflict pattern [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] to all the previously obtained event subsets in the same manner. This partition process is continued until no conflict exists.

As we know, if each pattern of the maximal conflict patterns set has been applied just once by the above manner, then any consequent subset will be conflict-free and the partition process will stop. Meanwhile, there are [2.sup.m] conflict-free subsets at most.

Because intersection of [x.sub.i] and [y.sub.i](x, y [member of] {A, B}, i [not equal to] j, 1 [less than or equal to] i, j [less than or equal to] m) can be nonempty, thus the partition tree is not yet a full binary tree and set inclusion among these solution nodes is allowed. If some subsets are included by others, then they will be removed until every result subset cannot be included by others. It is not difficult to verify that every consequent subset is maximal and conflict-free. Exploiting these expanded fully conflict patterns to partition the event set [E.sub.E] step by step, we will eventually get all maximal conflict-free event subsets. That is, there exists a practical algorithm to implement the partition operation. Without loss of generality, let [[empty set].sub.A] denote such partition for the time being.

(2) Uniqueness. Assume we have [mcfsetN.sub.A](E) distinct maximal conflict-free event subsets in total by partition [[empty set].sub.A]. These subsets form a set of mcfsets, denoted by [R.sub.A] = {[A.sub.1], [A.sub.2], ..., [A.sub.n] | n = [mcfsetN.sub.A](E)}.

We might as well assume there is another partition [[empty set].sub.B] that generates the result set [R.sub.B] = {[B.sub.1], [B.sub.2], ..., [B.sub.m] | m = [mcfsetN.sub.B](E)} which is also a set of mcfsets.

Consider any element of [R.sub.B]; let [B.sub.i] (1 [less than or equal to] i [less than or equal to] m, i [member of] N) denote it. The relationship between an element [A.sub.j](1 [less than or equal to] j, k [less than or equal to] [mcfsetN.sub.A](E), j, k [member of] N) in [R.sub.A] and [B.sub.i] satisfies the following.

(1) [there exists][A.sub.j] [subset or equal to] [R.sub.A]: [A.sub.j] [subset] [B.sub.i] [subset or equal to] [E.sub.E].

Since [for all][A.sub.k] [member of] [R.sub.A], k [not equal to] j: [A.sub.j][#.sup.w][A.sub.k], then [for all][A.sub.k] [member of] [R.sub.A], k [not equal to] j: [B.sub.i][#.sup.w][A.sub.k]. We have known that [A.sub.j] [subset or equal to] [R.sub.A] is maximal, and now event subset Bt is also a subset of [E.sub.E] and is in weak conflict with other event subsets except A;. Moreover, [B.sub.i] includes [A.sub.i]. This case leads to a contradiction.

(2) [there exist][A.sub.j] [member of] [R.sub.A]: [B.sub.i] [subset] [A.sub.j] [subset or equal to] [E.sub.E].

The proof is similar to the above case (1). This case also leads to a contradiction.

(3) [for all][A.sub.j] [member of] [R.sub.A]: [A.sub.j] [not equal to] [B.sub.i].

(3.1) [for all][A.sub.j] [member of] [R.sub.A]: [A.sub.j][#.sup.w][B.sub.i].

Since Bt is also a subset of [E.sub.E], thus, [R'.sub.A] = {[A.sub.1], [A.sub.2], ..., [A.sub.n], [B.sub.i] | n = [mcfsetN.sub.A](E)} is a valid set of mcfsets. There are n+ 1 subsets in this partition [[empty set].sub.A]. This is in contradiction with that there are n(n = [mcfsetN.sub.A](E)) subsets in [R.sub.A].

(3.2) [there exists][A.sub.j] [member of] [R.sub.A]: [there exist]([A.sub.j][#.sup.w][B.sub.i]).

Since [for all][A.sub.k] [subset or equal to] [R.sub.A], k [not equal to] j: [A.sub.j][#.sup.w][A.sub.k], then [for all][A.sub.k] [member of] [R.sub.A], k [not equal to] j: ([A.sub.j] [union] [B.sub.j])[#.sup.w][A.sub.k]; that is, [R".sub.A] = {[A.sub.1], [A.sub.2], ..., {[A.sub.j] [union] [B.sub.i]}, ..., [A.sub.n], | n = [mcfsetN.sub.A](E)} is a valid set of mcfsets. [A.sub.j]([A.sub.j] [member of] [R.sub.A]) is maximal; moreover, [A.sub.j] [subset] ([A.sub.j] [union] [B.sub.i]) [member of] [R".sub.A] is maximal too. This leads to a contradiction.

(3.3) [for all][A.sub.j] [member of] [R.sub.A]: [logical not]([A.sub.j][#.sup.w][B.sub.i]).

The proof is similar to the above case (3.2). This case also leads to a contradiction.

Therefore, we are forced to have only [there exists][A.sub.j] [subset or equal to] [R.sub.A]: [A.sub.j] = [B.sub.i]; that is, any element in [R.sub.B] is also an element in [R.sub.A]; we get [R.sub.B] [subset or equal to] [R.sub.A]; in the same manner, we will get [R.sub.A] [subset or equal to] [R.sub.B]. Thus, we have [R.sub.B] = [R.sub.A].

This establishes the uniqueness and also implies the partition result is independent of partition order or conflict pattern.

Therefore, we have the conclusion.

Assume E [member of] E has mcfsetN(E) [member of] N mcfESs in total. Here, let [N.sub.E] = mcfsetN(E) ([N.sub.E], for short) denote total amount of mcfESs, [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i [less than or equal to] NE) denote the ith maximal conflict-free event substructure, and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denote the event set of [E.sup.max.sub.i].

Then the result set can be represented as [B.sup.mcfES](E) = {[E.sup.max.sub.i] | i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]}.

In fact, every [E.sup.max.sub.i] (i [member of], 1 [less than or equal to] i [less than or equal to] mcfsetN(E)) of the original prime event structure represents a specific possible execution choice in a system run. We might as well let cfp denote such an operator. Then, we have the following definition of this partition operator.

Definition 10 (conflict-free partition). An operator cfp is called conflict-free partition operator for E [member of] E if and only if [B.sup.mcfES](E) = cfp(E).

According to our previous discussion, we have C-like pseudocode descriptions: Algorithm 1 for cfp.

4.2. Family of Configurations. In general, the behavior of an event structure is described by its configurations which are sets of events with certain properties. In other words, a configuration is a set of events that have happened during a specific run of the event structure.

We will review the basic definition of configuration in the following section. More detailed information can be found in [26].

Definitionh (configuration). Let X beasubsetof X [subset or equal to] [E.sub.E] of a prime event structure E [member of] E; then X is called a configuration of E if and only if

(1) X is left-closed if and only if [for all]c, d [member of] E, d [member of] X [conjunction] c [less than or equal to] d [??] c [member of] X.

(2) X is conflict-free if and only if [for all]e, f [member of] X: [logical not](e[#.sub.E]f).

A configuration can also be viewed as a global state where all events in the configuration have occurred. The configuration of the event structure should be conflict-free because conflicting events can never happen in a system run. In addition, all casual predecessors of an event in a configuration should be contained in this configuration too; that is, configuration should be downwards closed; otherwise this event could not have happened at all.

ALGORITHM 1: Conflict-free partition: cfp.

Input: a prime event structure: E;
Output: the set of mcfESs: [B.sup.mcfes](E);
BEGIN
(1)  C = 0; int i = 1; int n = 0; R = 0;
(2)  SQ  EnterQueue([E.sub.E], 1);
     /* Initialize the Queue */
(3)  if(IsConflictFree([E.sub.E])){
(5)  C = [union]{B};
(6)  Goto BUILDES;
(7)  } /* end if; */
     /* Expand and merge each conflict pair and build maximal
       conflict patterns: {[MATHEMATICAL EXPRESSION NOT
       REPRODUCIBLE IN ASCII]}; */
(8)  for (i = 1; i [less than or equal to] m; i++) {/* do * /
(9)  Select a partition pattern: [MATHEMATICAL EXPRESSION NOT
       REPRODUCIBLE IN ASCII];
(10) /* Current level is i, apply [MATHEMATICAL EXPRESSION NOT
       REPRODUCIBLE IN ASCII], otherwise, skip while loop to
       the next one: i++; */
(11)     while (\EmptyQueue(SQ) &&
         1 == VarQueue(SQ, LEVEL)) {
     /* Get the head of the Queue: event set */
(12)       E = OutQueue(SQ, EVENT);
(13)       [A'.sub.i] = maxincl([A.sub.i], E);
(14)       [B'.sub.i] = maxincl([B.sub.i], E);
(15)       [E.sub.1] = (E - [A'.sub.i]);
(16)       [E.sub.2] = (E - [B'.sub.i]);
     /* [E.sup.1] is a conflict-free subset; */
(17)    if (IsConflictFree([E.sub.1])) {
(18) C = C [union] {[E.sub.1]};
     /* Remove these elements included in others; */
(19)       RemoveIncludedElement(C);
(20)    }else{
     /* Continue next partition by the conflict pattern:
       [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; */
(21)       SQ = EnterQueue([E.sub.1], i + 1);
(22)    } /* end if */
(23)    if (IsConflictFree([E.sub.2])) {
(24)       C = Cu{[E.sub.2]};
(25)       RemoveIncludedElement(C);
(26)    }else{
(27)       SQ = EnterQueue([E.sub.2], i + 1);
(28)     } /* end if * /
(29)   } /* end while */
(30) } /* end for*/
(31) BUILDES: /* Build the sub-structure: F = ([E.sub.F],
       [[??].sub.F], [#.sub.F], [l.sub.F]) */
(32) while ([logical not]IsEmpty(C)) {
(33)   Select a conflict-free event subset [A.sub.1#] from C;
(34)   [E.sub.F] = [A.sub.1#];
(35)   [#.sub.F] = 0;
(36)   [[??].sub.F] = [[??].sub.E] [intersection] ([A.sub.1#]
         x [A.sub.1#]);
(37)   [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];
(38)   C = C - {[A.sub.1#]};
(39)   R = R [union] F; n++;
(40)   } /* end while */
(41) mcfsetN(E) = n;
(42) return R;
END;


That is, a subset X is a (finite) configuration of E if and only if it is finite, left-closed, and conflict-free.

The semantics of a prime event structure is defined as the family of its configurations ordered by set inclusion. Let ConfF(E) denote the family of all configurations of event structure E, which forms an ordered set (called prime algebraic coherent partial order; see [16]) by inclusion; that is, (ConfF(E), [subset or equal to]) is partial order.

Definition 12. A configuration X [member of] ConfF(E) is called complete or (successfully) terminated if and only if [for all]d [member of] E: d [not member of] X [??] [there exists]e [member of] X: e#d. A configuration X [member of] ConfF(E) is called maximal if and only if [for all]Y [member of] ConfF(E): X [??] Y.

For any prime event structure E, a configuration of E is maximal if and only if it is complete. Obviously, for any maximal configuration of a prime event structure, there exists a corresponding maximal conflict-free substructure set. An empty or initial configuration, denoted by [0.sub.ConfF] [member of] ConfF(E), represents the initial state in which there is no event happened.

In general, initial configuration and complete configuration are also called trivial configurations, while others are called nontrivial configurations.

Similarly, we have the following configuration definition for conflict-free event structure.

Definition 13 (configuration of cfES). Let F = ([E.sub.F], [[??].sub.F], 0, [l.sub.F]) be a cfES and let Z be a subset of [E.sub.F](Z [subset or equal to] [E.sub.F]); then Z is called a configuration of F if and only if Z is left-closed; that is, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Since F [member of] F, its event subset is evidently conflict-free.

Let cfConfF(F) denote the family of all configurations of conflict-free event structure F. Clearly, when F is the ith mcfES: [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of prime event structure E [member of] E, its family of all configurations is denoted by mcfConfF([E.sup.max.sub.i]).

Definition 14 (subfamily of configurations). Let F [member of] be a cfES and let [OMEGA](0 [not equal to] [OMEGA] [subset or equal to] [E.sub.F]) be a nonempty event subset; a subfamily of configurations of F with respect to event subset [OMEGA] is the family of configurations of its event substructure F[|.sub.[OMEGA]] = ([OMEGA], [[less than or equal to].sub.F] [intersection] ([OMEGA] x [OMEGA]), 0, [l.sub.[OMEGA]]) restricted by event subset [OMEGA]; that is, cf subConfF(F, [OMEGA]) [??] cfConfF(([OMEGA], [[less than or equal to].sub.F] [intersection] ([OMEGA] x [OMEGA]), 0, [l.sub.[OMEGA]])).

Clearly, for any [mcfESE.sup.max.sub.i](i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of event structure E [member of] E, its subfamily of configurations with respect to event subset [OMEGA](0 [not equal to] [OMEGA] [member of] [E.sup.max.sub.E,i]) is denoted by [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] for convenience.

Lemma 15. The relation between the family of configurations of a prime event structure and that of its mcfESs can be described by [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Proof. To prove the result of this lemma, we will show that

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (2)

both hold.

(1) "[subset or equal to]" For any configuration X [member of] ConfF(E), since X is a configuration, by definition, X should be conflict-free. Thus X should be the subset of one of the maximal configurations. Otherwise, if X is greater than any maximal configuration, then X must contain mutual conflicting events; that is impossible.

Therefore, we have that there must exist a maximal configuration which contains X. Such a maximal configuration corresponds to a maximal conflict-free event subset: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; that is, X must be the element of mcfConfF([E.sup.max.sub.i]); that is, X [member of] mcfConfF([E.sup.max.sub.i]). We have [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

(2) "[contains or equal to]". For any configuration X [member of] mcfConfF([E.sup.max.sub.i]) (i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]), of course, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; this implies [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; therefore, we get X [subset or equal to] [E.sub.E]. Since X is a configuration, it is also a configuration of E; that is, X [member of] ConfF(E).

We have [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Therefore, from (1) and (2), we have the result.

4.3. Domains of Configurations. In this section, we will discuss the concept of domain from the point of view that computation states are taken as such subsets and progress in a computation is measured by the occurrence of more events.

Firstly, we will recall some related conceptions regarding domain [16,27]. Then, some important facts will be discussed.

Definition 16 (least upper bound). Let D = (D, [subset or equal to]) be a partial order; an element d [member of] D is called least upper bound of subset X(X [subset or equal to] D), denoted by d = UX, if and only if ([for all]x [member of] X: x [subset or equal to] d) [conjunction] ([for all]d' [member of] D: ([for all]x [member of] X: x [subset or equal to] d') [??] d [subset or equal to] d!).

Definition 17 (coherent). Let D = (D, [subset or equal to]) be a partial order; two elements x, y [member of] D are called consistent (denoted by x [up arrow] y) if and only if [there exists]z [member of] D: x [subset or equal to] z [conjunction] y [subset or equal to] z; a subset X [subset or equal to] D is pairwise consistent if and only if any two of its element have an upper bound in D; that is, [for all]x, y [member of] X: x [up arrow] y; (D, [subset or equal to]) is called coherent if and only if every pairwise consistent subset X(X [subset or equal to] D) has a least upper bound UX.

The consistency relation of x and y is denoted by x [up arrow] y; conversely, inconsistency is denoted by x [??] y.

Definition 18 (complete prime). A partial order D = (D, [subset or equal to]); an element is a complete prime if and only if for every finite subset X [subset or equal to] D, if UX exists and p [subset or equal to] UX then there exists an x [member of] X such that p [subset or equal to] x (i.e., p [subset or equal to] UX [??] [there exists]x [member of] X. p [subset or equal to] x).

Let P(D) denote the set of complete prime of (D, [subset or equal to]).

Definition 19 (prime algebraic). A partial order D = (D, [subset or equal to]) is called finitary if and only if [for all]p, d [member of] P(D): {d [member of] D | d [subset or equal to] p} is finite. (D, [subset or equal to]) is called prime algebraic if and only if P(D) is countable and [for all]d [member of] D: d = u[p [member of] P(D) | p [member of] d}.

Namely, D is called prime algebraic if and only if, for every element d [member of] D, U[D.sub.d] exists (define U[D.sub.d] = [p [subset or equal to] d | p is a complete prime}), and d = U[D.sub.d].

Definition 20 (domain). A coherent, prime algebraic, and finitary partial order is called a Scott domain (or simply a domain).

Definition 21. Let D = (D, [subset or equal to]) be a coherent, finitary prime algebraic domain. Define [P.sub.r][D] = (P(D), [??], #), where P(D) consists of the complete primes of D:

(1) [for all]p, p' [member of] P(D): p [??] p' & p [subset or equal to] p';

(2) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Definition 22. Let D = (D, [subset or equal to]) be a prime algebraic complete lattice. Define [P.sub.r][D] = (P(D), [??]), where P(D) consists of the complete primes of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Theorem 23. Let E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]) [member of] E; then (ConfF(E), [subset or equal to]) is a finitary coherent prime algebraic domain; the complete primes are the set {a [member of] [E.sub.E] | a [??] e, e [member of] [E.sub.E]} (see [25]).

Theorem 24. Let (D, [subset or equal to]) be a finitary coherent prime algebraic domain. Then, [P.sub.r][D] = (P(D), [??], #) is a prime event structure, with [phi]: (D, [subset or equal to]) = (ConfF([P.sub.r][D]), [subset or equal to]) giving an isomorphism of partial orders where [phi](d) = {p [subset or equal to] d | p is a complete prime} with inverse [lambda]: ConfF([P.sub.r][D]) [right arrow] (D, [subset or equal to]) given by [lambda](x) = Ux (see [16]).

Evidently, event structures and coherent, finitary prime algebraic domains are equivalent; one can be used to represent the other.

The following theorem describes the important property of family of configurations of a prime event structure.

Theorem 25. For any nonempty mcfES: [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of event structure E [member of] E, its family of configurations (mcfConfF([E.sup.max.sub.i]), [subset or equal to]) is prime algebraic complete lattice. Its complete primes are those elements of the form [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Proof. The proof is straightforward.

Thus prime event structure and finitary coherent prime algebraic domain are equivalent; this implies that there is a one-to-one correspondence between a prime event structure and its family of configurations; one can be used to represent the other.

4.4. Weak Choice Composition. Theorem 23 describes an important property between the domains of configurations of prime event structures and the prime event structures themselves.

We can obtain a full set of mcfESs from a prime event structure by applying cfp operator over it. Conversely, given a full set of mcfESs of an event structure, we can certainly recover the original event structure that generates this set of mcfESs by some kind of composition operation.

Further, for any weak conflict set, we give the constraint conditions, under which this weak conflict set can be composed together and form a prime event structure that can generate this set by conflict-free partition operation.

The following theorem discusses the constraint conditions for composition.

Theorem 26 (necessary and sufficient condition for composition). For any weak conflict set [WF.sup.cnf.sub.w] = {[F.sub.i] [member of] F | i, n [member of] N, 1 [less than or equal to] i [less than or equal to] n}, if it satisfies the following conditions: (1) and (2), then there exists a unique prime event structure E [member of] [E.sub.prime] that can generate this set by cfp partition operation; that is, [WF.sup.cfw.sub.n] = cfp(E).

(1) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

(2) ([U.sup.n.sub.i=1] cf ConfF([F.sub.i]), [subset or equal to]) is a finitary coherent prime algebraic domain.

Proof. On one hand, the intersection of event sets of any two cfESs is nonempty meaning that common events have happened from both event structures. By definition, if these events represent common global states in runs of a system described by the same prime event structure with multiple choices, they should behave identically. That is, their configurations with respect to the intersection of event set should be identical.

In addition, from Theorems 23 and 24, the family of configurations of a prime event structure ordered by set inclusion should be a finitary coherent prime algebraic domain.

Thus, we have the necessary condition for composition.

On the other hand, from Theorems 23 and 24, we have that there is a one-to-one correspondence between a prime event structure and its family of configurations. Given a valid family of configurations for prime event structure, then there should exist a corresponding prime event structure.

For any weak conflict set: [WF.sup.cfw.sub.n] = {[F.sub.i] [member of] F | i, n [member of], 1 [less than or equal to] i [less than or equal to] n}, if all cfConfF([F.sub.i]) by joining can form a valid family of configurations for a prime event structure, that is, [U.sub.1[less than or equal to]i[less than or equal to]n] cfConfF([F.sub.i]) forms a ordered by set inclusion, then there should exist such a unique prime event structure E that ConfF(E) = [U.sub.i[less than or equal to]i[less than or equal to]n] cfConfF([F.sub.i]).

Therefore, we get the necessary and sufficient condition for composition.

Obviously, the set [B.sup.mcfES](E) of a prime event structure satisfies the above condition. Clearly, this implies that there must exists a composition operation which can construct the target event structure E from a weak conflict set that satisfies the constraint conditions. We may as well let wcc denote the operator. Thus, we have the following definition.

Definition 27 (weak choice composition (wcc operator)). Let [WF.sup.cfw.sub.n] be a weak conflict set, which satisfies necessary and sufficient conditions for composition; an operator wcc is called weak choice composition operator if and only if the result event structure R = wcc([WF.sup.cfw.sub.n]) and R satisfies the following:

(1) ConfF(R) = ([[union].sup.n.sub.i=1]cfConF([F.sub.i]), [subset or equal to]);

(2) [WF.sup.cnf.sub.w] = cfp(R).

The following theorem states that the operator wcc and cfp are mutually inverse for a prime event structure.

Theorem 28. For any E [member of] E, E = wcc(cfp(E)) holds.

Proof. The proof is straightforward.

Obviously, it is not difficult to derive an algorithm for weak conflict composition operator from Definition 27 and Theorem 28.

5. Slicing Reduction

In this section, we will discuss slicing reduction technique for partial order trace or prime event structure. Slicing is often taken as an effective abstract technique to combat the state explosion problem. A slicing algorithm for event structure with respect to predicates in a subset of temporal logic formulas is studied. Specially, we focus on statically analyzing rather than online detecting over event structure model.

First of all, we will retrospect the classical notion of computation slicing for partial order traces. Then, we will extend the idea from partial order traces to prime event structures with conflict relations. Additionally, all related definitions and theorems [18, 19, 28] for our theory will be discussed.

5.1. Partial Order Trace Slicing. Computation slicing was introduced in [7] as an abstraction technique for analyzing partial order traces of distributed programs or distributed computations.

Generally, for classical program slicing, programs are sliced with respect to a slicing criterion that is an interested point for analyzing. In static program slicing, for example, "a program line number" can be taken as a valid slicing criterion. Thus, in order to compute a slice, we need to firstly define the slicing criterion.

Intuitively, a slice of a trace with respect to a temporal logic specification or a predicate (slicing criterion) [phi] is a subtrace that contains all the states of the trace that satisfy [phi]. A slice contains all the states that satisfy [phi] such that it can be computed efficiently and is often much smaller than the original model.

We can use directed graphs to model partial order (execution) traces (POTs, for short) as well as slices. Thus, a notion named graph ideal (or order ideal) of directed graph [29] is introduced to specify partial order traces and slices pictorially. Formally, its definition is given as follows.

Definition 29 (order ideal). Given a poset (X, <), (< denotes an order relation) a subset S of X is an order ideal if it satisfies [for all]x, y : x, y [member of] X : (x [member of] S) [conjunction] (y [less than or equal to] x) [??] (y [member of] S).

Definition 30 (graph ideal). Given a directed graph G = (V, [GAMMA]), let V(G) and [GAMMA](G) denote the set of vertices with event labels and directed edges, respectively. A subgraph H of G is a graph ideal if it satisfies [for all]u, v [member of] V(G), H [subset or equal to] V(G), v [member of] H [conjunction] (u, v) [member of] [GAMMA](G) [??] u [member of] H.

It is more convenient to use directed graphs to represent partially ordered sets and prime event structures for slicing computation. It satisfies the following.

(1) For any event e and f of E, if e [??] f, then there is directed edge from the vertex [v.sub.e] labelled with e to the vertex [v.sub.f] labelled with f.

(2) For any event e and f of E, if e#f, then there is dash line between the vertex [v.sub.e] labelled with e to the vertex [v.sub.f] labelled with f.

For example, as shown in Figure 1, a partial order trace or a mcfES is demonstrated pictorially. The corresponding event structure for Figure 1 is as follows.

(i) E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]), (Act = {a, b, c, d}).

(1) [E.sub.E] = {[e.sub.1], [e.sub.2], [e.sub.3], [e.sub.4]}.

(2) [[??].sub.E] = {[e.sub.1] [??] [e.sub.2], [e.sub.1] [??] [e.sub.4], [e.sub.3] [??] [e.sub.4]}.

(3) l([e.sub.1]) = a, l([e.sub.2]) = b, l([e.sub.3]) = c, l([e.sub.4]) = d.

(4) [#.sub.E] = 0.

In addition, when attempting to construct the graph representation of mcfES, as Figure 1 shows, two specific vertexes T and [perpendicular to] will be added as initial state and terminal state corresponding to initial configuration and maximal configuration, respectively.

A subset of elements forms an order ideal if whenever an element is contained in the subset then all its preceding elements are also contained in the subset. Intuitively, order ideals or left-closed subsets can be graphically represented by graph ideals. Generally, independency relation will not be represented explicitly. It is not difficult to have that partial order trace is only a special case of prime event structure with no conflict relations. Here, graph ideal is a notion equivalent to the configuration of an event structure. Empty set and the set of all vertices are called trivial ideal. Similarly, initial configuration and complete configuration are also called trivial configurations.

Definition 31 (predicate on configuration). Intuitively, a logic formula or predicate is a Boolean-valued function defined on the set of configurations: [phi]: ConfF(E) [right arrow] {0, 1}. It actually represents a subset of configurations in which the Boolean function evaluates to 1.

The predicate detection problem is to decide whether the initial configuration of an event structure satisfies a predicate. More formally, we have the following definition.

Definition 32 (predicate detection). For any prime event structure E and any predicate [phi], predicate detection is to decide whether ConfF(E), {[perpendicular]} [??] [phi] holds or not.

Predicates are used to specify system behaviors and properties such as safety and liveness. Properties expressed by a CTL (computational tree logic, introduced in [30]) formula are beyond the scope of this paper. For evaluating the value of a predicate efficiently, various predicate classes [28] such as conjunctive, stable, observer-independent, linear, relational, and nontemporal regular [7] predicates have been defined.

Generally, predicate on configurations will act as the slicing criterion for POTs slicing.

Definition 33 (slice of mcfES(POTs)). A slice of a mcfES(POTs): [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of prime event structure E with respect to a formula [phi], denoted by mcfFSslice([E.sup.max.sub.i], [phi]), is such an event structure that satisfies the following.

(i) Its family of configurations contains all the configurations that satisfy [phi].

(ii) Its family of configurations has the least number of configurations and still forms a sublattice.

This formal definition is derived from computation slice notion [7] given by Garg and Mittal. Meanwhile, existence and uniqueness of the mcfES slice have also been discussed; that is, the following theorem holds.

Theorem 34. For any [E.sup.max.sub.i](i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of a prime event structure and any predicate p, the slice of with respect to predicate p, that is, mcfESslice([E.sup.max.sub.i], [phi]) exists and is unique.

Proof. The proof is straightforward; see [8, 20, 31].

In general, the family of configurations for a mcfES forms a distributed lattice, and its slice with respect to a predicate is a sublattice. Sometimes a slice may contain those configurations that do not satisfy the predicate for completing sublattice.

In the next section, we will discuss the slicing definition and model for prime event structure.

5.2. Sliced Model over Event Structure. Generally, predicate on configurations acts as the slicing criterion for prime event structure slicing. Temporal regular predicate, such as a regular subset of CTL called RCTL [7, 8, 29], which contains four temporal operators EF, AG, EG, and EX[j], and nontemporal regular predicates both can also be taken as the slicing criterions.

Compared with the definition of slice of mcfES, we have a similar case for prime event structure.

Definition 35 (slice of prime event structure). A slice of a prime event structure with respect to a formula p, denoted by SliceES(E, [phi]), is such an event structure that satisfies the following.

(i) Its family of configurations contains all the configurations that satisfy [phi].

(ii) Its family of configurations has the least number of configurations.

Generally, a slice may contain configurations that do not satisfy the given predicate. The slice of an event structure with respect to a predicate is called lean [32] if every configuration of the slice satisfies the predicate.

Theorem 36. For any E [member of] E and any predicate p, SliceES(E,p) exists and is unique, and SliceES(E, [phi]) = wcc(mcfESslice(cfp(E), [phi])) holds.

Proof. (1) Existence and Uniqueness. From Theorem 34, we have that, for any [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i [less than or equal to] [N.sub.E]) of a prime event structure E and any predicate p, its slice with respect to predicate p exists and is unique.

For any mcfES, the family of configuration of mcfESslice([E.sup.max.sub.i], [phi]) is a distributed lattice and is unique.

Further, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; [[union].sup.C.sub.E] is also unique and ([[union].sup.C.sub.G], C) is a finitary coherent prime algebraic domain.

Next, we show that the slicing operation will keep the second part of necessary and sufficient condition for composition.

For any [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], we then have that cfsubConfF([E.sup.max.sub.i], D) = cfsubConfF([E.sup.max.sub.i], D); that is, for any nonempty event subset D' (D' [subset or equal to] D) and any predicate [phi], if any configuration of D' satisfies [phi], that is, D' is the common part of both slices of [E.sup.max.sub.i] and [E.sup.max.sub.j]. We still get that cfsubConfF([E.sup.max.sub.i], D') = cfsubConfF([E.sup.max.sub.j], D').

This means that, for any two mcfESs, if their intersection is nonempty, no matter which part of the intersection belongs to the slice, after slicing, the necessary and sufficient condition for composition will be still satisfied.

Thus, we get that [U.sup.C.sub.E] is a valid family of configurations for prime event structures; there should exist such a unique prime event structure Re E that satisfies ConfF(F) = [U.sup.C.sub.E]. We can get R by applying wcc to the corresponding event structures of [U.sup.C.sub.E].

Therefore, the existence and uniqueness for event structure slicing have been established. We will then prove that the prime event structure R is the ultimate result of slicing.

(2) Satisfactoriness and Minimality. On the one hand, for any configuration X of event structure E that makes predicate [phi] hold, that is, X [member of] ConfF(SliceES(E, [phi])), there must be a mcfES: [E.sup.max.sub.i] so that X [member of] ConfF(SliceES(E, [phi])); let [C.sub.i] = mcfConfF(mcfESslice([E.sup.max.sub.i], [phi])), because [C.sub.i] contains all the configurations of event structure [E.sup.max.sub.j] that make predicate [phi] hold. We have that X must be contained by [C.sub.i]; that is, X [member of] C;.

We get X [member of] ConfF(SliceES(E, [phi])) [??] X [member of] [U.sup.C.sub.E].

Further, we get ConfF(SliceES(E, [phi])) [subset or equal to] [U.sup.C.sub.E].

On the other hand, for any configuration X [member of] [[union].sup.C.sub.E], we get X [member of] ConfF(E) and X can make predicate [phi] hold; then X [member of] ConfF(SliceES(E)) must hold. Thus, we get X [member of] [[union].sup.C.sub.E] [??] X [member of] ConfF(SliceES(E, [phi])).

That is, [U.sup.C.sub.E] [subset or equal to] ConfF(SliceES(E, [phi])).

Therefore, we have [[union].sup.C.sub.E] = ConfF(SliceES(E, [phi])).

Thus, we get that SliceES(E, [phi]) = R.

Moreover, by the definition of slice of maximal conflict-free event substructure, we have that, for any [E.sup.max.sub.i] (i [member of] N, 1 [less than or equal to] i < XE), the corresponding mcfESslice([E.sup.max.sub.i], [phi]) contains the least number of configurations that satisfy the given predicate [phi]; we then have that [[union].sup.C.sub.E] = ConfF(SliceES(E, [phi])) also contains the least number of configurations satisfying this specification. Thus, satisfactoriness and minimality both hold.

Consequently, from both (1) and (2), we conclude that the theorem holds.

5.3. Slicing Reduction Algorithm. In this section, we will present an approach for event structure slice computing. The slicing algorithm for a prime event structure or its mcfESs with respect to regular predicates is based on the Adding Edges Theorem (see [8, 20, 31, 33]).

In fact, by the following theorem, these lattices will never be actually constructed in the slicing process for efficiency.

The configurations do not satisfy the predicate but still can be included to complete the sublattice.

Given a distributive lattice L generated by a graph G, every sublattice of L can be generated by a graph obtained by adding edges to G. The following theorem holds.

Theorem 37 (Adding Edges Theorem). Let L' be any sublattice of a finite distributive lattice L generated by the directed graph G. Then, there exists a graph G' that can be obtained by adding edges to (removing vertices from) G that generates L'.

For any prime event structure, we can get the slices of its mcfESs by applying the Adding Edges Theorem. These slices can be composed by wcc to form a new prime event structure which is the target slice of the original event structure. This approach is less general but results in more efficient detection algorithms for a special class of predicates. Note that we will never actually construct the lattice or family of configurations of the event structure due to efficiency.

Garg and Mittal have presented an efficient algorithm slice(G, [phi]) [8, 28] based on graphical representation G to compute the slice of POTs (or conflict-free event structures) with respect to a predicate [phi]. The algorithm adopts the principle of the Adding Edges Theorem and can produce a sliced graph representation. Especially, we have G = slice(G, true) for predicate [phi] = true itself.

We extend the idea and algorithm to more general models and provide an algorithm for slicing the mcfESs and the original prime event structure. Thus, we have Algorithm 2 to compute the slice of conflict-free event structure.

For a prime event structure with conflict relations, we have to apply c/p operator to get mcfsetX(E) maximal conflict-free event substructures and each of them can be sliced by mc/ESslice. Then, the set consisting of each sliced result can be composed together by wcc to construct a new event structure. This new event structure will be the sliced result.

Thus, we can derive Algorithm 3 to compute the slice of a prime event structure.

Because the set of the slices of mcfESs may no longer keep the weak conflict relation which exists in the original mcfESs.

Therefore, after mcfESslice (mcfES(E), [phi]) operation is performed, the relation among these slices can be one of the following cases:

(1) strong conflict;

(2) conflict-free;

(3) weak conflict;

(4) hybrid of weak conflict and conflict-free;

(5) hybrid of weak conflict and strong conflict;

(6) hybrid of strong conflict, weak conflict, and conflict-free.

In case of (1), (3), and (5), the operation wcc can be performed directly. But in case of (2), (4), and (6), we have to add some events in order to make the result set of slices still be able to form a valid weak conflict set at the end of process.

For temporal predicates [8], such as FF, EG and AG can be computed by slice(G,EF([phi])), slice(G, EG([phi])), and slice(G, AG([phi])), respectively. From the definition of a slice, we know that every configuration of a slice sliceES(E, [phi]) is also a configuration of E.

Clearly, the following two corollaries hold.

Corollary 38. (1) For any prime event structure E [member of] E, ConfF(sliceES(E, EG([phi]))) [subset or equal to] ConfF(sliceES(E, [phi])) [subset or equal to] ConfE(E).

Similarly for AG, the following holds.

(2) For any prime event structure E e E, ConjF(sliceES(E, AG([phi]))) [subset or equal to] ConjF(sliceES(E, [phi])) [subset or equal to] ConjE(E).

Corollary 39. For any prime event structure E [member of] E, ConjF(sliceES(E, EF([phi]))) [subset or equal to] ConjF(E).

5.4. Case Study for Slicing Reduction. In this section, we will give an example to illustrate the prime event structure slice notion and its computing process.

Consider a prime event structure: E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]), as shown in Figure 2. The components are described as follows:

(1) event set: [E.sub.E] = {[e.sub.a], [e.sub.b], [e.sub.c], [e.sub.1], [e.sub.2], [e.sub.3], [e.sub.4]};

(2) conflict relation: #E = |efo#e1};

(3) casual relation: [[??].sub.E] = {[e.sub.b] [??] [e.sub.a], [e.sub.c] [??] [e.sub.a], [e.sub.1] [??] [e.sub.2], [e.sub.1] [??] [e.sub.4], [e.sub.3] [??] [e.sub.4], [e.sub.c] < [e.sub.3]};

(4) action labels: [l.sub.E]([e.sub.a]) = a, [l.sub.E]([e.sub.b]) = b, [l.sub.E]([e.sub.c]) = c, [l.sub.E]([e.sub.1]) = [a.sub.1], [l.sub.E]([e.sub.2]) = [a.sub.2], [l.sub.E]([e.sub.3]) = [a.sub.3], [l.sub.E]([e.sub.4]) = [a.sub.4];

(5) action functions:

(i) action([a.sub.1]): {x = x + 1};

(ii) action([a.sub.2]): {x = x + 3};

(iii) action([a.sub.3]): {y = y + 3};

(iv) action([a.sub.4]): {y = y + 2};

(v) action(a): {z = z + 2};

(vi) action(b): {z = z + 1};

(vii) action(c): {y = y - 1};

(viii) initValue: {x = 1; y = 1; z = 0};

(6) slice criterion: {[phi] = -2 [less than or equal to] (y - x + z) < 2}.

ALGORITHM 2: Slicing algorithm: mcfESslice(mcfES(E), [phi]).

Input:
(1) a conflict-free event structure: mcfES(E),
(2) a regular predicate: [phi]
    Output: the slice of mcfES: [E.sup.max.sub.islice]
    BEGIN
(1) K = 0;
(2)   generate graph representation G for [E.sup.max.sub.i];
(3)   computing slice: K = slice(G, [phi]);
(4)   generate event structure [E.sup.max.sub.i slice] from
        graph representation K;
(5)   return [E.sup.max.sub.i slice]
    END

ALGORITHM 3: Slicing algorithm: sliceES(E, [phi]).

Input:

(1)  an event structure: E
(2)  a regular predicate: [phi]
     Output: the slice: [E.sub.slice]
     BEGIN
(1)  int n = 0, C = 0;
(2)  R = 0;
(3)  [B.sup.mcfES](E) = cfp(E)
(4)  n = mcfsetN(E);
(5)  for (int i = 0; i < n; i++) {
(6)    get the ith mcfES: [E.sup.max.sub.i] from [B.sup.mcfES];
(7)    C = C [union] mcfESslice([E.sup.max.sub.i], [phi]);
(8)  }
(9)  if(C [not equal to] 0){
(10)   R = wcc(C);
(11) }
(12) return R;
END


In this example, the system global states will be updated after an action function executes. Figure 2 depicts all the events conflict (for simplicity, only immediate conflict relation is shown) and casual relation. Figure 3 shows its corresponding family of configurations.

There is one conflict relation between event b and [e.sub.1]; due to the conflict inheritance property of prime event structures, we have [e.sub.b]#[e.sub.1], [e.sub.b]#[e.sub.2], [e.sub.b]#[e.sub.4] and [e.sub.a]#[e.sub.1], [e.sub.a]#[e.sub.2], [e.sub.a]#[e.sub.4]; that is, each of {[e.sub.a], [e.sub.b]} is in conflict with each of {[e.sub.1], [e.sub.2], [e.sub.4]}. Obviously, according to this conflict relation, apply cfp operation to the prime event structure E and we get that this event structure has only two mcfESs: they are [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] depicted by Figures 4(1) and 4(2), respectively, and Figures 5(1) and 5(2) show their corresponding families of configurations.

The configurations that satisfy the predicate are labelled with frames. In fact, these configurations are only used to describe relationship between original event structure and its slice graphically; in general, they will never be actually constructed in the slicing algorithm for efficiency.

The families of configurations of the slices of [E.sub.1] and [E.sub.2] with respect to the predicate {[phi] = -2 [less than or equal to] (y - x + z) < 2} are shown in Figures 6(1) and 6(2), respectively. It can be verified that both mcfConf([E.sub.1]) and mcfConf([E.sub.2]) form distributed lattices.

These configurations of the slices are exactly the ones that satisfy the given predicate in the family of configurations of the original event structure. Figure 7 shows the family of configurations constructed by applying U operation to the families of configurations of all slices.

Finally, in Figure 8, the slice of [E.sub.1] and the slice of [E.sub.2] are combined into the slice of E by wcc operator, as expected.

To illustrate the benefit of predicate detection by using slicing reduction as shown in above example, consider the states in Figure 3 again.

Let {[phi] = -2 [less than or equal to] (y - x + z) < 2} be the predicate to be checked, and suppose we want to detect whether EF([phi]) holds or not; that is, there exists a global state that satisfies [phi]. Without slicing reduction applied, we are forced to examine all global states, 15 states in total as shown in Figure 3, to decide whether the traces satisfy the predicate.

Alternatively, we can compute the slice via slicing reduction technique with respect to the regular temporal predicate and use this slice for predicate detection.

For this purpose, firstly, we compute the slice with respect to [phi] and the slice is shown in Figure 7.

Finally, we check whether the initial state is the same as the initial state of the slice and decide whether the predicate is satisfied or not.

The slice contains only 9 states and has much fewer states than the original traces itself. Generally, it is exponentially smaller in many cases and this can result in substantial savings.

6. Symmetry Reduction

Finite state systems frequently exhibit symmetry which can be found in memories, caches, register files, bus protocols, and anything that has a lot of replicated structures. The use of symmetry to reduce state space has been investigated widely by researchers [2, 3,15, 22, 23].

In this section, we will discuss symmetry properties over prime event structures. Symmetry in an event structure implies the existence of nontrivial permutation groups that preserve both the events labelling and all relations of causal dependence and independence that exist between events. We start by introducing some notions of group theory.

6.1. Automorphism Groups. We know that the set of all permutation on a set forms a permutation group under functional composition. A permutation group over a finite set X consists of bijections, X [right arrow] X, and their compositions as the binary operations.

Definition 40 (permutation group). Let X be a finite set; a permutation of X is a bijection from X to itself. Then, [S.sub.X] := {f: X [right arrow] X | f is abijection}; that is, the family of all the permutations of the set X, denoted by [S.sub.X], forms a group called the symmetric group on X. For any bijection f [member of] [S.sub.X] is called a permutation. Any subgroup of is called a permutation group on X.

Obviously, a symmetric group is a special permutation group. A permutation group over a set has good properties; specially, it can induce an equivalence relation. The equivalence classes of an equivalence relation on a set can form a partition of this set. Thus, for a set X, if there exists a permutation group on the set X, the permutation group can induce a partition of the set X. We can easily check this property.

In this paper, permutation groups are used to partition the set of events in an event structure so that we use equivalence classes (orbits) of events to investigate symmetry in this event structure.

Definition 41 (automorphism). Let E = (E, [??], #, 1) [member of] E and let G be a permutation group on the event set E of E. A permutation f [member of] G is said to be an automorphism of E if and only if f satisfies the following conditions:

(1) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

(2) l([e.sub.1]) = l(f([e.sub.2])).

Definition 42 (automorphism group). A permutation group G is called an automorphism group for the event structure E(E = (E, [??], #, l) [member of] E) if and only if every permutation f [member of] G is an automorphism of E.

Notice that every f [member of] G has an inverse, which is also an automorphism; our definition of an automorphism group can prove that f e G is an automorphism for an event structure E if and only if f satisfies the following condition: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

6.2. Quotient Model of an Event Structure. The symmetric quotient model for an event structure is a structural reduced model.

Let G be a permutation group acting on the set E and e [member of] E; then the orbit of e is the set [theta](e) = {d | [there exists]g [member of] G : f(e) = d}. From each orbit [theta](e) we pick a representative that is called rep([theta](e)). Intuitively, the quotient model can be obtained by collapsing all the events to orbits.

Definition 43 (symmetric quotient model). Let E = (E, [??], #, l) [member of] E and let G be an automorphism group on the event set E of the event structure E. The symmetric quotient model [E.sub.G] = ([E.sub.G], [[??].sub.G], [#.sub.G], [l.sub.G]) is defined as follows.

(1) The event set is [E.sub.G] = {[theta](e) | e [member of] E}, the set of orbits of the events in E.

(2) The causality relation [[??].sub.G] is given by [[??].sub.G] = {([theta]([e.sub.1]), [theta]([e.sub.2])) | ([e.sub.1], [e.sub.2]) [member of] [??]} and the inverse of [[??].sub.G] is denoted by [[??].sub.G].

(3) The conflict relation [#.sub.G] is given by [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], where [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

(4) The labelling function [l.sub.G] is given by [l.sub.G]([theta](e)) = l(rep([theta](e))).

An automorphism group G of an event structure E = (E, [??], #, l) is an invariance group for an action a [member of] Act if and only if the following condition holds: [for all]f [member of] G, e [member of] E : 1(9) = a [??] l(f([theta])) = a.

We then say that a is an invariant under G. Thus, if G is an invariance group for all actions in the action set Act of E and [E.sub.G] is the symmetric quotient model for E; we can directly have [for all][alpha] [member of] Act, 1([theta]) [??] lG([theta](e)) = Z(rep([theta](e)) = a.

From the above definition, we have that the symmetric quotient model is still a prime event structure and preserves all the causal dependence and independence relations of the original, but the conflict relations are reduced. Note that every two different events in an orbit are exactly in conflict with each other. The quotient model can preserve all the behavior of the original one.

6.3. Symmetry Reduction Algorithm. Based on previous discussion, we have Algorithm 4 for symmetry reduction. In this algorithm, replicated substructure will be removed and only one copy will be kept.

Firstly, cfp operator will be applied on a given event structure to get a set of conflict-free substructures.

Then, for any two elements of them, a checking procedure will be performed to remove the redundant one.

Finally, wee will be applied on the substructure set to get the reduced model. Detailed pseudocode description is shown in Algorithm 4.

6.4. An Example for Symmetry Reduction. In this section, an example will be discussed to demonstrate the reduction process based on Algorithm 4.

The example of a prime event structure E with five events ([e.sub.1], [e.sub.2], [e.sub.3], [e.sub.4], and [e.sub.5]) and its semantics in terms of families of configurations is given in Figures 9(1) and 9(2), respectively.

The action-labelling (action set: Act = {a, b, c, d}) function is defined as follows: l([e.sub.1]) = a, l([e.sub.2]) = b, l([e.sub.3]) = c, l([e.sub.4]) = b, and l([e.sub.5]) = d.

In this structure, we have [e.sub.3] [??] [e.sub.5], [e.sub.2]#[e.sub.4], [e.sub.3]#[e.sub.2], and [e.sub.3]#[e.sub.4]. We also have [e.sub.5]#[e.sub.2], [e.sub.5]#[e.sub.1], and [e.sub.5]#[e.sub.4] (due to conflict inheritance).

Then event set is [E.sub.G] = {[e.sub.1], [e.sub.2], [e.sub.3], [e.sub.4], [e.sub.5]} and we can construct a permutation group G on the set EG where two permutations are as follows:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (3)

Obviously, the group G is an invariance group for all actions in Act = {a, b, c, d}. We then have the orbits of events in being [theta]([e.sub.2] = [theta]([e.sub.4]) = {[e.sub.2], [e.sub.4]}, [theta]([e.sub.1]) = {[e.sub.1]}, [theta]{[e.sub.3]) = {63}, and [theta]([e.sub.5]) = {[e.sub.5]}. Thus, the symmetric quotient model can be described as shown in Figure 10.

We can get weak conflict set of the event structure E by cfp operator as follows: cfp(E) = {[E.sub.1], [E.sub.2], [E.sub.3]}, where

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (4)

Thus, we have [E.sub.1][#.sup.w][E.sub.2], [E.sub.1][#.sup.w][E.sub.3], and [E.sub.3][#.sup.w][E.sub.2] (or, [E.sub.1][#.sup.w][E.sub.2], [E.sub.1][#.sup.w][E.sub.3], and [E.sub.3][#.sup.w][E.sub.2]).

By definition, we have that [E.sub.1] and [E.sub.2] are symmetric. According to the symmetry reduction algorithm, we will remove replicated events but keep the common or representation ones. The substructure [E.sub.2] is removed. The resulted substructure set consists of two elements: [E.sub.1] and [E.sub.3], because [E.sub.1] and [E.sub.3] are weak conflict sets of E and wcc operator can be applied on them to construct a new event structure: E' = wcc([E.sub.1], [E.sub.3]). Thus, the symmetric reduced event structure can be described by Figure 11.

To illustrate the advantage for properties checking by using symmetry reduction as shown in the above example, consider the states in Figure 9, 9 states in total.

Suppose we want to check whether a property EF(p) holds or not; that is, there exists a global state that satisfies [phi]. Without symmetry reduction applied, we have to examine all global states, 9 states in total. But with symmetry reduction, as shown in Figure 11 or Figure 10 to decide whether the property holds, only 7 states should be checked and a considerable saving can be achieved.

7. Mathematical Framework

In this section, we will provide a unified mathematical framework for slicing and symmetry reduction based on cfp and wcc operators.

Firstly, we will review some basic definitions in this section. Here, we refer the reader to [14] for details. Next, we will introduce the single action transitions [3] for event structures. Finally, we will discuss the related theories for slicing and symmetric reduction and establish the unified framework.

7.1. Basic Definitions

Definition 44. For any event structure E = ([E.sub.E], [[??].sub.e], [#.sub.E], [l.sub.E]) [member of] E, define L[E] = (ConfF(E), [subset or equal to]). Especially, for any conflict-free event structure F = ([E.sub.F], [[??].sub.F], [#.sub.F], [l.sub.F]) [member of] F, define L[F] = (ConfF(F), [subset or equal to]).

In fact, L[F] is the partial order of left-closed and conflict-free subsets of [E.sub.E] ordered by set inclusion.

L[E] is the partial order of left-closed subsets of [E.sub.F] ordered by set inclusion.

Definition 45 (single action transition). Let E [member of] E. A transition X [[??].sub.E] X' is called a single action transition if and only if a e Act, X, X' [member of] ConfF(E), X [subset or equal to] X' and there exists an event e such that X' - X = e with [l.sub.E](e) = a.

Here, X [[??].sub.E] X' indicates that in the event structure the state represented by the configuration X may evolve into a state represented by the configuration by performing the action a. This transition relation associates a labelled system based on single action transitions with each event structure.

ALGORITHM 4: Symmetry reduction: sr(E).

Input: a prime event structure E;
Output: the reduced model of the event structure: [E.sub.sr];
BEGIN
(1)  C = 0; i = 1; n = 0; B = 0; B = 0;
     /* Step One: partition via cfp operator, we will get all
       maximal conflict-free sub-structure of an event
       structure * /
(2)  B = [B.sup.mcfES](E) = cfp(E);
(3)  n = mcfsetN(E);
     /* Step Two: automorphism checking for sub-structure */
(4)  for (i = 0; i [less than or equal to] n; i++) {
(5)  for (j = 0; i [less than or equal to] i; j++) {
     /* Step Two-1: get action set of each maximal
       conflict-free sub-structure from B */
(6)  [L.sub.Act]([E.sub.i]) = {a [member of] Act | [there exists]e
       [member of] [E.sub.i]: 1(e) = a}
(7)  [L.sub.Act]([E.sub.j]) = {a [member of] Act | [there exists]e
       [member of] [E.sub.j]: 1(e) = a}
     /* IsNotldentical: checking two sets are are identical or
       not */
     /* [absolute value of S]: the element amount of the set S */
     /* Step Two-2: checking their action sets are identical or
       not */
(8)  if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]
         IsNotIdentical([L.sub.Act]([E.sub.i]), [L.sub.Act]
           ([E.sub.j])) {
(9)      break;}
     /* Step Two-3: checking their causal relations are identical
       or not */
(10) if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]
     IsNotIdentical([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE
       IN ASCII]{
(11) break; }
     /* Step Two-4: checking their conflict relations are identical
       or not */
(12) if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]
         IsNotIdentiCal [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE
           IN ASCII] {
(13) break; }
     /* Step Three: automorphism exists, remove the duplicated one
       and merge for reduction */
(14)       B = B - [E.sup.max.sub.j];
(15)       n = n - 1;
(16)       } /* end for j */
(17)     } /* end for i */
(18) return [E.sub.sr] = wcc(B);
END;


Definition 46 (trace). Let E [member of] E. A word w = [a.sub.1] ... [a.sub.n] [member of] [Act.sup.*] is called trace of E if and only if [there exists][X.sub.0], ..., [X.sub.n] [member of] ConfF(E):

[X.sub.0] = 0 and [X.sub.i-1] [??] [X.sub.i], i = 1, ..., n.

Here, let Trs(E) denote the set of all traces of E.

Definition 47 (interleave trace equivalence). Let [E.sub.1], [E.sub.2] [member of] E. [E.sub.1] and [E.sub.2] are called interleave trace equivalence ([E.sub.1] [[approximately equal to].sub.it] [E.sub.2]) if and only if Trs([E.sub.1]) = Trs([E.sub.2]).

Definition 48 (interleaving bisimulation). Let [E.sub.1], [E.sub.2] [member of] E. A relation R [member of] C([E.sub.1]) x C([E.sub.2]) is called interleaving bisimulation between E1 and E2 if and only if (0,0) e R and (X, Y) e R; then

(1) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

(2) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Definition 49 (interleaving bisimulation equivalent). Let [E.sub.1], [E.sub.2] [member of] E. [E.sub.1] and [E.sub.2] are called interleaving bisimulation equivalent ([E.sub.1] [[approximately equal to].sub.ib] [E.sub.2]) if and only if there exists an interleaving bisimulation between [E.sub.1] and [E.sub.2].

7.2. Unified Framework. The unified framework for slicing and symmetry reduction we have set up can be pictured as in Figure 12.

(1) Isomorphism and Equivalence. We are concerned with the translation of concepts and ideas from one side to the other. The following theorems hold.

Theorem 50. Let F be a conflict-free event structure, F = ([E.sub.F], [[??].sub.F], 0, [l.sub.F]) [member of] F; then F [congruent to] [L[F]]. Similarly, let P = (D, [subset or equal to]) be a prime algebraic complete lattice; then P [congruent to] L[p[P]].

Theorem 51. Let E be a prime event structure, E = ([E.sub.E], [[??].sub.E], [#.sub.E], [l.sub.E]) [member of] E; then E = p[L[E]]. Similarly, let P = (D, [subset or equal to]) be a prime algebraic coherent domain; then P = L[p[P]].

Clearly, from Theorems 50 and 51, we have the following.

(1) For any prime event structure E, we have that E [congruent to] p[L[E]].

(2) Similarly, for any partial order P = (D, [subset or equal to]), P is a prime algebraic complete lattice or a finitary coherent prime algebraic domain; we have that P [congruent to] L[p[P]].

From Theorems 23, 24, and 25, we have that conflict-free event structures and prime algebraic complete lattices are equivalent; this implies that there is a one-to-one correspondence between a prime event structure and its family of configurations. Similarly, prime event structures and finitary coherent prime algebraic domains are also equivalent; one can be used to represent the other.

(2) Mutual Inverse Operation. For any prime event structure, cfp and wcc are mutually inverse operators.

We can get the full set of maximal conflict-free substructures of a prime event structure by cfp operator.

Conversely, given the full set of maximal conflict-free substructures of the prime event structure, we can recover the original prime event structure by wcc operator.

(3) Slicing Reduction. Firstly, compared with traditional computation slicing, Figure 12 demonstrates the translation between a conflict-free event structure (or its slice) and prime algebraic complete lattice. This forms the theoretical basis of computation slicing technique proposed by Garg and Mittal, Sen [7, 20].

Secondly, Figure 12 also demonstrates the translation between a prime event structure (or its slice) and finitary coherent prime algebraic domain, which serves as the theoretical basis of our event structure slicing with conflict. A pair of mutually inverse operators, cfp and wcc, act as a link between the two parts.

Thirdly, the slice of a prime event structure can be computed by the following steps:

(1) applying cfp operator to partition the original prime event structure into a full set of maximal conflict-free substructures;

(2) for each maximal conflict-free substructure, applying traditional computation slicing algorithm based on Adding Edges Theorem [7, 8, 20] over its directed graph representation to compute the slice with respect to the given predicate;

(3) applying wcc operator to compose the resulted slices in above step (2) and form a new prime event structure, while the generated event structure is the slice of the original prime event structure.

(4) Symmetry Reduction. Operators cfp and wcc can also play an important role in symmetry reduction.

Symmetry reduction of a prime event structure can be performed by the following steps:

(1) applying cfp operator to partition the original prime event structure into a full set of maximal conflict-free substructures;

(2) checking automorphism among the produced substructures and checking causal relation and action set;

(3) removing duplicated substructure and applying wcc operator to compose the resulted structure to form a newly generated prime event structure, which will be symmetry reduced prime event structure.

(5) Trace Equivalence. The relation between original event structure and its quotient model can be specified by Theorems 52 and 53 (See [3]).

Theorem 52. Let E [member of] E and [E.sub.G] be quotient structure of E; then [E.sub.G] [[approximately equal to].sub.it] E.

Theorem 53. Let E [member of] E and let [E.sub.G] be the symmetric quotient model for E. Then E [[equivalent].sub.ib] [E.sub.G].

Generally, given an event structure E, in fact, its behavior is exhibited by the labelled transition system (LTS, for short) [LTS.sub.E] = (ConfF(E), [Act.sub.E], [T.sub.E], 0}, where

(1) the configurations ConfF(E) are states;

(2) the set of labels is the set of actions [Act.sub.E];

(3) the transitions [T.sub.E] are single action transitions between every two configurations of E; namely, [T.sub.E] [subset or equal to] ConfF(E) x [Act.sub.E] x ConfF(E);

(4) the initial configuration (the empty set 0) is the initial state.

The above equivalence is based on labelled transition systems whose transitions are single action transitions. As shown in Figure 12, we construct labelled transition system for prime event structure and its quotient model, we will have that their LTSs are interleaving bisimulation and interleave trace equivalence also. Therefore, the following corollary holds.

Corollary 54. Let E [member of] E and [E.sub.G] let be the symmetric quotient model for E. If LTS = (ConfF(E), Act, [[right arrow].sub.E], 0) and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] are induced from E and [E.sub.E], respectively, then LTS [[approximately equal to].sub.it] [LTS.sub.G] and LTS [[approximately equal to].sub.ib] [LTS.sub.G] hold.

Evidently, we have the following theorems.

Theorem 55. For any E [member of] E, its symmetric quotient model [E.sub.G] and symmetric reduced model E' are isomorphism; that is, [E.sub.G] [congruent to] E'.

Proof. It is not difficult to prove it by constructing a bijection between the events and their orbits.

Theorem 56. For any E [member of] E, its symmetric reduced model E' is a substructure of E; that is, E' [??] E.

Proof. The proof is straightforward.

(6) Technique Combination. Symmetry reduction technique is orthogonal to slicing reduction and can be used in conjunction with slicing. Thus, it is easy to have the following result.

Theorem 57. For any E [member of] E, let cp be a regular predicate; then the following statements hold: sr(SHceES(E, [phi])) = wcc(mcfESslice(cfp(sr(E)), [phi])) and sr(SliceES(E, [phi])) = SliceES(sr(E), [phi]).

Proof. The proof is straightforward.

8. Conclusion

In this paper, we presented a unified mathematical framework for event structure slicing and symmetric reduction. We described the equivalent relationship between original event structure and its maximal conflict-free event substructures. We proposed two mutually inverse operators: conflict-free partition operator and weak choice composition operator. Both symmetry reduction and slicing reduction can be performed by this pair of operators. We also investigated the related properties, translations, and correspondences between event structures and domains. Essentially, slicing over event structure is a high level extension to the traditional computation slicing based on the model with conflict.

Slicing technique can make the verification of program behavior easier by reducing the size of the state space to be analyzed. Symmetry reduce is another powerful structural reduction technique that can also be applied to narrow down state space. Both quotient model and sliced model produced by reduction are often much smaller than the original model. The consequential model can be used to significantly improve the effectiveness of property verification of the original model.

In future work, on the one hand, we will extend our work to other more complicated event structure models, such as flow event structure [34] and bundle event structure [35, 36]. On the other hand, we hope to implement and test our approach on various verification tools in practice. In addition, we would like to exploit more possible applications and theories.

http://dx.doi.org/10.1155/2014/352152

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The project is supported by the Fundamental Research Funds for the Central Universities (DUT14QY05) (1600-851025). The authors would like to thank their colleagues for participating in the research. They also appreciate the anonymous reviewers for their helpful comments.

References

[1] S. Alagar and S. Venkatesan, "Techniques to tackle state explosion in global predicate detection," IEEE Transactions on Software Engineering, vol. 27, no. 8, pp. 704-714, 2001.

[2] E. M. Clarke, R. Enders, T. Filkorn, and S. Jha, "Exploiting symmetry in temporal logic model checking," Formal Methods in System Design, vol. 9, pp. 77-104, 1996.

[3] J. Jiang and J. Wu, "Symmetry and autobisimulation," in Proceedings of the 6th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT '05), pp. 866-870, IEEE Computer Society Press, December 2005.

[4] J.-Z. Wu and H. Fecher, "Symmetric structure in logic programming," Journal of Computer Science and Technology, vol. 19, no. 6, pp. 803-811, 2004.

[5] M. Weiser, Program slices: formal, psychological, and practical investigations of an automatic program abstraction method [Ph.D. thesis], University of Michigan, 1979.

[6] M. Weiser, "Programmers use slices when debugging," Communications of the ACM, vol. 25, no. 7, pp. 446-452, 1982.

[7] V. K. Garg and N. Mittal, "On slicing a distributed computation," in Proceedings of the 21st IEEE International Conference on Distributed Computing Systems (ICDCS '01), D. Harel, D. Kozen, and J. Tiuryn, Eds., Dynamic Logic, pp. 322-329, MIT Press, Phoenix, Ariz, USA, 2001.

[8] A. Sen and V. K. Garg, "Formal verification of simulation traces using computation slicing," IEEE Transactions on Computers, vol. 56, no. 4, pp. 511-527, 2007.

[9] E. Duesterwald, R. Gupta, and M. L. Soffa, "Distributed slicing and partial re-execution for distributed programs," in Proceedings of the 5th Workshop on Language and Compilers for Parallel Computing, pp. 329-337, 1992.

[10] J. W. de Bakker, W. P. de Roever, and G. Rozenberg, Eds., Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, vol. 354 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 1989.

[11] G. Winskel, "Event structures," in Petri Nets: Applications and Relationships to Other Models of Concurrency, Advances in Petri Nets 1986, Part II; Proceedings of an Advanced Course, Bad Honnef, September 1986, W. Brauer, W. Reisig, and G. Rozenberg, Eds., vol. 255 of Lecture Notes in Computer Science, pp. 325-392, Springer, Berlin, Germany, 1987.

[12] P. Madhusudan, "Model-checking trace event structures," in Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science (LICS '03), pp. 371-380, June 2003.

[13] M. Mukund and P. S. Thiagarajan, "An axiomatization of event structures," in Foundations of Software Technology and Theoretical Computer Science (Bangalore, 1989), vol. 405 of Lecture Notes in Computer Science, pp. 143-160, Springer, Berlin, Germany, 1989.

[14] R. J. van Glabbeek and U. Goltz, "Refinement of actions and equivalence notions for concurrent systems," Hildesheimer Informatik-Bericht 6/98, University of Hildesheim, 1998.

[15] H. Hermanns and M. Ribaudo, "Exploiting symmetries in stochastic process algebras," in Proceedings of the European Simulation Multiconference (ESM '98), pp. 763-770, SCS Europe, 1998.

[16] M. Nielsen, G. Plotkin, and G. Winskel, "Petri nets, event structures and domains. I," Theoretical Computer Science, vol. 13, no. 1, pp. 85-108, 1981.

[17] M. Nielsen, G. Plotkin, and G. Winskel, "Petri nets, event structures and domains. I," Theoretical Computer Science, vol. 13, no. 1, pp. 85-108, 1981.

[18] R. Loogen and U. Goltz, "Modelling nondeterministic concurrent processes with event structures," Fundamenta Informaticae, vol. 14, no. 1, pp. 39-73, 1991.

[19] A. Sen, J. Bhadra, V. K. Garg, and J. A. Abraham, "Formal verification of a system-on-chip using computation slicing," in Proceedings of the International Test Conference (ITC '04), pp. 810-819, October 2004.

[20] A. Sen, Techniques for formal verification of concurrent and distributed program traces [Ph.D. thesis], The University of Texas at Austin, Austin, Tex, USA, 2004, http://www.library. utexas.edu/etd/d/2004/senma042/senma042.pdf.

[21] E. A. Emerson and A. P. Sistla, "Symmetry and model checking," in Computer Aided Verification (Elounda, 1993), vol. 697 of Lecture Notes in Computer Science, pp. 463-478, Springer, Berlin, Germany, 1993.

[22] A. Miller, A. Donaldson, and M. Calder, "Symmetryin temporal logic model checking," ACM Computing Surveys, vol. 38, no. 3, article 8, 2006.

[23] G. Winskel, "Event structures with symmetry," in Computation, Meaning, and Logic: Articles Dedicated to Gordon Plotkin, vol. 172 of Electronic Notes in Theoretical Computer Science, pp. 611-652, Elsevier, Amsterdam, The Netherlands, 2007.

[24] X. Gao, J. Wu, R. Qiao, and J. Chen, "Theory framework for event structure slicing," in Proceedings of the 13th IEEE Symposium on Computers and Communications (ISCC '08), pp. 714-721, IEEE, Marrakech, Morocco, July 2008.

[25] G. Winskel, "An introduction to event structures," in Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency (Noordwijkerhout, 1988), J. W. de Bakker, W. P. de Roever, and G. Rozenberg, Eds., vol. 354 of Lecture Notes in Computer Science, pp. 364-397, Springer, Berlin, Germany, 1989.

[26] G. Winskel, "An introduction to event structures," in Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency (Noordwijkerhout, 1988), vol. 354 of Lecture Notes in Computer Science, pp. 364-397, Springer, Berlin, Germany, 1989.

[27] G. Winskel and M. Nielsen, "Models for concurrency," in Handbook of Logic in Computer Science, vol. 4, pp. 1-148, Oxford University Press, New York, NY, USA, 1995.

[28] N. Mittal and V K. Garg, "On detecting global predicates in distributed computations," in Proceedings of the 21st IEEE International Conference on Distributed Computing Systems, pp. 3-10, Phoenix, Ariz, USA, April 2001.

[29] V. K. Garg, "Algorithmic combinatorics based on slicing posets," Theoretical Computer Science, vol. 359, no. 1-3, pp. 200-213, 2006.

[30] E. M. Clarke, E. A. Emerson, and A. P. Sistla, "Automatic verification of finite state concurrent systems using temporal logic," ACM Transactions on ProgrammingLanguages and Systems, vol. 8, no. 2, pp. 244-263, 1986.

[31] B. A. Davey and H. A. Priestley, Introduction to Lattices and Order, Cambridge Mathematical Textbooks, Cambridge University Press, Cambridge, UK, 1990.

[32] A. Sen and V. K. Garg, "Detecting temporal logic predicates in distributed programs using computation slicing," in Proceedings of the 7th International Conference on Principles of Distributed Systems (OPODIS '03), December 2003.

[33] N. Mittal, A. Sen, V. K. Garg, and R. Atreya, "Finding satisfying global states: all for one and one for all," in Proceedings of the 18th International Parallel and Distributed Processing Symposium (IPDPS '04), Santa Fe, NM, USA, April 2004.

[34] G. Boudol, "Flow event structures and flow nets," in Semantics of Systems of Concurrent Processes (La Roche Posay, 1990), vol. 469 of Lecture Notes in Computer Science, pp. 62-95, Springer, Berlin, Germany, 1990.

[35] H. Fecher, M. Majster-Cederbaum, and J. Wu, "Bundle event structures: a revised cpo approach," Information Processing Letters, vol. 83, no. 1, pp. 7-12, 2002.

[36] R. Langerak, "Bundle event structures: a non-interleaving semantics for LOTOS," in Formal Description Techniques V, M. Diaz and R. Groz, Eds., pp. 331-346, 1992.

Xinyan Gao, (1) Yingcai Ding, (1) Wenbo Liu, (1) Kaidi Zheng, (1) Siyu Huang, (1) Ning Zhou, (2,3) and Dakui Li (1)

(1) G&S Labs, School of Software, Dalian University of Technology, Dalian 116620, China

(2) School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070, China

(3) School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China

Correspondence should be addressed to Dakui Li; ldk@dlut.edu.cn

Received 28 January 2014; Accepted 27 April 2014; Published 12 June 2014

Academic Editor: Xiaoyu Song
COPYRIGHT 2014 Hindawi Limited
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Research Article
Author:Gao, Xinyan; Ding, Yingcai; Liu, Wenbo; Zheng, Kaidi; Huang, Siyu; Zhou, Ning; Li, Dakui
Publication:Journal of Applied Mathematics
Article Type:Report
Date:Jan 1, 2014
Words:16691
Previous Article:An extended cellular automaton model for train traffic flow on the dedicated passenger lines.
Next Article:Detecting runoff variation of the mainstream in Weihe River.
Topics:

Terms of use | Privacy policy | Copyright © 2020 Farlex, Inc. | Feedback | For webmasters