Compact and efficiently verifiable models for concurrent systems by Ponce de León H & Mokhov A

This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Newcastle University ePrints - eprint.ncl.ac.uk

Ponce de León H, Mokhov A. Compact and efficiently verifiable models for concurrent systems. Formal Methods in System Design 2018. DOI: 10.1007/s10703-018-0316-0

Copyright: The final publication is available at Springer via https://doi.org/10.1007/s10703-018-0316-0
Date deposited: 08/10/2017
Embargo release date: 19 February 2019
Formal Methods in System Design manuscript
Compact and Efficiently Verifiable Models for Concurrent Systems
Hernán Ponce-de-León · Andrey Mokhov
Received: date / Accepted: date
Abstract Partial orders are a fundamental mathematical structure capable of representing concurrency and causality on a set of atomic events. In many applications it is essential to consider multiple partial orders, each representing a particular behavioral scenario or an operating mode of a system. With the exploding growth of the complexity of systems that software and hardware engineers design today, it is no longer feasible to represent each partial order of a large system explicitly, therefore compressed representations of sets of partial orders become essential for improving the scalability of design automation tools. In this paper we study two well-known mathematical formalisms capable of the compressed representation of sets of partial orders: Labeled Event Structures and Conditional Partial Order Graphs. We discuss their advantages and disadvantages and propose efficient algorithms for transforming a set of partial orders from a given compressed representation in one formalism into an equivalent representation in another formalism without the explicit enumeration of each partial order. The proposed algorithms make use of an intermediate mathematical formalism which we call Conditional Labeled Event Structures and which combines the advantages of both structures. Finally, we compare these structures on a number of benchmarks coming from concurrent software and hardware domains.
Keywords Concurrency · Graph transformation · Partial orders · Event structures
1 Introduction
Concurrent systems, which comprise multiple components that can operate and interact simultaneously, are notoriously difficult to design, control and reason about.
Hernán Ponce-de-León
Aalto University, Department of Computer Science, P.O. Box 15400, FI-00076 Aalto, Finland
Tel.: +358 (0) 50 911 8088
E-mail: hernan.poncedeleon@aalto.fi
Andrey Mokhov
School of Electrical and Electronic Engineering, Merz Court, Newcastle University, Newcastle upon Tyne, NE1 7RU, UK
Tel.: +44 (0) 191 208 7727 Fax: +44 (0) 191 208 8180
E-mail: andrey.mokhov@ncl.ac.uk
[Figure omitted] Fig. 1: Executions of a multithreaded program represented as partial orders.
The complexity of concurrent systems grows exponentially with the number of constituent components and a lot of research effort is currently being invested in finding new methods for conquering the complexity by both industry and academia. The potential impact of this research is truly ubiquitous since concurrent systems are everywhere around, inside and above us: from common electronic gadgets like mobile phones, to biological and biomedical systems, to planetary exploration robots. Our society's sustainability is increasingly dependent on concurrent systems and the goal of concurrency theory is to lay foundations for the design of correct and efficient concurrent systems.

Partial orders – the protagonists of this paper – play a fundamental role in concurrency theory. The concept has a very simple definition: a partial order is a reflexive, antisymmetric and transitive relation ≤ on a set of elements S. Two distinct elements a, b ∈ S can be either ordered (a ≤ b or b ≤ a) or concurrent (a ≰ b and b ≰ a). Partial orders arise in numerous application areas such as model checking, analysis of concurrent programs and VLSI design, to name but a few. In this paper we do not focus on a particular application area; however, we use examples and benchmarks where partial orders represent possible execution paths of multithreaded programs and concurrent activations of hardware components in a microprocessor.

Consider a multithreaded program where different threads access some shared variables; direct representation of all its possible execution paths is infeasible even for very small programs due to the well-known state space explosion problem [24]. If one intends, for example, to detect errors such as assertion violations or deadlocks, it is sufficient to analyse only one representative for each Mazurkiewicz trace [6], whereby the independence between some instructions is taken into account (e.g., two concurrent read instructions accessing the same shared variable). Each execution path can therefore be represented as a partial order. Consider the following program with three threads accessing a shared variable a:

    int a = 1;
    Thread 1:       Thread 2:    Thread 3:
    local b = a;    a = 5;       local c = a;

The values of the local variables b and c depend on whether Thread 1 and Thread 3 are executed before or after Thread 2 modifies the value of the shared variable. The three instructions can be executed in six different orders; however, since consecutive reads of the same variable do not alter the final values of the local variables, they can be considered independent, thereby reducing the number of possible executions to four. These executions are represented by the partial orders in Fig. 1.
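As an added illustration of the reduction just described (this code is not part of the paper), the following Python enumerates the six interleavings of the three instructions, keeps only the order between dependent instructions (a write and any other access to the same variable; two reads of the same variable commute) and collapses the result to the four partial orders of Fig. 1. The instruction table with its read and write sets is constructed here, and the final values of b and c recovered from each partial order are the labels Fig. 1 uses.

```python
from itertools import permutations

# Constructed input: the three-thread program from the text, one instruction
# per thread, mapped to (variables read, variables written).
INSTRUCTIONS = {
    "b := a": ({"a"}, {"b"}),   # Thread 1 reads the shared variable a
    "a := 5": (set(), {"a"}),   # Thread 2 writes the shared variable a
    "c := a": ({"a"}, {"c"}),   # Thread 3 reads the shared variable a
}

def dependent(i, j):
    """Two instructions are dependent iff one of them writes a variable that
    the other one reads or writes; two reads of the same variable commute."""
    ri, wi = INSTRUCTIONS[i]
    rj, wj = INSTRUCTIONS[j]
    return bool(wi & (rj | wj)) or bool(wj & (ri | wi))

def partial_order(interleaving):
    """The Mazurkiewicz trace of one interleaving as a partial order: an
    instruction precedes another iff a chain of dependent instructions leads
    from the first to the second in the interleaving (transitively closed)."""
    before = {}   # instruction -> set of all instructions ordered before it
    for q, j in enumerate(interleaving):
        before[j] = set()
        for i in interleaving[:q]:
            if dependent(i, j):
                before[j] |= {i} | before[i]
    return frozenset((i, j) for j, preds in before.items() for i in preds)

def distinct_partial_orders(instructions):
    """All interleavings, collapsed to the distinct partial orders they induce."""
    return {partial_order(perm) for perm in permutations(instructions)}

def local_values(order):
    """Final values of b and c under a partial order: a read ordered after the
    write a := 5 observes 5, a read ordered before it observes the initial 1."""
    return {name: 5 if ("a := 5", read) in order else 1
            for name, read in (("b", "b := a"), ("c", "c := a"))}

if __name__ == "__main__":
    orders = distinct_partial_orders(list(INSTRUCTIONS))
    print(len(list(permutations(INSTRUCTIONS))), "interleavings,",
          len(orders), "partial orders")
    for order in orders:
        print(sorted(order), "->", local_values(order))
```

The four results are exactly the scenarios of Fig. 1: both reads after the write (b = 5, c = 5), both before it (b = 1, c = 1), and the two mixed cases.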
A partial order can capture a single Mazurkiewicz trace of a concurrent system; however, real-life systems rarely consist of only one such trace. Modern concurrent programs targeted for many-core hardware platforms often exhibit millions of different possible executions that can be represented as partial orders defined on a set of instructions the program may perform. How do we represent all of those partial orders? One can, of course, simply list them explicitly as we just did in Fig. 1, but this is clearly not a scalable solution – 6.6 trillion different partial orders can be defined on just 10 actions! This motivated computer scientists to search for compact representations for families of partial orders. Petri Nets [7] and numerous process algebras [12] provide the most compact representations; however, their compactness comes at the price of high computational complexity of the associated problems. Almost any interesting question¹ about a Petri Net is at least PSPACE-hard [7].

Petri Net unfoldings [11] and later more condensed merged processes [10] were introduced to address this issue: they are less compact but the associated questions are ‘merely’ NP-complete and hence can be efficiently resolved in practice by modern SAT-solvers. The advances in Boolean satisfiability (SAT) solving technology have made it possible to handle concurrent systems of real-life size, thereby motivating the continued research focus on models whose properties are NP-complete. For example, Petri Net unfoldings and event structures have recently been employed as a compact representation for execution paths of multithreaded programs to apply partial order reduction techniques [9,21].

In this paper we study two mathematical formalisms that compactly represent sets of partial orders² while still allowing efficient verification techniques: Labeled Event Structures (LESs) and Conditional Partial Order Graphs (CPOGs). We introduce the formalisms in Sections 2.1 and 2.2 respectively and show how to synthesize them from sets of partial orders. We also demonstrate that both formalisms are compositional, that is, one can combine compressed sets of partial orders into bigger sets without uncompressing them. Even though these formalisms are not the most compact ones to represent concurrent behaviors (as mentioned above, Petri nets or process algebras are more compact in general), they are supported by a rich collection of theoretical and software automation tools, making them convenient for the representation and verification of concurrent systems.

The two formalisms are significantly different from each other, hence one cannot directly use them together: conversion from one formalism to another without an intermediate uncompression step is non-trivial. As will be demonstrated in Section 4, different formalisms may be preferable in different application domains. For example, LESs can typically be obtained from Petri Net specifications via unfolding or from concurrent programs as explained in [9,21]. CPOGs naturally come from hardware specifications and implementations, where partial orders are pre-encoded with Boolean vectors (low-level signals, instruction opcodes, etc.).

There are several algorithms and tools that allow one to reason about either LESs or CPOGs, each of them having advantages due to the properties of a particular formalism (e.g. the acyclicity of LESs). In order to allow the end user to exploit the trade-off between their compactness and efficiency, we believe that it is crucial to have efficient transformation algorithms that allow one to go from one representation of partial orders to another, thereby integrating them into multi-formalism design automation tools such as Workcraft [1,18]. For example, to translate a given CPOG to a Petri net, one can first convert the CPOG into a LES using the algorithm presented in this paper and then apply an existing transformation algorithm from LESs to Petri nets, e.g. from [20].

We present two direct transformation algorithms (Section 5) for converting compressed sets of partial orders from LESs to CPOGs and from CPOGs to LESs without an intermediate uncompression. The presented transformations reveal the superior expressive power of CPOGs as well as the cost of this expressive power: CPOGs are often more demanding from the algorithmic complexity point of view. The proposed algorithms make use of a new mathematical formalism called Conditional Labeled Event Structures (CLESs) that combines the advantages of LESs and CPOGs. The CLES formalism makes it possible to directly combine sets of partial orders represented in LESs and CPOGs, thereby improving their interoperability and compositionality.

This paper extends our previous work [19]; the new contributions are: (i) a synthesis algorithm for LESs given a set of partial orders; (ii) a merging algorithm to reduce the complexity of a LES while preserving the partial orders it represents; (iii) complete proofs of the correctness, optimality and compositionality results of the transformation algorithms; (iv) optimization techniques for one of the transformation algorithms; (v) experimental evaluation of the presented algorithms on a realistic set of examples including benchmarks coming from the domains of multithreaded programming and microprocessor design.

¹ Examples of interesting questions about a concurrent system are: Can the system reach this dangerous state? Will it work indefinitely or eventually terminate? Are these two systems equivalent?
² We call a representation ‘compact’ when it does not list all partial orders explicitly.
2 Preliminaries
This section introduces two well-known formalisms that represent partial orders: Labeled Event Structures and Conditional Partial Order Graphs.

2.1 Labeled Event Structures
Event Structures³ [17] can be seen as a generalization of trees where each branch is a partial order. They represent multiple scenarios of a concurrent system by means of so-called configurations. We study their widely-used extension, called Labeled Event Structures, whose events are labeled with actions from a fixed alphabet L.
Definition 1 A labeled event structure over alphabet L is a tuple E = (E, ≤, #, λ) where E is a set of events; ≤ ⊆ E × E is a partial order (called causality) satisfying the property of finite causes, i.e. ∀e ∈ E : |{e′ ∈ E | e′ ≤ e}| < ∞; # ⊆ E × E is an irreflexive symmetric relation (called conflict) satisfying the property of conflict heredity, i.e. ∀e, e′, e′′ ∈ E : e # e′ ∧ e′ ≤ e′′ ⇒ e # e′′; and λ : E → L is a labeling function.
Notice that in most cases one only needs to consider reduced versions of the relations ≤ and #, which we will denote ≤r and #r, respectively. Formally, ≤r, which we call direct causality, is the transitive reduction of ≤, and #r, which we call direct conflict, is the smallest relation inducing # through the property of conflict heredity. In practice |≤r| and |#r| are often a lot smaller than |≤| and |#|; however, in the worst case |≤r| = Θ(|≤|) and |#r| = Θ(|#|), therefore the speed-up gained by using the reduced relations does not affect the worst-case performance of the presented algorithms.

³ In this article we restrict ourselves to prime event structures.

[Figure omitted] Fig. 2: A Labeled Event Structure and its maximal configurations.
A configuration is a computation state of a LES. It is represented by a set of events that have occurred in the computation. If an event is present in a configuration, then so must be all the events on which it causally depends. Moreover, a configuration does not contain conflicting events.

Definition 2 A configuration of a LES E = (E, ≤, #, λ) is a set C ⊆ E that is causally closed, i.e. e ∈ C ⇒ ∀e′ ≤ e : e′ ∈ C, and conflict-free, i.e. e ∈ C and e # e′ imply e′ ∉ C. The set of maximal (w.r.t. set inclusion) configurations of E is denoted by Ω(E).

In this paper we only deal with LESs whose configurations do not contain two events with the same label. With such a restriction one can associate to every configuration C a partial order whose elements are λ(C) (where λ is lifted to sets) and whose causality is inherited from ≤. We will denote such a partial order as π(C) and lift π to sets of configurations. Since configurations together with the causality relation (restricted to those events) form partial orders, one can consider a LES E as a compressed representation of the set of partial orders induced by the maximal configurations Ω(E). The local configuration [e] of an event e is the set of events on which it causally depends, i.e. [e] ≜ {e′ ∈ E | e′ ≤ e}.

Fig. 2 shows an example of a LES defined over the alphabet {a := 5, b := 1, b := 5, c := 1, c := 5} and representing the partial orders of Fig. 1. This LES contains four maximal configurations C1-C4. Notice that throughout this paper we only show direct causality (by arrows) and direct conflicts (by dashed lines) on diagrams for clarity: events that belong to different configurations C1-C4 are all in conflict pairwise, and showing all these conflicts would make the diagram unreadable. An alert reader may notice that not much compression is achieved by the LES shown in Fig. 2. Indeed, this can be significantly improved as discussed below.
Algorithm 1 LES optimization
Require: E = (E, ≤, #, λ)
Ensure: E′ such that π(Ω(E)) = π(Ω(E′))
1: while ∃e1, e2 ∈ E : e1 # e2 ∧ λ(e1) = λ(e2) ∧ [e1] = [e2] do
2:   E = E \ {e1, e2} ∪ {e} for a fresh event e ∉ E
3:   λ(e) = λ(e1)
4:   for e′ ∈ E do
5:     if e′ ≤ e1 ∨ e′ ≤ e2 then
6:       set e′ ≤ e   (e inherits the past of the merged events)
7:     if e1 ≤ e′ ∨ e2 ≤ e′ then
8:       set e ≤ e′   (e inherits the future of the merged events)
9:     if e′ # e1 ∧ e′ # e2 then
10:      set e # e′   (only conflicts shared by both merged events survive)
11: return E = (E, ≤, #, λ)
Synthesis and Optimization of LESs. Given a set of partial orders, the objective is to synthesize a compact LES that represents them. The idea behind the synthesis approach presented below is to start by putting the events of each partial order in conflict as shown in Fig. 2, and then to compress the LES by merging events with the same label that also have the same local configuration – see Algorithm 1.

Remark 1 Merging events as described above may lead to a situation in which a previously maximal configuration ceases to be maximal. For example, if we start with two partial orders po1 = ({a}, ∅) and po2 = ({a, b}, {a ≤ b}), each represented by a corresponding maximal configuration, and then merge the events labeled a, then configuration {a} ceases to be maximal, being superseded by configuration {a, b}, thereby leading to the removal of po1 from the set of partial orders. To avoid this we add a maximal event ⊤ to each partial order: po′1 = ({a, ⊤}, {a ≤ ⊤}) and po′2 = ({a, b, ⊤}, {a ≤ b, a ≤ ⊤, b ≤ ⊤}). Now configuration {a, ⊤} will remain maximal because the events labeled by ⊤ will never get merged since they have different local configurations. In the rest of the paper we assume all partial orders to be augmented with ⊤, which we will usually omit in the diagrams.

Fig. 3 illustrates the application of Algorithm 1 to the LES from Fig. 2. One can see that the compressed LESs at each step are smaller. In fact, the resulting LES is the smallest that can represent this set of partial orders.

The way events are merged in Algorithm 1 can be seen as defining equivalence classes between events (two events are equivalent if they have the same past and the same label) and generating an event structure with one event per equivalence class. Two classes are related by causality if there is at least one representative event in each equivalence class for which the relation holds; two classes are related by conflict if there are representatives of both classes for which the relation holds. Algorithm 1 is correct in the sense that the resulting LES represents the same set of partial orders as the original LES.
Theorem 1 Let E and E′ be the input and output event structures of Algorithm 1, respectively; then π(Ω(E)) = π(Ω(E′)).

Proof As explained above, our algorithm defines an equivalence relation between events with the same past and the same label, and equivalent events are merged. It has been shown in [3] that the maximal configurations of the event structure having such equivalence classes as events coincide with the original set of partial orders when one assumes that each partial order has a maximal ⊤ event. □

[Figure omitted] Fig. 3: Compressing a LES by merging events (E1 is the LES of Fig. 2; E2 is E1 after merging b := 1; E3 is E2 after merging c := 1).
One can use the same approach for combining two sets of partial orders S1 and S2 represented by LESs. This is done by putting the events of both LESs in conflict and compressing the result with Algorithm 1. The resulting LES represents the partial orders in S1 ∪ S2 (duplicates are removed automatically). Notice that it is not required to uncompress the set of partial orders, hence we argue that LESs have good compositionality.
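Added example, not the paper's code: a Python implementation of the naive synthesis of a LES from a set of partial orders (events of different partial orders pairwise in conflict, as in Fig. 2), of Algorithm 1, and of the check π(Ω(E)) = π(Ω(E′)) by enumerating maximal configurations. It assumes integer events, reads "same local configuration" as "same set of strictly smaller events", adds ⊤ above every partial order as in Remark 1, and takes as constructed input the four partial orders of Fig. 1. Combining two sets S1 and S2 as in the preceding paragraph is the same computation applied to S1 ∪ S2.

```python
from itertools import combinations

TOP = "⊤"  # maximal event added above every partial order (Remark 1)

class LES:
    """Labeled event structure over integer events. `causes[e]` is the full set
    of events strictly below e; `conflict` holds unordered pairs of the full
    (hereditary) conflict relation."""
    def __init__(self):
        self.label, self.causes, self.conflict, self._next = {}, {}, set(), 0

    def add_event(self, label, causes=()):
        e, self._next = self._next, self._next + 1
        self.label[e], self.causes[e] = label, set(causes)
        return e

    def in_conflict(self, e1, e2):
        return frozenset((e1, e2)) in self.conflict

def transitive_closure(pairs):
    closed, changed = set(pairs), True
    while changed:
        changed = False
        for a, b in list(closed):
            for c, d in list(closed):
                if b == c and (a, d) not in closed:
                    closed.add((a, d))
                    changed = True
    return closed

def synthesize(partial_orders):
    """Naive LES as in Fig. 2: one block of events per partial order, events of
    different blocks pairwise in conflict. A partial order is (labels, pairs)
    with (a, b) meaning a ≤ b; the pairs need not be transitively closed."""
    les, blocks = LES(), []
    for labels, pairs in partial_orders:
        events = {l: les.add_event(l) for l in set(labels) | {TOP}}
        for a, b in transitive_closure(set(pairs) | {(l, TOP) for l in labels}):
            les.causes[events[b]].add(events[a])
        blocks.append(list(events.values()))
    for b1, b2 in combinations(blocks, 2):
        les.conflict |= {frozenset((e1, e2)) for e1 in b1 for e2 in b2}
    return les

def merge_events(les):
    """Algorithm 1: while two conflicting events share label and past, replace
    them by one fresh event inheriting their past, their future and only the
    conflicts both of them had."""
    while True:
        pair = next(((e1, e2) for e1, e2 in combinations(sorted(les.label), 2)
                     if les.in_conflict(e1, e2) and les.label[e1] == les.label[e2]
                     and les.causes[e1] == les.causes[e2]), None)
        if pair is None:
            return les
        e1, e2 = pair
        e = les.add_event(les.label[e1], les.causes[e1])
        for other in list(les.label):
            if other == e:
                continue
            if e1 in les.causes[other] or e2 in les.causes[other]:
                les.causes[other] -= {e1, e2}   # e takes over the future of e1, e2
                les.causes[other].add(e)
            if les.in_conflict(other, e1) and les.in_conflict(other, e2):
                les.conflict.add(frozenset((e, other)))
        for old in (e1, e2):
            del les.label[old], les.causes[old]
            les.conflict = {c for c in les.conflict if old not in c}

def maximal_configurations(les):
    """Ω(E): grow configurations by enabled events until none can be added."""
    maximal, seen, stack = set(), set(), [frozenset()]
    while stack:
        conf = stack.pop()
        if conf in seen:
            continue
        seen.add(conf)
        enabled = [e for e in les.label if e not in conf and les.causes[e] <= conf
                   and not any(les.in_conflict(e, c) for c in conf)]
        if not enabled:
            maximal.add(conf)
        stack.extend(conf | {e} for e in enabled)
    return maximal

def partial_orders_of(les):
    """π(Ω(E)): every maximal configuration as (labels, ordered label pairs)."""
    return {(frozenset(les.label[e] for e in conf),
             frozenset((les.label[c], les.label[e]) for e in conf for c in les.causes[e]))
            for conf in maximal_configurations(les)}

# Constructed input: the four partial orders of Fig. 1.
FIG1 = [
    ({"a:=5", "b:=5", "c:=5"}, {("a:=5", "b:=5"), ("a:=5", "c:=5")}),
    ({"b:=1", "a:=5", "c:=5"}, {("b:=1", "a:=5"), ("a:=5", "c:=5")}),
    ({"c:=1", "a:=5", "b:=5"}, {("c:=1", "a:=5"), ("a:=5", "b:=5")}),
    ({"b:=1", "c:=1", "a:=5"}, {("b:=1", "a:=5"), ("c:=1", "a:=5")}),
]

if __name__ == "__main__":
    naive = synthesize(FIG1)
    before = partial_orders_of(naive)
    compact = merge_events(naive)
    print(len(compact.label), "events; same partial orders:",
          partial_orders_of(compact) == before)
```

On the Fig. 1 input the naive LES has 16 events (12 plus four ⊤); merging leaves the ten labeled events of E3 in Fig. 3 plus the four ⊤ events, which never merge because their pasts differ, and the set of partial orders is unchanged.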
2.2 Conditional Partial Order Graphs
Conditional Partial Order Graphs [16] were introduced for the compact specification of concurrent systems comprising multiple behavioral scenarios.

Definition 3 A Conditional Partial Order Graph is a tuple H = (V, A, X, φ, ρ), where V is a set of vertices, A is a set of arcs between them, and X is a set of Boolean variables. An opcode is an assignment (x1, x2, . . . , x|X|) ∈ {0, 1}^|X| of these variables; X can be assigned only those opcodes which satisfy the restriction function ρ of the graph, i.e., ρ(x1, x2, . . . , x|X|) = 1. Function φ assigns a Boolean condition φz to every vertex and arc z ∈ V ⊎ A of the graph.
[Figure omitted] Fig. 4: Conditional Partial Order Graph and the corresponding set of partial orders (projections: x = 0, y = 0 gives a := 5, b := 1, c := 1; x = 1, y = 0 gives a := 5, b := 5, c := 1; x = 0, y = 1 gives a := 5, b := 1, c := 5; x = 1, y = 1 gives a := 5, b := 5, c := 5).
Fig. 4 (top) shows an example of a CPOG which contains |V| = 5 vertices and |A| = 4 arcs; there are two variables x and y; the restriction function is ρ = 1, hence all four opcodes x, y ∈ {0, 1} are allowed. Vertices and arcs labeled by 1 are called unconditional (conditions equal to 1 are not depicted in the graph); conditions are shown next to vertices and are highlighted in blue.

The purpose of vertex and arc conditions is to ‘switch off’ some vertices and/or arcs in the graph according to the given opcode. This makes CPOGs capable of containing multiple projections as shown in Fig. 4. If we keep in the graph only those vertices and arcs whose conditions evaluate to Boolean 1 after substitution of the operational variables x and y with Boolean 0, vertices b := 5 and c := 5 disappear. The arcs a := 5 → b := 5 and a := 5 → c := 5 also disappear because some of their vertices are not part of the remaining graph. Each projection is treated as a partial order specifying a behavioral scenario of a modeled system. Potentially, a CPOG H = (V, A, X, φ, ρ) can specify an exponential number of different partial orders on vertices V according to 2^|X| possible opcodes.

We will use notation H|ψ to denote a projection of a CPOG H under opcode ψ = (x1, x2, . . . , x|X|). A projection H|ψ is called valid if opcode ψ is allowed by the restriction function, i.e. ρ(x1, x2, . . . , x|X|) = 1, and the resulting graph is acyclic. The latter requirement guarantees that the graph defines a partial order. A CPOG H is well-formed if every allowed opcode produces a valid projection. The graph H in Fig. 4 is well-formed, because H|x,y=0, H|x=0,y=1, H|x=1,y=0 and H|x,y=1 are valid. A well-formed graph H defines a set of partial orders P(H).
[Figure omitted] Fig. 5: A LES and a CPOG representing the same scenarios (in the CPOG, φb = φc = φd = x ∨ y and φe = x ∧ y).
CPOGs have good compositionality: two given graphs H1 = (V1, A1, X1, ρ1, φ1) and H2 = (V2, A2, X2, ρ2, φ2) can be combined using the sum in the algebra of graphs [15] into H = (V1 ∪ V2, A1 ∪ A2, X1 ∪ X2, ρ1 + ρ2, φ), where the conditions are defined as ∀z ∈ V1 ∪ V2 ∪ A1 ∪ A2 : φz ≜ ρ1φ1z + ρ2φ2z. The result contains the union of the sets of partial orders defined by H1 and H2, i.e. P(H) = P(H1) ∪ P(H2). For further details, see [14].
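Added example, not the paper's code, covering projection, validity and well-formedness from the preceding paragraphs as well as the sum of two CPOGs from this one. Conditions are Python predicates over an opcode (a dict from variable to Boolean); the CPOG of Fig. 4 is reconstructed from the text as constructed input, and an element absent from one summand is taken to have condition 0 in that summand, which is our reading of φz ≜ ρ1φ1z + ρ2φ2z.

```python
from itertools import product

ONE = lambda op: True  # the unconditional label 1

class CPOG:
    """H = (V, A, X, φ, ρ) with φ and ρ given as predicates over an opcode."""
    def __init__(self, variables, vertices, arcs, restriction=ONE):
        self.X = set(variables)
        self.V = dict(vertices)   # vertex -> condition
        self.A = dict(arcs)       # (source, target) -> condition
        self.rho = restriction

    def opcodes(self):
        """All assignments of X allowed by the restriction function ρ."""
        names = sorted(self.X)
        for bits in product((False, True), repeat=len(names)):
            op = dict(zip(names, bits))
            if self.rho(op):
                yield op

    def project(self, op):
        """H|ψ: keep vertices whose condition holds and arcs whose condition
        holds and whose both endpoints survived."""
        V = {v for v, cond in self.V.items() if cond(op)}
        A = {(u, v) for (u, v), cond in self.A.items() if cond(op) and u in V and v in V}
        return V, A

def is_acyclic(V, A):
    """Kahn's algorithm: a graph is acyclic iff every vertex can be peeled off."""
    indegree = {v: 0 for v in V}
    for _, v in A:
        indegree[v] += 1
    ready, removed = [v for v in V if indegree[v] == 0], 0
    while ready:
        u = ready.pop()
        removed += 1
        for s, t in A:
            if s == u:
                indegree[t] -= 1
                if indegree[t] == 0:
                    ready.append(t)
    return removed == len(V)

def transitive_closure(pairs):
    closed, changed = set(pairs), True
    while changed:
        changed = False
        for a, b in list(closed):
            for c, d in list(closed):
                if b == c and (a, d) not in closed:
                    closed.add((a, d))
                    changed = True
    return closed

def is_well_formed(h):
    """Every allowed opcode must give an acyclic projection."""
    return all(is_acyclic(*h.project(op)) for op in h.opcodes())

def partial_orders(h):
    """P(H): the partial order (vertices, closed order) of every valid projection."""
    if not is_well_formed(h):
        raise ValueError("some allowed opcode yields a cyclic projection")
    return {(frozenset(V), frozenset(transitive_closure(A)))
            for V, A in (h.project(op) for op in h.opcodes())}

def compose(h1, h2):
    """Sum of two CPOGs: ρ = ρ1 + ρ2 and φz = ρ1·φ1z + ρ2·φ2z, with an element
    missing from one summand treated as having condition 0 there (assumption)."""
    def summed(c1, c2):
        return lambda op: ((h1.rho(op) and c1 is not None and c1(op)) or
                           (h2.rho(op) and c2 is not None and c2(op)))
    vertices = {v: summed(h1.V.get(v), h2.V.get(v)) for v in set(h1.V) | set(h2.V)}
    arcs = {a: summed(h1.A.get(a), h2.A.get(a)) for a in set(h1.A) | set(h2.A)}
    return CPOG(h1.X | h2.X, vertices, arcs, lambda op: h1.rho(op) or h2.rho(op))

# The CPOG of Fig. 4 as described in the text (constructed input): b := 1 and
# c := 1 are conditioned on ¬x and ¬y, b := 5 and c := 5 on x and y, the rest is 1.
FIG4 = CPOG(
    variables={"x", "y"},
    vertices={"a:=5": ONE,
              "b:=1": lambda op: not op["x"], "b:=5": lambda op: op["x"],
              "c:=1": lambda op: not op["y"], "c:=5": lambda op: op["y"]},
    arcs={("a:=5", "b:=5"): ONE, ("a:=5", "c:=5"): ONE,
          ("b:=1", "a:=5"): ONE, ("c:=1", "a:=5"): ONE},
)

if __name__ == "__main__":
    print("well-formed:", is_well_formed(FIG4))
    for V, A in sorted(partial_orders(FIG4), key=lambda p: sorted(p[0])):
        print(sorted(V), sorted(A))
```

A graph with a cycle under some allowed opcode (two unconditional arcs p → q and q → p, say) fails `is_well_formed`, and `partial_orders` refuses it rather than returning a set that contains a non-order.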
Complexity. The original definition of CPOG complexity [16] is simply the total count of literals used in all the conditions: Σ_{e ∈ V ⊎ A} |φe|, where |φ| denotes the count of literals in condition φ, e.g., |x ∧ y| = 2 and |1| = 0. The complexity of the CPOG shown in Fig. 5 is thus equal to 12 according to this definition. We argue that this definition is not very useful in practice, because it does not take into account the fact that some of the conditions coincide and can therefore be shared. Intuitively, since φb = φc = φd = x ∨ y we can compute the condition x ∨ y only once and reuse the result three times. Furthermore, one can notice that the conditions φb = x ∨ y and φe = x ∧ y are not very different from each other; in fact φb = ¬φe, therefore having computed φe we can efficiently compute φb by a single inversion operation. In Section 4 we introduce an improved measure of complexity (based on Boolean circuits) which is free from the above shortcomings. The new complexity measure more adequately reflects how CPOG conditions are used in practice: in hardware design, CPOG conditions are eventually synthesised into circuits that share intermediate terms; in software, CPOG conditions are represented either by using Binary Decision Diagrams or by encoding them into a CNF Boolean formula, both of which also permit sharing of intermediate terms [25].
3 Enriched and Conditional LES
A LES can represent several partial orders by means of its maximal configurations. CPOGs provide an additional mapping between partial orders and the corresponding opcodes, that is, given an opcode ψ satisfying the restriction function of a well-formed CPOG H, one can obtain the corresponding partial order as the projection H|ψ. In order to compare LESs with CPOGs we therefore need to enrich the definition of a LES with additional information.
[Figure omitted] Fig. 6: An ELES and its conflict solvers, with L = [(e1, e5), (e1, e7), (e2, e3), (e2, e7), (e3, e7), (e5, e7)] and V = {0000−−, 001−0−, 1−00−0, −1−111}; the panels show the scenarios for x = 0, y = 1; x = 1, y = 0; x = 1, y = 1; and x = 0, y = 0.
3.1 Enriched Labeled Event Structures
Partial orders are represented by the maximal configurations of a LES; therefore, in order to extract a partial order from it, one needs to resolve conflicts in a certain way. We enrich LESs with a total order on the conflicts and restrict the way conflicts can be resolved, leading to Enriched Labeled Event Structures.

Definition 4 An Enriched Labeled Event Structure (ELES) over an alphabet L is a tuple E = (E, ≤, #, λ, L, V) where (E, ≤, #, λ) is a labeled event structure over alphabet L, L is a total order on #r⁴ and V is a set of vectors {v | v ∈ {0, 1}^|L|}.

A conflict solver is a vector v ∈ {0, 1}^|L| that determines which event is chosen in each pair of conflicting events. Let L[i] represent the i-th element (which is a pair) in the total order and L[i][j] with j ∈ {0, 1} one of the elements of the pair. Then conflict L[i] is resolved by the value v[i]. Notice that not every conflict solver is acceptable, as illustrated in Fig. 6: any solver that chooses e3 over e7 and e2 must also choose e1, because e5 is in the future of e2 and cannot be chosen. This is not the only restriction to take into account: if an event is a part of more than one conflict, whenever we choose it w.r.t. one conflict, we must also choose it w.r.t. the others. For example, if e3 is chosen in the conflict (e2, e3), it should also be chosen in (e3, e7). Let Ē denote the events that are not selected by a conflict solver v, i.e. Ē = {e ∈ E | ∃i, j : v[i] = j ∧ L[i][1 − j] = e}; then the conflict solver is valid if it generates a maximal configuration, i.e. E \ Ē ∈ Ω(E). The set V in the definition of ELESs contains all valid conflict solvers.

⁴ Notice that it is enough to consider direct conflicts only.
Proposition 1 Let E = (E, ≤, #, λ, L, V) be an ELES such that for every v ∈ V, if v[i] = j and L[i][j] = e, then ∀h, k : L[h][k] = e implies v[h] = k, and ∀e′ ∈ [e], h, k : L[h][k] = e′ implies v[h] = k. Then V is a set of valid conflict solvers.

Proof Consider V satisfying the hypothesis of the proposition and suppose there exists v′ ∈ V which is not valid. We then have that E \ Ē ∉ Ω(E), meaning that either (i) the set is not causally closed; (ii) it is not conflict-free; or (iii) it is a configuration, but not a maximal one. If (i) holds, it means an event was removed but not its future, which is not possible as for every event in Ē its future is also removed. If we have (ii), a conflict e1 # e2 was not resolved, which is not possible as |v′| = |L|. Finally, if (iii) holds, the configuration can be extended by an event e′ from Ē. From the definition of Ē, we know that e′ is in conflict with the events of E \ Ē and then the extended set cannot be a configuration, leading to a contradiction. □

The above result shows how to compute a set of valid conflict solvers for a LES and therefore each LES can be easily extended into the corresponding ELES. This means that both ELESs and CPOGs can be used when one needs to store partial orders in a compressed form and access them by providing the corresponding conflict solver/opcode. In the rest of the paper we will focus on LESs; however, all presented results also hold for their enriched counterparts.
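Added example, not the paper's code: computing the set V of valid conflict solvers by brute force over all 2^|L| vectors for the LES E3 of Fig. 3, which is written down here by hand from the text (ten events, four direct conflicts, ⊤ events omitted as in the diagrams). As in the proof of Proposition 1, an unselected event is dropped together with its future; the surviving set E \ Ē is then checked to be a maximal configuration. Solvers that differ only in positions whose conflict is already settled by an earlier removal reach the same configuration, which is what the '−' entries of the vectors in Fig. 6 stand for.

```python
from itertools import product

# Constructed LES: E3 of Fig. 3. Suffixes 1-4 name the configuration of Fig. 2
# the event originates from; CAUSES[e] is the full set of events strictly below e.
CAUSES = {
    "b1": set(), "c1": set(),
    "a_1": set(), "a_2": {"b1"}, "a_3": {"c1"}, "a_4": {"b1", "c1"},
    "b5_1": {"a_1"}, "c5_1": {"a_1"},
    "c5_2": {"b1", "a_2"}, "b5_3": {"c1", "a_3"},
}
# L: the total order on the four direct conflicts #r of E3.
L = [("a_1", "b1"), ("a_1", "c1"), ("a_2", "c1"), ("a_3", "b1")]

def future(events):
    """Upward closure: the events together with everything causally above them."""
    return {e for e in CAUSES if e in events or CAUSES[e] & events}

def in_conflict(e1, e2):
    """The full conflict relation, induced from L by conflict heredity."""
    return any((e1 in future({x}) and e2 in future({y})) or
               (e1 in future({y}) and e2 in future({x})) for x, y in L)

def resolve(v):
    """Apply solver v: v[i] = j selects L[i][j]; the other member of each pair
    is unselected and removed with its future. Returns the survivors E \ Ē."""
    unselected = {L[i][1 - j] for i, j in enumerate(v)}
    return set(CAUSES) - future(unselected)

def is_maximal_configuration(conf):
    """Definition 2: causally closed, conflict-free, and no event can be added."""
    closed = all(CAUSES[e] <= conf for e in conf)
    conflict_free = not any(in_conflict(e1, e2)
                            for e1 in conf for e2 in conf if e1 < e2)
    enabled = [e for e in CAUSES if e not in conf and CAUSES[e] <= conf
               and not any(in_conflict(e, c) for c in conf)]
    return closed and conflict_free and not enabled

def valid_solvers():
    """The set V of Definition 4, grouped by the configuration each solver yields."""
    result = {}
    for v in product((0, 1), repeat=len(L)):
        conf = resolve(v)
        if is_maximal_configuration(conf):
            result.setdefault(frozenset(conf), []).append("".join(map(str, v)))
    return result

if __name__ == "__main__":
    for conf, vectors in valid_solvers().items():
        print(sorted(conf), "<-", vectors)
```

Of the 16 vectors, 9 are valid and they cover all four maximal configurations of E3; the configuration {a_1, b5_1, c5_1} is reached by every vector starting with 00, because once b1 and c1 are unselected the conflicts (a_2, c1) and (a_3, b1) no longer matter.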
3.2 Conditional Labeled Event Structures
The acyclicity of LESs often introduces redundancy in events, e.g. vertex a := 5 from the CPOG in Fig. 4 needs to be represented by four events in the LESs from Fig. 3. In order to avoid this redundancy, we follow the ideas of CPOGs and label the elements of a LES (events and relations) by Boolean conditions in order to represent several LESs with one Conditional Labeled Event Structure. Section 5 shows that CLESs are of particular interest when transforming LESs into CPOGs and vice versa.

Definition 5 A Conditional Labeled Event Structure over alphabet L is a tuple H = (E, ≤, #, λ, X, φ, ρ) where E are events; ≤ is a set of arcs; # represents conflicts; λ labels events; X is a set of operational variables; φ assigns Boolean conditions to E, ≤ and #; and ρ is the restriction function.

A well-formed CLES is such that its projection on a valid opcode (allowed by the restriction function) generates a LES, i.e. ≤ becomes acyclic. CLESs generalize both CPOGs and LESs: if conflicts are dropped we get a CPOG, and if the structure is acyclic and conditions are dropped, we get a LES.

4 Parameterized Structures
The formalisms we presented in the previous sections can be used for the compressed representation of sets of partial orders. The key feature of these formalisms is the support for conditional elements, i.e. elements labeled with Boolean conditions.
[Figure omitted] Fig. 7: Circuits computing conditions for the CPOG in Fig. 4.
Definition 6 A mathematical structure over a set of elements S is called a parameterized structure if the elements are labeled with Boolean conditions φ : S → Φ, where Φ is a set of predicates (Boolean functions) on X, that is Φ ⊆ X → {0, 1}.

A CPOG is a parameterized structure whose elements are vertices and arcs. Events and causality/conflict relations are elements of both LESs and CLESs, but every LES element is labeled by 1, while CLES elements can be labeled by arbitrary conditions. Below we define a complexity measure for parameterized structures that we will use to compare the compactness of CPOGs, LESs and CLESs.

Complexity measure. Instead of treating each predicate in Φ separately, let us construct a Boolean circuit [25] that computes all of them together and makes use of shared intermediate terms. This is exactly what happens in practice regardless of whether a parameterized structure is used for verification purposes (when it is typically converted into a Circuit-SAT instance) or in hardware synthesis (when conditions are evaluated by a circuit comprised of logic gates). The decoding complexity of a predicate set Φ is the number of variables in Φ plus the number of gates in the smallest circuit⁵ computing all predicates.

Definition 7 The Complexity of a parameterized structure with predicate set Φ on a set of elements S is the decoding complexity of Φ plus the total number of elements in S.

A simple circuit with two negation gates can compute the predicates in Fig. 4. We do not need a circuit to compute the conditions of a LES, which are always 1. The complexity of the CPOG in Fig. 4 is equal to 13 (2 variables + 2 gates + 5 vertices + 4 arcs) and the complexity of E3 in Fig. 3 is 22 (10 events + 8 direct causality arcs + 4 direct conflicts). Fig. 7 shows a circuit that computes the predicates in Φ = {x, y, x ∧ y, x ∨ y} required for the CPOG shown in Fig. 5. If one compares the complexity of the structures in Fig. 5, the LES has complexity 16 (7 events + 6 direct causality arcs + 3 direct conflicts) while the CPOG has complexity 17 (2 variables + 4 gates + 5 vertices + 6 arcs).
Comparison of parameterized structures. We present three synthetic examples to compare the complexity of the corresponding LESs, CPOGs and CLESs. We observed that a CPOG often has a lower complexity than a corresponding LES; however, the opposite can also be true. Since every CPOG is a CLES with # = ∅ and every LES is a CLES with φ = 1, CLESs have at most the same complexity as CPOGs and LESs.
⁵ In our experiments we restrict the number of inputs of each gate to 2. Since finding the smallest circuit is a very hard problem, we use an approximation of the circuit complexity measure [4].
Fig. 8: Phase encoder for n = 3 represented by a CPOG (left) and a LES (right). (Figure not reproduced in this text.)
Example 1 Phase encoders [5] are communication controllers capable of generating all permutations of n events. They are handled very badly by acyclic structures, as can be seen in Fig. 8 (right). The LES for a phase encoder with n = 3 has complexity 33, while the corresponding CPOG has complexity 15. The complexity of CPOGs for phase encoders grows quadratically with n, while the complexity of LESs grows exponentially: one can see that the LES for a phase encoder of size n must have n! events on its lowest level. In fact, a LES requires at least as many events as there are partial orders in a given set.
Example 2 Decision trees [23] are binary trees that can be used to model choices and their consequences. The LESs encoding decision trees are smaller than the corresponding CPOGs, as the number of direct conflicts is smaller than the decoding complexity of the conditions needed to encode such decisions. This is illustrated in Fig. 9, where the LES has complexity 16 while the complexity of the CPOG is 21. Asymptotically the complexity of both LESs and CPOGs grows linearly with the size of the decision tree, so in this example LESs are better by just a constant factor. In general, as we will demonstrate in Section 5, the complexity of a CPOG never exceeds the complexity of the corresponding LES by more than a constant factor.
Example 3 Trees of phase encoders combine decision trees of height h with phase encoders with n actions: after h choices are made, all permutations of n events are possible. For this example, CLESs are strictly smaller than both CPOGs and LESs, as demonstrated in Fig. 10 (where h = 2, n = 2): the CPOG has complexity 35, the LES has complexity 52, and the CLES has complexity 30.
5 Transformations
This section presents two algorithms (l2c and c2l) for transforming LESs into CPOGs and vice versa without performing an intermediate uncompression step. Both algorithms use CLESs as an intermediate representation. Avoiding such uncompression is highly desirable, since the number of represented partial orders may be exponential w.r.t. the size of the structure (e.g. see the phase encoder example). Such transformations allow us to study how compact both formalisms are in different application domains, and also allow synthesis and verification techniques developed for only one of the formalisms to be reused for the other.
Fig. 9: A decision tree represented by a CPOG (above) and a LES (below). (Figure not reproduced in this text.)
Fig. 10: A tree of phase encoders represented by a CPOG, a LES and a CLES. (Figure not reproduced in this text.)
5.1 From LESs to CPOGs: l2c
Every LES can be seen as an acyclic CLES where vertices and arcs are labeled by 1. If conflicts are removed from the CLES, an acyclic CPOG with redundant vertices (i.e. repeated labels) is obtained, which can then be folded to remove such redundancy. In order to preserve the information about conflicts, conflicting events need to be labeled by Boolean conditions in such a way that they cannot belong to the same projection. Proposition 1 shows that whenever an event is selected in one conflict, it must be selected in all other conflicts it participates in, along with all of its causal predecessors. This can be encoded in the restriction function of the resulting CPOG as follows⁶:
ρ = (⋀_{e#f} ¬φ_e ∨ ¬φ_f) ∧ (⋀_{e≤f} φ_f ⇒ φ_e)   (1)
For the example shown in Fig. 5 this generates the following restriction function:
(φ_b ⇒ φ_a) ∧ (φ_e ⇒ φ_a) ∧ (φ_c1 ⇒ φ_b) ∧ (φ_d1 ⇒ φ_b) ∧ (φ_d2 ⇒ φ_c1) ∧ (φ_c2 ⇒ φ_d1) ∧ (¬φ_e ∨ ¬φ_b) ∧ (¬φ_c1 ∨ ¬φ_c2) ∧ (¬φ_d1 ∨ ¬φ_d2)
By employing a SAT solver one can easily check that the above is satisfied by the following assignments, which correspond to the maximal configurations of the LES:
φ_a = φ_b = φ_c1 = φ_d1 = 1, φ_c2 = φ_d2 = φ_e = 0
φ_a = φ_b = φ_d1 = φ_c2 = 1, φ_c1 = φ_d2 = φ_e = 0
φ_a = φ_b = φ_c1 = φ_d2 = 1, φ_c2 = φ_d1 = φ_e = 0
φ_a = φ_e = 1, φ_b = φ_c1 = φ_c2 = φ_d1 = φ_d2 = 0
Alas, not only maximal configurations satisfy the function; for example, the empty configuration clearly satisfies it too: φ_a = φ_b = φ_c1 = φ_c2 = φ_d1 = φ_d2 = φ_e = 0.
Since we do not want such non-maximal configurations to be allowed by the restriction function, we need to refine it. A configuration is maximal if for every event e ∈ E one of the following conditions holds: (i) event e belongs to the configuration; or (ii) there exists an event f which belongs to the configuration and prevents e. An event preventing e is called a spoiler [8]. Any event e spoils itself, as an event cannot occur twice. The set of spoilers of an event e is defined as spoilers(e) ≜ {e} ∪ {f ∈ E | f # e}. The restriction function (1) can now be refined to allow only maximal configurations:
ρ = (⋀_{e#f} ¬φ_e ∨ ¬φ_f) ∧ (⋀_{e≤f} φ_f ⇒ φ_e) ∧ (⋀_{e∈E} (φ_e ∨ ⋁_{e#f} φ_f))   (2)
Coming back to the example in Fig. 5, the additional constraint is:
φ_a ∧ (φ_b ∨ φ_e) ∧ (φ_c1 ∨ φ_c2 ∨ φ_e) ∧ (φ_d1 ∨ φ_d2 ∨ φ_e)
Note that φ_e appears in the last two clauses because e inherits its conflict with b against every successor of b; without it the configuration {a, e} would be rejected. The clauses for c2, d2 and e are implied by the ones shown, since their spoiler sets contain those of c1, d1 and b respectively (see the spoiler reduction below). The refined restriction function has exactly four satisfying assignments, which represent the four maximal configurations of the LES.
Once conditions are assigned to events, arcs also need to be labeled before folding the result into a CPOG. We label each arc by the conjunction of the conditions of the events it connects, to make sure an arc appears only if both events do. The resulting CLES may contain several events labeled by the same action, which is redundant for CPOGs. Such events can be merged, and the resulting condition is the disjunction of the conditions of the original events. See Algorithm 2 for the pseudocode of the folding algorithm l2c.
The set of partial orders represented by the CPOG obtained by the l2c algorithm coincides with the set of maximal configurations of the original LES.
⁶ The optimization techniques presented below allow us to consider only direct causality and direct conflicts. We make use of this observation in our further examples.
Algorithm 2 l2c
Require: E = (E, ≤, #, λ) and a set of Boolean variables {x_1, ..., x_|E|}
Ensure: H = (V, A, X, φ, ρ) such that P(H) = π(Ω(E))
 1: V = E, A = ≤
 2: for v ∈ V do
 3:   φ_v = x_v
 4: for v1 → v2 ∈ A do
 5:   φ_{v1→v2} = φ_{v1} ∧ φ_{v2}
 6: while ∃ v1, v2 ∈ V : λ(v1) = λ(v2) do
 7:   V = V ∖ {v1, v2} ∪ {v} for a fresh v ∉ V
 8:   for v′ ∈ V do
 9:     if v′ ≤ v1 ∨ v′ ≤ v2 then
10:       add v′ → v to A and set φ_{v′→v} = φ_{v′→v1} ∨ φ_{v′→v2}
11:     if v1 ≤ v′ ∨ v2 ≤ v′ then
12:       add v → v′ to A and set φ_{v→v′} = φ_{v1→v′} ∨ φ_{v2→v′}
13:   φ_v = φ_{v1} ∨ φ_{v2}
14: ρ = (⋀_{e#f} ¬φ_e ∨ ¬φ_f) ∧ (⋀_{e≤f} φ_f ⇒ φ_e) ∧ (⋀_{e∈E} φ_e ∨ ⋁_{e#f} φ_f)
15: return H = (V, A, X, φ, ρ)
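The following Python is an added illustration of Algorithm 2, not code from the paper or its tool support. It runs l2c on the Fig. 5 LES exactly as the text specifies it (the direct causality and direct conflicts listed in the restriction function above, with c1, c2 labeled c and d1, d2 labeled d). Conditions are checked by enumerating all 2^|E| assignments instead of calling a SAT solver, which is enough to verify the claims made above: formula (1) admits the empty configuration, formula (2) admits exactly the four maximal configurations, and the folded CPOG projects onto the same four partial orders. Arcs are taken over the direct causality and labeled by the target event's variable, i.e. the arc and transitive reductions from the optimization list further below are already applied; the spoiler clause uses inherited conflicts.

```python
"""l2c on the Fig. 5 LES: conditions from formula (2), then folding. Added example."""
from itertools import product

# The LES of Fig. 5 as the text specifies it (constructed from the restriction
# function above): direct causality, direct conflicts, and labels; c1, c2 are
# two occurrences of action c and d1, d2 two occurrences of action d.
EVENTS = ["a", "b", "c1", "c2", "d1", "d2", "e"]
LABEL = {"a": "a", "b": "b", "c1": "c", "c2": "c", "d1": "d", "d2": "d", "e": "e"}
CAUSALITY_R = {("a", "b"), ("a", "e"), ("b", "c1"), ("b", "d1"), ("c1", "d2"), ("d1", "c2")}
CONFLICT_R = {("b", "e"), ("c1", "c2"), ("d1", "d2")}


def transitive_closure(pairs):
    """Smallest transitive relation containing `pairs`."""
    rel = set(pairs)
    grew = True
    while grew:
        grew = False
        for (e, f), (g, h) in product(list(rel), repeat=2):
            if f == g and (e, h) not in rel:
                rel.add((e, h))
                grew = True
    return frozenset(rel)


def full_conflict(events, le, direct):
    """Conflict inheritance: e#f, e<=e', f<=f' gives e'#f' (stored in both directions)."""
    conf = set()
    for e, f in direct:
        for e2, f2 in product(events, repeat=2):
            if (e, e2) in le and (f, f2) in le:
                conf |= {(e2, f2), (f2, e2)}
    return frozenset(conf)


def restriction(phi, events, le, conf, maximal=True):
    """Formula (2) on an assignment phi: event -> 0/1; formula (1) if maximal=False.
    The spoiler clause of e ranges over all (inherited) conflicts e#f."""
    conflict_free = all(not (phi[e] and phi[f]) for e, f in conf)
    closed = all(phi[e] or not phi[f] for e, f in le)          # phi_f => phi_e
    spoiled = all(phi[e] or any(phi[f] for g, f in conf if g == e) for e in events)
    return conflict_free and closed and (spoiled or not maximal)


def l2c(events, label, causality_r, conflict_r):
    """Fold a LES into a CPOG. One variable per event (phi_e = x_e); one vertex per
    label whose condition is the OR of its events; arcs over the transitive
    reduction, labelled by the target event's variable (arc reduction)."""
    le = transitive_closure(causality_r) | {(e, e) for e in events}
    conf = full_conflict(events, le, conflict_r)
    vertices = sorted(set(label.values()))
    vcond = {v: frozenset(e for e in events if label[e] == v) for v in vertices}
    acond = {}
    for e, f in causality_r:
        acond.setdefault((label[e], label[f]), set()).add(f)
    rho = lambda phi: restriction(phi, events, le, conf)
    return vertices, vcond, acond, rho, le, conf


def assignments(events):
    for bits in product([0, 1], repeat=len(events)):
        yield dict(zip(events, bits))


def cpog_partial_orders(cpog, events):
    """P(H): project the CPOG on every opcode allowed by rho (brute force over
    all assignments instead of a SAT solver; fine for 2^7 candidates)."""
    vertices, vcond, acond, rho, _, _ = cpog
    pos = set()
    for phi in assignments(events):
        if not rho(phi):
            continue
        active = frozenset(v for v in vertices if any(phi[e] for e in vcond[v]))
        arcs = {(u, v) for (u, v), es in acond.items()
                if u in active and v in active and any(phi[e] for e in es)}
        pos.add((active, transitive_closure(arcs)))
    return pos


def les_partial_orders(events, label, le, conf):
    """pi(Omega(E)): the maximal configurations, found by brute force and labelled."""
    configs = [frozenset(e for e in events if phi[e]) for phi in assignments(events)
               if all(not (phi[e] and phi[f]) for e, f in conf)
               and all(phi[e] or not phi[f] for e, f in le)]
    maximal = [c for c in configs if not any(c < d for d in configs)]
    return {(frozenset(label[e] for e in c),
             frozenset((label[e], label[f]) for e in c for f in c if e != f and (e, f) in le))
            for c in maximal}


if __name__ == "__main__":
    cpog = l2c(EVENTS, LABEL, CAUSALITY_R, CONFLICT_R)
    _, vcond, acond, rho, le, conf = cpog
    print("vertices:", {v: sorted(es) for v, es in vcond.items()})
    print("arcs:", {a: sorted(es) for a, es in acond.items()})
    print("rho models:", [sorted(e for e in EVENTS if phi[e]) for phi in assignments(EVENTS) if rho(phi)])
    print("P(H) == pi(Omega(E)):", cpog_partial_orders(cpog, EVENTS) == les_partial_orders(EVENTS, LABEL, le, conf))
```

Switching `maximal=False` in `restriction` shows why formula (1) alone is not enough: the all-zero assignment passes. With the full spoiler clause, the four models of ρ are exactly the four maximal configurations listed above, including {a, e}, which is only admitted because the clauses of c1 and d1 contain φ_e.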
Theorem 2 Given a LES E = (E, ≤, #, λ) and a set of Boolean variables, algorithm l2c constructs a CPOG H = (V, A, X, φ, ρ) such that P(H) = π(Ω(E)).
Proof The first steps of the algorithm (lines 1-5) add conditions to events and arcs, i.e. they transform the LES into a CLES. We proceed by showing that i) the projections of this CLES over all valid opcodes coincide with its maximal configurations; and ii) P(H) = P(H′), where H is the CLES before merging events (lines 6-13) and H′ the CLES obtained by merging them.
i) Let H be the CLES obtained after steps 1-5; ψ is a valid opcode
⇔ ψ ⊨ (⋀_{e#f} ¬φ_e ∨ ¬φ_f) ∧ (⋀_{e≤f} φ_f ⇒ φ_e) ∧ (⋀_{e∈E} φ_e ∨ ⋁_{e#f} φ_f)
⇔ H|ψ is conflict-free, causally closed and maximal
⇔ H|ψ forms a maximal configuration of the CLES
⇔ H|ψ forms a maximal configuration of the LES.
ii) Let e1, e2 be the events of H which are replaced by e in H′. Since φ_e = φ_{e1} ∨ φ_{e2}, for every valid opcode ψ we have e ∈ H′|ψ iff e1 ∈ H|ψ or e2 ∈ H|ψ. Since we are only interested in the labels of the events in the partial order and λ(e) = λ(e1) = λ(e2), we conclude that λ(e) ∈ H′|ψ iff λ(e1) ∈ H|ψ or λ(e2) ∈ H|ψ. For every v ∈ V we have v ≤ e1 or v ≤ e2 iff v ≤ e (and analogously for e1 ≤ v or e2 ≤ v). Since labels and causal dependencies are preserved, we conclude that P(H) = P(H′). □
The complexity of the CPOG constructed by l2c is linear w.r.t. the size of the original LES.
Theorem 3 Given a LES E = (E, ≤, #, λ), algorithm l2c constructs a CPOG H = (V, A, X, φ, ρ) of complexity Θ(|E|).
Proof By Definition 7 we need to consider the number of vertices and arcs and the decoding complexity of φ and ρ. Clearly |V| ≤ |E|, as some events are merged. For every event e obtained by merging two events e1, e2 and any other event f, we have e → f ⇔ e1 ≤ f ∨ e2 ≤ f, therefore |A| ≤ |≤|. We label each event with a different variable (|X| = |E|), hence the decoding circuit is trivial. The condition of each arc is the conjunction of the conditions of the events it connects, which requires |≤| AND gates to compute φ. To compute ρ as in (2), a NAND gate is needed for each conflict to ensure that at most one of its events is selected; an implication (a NOT and an OR gate) for each arc in ≤; each conflict is listed exactly twice in the maximality encoding (once for each event in the conflict), thus we need 2·|#| + |E| gates to compute it. Finally, we need |≤| + |#| + |E| − 1 AND gates to join all constraints together. The overall size of the ρ function is therefore 4·|#| + 3·|≤| + 2·|E| − 1 ≤ 4·|E|. To conclude, the complexity of the resulting CPOG is Θ(|E|). □
Algorithm l2c is optimal w.r.t. the size of the underlying graph.
Theorem 4 Given a LES, algorithm l2c constructs a CPOG H = (V, A, ·, ·, ·) such that no smaller graph H′ = (V′, A′, ·, ·, ·) with |V′| < |V| or |A′| < |A| can represent the same set of partial orders.
Proof The while statement (line 6 of Algorithm 2) terminates only after every pair of equally labeled vertices has been merged. Therefore, there is exactly one vertex in the resulting V for every LES label, and any V′ with |V′| < |V| cannot represent the same set of partial orders as the original LES. We thereby assume that V = V′ and |A′| < |A|. Then there exist two vertices a, b ∈ V such that a → b ∈ A but a → b ∉ A′. No partial order represented by H′ relates labels a and b through this arc, because it does not belong to A′. Since the arc belongs to A, there exists at least one partial order (obtained by any projection where φ_{a→b} = 1) represented by H in which a and b are related, which shows that H and H′ cannot represent the same set of partial orders. □
Notice that even if the transformation algorithm is optimal w.r.t. the graph size, it might not be optimal w.r.t. its complexity, which also accounts for the complexity of the Boolean predicates. Finding an optimal CPOG encoding is still an open research question with ongoing research [13]. Our algorithm uses the simplest encoding approach, where each event is initially labeled by a unique variable.
Optimization techniques. Below we describe several important optimization techniques that improve l2c.
1. Arc reduction: the proof of Theorem 3 uses |≤| AND gates to compute φ. This is because each arc e ≤ f is labeled by φ_e ∧ φ_f. However, as we know from (2), φ_f ⇒ φ_e, and therefore the arc conditions can be simplified to just φ_f, so no gates are needed.
2. Transitive reduction: the relation ≤ is transitively closed, that is, it contains the transitive arc a ≤ c whenever a ≤ b and b ≤ c. The clause corresponding to a transitive arc (φ_c ⇒ φ_a) is clearly redundant in the presence of (φ_c ⇒ φ_b) ∧ (φ_b ⇒ φ_a) and can be dropped. Therefore, in the transformation algorithm we can use the transitively reduced relation ≤r instead of ≤.
3. Conflict inheritance reduction: consider two events a and b in direct conflict and two events in their future, i.e. a ≤ c and b ≤ d. Clearly c # d, but this conflict does not need to be encoded by ¬φ_c ∨ ¬φ_d. If the conflict a # b and both a ≤ c, b ≤ d are encoded, we have φ_a ⇒ ¬φ_b, φ_c ⇒ φ_a and φ_d ⇒ φ_b, thus φ_c ⇒ φ_a ⇒ ¬φ_b ⇒ ¬φ_d, which prevents selecting both c and d. Therefore, we only need to consider #r.
4. Spoiler reduction: consider the example from Fig. 6 and the spoiler sets of events c1 and c2. These sets generate the clauses Φ1 = φ_c1 ∨ φ_c2 ∨ φ_e and Φ2 = φ_c2 ∨ φ_c1 ∨ φ_d2 ∨ φ_e. Clearly Φ1 ⇒ Φ2, so the information about the spoilers of c2 is redundant. For every pair of events e, f such that spoilers(e) ⊆ spoilers(f), the clause generated for f is redundant and can be dropped.
5. Multiway conflicts: notice that if several events {e1, ..., ek} are pairwise in conflict (i.e. the conflict subgraph induced by them is a clique), Algorithm 2 generates a quadratic number of constraints ⋀_{ei#ej} (¬φ_ei ∨ ¬φ_ej). This can be simplified into the at-most-one constraint (∑_i φ_ei ≤ 1), which can be encoded by a set of constraints of linear size [7].
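Item 5 is the at-most-one constraint over the variables of a conflict clique. Reference [7] is not reproduced on this page, so the block below, added here and not part of the paper, uses the sequential-counter encoding as one linear-size encoding (an assumption about which encoding [7] uses) and checks by brute force that it admits exactly the same assignments of the original variables as the quadratic pairwise encoding generated by Algorithm 2.

```python
"""At-most-one constraints for a conflict clique: pairwise vs sequential counter. Added example."""
from itertools import combinations, product


def pairwise_amo(xs):
    """Quadratic encoding: one clause (not x_i or not x_j) per pair; literals are
    DIMACS-style integers (negative = negated)."""
    return [[-a, -b] for a, b in combinations(xs, 2)]


def sequential_amo(xs, next_var):
    """Linear encoding (sequential counter): auxiliary s_1..s_{n-1} numbered from
    `next_var`, with s_i meaning 'one of x_1..x_i is already true'; 3n - 4 clauses."""
    n = len(xs)
    if n < 2:
        return [], []
    s = [next_var + i for i in range(n - 1)]
    clauses = [[-xs[0], s[0]]]
    for i in range(1, n - 1):
        clauses += [[-xs[i], s[i]], [-s[i - 1], s[i]], [-xs[i], -s[i - 1]]]
    clauses.append([-xs[-1], -s[-1]])
    return clauses, s


def models_projected(clauses, xs, aux):
    """Brute force: the set of assignments to `xs` that extend to a model of the
    clauses (auxiliary variables existentially quantified away)."""
    allv = list(xs) + list(aux)
    found = set()
    for bits in product([0, 1], repeat=len(allv)):
        val = dict(zip(allv, bits))
        if all(any(val[abs(l)] == (l > 0) for l in c) for c in clauses):
            found.add(tuple(val[v] for v in xs))
    return found


def at_most_one(n):
    """The intended semantics: the sum of the x_i is at most 1."""
    return {bits for bits in product([0, 1], repeat=n) if sum(bits) <= 1}


def encodings_agree(n):
    """Both encodings of a clique of n pairwise-conflicting events accept exactly
    the assignments in which at most one event is selected."""
    xs = list(range(1, n + 1))
    seq, aux = sequential_amo(xs, n + 1)
    return models_projected(pairwise_amo(xs), xs, []) == at_most_one(n) == models_projected(seq, xs, aux)


if __name__ == "__main__":
    for n in range(2, 7):
        xs = list(range(1, n + 1))
        print(n, "pairwise clauses:", len(pairwise_amo(xs)),
              "sequential clauses:", len(sequential_amo(xs, n + 1)[0]), "agree:", encodings_agree(n))
```

The pairwise encoding needs n(n−1)/2 clauses, the sequential counter 3n−4 clauses and n−1 auxiliary variables; the auxiliary variables do not change the set of admissible assignments to the φ_ei, which is what the projection check confirms.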
5.2 From CPOGs to LESs: c2l
To transform a CPOG into a LES, the former needs to be unfolded (in order to obtain an acyclic structure) while keeping conditions that will be replaced by conflicts in the final LES. For this, a CLES is constructed as an intermediate structure. We start from an empty CLES (i.e. one with E = ∅) and at each iteration we compute the set of possible extensions. To decide whether an instance of vertex a ∈ V is a possible extension, we need to find a set of predecessor events P ⊆ E such that (i) the vertex is active; (ii) the instances of its predecessors and their corresponding arcs are active; (iii) if an event is not a predecessor, then either it is not active or its corresponding arc is not active; (iv) the instance of the vertex is different from any other in the prefix. This is captured by formula (3) below, where each conjunction corresponds to one of the points mentioned above. For each vertex a ∈ V we have:
φ = φ_a ∧ (⋀_{e_b∈P, b→a∈A} φ_{e_b} ∧ φ_{b→a}) ∧ (⋀_{e_b∈E∖P, b→a∈A} ¬φ_{e_b} ∨ ¬φ_{b→a}) ∧ (⋀_{e_a∈E} ¬φ_{e_a})   (3)
If the formula is unsatisfiable (i.e. it simplifies to False), then there is no possible extension representing vertex a. If the formula has a satisfying assignment, we add the event to the unfolding, connecting it to P and labeling it by φ. The unfolding procedure finishes when (3) is no longer satisfiable; this is always the case since the CPOG is well-formed and thus any cycle comprises arcs with mutually exclusive conditions, and the predicate φ_{b→a} in the second conjunction eventually makes the formula unsatisfiable.
Remark 2 In the resulting unfolding an event e is labeled by the conjunction of the condition of the vertex it represents and the conditions of the vertices and arcs on the path from a minimal vertex to e. For example, if a CPOG contains a, b ∈ V, a → b ∈ A with φ_a = x, φ_b = y and φ_{a→b} = z, then event e_b is labeled by x ∧ y ∧ z.
Proposition 2 Given a CPOG and a prefix of its unfolding, deciding whether an instance of a vertex is a possible extension is NP-hard.
Proof Consider a CPOG containing a single vertex v with condition φ_v. As explained in Remark 1, there exists an event ⊤ such that v → ⊤ and φ_⊤ = 1. We need to be able to decide whether φ_v is equal to 0 or 1. If φ_v = 0, then the unfolding should contain only ⊤; if φ_v = 1, the unfolding should contain v and ⊤ with v ≤ ⊤; otherwise it has three events v, ⊤1, ⊤2 with v ≤ ⊤1 and v # ⊤2 (that is, v either happens or not). Deciding whether φ_v is equal to 0 or 1 is an NP-hard problem. □
We use a SAT solver to 'guess' a predecessor set P satisfying (3). Finally, Boolean conditions are replaced by conflicts: for every pair of mutually exclusive events e_a, e_b, their Boolean conditions are removed and the conflict e_a # e_b is added instead. As the set V does not depend on the graph, it can be constructed from the LES itself using Proposition 1, while L is obtained as a linearization of #r. We refer to the unfolding procedure followed by the addition of the conflict relations as the c2l algorithm.
The final LES resulting from the unfolding does not depend on the order in which events are added, i.e. c2l is deterministic.
Proposition 3 Let E be the current set of events of the unfolding and e_a ≠ e_b two possible extensions; then e_b is a possible extension of E ∪ {e_a}.
Proof We need to prove that (3) is still satisfiable for vertex b when e_a is added to the unfolding: i) as e_b is a possible extension from E, φ_b = 1, and this is also true from E ∪ {e_a}; ii-iii) since P ⊆ E ⊆ E ∪ {e_a}, the second and third conjunctions of (3) are still satisfied; iv) since e_a ≠ e_b and there was no instance of b in E, there is none in E ∪ {e_a} either. □
Fig. 11: Transformation of a CPOG into a LES. (Figure not reproduced in this text; it shows the unfolding of Example 4 with events e_a^0, e_b^0, e_e^0, e_c^0, e_d^0, e_c^1, e_d^1 and their conditions.)
Example 4 Consider the CPOG shown in Fig. 5. The unfolding procedure starts with E = ∅ and keeps checking vertices of the CPOG for possible extensions (see Fig. 11). At the start, only vertex a can be added. For example, the constraint imposed by non-predecessors in (3) includes ¬φ_{a→b} = ¬1 = 0 for vertex b, hence b is not a possible extension at the start. We proceed by adding event e_a^0 to the unfolding with φ_{e_a^0} = 1. When we recompute the possible extensions, formula (3) reduces to x ∨ y and ¬x ∧ ¬y for vertices b and e, respectively, therefore events e_b^0 and e_e^0 are added with e_a^0 as their predecessor and with φ_{e_b^0} = x ∨ y and φ_{e_e^0} = ¬x ∧ ¬y.
At this point E = {e_a^0, e_b^0, e_e^0} and we find that c and d are possible extensions, adding events e_c^0 and e_d^0 with event e_b^0 as the predecessor and conditions φ_{e_c^0} = y and φ_{e_d^0} = x. Now E = {e_a^0, e_b^0, e_c^0, e_d^0, e_e^0} and we find that c and d are possible extensions again: two new events e_c^1 and e_d^1 are added, with φ_{e_c^1} = x ∧ ¬y and φ_{e_d^1} = ¬x ∧ y. Finally, as E grows to {e_a^0, e_b^0, e_c^0, e_c^1, e_d^0, e_d^1, e_e^0}, formula (3) becomes unsatisfiable and the unfolding procedure is finished. The conditions of events e_b^0 and e_e^0 are mutually exclusive, (¬x ∧ ¬y) ∧ (x ∨ y) = 0, therefore we add the conflict e_b^0 # e_e^0. The conflicts e_c^0 # e_c^1 and e_d^0 # e_d^1 are added following the same reasoning (y ∧ (x ∧ ¬y) = 0 and x ∧ (¬x ∧ y) = 0). Finally, when all Boolean conditions are removed from the CLES, we obtain a LES.
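The unfolding of Section 5.2, as an added Python illustration that is not code from the paper. The input is a constructed CPOG: the phase encoder of Example 1 reduced to n = 2, with the assumed encoding that the arc a → b carries x and the arc b → a carries ¬x (Fig. 8 is not reproduced, so this encoding is mine). Conditions are kept as truth tables over the opcodes, which replaces the SAT solver for a handful of variables; the possible-extension check follows formula (3) with one reading of condition (iii) spelled out in the comments, and the result is checked against the CPOG's projections as in Theorem 5 (i).

```python
"""c2l: unfold a CPOG into a LES by computing possible extensions. Added example."""
from collections import namedtuple
from itertools import product

# A condition is represented by its truth table: the frozenset of opcodes (tuples
# of variable values) on which it holds. With a handful of variables this stands
# in for the SAT solver of the text: a formula is satisfiable iff its table is
# non-empty, and two conditions are mutually exclusive iff their tables are disjoint.
VARS = ("x",)
OPCODES = frozenset(product([0, 1], repeat=len(VARS)))
TRUE = OPCODES


def var(name):
    """The predicate `name = 1`."""
    i = VARS.index(name)
    return frozenset(o for o in OPCODES if o[i])


def neg(cond):
    return OPCODES - cond


# Constructed input: a phase encoder with n = 2 (the cyclic CPOG of Fig. 8 reduced
# to two actions). Assumed encoding: a -> b is taken when x = 1, b -> a when x = 0;
# both vertices are unconditional.
PE2_VERTICES = {"a": TRUE, "b": TRUE}
PE2_ARCS = {("a", "b"): var("x"), ("b", "a"): neg(var("x"))}

Event = namedtuple("Event", "vertex cond preds")   # preds: indices of predecessor events


def reachable(succ, start):
    """Nodes strictly reachable from `start` through the successor map."""
    seen, stack = set(), list(succ.get(start, ()))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, ()))
    return seen


def extension_condition(vertices, arcs, events, a, chosen):
    """Formula (3) for an instance of vertex `a` with predecessor set P given by
    `chosen` (source vertex -> index of the chosen instance; absent if none)."""
    cond = vertices[a]                                     # (i) the vertex is active
    for (b, target), arc in arcs.items():
        if target != a:
            continue
        if b in chosen:                                    # (ii) chosen predecessor and arc active
            cond &= events[chosen[b]].cond & arc
        else:
            # Reading of (iii) used here for an arc with no chosen predecessor: the
            # arc is inactive, or its source vertex is (an arc from an absent vertex
            # does not appear in the projection). Without this, `a` could be added
            # before its predecessor b in opcodes where b -> a is live.
            cond &= neg(arc) | neg(vertices[b])
        for i, ev in enumerate(events):                    # (iii) unchosen instances of b
            if ev.vertex == b and chosen.get(b) != i:
                cond &= neg(ev.cond) | neg(arc)
    for ev in events:                                      # (iv) exclusive with other instances of a
        if ev.vertex == a:
            cond &= neg(ev.cond)
    return cond


def c2l(vertices, arcs):
    """Unfold until (3) is unsatisfiable for every vertex and predecessor choice,
    then derive causality and replace conditions by conflicts."""
    events = []
    while True:
        added = False
        for a in vertices:
            sources = [b for (b, t) in arcs if t == a]
            options = [[None] + [i for i, ev in enumerate(events) if ev.vertex == b] for b in sources]
            for combo in product(*options):
                chosen = {b: i for b, i in zip(sources, combo) if i is not None}
                cond = extension_condition(vertices, arcs, events, a, chosen)
                if cond:
                    events.append(Event(a, cond, tuple(chosen.values())))
                    added = True
        if not added:
            break
    preds = {i: ev.preds for i, ev in enumerate(events)}
    le = frozenset((p, i) for i in preds for p in reachable(preds, i))
    conflicts = frozenset((i, j) for i in range(len(events)) for j in range(i + 1, len(events))
                          if not (events[i].cond & events[j].cond))
    return events, le, conflicts


def cpog_projections(vertices, arcs):
    """P(H): (active labels, transitive causality) for every opcode."""
    pos = set()
    for o in OPCODES:
        active = frozenset(v for v, c in vertices.items() if o in c)
        succ = {}
        for (u, v), c in arcs.items():
            if o in c and u in active and v in active:
                succ.setdefault(u, []).append(v)
        pos.add((active, frozenset((u, w) for u in active for w in reachable(succ, u))))
    return pos


def cles_projections(events, le):
    """Projections of the intermediate CLES, mapped to labels (vertex names)."""
    pos = set()
    for o in OPCODES:
        idx = [i for i, ev in enumerate(events) if o in ev.cond]
        pos.add((frozenset(events[i].vertex for i in idx),
                 frozenset((events[i].vertex, events[j].vertex) for i in idx for j in idx if (i, j) in le)))
    return pos


if __name__ == "__main__":
    events, le, conflicts = c2l(PE2_VERTICES, PE2_ARCS)
    for i, ev in enumerate(events):
        print(i, ev.vertex, sorted(ev.cond), "after", ev.preds)
    print("conflicts:", sorted(conflicts))
    print("P(H) == CLES projections:", cpog_projections(PE2_VERTICES, PE2_ARCS) == cles_projections(events, le))
```

For this input the unfolding produces four events: an instance of a under x followed by an instance of b, and an instance of b under ¬x followed by an instance of a. Events with disjoint truth tables become conflicts (four pairs), and the two maximal configurations are the two orderings a < b and b < a, matching the two projections of the CPOG. Termination follows the argument in the text: the cycle a → b → a has mutually exclusive arc conditions, so condition (iv) eventually empties every candidate table.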
As one can see, c2l is significantly more computationally intensive than l2c: unravelling CPOGs requires the use of a SAT solver. Fortunately, the SAT instances that need to be solved are similar to each other, therefore one can use incremental SAT solving techniques [26] to speed up the algorithm.
Below we show that c2l is correct, i.e. it preserves the set of partial orders.
Theorem 5 Let H = (V, A, X, φ, ρ) be a well-formed CPOG and E = (E, ≤, #, λ) the LES obtained by c2l; then π(Ω(E)) = P(H).
Proof We first show that the intermediate CLES preserves the set of partial orders, and then that Boolean conditions can be safely replaced by conflicts.
i) Let H be a well-formed CPOG, G the CLES obtained by the unfolding procedure before conditions are removed, and ψ a valid opcode. We prove that the actions and dependencies of H|ψ and G|ψ coincide.
⇐) If an event e_v belongs to G|ψ then ψ ⊨ φ_{e_v}, and since (3) implies φ_{e_v} ⇒ φ_v, we know that ψ ⊨ φ_v and v belongs to the events of H|ψ. If in addition e_{v′} ≤ e_v is part of the causality of G|ψ, using (3) again we have ψ ⊨ φ_{v′} ∧ φ_{v′→v}, and then both the vertex v′ and the arc v′ → v are part of H|ψ. Suppose there are vertices of H|ψ that do not have a corresponding event in G|ψ. If such vertices exist, we can always find one (call it v) such that instances of its predecessors (possibly none, if it has no predecessors) exist in the CLES and the corresponding arcs are active. Then event e_v does not belong to the CLES only if there is another instance of vertex v in G|ψ, which leads to a contradiction.
⇒) Suppose there are vertices of H|ψ that are not represented by an event in G|ψ and consider a minimal one w.r.t. → (H|ψ is acyclic). By Remark 2 we know that if the vertex is not there, then the conjunction of the vertices and arcs on the path of H|ψ is unsatisfiable, which leads to a contradiction since ψ is a valid assignment. Clearly there are no events in the CLES that are not instances of a vertex, and (3) imposes that there are not two instances of a vertex in H|ψ. Since the events of H|ψ and G|ψ coincide and the unfolding algorithm appropriately connects the events with their sets of predecessors, the causality imposed by → is preserved by ≤.
ii) Let G be the CLES defined above and E the LES obtained when Boolean conditions are replaced by conflicts. We show that the projections of G coincide with the maximal configurations of E. Two events e1, e2 belong to some projection iff there exists some ψ such that ψ ⊨ φ_{e1} ∧ φ_{e2}; but then e1 and e2 are not mutually exclusive and therefore they are not in conflict in E. Since two events belong to a maximal configuration iff they are not in conflict, e1, e2 belong to the same set of maximal configurations. □
The LES constructed by c2l can have at most exponential size w.r.t. the size of the original CPOG (to fit an exponential number of partial orders), and it is optimal: no smaller LES can represent the same set of partial orders.
Theorem 6 The algorithm c2l constructs a LES E = (E, ·, ·, ·) such that no smaller LES E′ = (E′, ·, ·, ·) with |E′| < |E| can represent the same set of partial orders.
Proof Let E = (E, ·, ·, ·) and E′ = (E′, ·, ·, ·) be two LESs representing the same set of partial orders with |E′| < |E|. Since both LESs represent the same partial orders, there must be two maximal configurations of E representing the same partial order as a single configuration of E′. Let e1, e2 be two conflicting events representing the same label in the two configurations of E; it follows that the predecessors of e1, e2 are equally labeled. Let e′1, e′2 be the ≤-minimal such events; then they are in direct conflict. Call P the predecessors of e′1 and P′ the predecessors of e′2; it follows that P and P′ are not in conflict, otherwise the conflict between e′1, e′2 would not be direct. This implies that the conditions of the events in P and P′ before transforming conditions into conflicts were not mutually exclusive. Since the predicates φ_{e′1} and φ_{e′2} only differ in the parts ⋀_{e_b∈P} φ_{e_b} and ⋀_{e′_b∈P′} φ_{e′_b}, it follows that φ_{e′1} and φ_{e′2} cannot be mutually exclusive, and then e′1, e′2 cannot be in conflict, leading to a contradiction. □
5.3 Composition of algorithms l2c and c2l
In programming languages (particularly in functional ones), fusion or deforestation is a technique that avoids constructing a data structure if the structure will eventually be consumed by a subsequent computation. A hylomorphism is a transformation formed by an unfold followed by a fold; its counterpart, a metamorphism, first folds and then unfolds. In this section we study the composition of the presented transformation algorithms l2c and c2l, which in essence perform folding and unfolding, respectively. We show that the unfolding algorithm reverses the effect of the folding one, i.e. the initial LES and the LES obtained after applying both algorithms are the same. However, applying the transformations in the opposite order does not guarantee that the initial CPOG is obtained, since Boolean conditions are reintroduced in a naive way, using one variable per event. The structure of the underlying graph is nevertheless preserved. These notions are formalized by the following results.
Theorem 7 Consider l2c and c2l as functions between parameterized structures; then c2l ∘ l2c = id, i.e. c2l(l2c(E)) = E for every LES E.
Proof The proof is by induction on the number of events of E.
Base case: n = 0; this case is trivial since E = ∅ implies V = ∅ and the unfolding algorithm returns the empty LES.
Inductive case: assume the result holds for any LES with at most n events. Let e be any maximal event of E (one with no successors) and denote by E∖e the LES resulting from removing e. Clearly E∖e satisfies the inductive hypothesis, and l2c(E∖e) = H∖e and c2l(H∖e) = E∖e, where H∖e is the CPOG constructed by Algorithm 2. Let H be the CPOG obtained by folding E, i.e. l2c(E) = H; we will show that E∖e has a possible extension representing e and computed from H. Notice that H and H∖e may differ only in a vertex (if e is the only event labeled by λ(e)) or in one of its arcs.
Assume λ(e) = a and this label is different from any other label in H∖e (i.e. the folding algorithm will not merge e with any other vertex). Call P the predecessors of e in E; every event in P belongs to E∖e. We need to show that there exists a satisfying assignment of (3). We use individual variables as conditions for each event, hence φ_e cannot be mutually exclusive with any other predicate; also, since there is no other event labeled with the same action as e, the last conjunction of (3) is trivially satisfiable. There cannot be conflicts between events in P and e (since they are its predecessors) and thus the restriction function ρ of Algorithm 2 does not impose that their conditions are mutually exclusive. Any event e_b ∉ P labeled by b was either in conflict with e (and by the restriction function ¬φ_{e_b} holds) or concurrent with it, meaning that there was no arc between b and a and thus ¬φ_{b→a}. We can conclude that (3) has a satisfying assignment and e can be added to E∖e.
If e shares its label with another vertex in H∖e, all of the above also holds except that the last conjunction is no longer trivially satisfiable. Since there are other events with the same label, we need to prove that the instance of the vertex is different from any other in the prefix. Let e_a be another event with the same label; then it holds that e # e_a, since two equally labeled events cannot belong to the same configuration (otherwise the partial order it represents would have two occurrences of label a), and then φ_e and φ_{e_a} are mutually exclusive by the restriction function. Observe that the path from ⊥ to any event is labeled by the conjunction of the predicates of the events on the path. Thus the paths from ⊥ to e and from ⊥ to e_a are also labeled by mutually exclusive predicates. Since the predicate assigned to any possible extension considers the entering arcs (see the second conjunction of (3)), it can be concluded that ¬φ_{e_a} holds and the instance of the vertex corresponding to e is different from any other in E∖e. □
Applying l2c to the result produced by c2l preserves the structure of the underlying graph, but in general does not preserve the conditions.
Theorem 8 Let H = (V, A, ·, ·, ·) and H′ = (V′, A′, ·, ·, ·) be two CPOGs such that H does not contain vertices or arcs with condition False, c2l(H) = E and l2c(E) = H′; then V = V′ and A = A′.
Proof Since a vertex is uniquely identified by its label, to prove that V = V′ we only need to show that the unfolding algorithm adds to the LES at least one event for each label (assuming no vertex has condition False, as such redundant events are not added to the LES); since l2c folds every pair of equally labeled events, preservation in the folding step is trivial. We have already proved in Theorem 5 that the partial orders represented by the LES and the CPOG are the same, therefore for each label there must be at least one event representing it, and we can conclude V = V′. To prove the preservation of arcs, assume there exists some arc b → a ∈ A such that b → a ∉ A′, and let ψ be any opcode reducing φ_{b→a} to True, i.e. the arc is part of the partial order represented by the opcode ψ (such an opcode must exist since φ_{b→a} cannot be False). Since the unfolding algorithm is guaranteed to preserve the represented partial orders (see Theorem 5), there must exist some configuration representing the same partial order as H|ψ (which includes arc b → a), and thus we can assume the existence of events e_b, e_a with e_b ≤ e_a and λ(e_a) = a, λ(e_b) = b. The merging algorithm will transform those events into vertices b and a, and since they are related according to ≤, the arc b → a will be added to A′ by line 10 or line 12 of Algorithm 2, contradicting our initial assumption. □
Corollary 1 The transformation algorithms c2l and l2c are adjoint functors, that is: c2l ∘ l2c ∘ c2l = c2l and l2c ∘ c2l ∘ l2c = l2c.
Proof Immediate from Theorem 7 and Theorem 8. □
6 Experiments
In this section we compare the complexity of LESs and CPOGs on a number of benchmarks. Besides the synthetic examples introduced in Section 4, we use benchmarks coming from Java and C code of multithreaded programs [9,21] (FileSystem, ParallelPi, Synth, Ssb, Stf and Ccnf) and from the VLSI design domain, in particular on-chip communication controllers [5] and processor microarchitectures [14] (ARM Cortex M0 and Intel 8051). The processor benchmarks come from the instruction sets available in [2] and [22], respectively.
Benchmark        POs    CPOG    LES    LPO
PhaseEnc          24      24    158    168
                 120      35    825   1080
                 720      48   5001   7920
DecTree            8      44     36     56
                  16      97     76    144
                  32     195    156    352
TreePhaseEnc      16      70     92    176
                  24      43    160    264
                  48     136    324    624
ARM Cortex M0      9      28     46     54
                  10      29     46     64
                  11      30     50     67
Intel 8051         9      46     71    138
                  10      47     81    158
                  11      51     90    177
FileSystem         2    2952    457      -
                   8    4188   1065      -
                  32    5520   1485      -
ParallelPi       720    3273   2129      -
                5040   15769  26678      -
Synth           1316   43961  54589      -
Ssb                4    3201   3180      -
Stf                6   16064  21003      -
Ccnf            1024      40     30  10240
                2048      44     33  22528
                4096      48     36  49152
Table 1: Experimental results on the complexity of CPOGs and LESs ('-' where the scenarios were not known a priori and no list of partial orders was built).
Table 1 provides a summary of our experimental comparison. Column ‘POs’11
reports the number of partial orders in the benchmark; we additionally report12
24 Herna´n Ponce-de-Leo´n, Andrey Mokhov
on the complexity of both CPOGs and LESs. Where the scenarios were known1
a priori, we also report the size of their uncompressed representation as a list2
of partial orders (column ‘LPO’). For the phase encoders, decision trees, trees3
of phase encoders and processor instructions (i.e. benchmarks where the scenarios4
were known a priori), the CPOGs where synthesized using the synthesis procedure5
introduced in [13] and LESs were constructed using the synthesis and optimization6
introduced in Section 2.1. For the multithreaded programs benchmarks, the inputs7
were programs written in Java or C code. The LESs were extracted from programs8
using the multithreaded testing approaches from [9] and [21], and the CPOGs were9
obtained by transforming the LESs using Algorithm 2.10
The table shows that CPOGs handle permutations of activities very well (PhaseEnc and TreePhaseEnc benchmarks), while LESs can represent branching (DecTree example) with lower complexity. This is consistent with the results of Section 4, where these examples were introduced. For processor instructions, the compactness obtained by CPOGs is better than the one obtained by LESs. This is not surprising, since CPOGs were designed for the compact representation of microprocessor instructions. For the benchmarks coming from multithreaded programs, the results are more balanced, since the CPOG was obtained by the transformation algorithm and not by a synthesis algorithm (the scenarios were not known a priori); this is consistent with Theorem 4, which guarantees that the size of the CPOG obtained using our translation procedure is linear w.r.t. the LES.
For the cases where LESs have higher complexity, this is due to an explosion in the number of events or causalities (the LESs have 100× more events or dependencies than the corresponding numbers of CPOG vertices or arcs). For the multithreaded programs, since the CPOGs were computed by the transformation algorithm introduced in this article, we believe that better reductions could be achieved if the algorithm for direct synthesis of CPOGs was applied instead. This is due to the fact that the transformation algorithm may introduce redundant literals in the computation of the ρ function. A possible solution to this is suggested by the observation below.
The original Java benchmarks were first transformed into Petri net unfoldings (i.e. occurrence nets) using the approach from [9] and then converted into isomorphic LESs. The LESs obtained from C code by the approach from [21] could also be transformed into saturated occurrence nets [17] by adding one condition between each causal pair of events and one condition consumed by each conflicting pair. We measured the complexity of the resulting occurrence nets (number of events, conditions and the size of the flow relation) and in several examples they provided a better compression than the corresponding CPOGs and LESs. This occurred in particular in examples where LESs had lower complexity than CPOGs and the number of conditions in the corresponding occurrence nets was smaller than the number of dependencies and conflicts (see for example Fig. 12). Further reductions can still be obtained if one uses the conversion of [20] instead of the saturated occurrence net mentioned above. We conjecture that a direct conversion algorithm from Petri net unfoldings or occurrence nets to CPOGs, which avoids the intermediate LES construction, would be able to achieve a better compression. This is a topic of our future work.
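The LES-to-occurrence-net construction described above, as an added example (not the authors' code): it builds the saturated net from a LES and compares the two complexity measures on a constructed input. Assumptions: the LES measure counts events plus all stored (transitive) causality and (inherited) conflict pairs, and only immediate causality and non-inherited conflicts receive a condition, since the net's flow already implies the rest.

```python
from itertools import permutations

def transitive_closure(pairs):
    # Smallest transitive relation containing the pairs (e, f), read as e < f.
    lt = set(pairs)
    while True:
        new = {(e, h) for (e, f) in lt for (g, h) in lt if f == g} - lt
        if not new:
            return lt
        lt |= new

def inherit_conflicts(lt, pairs):
    # Closes # under inheritance: x # y and y < h imply x # h.
    cf = {frozenset(p) for p in pairs}
    while True:
        new = {frozenset((x, h)) for p in cf for x, y in permutations(p)
               for (g, h) in lt if g == y} - cf
        if not new:
            return cf
        cf |= new

def les_complexity(events, lt, cf):
    # Assumed measure: events plus all stored causality and conflict pairs.
    return len(events) + len(lt) + len(cf)

def saturated_occurrence_net(events, lt, cf):
    # One condition per causal pair (e -> c -> f) and one initially marked
    # condition consumed by both events of a conflicting pair. Assumption: only
    # immediate causality and non-inherited conflicts need a condition.
    immediate = {(e, f) for (e, f) in lt
                 if not any((e, g) in lt and (g, f) in lt for g in events)}
    minimal = {p for p in cf
               if not any(frozenset((x, g)) in cf for x, y in permutations(p)
                          for g in events if (g, y) in lt)}
    conditions = [({e}, {f}) for (e, f) in immediate]   # (preset, postset)
    conditions += [(set(), set(p)) for p in minimal]
    return events, conditions

def net_complexity(net):
    # Events + conditions + size of the flow relation, as measured in Section 6.
    return len(net[0]) + len(net[1]) + sum(len(a) + len(b) for a, b in net[1])

def net_causality(net):
    # Recovers e < f from the net as the closure of e -> condition -> f.
    return transitive_closure({(e, f) for pre, post in net[1] for e in pre for f in post})

# Constructed LES (not Fig. 12): chain a < b < ... < h plus a branch a < i with b # i.
EVENTS = list("abcdefghi")
LT = transitive_closure(set(zip("abcdefg", "bcdefgh")) | {("a", "i")})
CF = inherit_conflicts(LT, [("b", "i")])
```

On this input the LES stores 29 causal and 7 conflict pairs (complexity 45), while the net needs 9 conditions and 18 flow arcs (complexity 36) and still recovers the same causality relation.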
Finally, it can be concluded that for the cases where the number of scenarios is exponential w.r.t. one of the formalisms (PhaseEnc or Ccnf) the use of the transformation algorithms presented in the article is highly desirable to avoid the memory allocation for all the partial orders in an uncompressed form.
Fig. 12: A LES with complexity 10 and the corresponding occurrence net from [20] with complexity 9.
7 Conclusion
The paper discusses the use of two models (LESs and CPOGs) for a compact representation of sets of partial orders. We show that LESs work well on practical examples coming from multithreaded programs; however, due to their acyclic nature they cannot efficiently handle the cases where sets of partial orders contain many permutations defined on the same set of events. These cases are very well handled by CPOGs; however, the use of Boolean conditions for resolving conflicts makes them less intuitive and more demanding from the algorithmic complexity point of view: in particular, most interesting questions about CPOGs are NP-hard. The advantages of both models are combined by CLESs, which are used as an intermediate formalism by the presented algorithms; these can transform a set of partial orders from a given compressed representation in a LES or a CPOG into an equivalent compressed representation in the other formalism without the explicit enumeration of all partial orders.
Our future work includes further optimization of the presented algorithms, their integration with the Workcraft modeling and verification framework [1][18], and validation on larger case studies. As mentioned above, direct transformations from occurrence nets and merged processes into CPOGs will be studied.
Acknowledgements This work was partially supported by EPSRC research grants A4A (EP/L025507/1) and UNCOVER (EP/K001698/1) and by the Academy of Finland projects 139402 and 277522.
References
1. Workcraft webpage (2016). www.workcraft.org
2. ARM Ltd.: ARMv6-M Architecture Reference Manual (2010)
3. van Beest, N.R.T.P., Dumas, M., García-Bañuelos, L., Rosa, M.L.: Log delta analysis: Interpretable differencing of business process event logs. In: Business Process Management - 13th International Conference, BPM 2015, Innsbruck, Austria, August 31 - September 3, 2015, Proceedings, pp. 386–405 (2015)
4. Berkeley Logic Synthesis and Verification Group: ABC: A System for Sequential Synthesis and Verification, Release 70930. http://www.eecs.berkeley.edu/~alanmi/abc/
5. D'Alessandro, C., Mokhov, A., Bystrov, A.V., Yakovlev, A.: Delay/phase regeneration circuits. In: 13th IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC 2007), 12-14 March 2006, Berkeley, California, USA, pp. 105–116. IEEE Computer Society (2007). DOI 10.1109/ASYNC.2007.14
6. Diekert, V., Rozenberg, G. (eds.): The Book of Traces. World Scientific Publishing Co., Inc. (1995)
7. Esparza, J.: Decidability and complexity of Petri net problems – an introduction. In: Lectures on Petri Nets I: Basic Models, pp. 374–428. Springer (1998)
8. Haar, S., Rodríguez, C., Schwoon, S.: Reveal your faults: It's only fair! In: ACSD, pp. 120–129 (2013)
9. Kähkönen, K., Heljanko, K.: Testing multithreaded programs with contextual unfoldings and dynamic symbolic execution. In: 14th International Conference on Application of Concurrency to System Design, pp. 142–151 (2014). DOI 10.1109/ACSD.2014.20
10. Khomenko, V., Kondratyev, A., Koutny, M., Vogler, W.: Merged processes: a new condensed representation of Petri net behaviour. Acta Informatica 43(5), 307–330 (2006)
11. McMillan, K.: Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In: Computer Aided Verification, pp. 164–177. Springer (1993)
12. Milner, R.: A calculus of communicating systems, vol. 92. Springer Verlag Berlin (1980)
13. Mokhov, A., Alekseyev, A., Yakovlev, A.: Encoding of processor instruction sets with explicit concurrency control. IET Computers & Digital Techniques 5(6), 427–439 (2011)
14. Mokhov, A., Iliasov, A., Sokolov, D., Rykunov, M., Yakovlev, A., Romanovsky, A.: Synthesis of processor instruction sets from high-level ISA specifications. IEEE Trans. Computers 63(6), 1552–1566 (2014). DOI 10.1109/TC.2013.37
15. Mokhov, A., Khomenko, V.: Algebra of parameterised graphs. ACM Transactions on Embedded Computing Systems 13(4s) (2014)
16. Mokhov, A., Yakovlev, A.: Conditional partial order graphs: Model, synthesis, and application. IEEE Trans. Computers 59(11), 1480–1493 (2010)
17. Nielsen, M., Plotkin, G.D., Winskel, G.: Petri nets, event structures and domains, part I. Theoretical Computer Science 13, 85–108 (1981)
18. Poliakov, I., Sokolov, D., Mokhov, A.: Workcraft: a static data flow structure editing, visualisation and analysis tool. In: Petri Nets and Other Models of Concurrency, pp. 505–514. Springer (2007)
19. Ponce de León, H., Mokhov, A.: Building bridges between sets of partial orders. In: Language and Automata Theory and Applications - 9th International Conference, LATA 2015, Nice, France, March 2-6, 2015, Proceedings, pp. 145–160 (2015)
20. Ponce de León, H., Rodríguez, C., Carmona, J., Heljanko, K., Haar, S.: Unfolding-based process discovery. In: Automated Technology for Verification and Analysis - 13th International Symposium, ATVA 2015, Shanghai, China, October 12-15, 2015, Proceedings, Lecture Notes in Computer Science, vol. 9364, pp. 31–47. Springer (2015)
21. Rodríguez, C., Sousa, M., Sharma, S., Kroening, D.: Unfolding-based partial order reduction. In: 26th International Conference on Concurrency Theory, CONCUR 2015, Madrid, Spain, September 1-4, 2015, pp. 456–469 (2015)
22. Rykunov, M.: Design of asynchronous microprocessor for power proportionality. Ph.D. thesis, Newcastle University (2013)
23. Sung-hyuk, C.: A genetic algorithm for constructing compact binary decision trees. In: International Journal of Information Security and Privacy, pp. 32–60 (2010)
24. Valmari, A.: The state explosion problem. In: Lectures on Petri Nets I: Basic Models, pp. 429–528. Springer (1998)
25. Wegener, I.: The Complexity of Boolean Functions. Johann Wolfgang Goethe-Universität (1987)
26. Zhang, L., Malik, S.: The quest for efficient Boolean satisfiability solvers. In: Computer Aided Verification, pp. 17–36. Springer (2002)
