
The design of Saturation for the LTSmin toolset as presented in the previous section is implemented in the tool, but in practice the presented design has to address some implementation-specific details as well. These issues will be discussed for the algorithm itself and for the LTSmin toolset in sections 4.3.1 and 4.3.2, respectively. When dealing with issues inside MDD libraries, the focus lies on the ATermDD library.

4.3.1 Implementation-specific adjustments for Saturation

In addition to the design of the Saturation algorithm, some issues related to the LTSmin toolset, and especially inside the ATermDD library, need to be addressed for the algorithm to function properly.

In the LTSmin toolset the level numbers of an MDD tree are traversed in reverse order: the level with the root node is considered level 0, and when traversing down the MDD tree the level number increases until the terminal nodes, which occur at level number K + 1. The algorithm can easily be adjusted to cope with this: start the Saturation process at level number 0, and wherever the original algorithm decreases the level number by 1, increase it by 1 instead.

Another issue for consideration is the usage of the global lookup table for storing intermediate state space results during computation of the relational product. This lookup table uses an (MDD tree, MDD tree) tuple as key and a single MDD tree as value. Storing a tuple of MDD trees as key is not possible, but this can be resolved quite easily by constructing a new data object containing the level number, the transition group ID, and two links pointing to the two separate MDD trees (see Figure 4.6 below). The newly constructed MDD tree then functions as the key for the lookup table.

In this case it is important to store both the level number and the transition group ID in an MDD node, because one of the MDD trees stored as part of the composite key is the MDD tree for parts of a particular transition group. Since the MDD encodings use fully-reduced MDDs for the transition groups, this can cause mismatches in the lookup table when a value is retrieved for another event at the same level number. When only the level number is used in the composite key, a match may be found in the lookup table because of similar MDD parts for different transition groups (which causes the algorithm to think it has computed this partial result before). This issue is visualized in Figure 4.7. A further consequence of using the transition group ID in the lookup table belonging to the relational product computations is that the transition group ID itself needs to be known during these computations. Unfortunately the available functions in the MDD library do not keep track of which transition group ID is currently being used; this has been resolved by introducing an extra parameter to the affected functions to keep a reference to the transition group ID (e.g. parameter grp in function startRelProd).

Figure 4.6: Visualization of the key and value used in the lookup table from the relational product.


Figure 4.7: Pictorial overview of using a bad key for the lookup table from the relational product.
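The bad-key problem described above can be reproduced with a small model. This is an added example, not code from ATermDD or LTSmin: the names rp_entry, rel_prod, apply and writes_level are hypothetical, a "set" is a bitmask of the values one variable can take, and a relation node is a plain integer id.

```c
#include <stdio.h>

/* Constructed model, not ATermDD code. One cache entry per computed
 * relational product; (level, grp, set, rel) is the composite key. */
typedef struct { int level, grp, set, rel, result; } rp_entry;

#define CACHE_SIZE 32
static rp_entry cache[CACHE_SIZE];
static int cache_len;

/* Level each transition group writes (assumed sample data). */
static const int writes_level[2] = { 1, 2 };

void cache_reset(void) { cache_len = 0; }

/* Uncached step: a group increments the variable at the level it writes
 * and leaves other levels untouched (they are skipped in a fully-reduced
 * MDD), so the same relation node means different things per group. */
static int apply(int level, int grp, int set) {
    return level == writes_level[grp] ? (set << 1) & 0xff : set;
}

/* Memoised relational product. With key_has_grp == 0 the key is only
 * (level, set, rel): the incomplete key the text warns about. */
int rel_prod(int level, int grp, int set, int rel, int key_has_grp) {
    for (int i = 0; i < cache_len; i++) {
        rp_entry *e = &cache[i];
        if (e->level == level && e->set == set && e->rel == rel &&
            (!key_has_grp || e->grp == grp))
            return e->result;                 /* cache hit */
    }
    int r = apply(level, grp, set);
    if (cache_len < CACHE_SIZE)
        cache[cache_len++] = (rp_entry){ level, grp, set, rel, r };
    return r;
}

/* Group 0, then group 1, on the same (level, set, rel); returns the
 * answer group 1 receives. */
int second_group_result(int key_has_grp) {
    cache_reset();
    rel_prod(1, 0, 0x03, 7, key_has_grp);        /* group 0: {0,1} -> {1,2} */
    return rel_prod(1, 1, 0x03, 7, key_has_grp); /* group 1 must keep {0,1} */
}

int main(void) {
    printf("key without grp: 0x%02x\n", second_group_result(0));
    printf("key with grp:    0x%02x\n", second_group_result(1));
    return 0;
}
```

Without the group ID in the key, group 1 is handed group 0's cached result; with it, group 1 gets its own.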

When using the lookup tables as they are now, for the General Prebuilt Saturation algorithm inside the option sat-ddd it is important that the lookup tables are reset when the Saturation loop (in vset_least_fixpoint in spec-reach.c) is re-entered. This is due to the chance that parts of the state space so far have already been stored in the lookup table (and also due to the usage of incomplete keys). The algorithm thinks it has encountered a certain part of the state space before and will not revisit it, although its transition groups may have been updated with new transitions (outside the Saturation loop).

Finally, some initialization and clean-up operations need to be added before and after the Saturation process in the MDD library. For the initialization, a number of global lookup tables need to be created, which are empty at the beginning. Also, references to the transition groups that are passed to the function vset_least_fixpoint (in spec-reach.c) need to be stored; a global variable is used for this. It is possible to pass it as a parameter when calling the functions related to the Saturation algorithm and use it inside the function performing the start of the fix-point computation, but this does not make the functions more readable.

And after the Saturation process is finished, some clean-up operations are performed by freeing allocated memory (which does not happen automatically in C).

A summary of the initialization and clean-up operations inside the MDD library is depicted using pseudo code in Figure 4.8. The functions reach_sat_ddd and reach_sat_ciardo represent the concrete implementation of options sat-ddd and sat-ciardo, respectively (more about this in the next section).


Figure 4.8: Passing on calls of vset_least_fixpoint in spec-reach.c to atermdd.c.

4.3.2 Implementation-specific adjustments for LTSmin toolset

The LTSmin toolset itself cannot cope with the Saturation algorithm unless some additional implementation-specific issues are resolved.

First of all a new reachability option should be introduced in spec-reach.c and for this purpose the option is given the name sat-ciardo. The available reachability options of the LTSmin toolset are extended with this new option to make sure it considers the option as legitimate when the user provides it.

Also a new high-level reachability function is added in spec-reach.c, named reach_sat_ciardo. Basically it is a simplified version of the function reach_sat_ddd, in which it calls the function vset_least_fixpoint only once, because the update process of the transition groups is handled within this function (also see Figure 4.8).

Another major issue is dealing with the update process of the transition groups. At a high level in spec-reach.c there already exists a function which is capable of updating the transition groups, namely expand_group_next. Unfortunately this function can only handle MDD sets in which all levels are present, but this is not the case when using the Saturation process, in which transition groups are updated using the latest MDD tree that can start at a certain intermediate level. To be able to reuse the function expand_group_next and leave it intact as it is, some modifications have been made in the projection function inside the MDD library itself. An additional global variable is introduced indicating at which MDD level to start projecting, and this variable is set at the point just before the expand_group_next function is called (this would happen between lines 27 and 28 in Listing 4.1, which is not shown in the pseudo code). When the projection function inside expand_group_next is called, it will use the set global variable to start projecting from a certain MDD level. This global variable is reset to 0 (indicating top level of MDD tree) at the end of the projection function to prevent miscomputations with the projection later on. The advantage of using such a construct is that spec-reach.c is left unchanged. But a disadvantage is that between the call to expand_group_next and the first call to the projection function, no calls to this projection function can be made. Currently this is not the case in expand_group_next, but in future modifications of this function it may become a problem if it involves the projection function.
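The one-shot global described above, and the ordering hazard it creates, can be modelled in a few lines. This is an added example, not code from the MDD library: proj_start_level, project and expand_group are hypothetical stand-ins, and an MDD is reduced to an array with one value per level.

```c
#include <stdio.h>

#define LEVELS 4

/* Hypothetical stand-in for the library's global: the level at which the
 * next projection starts; 0 means the top of the MDD tree. */
static int proj_start_level = 0;

/* Model projection: copy src from the start level downwards into dst,
 * return how many levels were copied, then reset the global. */
int project(const int *src, int *dst) {
    int n = 0;
    for (int lvl = proj_start_level; lvl < LEVELS; lvl++)
        dst[n++] = src[lvl];
    proj_start_level = 0;  /* one-shot: later projections start at the top */
    return n;
}

/* Stand-in for expand_group_next: the first thing it does is project. */
int expand_group(const int *src, int *dst) { return project(src, dst); }

/* Intended use: set the level immediately before the call. */
int update_from_level(const int *src, int *dst, int level) {
    proj_start_level = level;
    return expand_group(src, dst);
}

/* Hazard: any projection that runs before the intended one consumes the
 * setting, so the intended projection silently starts at level 0. */
int update_with_intervening_projection(const int *src, int *dst, int level) {
    int scratch[LEVELS];
    proj_start_level = level;
    project(src, scratch);           /* unrelated call eats the start level */
    return expand_group(src, dst);   /* projects from the top again */
}

int main(void) {
    int src[LEVELS] = { 10, 11, 12, 13 }, dst[LEVELS];
    printf("intended: %d levels\n", update_from_level(src, dst, 2));
    printf("hazard:   %d levels\n",
           update_with_intervening_projection(src, dst, 2));
    return 0;
}
```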


To be able to call the function expand_group_next from within Saturation inside the MDD library, a function pointer to this function type is added in the vector relation structure. Together with this adjustment, a new vector set operation called vrel_set_expand_relation is introduced which initializes this function pointer for a certain transition group (for which also the vector domain is adjusted). The initialization of this function pointer occurs during the initialization phase of calling the reachability tool (in spec-reach.c).

Storage of the function pointer per transition group creates the possibility of storing different types of update functions per transition group, allowing more flexibility in future extensions of the tool.

Also since both option sat-ddd and sat-ciardo use the same Saturation algorithm implemented in the MDD library, additional checks inside the Saturation algorithm are inserted that check if the aforementioned function pointer for the transition groups is set. If this is the case, then the algorithm knows that option sat-ciardo is currently performing (where transition groups are updated within Saturation) and otherwise it is certain that option sat-ddd is running (where transition groups are updated outside Saturation). A visualization of the discussed issues using pseudo code is depicted in Figure 4.9.

Figure 4.9: Passing on calls related to update process of transition groups between spec-reach.c and atermdd.c.

Most low-level MDD operations in the ATermDD library depend on a single global lookup table for storing intermediate calculated results. This global lookup table is reset immediately after performing one such MDD operation, to prevent mismatches when using other MDD operations that rely on the same global lookup table. One such MDD operation is the union operator for taking the union of two MDDs (at a certain level). For General Prebuilt Saturation the usage of the global lookup table is not interrupted by other MDD operations which use this lookup table too. But for General On-the-fly Saturation this does happen, due to the update process of the transition groups, where for instance the projection operator comes into play. To cope with this issue, the union operator has been copied and renamed, and this copy is only used by the Saturation process. The copy of the union operator uses a newly introduced lookup table, specifically for storing intermediate calculated results obtained during the union operation. Although this solution is far from perfect (due to copying a function), it avoids tampering with the original union operator, which is called by other functions in the MDD library.
