Journal of Applied Mathematics

Volume 2014, Article ID 352152, 20 pages

http://dx.doi.org/10.1155/2014/352152

## Unified Mathematical Framework for Slicing and Symmetry Reduction over Event Structures

^{1}G&S Labs, School of Software, Dalian University of Technology, Dalian 116620, China^{2}School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070, China^{3}School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China

Received 28 January 2014; Accepted 27 April 2014; Published 12 June 2014

Academic Editor: Xiaoyu Song

Copyright © 2014 Xinyan Gao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Nonclassical slicing and symmetry reduction can act as efficient structural abstract methods for pruning state space when dealing with verification problems. In this paper, we mainly address theoretical and algorithmic aspects for nonclassical slicing and symmetry reduction over prime event structures. We propose sliced and symmetric quotient reduction models of event structures and present their corresponding algorithms. To construct the underlying foundation of the proposed methodologies, we introduce strong and weak conflict concepts and a pair of mutually inverse operators and extend permutation group based symmetry notion of event structures. We have established a unified mathematical framework for slicing and symmetry reduction, and further investigated the translation, isomorphism, and equivalence relationship and other related basic facts from a theoretical point of view. The framework may provide useful guidance and theoretical exploration for overcoming verification challenges. This paper also demonstrates their practical applications by two cases.

#### 1. Introduction

Generally, to detect whether a finite execution trace of a distributed program satisfies a given predicate, namely, predicate detection (a kind of verification problems), is a fundamental problem in asynchronous distributed systems. It has applications in many domains such as testing, debugging, and monitoring of distributed programs and it is also a powerful runtime verification method.

Unfortunately, predicate detection is NP complete [1] and suffers from the excessive size of the state space and the state explosion problem—the number of possible global states of the program increases exponentially owing to simple combination.

To deal with this problem, several useful reduction techniques have been suggested in succession for reducing the state space in recent years, such as partial order reduction and symmetric reduction methods [2–4].

On the one hand, the basic observation is that many distributed or concurrent systems exhibit a certain degree of symmetry, for example, a system composed of identical or isomorphic components whose identities are interchangeable from a verification point of view. This kind of structural symmetry in the system is also reflected in the full state space of the system. The main idea behind the symmetry reduction method is to figure out this symmetry and obtain a condensed state space which is typically much smaller than the full state space, but from which the same kind of properties of the system can be derived without unfolding the condensed state space to the full state space. Thus, it can be used to verify any property of the original model.

On the other hand, a slice of a system with respect to a criterion is a subsystem that only contains all the states of the original system that satisfy this specification. The advantage of this technique lies in the fact that the detection is performed only on the small part of the global state space which is of interest. In many cases, the slice is exponentially smaller than the original. In order to tangle predicate detection problem, nonclassical slicing technique, named computation slicing, as an abstraction mechanism, inspired by the classical program slicing of Weiser [5, 6], was first proposed by Garg and Mittal [7].

For the majority predicate classes, the computation slicing algorithm has polynomial-time complexity and gains exponential reduction of state spaces. Computation slicing has been proved to be an efficient technique for pruning state space of predicate detection in distributed computation. Moreover, it has also been successfully applied to solve the problems of temporal properties verification in transaction level hardware descriptions such as PCI local bus protocol and the MSI (modified shared invalid) cache coherence protocol [6] in SoC (system on chip) systems and so forth.

Due to the restriction of partial order execution trace model [5, 8], this approach has some limitations. Firstly, it is a runtime checking method and only checks a single partial execution trace once. It is not easy to obtain 100% path coverage even though this detection is performed multiple times. Thus, it is not suitable for exhaustive analysis by reasoning about all possible execution of the system model. Secondly, its underlying model is partially ordered set and it is not expressive enough to handle these models with explicit choice structures or conflicts. Because all the runtime traces do not contain any conflict information, it is not convenient to analyze the system under construction statically.

In this paper, we extend the notion of computation slicing from partial order traces to prime event structures with conflict. We propose a more general event structure slicing notion and a complete mathematical theoretical framework for computing the event structure slices.

The main idea is that a prime event structure can be viewed as such a system model consisting of several conflict-free substructures. These substructures themselves are in mutual weak conflict. Any of such conflict-free event substructures of a prime event structure acts as a partial order execution trace which can be sliced by traditional computation slicing algorithm. Based on this idea, we propose a partition approach to decompose a prime event structure into a group of conflict-free substructures equivalently. Each of these substructures can be sliced with respect to a given slicing criterion by the existing slicing algorithm and we can get a set of the sliced substructures. We have proved that these sliced results can be composed together and yield a new prime event structure by a so-called weak choice composition operation. We have shown that the newly generated prime event structure is the slicing result of the original prime event structure. Meanwhile, based on above partition, we can detect structural symmetry property and make symmetric reduction on each substructure of the original system. In additional, we also investigate the relationship between the symmetric reduction model and the original one.

The main contribution of our work can be summarized as follows. We introduced the slicing notion into the area of event structure and extended nonclassical computation slicing with conflict. We also proposed a unified mathematical framework as a common theory basis for event structure slicing and symmetry reduction. We also made a comparison between our event structure slicing and the traditional computation slicing and demonstrated the mathematical aspects of this framework.

The rest of this paper is structured as follows. Related work is discussed in Section 2. Section 3 introduces the notion of event structure and other basic definitions. Section 4 describes two core operators over event strictures. Slicing reduction derived from computation slicing will be discussed in Section 5. Symmetry reduction theory based on permutation group is reported in Section 6. The overall mathematical framework for event structure slicing and symmetry reduction will be provided in Section 7. In the last section, we make a short summary of our work.

#### 2. Related Work

Regarding the slicing technique, the work in [5, 6] proposed classical program slice idea firstly by Weiser. Given a program and a set of variables, a program slice consists of all statements in the program that may affect the value of the variables in the set at some given point.

During years after the program slice notion was proposed, a lot of work based on this notion had been performed. For example, in 1992, the notion of a slice has been also extended to distributed programs [9]. In 2000, the notion of a nonclassical computation slice, which is very similar to the concept of a program slice, has been proposed. In work [7, 10], computation slice over partial order traces was firstly investigated by Garg and Mittal, de Bakker et al. This computation slice notion is based on partial order traces model, which is a special case of event structure without conflict.

Event structure, as an true concurrency model [11–16], can be taken as an extension of partial order model. In concurrency theory, event structures constitute a major branch of concurrent models. These were initially developed as a link between Petri nets and Scott domain theory [17] and have since been extensively applied as a semantic model for process algebras, for example [18].

All the previous work [7, 8, 19, 20] does not consider the case with conflict. Compared with them, our work is aimed to extend this slicing notion to the area of event structure.

On the other hand, as for symmetry reduction, the use of symmetry to reduce state space has been investigated widely by researchers. Technically speaking, symmetry in event structures [3, 4] is similar to symmetry in model checking [2, 21, 22]. In work [23], a category of event structures with symmetry was introduced and its categorical properties were investigated, while our work is relevant to the structural reduction via symmetry property over event structure model.

In our previous work [24], we have extended this technique to event structure area. In this paper, we will further investigate the common basis for both slicing and symmetry reduction over event structures and provide a unified framework.

#### 3. Event Structure and Basic Definitions

In this section, we will introduce the notion of prime event structure [11, 17, 25, 26] and the basic definitions we use throughout the paper. The prime event structure is firstly defined and other related key notions are introduced. Moreover, we focus on finite prime event structures only.

*Definition 1 (prime event structure). *A* prime event structure* (over an alphabet , a set of actions) is a 4-tuple structure with (i), a finite set of events;(ii), a partial order, the causality relation, satisfying the principle of finite causes: for all is finite and the inverse of is denoted by ;(iii), the (irreflexive and symmetric) conflict relation, satisfying the principle of conflict inheritance: ;(iv), the action-labelling function.

A prime event structure (for short, an event structure) represents a system in the following way: the action names are activities which the system may perform, an event labelled stands for a particular occurrence of an action, indicates that cannot occur before has, and indicates that actions and can never occur together in one run.

The conflict inheritance property states that if an event is in conflict with some event , then it is in conflict with all causal successors of .

From the causality relation, it is not difficult to derive a notion of* causal independence:*

Let denote the domain of prime event structures labelled over and stand for the empty event structure. Generally, the components of an event structure will be denoted by , and , respectively. More specifically, . If clear from the context, the index will be omitted; that is, is also a valid form.

Additionally, for , the restriction of to can be defined as . Let denote all causal successors of an event ; that is, .

*Definition 2 (event substructure). *Let and be event structures; is called a* substructure* of (denoted by ) if and only if (i);(ii)for all ;(iii)for all .

*Definition 3 (conflict-free event structure). *An event structure is called* conflict-free event structure* (denoted by , for short) if and only if its conflict relation is empty; that is, .

Let denote the domain of conflict-free prime event structures.

In order to characterize the conflict relationship between two conflict-free event structures (or substructures of a prime event structure), we introduce the following basic definitions: strong conflict, weak conflict, and weak conflict event structure set (for short, weak conflict set).

*Definition 4 (strong conflict). *Let and . The conflict relation between and and and is called* strong conflict *if and only if for all , , denoted by . and are called* strong conflict* if and only if their event sets are in mutually strong conflict, that is, for all , denoted by .

More generally, for any and , the relation between nonempty and is called* extended strong conflict* if and only if for all , , denoted by . That is, each of is in conflict with each of and the existence of conflict relation in or is allowed.

*Definition 5 (weak conflict). *Let and . The conflict relation between event sets and and and is called* weak conflict* if and only if , denoted by . The conflict-free event structures, and , are called* weak conflict* if and only if their event sets are in weak conflict; that is, for all , denoted by .

Stated in words, it is not that each event of is in conflict with each event of , but there exists at least one conflicting event pair between and .

Basically, according to the previous definitions, strong conflict relation is a special case of weak conflict relation.

*Definition 6 (weak conflict set). *Let over event set , is called a* weak conflict set* if and only if and for all .

For convenience, let denote the family of weak conflict event sets.

*Definition 7 (maximal conflict-free event substructure). *Let be an event structure; any event subset is called a* maximal conflict-free event subset* (for short, mcfset) of if and only if it satisfies the following: (1)for all ;(2)for all .

Its corresponding substructure is called* maximal conflict-free event substructure* of ; that is, .

#### 4. Operators over Event Structure

In this section, a pair of mutually inverse operators, (conflict-free partition) and (weak conflict composition), will be introduced and discussed. For any prime event structure , partition and composition operation over it can be associated via its family of configurations.

##### 4.1. Maximal Conflict-Free Partition

In fact, a prime event structure can be viewed as a system consisting of several substructures, which are conflict-free themselves. Such a conflict-free event substructure of a prime event structure represents a specific possible partial order execution trace via branching or nondeterministic choices. For any prime event structure, it is a certainty that we can get its maximal conflict-free substructures by some kind of conflict-free partition operation according to the characteristics of its conflict relation.

First of all, we give the definition of maximal conflict pattern for an event structure. The notion of maximal conflict pattern can make great contributions to accelerate the process of partition by avoiding unnecessary partition steps. We then provide the key partition algorithm for a prime event structure.

*Definition 8 (maximal conflict pattern). *Let ; for any and , is called a* maximal conflict pattern*if and only if for all , for all .

For any prime event structure, we can get these maximal conflict patterns by the following two steps:(1)casual successors expanding;(2)conflict pairs merging.

Firstly, due to the conflict inheritance property, we know that if event is in conflict with event then their casual successors are also in mutual conflict; that is, .

Let and ; we have that and are in strong conflict if ; namely, .

For example, for a prime event structure , if and casual relations are ,, and , we then have .

We also have that any nonempty subset of and any nonempty subset of are also in strong conflict.

Consider a prime event structure whose conflict relation has conflict pairs. Expand each conflict relation with its successors according to the conflict inheritance property and we can get full conflict relation pairs: ; here, .

Secondly, for such a group of full conflict relation pairs obtained by the above steps, there may exist common elements among some pairs that can be merged together and form a maximal conflict pattern. For example, events , and are mutually in conflict; we have six immediate conflict relation pairs: , , , , , and .

From the principle of permutation, we then have three maximal conflict patterns by merging conflict pairs: , , and . Equivalently, , , and are also the valid maximal conflict patterns.

Assume that there are maximal conflict patterns after expanding and merging which are , respectively.

Here, denotes the th pattern, and .

If , then any nonempty subset of and any nonempty subset of are also in extended strong conflict.

For any event set , let denote any nonempty subset of ; correspondingly, denotes a conflict subpattern of .

Formally, is called a* conflict subpattern* of if and only if , denoted by (or ). Otherwise, (or ).

Let denote the maximal conflict pattern set of an event structure .

For any prime event structure, it is a certainty that we can get its maximal conflict-free substructures by some kind of conflict-free partition operation according to its conflict relation characteristics:* maximal conflict patterns*. Thus, we have the following theorem for partition.

Theorem 9. *For any prime event structure, its maximal conflict-free partition exists and the partition result is unique.*

*Proof. (1) Existence.* The proof is constructive.

If there is no conflict in , then itself is the maximal conflict-free event subset of . Otherwise, for any nonempty event subset , and there exists such maximal conflict pattern that .

In order to make a subset of become conflict-free with respect to the conflict relation: , that is, eliminate this conflict relation from its all subsets, we have known that if (or ), then there should be (or ); otherwise, the conflict pattern will still exist in its subsets.

By greedy policy, let and be both maximal inclusion subsets with respect to calculated by and , respectively. This means the current event set will be partitioned into two parts by this maximal conflict subpattern: one part is , and the other is . Certainly, there exists no conflict relation between and any more. If there does not exist any conflict in (or ), then (or ) is one conflict-free event subset of .

Otherwise, apply the next maximal conflict pattern to all the previously obtained event subsets in the same manner. This partition process is continued until no conflict exists.

As we know, if each pattern of the maximal conflict patterns set has been applied just once by the above manner, then any consequent subset will be conflict-free and the partition process will stop. Meanwhile, there are conflict-free subsets at most.

Because intersection of and can be nonempty, thus the partition tree is not yet a full binary tree and set inclusion among these solution nodes is allowed. If some subsets are included by others, then they will be removed until every result subset cannot be included by others. It is not difficult to verify that every consequent subset is maximal and conflict-free. Exploiting these expanded fully conflict patterns to partition the event set step by step, we will eventually get all maximal conflict-free event subsets. That is, there exists a practical algorithm to implement the partition operation. Without loss of generality, let denote such partition for the time being.

*(2) Uniqueness.* Assume we have distinct maximal conflict-free event subsets in total by partition . These subsets form a set of , denoted by .

We might as well assume there is another partition that generates the result set which is also a set of .

Consider any element of ; let denote it. The relationship between an element in and satisfies the following.(1). Since , then . We have known that is maximal, and now event subset is also a subset of and is in weak conflict with other event subsets except . Moreover, includes . This case leads to a contradiction.(2). The proof is similar to the above case (1). This case also leads to a contradiction.(3).(3.1). Since is also a subset of , thus, is a valid set of . There are subsets in this partition . This is in contradiction with that there are subsets in .(3.2). Since , then ; that is, is a valid set of . is maximal; moreover, is maximal too. This leads to a contradiction.(3.3). The proof is similar to the above case (3.2). This case also leads to a contradiction.

Therefore, we are forced to have only ; that is, any element in is also an element in ; we get ; in the same manner, we will get . Thus, we have .

This establishes the uniqueness and also implies the partition result is independent of partition order or conflict pattern.

Therefore, we have the conclusion.

Assume has in total. Here, let (, for short) denote total amount of , denote the th maximal conflict-free event substructure, and denote the event set of .

Then the result set can be represented as .

In fact, every of the original prime event structure represents a specific possible execution choice in a system run. We might as well let denote such an operator. Then, we have the following definition of this partition operator.

*Definition 10 (conflict-free partition). *An operator is called* conflict-free partition* operator for if and only if .

According to our previous discussion, we have C-like pseudocode descriptions: Algorithm 1 for .

##### 4.2. Family of Configurations

In general, the behavior of an event structure is described by its configurations which are sets of events with certain properties. In other words, a configuration is a set of events that have happened during a specific run of the event structure.

We will review the basic definition of configuration in the following section. More detailed information can be found in [26].

*Definition 11 (configuration). *Let be a subset of of a prime event structure ; then is called a* configuration* of if and only if (1) is left-closed if and only if .(2) is conflict-free if and only if .

A configuration can also be viewed as a global state where all events in the configuration have occurred. The configuration of the event structure should be conflict-free because conflicting events can never happen in a system run. In addition, all casual predecessors of an event in a configuration should be contained in this configuration too; that is, configuration should be downwards closed; otherwise this event could not have happened at all.

That is, a subset is a (finite) configuration of if and only if it is finite, left-closed, and conflict-free.

The semantics of a prime event structure is defined as the family of its configurations ordered by set inclusion. Let denote the family of all configurations of event structure , which forms an ordered set (called prime algebraic coherent partial order; see [16]) by inclusion; that is, is partial order.

*Definition 12. *A configuration is called* complete* or (successfully)* terminated* if and only if . A configuration is called* maximal* if and only if .

For any prime event structure , a configuration of is maximal if and only if it is complete. Obviously, for any maximal configuration of a prime event structure, there exists a corresponding maximal conflict-free substructure set. An empty or initial configuration, denoted by , represents the initial state in which there is no event happened.

In general, initial configuration and complete configuration are also called trivial configurations, while others are called nontrivial configurations.

Similarly, we have the following configuration definition for conflict-free event structure.

*Definition 13 (configuration of ). *Let be a and let be a subset of ; then is called a configuration of if and only if is left-closed; that is, .

Since , its event subset is evidently conflict-free.

Let denote the family of all configurations of conflict-free event structure . Clearly, when is the th : of prime event structure , its family of all configurations is denoted by .

*Definition 14 (subfamily of configurations). *Let be a and let be a nonempty event subset; a subfamily of configurations of with respect to event subset is the family of configurations of its event substructure restricted by event subset ; that is, .

Clearly, for any of event structure , its subfamily of configurations with respect to event subset is denoted by for convenience.

Lemma 15. *The relation between the family of configurations of a prime event structure and that of its can be described by .*

*Proof.* To prove the result of this lemma, we will show that
both hold.

*(1) *“”. For any configuration , since is a configuration, by definition, should be conflict-free. Thus should be the subset of one of the maximal configurations. Otherwise, if is greater than any maximal configuration, then must contain mutual conflicting events; that is impossible.

Therefore, we have that there must exist a maximal configuration which contains . Such a maximal configuration corresponds to a maximal conflict-free event subset: ; that is, must be the element of ; that is, . We have .

*(2) *“”. For any configuration , of course, ; this implies and ; therefore, we get . Since is a configuration, it is also a configuration of ; that is, .

We have .

Therefore, from (1) and (2), we have the result.

##### 4.3. Domains of Configurations

In this section, we will discuss the concept of domain from the point of view that computation states are taken as such subsets and progress in a computation is measured by the occurrence of more events.

Firstly, we will recall some related conceptions regarding domain [16, 27]. Then, some important facts will be discussed.

*Definition 16 (least upper bound). *Let be a partial order; an element is called* least upper bound* of subset (), denoted by , if and only if .

*Definition 17 (coherent). *Let be a partial order; two elements are called* consistent* (denoted by ) if and only if ; a subset is* pairwise consistent* if and only if any two of its element have an upper bound in ; that is, ; is called* coherent* if and only if every pairwise consistent subset () has a least upper bound .

The* consistency* relation of and is denoted by ; conversely,* inconsistency* is denoted by .

*Definition 18 (complete prime). *A partial order ; an element is a* complete prime* if and only if for every finite subset , if exists and then there exists an such that (i.e., .

Let denote the set of complete prime of .

*Definition 19 (prime algebraic). *A partial order is called* finitary* if and only if is finite. is called* prime algebraic* if and only if is countable and .

Namely, is called* prime algebraic* if and only if, for every element , exists define , and .

*Definition 20 (domain). *A coherent, prime algebraic, and finitary partial order is called a* Scott domain* (or simply a* domain*).

*Definition 21. *Let be a* coherent, finitary prime algebraic domain.* Define , where consists of the complete primes of :(1);(2).

*Definition 22. *Let be a* prime algebraic complete lattice.* Define , where consists of the complete primes of , .

Theorem 23. *Let ; then is a finitary coherent prime algebraic domain; the complete primes are the set (see [25]).*

Theorem 24. *Let be a finitary coherent prime algebraic domain. Then, is a prime event structure, with giving an isomorphism of partial orders where with inverse given by (see [16]).*

Evidently, event structures and coherent, finitary prime algebraic domains are equivalent; one can be used to represent the other.

The following theorem describes the important property of family of configurations of a prime event structure.

Theorem 25. *For any nonempty : of event structure , its family of configurations is prime algebraic complete lattice. Its complete primes are those elements of the form .*

*Proof.* The proof is straightforward.

Thus prime event structure and finitary coherent prime algebraic domain are equivalent; this implies that there is a one-to-one correspondence between a prime event structure and its family of configurations; one can be used to represent the other.

##### 4.4. Weak Choice Composition

Theorem 23 describes an important property between the domains of configurations of prime event structures and the prime event structures themselves.

We can obtain a full set of from a prime event structure by applying operator over it. Conversely, given a full set of of an event structure, we can certainly recover the original event structure that generates this set of by some kind of composition operation.

Further, for any weak conflict set, we give the constraint conditions, under which this weak conflict set can be composed together and form a prime event structure that can generate this set by conflict-free partition operation.

The following theorem discusses the constraint conditions for composition.

Theorem 26 (necessary and sufficient condition for composition). *For any weak conflict set , if it satisfies the following conditions: (1) and (2), then there exists a unique prime event structure that can generate this set by partition operation; that is, .*(1)* .*(2)* is a finitary coherent prime algebraic domain.*

*Proof.* On one hand, the intersection of event sets of any two is nonempty meaning that common events have happened from both event structures. By definition, if these events represent common global states in runs of a system described by the same prime event structure with multiple choices, they should behave identically. That is, their configurations with respect to the intersection of event set should be identical.

In addition, from Theorems 23 and 24, the family of configurations of a prime event structure ordered by set inclusion should be a finitary coherent prime algebraic domain.

Thus, we have the necessary condition for composition.

On the other hand, from Theorems 23 and 24, we have that there is a one-to-one correspondence between a prime event structure and its family of configurations. Given a valid family of configurations for prime event structure, then there should exist a corresponding prime event structure.

For any weak conflict set: , if all by joining can form a valid family of configurations for a prime event structure, that is, forms a ordered by set inclusion, then there should exist such a unique prime event structure that .

Therefore, we get the necessary and sufficient condition for composition.

Obviously, the set of a prime event structure satisfies the above condition. Clearly, this implies that there must exists a composition operation which can construct the target event structure from a weak conflict set that satisfies the constraint conditions. We may as well let denote the operator. Thus, we have the following definition.

*Definition 27 (weak choice composition ( operator)). *Let be a weak conflict set, which satisfies necessary and sufficient conditions for composition; an operator is called* weak choice composition* operator if and only if the result event structure and satisfies the following: (1);(2).

The following theorem states that the operator and are mutually inverse for a prime event structure.

Theorem 28. *For any holds.*

*Proof.* The proof is straightforward.

Obviously, it is not difficult to derive an algorithm for weak conflict composition operator from Definition 27 and Theorem 28.

#### 5. Slicing Reduction

In this section, we will discuss slicing reduction technique for partial order trace or prime event structure. Slicing is often taken as an effective abstract technique to combat the state explosion problem. A slicing algorithm for event structure with respect to predicates in a subset of temporal logic formulas is studied. Specially, we focus on statically analyzing rather than online detecting over event structure model.

First of all, we will retrospect the classical notion of computation slicing for partial order traces. Then, we will extend the idea from partial order traces to prime event structures with conflict relations. Additionally, all related definitions and theorems [18, 19, 28] for our theory will be discussed.

##### 5.1. Partial Order Trace Slicing

Computation slicing was introduced in [7] as an abstraction technique for analyzing partial order traces of distributed programs or distributed computations.

Generally, for classical program slicing, programs are sliced with respect to a slicing criterion that is an interested point for analyzing. In static program slicing, for example, “a program line number” can be taken as a valid slicing criterion. Thus, in order to compute a slice, we need to firstly define the slicing criterion.

Intuitively, a slice of a trace with respect to a temporal logic specification or a predicate (slicing criterion) is a subtrace that contains all the states of the trace that satisfy . A slice contains all the states that satisfy such that it can be computed efficiently and is often much smaller than the original model.

We can use directed graphs to model partial order (execution) traces (POTs, for short) as well as slices. Thus, a notion named* graph ideal* (or* order ideal*) of directed graph [29] is introduced to specify partial order traces and slices pictorially. Formally, its definition is given as follows.

*Definition 29 (order ideal). *Given a poset , denotes an order relation a subset of is an* order ideal* if it satisfies .

*Definition 30 (graph ideal). *Given a directed graph , let and denote the set of vertices with event labels and directed edges, respectively. A subgraph of is a* graph ideal* if it satisfies .

It is more convenient to use directed graphs to represent partially ordered sets and prime event structures for slicing computation. It satisfies the following.(1)For any event and of , if , then there is directed edge from the vertex labelled with to the vertex labelled with .(2)For any event and of , if , then there is dash line between the vertex labelled with to the vertex labelled with .

For example, as shown in Figure 1, a partial order trace or a is demonstrated pictorially. The corresponding event structure for Figure 1 is as follows.(i).(1).(2).(3).(4).

In addition, when attempting to construct the graph representation of , as Figure 1 shows, two specific vertexes and will be added as initial state and terminal state corresponding to initial configuration and maximal configuration, respectively.

A subset of elements forms an order ideal if whenever an element is contained in the subset then all its preceding elements are also contained in the subset. Intuitively, order ideals or left-closed subsets can be graphically represented by graph ideals. Generally, independency relation will not be represented explicitly. It is not difficult to have that partial order trace is only a special case of prime event structure with no conflict relations. Here, graph ideal is a notion equivalent to the configuration of an event structure. Empty set and the set of all vertices are called trivial ideal. Similarly, initial configuration and complete configuration are also called trivial configurations.

*Definition 31 (predicate on configuration). *Intuitively, a logic formula or predicate is a Boolean-valued function defined on the set of configurations: . It actually represents a subset of configurations in which the Boolean function evaluates to 1.

The predicate detection problem is to decide whether the initial configuration of an event structure satisfies a predicate. More formally, we have the following definition.

*Definition 32 (predicate detection). *For any prime event structure and any predicate , predicate detection is to decide whether holds or not.

Predicates are used to specify system behaviors and properties such as safety and liveness. Properties expressed by a CTL (computational tree logic, introduced in [30]) formula are beyond the scope of this paper. For evaluating the value of a predicate efficiently, various predicate classes [28] such as conjunctive, stable, observer-independent, linear, relational, and nontemporal regular [7] predicates have been defined.

Generally, predicate on configurations will act as the slicing criterion for POTs slicing.

*Definition 33 (slice of (POTs)). *A* slice* of a (POTs): of prime event structure with respect to a formula , denoted by , is such an event structure that satisfies the following. (i)Its family of configurations contains all the configurations that satisfy .(ii)Its family of configurations has the least number of configurations and still forms a sublattice.

This formal definition is derived from computation slice notion [7] given by Garg and Mittal. Meanwhile, existence and uniqueness of the slice have also been discussed; that is, the following theorem holds.

Theorem 34. *
For any of a prime event structure and any predicate , the slice of with respect to predicate , that is, exists and is unique.*

*Proof.* The proof is straightforward; see [8, 20, 31].

In general, the family of configurations for a forms a distributed lattice, and its slice with respect to a predicate is a sublattice. Sometimes a slice may contain those configurations that do not satisfy the predicate for completing sublattice.

In the next section, we will discuss the slicing definition and model for prime event structure.

##### 5.2. Sliced Model over Event Structure

Generally, predicate on configurations acts as the slicing criterion for prime event structure slicing. Temporal regular predicate, such as a regular subset of CTL called RCTL [7, 8, 29], which contains four temporal operators EF, AG, EG, and EX[j], and nontemporal regular predicates both can also be taken as the slicing criterions.

Compared with the definition of slice of , we have a similar case for prime event structure.

*Definition 35 (slice of prime event structure). *A slice of a prime event structure with respect to a formula , denoted by , is such an event structure that satisfies the following. (i)Its family of configurations contains all the configurations that satisfy .(ii)Its family of configurations has the least number of configurations.

Generally, a slice may contain configurations that do not satisfy the given predicate. The slice of an event structure with respect to a predicate is called* lean* [32] if every configuration of the slice satisfies the predicate.

Theorem 36. *For any and any predicate , exists and is unique, and holds.*

*Proof. (1) Existence and Uniqueness.* From Theorem 34, we have that, for any of a prime event structure and any predicate , its slice with respect to predicate exists and is unique.

For any , the family of configuration of is a distributed lattice and is unique.

Further, let ; is also unique and is a finitary coherent prime algebraic domain.

Next, we show that the slicing operation will keep the second part of necessary and sufficient condition for composition.

For any and , if and , we then have that ; that is, for any nonempty event subset and any predicate , if any configuration of satisfies , that is, is the common part of both slices of and . We still get that .

This means that, for any two , if their intersection is nonempty, no matter which part of the intersection belongs to the slice, after slicing, the necessary and sufficient condition for composition will be still satisfied.

Thus, we get that is a valid family of configurations for prime event structures; there should exist such a unique prime event structure that satisfies . We can get by applying to the corresponding event structures of .

Therefore, the existence and uniqueness for event structure slicing have been established. We will then prove that the prime event structure is the ultimate result of slicing.

*(2) Satisfactoriness and Minimality*. On the one hand, for any configuration of event structure that makes predicate hold, that is, , there must be a : so that ; let , because contains all the configurations of event structure that make predicate hold. We have that must be contained by ; that is, .

We get .

Further, we get .

On the other hand, for any configuration , we get and can make predicate hold; then must hold. Thus, we get .

That is, .

Therefore, we have .

Thus, we get that .

Moreover, by the definition of slice of maximal conflict-free event substructure, we have that, for any , the corresponding contains the least number of configurations that satisfy the given predicate ; we then have that also contains the least number of configurations satisfying this specification. Thus, satisfactoriness and minimality both hold.

Consequently, from both and , we conclude that the theorem holds.

##### 5.3. Slicing Reduction Algorithm

In this section, we will present an approach for event structure slice computing. The slicing algorithm for a prime event structure or its with respect to regular predicates is based on the* Adding Edges Theorem* (see [8, 20, 31, 33]).

In fact, by the following theorem, these lattices will never be actually constructed in the slicing process for efficiency.

The configurations do not satisfy the predicate but still can be included to complete the sublattice.

Given a distributive lattice generated by a graph , every sublattice of can be generated by a graph obtained by adding edges to . The following theorem holds.

Theorem 37 (Adding Edges Theorem). *Let be any sublattice of a finite distributive lattice generated by the directed graph . Then, there exists a graph that can be obtained by adding edges to (removing vertices from) that generates .*

For any prime event structure, we can get the slices of its by applying the Adding Edges Theorem. These slices can be composed by to form a new prime event structure which is the target slice of the original event structure. This approach is less general but results in more efficient detection algorithms for a special class of predicates. Note that we will never actually construct the lattice or family of configurations of the event structure due to efficiency.

Garg and Mittal have presented an efficient algorithm [8, 28] based on graphical representation to compute the slice of POTs (or conflict-free event structures) with respect to a predicate . The algorithm adopts the principle of the Adding Edges Theorem and can produce a sliced graph representation. Especially, we have for predicate itself.

We extend the idea and algorithm to more general models and provide an algorithm for slicing the and the original prime event structure. Thus, we have Algorithm 2 to compute the slice of conflict-free event structure.

For a prime event structure with conflict relations, we have to apply operator to get maximal conflict-free event substructures and each of them can be sliced by . Then, the set consisting of each sliced result can be composed together by to construct a new event structure. This new event structure will be the sliced result.

Thus, we can derive Algorithm 3 to compute the slice of a prime event structure.

Because the set of the slices of may no longer keep the weak conflict relation which exists in the original .

Therefore, after operation is performed, the relation among these slices can be one of the following cases:(1)strong conflict;(2)conflict-free;(3)weak conflict;(4)hybrid of weak conflict and conflict-free;(5)hybrid of weak conflict and strong conflict;(6)hybrid of strong conflict, weak conflict, and conflict-free.

In case of (1), (3), and (5), the operation can be performed directly. But in case of (2), (4), and (6), we have to add some events in order to make the result set of slices still be able to form a valid weak conflict set at the end of process.

For temporal predicates [8], such as , and can be computed by , , and , respectively. From the definition of a slice, we know that every configuration of a slice is also a configuration of .

Clearly, the following two corollaries hold.

Corollary 38. *(1) For any prime event structure , .**Similarly for , the following holds.**(2) For any prime event structure , .*

Corollary 39. *For any prime event structure , .*

##### 5.4. Case Study for Slicing Reduction

In this section, we will give an example to illustrate the prime event structure slice notion and its computing process.

Consider a prime event structure: , as shown in Figure 2. The components are described as follows:(1)event set: ;(2)conflict relation: ;(3)casual relation: ;(4)action labels: ,;(5)action functions:(i)(ii); (iii); (iv); (v); (vi); (vii); (viii); (6)slice criterion: .

In this example, the system global states will be updated after an action function executes. Figure 2 depicts all the events conflict (for simplicity, only immediate conflict relation is shown) and casual relation. Figure 3 shows its corresponding family of configurations.

There is one conflict relation between event and ; due to the conflict inheritance property of prime event structures, we have and ; that is, each of is in conflict with each of . Obviously, according to this conflict relation, apply operation to the prime event structure and we get that this event structure has only two : they are and depicted by Figures 4(1) and 4(2), respectively, and Figures 5(1) and 5(2) show their corresponding families of configurations.

The configurations that satisfy the predicate are labelled with frames. In fact, these configurations are only used to describe relationship between original event structure and its slice graphically; in general, they will never be actually constructed in the slicing algorithm for efficiency.

The families of configurations of the slices of and with respect to the predicate are shown in Figures 6(1) and 6(2), respectively. It can be verified that both and form distributed lattices.

These configurations of the slices are exactly the ones that satisfy the given predicate in the family of configurations of the original event structure. Figure 7 shows the family of configurations constructed by applying operation to the families of configurations of all slices.

Finally, in Figure 8, the slice of and the slice of are combined into the slice of by operator, as expected.

To illustrate the benefit of predicate detection by using slicing reduction as shown in above example, consider the states in Figure 3 again.

Let be the predicate to be checked, and suppose we want to detect whether holds or not; that is, there exists a global state that satisfies . Without slicing reduction applied, we are forced to examine all global states, 15 states in total as shown in Figure 3, to decide whether the traces satisfy the predicate.

Alternatively, we can compute the slice via slicing reduction technique with respect to the regular temporal predicate and use this slice for predicate detection.

For this purpose, firstly, we compute the slice with respect to and the slice is shown in Figure 7.

Finally, we check whether the initial state is the same as the initial state of the slice and decide whether the predicate is satisfied or not.

The slice contains only 9 states and has much fewer states than the original traces itself. Generally, it is exponentially smaller in many cases and this can result in substantial savings.

#### 6. Symmetry Reduction

Finite state systems frequently exhibit symmetry which can be found in memories, caches, register files, bus protocols, and anything that has a lot of replicated structures. The use of symmetry to reduce state space has been investigated widely by researchers [2, 3, 15, 22, 23].

In this section, we will discuss symmetry properties over prime event structures. Symmetry in an event structure implies the existence of nontrivial permutation groups that preserve both the events labelling and all relations of causal dependence and independence that exist between events. We start by introducing some notions of group theory.

##### 6.1. Automorphism Groups

We know that the set of all permutation on a set forms a permutation group under functional composition. A permutation group over a finite set consists of bijections, , and their compositions as the binary operations.

*Definition 40 (permutation group). *Let be a finite set; a* permutation* of is a bijection from to itself. Then, ; that is, the family of all the permutations of the set , denoted by , forms a group called the* symmetric group* on . For any bijection is called a* permutation.* Any subgroup of is called a permutation group on .

Obviously, a symmetric group is a special permutation group. A permutation group over a set has good properties; specially, it can induce an equivalence relation. The equivalence classes of an equivalence relation on a set can form a partition of this set. Thus, for a set , if there exists a permutation group on the set , the permutation group can induce a partition of the set . We can easily check this property.

In this paper, permutation groups are used to partition the set of events in an event structure so that we use equivalence classes (orbits) of events to investigate symmetry in this event structure.

*Definition 41 (automorphism). *Let and let be a permutation group on the event set of . A permutation is said to be an* automorphism* of if and only if satisfies the following conditions: (1);(2).

*Definition 42 (automorphism group). *A permutation group is called an* automorphism group* for the event structure if and only if every permutation is an automorphism of .

Notice that every has an inverse, which is also an automorphism; our definition of an automorphism group can prove that is an automorphism for an event structure if and only if satisfies the following condition: .

##### 6.2. Quotient Model of an Event Structure

The symmetric quotient model for an event structure is a structural reduced model.

Let be a permutation group acting on the set and ; then the orbit of is the set . From each orbit we pick a representative that is called . Intuitively, the quotient model can be obtained by collapsing all the events to orbits.

*Definition 43 (symmetric quotient model). *Let and let be an automorphism group on the event set of the event structure . The* symmetric quotient model * is defined as follows. (1)The event set is , the set of orbits of the events in .(2)The causality relation is given by and the inverse of is denoted by .(3)The conflict relation is given by , where .(4)The labelling function is given by .

An automorphism group of an event structure is an invariance group for an action if and only if the following condition holds: .

We then say that is an invariant under . Thus, if is an invariance group for all actions in the action set of and is the symmetric quotient model for ; we can directly have .

From the above definition, we have that the symmetric quotient model is still a prime event structure and preserves all the causal dependence and independence relations of the original, but the conflict relations are reduced. Note that every two different events in an orbit are exactly in conflict with each other. The quotient model can preserve all the behavior of the original one.

##### 6.3. Symmetry Reduction Algorithm

Based on previous discussion, we have Algorithm 4 for symmetry reduction. In this algorithm, replicated substructure will be removed and only one copy will be kept.

Firstly, operator will be applied on a given event structure to get a set of conflict-free substructures.

Then, for any two elements of them, a checking procedure will be performed to remove the redundant one.

Finally, will be applied on the substructure set to get the reduced model. Detailed pseudocode description is shown in Algorithm 4.

##### 6.4. An Example for Symmetry Reduction

In this section, an example will be discussed to demonstrate the reduction process based on Algorithm 4.

The example of a prime event structure with five events (, , , , and ) and its semantics in terms of families of configurations is given in Figures 9(1) and 9(2), respectively.

The action-labelling (action set: ) function is defined as follows: , , , , and .

In this structure, we have , , , and . We also have , , and (due to conflict inheritance).

Then event set is and we can construct a permutation group on the set where two permutations are as follows:

Obviously, the group is an invariance group for all actions in . We then have the orbits of events in being , , , and . Thus, the symmetric quotient model can be described as shown in Figure 10.

We can get weak conflict set of the event structure by operator as follows: , where

Thus, we have , , and (or, , , and ).

By definition, we have that and are symmetric. According to the symmetry reduction algorithm, we will remove replicated events but keep the common or representation ones. The substructure is removed. The resulted substructure set consists of two elements: and , because and are weak conflict sets of and operator can be applied on them to construct a new event structure: . Thus, the symmetric reduced event structure can be described by Figure 11.

To illustrate the advantage for properties checking by using symmetry reduction as shown in the above example, consider the states in Figure 9, 9 states in total.

Suppose we want to check whether a property holds or not; that is, there exists a global state that satisfies . Without symmetry reduction applied, we have to examine all global states, 9 states in total. But with symmetry reduction, as shown in Figure 11 or Figure 10 to decide whether the property holds, only 7 states should be checked and a considerable saving can be achieved.

#### 7. Mathematical Framework

In this section, we will provide a unified mathematical framework for slicing and symmetry reduction based on and operators.

Firstly, we will review some basic definitions in this section. Here, we refer the reader to [14] for details. Next, we will introduce the single action transitions [3] for event structures. Finally, we will discuss the related theories for slicing and symmetric reduction and establish the unified framework.

##### 7.1. Basic Definitions

*Definition 44. *For any event structure , define . Especially, for any conflict-free event structure , define .

In fact, is the partial order of left-closed and conflict-free subsets of ordered by set inclusion.

is the partial order of left-closed subsets of ordered by set inclusion.

*Definition 45 (single action transition). *Let . A transition is called a* single action transition* if and only if and there exists an event such that with .

Here, indicates that in the event structure the state represented by the configuration may evolve into a state represented by the configuration by performing the action . This transition relation associates a labelled system based on single action transitions with each event structure.

*Definition 46 (trace). *Let . A word is called* trace* of if and only if and .

Here, let denote the set of all traces of .

*Definition 47 (interleave trace equivalence). *Let . and are called* interleave trace equivalence * if and only if .

*Definition 48 (interleaving bisimulation). *Let . A relation is called * interleaving bisimulation* between and if and only if and ; then (1);(2).

*Definition 49 (interleaving bisimulation equivalent). *Let . and are called * interleaving bisimulation equivalent * if and only if there exists an interleaving bisimulation between and .

##### 7.2. Unified Framework

The unified framework for slicing and symmetry reduction we have set up can be pictured as in Figure 12.

*(1) Isomorphism and Equivalence.* We are concerned with the translation of concepts and ideas from one side to the other. The following theorems hold.

Theorem 50. *Let be a conflict-free event structure, ; then . Similarly, let be a prime algebraic complete lattice; then .*

Theorem 51. *Let be a prime event structure, ; then . Similarly, let be a prime algebraic coherent domain; then .*

Clearly, from Theorems 50 and 51, we have the following.(1)For any prime event structure , we have that .(2)Similarly, for any partial order , is a prime algebraic complete lattice or a finitary coherent prime algebraic domain; we have that .

From Theorems 23, 24, and 25, we have that conflict-free event structures and prime algebraic complete lattices are equivalent; this implies that there is a one-to-one correspondence between a prime event structure and its family of configurations. Similarly, prime event structures and finitary coherent prime algebraic domains are also equivalent; one can be used to represent the other.

*(2) Mutual Inverse Operation*. For any prime event structure, and are mutually inverse operators.

We can get the full set of maximal conflict-free substructures of a prime event structure by operator.

Conversely, given the full set of maximal conflict-free substructures of the prime event structure, we can recover the original prime event structure by operator.

*(3) Slicing Reduction*. Firstly, compared with traditional computation slicing, Figure 12 demonstrates the translation between a conflict-free event structure (or its slice) and prime algebraic complete lattice. This forms the theoretical basis of computation slicing technique proposed by Garg and Mittal, Sen [7, 20].

Secondly, Figure 12 also demonstrates the translation between a prime event structure (or its slice) and finitary coherent prime algebraic domain, which serves as the theoretical basis of our event structure slicing with conflict. A pair of mutually inverse operators, and , act as a link between the two parts.

Thirdly, the slice of a prime event structure can be computed by the following steps:(1)applying operator to partition the original prime event structure into a full set of maximal conflict-free substructures;(2)for each maximal conflict-free substructure, applying traditional computation slicing algorithm based on Adding Edges Theorem [7, 8, 20] over its directed graph representation to compute the slice with respect to the given predicate;(3)applying operator to compose the resulted slices in above step (2) and form a new prime event structure, while the generated event structure is the slice of the original prime event structure.

*(4) Symmetry Reduction*. Operators and can also play an important role in symmetry reduction.

Symmetry reduction of a prime event structure can be performed by the following steps:(1)applying operator to partition the original prime event structure into a full set of maximal conflict-free substructures;(2)checking automorphism among the produced substructures and checking causal relation and action set;(3)removing duplicated substructure and applying operator to compose the resulted structure to form a newly generated prime event structure, which will be symmetry reduced prime event structure.

*(5) Trace Equivalence*. The relation between original event structure and its quotient model can be specified by Theorems 52 and 53 (See [3]).

Theorem 52. *Let and be quotient structure of ; then .*

Theorem 53. *Let and let be the symmetric quotient model for . Then .*

Generally, given an event structure , in fact, its behavior is exhibited by the labelled transition system (LTS, for short) , , where(1)the configurations are states;(2)the set of labels is the set of actions ;(3)the transitions are single action transitions between every two configurations of ; namely, ;(4)the initial configuration (the empty set ) is the initial state.

The above equivalence is based on labelled transition systems whose transitions are single action transitions. As shown in Figure 12, we construct labelled transition system for prime event structure and its quotient model, we will have that their LTSs are interleaving bisimulation and interleave trace equivalence al