4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Recipes for State Space Reduction Arend Rensink, University of Twente Dutch Model Checking Day, May 2014.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
Verification of Graph Transformation Systems Arman Sheikholeslami
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
ISBN Chapter 3 Describing Syntax and Semantics.
Model checking dynamic states in GROOVE Arend Rensink Formal Methods and Tools University of Twente.
International Workshop on Computer Vision - Institute for Studies in Theoretical Physics and Mathematics, April , Tehran 1 IV COMPUTING SIZE.
30 March 2005, IPA lentedagen, BredaGraph-Based State Spaces1 Graph Transformation for Model Transformation Arend Rensink University of Twente.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
Handling non-determinism and incompleteness. Problems, Solutions, Success Measures: 3 orthogonal dimensions  Incompleteness in the initial state  Un.
Describing Syntax and Semantics
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Behaviour-Preserving Model Transformation Arend Rensink, University of Twente IPA Spring Days, 18 April 2012.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: BDD BDDs applied in equivalence checking.
Binary Decision Diagrams (BDDs)
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
APPLICATIONS OF CONTEXT FREE GRAMMARS BY, BRAMARA MANJEERA THOGARCHETI.
Theory of Computing Lecture 17 MAS 714 Hartmut Klauck.
CS6133 Software Specification and Verification
Introduction to Graph Grammars Fulvio D’Antonio LEKS, IASI-CNR Rome,
Pattern-directed inference systems
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
1 Bisimulations as a Technique for State Space Reductions.
1 Graph-Based State Spaces Arend Rensink, University of Twente CamPaM 2012 April 2012Graph-Based State Spaces.
Rewriting Logic Model of Compositional Abstraction of Aspect-Oriented Software FOAL '10Mar. 15, 2010 Yasuyuki Tahara, Akihiko Ohsuga The University of.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
I-Neighbourhood Abstraction in Graph Transformation Arend Rensink University of Twente Based on work with: Jörg Bauer, Iovka Boneva, Dino Distefano, Marcus.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Chapter 3 Part II Describing Syntax and Semantics.
CS6133 Software Specification and Verification
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Ukrprog Formal requirement language and its applications A.Letichevsky Glushkov Institute of Cybernetics.
Author: Haoyu Song, Murali Kodialam, Fang Hao and T.V. Lakshman Publisher/Conf. : IEEE International Conference on Network Protocols (ICNP), 2009 Speaker:
Onlinedeeneislam.blogspot.com1 Design and Analysis of Algorithms Slide # 1 Download From
SPLST'20098/26/ Good to Know about the Efficiency of State Space Methods Mikko Tiusanen & Antti Valmari Tampere University of Technology Department.
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 8: Static Analysis II Roman Manevich Ben-Gurion University.
CSE 20: Discrete Mathematics for Computer Science Prof. Shachar Lovett.
Data Structure Interview Question and Answers
Data Structures Interview / VIVA Questions and Answers
Graph-Based Operational Semantics
CSCI1600: Embedded and Real Time Software
Over-Approximating Boolean Programs with Unbounded Thread Creation
Generating Optimal Linear Temporal Logic Monitors by Coinduction
Isomorphism Checking in GROOVE
CSCI1600: Embedded and Real Time Software
Discrete Controller Synthesis
Introduction to Graph Transformation
Model Checking Graph Grammars
Presentation transcript:

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces2 Context: States as graphs Objects & method frames as nodes Relations & variables as (labelled) edges BufferCell next last first Object val heapstack no method frames in this presentation

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces3 Graph formalism Graphs in this presentation: – flat (i.e., not hierarchical), untyped – directed, edge-labelled, no parallel edges – self-edges depicted as node labels Formally: G = (L,N,E) with – L set of labels – N finite set of nodes – E  N  L  N finite set of labelled edges Partial morphisms – structure-preserving node mappings

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces4 Graphs as states BufferCell next first, last Object val BufferCell next last first Object val Object val BufferCell next last first Object val Object val Object val BufferCell next first last BufferCell next last first Object val

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces5 forbidden Graph Productions Production rule source graph matching Graph transition src(t)tgt(t) morph(t) target graph pushout NAC NACs (SPO = Single Pushout Approach) LHSRHS rule morphism (partial)

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces6 Example production rule Alternative single-graph representation: Buffer Cell Object next val last Object blue = eraser: LHS, not RHS; to be matched and deleted green = creator: RHS, not LHS; to be added black = reader: LHS and RHS; to be matched and preserved public void put(Object val) { if (last.next.val == null) { last = last.next; last.val = val; } red = embargo: NAC, not LHS; forbidden

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces7 Example rule application Buffer Cell first | last next Object val Buffer Cell last first next Object val Object val Buffer Cell Object next val last Object matching transition

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces8 Graphs as states BufferCell next first, last Object val BufferCell next last first Object val Object val BufferCell next last first Object val Object val Object val transitions carry partial morphisms BufferCell next first last BufferCell next last first Object val not inverse!

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces9 Aim: software model checking Construct graph production system from – UML diagrams / other specifications – Programs to be checked Generate state space – States=graphs, transitions=transformations Formulate properties – invariants/reachability (safety) – liveness – full temporal logic Check properties on the model

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces10 Envisaged tool chain = planned = implemented

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces11 Example cases [GraBaTs 2004] List append: highly dynamic, hardly symmetric Philosophers: not at all dynamic, highly symmetric Ring mutex: somewhat dynamic, rather symmetric

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces12 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces13 Time consumption (1) Graph matching – Needed to find production rule matchings – Complexity: NP-complete Alleviating circumstances: – Graphs to be matched are LHSs typically small – Host graphs are software models mostly deterministic transformations only at “locus of control”

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces14 Time consumption (2) Graph isomorphism – Used to collapse states – Complexity: between P and NP (!) Approximation techniques – Over-approximation: graph certificates Excellent precision (> 99%) Still requires isomorphism check afterwards – Under-approximation: equality Mediocre precision (10-50%) Very fast; useful as initial filter

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces15 Time consumption List append: Relatively large graphs Philosophers: Many symmetries Mutex: Many states & transitions

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces16 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs)? Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces17 Space consumption Symbolic methods (BDDs) not suitable – No fixed state vector – Idea: Store “deltas” between graphs – Average delta: 2-7 elements Transition storage also expensive – Idea: Store “boundaries” of LHS matching – Average boundary: 2-3 elements Current implementation: – Overhead per state/transition > 75% – Java quite memory generous

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces18 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces19 State space reduction (1) Existing techniques: – Symmetry recognition – Partial order reduction – Abstraction, e.g. slicing (property-driven) Symmetry recognition: here automatic – Implied by isomorphism check – Dining philosophers: linear reduction – Expectation: little symmetry in real life

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces20 State space reduction (2) Partial order reduction – Linearization of confluent rule applications – Theory: Exponential “best case” improvement Restricted applicability, especially with NACs – Practice: ??? Abstraction – Approximative results (false negatives) – Very promising, not just for this purpose

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces21 Experimentation (1) Dining philosophers – get hungry – get left fork, get right fork (in sequence) – drop both forks (atomically) and think #phils#states#transspace (MB)time (s) ,26121, ,903271,63424, ,3373,440, ,712

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces22 #phils#states#transspace(MB)exec(s)prep(s) 83,26121, ,903271, ,3373,440, ,712 #phils#states#transspace(MB)exec(s)prep(s) 83,26121, ,961171, ,903271, ,5032,711, ,3373,440, ,712 4,165,71041,267, Comparison [ICGT 2004] CheckVML (Varró) – Encode graphs in SPIN – Choose fixed node identities – Predict rule applications reduction = degree of symmetry

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces23 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces24 Property specification State-based properties – Invariants, liveness properties – Expressible by graph predicates – Mechanism: graph embedding (+ NACs) Temporal logic properties – Existing MC logics are propositional (L/CTL) – Graph properties are FOL formulae – Dynamic allocation/deallocation

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces25 Graph Temporal Logic Navigation using regular expressions path ::= a | path.path | path+path | path*. Second-order expressions for node sets set ::= Z | x | set.path | All. Linear temporal logic with predicates form::= x  set |  form | form  form |  x: form | let Z=set in form | X form | form U form. abbreviation: set for  x: x  set

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces26 Example properties The buffer is circular  n  Cell: n  n.next + Cell values are unchanged until consumed G(  n  Cell:  x  n.val: x  n.val U  x) Values are consumed in-order G(  n  Cell: n.next.val  (n.next.val U ! n.val)) New values are created all the time G(let Z=val in F(  x  val: x  Z)) second-order property node identity traced through run connectivity already second-order

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces27 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces28 Model checking algorithms More expressiveness means less decidability/higher complexity Initial ideas: [FSTTCS 2004] – With Distefano & Katoen – No edges (multisets of entities) – Single outgoing edge

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces29 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces30 Abstract interpretation Method consists of: – Concrete TS: (S c, ,i c ) – Abstract TS: (S a, ,i a ) – Abstraction function α : S c  S a with α (i c )=i a that is Sound: s c  s c ’ implies α (s c )  α (s c ’) Weakly complete: s a  s a ’ implies s c  s c ’ for some s c  α -1 (s a ), s c ’  α -1 (s a ’) ( α is a surjective simulation/homomorphism) Property reflecting: –α (s c )  a φ implies s c  c φ for φ in an appropriate logic – not vice versa: verification is approximative infinite state computable, finite state false negatives

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces31 Abstraction research programme Define graph abstraction – Automatically computable – Property reflecting Lift graph transformations – Define effect directly on abstract graphs Develop general theory – Basic principles to apply to any GT approach – Wanted: Algebraic justification

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces32 Graph abstraction [ESOP 2004] ListCell nxt fst Object val Object val Cell nxt Cell nxt Object first shared no nxt unused unshared nxt shared no nxt

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces33 Enriching abstract graphs The following information is added: – The (potential) number of node instances – The (potential) degree of sharing (in+out) Both can be expressed as multiplicities Strongly inspired by shape graphs – Sagiv, Reps, Wilhelm, Benedikt

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces34 Pictorial representation Write edge multiplicities at “ports” nxt fst val nxt Object ListCell Object 1 > Node multiplicities Outgoing edges Incoming edges Object >1

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces35 Abstract graph transformation Materialization – Matching of left hand side made concrete – Result: partially concrete graph Transformation – Partially concrete graph treated as fully concrete Normalization – Transformation result is partially concrete – Re-apply abstraction principle

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces36 Abstract circular buffer transition system

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces37 What you should take home Graphs as states: promising model Some inherent benefits – Captures dynamic behaviour – Implicit symmetries – Allows structural abstraction Some inherent disadvantages – Infinite state space – Increased complexity in several issues A lot of open issues

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.