/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search Optimization

/ PSWLAB Introduction (1/1) In explicit model checking, verification problem is reduced to the reachability problem in a graph. The hard problem in explicit model checking to solve is finding effective ways to scale reachability checking algorithm to handle large to very large graph.  Approaches (1) Reduce the number of reachable states to check - Partial order reduction, Statement merging (2) Reduce the amount of memory that is needed to store visited states. - Loseless compression : Collapse compression, Minimized automaton - Lossy compression : Bitstate hashing, Hash compact SPIN Search Optimization2

/ PSWLAB Partial Order Reduction (1/9) SPIN Search Optimization L0L0 L1L1 L2L2 x=1g=g+2 L’ 0 L’ 1 L’ 2 y=1g=g*2 T1: T2: byte g = 0 ; active proctype T1() { byte x ; x = 1 ; g = g + 2 ; } active proctype T2() { byte y ; y = 1 ; g = g * 2 ; }

/ PSWLAB Partial Order Reduction (2/9) SPIN Search Optimization4 0,0,0 L 0, L’ 0 1,0,0 L 1,L’ 0 0,1,0 L 0,L’ 1 1,1,0 L 1,L’ 1 1,0,2 L 2,L’ 0 0,1,0 L 0,L’ 2 1,1,2 L 2,L’ 1 1,1,0 L 1,L’ 2 1,1,4 L 2,L’ 2 1,1,2 L 2,L’ 2 x=1 y=1 x=1 y=1 g=g*2 x=1 g=g+2g=g*2 y=1 g=g+2 g=g*2 x,y,g L, L’

/ PSWLAB Partial Order Reduction (3/9) For two statements a and b, if two interleavings of these statements from any state result different states or two interleavings are impossible, then a and b are dependent to each other. - Dependent statements pairs g=g*2 and g=g+2 because both touch same data object. x=1 and g=g+2 the order of statements are fixed. y=1 and g=g*2 the order of statements are fixed. - Independent statements pairs x=1 and y=1 x=1 and g=g*2 y=1 and g=g SPIN Search Optimization5

/ PSWLAB Partial Order Reduction (4/9) ¾ 1 ={ (0,0,0,L 0, L’ 0 ), (1,0,0,L 1, L’ 0 ), (1,0,2,L 2, L’ 0 ), (1,1,2,L 2,L’ 1 ), (1,1,4,L 2,L’ 2 ) } ¾ 2 ={ (0,0,0,L 0, L’ 0 ), (1,0,0,L 1, L’ 0 ), (1,1,0,L 1, L’ 1 ), (1,1,2,L 2,L’ 1 ), (1,1,4,L 2,L’ 2 ) } ¾ 3 ={ (0,0,0,L 0, L’ 0 ), (1,0,0,L 1, L’ 0 ), (1,1,0,L 1, L’ 1 ), (1,1,0,L 1,L’ 2 ), (1,1,2,L 2,L’ 2 ) } ¾ 4 ={ (0,0,0,L 0, L’ 0 ), (0,1,0,L 0, L’ 1 ), (0,1,0,L 0, L’ 2 ), (1,1,0,L 1,L’ 2 ), (1,1,2,L 2,L’ 2 ) } ¾ 5 ={ (0,0,0,L 0, L’ 0 ), (0,1,0,L 0, L’ 1 ), (1,1,0,L 1, L’ 1 ), (1,1,0,L 1,L’ 2 ), (1,1,2,L 2,L’ 2 ) } ¾ 6 ={ (0,0,0,L 0, L’ 0 ), (0,1,0,L 0, L’ 1 ), (1,1,0,L 1, L’ 1 ), (1,1,2,L 2,L’ 1 ), (1,1,4,L 2,L’ 2 ) } These runs can be classified into two groups according to the end state.  { ¾ 1, ¾ 2, ¾ 6 }, { ¾ 3, ¾ 4, ¾ 5 } SPIN Search Optimization6

/ PSWLAB Partial Order Reduction (5/9) ¼ 1 = { x=1 ; g=g+2 ; y=1 ; g=g*2;} ¼ 2 = { x=1 ; y=1 ; g=g+2 ; g=g*2;} ¼ 6 = { y=1 ; x=1 ; g=g+2 ; g=g*2;} ¼ 3 = { x=1 ; y=1 ; g=g*2 ; g=g+2;} ¼ 5 = { y=1 ; x=1 ; g=g*2 ; g=g+2;} ¼ 4 = { y=1 ; g=g*2 ; x=1 ; g=g+2;} SPIN Search Optimization7 Independent statements pairs x=1 and y=1 x=1 and g=g*2 y=1 and g=g+2 Within each class, each run can be obtained from the other runs by one or more permutations of adjacent independent transitions. The eventual outcome of a computation remains unchanged under such permutations. For verification, it therefore would suffice to consider just one run from each class.

/ PSWLAB Partial Order Reduction (6/9) SPIN Search Optimization8 0,0,0 L 0, L’ 0 1,0,0 L 1,L’ 0 0,1,0 L 0,L’ 1 1,1,0 L 1,L’ 1 1,0,2 L 2,L’ 0 0,1,0 L 0,L’ 2 1,1,2 L 2,L’ 1 1,1,0 L 1,L’ 2 1,1,4 L 2,L’ 2 1,1,2 L 2,L’ 2 x,y,g L, L’ x=1 y=1 x=1 y=1 g=g*2 x=1 g=g+2g=g*2 y=1 g=g+2 g=g*2

/ PSWLAB Partial Order Reduction (7/9) For previous example, it would be suffice to consider only runs ¾ 2 and ¾ 3. to accurately prove LTL formulae such as – Always( g = 0) – Eventually(2 · g ) SPIN Search Optimization9

/ PSWLAB Partial Order Reduction (8/9) ¼ 1 = { x=1 ; g=g+2 ; y=1 ; g=g*2;} ¼ 2 = { x=1 ; y=1 ; g=g+2 ; g=g*2;} ¼ 6 = { y=1 ; x=1 ; g=g+2 ; g=g*2;} ¼ 3 = { x=1 ; y=1 ; g=g*2 ; g=g+2;} ¼ 5 = { y=1 ; x=1 ; g=g*2 ; g=g+2;} ¼ 4 = { y=1 ; g=g*2 ; x=1 ; g=g+2;} SPIN Search Optimization10 Independent statements pairs x=1 and g=g*2 y=1 and g=g+2 What if “Always( y · x )” ? → The formula secretly introduces dependency between x=1 and y=1.

/ PSWLAB Partial Order Reduction (9/9) S PIN constructs global reachability graph on the fly. S PIN uses a static reduction method for partial order reduction. – The dependency relations are computed offline. Pre-evaluated dependency relations are used to decide which successors to search at each state exploration in S PIN SPIN Search Optimization11

/ PSWLAB Statement Merging (1/5) Merge sequences of transitions within a process into a single step to avoid the creation of unnecessary intermediate system states. Automatically add d_step constructs into a specification whenever a sequence of statements meets merging condition SPIN Search Optimization12

/ PSWLAB Statement Merging (2/5) Merging can be safely done if a sequence of statements in a process (1) accesses only local data. (2) does not have any guarded condition ( if or do statements). Statement merging is enabled in default. And this can be disabled by –o3 option SPIN Search Optimization13

/ PSWLAB Statement Merging (3/5) active proctype merging() { byte c ; if :: c = 0 ; :: c = 1 ; :: c = 2 ; fi ; do :: c c++ ; :: c > 0 -> c-- ; od ; } SPIN Search Optimization14 L0L0 L1L1 L2L2 L3L3 c=2 c=0 c=1 [c<2][c>0] c++ c--

/ PSWLAB Statement Merging (4/5) SPIN Search Optimization15 0,L 0 0,L 1 1,L 1 2,L 1 0,L 2 1,L 2 1,L 3 2,L 3 c=0c=1c=2 [c<2] [c>0] c++ c-- c, L

/ PSWLAB Statement Merging (5/5) SPIN Search Optimization16 L0L0 L1L1 c=2 c=0 c=1 [c<2] c++ [c>0] c-- 0,L 0 0,L 1 1,L 1 2,L 1 c=0c=1c=2 [c<2] c++ [c>0] c-- active proctype merging() { byte c ; if :: c = 0 ; :: c = 1 ; :: c = 2 ; fi ; do :: d_step {c c++ ; } :: d_step {c > 0 -> c-- ; } od ; }

/ PSWLAB Collapse Compression (1/3) Replicating a complete description of all local component of the system state in each global state that is stored is wasteful technique. Collapse compression mode tries to store smaller state components separately while assigning small unique index numbers to each one SPIN Search Optimization17

/ PSWLAB Collapse Compression (2/3) Def. System State (gvars, procs, chans, exclusive, handshake, timeout, else, stutter) gvars : a finite set of variables with global scope procs : a finite set of processes chans : a finite set of message channels exclusive, handshake are integers timeout, else, stutter are booleans Def. Process (pid, lvars, lstates, initial, curstate, trans) lvars : a finite set of local variables lstates : a finite set of integer initial : an element of lstates trans : a finite set of transitions on lstates. 22:18PROMELA Semantics18

/ PSWLAB Collapse Compression (3/3) Break down a global state into separate components – first component: the set of all global data objects such as global variables and all message channels. – one component for each active process: its control state and local states of the process SPIN Search Optimization19

/ PSWLAB Minimized Automaton (1/4) Use a minimized deterministic automaton for storage of statespace instead of conventional lookup table. If a state descriptor is accepted by the minimized deterministic automaton, then that state was visited. Lookup and update operation has a time complexity of O( S ) where S is the maximum length of a state descriptor. – Both minimized automaton and lookup table have same order time complexity for the operations, minimized automaton takes much more time for the operations. The user should provide an initial estimate of the maximum depth of the graph that is constructed for the minimized automaton representation using –DMA option for pan SPIN Search Optimization20

/ PSWLAB Minimized Automaton (2/4) SPIN Search Optimization21 Automaton Structure After Storing {000, 001, 101} 1 0

/ PSWLAB Minimized Automaton (3/4) SPIN Search Optimization22 Automaton Structure After Storing {000, 001, 101, 100} 1 0

/ PSWLAB Minimized Automaton (4/4) In verification of SM_ReadSector() model where SECT_PER_U is 4, NUM_LS_USED is 6, and MAX_VUN is 5. SPIN result with –DSAFETY –DCOLLAPSE options - memory: total actual memory usage - time: 0m17.509s SPIN result with –DSAFETY –DCOLLAPSE –DMA option - memory: total actual memory usage - time: 13m55.321s SPIN Search Optimization23

/ PSWLAB Bitstate Hashing (1/4) S PIN uses standard hash table as statespace storage. - Each slot in hash table has a sorted linked list of states of the same hash value SPIN Search Optimization24

/ PSWLAB Bitstate Hashing (2/4) R : the number of states stored in hash table H : the number of slots in hash table. when R > H, - The hash function computes the same value for different states(hash collision). - The average number of comparisons for a lookup or update operation is R/2H. when H >> R, - Each state can be stored in a different slot. - The lists stored in each slot will either be empty or contains one single states SPIN Search Optimization25

/ PSWLAB Bitstate Hashing (3/4) R : the number of reachable states M : the memory size that hash table can use S : the memory size that each state holds H : the number of slots in hash table In standard hash table, H = M/S and If R*S >> M, only (M/S*R) of system state can be covered. If M >> R, assume that hash table has M slots. → Then we can assume that there is either no state or one state in each slot. → Therefore only one bit is enough to represent each slot SPIN Search Optimization26

/ PSWLAB Bitstate Hashing (4/4) In bitstate hashing, it is possible to cover at most M states where M is the memory size for statespace in bits. Using a hash function hash ( state s) that maps a state descriptor to a value in range of 0.. M -1. For a state s, if slot ( hash ( s )) is true then state s was visited during the searching. But this method can not guarantee exhaustive search.  For a state s where k = hash ( s ), if slots ( k ) = true, it is impossible to distinguish whether s was visited or some other state s ’ where hash ( s ’)= k was visited.  But this method does not report false error SPIN Search Optimization27

/ PSWLAB Hash Compact (1/2) If M · R*S, then we can assign b M/R c bits for each reachable state. In hash compact, the hash function hash ( state s) returns values in range of 0..2 b M/R c -1 SPIN stores these hash values instead of state descriptor. The hash compact method can be enabled by compiling a verifier with –DHC4. For example, M=10 9 and R=10 7 In bitstate hashing, R/M=1/10 2 In hash compact, R/2 M/R = 10 7 /2 100 ~ 1/ SPIN Search Optimization28

/ PSWLAB Hash Compact (2/2) SPIN Search Optimization29 Measured Coverage of Double Bitstate Hashing(k=2) compared with Hash- Compact(hc), and Exhaustive Search Problem size: reachable states, state descriptor size 1376 bits

/ PSWLAB Further Study Partial Order Reduction – Static reduction technique used in S PIN SPIN Search Optimization30

/ PSWLAB References [1]“THE SPIN MODEL CHECKER” by G. J. Holzmann. [2]The Engineering of a Model Checker: the Gnu i-Protocol Case Study Revisited, G. J. Holzmann. [3]An Improvement in Formal Verification, G.J. Holzmann and Doron Peled SPIN Search Optimization31