Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Predicate Structure for Efficient Reachability Detection

Published byEmily Hunt Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploiting Predicate Structure for Efficient Reachability Detection"— Presentation transcript:

1 Exploiting Predicate Structure for Efficient Reachability Detection
Sujatha Kashyap Dr. Vijay K. Garg Parallel and Distributed Systems Laboratory

2 Outline Problem Statement ( Motivation) Notation and Background
Overview of Technique Experimental Results comparison with SPIN Concluding Remarks

3 Complexity of Model Checking
Explicit state representation [Clarke, Emerson 1981] Labeled transition systems. CTL model checking in O(|M|.|f|) (Clarke, Emerson, Sistla 1986) |M| is very large (state space explosion). Implicit representation E.g., BDDs [McMillan 1991]. Model checking becomes PSPACE-complete in the size of the structure (Feigenbaum et al. 1999) Implicit representations, on average, result in a succint representation of the model (worst-case still exponential in the size of the circuit/program). BDD representation: Reachability checking is PSPACE-complete. Petri Net unfoldings of 1-safe net systems: Reachability is NP-complete. CTL formula checking is PSPACE complete. Motivation: To find a happy medium.

4 Concurrency and Partial Orders
Approaches exploiting the nature of concurrent events: Partial-order models Lamport 1978: “happened-before” relation Mazurkiewicz 1986: “traces” McMillan 1991: Petri net unfoldings Partial-order reduction Valmari 1990: stubborn sets Peled 1993: ample sets Godefroid 1996: persistent sets a1 a3 a2 a1 a3 a2 a2 a3 a1 Concurrency greatly contributes to state space explosion in explicit state representations. a2 a3 a1

5 Basic Notation s0 s3 s2 s1 w = α β γ states(w) = {s0, s1, s2}
Program P = (S, T, s0) S: Finite set of states T: Finite set of transitions s0: Initial state enabled(s)  T All transitions executable from state s s’ = α(s) Only deterministic transitions Event = occurrence of a transition Interleaving sequence, w states(w) δ γ α s3 s2 β s1 w = α β γ states(w) = {s0, s1, s2}

6 Independence of events
[Mazurkiewicz 1986] An independence relation I  T x T is an antireflexive, symmetric relation such that (α, β)  I iff for all s  S, if α  enabled(s) : Enabledness: β  enabled(s) β  enabled(α (s)). Commutativity: α, β  enabled(s) α(β(s)) = β(α(s)). The dependency relation D = (T X T) \ I. s α β s1 s2 β α r Note: We will assume that events belonging to the same process are always dependent.

7 Trace equivalence D  v D w
v can be transformed into w by commuting only adjacent independent events. Example: I = {(b, c), (b, d), (e, f) (b, f)} v = abcdef D acbdef D acdbef D acdbfe D acdfbe = w

8 Traces s2 s1 f e c d D partitions the interleaving sequences of a program P into equivalence classes, called traces. σE: Trace with event set E. States(σ) = v  σ states(v). f c d e d c b a a b s0 {abcde, abced, abdcf, abdfc, bacde, baced, badcf, badfc} I = {(a,b), (c,f), (d,e)} σ1 = {abcde, abced, bacde, baced} σ2 = {abdcf, abdfc, badcf, badfc}

9 Traces as Partial Orders
A trace corresponds to a partial order. s2 s1 e d c f f e c d f c d e c d d c b a a b a b σ1 σ2 a b s0 State  order ideal (down-set) σ1 = {abcde, abced, bacde, baced} σ2 = {abdcf, abdfc, badcf, badfc} Q is an order ideal of a poset (P, ) iff Q  P and: x  Q, y  P: y  x  y  Q.

10 “Happened-before” [Lamport 1978] The happened-before relation  on a trace σE = [w] is the smallest transitive relation that satisfies: (α, β)  D  (w = u α v β w’)  α  β where α, β  E. Note:  is antisymmetric (E, ) is the poset corresponding to σE. Given the dependency relation D and a representative interleaving sequence of a trace, we can obtain the corresponding partial order.

11 Model Checking with Traces
EFσ(φ)  “Some reachable state of the trace σ satisfies φ.” In general, NP-complete for boolean formulae φ [Chase, Garg 1993]. s2 Tractable predicate classes for EF: “Stable” predicates [Chandy, Lamport 1985] Once it turns true, it stays true. E.g., deadlock, termination. f c Stable f c d b a a b s0

12 Overload “order ideal” to mean “state”
Traces and Lattices {a, b, d, c, f} c f {a, b, d, f} {a, b, d, c} {a, b, d} f c d {a, b} f c {a} {b} a b d σ b a {} Trace as partial order O (σ) a b s0 Lattice of order ideals Interleaved representation Order ideals of a poset form a lattice under the subset relation. G and H are order ideals  G  H and G H are order ideals. Overload “order ideal” to mean “state”

13 Meet-closed predicates
[Chase, Garg 1995] G  φ and H  φ  G∩ H  φ. A meet-closed predicate φ has a “least” satisfying state “least” = reached by executing the fewest number of events. If some state G  φ, then there exists at least one “crucial event” e  G, such that it is necessary to execute e in order to reach any state (from G) that satisfies φ. “necessary”, but not “sufficient”. If the crucial event can be identified in polynomial time (O(|E|k) time, for some constant k), then φ is called a linear predicate. {a, b, d, c, f} G={a, b, d, f} H={a, b, d, c} GH={a, b, d} {a, b} {a} {b} {}

14 Linear predicates “Local” predicates [Chase, Garg 1995]
 φ Examples of linear predicates: “Local” predicates Defined using only local variables from a single process. A conjunction of local predicates l1  l2  l3 …. If crucial event is identified in O(|E|k), then EF(φ) takes O(|E|k+1) time. Boolean formulae can be written as a disjunction of linear predicates! EF(φ1φ2 …φm) = EF(φ1)  EF(φ2) …  EF(φm)

15 Trace Cover s2 s1 s0 [Kashyap, Garg – ASE 2005]
A set of traces Δ of a program P is a trace cover for P iff σΔ States(σ) is exactly the reachable state space of P. σ1  σ2 : u  σ1, w  σ2, such that u is a prefix of w. Lemma: σ1  σ2  States(σ1)  States(σ2) Suffices to consider traces that are maximal under . s2 s1 f e c d f c d e d c b a a b s0 Trace Cover: σ1 = {abcde, abced, bacde, baced} σ2 = {abdcf, abdfc, badcf, badfc}

16 Generating representative interleavings
Persistent set [Godefroid, Pirottin 1993]: T  enabled(s) is persistent in s iff for any non-empty path starting from s in the full state space graph: s = s1 s2 s3 … sn  sn+1 where ti  T, 1  i  n, ti is independent of all transitions in T. t1 t2 t3 tn-1 tn b a s b a c c If {b, c} is persistent in s, then (a, b)  I, (a, c)  I. f

17 s2 s1 f e c d Theorem 4 [Peled 1994]: Exploring a persistent set of events at each state is sufficient to construct a representative interleaving for each trace of P that is maximal under . f c d e d c b a a b s0 abd f c a b abc e d

18 Obtaining (E, ) Theorem: α.v < β.v  α  β
Assign vector timestamps to events [Mattern 1989, Fidge 1991] Timestamp is an integer vector of dimension n (# of processes). α.v denotes the timestamp of event α. When α  Pi is concatenated to sequence τ: dep(α) = all events in τ on which α is dependent. For all j, initialize α.v[j] to the max jth component in dep(α). Increment α.v[i]. b2 a1, a2  P1 b1, b2  P2 (a2, b2)  D Theorem: α.v < β.v  α  β (22) a2 (02) a1 a2 b1 b2 a1 b1 (01) (10) Vector timestamps capture exactly the poset (E, )

19 Comparison with P.O. reduction
α p,q β p,¬q p,q β α p,q A transition is invisible w.r.t. a set of variables if it does not change the value of any of them. In p.o. reduction: If persistent(s)  enabled(s) then every α  persistent(s) must be invisible [Peled 1993]. Reduction highly dependent on the properties being checked [Gerth et al., 1995]. High expressibility: can check LTL-X, CTL-X [Peled and Wilke 1997]. Our approach: Don’t worry about invisibility. Size of representation is independent of properties being checked . Can check much more limited classes of predicates.

20 SPIN PROMELA Reduced transition graph

21 “Trace Cover” SPIN Trace cover algorithms PROMELA Trace Cover EFP(φ)  “Some reachable state of the program P satisfies φ.” Let Δ be a trace cover for P. EFP(φ) = σΔ EFσ(φ)

22 (a) No errors in protocols
Experimental Results Protocol Property SPIN, no reduction SPIN, P.O. reduction Trace-Cover SPIN Time (sec) Mem (MB) States Dining philosophers (N=6) [Chandy, Misra 1984] EF(eatingi  eating(i+1) mod N) *** 759 439 0.03 1.25 83 Leader election (N=6) [Dolev, Klawe, Rodeh 1982] EF(nr_leaders > 1) 777 64 238569 75 93 118971 Mutual exclusion (N=5) [Ricart, Agarwala 1981] EF(incs > 1) 25 349 652365 2.51 26 46880 0.05 2.65 187 (a) No errors in protocols

23 (a) Safety violations present in protocols
Experimental Results Protocol Property SPIN, no reduction SPIN, P.O. reduction Trace-Cover SPIN Time (sec) Mem (MB) States Dining philosophers (N=6) [Chandy, Misra 1984] EF(eatingi  eating(i+1) mod N) 42 257 10 43 170619 0.03 1.25 81 Leader election (N=6) [Dolev, Klawe, Rodeh 1982] EF(nr_leaders > 1) *** 547 44 159750 53 69 87435 Mutual exclusion (N=5) [Ricart, Agarwala 1981] EF(incs > 1) 19 276 510828 1.59 15 26126 0.05 2.65 181 (a) Safety violations present in protocols

24 Concluding Remarks Two-pronged approach:
Compact, implicit representation of state space. Polynomial algorithms for model checking on the representation. Main limitation: Expressibility Future work: Increase expressibility!

Download ppt "Exploiting Predicate Structure for Efficient Reachability Detection"

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.

Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.
Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.

Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.
A Technique for Parallel Reachability Analysis of Java Programs Raghuraman R. Sridhar Iyer G. Sajith.

A Technique for Parallel Reachability Analysis of Java Programs Raghuraman R. Sridhar Iyer G. Sajith.
Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.

Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.

Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler.

Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Similar presentations

Ads by Google