Presentation is loading. Please wait.

Presentation is loading. Please wait.

4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente.

Published byRoland Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente."— Presentation transcript:

1 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente

2 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces2 Context: States as graphs Objects & method frames as nodes Relations & variables as (labelled) edges BufferCell next last first Object val heapstack no method frames in this presentation

3 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces3 Graph formalism Graphs in this presentation: – flat (i.e., not hierarchical), untyped – directed, edge-labelled, no parallel edges – self-edges depicted as node labels Formally: G = (L,N,E) with – L set of labels – N finite set of nodes – E  N  L  N finite set of labelled edges Partial morphisms – structure-preserving node mappings

4 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces4 Graphs as states BufferCell next first, last Object val BufferCell next last first Object val Object val BufferCell next last first Object val Object val Object val BufferCell next first last BufferCell next last first Object val

5 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces5 forbidden Graph Productions Production rule source graph matching Graph transition src(t)tgt(t) morph(t) target graph pushout NAC NACs (SPO = Single Pushout Approach) LHSRHS rule morphism (partial)

6 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces6 Example production rule Alternative single-graph representation: Buffer Cell Object next val last Object blue = eraser: LHS, not RHS; to be matched and deleted green = creator: RHS, not LHS; to be added black = reader: LHS and RHS; to be matched and preserved public void put(Object val) { if (last.next.val == null) { last = last.next; last.val = val; } red = embargo: NAC, not LHS; forbidden

7 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces7 Example rule application Buffer Cell first | last next Object val Buffer Cell last first next Object val Object val Buffer Cell Object next val last Object matching transition

8 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces8 Graphs as states BufferCell next first, last Object val BufferCell next last first Object val Object val BufferCell next last first Object val Object val Object val transitions carry partial morphisms BufferCell next first last BufferCell next last first Object val not inverse!

9 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces9 Aim: software model checking Construct graph production system from – UML diagrams / other specifications – Programs to be checked Generate state space – States=graphs, transitions=transformations Formulate properties – invariants/reachability (safety) – liveness – full temporal logic Check properties on the model

10 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces10 Envisaged tool chain = planned = implemented

11 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces11 Example cases [GraBaTs 2004] List append: highly dynamic, hardly symmetric Philosophers: not at all dynamic, highly symmetric Ring mutex: somewhat dynamic, rather symmetric

12 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces12 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

13 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces13 Time consumption (1) Graph matching – Needed to find production rule matchings – Complexity: NP-complete Alleviating circumstances: – Graphs to be matched are LHSs typically small – Host graphs are software models mostly deterministic transformations only at “locus of control”

14 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces14 Time consumption (2) Graph isomorphism – Used to collapse states – Complexity: between P and NP (!) Approximation techniques – Over-approximation: graph certificates Excellent precision (> 99%) Still requires isomorphism check afterwards – Under-approximation: equality Mediocre precision (10-50%) Very fast; useful as initial filter

15 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces15 Time consumption List append: Relatively large graphs Philosophers: Many symmetries Mutex: Many states & transitions

16 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces16 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs)? Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

17 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces17 Space consumption Symbolic methods (BDDs) not suitable – No fixed state vector – Idea: Store “deltas” between graphs – Average delta: 2-7 elements Transition storage also expensive – Idea: Store “boundaries” of LHS matching – Average boundary: 2-3 elements Current implementation: – Overhead per state/transition > 75% – Java quite memory generous

18 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces18 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

19 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces19 State space reduction (1) Existing techniques: – Symmetry recognition – Partial order reduction – Abstraction, e.g. slicing (property-driven) Symmetry recognition: here automatic – Implied by isomorphism check – Dining philosophers: linear reduction – Expectation: little symmetry in real life

20 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces20 State space reduction (2) Partial order reduction – Linearization of confluent rule applications – Theory: Exponential “best case” improvement Restricted applicability, especially with NACs – Practice: ??? Abstraction – Approximative results (false negatives) – Very promising, not just for this purpose

21 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces21 Experimentation (1) Dining philosophers – get hungry – get left fork, get right fork (in sequence) – drop both forks (atomically) and think #phils#states#transspace (MB)time (s) 51174810.11 83,26121,5362.919 1032,903271,63424,8199 12347,3373,440,980267.03,712

22 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces22 #phils#states#transspace(MB)exec(s)prep(s) 83,26121,5362.919 1032,903271,63424.8199 12347,3373,440,980267.03,712 #phils#states#transspace(MB)exec(s)prep(s) 83,26121,5362.919 25,961171,0588.817 1032,903271,63424.8199 328,5032,711,20090.0129 347,3373,440,980267.03,712 4,165,71041,267,30 0 419.854510 Comparison [ICGT 2004] CheckVML (Varró) – Encode graphs in SPIN – Choose fixed node identities – Predict rule applications reduction = degree of symmetry

23 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces23 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

24 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces24 Property specification State-based properties – Invariants, liveness properties – Expressible by graph predicates – Mechanism: graph embedding (+ NACs) Temporal logic properties – Existing MC logics are propositional (L/CTL) – Graph properties are FOL formulae – Dynamic allocation/deallocation

25 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces25 Graph Temporal Logic Navigation using regular expressions path ::= a | path.path | path+path | path*. Second-order expressions for node sets set ::= Z | x | set.path | All. Linear temporal logic with predicates form::= x  set |  form | form  form |  x: form | let Z=set in form | X form | form U form. abbreviation: set for  x: x  set

26 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces26 Example properties The buffer is circular  n  Cell: n  n.next + Cell values are unchanged until consumed G(  n  Cell:  x  n.val: x  n.val U  x) Values are consumed in-order G(  n  Cell: n.next.val  (n.next.val U ! n.val)) New values are created all the time G(let Z=val in F(  x  val: x  Z)) second-order property node identity traced through run connectivity already second-order

27 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces27 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

28 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces28 Model checking algorithms More expressiveness means less decidability/higher complexity Initial ideas: [FSTTCS 2004] – With Distefano & Katoen – No edges (multisets of entities) – Single outgoing edge

29 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces29 Issues to be addressed Time consumption (complexity) – graph matching – isomorphism Space consumption (memory usage) – state and transition storage – symbolic techniques (BDDs) not applicable Problem size – state size not a priori fixed (generally unbounded) – state spaces generally infinite Propositional logic not suitable Model checking algorithms not suitable Verification not generic (problem size 4, 5, …) 

30 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces30 Abstract interpretation Method consists of: – Concrete TS: (S c, ,i c ) – Abstract TS: (S a, ,i a ) – Abstraction function α : S c  S a with α (i c )=i a that is Sound: s c  s c ’ implies α (s c )  α (s c ’) Weakly complete: s a  s a ’ implies s c  s c ’ for some s c  α -1 (s a ), s c ’  α -1 (s a ’) ( α is a surjective simulation/homomorphism) Property reflecting: –α (s c )  a φ implies s c  c φ for φ in an appropriate logic – not vice versa: verification is approximative infinite state computable, finite state false negatives

31 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces31 Abstraction research programme Define graph abstraction – Automatically computable – Property reflecting Lift graph transformations – Define effect directly on abstract graphs Develop general theory – Basic principles to apply to any GT approach – Wanted: Algebraic justification

32 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces32 Graph abstraction [ESOP 2004] ListCell nxt fst Object val Object val Cell nxt Cell nxt Object first shared no nxt unused unshared nxt shared no nxt

33 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces33 Enriching abstract graphs The following information is added: – The (potential) number of node instances – The (potential) degree of sharing (in+out) Both can be expressed as multiplicities Strongly inspired by shape graphs – Sagiv, Reps, Wilhelm, Benedikt

34 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces34 Pictorial representation Write edge multiplicities at “ports” nxt fst val nxt Object ListCell Object 1 >1 1 1 1 1 11 1 1 1 111 1 Node multiplicities Outgoing edges Incoming edges Object >1

35 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces35 Abstract graph transformation Materialization – Matching of left hand side made concrete – Result: partially concrete graph Transformation – Partially concrete graph treated as fully concrete Normalization – Transformation result is partially concrete – Re-apply abstraction principle

36 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces36 Abstract circular buffer transition system

37 4 March 2005, NVTI day, UtrechtGraph-Based State Spaces37 What you should take home Graphs as states: promising model Some inherent benefits – Captures dynamic behaviour – Implicit symmetries – Allows structural abstraction Some inherent disadvantages – Infinite state space – Increased complexity in several issues A lot of open issues

Download ppt "4 March 2005, NVTI day, UtrechtGraph-Based State Spaces1 Arend Rensink University of Twente."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Recipes for State Space Reduction Arend Rensink, University of Twente Dutch Model Checking Day, May 2014.

Recipes for State Space Reduction Arend Rensink, University of Twente Dutch Model Checking Day, May 2014.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.

Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
Verification of Graph Transformation Systems Arman Sheikholeslami

Verification of Graph Transformation Systems Arman Sheikholeslami
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler.

Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

Similar presentations

Ads by Google