1. I/O Efficient Directed Model Checking Shahid Jabbar and Stefan Edelkamp, Computer Science Department University of Dortmund, Germany

2. Shahid Jabbar (Dortmund)I/O Efficient Directed MC2 Problem  In explicit-state model checking, most real-world models require enormous amount of memory.  How to cope with this state space explosion problem ?

3. Shahid Jabbar (Dortmund)I/O Efficient Directed MC3 Directed Model Checking (Edelkamp, Leue, Lluch-Lafuente, 2004)  A guided search in the state space.  Usually by some heuristic estimate.  Only promising states are explored.  Under-certain conditions proved to be complete.

4. Shahid Jabbar (Dortmund)I/O Efficient Directed MC4 A Closer look at different strategies Depth first Breadth first A* Best first

5. Shahid Jabbar (Dortmund)I/O Efficient Directed MC5 Advantages of Directed Model Checking  Partial exploration of the state space.  Shorter error trails Better for human comprehension  Problem: The inevitable demands of the model.. Space, space and space.

6. Shahid Jabbar (Dortmund)I/O Efficient Directed MC6 Possible Solution  Use Virtual Memory. Assume a bigger address space divided into pages. Saved on the hard disk but are moved back to the main memory whenever they are “called” – Page Faults. Pages are mapped to physical locations within the main memory and the desired content is returned from the main memory location.

7. Shahid Jabbar (Dortmund)I/O Efficient Directed MC7 Problem with the Virtual Memory 0x000…000 0xFFF…FFF Virtual Address Space Memory Page

8. Shahid Jabbar (Dortmund)I/O Efficient Directed MC8 External Memory Model (Aggarwal and Vitter) Input of size N and N >> M M B Disk If the input size is very large, running time depends on the I/Os rather than on the number of instructions.

9. Shahid Jabbar (Dortmund)I/O Efficient Directed MC9 External Memory Graph Algorithms  External breadth first search [Munagala and Ranade, 2001]: Generated states flushed to the disk for every BFS level. No hash table. Duplicates are removed by sorting the nodes according to the indices and doing an scan and compaction phase. Before expanding a layer t, the nodes in the layer t-1 and t-2 are subtracted from t. O(|V| + sort(|V| + |E|)) I/Os. where sort(N) = O(N / B log M/B N / B) I/Os  [Korf, 2003] presented the breadth first search version for implicit graphs.

10. Shahid Jabbar (Dortmund)I/O Efficient Directed MC10 A* Algorithm  A.k.a Goal-directed Dijkstra  A heuristic estimate is used to guide the search. E.g. Straight line distance from the current node to the goal in case of a graph with a geometric layout.  Reweighing: w’(u,v) = w(u,v) – h(u) + h(v)  Problems: A* needs to store all the states during exploration. A* generates large amount of duplicates that can be removed using an internal hash table – only if it can fit in the main memory. A* do not exhibit any locality of expansion. For large state spaces, standard virtual memory management can result in excessive page faults.

11. Shahid Jabbar (Dortmund)I/O Efficient Directed MC11 Take a closer look  Implicit, unweighted, undirected graphs  Consistent heuristic estimates. => ∆h ={-1,0,1} g 0 1 2 3 4 5 0123456 h It’s a Bucket !!

12. Shahid Jabbar (Dortmund)I/O Efficient Directed MC12 Bucket  A Bucket is a set of states, residing on the disk, having the same (g, h) value, Where, g = number of transitions needed to transform the initial state to the states of the bucket, and h = Estimated distance of the bucket’s state to the goal  No state is inserted again in a bucket that is expanded.  If Active (being read or written), represented internally by a small buffer. File on disk Buffer in internal memory Insert stateFlush when full

13. Shahid Jabbar (Dortmund)I/O Efficient Directed MC13 External A* [Edelkamp, Jabbar, and Schroedl, 2004]  Buckets represent temporal locality – cache efficient order of expansion.  If we store the states in the same bucket together we can exploit the spatial locality.  Munagala and Ranade’s BFS and Korf’s delayed duplicate detection for implicit graphs. External A*

14. Shahid Jabbar (Dortmund)I/O Efficient Directed MC14 Complexity Analysis  Internal A* => Each edge is looked at most once.  Duplicates Removal: Sorting the green bucket having one state for every edge from the 3 black buckets. Scanning and compaction.  O(sort(|E|))  Subtraction: Removing states of orange buckets (duplicates free) from the green one.  O(scan(|V|) + scan(|E|))

15. Shahid Jabbar (Dortmund)I/O Efficient Directed MC15 I/O Performance of External A* Theorem: The complexity of External A* in an implicit unweighted and undirected graph with a consistent estimate is bounded by O(sort(|E|) + scan(|V|)) I/Os.

16. Shahid Jabbar (Dortmund)I/O Efficient Directed MC16 Directed Graphs in Model Checking  In undirected graphs, we are required to look at only two layers for duplicate detection.  But in model checking, we are mainly concerned with directed graphs.  Result by [Zhou & Hansen, 2004] Duplicate detection scope = Locality of the search  Locality = max{\delta(s,u)-\delta(s,v), 0} for all edges (u, v) \delta denotes the shortest path.  In directed graphs, scope corresponds to the largest cycle in the graph.  Largest cycle ≤ Sum of the largest cycles in individual processes.

17. Shahid Jabbar (Dortmund)I/O Efficient Directed MC17 From SPIN to HSF-SPIN to IO-HSF-SPIN  SPIN: A well-known model checker.  HSF-SPIN (Edelkamp, Leue, Lluch-Lafuente): Directed Model Checking Extension of SPIN.  IO-HSF-SPIN: External HSF-SPIN. Incorporates External A* in HSF-SPIN. Successfully implemented for deadlock detection. Active process heuristic is used to guide the search.

18. Shahid Jabbar (Dortmund)I/O Efficient Directed MC18 Experimental Results -1  Deadlock Detection in Dining Philosophers # Philoso- phers Solution Depth #stored sates # expanded states # transitions Space 100402980,00319,503999,5042.29 GB 1506033,330,00344,2533,374,25410.4 GB

19. Shahid Jabbar (Dortmund)I/O Efficient Directed MC19 Experimental Results -2  Deadlock Detection in Optical Telegraph # Sta- tions Solution Depth #stored sates# expanded states # transitionsSpace 53310,8744,94524,5833.85 MB 745333,848115,631820,319137 MB 850420,498103,667917,011186 MB 9579,293,2032,534,51723,499,5194.29 GB

20. Shahid Jabbar (Dortmund)I/O Efficient Directed MC20 Experimental Results -3  CORBA GIOP – 1 Server, N Clients # Clients Solution Depth #stored sates# expanded states # transitionsSpace 25848,00939,260126,47833.5 MB 370825,789670,6792,416,8230.57 GB 4757,343,3585,727,90922,809,2785.17 GB

21. Shahid Jabbar (Dortmund)I/O Efficient Directed MC21 Experimental Results -4  CORBA GIOP – 2 Servers, N Clients # Clients Solution Depth #stored sates# expanded states # transitionsSpace 264158,561125,514466,3390.12 GB 3762,705,7662,134,7248,705,5882.1 GB 48126,340,41720,861,60988,030,77420.7 GB

22. Shahid Jabbar (Dortmund)I/O Efficient Directed MC22 Pause and Resume  What if even your harddisk becomes full ?  Solution: Since the states are stored on the disk, the algorithm can be stopped at any time and resumed from the last working diagonal.

23. Shahid Jabbar (Dortmund)I/O Efficient Directed MC23 Summary  State space explosion problem can be circumvented by Directed Model Checking.  But even Directed Model Checking can fail for the state spaces that cannot fit into the main memory.  External A* helps in overcoming this problem.  Extended for directed graphs as appear in Model checking.  First external directed model checker IO-HSF-SPIN.  Problem having a state space size of 20.7 GB is successfully solved.