
Exploiting Predicate Structure for Efficient Reachability Detection






Presentation Transcript


  1. Exploiting Predicate Structure for Efficient Reachability Detection
  Sujatha Kashyap, Dr. Vijay K. Garg
  Parallel and Distributed Systems Laboratory

  2. Outline
  • Problem Statement (Motivation)
  • Notation and Background
  • Overview of Technique
  • Experimental Results
    • Comparison with SPIN
  • Concluding Remarks

  3. Complexity of Model Checking
  • Explicit state representation [Clarke, Emerson 1981]
    • Labeled transition systems.
    • CTL model checking in O(|M|·|f|) [Clarke, Emerson, Sistla 1986]
    • |M| is very large (state space explosion).
  • Implicit representation
    • E.g., BDDs [McMillan 1991].
    • Model checking becomes PSPACE-complete in the size of the structure [Feigenbaum et al. 1999]
  Motivation: To find a happy medium.

  4. Concurrency and Partial Orders
  • Approaches exploiting the nature of concurrent events:
    • Partial-order models
      • Lamport 1978: “happened-before” relation
      • Mazurkiewicz 1986: “traces”
      • McMillan 1991: Petri net unfoldings
    • Partial-order reduction
      • Valmari 1990: stubborn sets
      • Peled 1993: ample sets
      • Godefroid 1996: persistent sets
  [Figure: the interleavings of three concurrent events a1, a2, a3.]

  5. Basic Notation
  • Program P = (S, T, s0)
    • S: Finite set of states
    • T: Finite set of transitions
    • s0: Initial state
  • enabled(s) ⊆ T
    • All transitions executable from state s
  • s’ = α(s)
    • Only deterministic transitions
  • Event = occurrence of a transition
  • Interleaving sequence, w
  • states(w)
  [Figure: transitions α, β, γ, δ from s0 through s1, s2, s3.] Example: w = αβγ, states(w) = {s0, s1, s2}

  6. Independence of events [Mazurkiewicz 1986]
  • An independence relation I ⊆ T × T is an antireflexive, symmetric relation such that (α, β) ∈ I iff for all s ∈ S, if α ∈ enabled(s):
    • Enabledness: β ∈ enabled(s) ⟺ β ∈ enabled(α(s)).
    • Commutativity: α, β ∈ enabled(s) ⟹ α(β(s)) = β(α(s)).
  • The dependency relation D = (T × T) \ I.
  [Figure: diamond from s, with α leading to s1, β leading to s2, and both orders reaching r.]
  Note: We will assume that events belonging to the same process are always dependent.
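The two conditions on slide 6, checked directly over a small constructed program (added example, not code from the slides or the authors): the transitions, state bounds and the shared flag are assumptions, and same-process transitions are taken as dependent as the slide's note requires.

```python
# Added example (not from the slides): checking Mazurkiewicz independence of
# two deterministic transitions on a small constructed program. A state is
# (x, y, s): x is local to P1, y is local to P2, s is a shared flag.
TRANSITIONS = {   # name: (owning process, guard, successor function)
    "inc_x": ("P1", lambda st: st[0] < 2, lambda st: (st[0] + 1, st[1], st[2])),
    "inc_y": ("P2", lambda st: st[1] < 2, lambda st: (st[0], st[1] + 1, st[2])),
    "set_s": ("P1", lambda st: st[2] == 0, lambda st: (st[0], st[1], 1)),
    "clr_s": ("P2", lambda st: st[2] == 1, lambda st: (st[0], st[1], 0)),
}
STATES = [(x, y, s) for x in range(3) for y in range(3) for s in range(2)]

def enabled(state):
    """enabled(s): the transitions whose guard holds in `state`."""
    return {name for name, (_, guard, _) in TRANSITIONS.items() if guard(state)}

def apply(name, state):
    """s' = alpha(s) for the deterministic transition `name`."""
    return TRANSITIONS[name][2](state)

def independent(a, b):
    """(a, b) in I. Same-process transitions are dependent by assumption (slide 6);
    otherwise check enabledness and commutativity wherever either one is enabled."""
    if a == b or TRANSITIONS[a][0] == TRANSITIONS[b][0]:
        return False
    for first, second in ((a, b), (b, a)):          # I is symmetric: check both
        for st in STATES:
            if first not in enabled(st):
                continue
            # Enabledness: second enabled at st iff enabled after first fires.
            if (second in enabled(st)) != (second in enabled(apply(first, st))):
                return False
            # Commutativity: when both are enabled, the order does not matter.
            if second in enabled(st) and \
                    apply(first, apply(second, st)) != apply(second, apply(first, st)):
                return False
    return True

def dependency_relation():
    """D = (T x T) minus I, computed directly from the definition."""
    names = sorted(TRANSITIONS)
    return {(a, b) for a in names for b in names if not independent(a, b)}
```

The two operations on the shared flag fail the enabledness condition (clr_s becomes enabled only after set_s fires), so they land in D even though they commute wherever both could run.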

  7. Trace equivalence
  • v ≡D w ⟺ v can be transformed into w by commuting only adjacent independent events.
  • Example: I = {(b, c), (b, d), (e, f), (b, f)}
    v = abcdef ≡D acbdef ≡D acdbef ≡D acdbfe ≡D acdfbe = w

  8. Traces
  • ≡D partitions the interleaving sequences of a program P into equivalence classes, called traces.
  • σE: Trace with event set E.
  • States(σ) = ∪ over v ∈ σ of states(v).
  Example: I = {(a, b), (c, f), (d, e)}. From s0 the interleavings {abcde, abced, abdcf, abdfc, bacde, baced, badcf, badfc} fall into two traces:
    σ1 = {abcde, abced, bacde, baced}
    σ2 = {abdcf, abdfc, badcf, badfc}
  [Figure: state graph from s0 with events a, b, c, d, e, f through s1 and s2.]

  9. Traces as Partial Orders
  • A trace corresponds to a partial order.
  • State ↔ order ideal (down-set).
  • Q is an order ideal of a poset (P, ≤) iff Q ⊆ P and: ∀x ∈ Q, y ∈ P: y ≤ x ⟹ y ∈ Q.
  σ1 = {abcde, abced, bacde, baced}
  σ2 = {abdcf, abdfc, badcf, badfc}
  [Figure: the partial orders of σ1 and σ2 beside the interleaved state graph from s0.]

  10. “Happened-before” [Lamport 1978]
  • The happened-before relation → on a trace σE = [w] is the smallest transitive relation that satisfies:
    (α, β) ∈ D ∧ (w = u α v β w’) ⟹ α → β, where α, β ∈ E.
  • Note: → is antisymmetric.
  • (E, →) is the poset corresponding to σE.
  Given the dependency relation D and a representative interleaving sequence of a trace, we can obtain the corresponding partial order.

  11. Model Checking with Traces
  • EFσ(φ) ≡ “Some reachable state of the trace σ satisfies φ.”
  • In general, NP-complete for boolean formulae φ [Chase, Garg 1993].
  • Tractable predicate classes for EF:
    • “Stable” predicates [Chandy, Lamport 1985]
      • Once it turns true, it stays true.
      • E.g., deadlock, termination.
  [Figure: state graph from s0 (events a, b, c, d, f) with the states where the stable predicate holds marked “Stable”.]

  12. Traces and Lattices
  • Order ideals of a poset form a lattice under the subset relation.
  • G and H are order ideals ⟹ G ∩ H and G ∪ H are order ideals.
  • Overload “order ideal” to mean “state”.
  [Figure: for a trace σ over events a, b, c, d, f, three views side by side: the partial order O(σ); the lattice of order ideals {}, {a}, {b}, {a, b}, {a, b, d}, {a, b, d, c}, {a, b, d, f}, {a, b, d, c, f}; and the interleaved representation from s0.]

  13. Meet-closed predicates [Chase, Garg 1995]
  • G ⊨ φ and H ⊨ φ ⟹ G ∩ H ⊨ φ.
  • A meet-closed predicate φ has a “least” satisfying state
    • “least” = reached by executing the fewest number of events.
  • If some state G does not satisfy φ, then there exists at least one “crucial event” e ∉ G, such that it is necessary to execute e in order to reach any state (from G) that satisfies φ.
    • “necessary”, but not “sufficient”.
  • If the crucial event can be identified in polynomial time (O(|E|^k) time, for some constant k), then φ is called a linear predicate.
  [Figure: lattice with G = {a, b, d, f}, H = {a, b, d, c} and G ∩ H = {a, b, d}, below {a, b, d, c, f} and above {a, b}, {a}, {b}, {}.]

  14. Linear predicates [Chase, Garg 1995]
  • Examples of linear predicates:
    • “Local” predicates
      • Defined using only local variables from a single process.
    • A conjunction of local predicates
      • l1 ∧ l2 ∧ l3 ∧ ….
  • If the crucial event is identified in O(|E|^k), then EF(φ) takes O(|E|^(k+1)) time.
  • Boolean formulae can be written as a disjunction of linear predicates!
    • EF(φ1 ∨ φ2 ∨ … ∨ φm) = EF(φ1) ∨ EF(φ2) ∨ … ∨ EF(φm)
  [Figure: lattice with the states satisfying φ marked.]

  15. Trace Cover [Kashyap, Garg – ASE 2005]
  • A set of traces Δ of a program P is a trace cover for P iff ∪ over σ ∈ Δ of States(σ) is exactly the reachable state space of P.
  • σ1 ⊑ σ2 : ∃u ∈ σ1, w ∈ σ2 such that u is a prefix of w.
  • Lemma: σ1 ⊑ σ2 ⟹ States(σ1) ⊆ States(σ2)
  • Suffices to consider traces that are maximal under ⊑.
  Trace Cover: σ1 = {abcde, abced, bacde, baced}, σ2 = {abdcf, abdfc, badcf, badfc}
  [Figure: state graph from s0 with events a, b, c, d, e, f through s1 and s2.]

  16. Generating representative interleavings
  • Persistent set [Godefroid, Pirottin 1993]: T ⊆ enabled(s) is persistent in s iff for any non-empty path starting from s in the full state space graph,
    s = s1 →t1 s2 →t2 s3 … sn →tn sn+1, where ti ∉ T for 1 ≤ i ≤ n,
    each ti is independent of all transitions in T.
  • If {b, c} is persistent in s, then (a, b) ∈ I and (a, c) ∈ I.
  [Figure: state s with transitions a, b, c enabled (and f further on); the transition graph shows a still enabled after b or c.]

  17. Theorem 4 [Peled 1994]: Exploring a persistent set of events at each state is sufficient to construct a representative interleaving for each trace of P that is maximal under ⊑.
  [Figure: the state graph from s0 (events a, b, c, d, e, f) with one representative interleaving per maximal trace highlighted: abdfc and abced.]

  18. Obtaining (E, →)
  • Assign vector timestamps to events [Mattern 1989, Fidge 1991]
    • Timestamp is an integer vector of dimension n (# of processes).
    • α.v denotes the timestamp of event α.
  • When α ∈ Pi is concatenated to sequence τ:
    • dep(α) = all events in τ on which α is dependent.
    • For all j, initialize α.v[j] to the max jth component in dep(α).
    • Increment α.v[i].
  • Theorem: α.v < β.v ⟺ α → β
  [Figure: P1 executes a1, a2 and P2 executes b1, b2, with (a2, b2) ∈ D; the interleaving a1 a2 b1 b2 is shown with timestamps labelled (10), (01), (02), (22).]
  Vector timestamps capture exactly the poset (E, →).

  19. Comparison with P.O. reduction
  • A transition is invisible w.r.t. a set of variables if it does not change the value of any of them.
  • In p.o. reduction:
    • If persistent(s) ≠ enabled(s) then every α ∈ persistent(s) must be invisible [Peled 1993].
    • Reduction highly dependent on the properties being checked [Gerth et al., 1995].
    • High expressibility: can check LTL-X, CTL-X [Peled and Wilke 1997].
  • Our approach:
    • Don’t worry about invisibility.
    • Size of representation is independent of properties being checked.
    • Can check much more limited classes of predicates.
  [Figure: diamond of states labelled p,q / p,¬q / p,q under transitions α and β.]

  20. [Figure: PROMELA model → SPIN → reduced transition graph.]

  21. “Trace Cover”
  [Figure: PROMELA model → SPIN with the trace cover algorithms → trace cover.]
  • EFP(φ) ≡ “Some reachable state of the program P satisfies φ.”
  • Let Δ be a trace cover for P.
  • EFP(φ) = ∨ over σ ∈ Δ of EFσ(φ)
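The pipeline of slides 10, 12, 18 and 21 carried through in code (added example, not code from the slides or the authors): vector timestamps for an interleaving, the happened-before poset they induce, its order ideals as the states of the trace, and EF over a trace cover as a disjunction over traces. The processes, event names and the dependency pair (a2, b2) follow the slide 18 figure; everything else is an assumption of this example.

```python
# Added example (not from the slides): vector timestamps for an interleaving
# (slide 18), the poset (E, ->) they induce (slide 10), its order ideals, i.e.
# the states of the trace (slides 9, 12), and EF over a trace cover (slide 21).
# The processes, events and dependency relation D are constructed.
from itertools import combinations

PROCS = ["P1", "P2"]
# Interleaving w as (event, process) pairs; same-process events are dependent.
W = [("a1", "P1"), ("a2", "P1"), ("b1", "P2"), ("b2", "P2")]
D = {("a2", "b2"), ("b2", "a2")}   # cross-process dependency (symmetric)

def dependent(alpha, beta):
    return alpha[1] == beta[1] or (alpha[0], beta[0]) in D

def vector_timestamps(w):
    """alpha.v[j] = max j-th component over dep(alpha), then increment alpha.v[i]."""
    stamps = {}
    for k, alpha in enumerate(w):
        v = [0] * len(PROCS)
        for beta in w[:k]:                      # dep(alpha): earlier dependent events
            if dependent(alpha, beta):
                v = [max(x, y) for x, y in zip(v, stamps[beta[0]])]
        v[PROCS.index(alpha[1])] += 1
        stamps[alpha[0]] = tuple(v)
    return stamps

def happened_before(stamps, a, b):
    """a -> b iff a.v < b.v: <= in every component and != overall."""
    return stamps[a] != stamps[b] and all(x <= y for x, y in zip(stamps[a], stamps[b]))

def order_ideals(stamps):
    """Down-sets of (E, ->): every event below a member is also a member."""
    names = list(stamps)
    ideals = []
    for r in range(len(names) + 1):
        for sub in combinations(names, r):
            s = set(sub)
            if all(p in s for e in s for p in names if happened_before(stamps, p, e)):
                ideals.append(frozenset(s))
    return ideals

def ef_trace(stamps, phi):
    """EF_sigma(phi): some order ideal (state) of the trace satisfies phi."""
    return any(phi(state) for state in order_ideals(stamps))

def ef_program(cover, phi):
    """EF_P(phi) over a trace cover: the disjunction of EF_sigma over its traces."""
    return any(ef_trace(stamps, phi) for stamps in cover)
```

For W the timestamps come out as a1 = (1,0), a2 = (2,0), b1 = (0,1), b2 = (2,2), and the trace has seven states; a predicate such as "b2 has occurred but a2 has not" is correctly reported unreachable because (a2, b2) ∈ D forces a2 → b2.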

  22. Experimental Results (a) No errors in protocols

  23. Experimental Results (a) Safety violations present in protocols

  24. Concluding Remarks
  • Two-pronged approach:
    • Compact, implicit representation of state space.
    • Polynomial algorithms for model checking on the representation.
  • Main limitation: Expressibility
  • Future work:
    • Increase expressibility!
