Large Scale External Directed Liveness Checking
Stefan Edelkamp, Shahid Jabbar
Computer Science Department, University of Dortmund, Dortmund, Germany
Model Checking
• Given:
  • A model of a system.
  • A specification property.
• Model Checking Problem: Does the system satisfy the property?
• An exhaustive exploration of the state space.
• Problem: How to cope with large state spaces that do not fit into the main memory?
• In practice: successes in finding bugs.
External Directed Model Checking Liveness
Directed Model Checking (Edelkamp, Leue, Lluch-Lafuente, 2004)
• A guided search in the state space, usually by some heuristic estimate.
• Only promising states are explored.
• Under certain conditions proved to be optimal.
• Short error trails: better for human comprehension.
• Problem: the inevitable demands of the model: space, space and space.
A* Algorithm
• A heuristic estimate is used to guide the search, e.g. the straight-line distance from the current node to the goal in a graph with a geometric layout.
• Problems:
  • A* needs to store all the states during exploration.
  • A* generates a large number of duplicates that can be removed using an internal hash table, but only if it fits in the main memory.
  • A* does not exhibit any locality of expansion. For large state spaces, standard virtual memory management can result in excessive page faults.
Problem with the Virtual Memory
[Figure: the virtual address space from 0x000…000 to 0xFFF…FFF mapped onto memory pages]
External Memory Model (Aggarwal and Vitter)
[Figure: main memory of size M, disk, transfers in blocks of size B]
• If the input size is very large, the running time depends on the I/Os rather than on the number of instructions.
• Input of size N with N >> M.
• Scan(N) = O(N / B)
• Sort(N) = O((N / B) log_{M/B} (N / B))
Duplicates' Removal: External BFS (Munagala & Ranade)
[Figure: BFS layers t, t+1, t+2; the successor list of layer t+1 is sorted and compacted, then layers t and t+1 are subtracted]
• I: Remove duplicates by sorting the nodes according to their indices and doing a scan and compaction phase.
• II: Subtract layers t and t+1 from t+2.
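The two phases above, as an added Python example that is not from the paper or the authors' SPIN-based implementation: layers are kept as sorted files in a scratch directory, phase I sorts and compacts the successor list of layer t+1, and phase II subtracts layers t and t+1 with a merge-style scan instead of a hash table. The graph is a constructed toy input.

```python
import heapq
import tempfile
from pathlib import Path

# Constructed toy graph, undirected (edges listed both ways): in an undirected graph a
# successor of layer t+1 lies in layer t, t+1 or t+2, so subtracting t and t+1 is enough.
GRAPH = {0: [1, 2], 1: [0, 3], 2: [0, 3], 3: [1, 2, 4], 4: [3]}

def write_layer(states, path):  # layers live on disk as sorted files, one state per line
    path.write_text("".join(f"{s}\n" for s in states))

def read_layer(path):  # a sequential scan of a sorted layer file
    return (int(line) for line in path.read_text().splitlines())

def sorted_difference(a, b):
    """A minus B for sorted inputs by a single merge-style scan; no hash table is needed."""
    b = iter(b)
    nxt = next(b, None)
    for x in a:
        while nxt is not None and nxt < x:
            nxt = next(b, None)
        if nxt != x:
            yield x

def next_layer(graph, prev, curr, out):
    """Build layer t+2 from t+1 (curr), subtracting t (prev) and t+1; returns its size."""
    # Phase I: expand t+1, sort the successor multiset, then scan and compact duplicates
    succ = sorted(v for u in read_layer(curr) for v in graph[u])
    compacted = [v for i, v in enumerate(succ) if i == 0 or v != succ[i - 1]]
    # Phase II: subtract layers t and t+1 (merged into one sorted stream) from t+2
    fresh = list(sorted_difference(compacted, heapq.merge(read_layer(prev), read_layer(curr))))
    write_layer(fresh, out)
    return len(fresh)

def external_bfs(graph, source, workdir):
    """Returns the list of layer files; file i holds exactly the states at distance i."""
    empty, layers = workdir / "layer_minus1", [workdir / "layer0"]
    write_layer([], empty)  # stands in for layer t-1 when t = 0
    write_layer([source], layers[0])
    prev, curr = empty, layers[0]
    while True:
        out = workdir / f"layer{len(layers)}"
        if next_layer(graph, prev, curr, out) == 0:  # no new states: BFS is complete
            return layers
        layers.append(out)
        prev, curr = curr, out

def bfs_layers(graph, source):  # run the external BFS in a scratch directory, read layers back
    with tempfile.TemporaryDirectory() as d:
        return [list(read_layer(p)) for p in external_bfs(graph, source, Path(d))]
```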
Set A* (Jensen, Veloso, Bryant 2000)
[Figure: the (g, h) plane; each cell is a bucket ("A Bucket !!")]
• Consistent heuristic estimates ⇒ Δh ∈ {-1, 0, 1, …}
External A* [Edelkamp, Jabbar, and Schroedl, 2004]
• Buckets represent temporal locality: a cache-efficient order of expansion.
• If we store the states of the same bucket together, we can exploit spatial locality.
• Munagala and Ranade's BFS and Korf's delayed duplicate detection for implicit graphs.
External Search for Model Checking [Jabbar and Edelkamp, VMCAI 05]
+ Uses the hard disk to store the state space, divided in the form of buckets.
+ Implemented on top of the SPIN model checker.
+ Promising: the largest exploration so far took ~20 GB, much larger than even the address limits of most computers.
+ Pause and resume support: can add more hard disks.
Problems:
• Slow duplicate detection phase.
• Internal processing time >> external I/O time.
External Parallel DMC [Jabbar and Edelkamp, VMCAI 06]
+ Internal work distributed over multiple processors; these might even be separate machines connected over a network.
+ Inter-process communication through simple files.
+ Workload transferred in bulk rather than as individual states.
+ Promising: almost a linear speed-up on multi-processor machines.
Liveness Property
• Search for a cycle that visits an accepting state infinitely often.
• Perform a nested depth-first search that looks for a state already residing on the stack (Holzmann).
[Figure: a lasso from the initial state through an accepting state back to the head of the lasso]
• DFS does not show any locality ⇒ not suitable for external search!
Liveness as Safety (Schuppan and Biere, 2005)
• Explicitly unroll the lasso.
• Search for the head again.
[Figure: the unrolled lasso from the initial state: head of lasso, accepting state, head of lasso reached a second time]
Liveness as Safety: Extended State Description
[Figure: the extended state (state, head, flag) evolving along the search, from (state, state, 0) at the start through "Head of lasso found" and "Accepting state found" to "Head found again!"]
• Piggyback the head of lasso on the state and search for it!
What makes a state the head of a lasso?
• They said: every state! O(|V|²)
• We say: only the accepting states! O(|V| × |F|)
Algorithm: Heuristic Search for Liveness as Safety
• Stage 1: For a state (s, s, 0), perform a directed search for an accepting state s' in the never-claim. When found, spawn two children:
  • (s', s', 1): head of lasso found!
  • (s', s', 0): head of lasso not found!
• Stage 2: For a state (s, s', 1), perform a directed search for s'.
  • s' might not form a cycle! So keep searching!
Heuristics for the first stage: head of the lasso
[Figure: current never-claim state c and accepting states a1, a2, a3]
• We want to reach an accepting state in the never-claim faster!
• HN = min{d(c, a1), d(c, a2), d(c, a3)}, where d is the shortest-path distance between two states of the never-claim and can be pre-computed.
Heuristics for the second stage: close the lasso
[Figure: model and never-claim, with the target state in red and the current state in blue]
• We want to reach a particular state (in red) in both the model and the never-claim from my current state (in blue).
• H = max{HN, HM}
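The two-stage search (stages 1 and 2 above) together with both heuristics, as an added Python example that is not the authors' code: extended states (s, head, flag) are explored best-first on the product of a constructed toy model and never-claim, HN is the pre-computed never-claim distance, and, as an assumption of this example, HM is an exact BFS distance on the toy model rather than the estimate a real checker would use. Duplicate detection is an in-memory set here, standing in for the external buckets of the paper.

```python
from collections import deque
from heapq import heappush, heappop

def all_pairs_dist(graph):  # unguarded BFS distances, pre-computed once (the graphs are small)
    dist = {}
    for src in graph:
        dist[src], queue = {src: 0}, deque([src])
        while queue:
            u = queue.popleft()
            for v in graph[u]:
                if v not in dist[src]:
                    dist[src][v] = dist[src][u] + 1
                    queue.append(v)
    return dist

def find_acceptance_cycle(model, never, accept, init):  # liveness as safety, best-first search
    dm, dn, inf = all_pairs_dist(model), all_pairs_dist(never), float("inf")
    def succ(s):  # successors in the product; a never-claim guard reads the next model state
        for m2 in model[s[0]]:
            for q2, guard in never[s[1]].items():
                if guard(m2):
                    yield (m2, q2)
    def h(s, head, flag):
        if flag == 0:  # stage 1: HN = never-claim distance to the nearest accepting state
            return min(dn[s[1]].get(a, inf) for a in accept)
        return max(dn[s[1]].get(head[1], inf), dm[s[0]].get(head[0], inf))  # H = max{HN, HM}
    start = (init, init, 0)  # extended state: (product state, head of lasso, flag)
    parent, frontier = {start: None}, [(h(*start), 0, start)]
    while frontier:
        _, g, ext = heappop(frontier)
        s, head, flag = ext
        for s2 in succ(s):
            if flag == 1 and s2 == head:  # head found again: the acceptance cycle is closed
                path = [s2]
                while ext is not None:
                    path.append(ext[0])
                    ext = parent[ext]
                return path[::-1]  # the lasso: init ... head ... head
            children = [(s2, s2 if flag == 0 else head, flag)]
            if flag == 0 and s2[1] in accept:  # head of lasso found: also spawn (s', s', 1)
                children.append((s2, s2, 1))
            for child in children:
                if child not in parent:  # in-memory stand-in for delayed duplicate detection
                    parent[child] = ext
                    heappush(frontier, (g + 1 + h(*child), g + 1, child))
    return None  # no acceptance cycle: the liveness property holds

# Constructed toy input: the process may loop idle -> req -> idle and never reach crit; the
# never-claim (accepting state q1) accepts runs that see req and afterwards never see crit.
MODEL, ACCEPT = {"idle": ["req"], "req": ["crit", "idle"], "crit": ["idle"]}, {"q1"}
NEVER = {"q0": {"q0": lambda m: True, "q1": lambda m: m == "req"}, "q1": {"q1": lambda m: m != "crit"}}
```

Calling find_acceptance_cycle(MODEL, NEVER, ACCEPT, ("idle", "q0")) returns the lasso whose head (req, q1) is reached again after two more steps; a model in which crit always follows req yields None.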
External Directed LTL Model Checking
[Figure: buckets 0 to 4 of the external search, annotated "Same states in both parts", "Arrives at the final state", "Arrives again at the same final state", "Already seen final state", "Current state"]
I/O Complexity
External memory algorithms are evaluated on the number of I/Os.
• Expansion: linear I/O, O(Scan(|V| × |F|))
• Delayed duplicate detection:
  • Removing duplicates from the same buffer: O(Sort(|E| × |F|))
  • Subtracting previous levels: O(l × Scan(|V| × |F|)), where l is the length of the found counterexample.
• I/O Complexity = O(Sort(|E| × |F|) + l × Scan(|V| × |F|))
LTL Model Checking in 2-Elevator
[Figure: results chart]
• SPIN is fast!
LTL Model Checking in SGC Protocol (Zhang, 1999)
[Figure: results chart]
• BFS is faster!
• External A* had to flush several unfilled buffers to the disk.
LTL Model Checking in 64-Dining Philosophers
[Figure: results chart]
• Several states are inserted but no refinement is done on them, and hence faster.
Parallel LTL Model Checking in 124-Dining Philosophers
[Figure: results chart on a multiple-processor machine]
Summary
• Schuppan and Biere approach ⇒ liveness as reachability.
• Liveness requires searching for an acceptance cycle: a path to a previously seen state that also visits an accepting state.
• Save a tuple of states.
• Two new heuristics to accelerate the search.