240 likes | 345 Views
Cached Murphi. Enrico Tronci Dipartimento di Informatica Università di Roma “La Sapienza”, Via Salaria 113, 00198 Roma Tronci@dsi.uniroma1.it http://www.dsi.uniroma1.it/~tronci. Meeting Mefisto, March 31-April 2, 2003, Salerno, Italy. Overview.
E N D
Cached Murphi Enrico Tronci Dipartimento di Informatica Università di Roma “La Sapienza”, Via Salaria 113, 00198 Roma Tronci@dsi.uniroma1.ithttp://www.dsi.uniroma1.it/~tronci Meeting Mefisto, March 31-April 2, 2003, Salerno, Italy
Overview Murphi is an Explicit Model Checker for Low Level (i.e. close to the final implementation) Analysis of Protocols and Software-like systems. Murphi only checks for Invariants (safety properties). • We will sketch: • Murphi Input Language • Cached Murphi Performances
History • Murphi has been realized Alan Hu, David Dill, Ulrich Stern, and many others from University of Stanford, USA. • Murphi: http://sprout.stanford.edu/dill/murphi.html • Cached Murphi has been obtained from Murphi by changing Murphi engine so as to use a cache based BFS. Cmurphi 4.2 uses a disk based BFS. • Cached Murphi is a joint effort of the University of L’Aquila and at the University of Rome “La Sapienza”. • Cached Murphi: http://www.dsi.uniroma1.it/~tronci
A Simple System 0 2 0 2 1 3 0 2 0 1 5 1 1 1 1 2 1 2 4 2 0 0 0 2 x(t) + d(t) when x(t) <= 3 x(t + 1) = x(t) – d(t) when x(t) > 3 d(t) = 0, 1, 2. x(0) = 0
Murphi Code x(t + 1) = if x(t) <= 3 then x(t) + d(t) else x(t) – d(t) ; d(t) = 0, 1, 2 ; x(0) = 0; Spec: x(t) < 5 (FAIL). Spec: x(t) <= 5 (PASS). CONST -- constant declarations MAX_STATE_VALUE : 5; TYPE -- type declarations state_type : 0 .. 10; -- integers from 0 to 10 disturbance_type : 0 .. 2; VAR -- (global) variable declarations x : state_type; -- variable of type state_type -- next state function function next(x: state_type; d : disturbance_type): state_type; begin if (x <= 3) then return (x + d); else return (x - d); endif end; startstate "startstate" -- define initial state x := 0; end; -- nondeterministic disturbances -- trigger system transitions ruleset d : disturbance_type do -- define transition rule rule "time step" true ==> begin x := next(x, d); end; end; -- define property to be verified invariant"x less than 5" (x < MAX_STATE_VALUE);
Murphi Error Trace Startstate startstate fired. x:0 ---------- Rule time step, d:1 fired. x:1 ---------- Rule time step, d:2 fired. x:3 ---------- Rule time step, d:2 fired. The last state of the trace (in full) is: x:5 ----------
Model Checking as State Space Exploration For safety properties (no bad state is reachable) the model checking problem becomes the reachability problem on the transition graph of the system to be analyzed. Given a Finite State System S = (S, I, Next), where: S : Finite set of states; I : set of initial states; Next : function mapping a state to the set of its successors; Visit all states that S can reach from I. Murphi definesS = (S, I, Next) using Murphi input language.
Explicit State Space Exploration via BFS Queue Q; Hash_Table T; bfs(init_states, next) { forall s in init_states enqueue(Q, s); /* load Q with initial states */ forall s in init_states insert(T, s); /* mark init states as visited */ while (Q is not empty) /* visit */ { s = dequeue(Q); forall s’ in next(s) if (s’ is not in T) { insert(T, s’); enqueue(Q, s’); } } }
Obstructions • Queue Q may become very large. • Hash Table T may become very large. Counteractions Use compressed representation for states. That is store state signatures in T rather than states. Even if a state takes around one hundred of bytes a state signature takes 5 bytes. Thus, using hashing with open addressing we can store 200,000,000 states using about 1GB of RAM (we are not considering the RAM needed for the queue here). Using secondary memory is thus very appealing. Unfortunately disk memory is much slower than RAM. Thus suitable visit algorithms are needed.
Under the Hood of Cached Murphi • Our disk based verification algorithm exploits transition locality to decrease disk read accesses thus reducing time overhead due to disk usage. • Our disk based algorithm has been implementation within the Murphi verifier and is available in http://www.dsi.uniroma1.it/~tronci/cached.murphi.html • Our experimental results show that even using 1/10 of the RAM needed to complete verification our disk based algorithm is on average only 3 times slower than RAM Murphi with enough RAM to complete the verification task at hand. • Using just 300M of RAM with our disk based Murphi we were able to complete verification of a protocol with about 109 reachable states. This would require more than 5 gigabytes of RAM using RAM Murphi.
K-transition iff level(s’) – level(s) = K Locality Transition k-local iff |level(s’) – level(s)| <= k -4 1 -2 1 0 1 0 -1 -1 1 0 1 1 -1 0 1 2 3 4
Locality Our experimental results show that: For all protocol like systems, for most states, most transitions (typically more than 75%) are 1-local.
Notation Let d(s, k) be the fraction of transitions from state s that are k-transitions. Thus d(s, k) is the probability of getting a k-transition when picking at random a transition from state s. Consider the experiment of selecting at random a state s and then returning d(s, k). In this way we get a random variable that we denote with d(k). The expected value of d(k) is the average value of d(s, k) on all reachable states. s
Exploiting Locality We were able to exploit locality to reduce disk read accesses in the disk based BFS Explicit State Space Exploration algorithm presented in: U. Stern, D. Dill, Using Magnetic disk instead of main memory in the Murphi verifier, CAV 98 Our modified disk based BFS algorithm typically speeds up verification by a factor of 10 (Formal Methods in Computer Aided Design 2002, Portland, Oregon, USA, LNCS)
Local Disk Murphi vs RAM Murphi M = <RAM used in LD Murphi>/<Min Mem needed for RAM Murphi>, Dummy = <Dummy LD Murphi>/<Dummy RAM Murphi>, Dummy = States, Rules, Time
Local Disk Murphi vs RAM Murphi (continued) Time Statistics M = <RAM used in LD Murphi>/<Min Mem needed for RAM Murphi>
Disk Murphi vs RAM Murphi Mem = <RAM used in LD Murphi>/<Min Mem needed for RAM Murphi>, Dummy = <Dummy LD Murphi>/<Dummy RAM Murphi>, Dummy = States, Rules, Time
Comparing LDMurphi with DMurphi Time Statistics Mem = <RAM used in disk Murphi (LD or D)>/<Min Mem needed for RAM Murphi> Time = <Time DMurphi>/<Time LDMurphi>
Hybrid Systems with CMurphi We added to Cmurphi finite precision real numbers. This allows us to easily handle discrete time Hybrid Systems. E.g. using Cmurphi we were able to automatically verify a Turbogas Control System, a system out of reach for Hytech as well as SMV (Hybrid Systems Computation and Control (HSCC) 2003, Praga, Czech Republic, LNCS).
Conclusions • Cached Murphi can be effectively used to analyze protocols, software like systems and hybrid systems. • Cached Murphi exploits statistical properties of transition graphs to save memory and to speed up disk based verification. • Looking for new statistical properties of transition graphs is a natural next step for our research.