large scale external directed liveness checking

Large Scale External Directed Liveness Checking

Stefan Edelkamp Shahid Jabbar

Computer Science Department

University of Dortmund, Dortmund, Germany

Shahid Jabbar (Dortmund) External Directed Model Checking Liveness

2

Model Checking Given

A model of a system. A specification property

Model Checking Problem: Does the system satisfy the property ?

An exhausting exploration of the state space.

Problem: How to cope with large state spaces that do not fit into the main memory?

In Practice: successes in finding bugs.


3

Directed Model Checking (Edelkamp, Leue, Lluch-Lafuente, 2004)

A guided search in the state space. Usually by some heuristic estimate. Only promising states are explored. Under certain conditions proved to be optimal. Short error trails

Better for human comprehension

Problem: The inevitable demands of the model .. Space, space and space.


4

A* Algorithm A heuristic estimate is used to guide the search.

E.g. Straight line distance from the current node to the goal in case of a graph with a geometric layout.

Problems: A* needs to store all the states during exploration. A* generates large amount of duplicates that can be

removed using an internal hash table – only if it can fit in the main memory.

A* do not exhibit any locality of expansion. For large state spaces, standard virtual memory management can result in excessive page faults.


5

Problem with the Virtual Memory

0x000…000

0xFFF…FFF

Virtual Address Space

Memory Page


6

External Memory Model (Aggarwal and Vitter)

Input of size N and N >> M

M

B

Disk

If the input size is very large, running time depends on the I/Os rather than on the number of instructions.

Scan(N) = O(N / B)

Sort(N) = O(N/B log M/B N/B)


7

External BFS (Munagala & Ranade)

A

t t+1

t+2

BCD

XYZAX

AXYZ

XYZ

Duplicates’ Removal

I: Remove Duplicates by sorting the nodes according to the indices and doing an scan and compaction phase.

II: Subtract layers t and t+1 from t+2.


8

Set A* (Jensen, Veloso, Bryant 2000)

Consistentheuristic estimates.

=> ∆h ={-1,0,1,…}

g

0

1

2

3

4

5

0 1 2 3 4 5 6

h

A Bucket !

!


9

External A* [Edelkamp, Jabbar, and Schroedl,

2004]

Buckets represent temporal locality – cache efficient order of expansion.

If we store the states in the same bucket together we can exploit the spatial locality.

Munagala and Ranade’s BFS and Korf’s delayed duplicate detection for implicit graphs.

External A*


10

External Search For Model Checking [Jabbar and Edelkamp VMCAI – 05]+ Uses Harddisk to store the state space divided in

the form of Buckets.+ Implemented on top of SPIN model checker.+ Promising: Largest exploration so far took ~20 GB

– much larger than even the address limits of most computers.

+ Pause and Resume support – Can add more harddisks.

Problems:- Slow duplicate detection phase- Internal Processing Time >> External I/O time


11

External Parallel DMC [Jabbar and Edelkamp VMCAI – 06]

+ Internal work distributed over multiple processors; might even be separate machines connected over a network.

+ Inter-process communications through simple files.

+ Workload transferred in bulks rather than individual states.

+ Promising: Almost a linear speed-up on multiple-processors machines.


12

Liveness Property

Accepting State

Head of Lasso

Search for a cycle that visits an accepting state infinitely often.

Perform Nested Depth-first search that look for a state that is already residing on the stack (Holzmann ).

Initial State

DFS does not show any locality => Not Suitable for External Search!


13

Liveness as Safety (Schuppan and Biere, 2005)

Accepting State

Head of Lasso

Initial State

Head of Lasso

Explicitly unroll the lasso. Search for the head again.


14

Liveness as Safety: Extended State Description Piggyback the head of lasso on the state and search for it!

State State 0 0 Start

State Head 1 0 Head of lasso found

State Head 1 1 Accepting state found

Head Head 1 1 Head found again!


15

They said: Every state! O(|V|2)

We say: Only the accepting states! O(|V| x |F|)

What makes a state, Head of Lasso ?


16

Algorithm: Heuristic Search for Livenss as Safety Stage 1: For a state (s,s,0), perform a

directed search for an accepting state s’ in the never-claim.When found Spawn two children:

(s, s, 1): Head of lasso found! (s, s, 0): Head of lasso not found!

Stage 2: For a state (s, s’, 1), perform a directed search for s’.

s’ might not form a cycle! –

So keep searching!


17

Heuristics for the first stage – Head of the lasso We want to reach an accpeting state in the never-claim faster!

Model

Never-claim

HN = min{(c,a1), (c,a2), (c,a3) }

c a1

a2

a3

is the shortest path distance between two states and can be pre-computed.


18

Heuristics for the second stage – Close the lasso We want to reach a particular state (in red) in both the model and the

never-claim from my current state (in blue).

Model

Never-claim

H = max{HN, HM }

c a1

a2

a3

n

iiiM ssH

1

' ),(


19

External Directed LTL Model Checking

Arrives at the final state

0 1 2 3 4

Arrives again at the same final state

Same states in both parts

Current state

Already seen final state


20

I/O Complexity

External memory algorithms are evaluated on the number of I/Os.

Expansion: Linear I/O O(Scan(|V| x |F|)) Delayed Duplicate Detection:

Removing duplicates from the same buffer:

O(sort(|E| x |F|)) Subtracting previous levels: O(l x Scan(|V| x |F|));

where l is the length of the found counterexample.

I/O Complexity = O(sort(|E|x|F|) + l x Scan(|V|x|F|))


21

LTL Model Checking in 2-Elevator

Expanded Inserted Time Length

I/O-HSF-SPIN

External A*

2,090,933 2,275,778 1m18s 67+34

External BFS

2,642,575 2,827,073 2m3.96s 67+34

Transitions Stored Time Length

SPIN 4.2 Nested DFS

33,900 11,149 0m0.064s 109+100

SPIN is Fast!


22

LTL Model Checking in SGC Protocol (Zhang, 1999)


I/O-HSF-SPIN

External A*

178 369 0m1.318s 15+5

External BFS

1,343 1,427 0m0.787s 15+5

Transitions Stored Time Length

SPIN 4.2 Nested DFS

155,963 8,500 1m47s 18+5

BFS is faster! External A* had to flush several unfilled buffers to the

disk


23

LTL Model Checking in 64-Dining Philosphers


I/O-HSF-SPIN

External A*

2,298 127,813 0m6.108s 196+2

External BFS

2,298 47,118 0m13.549s

196+2

SPIN 4.2 Nested DFS

-out-of-mem

Several states are inserted but no refinment is done on them

and hence faster


24

Time Secondary Memory

Length

1 Processor

- - -

2 Processors

5m53.96s 4.7 gigabytes 388+2

3 Processors

4m7.13s 5.28 gigabytes 388+2

Multiple Processors Machine

Parallel LTL Model Checking in 124-Dining Philosphers


25

Summary Schuppan and Biere approach => liveness

as reachability. Liveness requires searching for an

acceptance cycle A path to a previously seen state that also

visits an accepting state. Save a tuple of states. Two new heuristics to accelerate the

search.

large scale external directed liveness checking

Documents

model checking jabbar

spin model checker

large state spaces

edelkamp vmcai

main memory

layers t

locality of expansion

promising states