Post on 24-Dec-2015


Model Checking and Related Techniques

Liu Yang

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Model Checking: Introduction

• Model checking exhaustively explores all reachable states of a finite state machine to decide whether a desired property is guaranteed or not
  – Advantages over traditional system validation approaches based on simulation, testing and deductive reasoning
  – An automatic technique for verifying finite-state concurrent systems
  – Process: modeling, specification and verification
  – Main challenge: the state space explosion problem

Model Checking

[Figure: the model checking workflow. The system design or code is abstracted (manually) into a finite state model M; the requirements are formalized (manually) into a set of logical properties; the model checker then decides M |= φ automatically for each property φ, answering Yes (√) or No.]

Model of Concurrent Systems (Unwind State Graph to obtain Infinite Tree)

Model of Concurrent Systems (Cont)

• Formally, a Kripke structure is a triple M = <S, R, L> (states S, transition relation R, labeling L)

Temporal logics

• Temporal logics may differ according to how they handle branching in the underlying computation tree
• In a linear temporal logic (LTL), operators are provided for describing events along a single computation path
• In a computation tree logic (CTL), the temporal operators quantify over the paths that are possible from a given state

Temporal logics (2)

• Formulas are constructed from path quantifiers and temporal operators
  – Path quantifiers
    • A: for every path
    • E: there exists a path
  – Linear temporal operators
    • Xp: p holds next time
    • Fp: p holds sometime in the future (◇)
    • Gp: p holds globally in the future (□)
    • pUq: p holds until q holds
• In LTL only linear temporal operators are allowed
• In CTL each temporal operator must be immediately preceded by a path quantifier
• In CTL* a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators

CTL Examples

• The four most widely used CTL operators are illustrated
• Each computation tree has initial state s0 as its root

Fixpoint Algorithms

• Key properties of EF p

Model Checking Problem

• Let M be the state-transition graph obtained from the concurrent system
• Let f be the specification expressed in temporal logic
• Compute the set of states s such that M, s |= f
• and check if the initial states are among these

Symbolic Model Checking

• Method used by most "industrial strength" model checkers
  – uses Boolean encoding for the state machine and sets of states
  – can handle much larger designs: hundreds of state variables
  – BDDs traditionally used to represent Boolean functions

Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987
• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre
• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered binary decision tree for the two-bit comparator given by the formula (a1 ↔ b1) ∧ (a2 ↔ b2)

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below
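The effect of the variable ordering can be checked rather than taken on trust. The following is an added example, not code from the slides: it builds the reduced OBDD of a Boolean function under a given ordering with a unique table (isomorphic sub-diagrams are shared, and a node whose two children coincide is never created) and counts the non-terminal nodes. The comparator is assumed to be (a1 ↔ b1) ∧ (a2 ↔ b2), as the slides use it; all names are local to this example.

```python
from itertools import product

# Added example (not from the slides): reduced OBDD construction by
# enumeration, small enough for the four-variable comparator.
# Terminals are the ids 0 and 1; every other node is (var, low, high) and is
# stored once in a unique table, so the diagram is reduced by construction.


def comparator(env):
    """Two-bit comparator: (a1 <-> b1) and (a2 <-> b2)."""
    return (env["a1"] == env["b1"]) and (env["a2"] == env["b2"])


def build_obdd(f, order):
    """Return (root, unique_table) of the reduced OBDD of f under `order`."""
    unique = {}                          # (var, low, high) -> node id

    def node(var, low, high):
        if low == high:                  # redundant test: skip the node
            return low
        key = (var, low, high)
        if key not in unique:
            unique[key] = len(unique) + 2   # ids 0 and 1 are the terminals
        return unique[key]

    def rec(i, env):
        if i == len(order):
            return 1 if f(env) else 0
        var = order[i]
        low = rec(i + 1, {**env, var: False})
        high = rec(i + 1, {**env, var: True})
        return node(var, low, high)

    return rec(0, {}), unique


def obdd_size(f, order):
    """Number of non-terminal nodes of the reduced OBDD of f under `order`."""
    _, unique = build_obdd(f, order)
    return len(unique)


def evaluate(root, unique, env):
    """Evaluate an OBDD on an assignment by following one path to a terminal."""
    by_id = {node_id: key for key, node_id in unique.items()}
    while root > 1:
        var, low, high = by_id[root]
        root = high if env[var] else low
    return bool(root)


def faithful(f, order):
    """True if the OBDD agrees with f on every assignment."""
    root, unique = build_obdd(f, order)
    names = list(order)
    return all(
        evaluate(root, unique, dict(zip(names, bits))) == f(dict(zip(names, bits)))
        for bits in product((False, True), repeat=len(names))
    )


if __name__ == "__main__":
    for order in (("a1", "b1", "a2", "b2"), ("a1", "a2", "b1", "b2")):
        print(" < ".join(order), "->", obdd_size(comparator, order), "non-terminal nodes")
```

Under a1 < b1 < a2 < b2 the comparator needs 6 non-terminal nodes; under a1 < a2 < b1 < b2 it needs 9, because the diagram must remember both a-bits before it sees either b-bit. For an n-bit comparator the gap grows from linear to exponential in n, which is the variable ordering problem the slide refers to.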

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T will be given as a Boolean formula in terms of the state variables
  – where v1, …, vn represent the current state and v'1, …, v'n represent the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for the transition relation
• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence
• until convergence
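The fixpoint iteration behind EF p, and the "compute the satisfying states, then check the initial states" formulation of the model checking problem above, can be seen end to end on a small machine. The following is an added example, not code from the slides: it keeps sets of states as explicit Python sets instead of OBDDs (the iteration is the same, only the representation differs), over a constructed 3-bit counter whose transition relation T(v, v') is a predicate on the current and next Boolean state vectors, as in the slides' setup.

```python
from itertools import product

# Added example (not from the slides): the EF fixpoint Z0 = p, Z(i+1) = Zi or
# pre(Zi), iterated until convergence, over explicit sets of Boolean vectors.

N_VARS = 3   # constructed example: three Boolean state variables v1, v2, v3


def all_states(n=N_VARS):
    return list(product((False, True), repeat=n))


def to_int(v):
    """Read the Boolean vector as an integer, v1 being the least significant bit."""
    return sum(int(b) << i for i, b in enumerate(v))


def from_int(x, n=N_VARS):
    return tuple(bool((x >> i) & 1) for i in range(n))


def transition(v, v_next):
    """T(v, v'): a constructed 3-bit counter that steps 0 -> 1 -> 2 -> 3 -> 4
    and then stays at 4 forever; the values 5, 6 and 7 are unreachable from 0."""
    x, x_next = to_int(v), to_int(v_next)
    return x_next == (x + 1 if x < 4 else x)


def pre_image(z, T=transition):
    """States with a successor in z: {v | exists v'. T(v, v') and v' in z}."""
    return frozenset(v for v in all_states() if any(T(v, w) for w in z))


def ef(p, T=transition):
    """Least fixpoint for EF p. Returns the final set and the number of
    iterations needed before two consecutive approximations coincide."""
    z = frozenset(v for v in all_states() if p(v))
    iterations = 0
    while True:
        iterations += 1
        z_next = z | pre_image(z, T)
        if z_next == z:
            return z, iterations
        z = z_next


def holds_in_initial_states(initial_states, p, T=transition):
    """Model checking problem from the slides: compute the states satisfying
    EF p, then check that every initial state is among them."""
    satisfying, _ = ef(p, T)
    return all(s in satisfying for s in initial_states)


def reaches(value):
    """Predicate 'the counter equals value', used as the p in EF p."""
    return lambda v: to_int(v) == value


if __name__ == "__main__":
    sat, its = ef(reaches(4))
    print(sorted(to_int(v) for v in sat), "after", its, "iterations")
    # EF (x == 7) fails from the initial state 0: the bad value is unreachable,
    # so the safety property AG not (x == 7) holds there.
    print(holds_in_initial_states([from_int(0)], reaches(7)))
```

Each iteration adds the states one step further from p, so the sequence stabilizes after at most as many rounds as the longest shortest path into p, here five rounds. Replacing the frozensets by OBDDs and `pre_image` by relational product over the OBDD of T gives the symbolic algorithm the slides describe.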

Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with very large numbers of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly; this is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering; default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
    • Counterexample
  – M is the set of traces of M
  – φ is the set of traces that satisfy φ
• M ⊆ φ
• Equivalently, M ∩ ¬φ = ∅

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple <S, I, δ, F>
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: a Büchi automaton over the states S0, S1, S2, with S2 accepting]

    Trace 1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
    Trace 2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
    Trace 3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detect"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
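The two procedures above become a working checker with very little extra code. The following is an added example, not code from the slides: it runs the nested search over a constructed product automaton given as an adjacency dict and returns the counterexample as a (prefix, cycle) pair, or None when no accepting cycle exists. One detail differs from the pseudocode: the inner search is started from each accepting state after its successors have been fully explored (the same post-order as DFS2 being called after DFS(s') returns), which also covers an accepting initial state. The second function decides Büchi acceptance of a lasso-shaped trace such as the S0 S1 S2 … examples above, assuming S2 is the accepting state.

```python
# Added example (not from the slides): nested depth-first search for an
# accepting cycle in a Büchi product, plus acceptance of lasso traces.

# Constructed product graph: the cycle 1 -> 2 -> 3 -> 1 passes through the
# accepting state 3, so the product accepts a trace and the property fails.
PRODUCT_WITH_VIOLATION = {0: [1], 1: [2], 2: [3, 4], 3: [1], 4: [4]}
# Constructed product graph: state 1 is accepting but lies on no cycle.
PRODUCT_SAFE = {0: [1], 1: [2], 2: [2]}


def find_counterexample(graph, initial, accepting):
    """Return (prefix, cycle) for an accepting cycle reachable from `initial`,
    or None. `prefix` is the outer-DFS path ending at the accepting seed and
    `cycle` the inner-DFS path that returns to that seed."""
    visited, visited2 = set(), set()
    path = []                                   # outer-DFS stack

    def dfs2(s, seed, trail):
        # Inner search: a path from the accepting seed back to itself.
        visited2.add(s)
        for t in graph.get(s, ()):
            if t == seed:
                return trail + [t]              # "Cycle Detect"
            if t not in visited2:
                found = dfs2(t, seed, trail + [t])
                if found:
                    return found
        return None

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in graph.get(s, ()):
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
        # Post-order: the inner search starts only after every successor of
        # the accepting state has been explored by the outer search.
        if s in accepting:
            cycle = dfs2(s, s, [])
            if cycle:
                return list(path), cycle
        path.pop()
        return None

    return dfs(initial)


def lasso_accepted(prefix, loop, accepting):
    """Büchi acceptance of the infinite word prefix · loop^ω: only the loop
    states occur infinitely often, so one of them must be accepting."""
    return any(s in accepting for s in loop)


if __name__ == "__main__":
    print(find_counterexample(PRODUCT_WITH_VIOLATION, 0, {3}))
    print(find_counterexample(PRODUCT_SAFE, 0, {1}))
    print(lasso_accepted(("S0", "S1", "S2"), ("S1",), {"S2"}))   # trace 3: rejected
```

The shared `visited2` set is what keeps the algorithm linear: a state explored by one inner search is never re-explored by a later one, and the post-order start of the inner searches is what makes that reuse sound.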

Explicit Model Checking (2)

• Constructing the entire state space of the modeled system can be avoided: checking can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed to enter */
        ncrit++;
    ss:
        assert(ncrit == 1);                    /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed to enter */
        ncrit++;
        assert(ncrit == 1);                    /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction (2)

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont) (2)

• The name partial order reduction comes from early versions of the algorithms, which were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors
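The n!, 2^n and n + 1 figures above can be reproduced by a tiny explorer. The following is an added example, not code from the slides: n constructed transitions each set their own flag, so any two of them commute, and the property "every transition eventually fires" does not observe their order. The full exploration interleaves them in every way; the reduced one expands a single representative (an ample set of size one) per state, after checking that the enabled transitions really do commute, which is the independence condition the reduction relies on. All names are local to this example.

```python
import math

# Added example (not from the slides): full versus partial-order-reduced
# exploration of n independent transitions. A state is a tuple of n flags.


def fire(state, i):
    """Transition i marks slot i as done; it reads and writes only slot i."""
    return state[:i] + (True,) + state[i + 1:]


def enabled(state):
    return [i for i, done in enumerate(state) if not done]


def independent(state, i, j):
    """Two transitions are independent in `state` when they commute there."""
    return fire(fire(state, i), j) == fire(fire(state, j), i)


def explore(n, reduced):
    """Reachable states from the all-False state. With reduced=True only the
    first enabled transition is expanded in each state, after confirming that
    it commutes with every other enabled transition."""
    initial = (False,) * n
    seen, work = {initial}, [initial]
    while work:
        s = work.pop()
        candidates = enabled(s)
        if reduced and candidates:
            if not all(independent(s, i, j) for i in candidates for j in candidates):
                raise ValueError("enabled transitions do not commute; reduction unsound")
            candidates = candidates[:1]      # the ample set: one representative
        for i in candidates:
            t = fire(s, i)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def full_state_count(n):
    return len(explore(n, reduced=False))    # 2^n states, one per subset


def reduced_state_count(n):
    return len(explore(n, reduced=True))     # n + 1 states along one ordering


def interleavings(n):
    return math.factorial(n)                 # n! orderings of the transitions


def all_done_reachable(n, reduced):
    """'Every transition eventually fires' is order-insensitive, so the full
    and the reduced graph must agree on it."""
    return (True,) * n in explore(n, reduced)


if __name__ == "__main__":
    for n in (3, 4, 10):
        print(n, interleavings(n), full_state_count(n), reduced_state_count(n))
```

The check inside `explore` is deliberately explicit: a real ample-set implementation must also make sure the chosen transitions are invisible to the property and that the reduction does not close a cycle prematurely, and the reduction is only sound when those conditions hold.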

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel; the specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction (2)

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    F (~v1)        v1 will eventually become False

Cone of influence reduction (reduced model):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: x : int is abstracted to {Even, Odd} (… −3, −1, 1, 3 … ↦ Odd; … −2, 0, 2, 4 … ↦ Even); y : int is abstracted to {Neg, Zero, Pos} (… −3, −2, −1 ↦ Neg; 0 ↦ Zero; 1, 2, 3 … ↦ Pos)]
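Both abstraction approaches above, cone of influence reduction and data abstraction, fit in one short script. The following is an added example, not code from the slides. Part 1 computes the cone of influence of v1 for the equation system of the cone-of-influence slide (v6 has no equation and is treated as a free input) and extracts the reduced model from it. Part 2 applies the sign and parity abstraction functions of the data abstraction slide to a constructed integer counter, builds the existential abstraction of its transitions, and exhibits the loss of precision the Abstraction slide warns about: the abstract model admits a run that no concrete run has, a spurious counterexample. All other names are local to this example.

```python
# Added example (not from the slides): cone of influence reduction, then
# existential data abstraction with its loss of precision.

# --- Part 1: cone of influence ---------------------------------------------
# Variable -> variables read by its next-state equation (the slide's model).
DEPENDENCIES = {
    "v1": {"v2"},
    "v2": {"v1", "v3"},
    "v3": {"v1", "v2"},
    "v4": {"v5", "v3"},
    "v5": {"v4", "v6"},
    "v6": set(),          # no equation: free input
}


def cone_of_influence(deps, variables):
    """Transitive closure of 'is read by the equation of', starting from the
    variables the property mentions."""
    cone, work = set(), list(variables)
    while work:
        v = work.pop()
        if v not in cone:
            cone.add(v)
            work.extend(deps.get(v, ()))
    return cone


def reduced_model(deps, property_vars):
    """Keep only the equations of variables inside the cone; no other variable
    can influence the property, so they are dropped."""
    cone = cone_of_influence(deps, property_vars)
    return {v: deps[v] for v in cone if deps[v]}


# --- Part 2: data abstraction ----------------------------------------------
def h_sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


def h_parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def h_pair(x, y):
    """Component-wise abstraction of a state (x, y), as on the slide."""
    return (h_parity(x), h_sign(y))


CONCRETE_STATES = range(-3, 4)


def concrete_next(x):
    """Constructed concrete system: count up by one and stay at 3."""
    return min(x + 1, 3)


def abstract_transitions(states, step, h):
    """Existential abstraction: an abstract edge a -> b exists iff some concrete
    x with h(x) = a steps to some x' with h(x') = b."""
    return {(h(x), h(step(x))) for x in states}


def concrete_eventually(x, target, step=concrete_next, bound=len(CONCRETE_STATES)):
    for _ in range(bound):
        if h_sign(x) == target:
            return True
        x = step(x)
    return h_sign(x) == target


def abstract_admits_run_avoiding(rel, start, avoid):
    """Is there an infinite abstract run from `start` that never visits `avoid`?
    In a finite graph that is a cycle reachable without passing through `avoid`."""
    succ = {}
    for a, b in rel:
        succ.setdefault(a, set()).add(b)
    on_path, finished = set(), set()

    def dfs(a):
        if a == avoid or a in finished:
            return False
        if a in on_path:
            return True
        on_path.add(a)
        found = any(dfs(b) for b in sorted(succ.get(a, ())))
        on_path.discard(a)
        finished.add(a)
        return found

    return dfs(start)


if __name__ == "__main__":
    print(sorted(cone_of_influence(DEPENDENCIES, {"v1"})))
    rel = abstract_transitions(CONCRETE_STATES, concrete_next, h_sign)
    print(sorted(rel))
    # Every concrete run from a negative value reaches 0, but the abstract
    # self-loop Neg -> Neg admits a run that never does: F Zero gets a
    # spurious counterexample, the loss of precision on the Abstraction slide.
    print(all(concrete_eventually(x, "Zero") for x in range(-3, 1)),
          abstract_admits_run_avoiding(rel, "Neg", "Zero"))
```

The cone of v1 is {v1, v2, v3}: v4, v5 and v6 never feed back into v1 and are dropped. The abstract relation contains Neg → Neg because −3 → −2 and −2 → −1 both stay negative; the abstraction cannot tell that the counter is making progress, which is exactly what makes the abstract run Neg Neg Neg … spurious.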

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    #define N 0    /* non-critical */
    #define T 1    /* trying       */
    #define C 2    /* critical     */

    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        /* _pid is 0 or 1 while the token is 1 or 2: process _pid owns token _pid + 1 */
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph vs. reduced state graph of the two-process token model. Each state lists the local state (N, T or C) of process 1 and process 2 and the token holder.]

State graph (12 states):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
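The 12-state graph and its 6-state quotient can be regenerated from the token model. The following is an added example, not code from the slides: it encodes the two-process model above as a Python state space (a state is the local state of each process plus the token holder, and process i may enter C only while it holds token i), explores it once in full and once modulo the symmetry that exchanges the two processes and renumbers the token, and checks mutual exclusion over the explored states. All names are local to this example.

```python
# Added example (not from the slides): full versus symmetry-reduced
# exploration of the two-process token model, with a mutual exclusion check.

N, T, C = "N", "T", "C"
INITIAL = (N, N, 1)            # (process 1 state, process 2 state, token holder)


def _update(s, i, new_local, tok):
    local = list(s[:2])
    local[i] = new_local
    return (local[0], local[1], tok)


def successors(s):
    """Interleaving semantics: one process moves per step."""
    out = set()
    for i in (0, 1):                       # process i + 1 owns token i + 1
        if s[i] == N:
            out.add(_update(s, i, T, s[2]))
        elif s[i] == T and s[2] == i + 1:
            out.add(_update(s, i, C, s[2]))
        elif s[i] == C:
            for tok in (1, 2):             # nondeterministic choice of the next holder
                out.add(_update(s, i, N, tok))
    return out


def swap(s):
    """The symmetry: exchange the two processes and renumber the token."""
    return (s[1], s[0], 3 - s[2])


def canonical(s):
    """Representative of the class {s, swap(s)}: the member with tok == 1."""
    return s if s[2] == 1 else swap(s)


def explore(use_symmetry):
    """Reachable states; with use_symmetry every state is replaced by its
    canonical representative before it is stored or expanded."""
    start = canonical(INITIAL) if use_symmetry else INITIAL
    seen, work = {start}, [start]
    while work:
        s = work.pop()
        for t in successors(s):
            if use_symmetry:
                t = canonical(t)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def mutual_exclusion_holds(states):
    """Safety check over the explored states: never both processes in C."""
    return not any(s[0] == C and s[1] == C for s in states)


if __name__ == "__main__":
    full, reduced = explore(False), explore(True)
    print(len(full), "states in the full graph,", len(reduced), "in the reduced graph")
    print(mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
```

Canonicalizing on the fly is what the slide calls searching only one state per equivalence class: the reduced run never stores a tok=2 state, yet mutual exclusion is checked on a representative of every class, so the verdict carries over to the full graph.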

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                            NuSMV-ImProviso                     SPIN
                            states     time       memory        states    time      memory
    Migratory Protocol (2)  155040     108.63s    56.3 MB       435456    2.34s     42.8 MB
    Stable Marriage (2)     710        0.84s      7.3 MB        568       <0.01s    1.5 MB
    Stable Marriage (3)     1275       2.72s      10.4 MB       945       <0.01s    1.5 MB
    Stable Marriage (5)     10351      31.56s     30.0 MB       8421      0.03s     2.1 MB
    Best (7)                15         0.06s      0.7 MB        2187      0.03s     1.5 MB
    Best (20)               41         0.34s      5.7 MB        NA¹
    Worst (3)               15         0.04s      0.3 MB        15        <0.01s    1.5 MB
    Worst (20)              2097150    0.36s      5.0 MB        2097150   15.03s    110.6 MB
    Worst (100)             2.54E+30   14.34s     14.6 MB       NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction):

         NuSMV                            SPIN
         states    time      memory       states    time      memory
    2    70        0.11s     1.1 MB       70        <0.01s    1.5 MB
    3    488       0.57s     4.6 MB       488       <0.01s    1.5 MB
    4    3576      6.77s     10.6 MB      3576      0.10s     2.3 MB
    8    NA¹                              NA¹

PO (with partial order reduction):

         NuSMV-ImProviso                  SPIN
         states    time      memory       states    time      memory
    2    48        0.10s     1.0 MB       48        0.02s     1.5 MB
    3    209       0.31s     3.0 MB       209       <0.01s    1.5 MB
    4    922       1.77s     10.4 MB      922       <0.01s    1.7 MB
    8    306903    3553.86s  381.8 MB     306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms (2)

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry


Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Model Checking Introduction

bull Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or notndash Advantages over traditional system validation approaches

based on simulation testing and deductive reasoningndash An automatic technique for verifying finite state

concurrent systemsndash Process modeling specification and verificationndash Main challenge state space explosion problem

Model Checking

System designor code Requirements

Finite state modelM

Set of logical properties

Model checkerM |= φ

for each property φ

No Yesradic

manual

automatic

abstract

Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

Model of Concurrent Systems (Cont)

bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

Temporal logics

bull Temporal logics may differ according to how they handle branching in the underlying computation tree

bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

combinations of the usual linear-time operators

CTL Examples

bull The four most widely used CTL operators are illustrated

bull Each computation tree has initial state s0 as its root

Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions that result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
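The n!-orderings / 2^n-states count and the commutativity argument from the slides above can be checked concretely. The Python program below is an added example, not code from the slides: it builds a constructed system of n independent transitions (transition i sets its own variable x_i from 0 to 1), explores the full interleaved state graph, and then explores a reduced graph in which a single transition is followed from a state whenever it commutes with every other enabled transition there. That commutativity test is the only condition this toy reduction applies; a real partial order reduction (ample, persistent or stubborn sets) also has to respect transitions that are visible to the property and cycles in the graph, which is why the slide restricts the argument to specifications that do not distinguish between the orderings.

```python
from functools import lru_cache

# Constructed example: n independent transitions; transition i sets variable
# x_i from 0 to 1 once.  A state is the tuple (x_0, ..., x_{n-1}).


def enabled(state):
    """Transitions that can still fire in `state` (their variable is 0)."""
    return [i for i, v in enumerate(state) if v == 0]


def fire(state, i):
    """Successor state after firing transition i."""
    s = list(state)
    s[i] = 1
    return tuple(s)


def independent(state, i, j):
    """Transitions i and j commute in `state`: neither disables the other and
    firing them in either order reaches the same state."""
    if i == j:
        return True
    return (j in enabled(fire(state, i)) and i in enabled(fire(state, j))
            and fire(fire(state, i), j) == fire(fire(state, j), i))


def ample(state, reduce):
    """Transitions to follow from `state`.  With reduce=True a single
    transition is kept whenever it commutes with every other enabled
    transition (a toy ample set); otherwise all enabled transitions are kept."""
    en = enabled(state)
    if reduce and en and all(independent(state, en[0], u) for u in en):
        return [en[0]]
    return en


def explore(n, reduce=False):
    """Number of states reached from (0, ..., 0): 2**n in full, n+1 reduced."""
    init = (0,) * n
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for i in ample(s, reduce):
            nxt = fire(s, i)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen)


def orderings(n, reduce=False):
    """Number of distinct complete orderings explored: n! in full, 1 reduced."""
    @lru_cache(maxsize=None)
    def paths(state):
        succ = ample(state, reduce)
        return 1 if not succ else sum(paths(fire(state, i)) for i in succ)
    return paths((0,) * n)


if __name__ == "__main__":
    for n in (3, 5, 10):
        print(f"n={n}: full {explore(n)} states / {orderings(n)} orderings, "
              f"reduced {explore(n, True)} states / {orderings(n, True)} ordering(s)")
```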

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – e.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A simple LTL property: F(~v1) (v1 will eventually become False)

After cone of influence reduction:

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
    End
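The cone of influence for the example above can be computed mechanically from the dependency structure of the assignments. The following Python program is an added example, not code from the slides: it encodes the system model as a dictionary of next-state assignments, computes the smallest set C that contains the formula's variables and is closed under "a variable in C reads variable w, so w is in C", and drops every assignment outside C. Since the closure keeps the assignment of every variable in the cone, it retains v3 = v1 & v2 along with v1 and v2; v6, which is only read and never assigned, is treated as a free input. The formula parser is a plain regular expression over variable names, an assumption that suffices for the slide's notation.

```python
import re

# The system model from the slide, as next-state assignments.  Every variable
# is Boolean and all assignments are applied in parallel on each step; a
# variable with no assignment (v6) is a free input.
MODEL = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}

VAR = re.compile(r"\bv\d+\b")   # assumed naming convention: v followed by digits


def depends_on(expr):
    """Variables read by an expression (a next-state expression or a formula)."""
    return set(VAR.findall(expr))


def all_variables(model):
    """Every variable of the model, including free inputs that are only read."""
    names = set(model)
    for expr in model.values():
        names |= depends_on(expr)
    return names


def cone_of_influence(model, V):
    """Smallest set C containing V such that whenever a variable in C has a
    next-state assignment, every variable that assignment reads is in C."""
    cone = set(V)
    work = list(V)
    while work:
        v = work.pop()
        for dep in depends_on(model.get(v, "")):
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(model, V):
    """Model restricted to the cone of influence of V: assignments to
    variables outside the cone are dropped."""
    cone = cone_of_influence(model, V)
    return {v: e for v, e in model.items() if v in cone}


if __name__ == "__main__":
    V = depends_on("F (~ v1)")          # the formula refers only to v1
    cone = cone_of_influence(MODEL, V)
    print("cone of influence of", sorted(V), "=", sorted(cone))
    print("reduced model:", reduce_model(MODEL, V))
    print(f"state space: 2**{len(all_variables(MODEL))} full "
          f"vs 2**{len(cone)} reduced")
```

Running the same computation for a property over v4 instead of v1 pulls in all six variables, because v4 reads v5 and v3, v5 reads v6, and v3 reads v1 and v2; the reduction therefore helps only when the property sits in a loosely coupled part of the design.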

Data Abstraction

[Figure: the abstraction function h: S → S' maps each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: two component abstractions]
  x: int → {Even, Odd}
      … -3, -1, 1, 3 … ↦ Odd
      … -2, 0, 2, 4 … ↦ Even
  y: int → {Pos, Neg, Zero}
      1, 2, 3 … ↦ Pos
      … -3, -2, -1 ↦ Neg
      0 ↦ Zero
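The two component abstractions above, and the loss of precision the Abstraction slide warns about, can be made concrete. The Python program below is an added example, not code from the slides: it implements h component-wise (parity for x, sign for y) and then computes the abstract effect of an operation existentially, i.e. an abstract result is allowed whenever some pair of concrete values from the given classes produces it. The finite window of concrete values used for that computation is an assumption; it is wide enough for parity and sign under +, - and *, but an existential abstraction over an unbounded domain would in general need a symbolic argument rather than enumeration.

```python
from itertools import product

# Component abstractions from the slide.
def h_parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def h_sign(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")


H = {"x": h_parity, "y": h_sign}


def h(state):
    """Component-wise abstraction h: S -> S' of a concrete state {"x": .., "y": ..}."""
    return {var: H[var](val) for var, val in state.items()}


# Assumed window of concrete values used for existential abstraction; large
# enough that every abstract outcome of +, - and * on parity/sign classes
# appears at least once.
WINDOW = range(-6, 7)


def abstract_op(op, h_fn, class_a, class_b):
    """Set of abstract results of `op` applied to abstract operands
    (class_a, class_b).  More than one result means the abstraction has lost
    precision: the abstract model gains behaviours the concrete one lacks."""
    results = set()
    for a, b in product(WINDOW, repeat=2):
        if h_fn(a) == class_a and h_fn(b) == class_b:
            results.add(h_fn(op(a, b)))
    return results


def precise(op, h_fn, class_a, class_b):
    """True when the abstract operation is deterministic for these operands."""
    return len(abstract_op(op, h_fn, class_a, class_b)) == 1


if __name__ == "__main__":
    add = lambda a, b: a + b
    mul = lambda a, b: a * b
    print("h({x: 3, y: -2}) =", h({"x": 3, "y": -2}))
    print("Even + Odd  ->", abstract_op(add, h_parity, "Even", "Odd"))   # exact
    print("Pos  * Neg  ->", abstract_op(mul, h_sign, "Pos", "Neg"))      # exact
    print("Pos  + Neg  ->", abstract_op(add, h_sign, "Pos", "Neg"))      # imprecise
```

A property such as "y never becomes Zero" can therefore fail on the abstract model after a Pos + Neg step even when the concrete program never adds such values; that spurious counterexample is the false positive the Abstraction slide refers to, and the usual response is to refine h (for example by splitting Pos into more classes) until the counterexample either disappears or is confirmed on the concrete model.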

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    /* assumed definitions: the slide leaves the process states N, T, C undefined */
    #define N 0
    #define T 1
    #define C 2

    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
               if
               :: tok = 1
               :: tok = 2
               fi
        od
    }

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the model above; Xi is the state of process i and tok is the token holder]

State graph (12 states):
    N1 N2 tok=1,  N1 N2 tok=2,  N1 T2 tok=1,  T1 N2 tok=2,  T1 N2 tok=1,  N1 T2 tok=2,
    T1 T2 tok=1,  T1 T2 tok=2,  C1 N2 tok=1,  N1 C2 tok=2,  C1 T2 tok=1,  T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):
    N1 N2 tok=1,  N1 T2 tok=1,  T1 N2 tok=1,  T1 T2 tok=1,  C1 N2 tok=1,  C1 T2 tok=1
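The 12-state graph and its 6-state quotient can be reproduced by exploring the token model with and without a symmetry-aware state store. The Python program below is an added example, not code from the slides or from SPIN: it numbers the processes 1 and 2 so that "tok == i" means process i holds the token (matching the state graph, whereas the Promela above compares tok against `_pid`), treats leaving C together with handing over the token as one atomic step (again matching the graph), and canonicalises each state by taking the lexicographically smaller of the state and its image under swapping the two processes (which also renames the token). The representatives it picks may differ from the ones drawn on the slide; only the number of classes matters.

```python
N, T, C = "N", "T", "C"


def with_state(s, i, new, tok):
    """State tuple with process i set to `new` and the given token holder."""
    t = list(s)
    t[i - 1] = new
    return (t[0], t[1], tok)


def successors(state):
    """Enabled transitions of the two-process token model.

    A state is (s1, s2, tok).  Process i moves N -> T freely, T -> C only
    when tok == i, and C -> N while passing the token to process 1 or 2
    (one atomic step, as in the state graph above)."""
    s, tok = state[:2], state[2]
    for i in (1, 2):
        cur = s[i - 1]
        if cur == N:
            yield with_state(s, i, T, tok)
        elif cur == T and tok == i:
            yield with_state(s, i, C, tok)
        elif cur == C:
            for new_tok in (1, 2):
                yield with_state(s, i, N, new_tok)


def canonical(state):
    """Representative of the orbit of `state` under swapping the two
    processes (and renaming the token accordingly): the smaller of the two."""
    s1, s2, tok = state
    return min(state, (s2, s1, 3 - tok))


def explore(symmetry=False):
    """Explore from (N, N, tok=1).

    Returns (states_stored, mutual_exclusion_holds).  With symmetry=True only
    the canonical representative of each state is stored and expanded."""
    rep = canonical if symmetry else (lambda s: s)
    init = rep((N, N, 1))
    seen, stack = {init}, [init]
    mutex = True
    while stack:
        s = stack.pop()
        if s[0] == C and s[1] == C:       # both processes in C at once
            mutex = False
        for nxt in successors(s):
            nxt = rep(nxt)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen), mutex


if __name__ == "__main__":
    for sym in (False, True):
        n, ok = explore(symmetry=sym)
        print(f"symmetry={sym}: {n} states stored, mutual exclusion holds: {ok}")
```

Because the process swap is an automorphism of the transition relation, every successor of a representative is itself equivalent to a successor of some state in the same class, so exploring only representatives still visits every class and a property that is itself symmetric (mutual exclusion here) is checked exactly.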

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                    SPIN
                         states     time      memory        states     time      memory
    Migratory Protocol (2)  155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
    Stable Marriage (2)     710        0.84s     7.3 MB        568        <0.01s    1.5 MB
    Stable Marriage (3)     1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
    Stable Marriage (5)     10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
    Best (7)                15         0.06s     0.7 MB        2187       0.03s     1.5 MB
    Best (20)               41         0.34s     5.7 MB        N/A (1)
    Worst (3)               15         0.04s     0.3 MB        15         <0.01s    1.5 MB
    Worst (20)              2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
    Worst (100)             2.54E+30   14.34s    14.6 MB       N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best / Worst

Comparison: Leader Election Protocol

Non-PO:

         NuSMV                              SPIN
         states    time       memory        states    time      memory
    2    70        0.11s      1.1 MB        70        <0.01s    1.5 MB
    3    488       0.57s      4.6 MB        488       <0.01s    1.5 MB
    4    3576      6.77s      10.6 MB       3576      0.10s     2.3 MB
    8    N/A (1)                            N/A (1)

PO:

         NuSMV-ImProviso                    SPIN
         states    time       memory        states    time      memory
    2    48        0.10s      1.0 MB        48        0.02s     1.5 MB
    3    209       0.31s      3.0 MB        209       <0.01s    1.5 MB
    4    922       1.77s      10.4 MB       922       <0.01s    1.7 MB
    8    306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

Model Checking Introduction

bull Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or notndash Advantages over traditional system validation approaches

based on simulation testing and deductive reasoningndash An automatic technique for verifying finite state

concurrent systemsndash Process modeling specification and verificationndash Main challenge state space explosion problem

Model Checking

System designor code Requirements

Finite state modelM

Set of logical properties

Model checkerM |= φ

for each property φ

No Yesradic

manual

automatic

abstract

Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

Model of Concurrent Systems (Cont)

bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

Temporal logics

bull Temporal logics may differ according to how they handle branching in the underlying computation tree

bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

combinations of the usual linear-time operators

CTL Examples

bull The four most widely used CTL operators are illustrated

bull Each computation tree has initial state s0 as its root

Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Model Checking

System designor code Requirements

Finite state modelM

Set of logical properties

Model checkerM |= φ

for each property φ

No Yesradic

manual

automatic

abstract

Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

Model of Concurrent Systems (Cont)

bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

Temporal logics

bull Temporal logics may differ according to how they handle branching in the underlying computation tree

bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

  – Linear Temporal Operators
    • Xp: p holds next time
    • Fp: p holds sometime in the future
    • Gp: p holds globally in the future
    • pUq: p holds until q holds
• In LTL only linear temporal operators are allowed
• In CTL each temporal operator must be immediately preceded by a path quantifier
• In CTL* a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators

CTL Examples

• The four most widely used CTL operators are illustrated (figure not preserved)
• Each computation tree has initial state s0 as its root

Fixpoint Algorithms

• Key properties of EFp

Model Checking Problem

• Let M be the state-transition graph obtained from the concurrent system
• Let f be the specification expressed in temporal logic
• Find all states s such that M, s |= f, and check whether the initial states are among them

Symbolic Model Checking

• Method used by most "industrial strength" model checkers
  – uses Boolean encoding for state machine and sets of states
  – can handle much larger designs – hundreds of state variables
  – BDDs traditionally used to represent Boolean functions

Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987
• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre
• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered Binary Decision Tree for the two-bit comparator given by the formula (not preserved)

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function we obtain the OBDD below (figure not preserved)

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function we get the OBDD below (figure not preserved)
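As an added example (not from the slides), the following Python builds the reduced OBDD of the two-bit comparator under both orderings named above and counts its decision nodes; it assumes the comparator is (a1 ↔ b1) ∧ (a2 ↔ b2), the standard formula, since the slide's formula was not preserved.

```python
"""Reduced OBDD construction for the two-bit comparator under two orderings.

Added example (not from the slides). Assumes the comparator formula is
f(a1, a2, b1, b2) = (a1 <-> b1) and (a2 <-> b2).
"""
from itertools import product
from typing import Callable, Dict, List, Tuple

# A decision node is (variable, low child id, high child id); ids 0 and 1
# are the terminals FALSE and TRUE.
Node = Tuple[str, int, int]
Env = Dict[str, bool]


def build_obdd(f: Callable[[Env], bool], order: List[str]) -> Tuple[int, List[object]]:
    """Reduced OBDD of f, testing variables in `order`.

    Shannon-expands f along the ordering and reduces on the way back up:
    a test whose two branches coincide is dropped and structurally equal
    nodes are shared through a unique table. Returns (root id, node list).
    """
    nodes: List[object] = [("FALSE",), ("TRUE",)]   # terminal ids 0 and 1
    unique: Dict[Node, int] = {}

    def mk(var: str, lo: int, hi: int) -> int:
        if lo == hi:                  # redundant test: both branches equal
            return lo
        key = (var, lo, hi)
        if key not in unique:         # share isomorphic sub-diagrams
            unique[key] = len(nodes)
            nodes.append(key)
        return unique[key]

    def build(i: int, env: Env) -> int:
        if i == len(order):           # every variable fixed: evaluate f
            return 1 if f(env) else 0
        var = order[i]
        lo = build(i + 1, {**env, var: False})
        hi = build(i + 1, {**env, var: True})
        return mk(var, lo, hi)

    return build(0, {}), nodes


def nonterminal_count(built: Tuple[int, List[object]]) -> int:
    """Number of decision nodes (everything except the two terminals)."""
    return len(built[1]) - 2


def evaluate(root: int, nodes: List[object], env: Env) -> bool:
    """Follow the diagram from the root to a terminal for a full assignment."""
    node = root
    while node > 1:
        var, lo, hi = nodes[node]
        node = hi if env[var] else lo
    return node == 1


def comparator(env: Env) -> bool:
    # Assumed two-bit comparator: both bit positions agree.
    return env["a1"] == env["b1"] and env["a2"] == env["b2"]


GOOD_ORDER = ["a1", "b1", "a2", "b2"]   # ordering of the "OBDD for Comparator" slide
BAD_ORDER = ["a1", "a2", "b1", "b2"]    # ordering of the "Variable Ordering Problem" slide


def compare_orderings() -> Dict[str, int]:
    """Decision-node count of the comparator OBDD under each ordering."""
    return {" < ".join(o): nonterminal_count(build_obdd(comparator, o))
            for o in (GOOD_ORDER, BAD_ORDER)}


def agree_everywhere(order_a: List[str], order_b: List[str]) -> bool:
    """Different graphs, same function: both diagrams must agree with f on all 16 inputs."""
    ra, na = build_obdd(comparator, order_a)
    rb, nb = build_obdd(comparator, order_b)
    names = ["a1", "a2", "b1", "b2"]
    for bits in product([False, True], repeat=4):
        env = dict(zip(names, bits))
        if not (evaluate(ra, na, env) == evaluate(rb, nb, env) == comparator(env)):
            return False
    return True


if __name__ == "__main__":
    for ordering, size in compare_orderings().items():
        print(f"{ordering}: {size} decision nodes")
```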

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T will be given as a Boolean formula in terms of the state variables
  – where v1, …, vn represents the current state and v'1, …, v'n represents the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for transition relation (formula not preserved)
• Now represent as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence (formula not preserved)
• until convergence

Problems with BDDs

• BDDs are a canonical representation. They often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with s to s of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the example more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
    • Counterexample
• The set of traces of M must be contained in the set of traces that satisfy φ
• Equivalently, no trace of M is a trace that satisfies ¬φ

Buumlchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple (S, I, →, F)
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – → ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(Automaton over the states S0, S1, S2; figure not preserved)

trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Buumlchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the traces of M that satisfy ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

(Figures not preserved)

Nested Depth First Search

procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detect"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
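An added example (not the slides' code) that implements the product construction of the LTL Model Checking slide together with the DFS/DFS2 procedures above in Python, checking G p on a constructed three-state model with a hand-built automaton for ¬(G p); the models, the automaton and all names are constructed for illustration.

```python
"""LTL model checking as on the slides: product of a Kripke structure M with
a Büchi automaton for the negated property, then nested DFS (DFS/DFS2) for an
accepting cycle. Added example; models, names and the automaton are constructed."""
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Tuple

Label = FrozenSet[str]
Guard = Callable[[Label], bool]


class Kripke:
    """Finite state-transition graph: initial states, successor lists and the
    atomic propositions true in each state."""
    def __init__(self, init: List[Any], succ: Dict[Any, List[Any]],
                 label: Dict[Any, Label]) -> None:
        self.init, self.succ, self.label = init, succ, label


class Buechi:
    """Büchi automaton (S, I, ->, F); each transition carries a guard that is
    evaluated on the label of the model state being read."""
    def __init__(self, init: List[str], delta: Dict[str, List[Tuple[Guard, str]]],
                 accepting: List[str]) -> None:
        self.init, self.delta, self.accepting = init, delta, set(accepting)


def product(m: Kripke, b: Buechi):
    """Product M x B over pairs (s, q): (s, q) -> (s', q') when s -> s' in M and
    q -g-> q' in B with g true on L(s'); (s, q) is accepting when q is.
    Initial pairs are formed by reading L(s0) on the automaton's first move."""
    def moves(s, q):
        return [(s, q2) for g, q2 in b.delta[q] if g(m.label[s])]

    def succ(p):
        s, q = p
        return [p2 for s2 in m.succ[s] for p2 in moves(s2, q)]

    init = [p for s in m.init for q in b.init for p in moves(s, q)]
    return init, succ, lambda p: p[1] in b.accepting


def nested_dfs(init, succ, accepting) -> Optional[Tuple[list, list]]:
    """DFS/DFS2 from the slides. visited2 is shared by all inner searches (an
    inner search never revisits what an earlier one already cleared). Returns
    (prefix, cycle) for the first accepting cycle found, else None."""
    visited, visited2 = set(), set()

    def dfs2(s, seed, path):
        visited2.add(s)
        for s2 in succ(s):
            if s2 == seed:                   # closed a loop through the seed
                return path + [s2]
            if s2 not in visited2:
                found = dfs2(s2, seed, path + [s2])
                if found:
                    return found
        return None

    def dfs(s, path):
        visited.add(s)
        for s2 in succ(s):
            if s2 not in visited:
                found = dfs(s2, path + [s2])
                if found:
                    return found
                if accepting(s2):            # post-order: inner search from s2
                    cycle = dfs2(s2, s2, [s2])
                    if cycle:
                        return path + [s2], cycle
        return None

    for s0 in init:
        if s0 not in visited:
            found = dfs(s0, [s0])
            if found:
                return found
            if accepting(s0):                # the root is never an s2 inside dfs,
                cycle = dfs2(s0, s0, [s0])   # so a cycle through it is checked here
                if cycle:
                    return [s0], cycle
    return None


def check_globally_p(m: Kripke):
    """M |= G p ? b_not_phi accepts exactly the traces satisfying F not p (the
    violations of G p), so an accepting cycle in the product is a counterexample
    lasso (prefix, cycle). None means the property holds."""
    b_not_phi = Buechi(
        init=["q0"],
        delta={"q0": [(lambda l: True, "q0"), (lambda l: "p" not in l, "q1")],
               "q1": [(lambda l: True, "q1")]},
        accepting=["q1"])
    return nested_dfs(*product(m, b_not_phi))


# Constructed models: a three-state ring; in BAD, state 2 no longer satisfies p.
GOOD = Kripke([0], {0: [1], 1: [2], 2: [0]},
              {0: frozenset({"p"}), 1: frozenset({"p"}), 2: frozenset({"p"})})
BAD = Kripke([0], {0: [1], 1: [2], 2: [0]},
             {0: frozenset({"p"}), 1: frozenset({"p"}), 2: frozenset()})

if __name__ == "__main__":
    print("GOOD |= G p:", check_globally_p(GOOD) is None)
    print("BAD counterexample (prefix, cycle):", check_globally_p(BAD))
```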

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Petersonrsquos Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is out or has yielded */
    ncrit++;
ss:
    assert(ncrit == 1);                    /* critical section: never more than one process inside */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);
    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A Simple LTL property

(F (~ v1))   v1 will eventually become False

Cone of Influence Reduction

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
End
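Added example (not from the slides): the dependency-closure computation behind the reduction, applied to the six-variable model above, with the "repeat forever in parallel" block modelled as a synchronous update and F(~v1) checked on both the full and the reduced model; the reduced model here keeps the update of every cone variable, including v3 = v1 & v2.

```python
"""Cone of influence reduction on the slides' six-variable example.

Added example, not from the slides. 'Repeat forever in parallel' is modelled
as a synchronous update of all variables; the dependency graph is read off
the right-hand sides; v6 is never assigned and so is a free input.
"""
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

State = Dict[str, bool]
Update = Tuple[List[str], Callable[..., bool]]   # (variables read, new value)

# The slides' model: each entry is (variables read, how the new value is computed)
FULL_MODEL: Dict[str, Update] = {
    "v1": (["v2"], lambda v2: v2),
    "v2": (["v1", "v3"], lambda v1, v3: v1 and v3),
    "v3": (["v1", "v2"], lambda v1, v2: v1 and v2),
    "v4": (["v5", "v3"], lambda v5, v3: v5 and v3),
    "v5": (["v4", "v6"], lambda v4, v6: v4 and v6),
}
ALL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(model: Dict[str, Update], of: Set[str]) -> FrozenSet[str]:
    """Smallest set containing `of` and closed under 'is read by the update of'."""
    cone, work = set(of), list(of)
    while work:
        v = work.pop()
        for dep in model.get(v, ([], None))[0]:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return frozenset(cone)


def reduce_model(model: Dict[str, Update], cone: FrozenSet[str]) -> Dict[str, Update]:
    """Keep only the updates of cone variables (by closure, they read cone variables only)."""
    return {v: upd for v, upd in model.items() if v in cone}


def step(model: Dict[str, Update], s: State) -> State:
    """One synchronous round: every assignment reads the old values."""
    nxt = dict(s)
    for v, (reads, fn) in model.items():
        nxt[v] = fn(*[s[r] for r in reads])
    return nxt


def eventually_not_v1(model: Dict[str, Update], variables: List[str]) -> List[State]:
    """Check F(~v1) from every initial assignment. The updates are deterministic,
    so each initial state yields one path, which violates F(~v1) iff it loops
    without ever making v1 false. Returns the violating initial states."""
    violations = []
    for bits in product([False, True], repeat=len(variables)):
        s = dict(zip(variables, bits))
        seen, ok = set(), False
        while tuple(s[v] for v in variables) not in seen:
            seen.add(tuple(s[v] for v in variables))
            if not s["v1"]:
                ok = True
                break
            s = step(model, s)
        if not ok:
            violations.append(dict(zip(variables, bits)))
    return violations


def verdicts_agree() -> bool:
    """F(~v1) must get the same answer on the full model and on the reduced one,
    and the same violating states once projected onto the cone variables."""
    cone = cone_of_influence(FULL_MODEL, {"v1"})
    cone_vars = [v for v in ALL_VARS if v in cone]
    full = eventually_not_v1(FULL_MODEL, ALL_VARS)
    small = eventually_not_v1(reduce_model(FULL_MODEL, cone), cone_vars)
    proj_full = {tuple(s[v] for v in cone_vars) for s in full}
    proj_small = {tuple(s[v] for v in cone_vars) for s in small}
    return (not full) == (not small) and proj_full == proj_small


if __name__ == "__main__":
    print("cone of {v1}:", sorted(cone_of_influence(FULL_MODEL, {"v1"})))
    print("same verdict on full and reduced model:", verdicts_agree())
```

On this model both checks report the same violation, the initial state v1 = v2 = v3 = True, which the updates never leave.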

Data Abstraction

Abstraction function h: S → S' (figure not preserved: h maps each concrete state in S to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int → {Even, Odd}
    Even = {…, -2, 0, 2, 4, …}
    Odd  = {…, -3, -1, 1, 3, …}

y: int → {Neg, Zero, Pos}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
    Pos  = {1, 2, 3, …}

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

byte tok = 1;

mtype = { N, T, C };   /* process states: non-critical, trying, critical */

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C   /* enter only while holding the token */
    :: (state == C) -> state = N;
                       if                           /* hand the token to either process */
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}
/* _pid is 0 or 1 for active [2]; the state graph on the next slide numbers the processes 1 and 2 */

Symmetry Reduction Example

State-graph (figure not preserved; 12 states, Ni/Ti/Ci = process i in N/T/C):
N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2, T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2

Reduced state-graph (figure not preserved; 6 states, one per symmetric pair):
N1 N2 tok=1, N1 T2 tok=1, T1 N2 tok=1, T1 T2 tok=1, C1 N2 tok=1, C1 T2 tok=1
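Added example (not SPIN's or the slides' code): a Python exploration of the token model above that reproduces the 12-state graph and the 6-state reduced graph by storing one representative per orbit of the process-swapping symmetry; it numbers the processes 1 and 2 as the state graph does and treats the if…fi as a non-deterministic handover of tok.

```python
"""Explicit-state exploration of the two-process token model on the
'Model Written in SPIN' slide, with and without symmetry reduction.

Added example (not SPIN's or the slides' code). A state is
(state of process 1, state of process 2, tok); processes are numbered 1 and 2
as in the slide's state graph, so 'tok == pid' compares against 1 and 2, and a
process leaving C hands tok to either process, as the if...fi does."""
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[str, str, int]        # (process 1, process 2, tok)
INITIAL: State = ("N", "N", 1)      # byte tok = 1; both processes start in N


def successors(s: State) -> List[State]:
    """Asynchronous interleaving: one process takes one 'do' step."""
    p1, p2, tok = s
    nxt: List[State] = []
    for pid, local in ((1, p1), (2, p2)):
        def put(mine: str, new_tok: int) -> None:   # rebuild the tuple for this pid
            nxt.append((mine, p2, new_tok) if pid == 1 else (p1, mine, new_tok))
        if local == "N":
            put("T", tok)                           # (state == N) -> state = T
        elif local == "T" and tok == pid:
            put("C", tok)                           # enter C only while holding tok
        elif local == "C":
            put("N", 1)                             # if :: tok = 1
            put("N", 2)                             #    :: tok = 2 fi
    return nxt


def swap(s: State) -> State:
    """The symmetry: exchange the processes and renumber the token."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Orbit representative: the member with tok = 1 (each orbit {s, swap(s)} has exactly one)."""
    return s if s[2] == 1 else swap(s)


def identity(s: State) -> State:
    return s


def explore(rep: Callable[[State], State]) -> Set[State]:
    """Reachable states, storing rep(t) for each generated state t.
    rep = identity gives the full state graph, rep = canonical the reduced one."""
    start = rep(INITIAL)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            r = rep(t)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def mutual_exclusion_holds(rep: Callable[[State], State]) -> bool:
    """Safety check 'never both in C'. swap preserves this predicate, so the
    verdict on the reduced graph is the verdict on the full graph."""
    return not any(s[0] == "C" and s[1] == "C" for s in explore(rep))


def state_counts() -> Dict[str, int]:
    return {"full": len(explore(identity)), "reduced": len(explore(canonical))}


if __name__ == "__main__":
    print(state_counts())                           # {'full': 12, 'reduced': 6}
    print("mutual exclusion:", mutual_exclusion_holds(canonical))
```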

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states     time      memory        states     time      memory
Migratory Protocol (2)    155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
Stable Marriage (2)       710        0.84s     7.3 MB        568        <0.01s    1.5 MB
Stable Marriage (3)       1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
Stable Marriage (5)       10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
Best (7)                  15         0.06s     0.7 MB        2187       0.03s     1.5 MB
Best (20)                 41         0.34s     5.7 MB        N/A¹
Worst (3)                 15         0.04s     0.3 MB        15         <0.01s    1.5 MB
Worst (20)                2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
Worst (100)               2.54E+30   14.34s    14.6 MB       N/A¹

• SPIN faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

        NuSMV                              SPIN
        states    time      memory         states    time      memory
2       70        0.11s     1.1 MB         70        <0.01s    1.5 MB
3       488       0.57s     4.6 MB         488       <0.01s    1.5 MB
4       3576      6.77s     10.6 MB        3576      0.10s     2.3 MB
8       N/A¹                               N/A¹

PO (with partial order reduction)

        NuSMV-ImProviso                    SPIN
        states    time      memory         states    time      memory
2       48        0.10s     1.0 MB         48        0.02s     1.5 MB
3       209       0.31s     3.0 MB         209       <0.01s    1.5 MB
4       922       1.77s     10.4 MB        922       <0.01s    1.7 MB
8       306903    3553.86s  381.8 MB       306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  –
 Abstraction
  – Compositional reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

Model of Concurrent Systems (Cont)

bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

Temporal logics

bull Temporal logics may differ according to how they handle branching in the underlying computation tree

bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

combinations of the usual linear-time operators

CTL Examples

bull The four most widely used CTL operators are illustrated

bull Each computation tree has initial state s0 as its root

Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    #define N 0    /* state constants; their definitions are not on the slide */
    #define T 1
    #define C 2

    byte tok = 1;

    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 reachable states; each state lists the local state of user 1, the local state of user 2, and the token holder):

    N1 N2, tok=1      N1 N2, tok=2
    N1 T2, tok=1      T1 N2, tok=2
    T1 N2, tok=1      N1 T2, tok=2
    T1 T2, tok=1      T1 T2, tok=2
    C1 N2, tok=1      N1 C2, tok=2
    C1 T2, tok=1      T1 C2, tok=2

Each state in the left column is the mirror image of the state beside it: swapping the two users (and renaming the token) maps one onto the other.

Reduced state graph (one representative per equivalence class, 6 states):

    N1 N2, tok=1
    N1 T2, tok=1
    T1 N2, tok=1
    T1 T2, tok=1
    C1 N2, tok=1
    C1 T2, tok=1
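The two graphs above, computed from the model. This is an added Python example, not code from the slides or from SPIN: it explores the token model explicitly, then explores it again while storing only one representative of each equivalence class under the swap-the-two-users symmetry, and checks mutual exclusion on the reduced graph. Assumptions: the users are numbered 1 and 2 so that the guard tok == pid matches the state graph (the Promela `_pid` values would be 0 and 1), and N, T and C stand for non-critical, trying and critical.

```python
# Added example, not from the slides: explicit-state exploration of the
# two-user token model above, and the quotient state graph obtained by
# searching only one representative per symmetry equivalence class.

N, T, C = "N", "T", "C"            # non-critical, trying, critical
PIDS = (1, 2)                      # users numbered 1 and 2, as in the state graph
INITIAL = (N, N, 1)                # (state of user 1, state of user 2, tok)


def successors(state):
    """One step of one user, following the do-loop of the Promela model."""
    s1, s2, tok = state
    for i, pid in enumerate(PIDS):
        local = [s1, s2]
        if local[i] == N:                        # (state == N) -> state = T
            local[i] = T
            yield (local[0], local[1], tok)
        elif local[i] == T and tok == pid:       # (state == T) && (tok == pid) -> state = C
            local[i] = C
            yield (local[0], local[1], tok)
        elif local[i] == C:                      # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            local[i] = N
            for new_tok in PIDS:
                yield (local[0], local[1], new_tok)


def swap(state):
    """The symmetry of the model: exchange the two users and rename the token."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def representative(state):
    """Canonical member of the orbit {s, swap(s)}: the one in which user 1
    holds the token, which is the choice made in the reduced graph above."""
    return state if state[2] == 1 else swap(state)


def explore(initial, canon=lambda s: s):
    """Reachable state graph; canon() maps each generated state to the
    representative that is actually stored and searched."""
    start = canon(initial)
    seen, work, edges = {start}, [start], set()
    while work:
        s = work.pop()
        for t in successors(s):
            r = canon(t)
            edges.add((s, r))
            if r not in seen:
                seen.add(r)
                work.append(r)
    return seen, edges


def mutual_exclusion(states):
    """Safety property: the two users are never in C at the same time."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)


FULL_STATES, FULL_EDGES = explore(INITIAL)
REDUCED_STATES, REDUCED_EDGES = explore(INITIAL, canon=representative)

if __name__ == "__main__":
    print("state graph:", len(FULL_STATES), "states,", len(FULL_EDGES), "edges")
    print("reduced state graph:", len(REDUCED_STATES), "states,", len(REDUCED_EDGES), "edges")
    print("mutual exclusion holds on the reduced graph:", mutual_exclusion(REDUCED_STATES))
```

The full exploration finds the 12 states listed on the slide and the reduced one the 6 representatives with tok=1. Canonicalising every generated successor before storing it is what "search only 1 state per equivalence class" means in practice: the search never leaves the representatives, and a property that is invariant under the symmetry, such as mutual exclusion, can be decided on the quotient alone.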

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                            NuSMV-ImProviso                    SPIN
                            states     time      memory        states     time      memory
    Migratory Protocol (2)  155040     10863s    563 MB        435456     234s      428 MB
    Stable Marriage (2)     710        0.84s     73 MB         568        <0.01s    15 MB
    Stable Marriage (3)     1275       272s      104 MB        945        <0.01s    15 MB
    Stable Marriage (5)     10351      3156s     300 MB        8421       0.03s     21 MB
    Best (7)                15         0.06s     0.7 MB        2187       0.03s     15 MB
    Best (20)               41         0.34s     57 MB         N/A¹
    Worst (3)               15         0.04s     0.3 MB        15         <0.01s    15 MB
    Worst (20)              2097150    0.36s     50 MB         2097150    1503s     1106 MB
    Worst (100)             2.54E+30   1434s     146 MB        N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (no partial order reduction)

                            NuSMV                              SPIN
    n                       states     time      memory        states     time      memory
    2                       70         0.11s     11 MB         70         <0.01s    15 MB
    3                       488        0.57s     46 MB         488        <0.01s    15 MB
    4                       3576       677s      106 MB        3576       0.10s     23 MB
    8                       N/A¹                               N/A¹

PO (with partial order reduction)

                            NuSMV-ImProviso                    SPIN
    n                       states     time      memory        states     time      memory
    2                       48         0.10s     10 MB         48         0.02s     15 MB
    3                       209        0.31s     30 MB         209        <0.01s    15 MB
    4                       922        177s      104 MB        922        <0.01s    17 MB
    8                       306903     355386s   3818 MB       306903     1182s     2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry




Temporal logics

bull Temporal logics may differ according to how they handle branching in the underlying computation tree

bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

combinations of the usual linear-time operators

CTL Examples

bull The four most widely used CTL operators are illustrated

bull Each computation tree has initial state s0 as its root

Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula
  – All traces of M must satisfy it
  – If a trace of M does not satisfy it
• Counterexample
  – M is the set of traces of M
  – is the set of traces that satisfy
• M
• Equivalently M ¬ =

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of S, I, a transition relation and F, where
  – S is a finite set of states
  – I, a subset of S, is the set of initial states
  – the transition relation is a relation between states of S (a subset of S × S)
  – F, a subset of S, is the set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States S0, S1, S2 (the automaton itself is drawn on the slide)

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula
  – Build the Büchi automaton B¬ for the negated formula
  – Compute the product of M and B¬
    • Each state of M is labeled with propositions
    • Each state of B¬ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detect"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
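The acceptance example above and the DFS/DFS2 pseudocode, carried out as an added example (not the slides' own code). The automaton is reconstructed from the three example traces and is an assumption: S2 is the only accepting state, S1 and S2 each have a self-loop and an edge to the other. The nested search returns the lasso (prefix, cycle) it finds, which is the counterexample the product construction would report.

```python
"""Büchi acceptance of lasso-shaped traces and nested depth-first search
(added example; the automaton below is an assumption reconstructed from the
slides' example traces)."""
from typing import Dict, List, Optional, Set, Tuple

Automaton = Dict[str, List[str]]          # state -> successor list

DELTA: Automaton = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S1", "S2"]}
INITIAL: Set[str] = {"S0"}
ACCEPTING: Set[str] = {"S2"}


def accepts_lasso(delta, initial, accepting, prefix, loop) -> bool:
    """prefix . loop^omega is accepted iff it is a run of the automaton and the
    loop (the states seen infinitely often) contains an accepting state."""
    if not loop:
        return False
    run = prefix + loop + [loop[0]]       # include the edge closing the loop
    if run[0] not in initial:
        return False
    for a, b in zip(run, run[1:]):
        if b not in delta.get(a, []):
            return False
    return any(s in accepting for s in loop)


def nested_dfs(delta, initial, accepting) -> Optional[Tuple[List[str], List[str]]]:
    """Return (prefix, cycle) of an accepted lasso, or None if nothing is accepted.
    DFS and DFS2 follow the slides' pseudocode: DFS2 is started from an accepting
    state once the first search has finished exploring it."""
    visited: Set[str] = set()
    visited2: Set[str] = set()
    stack: List[str] = []                 # current DFS path, reported as the prefix

    def dfs2(s: str, seed: str, path: List[str]) -> Optional[List[str]]:
        visited2.add(s)
        for t in delta.get(s, []):
            if t == seed:
                return path + [s]         # cycle through seed is closed
            if t not in visited2:
                found = dfs2(t, seed, path + [s])
                if found is not None:
                    return found
        return None

    def dfs(s: str):
        visited.add(s)
        stack.append(s)
        for t in delta.get(s, []):
            if t not in visited:
                found = dfs(t)
                if found is not None:
                    return found
                if t in accepting:
                    cycle = dfs2(t, t, [])
                    if cycle is not None:
                        return list(stack), cycle
        stack.pop()
        return None

    for s0 in sorted(initial):
        if s0 in visited:
            continue
        found = dfs(s0)
        if found is not None:
            return found
        if s0 in accepting:               # case the pseudocode leaves out
            cycle = dfs2(s0, s0, [])
            if cycle is not None:
                return [], cycle
    return None


if __name__ == "__main__":
    for prefix, loop in ((["S0", "S1"], ["S2"]), (["S0", "S1"], ["S2", "S1"]),
                         (["S0", "S1", "S2"], ["S1"])):
        print(prefix, loop, accepts_lasso(DELTA, INITIAL, ACCEPTING, prefix, loop))
    print(nested_dfs(DELTA, INITIAL, ACCEPTING))   # (['S0', 'S1'], ['S2', 'S1'])
```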

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: it can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:  flag[0] = 1;
    reach:  turn = 0;
    cs:     (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed in */
            ncrit++;
    ss:     assert(ncrit == 1);                      /* critical section */
            ncrit--;
            flag[0] = 0;
            goto again
    }

    active proctype user1()
    {
    again:  flag[1] = 1;
    reach:  turn = 1;
    cs:     (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed in */
            ncrit++;
            assert(ncrit == 1);                      /* critical section */
            ncrit--;
            flag[1] = 0;
            goto again
    }


Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. an infinite-state system approximated by a finite-state model
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    (F (~ v1))        v1 will eventually become False

Model after cone of influence reduction:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
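The reduction above, computed as an added example (not the slides' own code): the slides' equations are written in a small constructed text form (one `var = expr` line per variable), the cone is the least set of variables containing those the property mentions and closed under "depends on", and the reduced model keeps exactly the equations of variables in the cone.

```python
"""Cone of influence reduction over a 'Repeat forever in parallel' block
(added example; the text encoding of the model is a constructed assumption)."""
import re
from typing import Dict, Iterable, List, Set

# Constructed encoding of the slides' model: '&' is and, '~' is not.
MODEL = """
v1 = v2
v2 = v1 & v3
v3 = v1 & v2
v4 = v5 & v3
v5 = v4 & v6
"""

PROPERTY = "F (~ v1)"        # the slides' LTL property: v1 eventually becomes False

IDENT = re.compile(r"\bv\d+\b")


def parse_model(text: str) -> Dict[str, Set[str]]:
    """Map each assigned variable to the variables its next value reads.
    A variable that is read but never assigned (v6) is a free input."""
    deps: Dict[str, Set[str]] = {}
    for line in text.strip().splitlines():
        lhs, rhs = (part.strip() for part in line.split("=", 1))
        deps[lhs] = set(IDENT.findall(rhs))
    return deps


def cone_of_influence(deps: Dict[str, Set[str]], roots: Iterable[str]) -> Set[str]:
    """Least set containing the roots and closed under 'depends on' (a worklist
    fixpoint: a variable is added once and its dependencies are then visited)."""
    cone = set(roots)
    worklist = list(cone)
    while worklist:
        v = worklist.pop()
        for d in deps.get(v, set()):
            if d not in cone:
                cone.add(d)
                worklist.append(d)
    return cone


def reduced_variables(text: str, prop: str) -> List[str]:
    """Variables of the reduced model N for property prop."""
    deps = parse_model(text)
    return sorted(cone_of_influence(deps, IDENT.findall(prop)))


def reduce_model(text: str, prop: str) -> str:
    """Keep only the assignments of variables inside the property's cone."""
    cone = set(reduced_variables(text, prop))
    kept = [line for line in text.strip().splitlines()
            if line.split("=", 1)[0].strip() in cone]
    return "\n".join(kept)


if __name__ == "__main__":
    print(reduced_variables(MODEL, PROPERTY))   # ['v1', 'v2', 'v3']
    print(reduce_model(MODEL, PROPERTY))
```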

Data Abstraction

Abstraction function h from the concrete state set S to the abstract state set S' (figure: several concrete states of S are mapped by h onto one abstract state of S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x: int, abstracted to {Even, Odd}
        Even = { … -2 0 2 4 … }
        Odd  = { … -3 -1 1 3 … }

    y: int, abstracted to {Pos, Neg, Zero}
        Pos  = { 1 2 3 … }
        Neg  = { … -3 -2 -1 }
        Zero = { 0 }

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };      /* local states as named in the state diagram */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C   /* _pid is 0 or 1 in Promela;
                                                           the diagram numbers the users 1 and 2 */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 reachable states; each line shows a symmetric pair):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
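The two graphs above, rebuilt as an added example (not the slides' own code): the token model is explored once storing every reachable state and once storing only a representative of each orbit under the permutation that swaps the two users. Users are numbered 1 and 2 as in the diagram (an assumption; the Promela `_pid` would be 0 and 1), and the representative chosen is the orbit member in which user 1 holds the token, matching how the reduced graph is drawn.

```python
"""Symmetry reduction on the two-process token model (added example).
A state is (local state of user 1, local state of user 2, tok)."""
from typing import Callable, Dict, List, Tuple

State = Tuple[str, str, int]
INIT: State = ("N", "N", 1)


def successors(s: State) -> List[State]:
    """Interleaving semantics: every enabled guarded command of either user."""
    out: List[State] = []
    for pid in (1, 2):
        loc, tok = list(s[:2]), s[2]
        me = loc[pid - 1]
        if me == "N":                        # (state == N) -> state = T
            loc[pid - 1] = "T"
            out.append((loc[0], loc[1], tok))
        elif me == "T" and tok == pid:       # (state == T) && (tok == pid) -> state = C
            loc[pid - 1] = "C"
            out.append((loc[0], loc[1], tok))
        elif me == "C":                      # (state == C) -> state = N; tok = 1 or 2
            loc[pid - 1] = "N"
            out.extend([(loc[0], loc[1], 1), (loc[0], loc[1], 2)])
    return out


def swap(s: State) -> State:
    """The automorphism exchanging the two users; the token follows them."""
    return (s[1], s[0], 3 - s[2])


def representative(s: State) -> State:
    """One state per orbit {s, swap(s)}: the member where user 1 holds the token."""
    return s if s[2] == 1 else swap(s)


def explore(start: State,
            rep: Callable[[State], State] = lambda s: s) -> Dict[State, List[State]]:
    """Reachable state graph; with rep=representative only canonical states are
    stored, which is sound because swap is an automorphism of the graph."""
    graph: Dict[State, List[State]] = {}
    stack = [rep(start)]
    while stack:
        s = stack.pop()
        if s in graph:
            continue
        graph[s] = sorted({rep(t) for t in successors(s)})
        stack.extend(t for t in graph[s] if t not in graph)
    return graph


def mutual_exclusion_holds(graph: Dict[State, List[State]]) -> bool:
    """Safety check on the stored states: both users never sit in C together."""
    return all(not (s[0] == "C" and s[1] == "C") for s in graph)


if __name__ == "__main__":
    full, reduced = explore(INIT), explore(INIT, representative)
    print(len(full), len(reduced))                     # 12 6
    print(mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
```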


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

(figures as they appear on the extracted slide; the decimal points of the time and memory columns did not survive extraction; NA = not available, footnote 1 on the slide)

                            NuSMV-ImProviso                     SPIN
                            states     time      memory         states     time     memory
    Migratory Protocol (2)  155040     10863s    563 MB         435456     234s     428 MB
    Stable Marriage (2)     710        084s      73 MB          568        <001s    15 MB
    Stable Marriage (3)     1275       272s      104 MB         945        <001s    15 MB
    Stable Marriage (5)     10351      3156s     300 MB         8421       003s     21 MB
    Best (7)                15         006s      07 MB          2187       003s     15 MB
    Best (20)               41         034s      57 MB          NA
    Worst (3)               15         004s      03 MB          15         <001s    15 MB
    Worst (20)              2097150    036s      50 MB          2097150    1503s    1106 MB
    Worst (100)             254E+30    1434s     146 MB         NA

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

(figures as they appear on the extracted slide; decimal points did not survive extraction; NA = not available, footnote 1 on the slide)

Without partial order reduction (Non-PO):

    n    NuSMV                             SPIN
         states    time      memory        states    time     memory
    2    70        011s      11 MB         70        <001s    15 MB
    3    488       057s      46 MB         488       <001s    15 MB
    4    3576      677s      106 MB        3576      010s     23 MB
    8    NA                                NA

With partial order reduction (PO):

    n    NuSMV-ImProviso                   SPIN
         states    time      memory        states    time     memory
    2    48        010s      10 MB         48        002s     15 MB
    3    209       031s      30 MB         209       <001s    15 MB
    4    922       177s      104 MB        922       <001s    17 MB
    8    306903    355386s   3818 MB       306903    1182s    2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

ndash Path quantifierbull A for every pathbull E there exists a path

ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

combinations of the usual linear-time operators

CTL Examples

bull The four most widely used CTL operators are illustrated

bull Each computation tree has initial state s0 as its root

Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness together with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

CTL Examples

• The four most widely used CTL operators are illustrated below
• Each computation tree has the initial state s0 as its root

Fixpoint Algorithms

• Key properties of EF p

Model Checking Problem

• Let M be the state-transition graph obtained from the concurrent system
• Let f be the specification expressed in temporal logic
• Find all states s of M such that M, s |= f, and check if the initial states are among these

Symbolic Model Checking

• Method used by most "industrial strength" model checkers
  – uses a Boolean encoding for the state machine and for sets of states
  – can handle much larger designs: hundreds of state variables
  – BDDs traditionally used to represent Boolean functions

Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987
• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre
• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below
• For an n-bit comparator the interleaved ordering a1 < b1 < … < an < bn gives an OBDD whose size grows linearly in n, while a1 < … < an < b1 < … < bn gives one that grows exponentially in n

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T will be given as a Boolean formula in terms of the state variables, T(v1, …, vn, v'1, …, v'n)
  – where v1, …, vn represents the current state and v'1, …, v'n represents the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for the transition relation
• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence of approximations
• until convergence
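The fixpoint evaluation sketched on the last three slides, written out as an added example; this is not code from the deck or from any BDD package. It uses the standard characterizations EF p = μZ. p ∨ EX Z (least fixpoint, iterated up from the empty set) and EG p = νZ. p ∧ EX Z (greatest fixpoint, iterated down from the full state set), with states encoded as vectors of Boolean state variables and T(v, v') given as a predicate over current and next state. Sets of states are kept as Python frozensets rather than OBDDs, so the data structure is not symbolic, but the pre-image step and the iteration to convergence are exactly the ones the slides describe. The two-bit counter with reset, the proposition p and the initial state are constructed for the example.

```python
from itertools import product

N_VARS = 2  # constructed system: state variables (v1, v2) encode a counter, value = 2*v1 + v2

def all_states(n=N_VARS):
    """Every valuation of the n Boolean state variables."""
    return frozenset(product((False, True), repeat=n))

def value(s):
    return 2 * s[0] + s[1]

def transition(s, s_next):
    """T(v, v'): the counter increments mod 4, or nondeterministically resets to 0."""
    return value(s_next) == (value(s) + 1) % 4 or value(s_next) == 0

def ex(z, states=all_states()):
    """EX Z: states with at least one successor in Z (pre-image of Z under T)."""
    return frozenset(s for s in states if any(transition(s, t) for t in z))

def lfp(f, bottom=frozenset()):
    """Least fixpoint: iterate f from the empty set until the sequence converges."""
    z = bottom
    while True:
        z_next = f(z)
        if z_next == z:
            return z
        z = z_next

def gfp(f, top=all_states()):
    """Greatest fixpoint: iterate f from the full state set until convergence."""
    z = top
    while True:
        z_next = f(z)
        if z_next == z:
            return z
        z = z_next

def ef(p):
    """EF p = muZ. p | EX Z : some path eventually reaches a p-state."""
    return lfp(lambda z: p | ex(z))

def eg(p):
    """EG p = nuZ. p & EX Z : some path stays inside p forever."""
    return gfp(lambda z: p & ex(z))

def ag(p):
    """AG p = not EF not p : p holds on every reachable state of every path."""
    return all_states() - ef(all_states() - p)

def holds(formula_states, initial):
    """M, s |= f for every initial state s: the check on the Model Checking Problem slide."""
    return initial <= formula_states

# Constructed atomic proposition: p is true exactly when the counter reads 3.
P = frozenset(s for s in all_states() if value(s) == 3)
NOT_P = all_states() - P
INITIAL = frozenset({(False, False)})

if __name__ == "__main__":
    print("EF p:", sorted(map(value, ef(P))))         # every state can count up to 3
    print("EG ~p:", sorted(map(value, eg(NOT_P))))    # 0, 1, 2 can avoid 3 forever via reset
    print("AG ~p from init:", holds(ag(NOT_P), INITIAL))
```

The same three functions, with ex() replaced by BDD relational product over the OBDD of T, are the core of a symbolic CTL checker; the fixpoint loops do not change.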

Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with thousands to tens of thousands of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a path of length k in the underlying machine that violates the property (for a safety property: a path from an initial state that reaches a bad state in k steps)
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine (the longest shortest path between any two states): every reachable state is reached within that many steps, so an unsatisfiable formula at that bound rules out the violation

Main Advantages of SAT Approach

• Bounded model checking works quickly; this is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering; the default splitting heuristics are usually sufficient
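Bounded model checking in miniature, as an added example that is not code from the deck, from NuSMV or from any SAT solver. It unrolls the transition relation of a constructed two-bit mod-3 counter for k steps, conjoins the initial condition and a bad-state predicate at step k, and hands the CNF to a small DPLL procedure written here in place of a production solver; k grows until the formula is satisfiable or the bound is exhausted. The counter has 4 states, so any reachable state is reached within 3 steps, and an unsatisfiable answer at k = 3 is conclusive for this system, which is the diameter argument above. Variable ids, the CNF encoding of the counter and the two properties are all assumptions of the example.

```python
def a(i):
    """DPLL variable id of state bit a at step i (ids must be positive integers)."""
    return 2 * i + 1

def b(i):
    """Variable id of state bit b at step i; the counter value is 2*a + b."""
    return 2 * i + 2

def simplify(clauses, assignment):
    """Drop satisfied clauses and false literals; None signals a falsified clause."""
    out = []
    for clause in clauses:
        if any(assignment.get(abs(lit)) == (lit > 0) for lit in clause):
            continue
        rest = [lit for lit in clause if abs(lit) not in assignment]
        if not rest:
            return None
        out.append(rest)
    return out

def dpll(clauses, assignment=None):
    """Minimal DPLL: unit propagation plus case splitting. Returns a model dict or None."""
    assignment = dict(assignment or {})
    clauses = simplify(clauses, assignment)
    if clauses is None:
        return None
    if not clauses:
        return assignment
    unit = next((c for c in clauses if len(c) == 1), None)
    if unit is not None:
        assignment[abs(unit[0])] = unit[0] > 0
        return dpll(clauses, assignment)
    var = abs(clauses[0][0])               # split on the first unassigned variable
    for choice in (True, False):
        model = dpll(clauses, {**assignment, var: choice})
        if model is not None:
            return model
    return None

def unroll(k):
    """Init(v0) & T(v0,v1) & ... & T(v(k-1),vk) in CNF for the constructed counter:
    b' <-> (~a & ~b) and a' <-> (~a & b), i.e. 0 -> 1 -> 2 -> 0 (and 3 -> 0)."""
    clauses = [[-a(0)], [-b(0)]]                      # the counter starts at 0
    for i in range(k):
        clauses += [[-b(i + 1), -a(i)], [-b(i + 1), -b(i)], [b(i + 1), a(i), b(i)]]
        clauses += [[-a(i + 1), -a(i)], [-a(i + 1), b(i)], [a(i + 1), a(i), -b(i)]]
    return clauses

def bad_value(v):
    """Bad-state predicate 'counter == v', as clauses over the variables of step k."""
    return lambda k: [[a(k) if v & 2 else -a(k)], [b(k) if v & 1 else -b(k)]]

def bmc(bad, max_k):
    """Look for a counterexample of length k = 0, 1, ..., max_k.
    Returns (k, trace of counter values) for the shortest one found, or None."""
    for k in range(max_k + 1):
        model = dpll(unroll(k) + bad(k))
        if model is not None:
            trace = [2 * model.get(a(i), False) + model.get(b(i), False) for i in range(k + 1)]
            return k, trace
    return None

if __name__ == "__main__":
    print(bmc(bad_value(2), max_k=3))   # the counter reaches 2 after two steps
    print(bmc(bad_value(3), max_k=3))   # value 3 is unreachable: None within the diameter
```

Because each call starts from k = 0, the first satisfiable instance is the shortest violating path, which is the "minimal length" property claimed above; a real BMC loop reuses learned clauses across bounds instead of rebuilding the formula.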

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL and LTL
• Provides both BDD-based and SAT-based model checking
• Allows a user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• L(M) is the set of traces of M
• L(φ) is the set of traces that satisfy φ
• M |= φ iff L(M) ⊆ L(φ)
• Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

• Automaton states: S0, S1, S2 (from the verdicts below, S2 is accepting and S1 is not)
• σ1 = S0 S1 S2 S2 S2 S2 … : ACCEPTED (S2 occurs infinitely often)
• σ2 = S0 S1 S2 S1 S2 S1 … : ACCEPTED (S2 occurs infinitely often)
• σ3 = S0 S1 S2 S1 S1 S1 … : REJECTED (S2 occurs only once)

LTL and Büchi Automata

• LTL formula φ
  – Represents the set of infinite traces which satisfy φ
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ for the negation of φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ, i.e. L(M) ∩ L(¬φ)
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle, in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited := visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')      (the nested search starts only after DFS(s') has returned)
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 := visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
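The product construction and the nested depth-first search above, as an added example that is not part of the original deck and not SPIN's code. The model M, its labelling and the property are constructed here: M has three states with p true only in s0, the property is G F p (p holds infinitely often), and the hand-built Büchi automaton for its negation F G ¬p has an accepting state q1 that can only be entered and kept while ¬p holds. The convention assumed is that an automaton transition is guarded on the label of the model state being entered. The product is generated on the fly from a successor function, so the full product graph is never built, and the nested search for a state starts once the first search has finished below it (post-order), which is what the pseudocode's placement of DFS2 after DFS(s') achieves.

```python
# Constructed Kripke structure: states, successors and the propositions true in each state.
MODEL = {
    "init": "s0",
    "succ": {"s0": ["s1"], "s1": ["s2"], "s2": ["s0", "s2"]},
    "label": {"s0": {"p"}, "s1": set(), "s2": set()},
}

# Hand-built Buchi automaton for the negated property F G ~p.
# A transition is (target, guard); the guard reads the label of the model state entered.
NOT_PHI = {
    "init": "q0",
    "succ": {
        "q0": [("q0", lambda lab: True), ("q1", lambda lab: "p" not in lab)],
        "q1": [("q1", lambda lab: "p" not in lab)],
    },
    "accepting": {"q1"},
}

def product_successors(model, buchi):
    """Successor function of M x B, computed on the fly: both components move,
    the automaton only along a transition whose guard matches the new model state."""
    def succ(state):
        s, q = state
        for s2 in model["succ"][s]:
            for q2, guard in buchi["succ"][q]:
                if guard(model["label"][s2]):
                    yield (s2, q2)
    return succ

def nested_dfs(init, succ, accepting):
    """Return (prefix, cycle) of an accepting lasso in the product, or None."""
    visited, visited2 = set(), set()
    path, cycle = [], []

    def dfs(s):
        visited.add(s)
        path.append(s)
        for s2 in succ(s):
            if s2 not in visited and dfs(s2):
                return True
        # Post-order: the nested search for s starts once everything below s is explored.
        if accepting(s) and dfs2(s, s):
            return True
        path.pop()
        return False

    def dfs2(s, seed):
        visited2.add(s)                      # shared across all nested searches
        cycle.append(s)
        for s2 in succ(s):
            if s2 == seed:
                return True                  # closed a cycle through the accepting seed
            if s2 not in visited2 and dfs2(s2, seed):
                return True
        cycle.pop()
        return False

    if dfs(init):
        return list(path[:-1]), list(cycle)  # path ends at the seed, which opens the cycle
    return None

def check_ltl(model, buchi):
    """M |= phi iff L(M) n L(~phi) is empty. Returns None when the property holds,
    otherwise the counterexample projected onto model states: (prefix, cycle)."""
    succ = product_successors(model, buchi)
    found = nested_dfs((model["init"], buchi["init"]), succ,
                       lambda state: state[1] in buchi["accepting"])
    if found is None:
        return None
    prefix, cycle = found
    return [s for s, _ in prefix], [s for s, _ in cycle]

if __name__ == "__main__":
    print(check_ltl(MODEL, NOT_PHI))   # s0 s1 s2 (s2)^omega: p never holds again, G F p fails
```

Removing the self-loop on s2 makes every cycle of M pass through s0, where p holds; the search then exhausts the product without finding a lasso and reports None, which is the "property holds" outcome.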

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
  – Some states are never generated in the product
  – A counterexample can be found before all states have been searched
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra (Promela)
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Bitstate hashing: stores each visited state as two bits of a hash table instead of the full state vector; hash collisions can make the search skip states, so a run that reports no error is not a proof (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;            /* number of processes inside the critical section */

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is out or yields */
        ncrit++;
    ss: assert(ncrit == 1);                   /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);
        ncrit++;
        assert(ncrit == 1);                    /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
•  Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors
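The counting argument on the state-explosion slide and the idea of representatives, made concrete as an added example (not code from the deck or from SPIN). It builds the state graph of n transitions that each fire once, first under full interleaving and then under a reduction that expands, in every state, only an ample subset of the enabled transitions: a single transition that commutes with every other enabled one, when such a transition exists. The independence relation is an input of the example; a real checker derives it from the variables and channels each transition touches. With all transitions independent the reduced graph is a chain of n + 1 states against 2^n states and n! orderings in the full graph; making two transitions dependent shows the reduction keeping both of their orderings.

```python
def all_independent(t, u):
    """Independence relation of the constructed example: every pair of transitions commutes."""
    return True

def conflict_0_1(t, u):
    """Variant in which transitions 0 and 1 are dependent (say, both write one variable)."""
    return {t, u} != {0, 1}

def ample(enabled, independent, reduced):
    """Ample set for this example: one enabled transition that is independent of every
    other enabled transition, otherwise all of them.  Every transition here is invisible,
    stays enabled until it fires, and the graph is acyclic, so this simple rule meets the
    usual ample-set conditions; general systems need the full conditions (no cycle may be
    closed with a transition left postponed forever).  reduced=False expands everything."""
    if not reduced:
        return list(enabled)
    for t in enabled:
        if all(independent(t, u) for u in enabled if u != t):
            return [t]
    return list(enabled)

def explore(n, independent, reduced):
    """State graph of n transitions that each fire exactly once, under interleaving.
    A state is the frozenset of transitions already executed; returns (states, edges)."""
    init = frozenset()
    states, edges, stack = {init}, {}, [init]
    while stack:
        s = stack.pop()
        enabled = [t for t in range(n) if t not in s]
        edges[s] = [(t, s | {t}) for t in ample(enabled, independent, reduced)]
        for _, s2 in edges[s]:
            if s2 not in states:
                states.add(s2)
                stack.append(s2)
    return states, edges

def count_orderings(edges, s=frozenset()):
    """Number of distinct complete executions (paths from s to the final state)."""
    if not edges[s]:
        return 1
    return sum(count_orderings(edges, s2) for _, s2 in edges[s])

if __name__ == "__main__":
    for reduced in (False, True):
        states, edges = explore(4, all_independent, reduced)
        print("reduced" if reduced else "full", len(states), "states,",
              count_orderings(edges), "orderings")
```

Every ordering dropped by the reduction reaches the same final state through the same set of transitions, so a property that does not observe the intermediate ordering gets the same verdict on the reduced graph; that is the "representatives" view on the slide.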

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel; the specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the environment the sub-process runs in
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the model reduced with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property: F(~v1), i.e. v1 will eventually become False

The cone of influence of {v1} is {v1, v2, v3}: v1 reads v2, v2 reads v1 and v3, v3 reads v1 and v2, and nothing in that set reads v4, v5 or v6. The reduced model keeps exactly the assignments of the cone:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End
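Cone-of-influence reduction applied to the program on the slide above, as an added example (not code from the deck). The model is written as a map from each assigned variable to the variables its next-state expression reads; the cone of V is the closure of V under that dependency relation, and the reduced model keeps exactly the assignments of variables in the cone. The step function assumes, as on the slide, that every assignment is the conjunction of the variables it reads (v1 = v2 being a one-input conjunction) and that all assignments fire in parallel; the initial state used below is constructed. Variables with no assignment (v6 here) are free inputs and survive only if something in the cone reads them.

```python
# The slide's system: each assigned variable's next value reads the variables listed.
ASSIGNMENTS = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
    # v6 has no assignment: an unconstrained input
}

def cone_of_influence(assignments, variables):
    """Smallest superset of `variables` closed under 'is read by the assignment of'."""
    cone, worklist = set(variables), list(variables)
    while worklist:
        v = worklist.pop()
        for dep in assignments.get(v, ()):
            if dep not in cone:
                cone.add(dep)
                worklist.append(dep)
    return frozenset(cone)

def reduce_model(assignments, property_vars):
    """Keep only the assignments of variables inside the cone of the property's variables."""
    cone = cone_of_influence(assignments, property_vars)
    return {v: deps for v, deps in assignments.items() if v in cone}

def step(assignments, state):
    """One synchronous step of the 'repeat forever in parallel' program; inputs keep their value."""
    new = {v: all(state[d] for d in deps) for v, deps in assignments.items()}
    return {**state, **new}

def trace_of(assignments, state, var, steps):
    """Values of `var` over the first `steps` states of the run starting in `state`."""
    out = []
    for _ in range(steps):
        out.append(state[var])
        state = step(assignments, state)
    return out

if __name__ == "__main__":
    reduced = reduce_model(ASSIGNMENTS, {"v1"})
    print(sorted(reduced))                         # ['v1', 'v2', 'v3']
    # Constructed initial state; the run of v1 is the same in the full and the reduced model.
    full = {"v1": True, "v2": True, "v3": False, "v4": True, "v5": False, "v6": True}
    small = {v: full[v] for v in reduced}
    print(trace_of(ASSIGNMENTS, full, "v1", 6))
    print(trace_of(reduced, small, "v1", 6))
```

The equality of the two v1 traces for every initial state is what makes the reduction sound for F(~v1): the removed variables never feed back into v1, so they cannot change when, or whether, v1 becomes False.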

Data Abstraction

• Abstraction function h: S → S' maps each concrete state in S to an abstract state in S'

Data Abstraction Example

• Abstraction proceeds component-wise, where the variables are the components
• x: int → {Even, Odd}
  – Odd:  …, -3, -1, 1, 3, …
  – Even: …, -2, 0, 2, 4, …
• y: int → {Neg, Zero, Pos}
  – Pos:  1, 2, 3, …
  – Neg:  …, -3, -2, -1
  – Zero: 0

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of the symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* non-critical, trying, critical */
    byte tok = 1;          /* the token names the process allowed into C (1-based) */

    active [2] proctype user()
    {
        mtype state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based, tok is 1 or 2 */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 reachable states; Xi is the local state of process i, and each row pairs a state with its image under swapping the two processes and renaming the token accordingly):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
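The symmetry reduction of the token model above, as an added example that is not code from the deck, SPIN or PAT. It explores the reachable states of the SPIN model with n processes under interleaving semantics, then repeats the exploration storing only a canonical representative of each state's orbit under process permutations; the token names a process, so a permutation renames it too. The representative chosen here is the lexicographically smallest image over all n! permutations, which is fine for two or three processes but is the expensive part in practice (real tools use cheaper canonicalization or sorting-based approximations). Treating the C → N move and the token reassignment as one atomic step, as the slide's state graph does, is an assumption of the example; with it the counts reproduce the 12 and 6 states shown on the slide.

```python
from itertools import permutations

N, T, C = "N", "T", "C"   # non-critical, trying, critical

def with_local(locs, pid, value):
    return locs[:pid] + (value,) + locs[pid + 1:]

def successors(state, n):
    """Interleaving semantics of the token model: exactly one process moves per step.
    A state is (tuple of local states, tok).  The C -> N move and the nondeterministic
    token reassignment are taken as one atomic step, as in the slide's state graph."""
    locs, tok = state
    for pid, loc in enumerate(locs):
        if loc == N:
            yield with_local(locs, pid, T), tok
        elif loc == T and tok == pid + 1:         # tok is 1-based, pid is 0-based
            yield with_local(locs, pid, C), tok
        elif loc == C:
            for new_tok in range(1, n + 1):
                yield with_local(locs, pid, N), new_tok

def permute(state, perm):
    """Rename process i to perm[i]; tok names a process, so it is renamed as well."""
    locs, tok = state
    new_locs = [None] * len(locs)
    for pid, loc in enumerate(locs):
        new_locs[perm[pid]] = loc
    return tuple(new_locs), perm[tok - 1] + 1

def canonical(state):
    """Orbit representative: the smallest image of the state under all process permutations."""
    n = len(state[0])
    return min(permute(state, p) for p in permutations(range(n)))

def explore(n, symmetry_reduction):
    """Reachable states from (N,...,N, tok=1); with reduction, one state per orbit."""
    rep = canonical if symmetry_reduction else (lambda s: s)
    init = rep(((N,) * n, 1))
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for s2 in successors(s, n):
            s2 = rep(s2)                           # canonicalize before the visited check
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return seen

def mutual_exclusion(states):
    """Safety check: no reachable state has two processes in the critical section."""
    return all(locs.count(C) <= 1 for locs, _ in states)

if __name__ == "__main__":
    for n in (2, 3):
        full, reduced = explore(n, False), explore(n, True)
        print(n, "processes:", len(full), "states,", len(reduced), "orbits,",
              "mutual exclusion:", mutual_exclusion(full) and mutual_exclusion(reduced))
```

Checking a property on the reduced graph is sound only for properties that are themselves symmetric (mutual exclusion is: it does not name a particular process); a property about process 1 alone would have to be checked on the full graph or with a symmetry that fixes process 1.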

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e): if e is continuously enabled from some point on, it occurs infinitely often
• A strong fair event is written as sf(e): if e is enabled infinitely often, it occurs infinitely often

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                              NuSMV-ImProviso                        SPIN
  Example                 states      time     memory       states      time     memory
  Migratory Protocol (2)  155040  108.63 s    56.3 MB       435456    2.34 s    42.8 MB
  Stable Marriage (2)        710    0.84 s     7.3 MB          568   <0.01 s     1.5 MB
  Stable Marriage (3)       1275    2.72 s    10.4 MB          945   <0.01 s     1.5 MB
  Stable Marriage (5)      10351   31.56 s    30.0 MB         8421    0.03 s     2.1 MB
  Best (7)                    15    0.06 s     0.7 MB         2187    0.03 s     1.5 MB
  Best (20)                   41    0.34 s     5.7 MB           NA        NA        NA
  Worst (3)                   15    0.04 s     0.3 MB           15   <0.01 s     1.5 MB
  Worst (20)             2097150    0.36 s     5.0 MB      2097150   15.03 s   110.6 MB
  Worst (100)           2.54E+30   14.34 s    14.6 MB           NA        NA        NA

  NA: no result reported

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Without partial-order reduction (Non-PO): NuSMV vs SPIN

                   NuSMV                              SPIN
  N     states       time      memory        states       time      memory
  2         70     0.11 s      1.1 MB            70    <0.01 s      1.5 MB
  3        488     0.57 s      4.6 MB           488    <0.01 s      1.5 MB
  4       3576     6.77 s     10.6 MB          3576     0.10 s      2.3 MB
  8         NA         NA          NA            NA         NA          NA

  NA: no result reported


Fixpoint Algorithms

bull Key properties of EFp

Model Checking Problem

bull Let M be the state-transition graph obtained from the concurrent system

bull Let f be the specification expressed in temporal logic

M s |= fbull and check if initial states are among these

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A Simple LTL property:

    F (~v1)        -- v1 will eventually become False

Cone of Influence Reduction (the property refers only to v1; v1 depends on v2, v2 on v1 and v3, and v3 on v1 and v2, so the cone of influence is {v1, v2, v3}, the assignment to v3 is retained, and the assignments to v4 and v5 are dropped):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
    End
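The reduction above, carried out mechanically: this is an added example and not code from the slides. It encodes the slide's "repeat forever in parallel" system as synchronous assignments (the dict encoding and the all-valuations-are-initial assumption are mine), computes the cone of influence of v1 as a fixpoint over read-dependencies, builds the reduced model N, and checks that M and N have identical transitions once the state is restricted to the cone, which is why a property over those variables holds in M iff it holds in N.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

# A synchronous model: every assigned variable gets f(old state) in one step;
# unassigned variables (v6 here) keep their value.
Valuation = Dict[str, bool]
Assignments = Dict[str, Callable[[Valuation], bool]]
Deps = Dict[str, Set[str]]

# Constructed encoding of the slide's system (v1 .. v6 are the slide's variables).
VARS: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]
ASSIGN: Assignments = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
}
# Variables read on the right-hand side of each assignment.
DEPS: Deps = {
    "v1": {"v2"},
    "v2": {"v1", "v3"},
    "v3": {"v1", "v2"},
    "v4": {"v5", "v3"},
    "v5": {"v4", "v6"},
}


def cone_of_influence(v_of_interest: Iterable[str], deps: Deps) -> FrozenSet[str]:
    """Smallest C containing the variables of interest such that every variable
    read by the assignment of a member of C is itself in C (fixpoint over DEPS)."""
    cone: Set[str] = set(v_of_interest)
    work = list(cone)
    while work:
        v = work.pop()
        for d in deps.get(v, set()):
            if d not in cone:
                cone.add(d)
                work.append(d)
    return frozenset(cone)


def reduce_model(cone: FrozenSet[str], assign: Assignments) -> Assignments:
    """The reduced model N: keep only the assignments to variables in the cone."""
    return {v: f for v, f in assign.items() if v in cone}


def step(state: Valuation, assign: Assignments) -> Valuation:
    """One 'repeat forever in parallel' step: all right-hand sides read the old state."""
    new = dict(state)
    for v, f in assign.items():
        new[v] = f(state)
    return new


def transitions(variables: List[str], assign: Assignments) -> Set[Tuple[Tuple[bool, ...], Tuple[bool, ...]]]:
    """All (state, next) pairs of the model, treating every valuation as a possible
    initial state (the slide fixes no initial values; this is an assumption)."""
    rel = set()
    for vals in product([False, True], repeat=len(variables)):
        s = dict(zip(variables, vals))
        t = step(s, assign)
        rel.add((tuple(s[v] for v in variables), tuple(t[v] for v in variables)))
    return rel


def projected_transitions(variables: List[str], keep: List[str], assign: Assignments):
    """Transitions of the full model with each state restricted to the variables in `keep`."""
    idx = [variables.index(v) for v in keep]
    return {(tuple(a[i] for i in idx), tuple(b[i] for i in idx))
            for a, b in transitions(variables, assign)}


def reduction_preserves_behaviour(variables: List[str], assign: Assignments,
                                  deps: Deps, v_of_interest: Iterable[str]) -> bool:
    """Restricted to the cone, M and N must have exactly the same transition relation."""
    cone = cone_of_influence(v_of_interest, deps)
    keep = [v for v in variables if v in cone]
    reduced = reduce_model(cone, assign)
    return projected_transitions(variables, keep, assign) == transitions(keep, reduced)


if __name__ == "__main__":
    c = cone_of_influence({"v1"}, DEPS)
    print("cone of influence of v1:", sorted(c))
    print("reduced model keeps:", sorted(reduce_model(c, ASSIGN)))
    print("behaviour on cone preserved:", reduction_preserves_behaviour(VARS, ASSIGN, DEPS, {"v1"}))
```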

Data Abstraction

Abstraction function h: S → S' (figure: each concrete state in S is mapped by h to an abstract state in S'; several concrete states may share the same abstract state)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

x: int → {Even, Odd}
    …, -2, 0, 2, 4, …    ↦ Even
    …, -3, -1, 1, 3, …   ↦ Odd

y: int → {Neg, Zero, Pos}
    …, -3, -2, -1        ↦ Neg
    0                    ↦ Zero
    1, 2, 3, …           ↦ Pos

Symmetry

• Symmetry partitions the state space into equivalence classes

• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };        /* N: non-critical, T: trying, C: critical */
    byte tok = 1;

    active [2] proctype user() {
        mtype state = N;
        do
        :: (state == N) -> state = T
        /* the two active processes have _pid 0 and 1 while the token is numbered
           1 and 2 (as in the state graph), so the process may enter C only when
           tok names it: tok == _pid + 1 */
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
                           if        /* pass the token on nondeterministically */
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State-graph (N = non-critical, T = trying, C = critical; the subscript is the process number):

    N1 N2 tok=1      N1 N2 tok=2
    N1 T2 tok=1      T1 N2 tok=2
    T1 N2 tok=1      N1 T2 tok=2
    T1 T2 tok=1      T1 T2 tok=2
    C1 N2 tok=1      N1 C2 tok=2
    C1 T2 tok=1      T1 C2 tok=2

Reduced state-graph (one representative per equivalence class; swapping the two processes and the token value maps the right-hand column above onto the left-hand column):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
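The two state graphs above, enumerated from the SPIN model: an added example, not code from the slides. It assumes the global state encoding (state of process 1, state of process 2, tok) and interleaving semantics; the symmetry is the swap of the two processes together with the token value, and the representative of each class is the state with tok == 1, which reproduces the reduced graph on the slide.

```python
from typing import Callable, List, Set, Tuple

# Constructed encoding of a global state of the slide's model:
# (state of process 1, state of process 2, tok), process states in {"N", "T", "C"}.
State = Tuple[str, str, int]
INIT: State = ("N", "N", 1)


def successors(s: State) -> List[State]:
    """Interleaving semantics: exactly one of the two processes takes one step of
    its 'do' loop.  The process with 0-based index i may enter C only while
    tok == i + 1, i.e. while the token names it as process 1 or 2."""
    out: List[State] = []
    for i in (0, 1):
        local = list(s[:2])
        tok = s[2]
        if local[i] == "N":
            local[i] = "T"
            out.append((local[0], local[1], tok))
        elif local[i] == "T" and tok == i + 1:
            local[i] = "C"
            out.append((local[0], local[1], tok))
        elif local[i] == "C":
            local[i] = "N"
            for new_tok in (1, 2):           # 'if :: tok = 1 :: tok = 2 fi'
                out.append((local[0], local[1], new_tok))
    return out


def swap(s: State) -> State:
    """The symmetry of the model: exchange the two processes and renumber the token."""
    return (s[1], s[0], 3 - s[2])


def representative(s: State) -> State:
    """One state per equivalence class {s, swap(s)}: the member holding tok == 1."""
    return s if s[2] == 1 else swap(s)


def explore(init: State, canon: Callable[[State], State] = lambda s: s) -> Set[State]:
    """Depth-first enumeration.  With canon=representative only one state per
    class is stored and expanded: the symmetry-reduced search."""
    start = canon(init)
    seen = {start}
    stack = [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            c = canon(t)
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def full_state_graph() -> Set[State]:
    return explore(INIT)


def reduced_state_graph() -> Set[State]:
    return explore(INIT, representative)


def mutual_exclusion_holds(states: Set[State]) -> bool:
    """Safety property for which checking the reduced graph is sufficient."""
    return not any(s[0] == "C" and s[1] == "C" for s in states)


if __name__ == "__main__":
    full, reduced = full_state_graph(), reduced_state_graph()
    print(len(full), "states;", len(reduced), "after symmetry reduction")
    print("mutual exclusion:", mutual_exclusion_holds(reduced))
```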

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking for process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states     time       memory       states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB      435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB       568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB      945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB      8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB       2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB       N/A (1)
Worst (3)                 15         0.04s      0.3 MB       15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB       2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB      N/A (1)

(1) N/A: the tool did not handle this instance.

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison Leader Election Protocol

Non-PO (no partial order reduction): NuSMV vs SPIN

n     NuSMV                              SPIN
      states    time       memory        states    time       memory
2     70        0.11s      1.1 MB        70        <0.01s     1.5 MB
3     488       0.57s      4.6 MB        488       <0.01s     1.5 MB
4     3576      6.77s      10.6 MB       3576      0.10s      2.3 MB
8     N/A (1)                            N/A (1)

PO (with partial order reduction): NuSMV-ImProviso vs SPIN

n     NuSMV-ImProviso                    SPIN
      states    time       memory        states    time       memory
2     48        0.10s      1.0 MB        48        0.02s      1.5 MB
3     209       0.31s      3.0 MB        209       <0.01s     1.5 MB
4     922       1.77s      10.4 MB       922       <0.01s     1.7 MB
8     306903    3553.86s   381.8 MB      306903    11.82s     232.8 MB

(1) N/A: the tool did not handle this instance.

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally, Spin is faster than NuSMV and scales to larger state spaces. The partial order reduction in Spin is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs on some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Model Checking Problem

• Let M be the state-transition graph obtained from the concurrent system.

• Let f be the specification expressed in temporal logic.

• Find all states s of M such that M, s |= f, and check whether the initial states are among these.

Symbolic Model Checking

• Method used by most "industrial strength" model checkers
  – uses Boolean encoding for the state machine and for sets of states
  – can handle much larger designs – hundreds of state variables
  – BDDs traditionally used to represent Boolean functions

Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987.

• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre.

• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches).

Ordered Binary Decision Trees and Diagrams

• Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below.

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering.

• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below.

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T will be given as a Boolean formula in terms of the state variables
  – where v1, …, vn represents the current state and v'1, …, v'n represents the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically

• Boolean formula for the transition relation

• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs

• Introduce state variables

• Now compute the sequence

• until convergence

Problems with BDDs

• BDDs are a canonical representation. They often become too large.

• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists

• Next we describe an alternative approach to symbolic model checking that uses SAT procedures.

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms

• Do not suffer from the potential space explosion of BDDs

• Can handle functions with s to s of variables

• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs.

• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine.

• We look for longer and longer paths by incrementing the bound k.

• After some number of iterations we may conclude that no such path exists and the specification holds.

• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine.

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures.

• It finds finite paths of minimal length. This helps the user understand the example more easily.

• It uses much less space than BDD-based approaches.

• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient.

NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language

• Specifications expressible in CTL, LTL

• Provides both BDD- and SAT-based model checking

• Allows user-specified variable ordering

• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula f
  – All traces of M must satisfy f
  – If a trace of M does not satisfy f
    • Counterexample
  – The set of traces of M
  – The set of traces that satisfy f

• Every trace of M must be among the traces that satisfy f (the first set is contained in the second)

• Equivalently, no trace of M satisfies ¬f (the traces of M and the traces satisfying ¬f are disjoint)

Buumlchi Automata

• Automaton which accepts infinite traces

• A Büchi automaton is a 4-tuple consisting of S, I, a transition relation and F:
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

Büchi automaton with states S0, S1, S2 (figure not recoverable); three infinite runs and their verdicts:

    run 1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
    run 2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
    run 3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Buumlchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula

• Büchi Automaton
  – Accepts a set of infinite traces

• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula f
  – Build the Büchi automaton B¬f for the negated formula
  – Compute the product of M and B¬f
    • Each state of M is labeled with propositions
    • Each state of B¬f is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬f (traces of M that satisfy ¬f)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton

• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
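The LTL model checking loop of the preceding slides, run end to end: an added example, not code from the deck. The model, the Büchi automaton for ¬f (f = F q, so B¬f accepts traces on which q never holds) and the label-guarded product construction are all constructed here; the two searches follow DFS/DFS2 above, with DFS2 started post-order from each accepting product state, which is equivalent to the slide's "DFS2(s', s') after DFS(s')" and also covers an accepting initial state.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Label = FrozenSet[str]
# Kripke model: state -> (atomic propositions true there, successor states).
Model = Dict[str, Tuple[Label, List[str]]]
# Büchi automaton: (initial states, transitions (src, guard on a model label, dst), accepting states).
Guard = Callable[[Label], bool]
Buchi = Tuple[List[str], List[Tuple[str, Guard, str]], FrozenSet[str]]
ProductState = Tuple[str, str]

# Constructed automaton for the negation of f = F q, i.e. G not q: it stays in its
# only (accepting) state for as long as q does not hold.
NOT_EVENTUALLY_Q: Buchi = (["a"], [("a", lambda lab: "q" not in lab, "a")], frozenset({"a"}))

# Constructed model with a q-free loop s0 -> s1 -> s0, so F q is violated.
LOOP_MODEL: Model = {
    "s0": (frozenset(), ["s1"]),
    "s1": (frozenset({"p"}), ["s0", "s2"]),
    "s2": (frozenset({"q"}), ["s2"]),
}
# Constructed model where every path reaches s2 (where q holds), so F q is satisfied.
SAFE_MODEL: Model = {
    "s0": (frozenset(), ["s1"]),
    "s1": (frozenset({"p"}), ["s2"]),
    "s2": (frozenset({"q"}), ["s2"]),
}


def product_initial(model: Model, buchi: Buchi, init: Tuple[str, ...]) -> List[ProductState]:
    """Initial product states: B reads the label of each initial model state."""
    inits, trans, _ = buchi
    return [(s0, dst) for s0 in init for q0 in inits
            for src, guard, dst in trans if src == q0 and guard(model[s0][0])]


def product_successors(model: Model, buchi: Buchi, ps: ProductState) -> List[ProductState]:
    """On-the-fly product: (s, q) -> (s', q') iff s -> s' in M and q -> q' in B
    on the label of s' ("match states with the same labels")."""
    s, q = ps
    _, trans, _ = buchi
    return [(s_next, dst) for s_next in model[s][1]
            for src, guard, dst in trans if src == q and guard(model[s_next][0])]


def nested_dfs(model: Model, buchi: Buchi, init: Tuple[str, ...] = ("s0",)
               ) -> Optional[Tuple[List[ProductState], List[ProductState]]]:
    """Return a counterexample lasso (prefix ending at an accepting product state,
    cycle leading back to it) if M x B accepts some trace, else None.
    visited2 is shared by all second searches; that is what keeps the whole
    procedure linear in the size of the product."""
    accepting = buchi[2]
    visited, visited2 = set(), set()
    path: List[ProductState] = []

    def dfs2(s: ProductState, seed: ProductState, cycle: List[ProductState]):
        visited2.add(s)
        for t in product_successors(model, buchi, s):
            if t == seed:
                return cycle + [t]                  # closed a cycle through the seed
            if t not in visited2:
                found = dfs2(t, seed, cycle + [t])
                if found:
                    return found
        return None

    def dfs(s: ProductState):
        visited.add(s)
        path.append(s)
        for t in product_successors(model, buchi, s):
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
        if s[1] in accepting:                       # post-order: second search from s
            cycle = dfs2(s, s, [])
            if cycle:
                return (list(path), cycle)
        path.pop()
        return None

    for s0 in product_initial(model, buchi, init):
        if s0 not in visited:
            found = dfs(s0)
            if found:
                return found
    return None


if __name__ == "__main__":
    print("LOOP_MODEL |= F q ?", nested_dfs(LOOP_MODEL, NOT_EVENTUALLY_Q))
    print("SAFE_MODEL |= F q ?", nested_dfs(SAFE_MODEL, NOT_EVENTUALLY_Q))
```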

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly

• Some states are not generated in the product

• A counterexample can be found before searching all states

• Easy to optimize

• Better support for asynchronous composition

SPIN

• Explicit State Model Checker

• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings

• Nested Depth First Search

• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)

• Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until the guard holds */
        ncrit++;
    ss:
        assert(ncrit == 1);                    /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until the guard holds */
        ncrit++;
        assert(ncrit == 1);                    /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.

• The ordering between independent transitions is largely meaningless.

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem.

• To see this, consider n transitions that can be executed concurrently.

• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions).

• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states.

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched.

• It exploits the commutativity of concurrently executed transitions which result in the same state.

• Thus, this reduction technique is best suited for asynchronous systems.

• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Symbolic Model Checking

bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

of statesndash can handle much larger designs ndash hundreds of

state variablesndash BDDs traditionally used to represent Boolean

functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

procedure DFS(s)
    visited = visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detected"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
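The Büchi example and the two DFS procedures above, implemented as an added example (not code from the slides). The automaton's transition relation is an assumption chosen to agree with the three traces on the Example slide, since the slide's figure is not available; the LTL-to-Büchi translation and the product with M are not part of this block.

```python
"""Büchi acceptance of ultimately periodic traces and nested depth-first search.

Added example, not code from the slides.  The automaton is constructed (an
assumption) so that it agrees with the Example slide: S2 is the only accepting
state, trace 1 and trace 2 visit S2 infinitely often, trace 3 eventually stays
in S1 and is rejected.
"""
from typing import Dict, List, Optional, Set, Tuple

State = str
Delta = Dict[State, List[State]]          # successor lists
Lasso = Tuple[List[State], List[State]]   # (finite prefix, loop repeated forever)

# Constructed automaton consistent with the three traces on the slide.
DELTA: Delta = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]}
INITIAL: Set[State] = {"S0"}
ACCEPTING: Set[State] = {"S2"}


def accepts_lasso(delta: Delta, accepting: Set[State],
                  prefix: List[State], loop: List[State]) -> bool:
    """prefix.loop^omega is accepted iff every step is a transition of the
    automaton and the loop (the part visited infinitely often) contains an
    accepting state."""
    path = prefix + loop + [loop[0]]          # the loop closes on its first state
    if all(b in delta.get(a, []) for a, b in zip(path, path[1:])):
        return any(s in accepting for s in loop)
    return False


class NestedDFS:
    """DFS / DFS2 from the slides, with bookkeeping so the accepting cycle that
    is found can be reported as a lasso (the counterexample)."""

    def __init__(self, delta: Delta, initial: Set[State], accepting: Set[State]):
        self.delta, self.initial, self.accepting = delta, initial, accepting
        self.visited: Set[State] = set()       # states seen by the outer search
        self.visited2: Set[State] = set()      # states seen by any inner search
        self.path: List[State] = []            # current outer DFS path
        self.counterexample: Optional[Lasso] = None

    def search(self) -> Optional[Lasso]:
        for s in sorted(self.initial):
            if s not in self.visited and self.counterexample is None:
                self.dfs(s)
        return self.counterexample

    def dfs(self, s: State) -> None:
        self.visited.add(s)
        self.path.append(s)
        for t in self.delta.get(s, []):
            if self.counterexample is not None:
                break
            if t not in self.visited:
                self.dfs(t)
                # Post-order: after everything below an accepting state has been
                # explored, start the second search looking for a cycle back to it.
                if t in self.accepting and self.counterexample is None:
                    self.dfs2(t, t, [])
        self.path.pop()

    def dfs2(self, s: State, seed: State, loop: List[State]) -> bool:
        self.visited2.add(s)
        for t in self.delta.get(s, []):
            if t == seed:
                # Cycle detected: the outer path leads to seed, then the loop repeats.
                self.counterexample = (list(self.path), loop + [s])
                return True
            if t not in self.visited2 and self.dfs2(t, seed, loop + [s]):
                return True
        return False


def find_accepting_cycle(delta: Delta, initial: Set[State],
                         accepting: Set[State]) -> Optional[Lasso]:
    """Run nested DFS; a result means the automaton accepts some infinite trace
    (for a product with B¬φ, that trace is the counterexample to φ)."""
    return NestedDFS(delta, initial, accepting).search()


if __name__ == "__main__":
    traces = [(["S0", "S1"], ["S2"]), (["S0", "S1"], ["S2", "S1"]),
              (["S0", "S1", "S2"], ["S1"])]
    for n, (prefix, loop) in enumerate(traces, 1):
        verdict = accepts_lasso(DELTA, ACCEPTING, prefix, loop)
        print(f"trace {n}:", "ACCEPTED" if verdict else "REJECTED")
    print("accepting cycle:", find_accepting_cycle(DELTA, INITIAL, ACCEPTING))
```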

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
– Asynchronous composition of independent processes
– Communication using channels and global variables
– Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed to enter */
    ncrit++;
ss:
    assert(ncrit == 1);   /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed to enter */
    ncrit++;
    assert(ncrit == 1);   /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
– Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
– Verify each sub-process separately by adding assumptions on the other sub-processes
– Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
– E.g. infinite state → finite state approximation
• Disadvantage
– Loss of precision: false positives/negatives
• Approaches
– Cone of influence reduction
– Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A Simple LTL property

(F (~ v1))    v1 will eventually become False

Cone of Influence Reduction

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
End
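The reduction on the slide carried out mechanically, as an added example (not code from the slides): the cone of v1 is computed from the dependency relation of the equations, the reduced model keeps only the equations of variables in the cone, and the check at the end is why <f, M> and <f, N> agree. Treating the unassigned v6 as an input that keeps its value is an assumption.

```python
"""Cone of influence reduction applied to the synchronous Boolean model above.

Added example, not from the slides.  The model is transcribed as {variable:
right-hand side}; v6 is declared but never assigned, so it is treated as an
input that keeps its value (an assumption).  The cone of influence of the
property's variables is the least set closed under "appears on the right-hand
side of", and the reduced model keeps exactly the equations of those variables.
"""
from itertools import product
from typing import Dict, Iterable, List, Set

MODEL: Dict[str, str] = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}
VARIABLES: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]
PROPERTY_VARS: Set[str] = {"v1"}           # F(~v1) refers only to v1

Valuation = Dict[str, bool]


def dependencies(rhs: str) -> Set[str]:
    """Variables read by a right-hand side (a conjunction of possibly negated variables)."""
    return {term.strip().lstrip("~").strip() for term in rhs.split("&")}


def cone_of_influence(model: Dict[str, str], roots: Iterable[str]) -> Set[str]:
    cone: Set[str] = set()
    worklist = list(roots)
    while worklist:
        v = worklist.pop()
        if v not in cone:
            cone.add(v)
            if v in model:
                worklist.extend(dependencies(model[v]) - cone)
    return cone


def reduce_model(model: Dict[str, str], roots: Iterable[str]) -> Dict[str, str]:
    cone = cone_of_influence(model, roots)
    return {v: rhs for v, rhs in model.items() if v in cone}


def evaluate(rhs: str, state: Valuation) -> bool:
    value = True
    for term in rhs.split("&"):
        term = term.strip()
        negated = term.startswith("~")
        value = value and (state[term.lstrip("~").strip()] != negated)
    return value


def step(model: Dict[str, str], state: Valuation) -> Valuation:
    """Synchronous step: all equations fire at once on the old values; variables
    without an equation keep theirs."""
    new = dict(state)
    for v, rhs in model.items():
        new[v] = evaluate(rhs, state)
    return new


def eventually_false(model: Dict[str, str], state: Valuation, var: str) -> bool:
    """Decide F(~var) on the deterministic run from state: the run is eventually
    periodic, so states up to the first repetition suffice."""
    seen = set()
    key = tuple(sorted(state.items()))
    while key not in seen:
        if not state[var]:
            return True
        seen.add(key)
        state = step(model, state)
        key = tuple(sorted(state.items()))
    return False


def reduction_is_faithful(model: Dict[str, str], variables: List[str],
                          roots: Iterable[str], steps: int = 8) -> bool:
    """For every initial valuation, the full model projected onto the cone equals
    the reduced model run from the same cone values; any LTL formula over the
    roots therefore has the same truth value in M and in N."""
    cone = cone_of_influence(model, roots)
    reduced = reduce_model(model, roots)
    for values in product([False, True], repeat=len(variables)):
        full = dict(zip(variables, values))
        small = {v: full[v] for v in cone}
        for _ in range(steps):
            if {v: full[v] for v in cone} != small:
                return False
            full, small = step(model, full), step(reduced, small)
    return True
```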

Data Abstraction

Abstraction function h: S → S'  (figure: h maps each concrete state in S to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int   Even: … -2 0 2 4 …    Odd: … -3 -1 1 3 …
y: int   Neg: … -3 -2 -1    Zero: 0    Pos: 1 2 3 …

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
– Symmetry detection
– Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* symbolic names for the process locations */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State-graph (each state: location of user 1, location of user 2, tok):
N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2,
T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2

Reduced state-graph (one representative per equivalence class):
N1 N2 tok=1, N1 T2 tok=1, T1 N2 tok=1, T1 T2 tok=1, C1 N2 tok=1, C1 T2 tok=1


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
– Extended CSP (Communicating Sequential Processes)
– LTL
• Model Checkers
– Explicit Model Checker
– Bounded Model Checker
• Features
– Handles fairness with partial order reduction
– Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                    SPIN
                         states     time      memory        states     time      memory
Migratory Protocol (2)   155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
Stable Marriage (2)      710        0.84s     7.3 MB        568        <0.01s    1.5 MB
Stable Marriage (3)      1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
Stable Marriage (5)      10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
Best (7)                 15         0.06s     0.7 MB        2187       0.03s     1.5 MB
Best (20)                41         0.34s     5.7 MB        N/A¹
Worst (3)                15         0.04s     0.3 MB        15         <0.01s    1.5 MB
Worst (20)               2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
Worst (100)              2.54E+30   14.34s    14.6 MB       N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO             NuSMV                          SPIN
                   states    time      memory     states    time      memory
2                  70        0.11s     1.1 MB     70        <0.01s    1.5 MB
3                  488       0.57s     4.6 MB     488       <0.01s    1.5 MB
4                  3576      6.77s     10.6 MB    3576      0.10s     2.3 MB
8                  N/A¹                           N/A¹

PO                 NuSMV-ImProviso                SPIN
                   states    time      memory     states    time      memory
2                  48        0.10s     1.0 MB     48        0.02s     1.5 MB
3                  209       0.31s     3.0 MB     209       <0.01s    1.5 MB
4                  922       1.77s     10.4 MB    922       <0.01s    1.7 MB
8                  306903    3553.86s  381.8 MB   306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Equivalences and Pre-orders between Structures
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Various optimization techniques
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
– Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
– MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
– Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
– Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
– Explicit Model Checking
– Benefits
• Better support for asynchronous communication
• Better control of optimization techniques
• Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
– Abstraction
– Compositional Reasoning
– Symmetry


Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987
• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre
• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
– Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
– The transition relation T will be given as a Boolean formula in terms of the state variables
– where v1, …, vn represents the current state and v'1, …, v'n represents the next state
– Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for the transition relation
• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence
• until convergence

Problems with BDDs

• BDDs are a canonical representation. They often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
– Often time consuming or needs manual intervention
– Sometimes no space efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with s to s of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the example more easily
• It uses much less space than BDD based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD and SAT based model checking
• Allows user specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
– All traces of M must satisfy φ
– If a trace of M does not satisfy φ
• Counterexample
– M is the set of traces of M
– is the set of traces that satisfy φ
• M
• Equivalently M ¬ =

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Ordered Binary Decision Trees and Diagrams

bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with large numbers of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine
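The procedure above, as an added example that is not from the slides: the transition relation is unrolled k steps into the formula I(s0) ∧ T(s0,s1) ∧ … ∧ T(s_{k-1},s_k) ∧ ¬P(s_k), and a satisfying assignment is a counterexample path. The SAT procedure is replaced by brute-force enumeration over a constructed 3-bit machine, and the reachability diameter is computed so that the search can stop with a proof.

```python
# Added example (not from the slides): bounded model checking by unrolling the
# transition relation k steps. The SAT solver is replaced by brute-force
# enumeration over a constructed 3-bit machine.
import itertools


def bmc(n_bits, init, trans, bad, max_k):
    """Return (k, path) for the shortest path s0..sk that starts in an initial
    state, follows trans at every step and ends in a bad state, with k <= max_k;
    return None if no such path exists within the bound."""
    states = list(itertools.product((0, 1), repeat=n_bits))
    for k in range(max_k + 1):
        # One candidate model = one assignment to the k+1 copies of the state bits,
        # i.e. one candidate for  I(s0) & T(s0,s1) & ... & T(s_{k-1},s_k) & !P(s_k).
        for path in itertools.product(states, repeat=k + 1):
            if not (init(path[0]) and bad(path[-1])):
                continue
            if all(trans(path[i], path[i + 1]) for i in range(k)):
                return k, path
    return None


def diameter(n_bits, init, trans):
    """Reachability diameter: the BFS depth at which no new state appears.
    If BMC finds no path up to this bound, the safety property holds."""
    states = list(itertools.product((0, 1), repeat=n_bits))
    frontier = {s for s in states if init(s)}
    seen, depth = set(frontier), 0
    while True:
        new = {t for s in frontier for t in states if trans(s, t)} - seen
        if not new:
            return depth
        seen |= new
        frontier, depth = new, depth + 1


# Constructed machine: bits (c0, c1) form a 2-bit counter that wraps modulo 4,
# bit 2 is a flag that the transition relation never sets.
def counter(s):
    return s[0] + 2 * s[1]

def init(s):
    return counter(s) == 0 and s[2] == 0

def trans(s, t):
    return counter(t) == (counter(s) + 1) % 4 and t[2] == s[2]

def reaches_three(s):   # violation of the property G(counter != 3)
    return counter(s) == 3

def flag_set(s):        # violation of the property G(flag == 0)
    return s[2] == 1


if __name__ == "__main__":
    print(bmc(3, init, trans, reaches_three, 5))   # counterexample of length 3
    d = diameter(3, init, trans)                    # 3
    print(d, bmc(3, init, trans, flag_set, d))      # None: G(flag == 0) holds
```

The first property fails and the shortest violating path is found at k = 3; the second property has no counterexample up to the diameter, which is the bound the slide mentions for safety properties.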

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the example more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, it is a counterexample
• L(M) is the set of traces of M
• L(φ) is the set of traces that satisfy φ
• M satisfies φ iff L(M) ⊆ L(φ)
• Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, Δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – Δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States: S0, S1, S2

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (L(M) ∩ L(¬φ))
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detect"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
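The acceptance condition from the Büchi example and the nested depth-first search above, as an added Python example that is not part of the slides. The automaton is reconstructed from the three traces on the Example slide (they force S2 to be accepting and S1 not); its transition relation is an assumption consistent with those traces, not the lost figure. On the product of M and B¬φ the same search returns the counterexample as a lasso: a finite prefix followed by a cycle through an accepting state. One addition to the slide's procedure is also seeding DFS2 at an accepting initial state, which the loop over successors never visits.

```python
# Added example (not from the slides): Büchi acceptance for lasso-shaped runs
# and the nested depth-first search of the slides. The automaton below is an
# assumption consistent with the three traces on the Example slide.

class Buchi:
    def __init__(self, states, initial, delta, accepting):
        self.states = list(states)
        self.initial = list(initial)
        self.delta = {s: list(delta.get(s, ())) for s in states}   # ordered successors
        self.accepting = set(accepting)

    def accepts_lasso(self, prefix, cycle):
        """prefix . cycle^omega is accepted iff it is a run of the automaton and
        the cycle visits an accepting state (which is then seen infinitely often)."""
        run = list(prefix) + list(cycle) + [cycle[0]]   # close the cycle once
        if run[0] not in self.initial:
            return False
        if any(b not in self.delta[a] for a, b in zip(run, run[1:])):
            return False
        return any(s in self.accepting for s in cycle)


def nested_dfs(aut):
    """Return (prefix, cycle) of an accepting cycle, or None. DFS explores the
    graph; after backtracking from an accepting state s', DFS2 seeded with s'
    looks for a path back to s', which closes an accepting cycle."""
    visited, visited2, stack = set(), set(), []

    def dfs2(s, seed):
        visited2.add(s)
        for t in aut.delta[s]:
            if t == seed:
                return [s]                  # the slide's "Cycle Detect"
            if t not in visited2:
                tail = dfs2(t, seed)
                if tail is not None:
                    return [s] + tail
        return None

    def check_accepting(t):
        # The slide's "if s' is accepting then DFS2(s', s')", run after DFS(s').
        if t in aut.accepting:
            cycle = dfs2(t, t)
            if cycle is not None:
                return list(stack), cycle   # stack: path from an initial state to t's parent
        return None

    def dfs(s):
        visited.add(s)
        stack.append(s)
        for t in aut.delta[s]:
            if t not in visited:
                found = dfs(t) or check_accepting(t)
                if found is not None:
                    return found
        stack.pop()
        return None

    for s0 in aut.initial:
        if s0 not in visited:
            # Also seed DFS2 at an accepting initial state (not covered by the
            # slide's loop over successors).
            found = dfs(s0) or check_accepting(s0)
            if found is not None:
                return found
    return None


# Reconstructed from the Example slide: S2 accepting, S1 not; transitions assumed.
EXAMPLE = Buchi(states=["S0", "S1", "S2"], initial=["S0"],
                delta={"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]},
                accepting=["S2"])

if __name__ == "__main__":
    print(EXAMPLE.accepts_lasso(["S0", "S1"], ["S2"]))         # trace 1: True
    print(EXAMPLE.accepts_lasso(["S0", "S1"], ["S2", "S1"]))   # trace 2: True
    print(EXAMPLE.accepts_lasso(["S0", "S1", "S2"], ["S1"]))   # trace 3: False
    print(nested_dfs(EXAMPLE))                                 # (['S0', 'S1'], ['S2'])
```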

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system; can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until it is safe to enter */
        ncrit++;
    ss:
        assert(ncrit == 1);   /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until it is safe to enter */
        ncrit++;
        assert(ncrit == 1);   /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states
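The counting argument above, run as a small explicit-state search. This is an added example, not code from the slides: n processes each perform one local, independent transition (setting their own flag); exploring every interleaving generates 2^n states, while expanding only one representative transition per state generates n + 1. Choosing the lowest-numbered enabled transition is a valid ample set here only because the transitions are independent of each other and invisible to the property; a real partial order reduction has to check those conditions per state.

```python
# Added example (not from the slides): full interleaving versus a reduced
# exploration for n independent local transitions.

def enabled(state):
    """Transition i is enabled while process i has not executed it yet."""
    return [i for i, done in enumerate(state) if not done]


def explore(n, reduce=False):
    """Breadth-first search over states (a tuple of n flags); returns the number
    of states generated. With reduce=True only the lowest-numbered enabled
    transition is expanded in each state (one representative ordering)."""
    init = (False,) * n
    seen, frontier = {init}, [init]
    while frontier:
        nxt = []
        for s in frontier:
            choices = enabled(s)
            if reduce and choices:
                choices = choices[:1]
            for i in choices:
                t = s[:i] + (True,) + s[i + 1:]
                if t not in seen:
                    seen.add(t)
                    nxt.append(t)
        frontier = nxt
    return len(seen)


def orderings(n):
    """Number of distinct interleavings of n independent transitions: n!."""
    return 1 if n <= 1 else n * orderings(n - 1)


if __name__ == "__main__":
    for n in (3, 6):
        print(n, orderings(n), explore(n), explore(n, reduce=True))
        # n! orderings, 2^n states in full, n + 1 states reduced
```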

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions, which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the sub-processes it interacts with
  – Combine the assumed and guaranteed properties to show the correctness of the whole (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g., infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A Simple LTL property

    (F (~ v1))    v1 will eventually become False

Cone of Influence Reduction (model reduced with respect to the cone of v1)

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
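Computing the cone for the slide's system, as an added example that is not code from the slides. The dependency table is read off the assignments above; v6 is never assigned, so it is a free input. The reduced model produced here keeps every assignment whose variable is in the cone, including v3 = v1 & v2, because v2 reads v3 and the cone must be closed under that dependency.

```python
# Added example (not from the slides): cone of influence of the six-variable
# system on the slide, and the projection of the model onto that cone.

SLIDE_MODEL = {            # variable -> variables its next value depends on
    "v1": ["v2"],
    "v2": ["v1", "v3"],
    "v3": ["v1", "v2"],
    "v4": ["v5", "v3"],
    "v5": ["v4", "v6"],    # v6 is never assigned: a free input
}


def cone_of_influence(model, observed):
    """Smallest set that contains `observed` and is closed under
    'v depends on w', followed transitively."""
    cone = set(observed)
    work = list(observed)
    while work:
        v = work.pop()
        for w in model.get(v, ()):   # inputs have no dependencies of their own
            if w not in cone:
                cone.add(w)
                work.append(w)
    return cone


def reduce_model(model, observed):
    """Keep only the assignments of variables in the cone. Everything those
    assignments read is also in the cone, so the reduced model is closed."""
    cone = cone_of_influence(model, observed)
    return {v: deps for v, deps in model.items() if v in cone}


if __name__ == "__main__":
    # The property F(~v1) refers only to v1.
    print(sorted(cone_of_influence(SLIDE_MODEL, ["v1"])))   # ['v1', 'v2', 'v3']
    print(reduce_model(SLIDE_MODEL, ["v1"]))
    # A property over v4 pulls in the whole system, so nothing is saved.
    print(sorted(cone_of_influence(SLIDE_MODEL, ["v4"])))   # v1 .. v6
```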

Data Abstraction

Abstraction Function h: S → S'

(figure: several concrete states of S are mapped by h onto a single abstract state of S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x:int → {Even, Odd}
        Even = {…, -2, 0, 2, 4, …}
        Odd  = {…, -3, -1, 1, 3, …}

    y:int → {Neg, Zero, Pos}
        Neg  = {…, -3, -2, -1}
        Zero = {0}
        Pos  = {1, 2, 3, …}
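The sign abstraction above applied to a finite concrete system, as an added example (not from the slides) that also shows the loss of precision mentioned on the Abstraction slide. The concrete system is constructed: an integer x over -3..3 that increments and wraps from 3 back to -3. The abstract transition relation is the existential one: a → a' whenever some concrete state mapped to a steps to a state mapped to a'.

```python
# Added example (not from the slides): existential data abstraction with the
# sign abstraction Neg / Zero / Pos, on a constructed wrap-around counter.

def h(x):
    """Abstraction function h: S -> S' for one int component."""
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


CONCRETE_STATES = range(-3, 4)      # constructed: x in -3..3


def concrete_step(x):
    return x + 1 if x < 3 else -3


def abstract_transitions(states, step, h):
    """Existential abstraction: a -> a' iff some concrete x with h(x) = a
    steps to an x' with h(x') = a'."""
    rel = {}
    for x in states:
        rel.setdefault(h(x), set()).add(h(step(x)))
    return rel


def abstract_can_stay_in(rel, start, allowed):
    """EG allowed on the abstract model: greatest fixpoint of the states in
    `allowed` that still have a successor inside the set."""
    z = set(allowed)
    while True:
        z_next = {a for a in z if rel.get(a, set()) & z}
        if z_next == z:
            return start in z
        z = z_next


def concrete_eventually_nonneg(states, step):
    """F(x >= 0) on the concrete model: every state reaches x >= 0 within
    |states| steps."""
    for x in states:
        y, steps = x, 0
        while y < 0 and steps <= len(states):
            y, steps = step(y), steps + 1
        if y < 0:
            return False
    return True


if __name__ == "__main__":
    rel = abstract_transitions(CONCRETE_STATES, concrete_step, h)
    print(rel)   # Neg -> {Neg, Zero}, Zero -> {Pos}, Pos -> {Pos, Neg}
    # Loss of precision: the abstract self-loop Neg -> Neg admits a run that
    # stays negative forever, a counterexample to F(x >= 0) with no concrete
    # counterpart (a spurious counterexample).
    print(abstract_can_stay_in(rel, "Neg", {"Neg"}))                  # True
    print(concrete_eventually_nonneg(CONCRETE_STATES, concrete_step))  # True
```

The abstraction is sound for universal properties: anything proved on the abstract model holds concretely. The reverse direction fails, which is exactly the false negative the slide warns about, and it is why abstraction refinement loops check whether an abstract counterexample is concretely realisable.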

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    #define N 0
    #define T 1
    #define C 2

    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1, tok is 1 or 2 */
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

State graph (12 states; each written as the two process states followed by the token holder; the transitions of the figure were not recovered):

    N1 N2, tok=1      N1 N2, tok=2
    N1 T2, tok=1      T1 N2, tok=2
    T1 N2, tok=1      N1 T2, tok=2
    T1 T2, tok=1      T1 T2, tok=2
    C1 N2, tok=1      N1 C2, tok=2
    C1 T2, tok=1      T1 C2, tok=2

Reduced state graph (6 states; each row above collapses to its tok=1 representative under the symmetry that swaps the two processes together with the token values):

    N1 N2, tok=1
    N1 T2, tok=1
    T1 N2, tok=1
    T1 T2, tok=1
    C1 N2, tok=1
    C1 T2, tok=1
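Exploring the token model with and without symmetry reduction, as an added Python example that is not part of the slides. Two assumptions are made so that the 12-state graph above is reproduced: process i enters C when tok == i + 1 (process ids 0/1 against token values 1/2), and leaving C together with choosing the next token holder is one step. The symmetry is the permutation that swaps the two processes and relabels the token; canonicalising every generated state to its orbit representative before the visited check is what "search only 1 state per equivalence class" amounts to.

```python
# Added example (not from the slides): explicit-state exploration of the
# two-process token model, with and without symmetry reduction.
N, T, C = "N", "T", "C"


def successors(state):
    """Interleaving semantics: one process moves per step. A state is
    (state of process 0, state of process 1, tok)."""
    p, tok = list(state[:2]), state[2]
    out = []
    for i in (0, 1):
        q = p[:]
        if p[i] == N:
            q[i] = T
            out.append((q[0], q[1], tok))
        elif p[i] == T and tok == i + 1:        # assumption: pid i holds token i + 1
            q[i] = C
            out.append((q[0], q[1], tok))
        elif p[i] == C:
            q[i] = N
            for new_tok in (1, 2):              # the nondeterministic if :: tok = 1 :: tok = 2 fi
                out.append((q[0], q[1], new_tok))
    return out


def swap(state):
    """The symmetry: exchange the two processes and relabel the token to match."""
    p0, p1, tok = state
    return (p1, p0, 3 - tok)


def canonical(state):
    """Representative of the orbit {state, swap(state)}: the smaller tuple."""
    return min(state, swap(state))


def reachable_states(symmetry=False):
    """Depth-first exploration; with symmetry=True each generated state is
    replaced by its orbit representative before the visited check."""
    rep = canonical if symmetry else (lambda s: s)
    init = rep((N, N, 1))
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutual_exclusion(states):
    """Safety property of the token model: never both processes in C."""
    return all(not (s[0] == C and s[1] == C) for s in states)


if __name__ == "__main__":
    full, reduced = reachable_states(), reachable_states(symmetry=True)
    print(len(full), len(reduced))                      # 12 6
    print(mutual_exclusion(full), mutual_exclusion(reduced))   # True True
```

Canonicalisation is sound here because swap is an automorphism of the transition relation (it maps successors to successors), so every reachable orbit is still visited and a property invariant under the permutation, such as mutual exclusion, is checked on every class.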

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states     time      memory        states     time      memory
    Migratory Protocol (2)  155040   10863s    563 MB        435456     234s      428 MB
    Stable Marriage (2)     710      084s      73 MB         568        <001s     15 MB
    Stable Marriage (3)     1275     272s      104 MB        945        <001s     15 MB
    Stable Marriage (5)     10351    3156s     300 MB        8421       003s      21 MB
    Best (7)                15       006s      07 MB         2187       003s      15 MB
    Best (20)               41       034s      57 MB         N/A¹
    Worst (3)               15       004s      03 MB         15         <001s     15 MB
    Worst (20)              2097150  036s      50 MB         2097150    1503s     1106 MB
    Worst (100)             254E+30  1434s     146 MB        N/A¹

(Time and memory values are reproduced as extracted; their decimal separators were lost.)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison Leader Election Protocol

Without partial order reduction (Non-PO): NuSMV vs SPIN

             NuSMV                             SPIN
             states    time      memory        states    time      memory
    2        70        011s      11 MB         70        <001s     15 MB
    3        488       057s      46 MB         488       <001s     15 MB
    4        3576      677s      106 MB        3576      010s      23 MB
    8        N/A¹                              N/A¹

With partial order reduction (PO): NuSMV-ImProviso vs SPIN

             NuSMV-ImProviso                   SPIN
             states    time      memory        states    time      memory
    2        48        010s      10 MB         48        002s      15 MB
    3        209       031s      30 MB         209       <001s     15 MB
    4        922       177s      104 MB        922       <001s     17 MB
    8        306903    355386s   3818 MB       306903    1182s     2328 MB

(Time and memory values are reproduced as extracted; their decimal separators were lost.)

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

OBDD for Comparator Example

bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

Variable Ordering Problem

bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

function we get the OBDD below

Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry


Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function we get the OBDD below

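The comparator example above can be reproduced in a few lines. The following block is an added example, not code from the slides: it builds a reduced OBDD for the n-bit comparator (a1 == b1) ∧ … ∧ (an == bn) by Shannon expansion with a unique table, and counts the nodes under the interleaved ordering a1 < b1 < a2 < b2 < … and the blocked ordering a1 < … < an < b1 < … < bn. The function and helper names are this example's own.

```python
# Added example (not from the slides): reduced OBDD construction for the
# n-bit comparator under two variable orderings, to show that the choice of
# ordering changes the diagram size from linear to exponential in n.

def build_robdd(f, order):
    """Build the reduced OBDD of Boolean function f (a callable on a dict
    var -> bool) under the variable ordering `order`.
    Returns (root_id, total_nodes); ids 0 and 1 are the terminal nodes."""
    unique = {}   # (var, low, high) -> node id: the unique table
    nodes = {}    # node id -> (var, low, high)

    def mk(var, low, high):
        # Reduction rule 1: a node whose two branches coincide is redundant.
        if low == high:
            return low
        # Reduction rule 2: never create two nodes with the same triple.
        key = (var, low, high)
        if key not in unique:
            unique[key] = len(nodes) + 2
            nodes[unique[key]] = key
        return unique[key]

    def build(i, env):
        # Shannon expansion along `order`: f = (~v & f|v=0) | (v & f|v=1)
        if i == len(order):
            return 1 if f(env) else 0
        v = order[i]
        low = build(i + 1, {**env, v: False})
        high = build(i + 1, {**env, v: True})
        return mk(v, low, high)

    root = build(0, {})
    return root, len(nodes) + 2

def make_comparator(n):
    """f = (a1 == b1) and ... and (an == bn) over the 2n variables a_i, b_i."""
    return lambda env: all(env[f"a{i}"] == env[f"b{i}"] for i in range(1, n + 1))

def interleaved_order(n):
    return [v for i in range(1, n + 1) for v in (f"a{i}", f"b{i}")]

def blocked_order(n):
    return [f"a{i}" for i in range(1, n + 1)] + [f"b{i}" for i in range(1, n + 1)]

def obdd_size(n, order):
    """Number of OBDD nodes (terminals included) for the n-bit comparator."""
    return build_robdd(make_comparator(n), order)[1]

if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, "bits: interleaved", obdd_size(n, interleaved_order(n)),
              "blocked", obdd_size(n, blocked_order(n)))
```

The interleaved ordering yields 3n + 2 nodes (8 for n = 2), the blocked ordering 3·2^n − 1 nodes (11 for n = 2, 23 for n = 3); the construction itself is exponential in the number of variables because it enumerates every assignment, which is fine for a demonstration but is exactly the cost that real OBDD packages avoid with the apply operation.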
Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
– Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
– The transition relation T will be given as a Boolean formula in terms of the state variables
– where v1, …, vn represents the current state and v'1, …, v'n represents the next state
– Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for transition relation
• Now represent as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence
• until convergence

Problems with BDDs

• BDDs are a canonical representation. They often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
– Often time consuming or needs manual intervention
– Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with thousands to tens of thousands of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

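The unrolling described above, as an added example that is not from the slides: a 3-bit counter that starts at 0 and counts up modulo 8 is checked against the safety property "the counter never reaches 7". For each bound k the block builds I(s0) ∧ T(s0,s1) ∧ … ∧ T(s(k-1),sk) ∧ ¬P(sk) in CNF and hands it to a minimal DPLL solver written inline (a real BMC tool would call an industrial SAT solver; the solver, the variable numbering and the helper names are this example's own).

```python
# Added example (not from the slides): bounded model checking of a 3-bit
# counter with a tiny DPLL SAT solver. The bad state (counter = 7) is first
# reachable after 7 steps, which is also the diameter of this machine, so
# the first satisfiable unrolling is k = 7 and every smaller k is UNSAT.

def dpll(clauses, assignment=None):
    """Minimal DPLL. Clauses are lists of non-zero ints (negative = negated).
    Returns a satisfying dict var -> bool, or None if unsatisfiable."""
    assignment = dict(assignment or {})
    changed = True
    while changed:                      # unit propagation to a fixpoint
        changed = False
        remaining = []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None             # conflict: every literal is false
            if len(free) == 1:          # a unit clause forces its literal
                assignment[abs(free[0])] = free[0] > 0
                changed = True
            remaining.append(clause)
        clauses = remaining
    if not clauses:
        return assignment
    lit = next(l for c in clauses for l in c if abs(l) not in assignment)
    for value in (True, False):         # depth-first case split
        result = dpll(clauses, {**assignment, abs(lit): value})
        if result is not None:
            return result
    return None

BITS = 3
VARS_PER_STEP = BITS + 1                # x0, x1, x2 and one carry helper c

def var(step, idx):
    """Map (time step, signal index) to a positive SAT variable id."""
    return step * VARS_PER_STEP + idx + 1

def xor_clauses(out, a, b):
    """CNF for out <-> (a xor b)."""
    return [[-out, a, b], [-out, -a, -b], [out, -a, b], [out, a, -b]]

def transition(k):
    """CNF for T(s_k, s_k+1): s_k+1 = s_k + 1 (mod 8), as a ripple adder."""
    x0, x1, x2, c = (var(k, i) for i in range(VARS_PER_STEP))
    y0, y1, y2 = (var(k + 1, i) for i in range(BITS))
    clauses = [[y0, x0], [-y0, -x0]]                 # y0 <-> not x0
    clauses += xor_clauses(y1, x1, x0)               # y1 <-> x1 xor x0
    clauses += [[-c, x0], [-c, x1], [c, -x0, -x1]]   # c  <-> x0 and x1
    clauses += xor_clauses(y2, x2, c)                # y2 <-> x2 xor c
    return clauses

def bmc(bound):
    """Look for the shortest path (length <= bound) from counter 0 to 7.
    Returns (k, [counter values s_0 .. s_k]) or None if none exists."""
    for k in range(bound + 1):
        clauses = [[-var(0, i)] for i in range(BITS)]      # I(s_0): counter = 0
        for step in range(k):
            clauses += transition(step)                    # T(s_0,s_1) ... T(s_k-1,s_k)
        clauses += [[var(k, i)] for i in range(BITS)]      # not P(s_k): counter = 7
        model = dpll(clauses)
        if model is not None:
            trace = [sum(1 << i for i in range(BITS) if model.get(var(s, i), False))
                     for s in range(k + 1)]
            return k, trace
    return None

if __name__ == "__main__":
    print(bmc(10))   # (7, [0, 1, 2, 3, 4, 5, 6, 7])
    print(bmc(6))    # None: no counterexample within 6 steps
```

Because the solver returns the first satisfiable k, the counterexample is of minimal length, which is the "finds finite paths of minimal length" advantage claimed on the next slide; note also that a `None` from `bmc(6)` only says there is no violation within six steps, and the safety claim becomes a proof only once the bound reaches the machine's diameter.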
Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
– All traces of M must satisfy φ
– If a trace of M does not satisfy φ
• Counterexample
– L(M) is the set of traces of M
– L(φ) is the set of traces that satisfy φ
• L(M) ⊆ L(φ)
• Equivalently L(M) ∩ L(¬φ) = ∅

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
– S is a finite set of states
– I ⊆ S is a set of initial states
– δ ⊆ S × S is a transition relation
– F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States: S0, S1, S2 (the automaton diagram is not reproduced in the transcript)

σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Buumlchi Automata

• LTL formula
– Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
– Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
– Build the Büchi automaton B¬φ
– Compute the product of M and B¬φ
• Each state of M is labeled with propositions
• Each state of B¬φ is labeled with propositions
• Match states with the same labels
– The product accepts the traces of M that are also traces of B¬φ (L(M) ∩ L(¬φ))
– If the product accepts any sequence
• We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
– Accepted sequences must contain a cycle
• In order to contain accepting states infinitely often
– We are interested only in cycles that contain at least an accepting state
– During depth-first search, start a second search when we are in an accepting state
• If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

procedure DFS(s)
  visited = visited ∪ {s}
  for each successor s' of s
    if s' ∉ visited then
      DFS(s')
      if s' is accepting then
        DFS2(s', s')
      end if
    end if
  end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
  visited2 = visited2 ∪ {s}
  for each successor s' of s
    if s' = seed then
      return "Cycle Detect"
    end if
    if s' ∉ visited2 then
      DFS2(s', seed)
    end if
  end for
end procedure

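The two procedures above, as an added runnable example that is not from the slides. It follows the pseudocode with two differences worth knowing: the inner search is started post-order for every accepting state (the slide's version, which only checks successors, would miss an accepting initial state), and a hit is reported as a lasso (prefix, cycle) rather than a bare "Cycle Detect" string. The product automaton it runs on is a small constructed graph; its edges, the `succ` helper and the function names are this example's own.

```python
# Added example (not from the slides): nested depth-first search on a small
# constructed product automaton. States are ints, `successors` returns the
# edges, `accepting` is the set F. The result is a counterexample in lasso
# form: a finite prefix from the initial state to an accepting state, and a
# cycle from that state back to itself.

def nested_dfs(initial, successors, accepting):
    visited = set()    # states seen by the outer search
    visited2 = set()   # states seen by any inner search; never reset,
                       # which is what keeps the whole algorithm linear

    def dfs2(s, seed, path):
        # Inner search: look for a path from the accepting seed back to itself.
        visited2.add(s)
        for t in successors(s):
            if t == seed:
                return path + [t]        # cycle through an accepting state
            if t not in visited2:
                cycle = dfs2(t, seed, path + [t])
                if cycle:
                    return cycle
        return None

    def dfs(s, path):
        # Outer search, post-order: the inner search from s starts only
        # after every successor of s has been fully explored.
        visited.add(s)
        for t in successors(s):
            if t not in visited:
                found = dfs(t, path + [t])
                if found:
                    return found
        if s in accepting:
            cycle = dfs2(s, s, [s])
            if cycle:
                return path[:-1], cycle   # (prefix up to s, cycle s ... s)
        return None

    return dfs(initial, [initial])

# Constructed product automaton: 0 -> 1 -> 2 -> 1 and 2 -> 3 -> 3.
EDGES = {0: [1], 1: [2], 2: [1, 3], 3: [3]}

def succ(s):
    return EDGES[s]

if __name__ == "__main__":
    print(nested_dfs(0, succ, {2}))   # ([0, 1], [2, 1, 2])
    print(nested_dfs(0, succ, {3}))   # ([0, 1, 2], [3, 3])
    print(nested_dfs(0, succ, {0}))   # None: no cycle through 0
```

Keeping `visited2` across all inner searches is the part that is easy to get wrong when re-implementing this: resetting it per seed still finds cycles but makes the search quadratic, while the post-order discipline is what makes the shared set sound.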
Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
– Asynchronous composition of independent processes
– Communication using channels and global variables
– Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed in */
    ncrit++;
ss: assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed in */
    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

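The n! orderings, 2^n states and n + 1 representative states from the state explosion slide, made concrete in an added example that is not from the slides. Transition i only sets bit i of the state, so all n transitions commute; the full exploration follows every enabled transition, while the reduced one follows only the lowest-numbered enabled transition in each state, a deliberately simplified stand-in for the ample-set selection a tool like SPIN makes (sound here only because the transitions are mutually independent). The state encoding and helper names are this example's own.

```python
# Added example (not from the slides): full versus representative exploration
# of n independent transitions. Full graph: 2^n states (one per subset of
# fired transitions). Reduced graph: n + 1 states along one representative
# interleaving. Every interleaving reaches the same terminal state, so a
# property that only inspects that state cannot tell the two graphs apart.

from itertools import permutations

def enabled(state):
    """Transitions still to fire: one per bit that is not yet set."""
    return [i for i, done in enumerate(state) if not done]

def fire(state, i):
    return state[:i] + (True,) + state[i + 1:]

def explore(n, choose):
    """DFS over the state graph; `choose` selects which of the enabled
    transitions to follow from each state. Returns the set of reached states."""
    initial = (False,) * n
    seen, stack = {initial}, [initial]
    while stack:
        s = stack.pop()
        for i in choose(enabled(s)):
            t = fire(s, i)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def full_states(n):
    return explore(n, lambda en: en)        # every interleaving: 2^n states

def reduced_states(n):
    return explore(n, lambda en: en[:1])    # one representative: n + 1 states

def orderings(n):
    """Count the orderings of the n transitions and collect the final state
    each of them reaches: (n!, {(True,) * n}) because the transitions commute."""
    finals, count = set(), 0
    for order in permutations(range(n)):
        s = (False,) * n
        for i in order:
            s = fire(s, i)
        finals.add(s)
        count += 1
    return count, finals

def terminal_states(states):
    """States with nothing left to fire; the same in both graphs."""
    return {s for s in states if not enabled(s)}

if __name__ == "__main__":
    for n in (3, 5):
        print(n, len(full_states(n)), len(reduced_states(n)), orderings(n)[0])
```

The reduction is only valid for properties that cannot observe the intermediate states in a different order; if the specification mentioned, say, "bit 2 is set before bit 0", the lowest-index rule would hide exactly the interleavings that violate it, which is why real partial order reduction also checks the visibility of transitions against the property.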
Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
– Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
– Verify each sub-process separately by adding assumptions on the other sub-processes
– Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
– E.g. infinite state → finite state approximation
• Disadvantage
– Loss of precision: false positives/negatives
• Approaches
– Cone of influence reduction
– Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A Simple LTL property

(F (~v1))   v1 will eventually become False

Cone of Influence Reduction (reduced model with respect to the cone of v1)

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
End

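The cone computation behind the example above, as an added example that is not from the slides. The dependency map records, for each variable, the variables its next-state assignment reads; the cone of influence of V is the least set containing V that is closed under these dependencies. For the property F(~v1) the cone is {v1, v2, v3}, so v4, v5 and v6 are dropped (the reduced model on the slide declares v3 and the algorithm keeps its assignment v3 = v1 & v2 as well). The `DEPS` table and function names are this example's own.

```python
# Added example (not from the slides): cone of influence over the simple
# system model. A variable is in the cone if the property reads it, or if a
# variable already in the cone reads it in its next-state assignment.

DEPS = {
    "v1": {"v2"},
    "v2": {"v1", "v3"},
    "v3": {"v1", "v2"},
    "v4": {"v5", "v3"},
    "v5": {"v4", "v6"},
    "v6": set(),            # never assigned: a free input of the model
}

def cone_of_influence(deps, variables):
    """Least set containing `variables` and closed under `deps`."""
    cone, work = set(), list(variables)
    while work:
        v = work.pop()
        if v in cone:
            continue
        cone.add(v)
        work.extend(deps.get(v, ()))
    return cone

def reduce_model(deps, property_vars):
    """Keep only the assignments whose target variable lies in the cone;
    everything outside the cone cannot influence the property."""
    cone = cone_of_influence(deps, property_vars)
    return {v: deps[v] for v in deps if v in cone}

if __name__ == "__main__":
    print(sorted(cone_of_influence(DEPS, {"v1"})))   # ['v1', 'v2', 'v3']
    print(sorted(reduce_model(DEPS, {"v1"})))        # ['v1', 'v2', 'v3']
    print(sorted(cone_of_influence(DEPS, {"v4"})))   # all six variables
```

The check in the other direction is just as informative: a property over v4 pulls in every variable, because v4 depends on v5 and v3 and those transitively on the rest, so the reduction gives nothing and a data abstraction is the better tool there.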
Data Abstraction

Abstraction Function h: S → S'

(diagram: concrete states in S mapped by h onto abstract states in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int → {Even, Odd}
    Odd  = {…, -3, -1, 1, 3, …}
    Even = {…, -2, 0, 2, 4, …}

y: int → {Pos, Neg, Zero}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}

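The component-wise abstraction on the slide, applied in an added example that is not from the slides. The concrete system is constructed for the example (each step does x := x + 1 and y := y - 1), and the abstract transition relation is built existentially: (a, a') is an abstract transition iff some concrete pair (s, s') with h(s) = a and h(s') = a' is. Concrete states are sampled from a finite window, which is an assumption of this example (exact here because +1 and -1 only ever cross one boundary); the function names are the example's own.

```python
# Added example (not from the slides): data abstraction h(x, y) =
# (Even/Odd, Pos/Neg/Zero) of a constructed concrete system, and the loss of
# precision it introduces.

def h_x(x):
    return "Even" if x % 2 == 0 else "Odd"

def h_y(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")

def h(state):
    """Component-wise abstraction function h: S -> S'."""
    x, y = state
    return (h_x(x), h_y(y))

def concrete_step(state):
    """Constructed concrete system: x counts up, y counts down."""
    x, y = state
    return (x + 1, y - 1)

def abstract_transitions(step, window):
    """Existential abstraction: one abstract edge per observed concrete edge,
    with concrete states drawn from `window` x `window` (sampling assumption)."""
    rel = set()
    for x in window:
        for y in window:
            s = (x, y)
            rel.add((h(s), h(step(s))))
    return rel

def abstract_successors(rel, a):
    return {a2 for (a1, a2) in rel if a1 == a}

def abstract_can_stay_positive(rel):
    """True if the abstract model has a cycle on which y is always Pos. No
    concrete run does this (y decreases every step), so such a cycle is a
    spurious counterexample to 'eventually y = 0': the abstraction lost
    precision on the Pos component."""
    even_pos, odd_pos = ("Even", "Pos"), ("Odd", "Pos")
    return (odd_pos in abstract_successors(rel, even_pos)
            and even_pos in abstract_successors(rel, odd_pos))

if __name__ == "__main__":
    rel = abstract_transitions(concrete_step, range(-5, 6))
    print(sorted(abstract_successors(rel, ("Even", "Pos"))))
    print(abstract_can_stay_positive(rel))   # True: spurious behaviour
```

The Even/Odd component is exact (parity flips on every step), while Pos/Neg/Zero is not: from Pos the abstraction cannot tell whether the next concrete value is still positive or already zero, so it admits both, and the resulting self-sustaining Pos cycle is the "false negative" the Abstraction slide warns about; refining h, for example by splitting Pos into {1} and {2, 3, …}, pushes the imprecision one step further out but never removes it for an unbounded counter.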
Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
– Symmetry detection
– Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

/* Local states N, T, C are left implicit on the slide; the defines are added
   here so the model compiles. */
#define N 0
#define T 1
#define C 2

byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    /* _pid is 0-based in SPIN while the token is 1 or 2, so the holder is
       _pid + 1 (the slide writes tok == _pid, which would never let the
       second process in) */
    :: (state == T) && (tok == _pid + 1) -> state = C
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State graph (12 states; each state gives the local state of process 1, the local state of process 2 and the token holder):

    N1 N2, tok=1      N1 N2, tok=2
    N1 T2, tok=1      T1 N2, tok=2
    T1 N2, tok=1      N1 T2, tok=2
    T1 T2, tok=1      T1 T2, tok=2
    C1 N2, tok=1      N1 C2, tok=2
    C1 T2, tok=1      T1 C2, tok=2

Reduced state graph (6 states, one representative per equivalence class under swapping the two processes):

    N1 N2, tok=1
    N1 T2, tok=1
    T1 N2, tok=1
    T1 T2, tok=1
    C1 N2, tok=1
    C1 T2, tok=1

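The two state graphs above can be regenerated from the model, in an added example that is not from the slides. It encodes the two-process token model, explores it once in full and once with symmetry reduction, where every state is replaced by the smallest state in its orbit under the process swap (swap the two local states and rename the token 1 ↔ 2). The state encoding and function names are this example's own; process ids are 1 and 2 to match the graph's labels.

```python
# Added example (not from the slides): full and symmetry-reduced exploration
# of the two-process token model. Each state is ((local1, local2), tok).
# Expected: 12 reachable states in full, 6 representatives after reduction.

N, T, C = "N", "T", "C"
INITIAL = ((N, N), 1)

def set_local(state, pid, new_loc):
    (s1, s2), tok = state
    locs = [s1, s2]
    locs[pid - 1] = new_loc
    return (tuple(locs), tok)

def successors(state):
    """Transitions of the Promela model: N -> T; T -> C when holding the
    token; C -> N while handing the token to process 1 or 2."""
    (s1, s2), tok = state
    for pid, loc in ((1, s1), (2, s2)):
        if loc == N:
            yield set_local(state, pid, T)
        elif loc == T and tok == pid:
            yield set_local(state, pid, C)
        elif loc == C:
            for new_tok in (1, 2):
                new_locals, _ = set_local(state, pid, N)
                yield (new_locals, new_tok)

def swap(state):
    """The symmetry: exchange the two processes and rename the token."""
    (s1, s2), tok = state
    return ((s2, s1), 3 - tok)

def canonical(state):
    """Representative of the orbit {state, swap(state)}: the smaller tuple."""
    return min(state, swap(state))

def explore(rep=lambda s: s):
    """Reachable states, with every state passed through `rep` first."""
    start = rep(INITIAL)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def full_state_count():
    return len(explore())

def reduced_state_count():
    return len(explore(canonical))

def mutual_exclusion_holds():
    """Safety check on the full graph: never both processes in C."""
    return all(not (s1 == C and s2 == C) for (s1, s2), _ in explore())

if __name__ == "__main__":
    print(full_state_count(), reduced_state_count(), mutual_exclusion_holds())
```

Because `swap` is an automorphism of the transition relation, a property that does not name a particular process (mutual exclusion, token uniqueness) holds on the reduced graph iff it holds on the full one; a property such as "process 1 enters C infinitely often" is not symmetric and must not be checked on the quotient.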
Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
– Extended CSP (Communicating Sequential Processes)
– LTL
• Model Checkers
– Explicit Model Checker
– Bounded Model Checker
• Features
– Handles fairness with partial order reduction
– Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

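What wf(e) and sf(e) rule out, and why a non-starvation check can come back FALSE without a fairness assumption, as an added example that is not from the slides or from PAT. Runs are lasso-shaped (a finite prefix followed by a cycle repeated forever), and each step records the enabled events and the one taken; on such a run "infinitely often" means "somewhere in the cycle" and "continuously from some point on" means "at every step of the cycle". The runs, the events p and q, and the function names are constructed for this example.

```python
# Added example (not from the slides): weak and strong fairness of an event on
# lasso-shaped runs, and the effect of each assumption on a non-starvation
# check for process q.
#   wf(e): if e is enabled continuously from some point on, it is taken
#          infinitely often.
#   sf(e): if e is enabled infinitely often, it is taken infinitely often.

def weakly_fair(cycle, e):
    enabled_forever = all(e in enabled for enabled, _ in cycle)
    taken_io = any(taken == e for _, taken in cycle)
    return (not enabled_forever) or taken_io

def strongly_fair(cycle, e):
    enabled_io = any(e in enabled for enabled, _ in cycle)
    taken_io = any(taken == e for _, taken in cycle)
    return (not enabled_io) or taken_io

def fair_runs(runs, e, fairness):
    """Names of the runs that satisfy the fairness assumption for e."""
    return [name for name, (prefix, cycle) in runs.items() if fairness(cycle, e)]

def q_eventually_runs(run):
    prefix, cycle = run
    return any(taken == "q" for _, taken in prefix + cycle)

def non_starvation(runs, fairness=None):
    """True iff q runs on every run admitted by the fairness assumption."""
    kept = [run for run in runs.values()
            if fairness is None or fairness(run[1], "q")]
    return all(q_eventually_runs(run) for run in kept)

# Constructed runs of two competing processes p and q.
# Each step is (set of enabled events, event taken).
RUNS = {
    # q is always enabled but never scheduled: excluded by both wf and sf
    "starve_q": ([({"p", "q"}, "p")], [({"p", "q"}, "p")]),
    # q enabled only every other step and never taken: allowed by wf, excluded by sf
    "q_intermittent": ([], [({"p", "q"}, "p"), ({"p"}, "p")]),
    # q gets its turn: allowed by both
    "round_robin": ([], [({"p", "q"}, "p"), ({"p", "q"}, "q")]),
}

if __name__ == "__main__":
    print(non_starvation(RUNS))                 # False: starve_q is a counterexample
    print(non_starvation(RUNS, weakly_fair))    # False: q_intermittent survives wf
    print(non_starvation(RUNS, strongly_fair))  # True
```

This is the pattern behind the FALSE results on the previous slide: a scheduler that never picks q is a legitimate interleaving of the model, so liveness for q fails unless the assumption wf(q) or sf(q) removes those runs, and weak fairness alone is not enough when q's enabledness keeps toggling.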
Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                      SPIN
Model                    states     time      memory          states     time      memory
Migratory Protocol (2)   155040     10863s    563 MB          435456     234s      428 MB
Stable Marriage (2)      710        084s      73 MB           568        <001s     15 MB
Stable Marriage (3)      1275       272s      104 MB          945        <001s     15 MB
Stable Marriage (5)      10351      3156s     300 MB          8421       003s      21 MB
Best (7)                 15         006s      07 MB           2187       003s      15 MB
Best (20)                41         034s      57 MB           N/A
Worst (3)                15         004s      03 MB           15         <001s     15 MB
Worst (20)               2097150    036s      50 MB           2097150    1503s     1106 MB
Worst (100)              254E+30    1434s     146 MB          N/A

(Time and memory figures are shown as extracted; their decimal points did not survive extraction.)

• SPIN faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison Leader Election Protocol

Non-PO (without partial order reduction)

         NuSMV                              SPIN
n        states    time      memory         states    time      memory
2        70        011s      11 MB          70        <001s     15 MB
3        488       057s      46 MB          488       <001s     15 MB
4        3576      677s      106 MB         3576      010s      23 MB
8        N/A                                N/A

PO (with partial order reduction)

         NuSMV-ImProviso                    SPIN
n        states    time      memory         states    time      memory
2        48        010s      10 MB          48        002s      15 MB
3        209       031s      30 MB          209       <001s     15 MB
4        922       177s      104 MB         922       <001s     17 MB
8        306903    355386s   3818 MB        306903    1182s     2328 MB

(Time and memory figures are shown as extracted; their decimal points did not survive extraction.)

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Tackle the State Space Explosion
– Partial Order Reduction
– Equivalences and Pre-orders between Structures
– Compositional Reasoning
– Abstraction
– Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking
• Various optimization techniques
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
– Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
– MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
– Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
– Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
– Explicit Model Checking
– Benefits
• Better support for asynchronous communication
• Better control of optimization techniques
• Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
• Abstraction
• Compositional Reasoning
• Symmetry


Symbolic Model Checking Algorithm

bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

formula in terms of the state variables

ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

ndash Now convert T to a OBDD

Symbolic Model Checking (cont)

bull Representing transition relations symbolically

bull Boolean formula for transition relation

bull Now represent as an OBDD

Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                       SPIN
                          states     time       memory         states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB        435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB         568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB        945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB        8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB         2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB         N/A
Worst (3)                 15         0.04s      0.3 MB         15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB         2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB        N/A

• SPIN is faster whenever it can handle the example
• NuSMV-ImProviso can handle more of the examples
• NuSMV-ImProviso matches SPIN on the Best and Worst examples

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

      NuSMV                                 SPIN
  n   states     time       memory         states     time       memory
  2   70         0.11s      1.1 MB         70         <0.01s     1.5 MB
  3   488        0.57s      4.6 MB         488        <0.01s     1.5 MB
  4   3576       6.77s      10.6 MB        3576       0.10s      2.3 MB
  8   N/A                                  N/A

With partial order reduction (PO):

      NuSMV-ImProviso                       SPIN
  n   states     time       memory         states     time       memory
  2   48         0.10s      1.0 MB         48         0.02s      1.5 MB
  3   209        0.31s      3.0 MB         209        <0.01s     1.5 MB
  4   922        1.77s      10.4 MB        922        <0.01s     1.7 MB
  8   306903     3553.86s   381.8 MB       306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• The same reduction on both sides
• SPIN is faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; SPIN's partial order reduction is very helpful

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs on some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN or PAT (PAT has better support for fairness combined with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Symbolic Model Checking (cont)

• Representing transition relations symbolically

• Boolean formula for the transition relation

• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs

• Introduce state variables

• Now compute the sequence of approximations

• until convergence

Problems with BDDs

• BDDs are a canonical representation, but they often become too large

• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists

• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms

• They do not suffer from the potential space explosion of BDDs

• They can handle functions with thousands of variables

• Very efficient implementations are available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs

• We construct a Boolean formula that is satisfiable iff there is a finite path of length k in the underlying machine that violates the specification

• We look for longer and longer paths by incrementing the bound k

• After some number of iterations we may conclude that no such path exists and that the specification holds

• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine; without such a completeness threshold BMC can only refute a property, not prove it
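The unrolling described above, worked through in code. This is an added example and not part of the slides or of NuSMV: the 3-bit counter, its "+2 modulo 8" transition relation and the tiny backtracking solver are all constructed here for illustration; a real BMC engine builds the same kind of formula and hands it to an industrial SAT solver.

```python
# Bounded model checking (added example, not from the slides or NuSMV): unroll a
# transition relation k steps into one propositional formula and ask a toy
# backtracking SAT solver whether a bad state is reachable at depth k.
# Constructed system: a 3-bit counter that starts at 0 and adds 2 modulo 8,
# so only the even values 0, 2, 4, 6 are reachable.

# Propositional formulas as nested tuples:
#   ("var", name) | ("not", f) | ("and", f1, f2, ...) | ("or", f1, f2, ...)
def V(name):   return ("var", name)
def NOT(f):    return ("not", f)
def AND(*fs):  return ("and",) + fs
def OR(*fs):   return ("or",) + fs
def XOR(a, b): return OR(AND(a, NOT(b)), AND(NOT(a), b))
def IFF(a, b): return OR(AND(a, b), AND(NOT(a), NOT(b)))

def evaluate(f, assignment):
    """Three-valued evaluation under a partial assignment: True, False or None (unknown)."""
    kind = f[0]
    if kind == "var":
        return assignment.get(f[1])
    if kind == "not":
        v = evaluate(f[1], assignment)
        return None if v is None else (not v)
    vals = [evaluate(g, assignment) for g in f[1:]]
    if kind == "and":
        if False in vals:
            return False
        return True if all(v is True for v in vals) else None
    if kind == "or":
        if True in vals:
            return True
        return False if all(v is False for v in vals) else None
    raise ValueError(kind)

def sat(f, order):
    """Toy DPLL-style search: assign variables in `order`, backtrack as soon as f is False.
    Returns a satisfying assignment or None."""
    assignment = {}
    def search(i):
        v = evaluate(f, assignment)
        if v is False:
            return False
        if i == len(order):
            return v is True
        for value in (False, True):
            assignment[order[i]] = value
            if search(i + 1):
                return True
            del assignment[order[i]]
        return False
    return dict(assignment) if search(0) else None

BITS = 3
def bit(step, j):
    return V(f"x{j}@{step}")              # bit j of the counter at time step `step`

def init(step):
    return AND(*[NOT(bit(step, j)) for j in range(BITS)])      # counter starts at 0

def trans(s, t):
    """x' = x + 2 mod 8: bit 0 unchanged, bit 1 flips, bit 2 flips when bit 1 was set."""
    return AND(IFF(bit(t, 0), bit(s, 0)),
               IFF(bit(t, 1), NOT(bit(s, 1))),
               IFF(bit(t, 2), XOR(bit(s, 2), bit(s, 1))))

def equals(step, value):
    return AND(*[bit(step, j) if (value >> j) & 1 else NOT(bit(step, j)) for j in range(BITS)])

def bmc(bad_value, max_k):
    """Look for a path of length k <= max_k from the initial state to `bad_value`.
    Returns (k, [counter values along the path]) for the shortest such k, or None.
    None is a proof of unreachability only if max_k is at least the reachability
    diameter; the 8 states of this machine give a trivial bound for that."""
    for k in range(max_k + 1):
        formula = AND(init(0), *[trans(i, i + 1) for i in range(k)], equals(k, bad_value))
        order = [f"x{j}@{i}" for i in range(k + 1) for j in range(BITS)]
        model = sat(formula, order)
        if model is not None:
            path = [sum(model[f"x{j}@{i}"] << j for j in range(BITS)) for i in range(k + 1)]
            return k, path
    return None

if __name__ == "__main__":
    print("reach 6:", bmc(6, 8))   # found at k = 3 via 0, 2, 4, 6
    print("reach 5:", bmc(5, 8))   # None: odd values are unreachable
```

Running it reports 6 at k = 3 with the trace 0, 2, 4, 6, and None for 5 after trying every k up to 8. Because the machine has only 8 states, a bound of 8 exceeds its reachability diameter, which is what turns the run of UNSAT answers into a proof that 5 is unreachable; stopping at a smaller bound would only have shown that no short counterexample exists.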

Main Advantages of SAT Approach

• Bounded model checking finds counterexamples quickly, thanks to the depth-first nature of SAT search procedures

• It finds counterexample paths of minimal length, which helps the user understand the counterexample

• It uses much less space than BDD-based approaches

• It does not need a manually selected variable order or costly reordering; the solver's default splitting heuristics are usually sufficient

NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language

• Specifications expressible in CTL and LTL

• Provides both BDD- and SAT-based model checking

• Allows user-specified variable ordering

• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample

• Let L(M) be the set of traces of M and L(φ) the set of traces that satisfy φ

• M ⊨ φ iff L(M) ⊆ L(φ)

• Equivalently, L(M) ∩ L(¬φ) = ∅

Buumlchi Automata

• An automaton that accepts infinite traces
• A Büchi automaton is a 4-tuple (S, I, →, F)
  – S is a finite set of states
  – I ⊆ S is the set of initial states
  – → ⊆ S × S is the transition relation
  – F ⊆ S is the set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States S0, S1, S2 of the automaton in the figure, with S2 the accepting state:

σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED (S2 is visited only once)

LTL and Buumlchi Automata

• LTL formula φ
  – Represents the set of infinite traces which satisfy φ

• Büchi automaton
  – Accepts a set of infinite traces

• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ for the negation of φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ, i.e. L(M) ∩ L(¬φ)
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton; how do we find accepted sequences?
  – Accepted sequences must contain a cycle, in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then DFS2(s', s') end if
        end if
    end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then return "Cycle Detected" end if
        if s' ∉ visited2 then DFS2(s', seed) end if
    end for
end procedure
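The product construction and the nested search above, carried out end to end in an added example that is not part of the slides or of SPIN. It re-expresses the deck's Peterson model as a Python successor function (a program counter 0..3 per process, the two flags and turn), hand-writes Büchi automata for the negations of two properties, builds the product on the fly and runs the post-order nested DFS. The state encoding and the two automata are this example's own assumptions.

```python
# Explicit-state LTL model checking (added example, not from the slides or SPIN):
# the slide's Peterson model as a Python successor function, Büchi automata for the
# NEGATED properties, an on-the-fly product and the nested depth-first search.

# Kripke state: (pc0, pc1, flag0, flag1, turn). Program counter per process:
# 0 = non-critical, 1 = flag raised, 2 = turn written / waiting, 3 = critical section.
INITIAL = (0, 0, 0, 0, 0)

def successors(s):
    """Interleaving semantics: one step of either process, if that process is enabled."""
    out = []
    for i in (0, 1):
        j = 1 - i
        pc, flag, turn = [s[0], s[1]], [s[2], s[3]], s[4]
        if pc[i] == 0:
            flag[i], pc[i] = 1, 1                 # flag[i] = 1
        elif pc[i] == 1:
            turn, pc[i] = i, 2                    # turn = i
        elif pc[i] == 2:
            if flag[j] == 0 or turn == j:         # (flag[j] == 0 || turn == j)
                pc[i] = 3
            else:
                continue                          # blocked: no step for this process
        else:
            flag[i], pc[i] = 0, 0                 # leave the critical section
        out.append((pc[0], pc[1], flag[0], flag[1], turn))
    return out

def in_cs(i, s):
    return s[i] == 3

# Büchi automata for ¬φ as (initial state, accepting states, transitions); a
# transition (q, guard, q') is taken when the Kripke state being entered satisfies guard.
NOT_MUTEX = ("q0", {"q1"}, [                      # ¬ G ¬(cs0 ∧ cs1)  =  F (cs0 ∧ cs1)
    ("q0", lambda s: True, "q0"),
    ("q0", lambda s: in_cs(0, s) and in_cs(1, s), "q1"),
    ("q1", lambda s: True, "q1")])
NOT_GF_CS1 = ("q0", {"q1"}, [                     # ¬ G F cs1  =  F G ¬cs1
    ("q0", lambda s: True, "q0"),
    ("q0", lambda s: not in_cs(1, s), "q1"),
    ("q1", lambda s: not in_cs(1, s), "q1")])

def product(buchi):
    """Product of the Kripke structure and the automaton, generated on the fly."""
    q_init, accepting_q, delta = buchi
    initials = [(INITIAL, q2) for (q1, g, q2) in delta if q1 == q_init and g(INITIAL)]
    def succ(ps):
        s, q = ps
        return [(s2, q2) for s2 in successors(s)
                         for (q1, g, q2) in delta if q1 == q and g(s2)]
    def accepting(ps):
        return ps[1] in accepting_q
    return initials, succ, accepting

def nested_dfs(initials, succ, accepting):
    """Return a lasso (prefix, cycle) through an accepting state, or None if none exists."""
    visited, visited2, stack = set(), set(), []
    def dfs2(s, seed):                  # inner search: can seed reach itself?
        visited2.add(s)
        for t in succ(s):
            if t == seed:
                return [s]
            if t not in visited2:
                cyc = dfs2(t, seed)
                if cyc is not None:
                    return [s] + cyc
        return None
    def dfs(s):                         # outer search; inner search launched in post-order
        visited.add(s)
        stack.append(s)
        for t in succ(s):
            if t not in visited:
                found = dfs(t)
                if found is not None:
                    return found
        if accepting(s):
            cyc = dfs2(s, s)
            if cyc is not None:
                return (stack[:-1], cyc)
        stack.pop()
        return None
    for s0 in initials:
        if s0 not in visited:
            found = dfs(s0)
            if found is not None:
                return found
    return None

def check(buchi_of_negation):
    """None: the property holds on every infinite run. Otherwise a counterexample lasso."""
    return nested_dfs(*product(buchi_of_negation))

if __name__ == "__main__":
    print("mutual exclusion:", "holds" if check(NOT_MUTEX) is None else "violated")
    prefix, cycle = check(NOT_GF_CS1)
    print("G F cs1 violated; process 1 never enters cs in cycle", [s for s, _ in cycle])
```

Mutual exclusion produces no accepting cycle. G F cs1 is refuted: the returned lasso is a run in which process 0 loops through its critical section while process 1 never leaves its non-critical state. In the vocabulary of the fairness slides that run is unfair (process 1 is continuously enabled and never scheduled), which is why a fairness-aware search such as PAT's discards it; plain nested DFS has no way to express that assumption.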

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the product can be built on-the-fly

• Some states are never generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process-algebra style modelling language (Promela)
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings

• Nested depth-first search
• Bitstate hashing: a hash function stores each state in only 2 bits; hash collisions can silently drop states, so a run that reports no error is no longer a guarantee
• Partial order reduction

SPIN Example of Petersonrsquos Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until the condition holds */
    ncrit++;
ss:
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until the condition holds */
    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways

• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched

• It exploits the commutativity of concurrently executed transitions, which result in the same state whichever order they are executed in

• Thus this reduction technique is best suited for asynchronous systems

• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph

• The full state graph, which may be too big to fit in memory, is never constructed

• The behaviors of the reduced graph are a subset of the behaviors of the full state graph

• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution

• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel; the specification of such a system can be decomposed into properties that hold of the sub-processes
  – Communication protocol: a sender, a network and a receiver

• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the behaviour of the other sub-processes (its environment)
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (sub-process || sub-process || …)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation

• Disadvantage
  – Loss of precision: false positives/negatives (an over-approximation can report spurious counterexamples that the concrete system cannot exhibit)

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (V together with every variable whose value can affect a variable in V), then M ⊨ f if and only if N ⊨ f, where N is the model reduced with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever, in parallel:
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    F (~v1)        -- v1 will eventually become False

Cone of influence of {v1}: v1 reads v2, v2 reads v1 and v3, v3 reads v1 and v2, so C = {v1, v2, v3}; v4, v5 and v6 never influence v1. The model reduced with respect to C:

    Boolean v1, v2, v3
    Repeat forever, in parallel:
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End

Cone of Influence Reduction
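The reduction on the slide's six-variable model, as an added example that is not taken from the slides: it computes the cone of influence as a fixpoint over the variables each update rule reads, builds the reduced model and checks F (~v1) on both models. Treating v6, which has no update rule, as an input that keeps its initial value is this example's own assumption.

```python
# Cone-of-influence reduction (added example, not from the slides): compute the cone
# of the variables the property mentions, drop every other update rule, and confirm
# that the full and the reduced model give the same verdict on F (~v1).
# The system is the slide's six-variable synchronous model; v6 has no update rule
# and is treated here (an assumption) as an input that keeps its initial value.
from itertools import product

# update rules: target -> (variables read, update function over the current state)
FULL = {
    "v1": (("v2",),      lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
}
ALL_VARS = ("v1", "v2", "v3", "v4", "v5", "v6")

def cone_of_influence(rules, targets):
    """Least fixpoint: every variable read by the rule of a cone variable joins the cone."""
    cone = set(targets)
    changed = True
    while changed:
        changed = False
        for v in list(cone):
            for r in rules.get(v, ((), None))[0]:
                if r not in cone:
                    cone.add(r)
                    changed = True
    return cone

def reduce_model(rules, cone):
    """Keep only the update rules of variables inside the cone."""
    return {v: rule for v, rule in rules.items() if v in cone}

def step(rules, variables, s):
    """Synchronous parallel update ('repeat forever in parallel'); ruleless variables keep their value."""
    env = dict(zip(variables, s))
    return tuple(rules[v][1](env) if v in rules else env[v] for v in variables)

def holds_eventually_not_v1(rules, variables):
    """F (~v1) from every initial state. The model is deterministic, so each initial
    state has exactly one run; the property fails iff that run revisits a state
    before ever reaching one with v1 False."""
    i = variables.index("v1")
    for s in product((False, True), repeat=len(variables)):
        seen = set()
        while s not in seen:
            if not s[i]:
                break
            seen.add(s)
            s = step(rules, variables, s)
        else:
            return False          # cycled with v1 True throughout
    return True

def compare(property_vars=("v1",)):
    """Verdicts and state-space sizes of the full model and its cone-of-influence reduction."""
    cone = cone_of_influence(FULL, property_vars)
    reduced_vars = tuple(v for v in ALL_VARS if v in cone)
    reduced = reduce_model(FULL, cone)
    return {"cone": sorted(cone),
            "full_states": 2 ** len(ALL_VARS),
            "reduced_states": 2 ** len(reduced_vars),
            "full_result": holds_eventually_not_v1(FULL, ALL_VARS),
            "reduced_result": holds_eventually_not_v1(reduced, reduced_vars)}

if __name__ == "__main__":
    print(compare())
```

Both models report that F (~v1) does not hold (from the all-True initial state v1, v2 and v3 stay True forever), but the reduced model does so over 8 states instead of 64. Asking for the cone of v4 instead pulls in all six variables, so nothing is saved: the reduction pays off only when the property looks at a small part of the design.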

Data Abstraction

[Figure: an abstraction function h: S → S' maps each concrete state in S to an abstract state in S'; concrete transitions become transitions between the corresponding abstract states]

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are the components

    x: int  →  {Even, Odd}
        Odd  = { …, -3, -1, 1, 3, … }
        Even = { …, -2, 0, 2, 4, … }

    y: int  →  {Neg, Zero, Pos}
        Pos  = { 1, 2, 3, … }
        Neg  = { …, -3, -2, -1 }
        Zero = { 0 }
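The mappings above, carried through to abstract transitions in an added example that is not from the slides: two constructed concrete operations, x := x + 1 and y := y * 2, are abstracted existentially over the parity and sign domains, which also makes the loss of precision mentioned on the Abstraction slide visible.

```python
# Data abstraction (added example, not from the slides): existential abstraction of
# two constructed concrete operations, x := x + 1 and y := y * 2, over the slide's
# abstract domains {Even, Odd} and {Neg, Zero, Pos}. An abstract transition a -> a'
# exists iff SOME concrete value mapped to a steps to a value mapped to a'.

def h_parity(x):
    """Abstraction function for x: int -> {Even, Odd}."""
    return "Even" if x % 2 == 0 else "Odd"

def h_sign(y):
    """Abstraction function for y: int -> {Neg, Zero, Pos}."""
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")

def abstract_transitions(h, concrete_step, sample):
    """Existential abstraction computed over a finite sample of concrete values.
    For the operations below the sample -4..4 covers every boundary case (-1 -> 0,
    0 -> 1, 0 -> 0), so the result is exact; in general a sample under-approximates
    and the abstract relation has to be derived symbolically."""
    return {(h(c), h(concrete_step(c))) for c in sample}

SAMPLE = range(-4, 5)
INC_PARITY = abstract_transitions(h_parity, lambda x: x + 1, SAMPLE)
INC_SIGN = abstract_transitions(h_sign, lambda y: y + 1, SAMPLE)
DBL_SIGN = abstract_transitions(h_sign, lambda y: y * 2, SAMPLE)

def abstract_successors(rel, a):
    """Abstract states reachable from class a in one step."""
    return sorted(b for (src, b) in rel if src == a)

def can_stay_in(rel, a):
    """Loss of precision made visible: a self-loop on class a lets the abstract
    model stay in a forever even when every concrete run must leave it."""
    return (a, a) in rel

if __name__ == "__main__":
    print("x+1 on parity:", sorted(INC_PARITY))
    print("y+1 from Neg:", abstract_successors(INC_SIGN, "Neg"))
    # Concretely y+1 always reaches 0 from a negative y; abstractly Neg may loop
    # forever, so the abstract model has a spurious counterexample to F Zero.
    print("abstract Neg can loop:", can_stay_in(INC_SIGN, "Neg"))
```

Parity abstracts x + 1 exactly (Even and Odd alternate). Sign does not: y + 1 maps Neg to both Neg and Zero, so the abstract model allows a run that stays negative forever, although every concrete run from a negative y reaches 0. A property such as F Zero therefore fails on the abstraction while it holds concretely, which is the false negative the Abstraction slide warns about; y * 2 keeps every sign class, so sign abstracts it exactly.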

Symmetry

• Symmetry partitions the state space into equivalence classes (orbits)
• With knowledge of the symmetry, search only one state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting and exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };
byte tok = 1;

active [2] proctype user()
{
    mtype state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1 but tok is 1 or 2, so the
                                                            comparison is shifted by one to match the
                                                            state graph below (C1 with tok=1, C2 with tok=2) */
    :: (state == C) -> state = N;
                       if                                /* pass the token nondeterministically */
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

[Figure: the full state graph of the two-process token model (12 states: N1 N2, N1 T2, T1 N2, T1 T2, C1 N2 and C1 T2 with tok=1, plus their mirror images N1 N2, T1 N2, N1 T2, T1 T2, N1 C2 and T1 C2 with tok=2) next to the reduced state graph, which keeps one representative per orbit of the process-swap symmetry: N1 N2, N1 T2, T1 N2, T1 T2, C1 N2 and C1 T2, all with tok=1. Left: State-graph; right: Reduced state-graph]
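The two state graphs above, recomputed in an added example that is not part of the slides or of SPIN. The Promela model is re-expressed as a Python successor function with the same N/T/C local states and the same nondeterministic token passing, and the process swap is the symmetry that is exploited; the choice of the lexicographically smaller state as orbit representative is this example's own.

```python
# Symmetry reduction (added example, not from the slides or SPIN): the two-process
# token model of the Promela slide, explored in full and then modulo the process
# swap, which maps (state1, state2, tok) to (state2, state1, 3 - tok). The reduced
# search stores one representative per orbit and gives the same verdict for any
# property that is itself symmetric, such as mutual exclusion.

INITIAL = ("N", "N", 1)

def successors(state):
    """Interleaving semantics of the Promela model: one step of either process."""
    locs, tok = list(state[:2]), state[2]
    out = []
    for i in (0, 1):
        loc = locs[i]
        if loc == "N":
            moves = [("T", tok)]
        elif loc == "T" and tok == i + 1:     # only the token holder may enter C
            moves = [("C", tok)]
        elif loc == "C":
            moves = [("N", 1), ("N", 2)]      # leave C, pass the token nondeterministically
        else:
            continue                          # T without the token: blocked
        for new_loc, new_tok in moves:
            nxt = list(locs)
            nxt[i] = new_loc
            out.append((nxt[0], nxt[1], new_tok))
    return out

def swap(state):
    """The automorphism: rename process 1 as 2 and vice versa (tok 1 <-> 2)."""
    return (state[1], state[0], 3 - state[2])

def canonical(state):
    """Orbit representative: the lexicographically smaller of the state and its swapped image."""
    return min(state, swap(state))

def explore(representative=lambda s: s):
    """Explicit-state reachability; `representative` canonicalises each state before it is stored."""
    start = representative(INITIAL)
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for t in successors(s):
            t = representative(t)
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

def mutual_exclusion(states):
    """The symmetric safety property checked on whichever state set is passed in."""
    return not any(s[0] == "C" and s[1] == "C" for s in states)

def is_symmetric():
    """Sanity check that the model really has the symmetry: swap commutes with the successor relation."""
    return all(sorted(map(swap, successors(s))) == sorted(successors(swap(s))) for s in explore())

if __name__ == "__main__":
    full, reduced = explore(), explore(canonical)
    print(len(full), "states in the full graph,", len(reduced), "in the reduced graph")
    print("mutual exclusion:", mutual_exclusion(full), mutual_exclusion(reduced))
```

The full exploration visits the 12 states of the left graph and the reduced one the 6 representatives of the right graph, with the same verdict for mutual exclusion. The `is_symmetric` check is the part a tool has to automate (symmetry detection); canonicalising in `explore` is the exploitation step, and it is only sound because the swap maps successors to successors.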


Symbolic Model Checking (cont)

bull How to evaluate fixpoint formulas using OBDDs

bull Introduce state variables

bull Now compute the sequence

bull until convergence

Problems with BDDs

bull BDDs are a canonical representation Often become too large

bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handle Fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                      SPIN
                          states     time      memory          states     time      memory
    Migratory Protocol (2)  155040     108.63s   56.3 MB         435456     2.34s     42.8 MB
    Stable Marriage (2)     710        0.84s     7.3 MB          568        <0.01s    1.5 MB
    Stable Marriage (3)     1275       2.72s     10.4 MB         945        <0.01s    1.5 MB
    Stable Marriage (5)     10351      31.56s    30.0 MB         8421       0.03s     2.1 MB
    Best (7)                15         0.06s     0.7 MB          2187       0.03s     1.5 MB
    Best (20)               41         0.34s     5.7 MB          N/A
    Worst (3)               15         0.04s     0.3 MB          15         <0.01s    1.5 MB
    Worst (20)              2097150    0.36s     5.0 MB          2097150    15.03s    110.6 MB
    Worst (100)             2.54E+30   14.34s    14.6 MB         N/A

• SPIN faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

    Non-PO                NuSMV                                SPIN
                          states     time       memory          states     time      memory
    2                     70         0.11s      1.1 MB          70         <0.01s    1.5 MB
    3                     488        0.57s      4.6 MB          488        <0.01s    1.5 MB
    4                     3576       6.77s      10.6 MB         3576       0.10s     2.3 MB
    8                     N/A                                   N/A

    PO                    NuSMV-ImProviso                      SPIN
                          states     time       memory          states     time      memory
    2                     48         0.10s      1.0 MB          48         0.02s     1.5 MB
    3                     209        0.31s      3.0 MB          209        <0.01s    1.5 MB
    4                     922        1.77s      10.4 MB         922        <0.01s    1.7 MB
    8                     306903     3553.86s   381.8 MB        306903     11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful

• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


Problems with BDDs

• BDDs are a canonical representation. Often become too large

• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists

• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms

• Do not suffer from the potential space explosion of BDDs

• Can handle functions with s to s of variables

• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs

• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine

• We look for longer and longer paths by incrementing the bound k

• After some number of iterations we may conclude that no such path exists and the specification holds

• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures

• It finds finite paths of minimal length. This helps the user understand the example more easily

• It uses much less space than BDD-based approaches

• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
    • Counterexample
  – L(M) is the set of traces of M
  – L(φ) is the set of traces that satisfy φ

• L(M) ⊆ L(φ)

• Equivalently L(M) ∩ L(¬φ) = ∅

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of S, I, a transition relation and F, where
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(Automaton over the states S0, S1, S2; the figure is not preserved)

    Sequence 1: S0 S1 S2 S2 S2 S2 …    ACCEPTED
    Sequence 2: S0 S1 S2 S1 S2 S1 …    ACCEPTED
    Sequence 3: S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (L(M) ∩ L(¬φ))
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detect"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
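The DFS / DFS2 pseudocode above in runnable form, as an added example (not code from the slides): the outer search starts the inner search from an accepting state only after all of that state's successors are done, which is the same post-order as the slide's check on s' and is what makes a single shared visited2 set sound, and the path on the DFS stack plus the inner cycle is returned as the lasso-shaped counterexample. Assumption: the graph is the three-state automaton read off the acceptance example a few slides back (S0→S1, S1→S1, S1→S2, S2→S2, S2→S1, with S2 accepting), standing in for a product automaton.

```python
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, List[str]]

# Büchi automaton read off the slide's acceptance example (assumption,
# since the figure was not preserved): S2 is the only accepting state.
AUTOMATON: Graph = {
    "S0": ["S1"],
    "S1": ["S1", "S2"],
    "S2": ["S2", "S1"],
}
ACCEPTING: Set[str] = {"S2"}


def nested_dfs(graph: Graph, initial: str, accepting: Set[str]
               ) -> Optional[Tuple[List[str], List[str]]]:
    """Search for a reachable accepting cycle.

    Returns (prefix, cycle): prefix leads from `initial` to an accepting
    state and cycle returns from that state to itself (a lasso-shaped
    counterexample), or None when no accepting cycle is reachable."""
    visited: Set[str] = set()     # states seen by the outer search
    visited2: Set[str] = set()    # states seen by any inner search
    path: List[str] = []          # current outer DFS path

    def dfs2(s: str, seed: str, cycle: List[str]) -> Optional[List[str]]:
        visited2.add(s)
        for t in graph.get(s, []):
            if t == seed:
                return cycle + [t]             # closed the cycle: "Cycle Detect"
            if t not in visited2:
                found = dfs2(t, seed, cycle + [t])
                if found:
                    return found
        return None

    def dfs(s: str) -> Optional[Tuple[List[str], List[str]]]:
        visited.add(s)
        path.append(s)
        for t in graph.get(s, []):
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
        # Post-order: the inner search from s starts only once every
        # successor of s has been fully explored.
        if s in accepting:
            cycle = dfs2(s, s, [s])
            if cycle:
                return (list(path), cycle)
        path.pop()
        return None

    return dfs(initial)


def is_lasso(graph: Graph, prefix: List[str], cycle: List[str], accepting: Set[str]) -> bool:
    """Check that prefix followed by cycle is a genuine accepting run of the graph."""
    run = prefix + cycle[1:]
    edges_ok = all(b in graph.get(a, []) for a, b in zip(run, run[1:]))
    return edges_ok and prefix[-1] == cycle[0] == cycle[-1] and cycle[0] in accepting
```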

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);
        ncrit++;
    ss:
        assert(ncrit == 1);    /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);
        ncrit++;
        assert(ncrit == 1);    /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways

• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states
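The counting argument on this slide, reproduced by an added example (not code from the slides): a state records which of the n independent transitions have fired, the full interleaved graph is explored, and then the same search is run with the simplest ample set, which fires only the lowest-numbered pending transition at each state, giving 2^n versus n + 1 states and n! versus 1 orderings. Assumption: the transitions are pairwise independent and the property does not distinguish their orderings, which is the condition the slide states.

```python
from typing import Callable, FrozenSet, List, Set

# A state records which of the n independent transitions have already
# fired; the initial state is the empty set.
State = FrozenSet[int]
Succ = Callable[[State, int], List[State]]


def full_successors(s: State, n: int) -> List[State]:
    """Interleaving semantics: any pending transition may fire next."""
    return [s | {t} for t in range(n) if t not in s]


def ample_successors(s: State, n: int) -> List[State]:
    """Representative semantics: because the transitions are pairwise
    independent, firing only the lowest-numbered pending one is an ample
    set (assumption: the property does not distinguish the orderings)."""
    pending = [t for t in range(n) if t not in s]
    return [s | {pending[0]}] if pending else []


def reachable(n: int, succ: Succ) -> Set[State]:
    """DFS over the graph generated by succ, starting from the empty set."""
    start: State = frozenset()
    seen: Set[State] = {start}
    stack = [start]
    while stack:
        s = stack.pop()
        for t in succ(s, n):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def count_orderings(n: int, succ: Succ) -> int:
    """Number of distinct complete executions (paths to the state in which
    every transition has fired) in the graph generated by succ."""
    def paths_from(s: State) -> int:
        nxt = succ(s, n)
        return 1 if not nxt else sum(paths_from(t) for t in nxt)
    return paths_from(frozenset())
```

Both graphs still reach the final state in which every transition has fired, so a property that only looks at that state gets the same verdict from the reduced graph.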

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched

• It exploits the commutativity of concurrently executed transitions, which result in the same state

• Thus this reduction technique is best suited for asynchronous systems

• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph

• The full state graph, which may be too big to fit in memory, is never constructed

• The behaviors of the reduced graph are a subset of the behaviors of the full state graph

• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. Infinite state → Finite state approximation

• Disadvantage
  – Loss of Precision: False positives/negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction



Advantages of SAT Procedures

bull SAT procedures also operate on Boolean expressions but do not use canonical forms

bull Do not suffer from the potential space explosion of BDDs

bull Can handle functions with s to s of variables

bull Very efficient implementations available

Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

bull We look for longer and longer paths by incrementing the bound k

bull After some number of iterations we may conclude no such path exists and specification holds

bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

bull It finds finite paths of minimal length This helps user understand the example more easily

bull It uses much less space than BDD based approaches

bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV A New Symbolic Model Verifier

bull Finite-state Systems described in a specialized language

bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

efficiency and control state explosion

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

State graph (12 states; Ni, Ti, Ci is process i in phase N, T or C; each row pairs a state with its image under swapping the two processes):
  N1 N2, tok=1    N1 N2, tok=2
  N1 T2, tok=1    T1 N2, tok=2
  T1 N2, tok=1    N1 T2, tok=2
  T1 T2, tok=1    T1 T2, tok=2
  C1 N2, tok=1    N1 C2, tok=2
  C1 T2, tok=1    T1 C2, tok=2

Reduced state graph (6 states, one representative per equivalence class):
  N1 N2, tok=1
  N1 T2, tok=1
  T1 N2, tok=1
  T1 T2, tok=1
  C1 N2, tok=1
  C1 T2, tok=1
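The reduction above recomputed, as an added example that is not part of the original slides: it explores the token model from the SPIN slide explicitly, once in full and once with every state replaced by a canonical representative under process permutation, and checks mutual exclusion on both. It generalises the slide's two processes to n; process numbering is 1-based to match the state graph, and the phase names and function names are this example's own.

```python
from collections import deque
from itertools import permutations

# Local phases of one process, as in the slide's Promela:
# N (non-critical), T (trying), C (critical).
N, T, C = "N", "T", "C"


def _with(tup, i, v):
    """Return tup with position i replaced by v."""
    return tup[:i] + (v,) + tup[i + 1:]


def successors(state, n):
    """Interleaving semantics of the slide's model for n processes.
    state = (phases, tok): phases[i] is the phase of process i+1 and tok,
    in 1..n, names the process allowed to enter C."""
    phases, tok = state
    out = []
    for i, phase in enumerate(phases):
        if phase == N:
            out.append((_with(phases, i, T), tok))
        elif phase == T and tok == i + 1:
            out.append((_with(phases, i, C), tok))
        elif phase == C:
            for new_tok in range(1, n + 1):  # the non-deterministic if ... fi
                out.append((_with(phases, i, N), new_tok))
    return out


def canonical(state, n):
    """Representative of the orbit of state under all process permutations.
    A permutation is applied to the local phases and to the token owner
    alike; the lexicographically smallest image is the representative."""
    phases, tok = state
    best = None
    for perm in permutations(range(n)):  # perm[i] = new index of process i
        new_phases = [None] * n
        for i, phase in enumerate(phases):
            new_phases[perm[i]] = phase
        image = (tuple(new_phases), perm[tok - 1] + 1)
        if best is None or image < best:
            best = image
    return best


def explore(n, use_symmetry=False):
    """Breadth-first search of the states reachable from (N..N, tok=1).
    With use_symmetry every state is replaced by its representative before
    it is stored or expanded, so one state per equivalence class is searched."""
    rep = (lambda s: canonical(s, n)) if use_symmetry else (lambda s: s)
    init = rep(((N,) * n, 1))
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        for t in successors(s, n):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def mutual_exclusion(states):
    """Never two processes in C at once. The property is invariant under
    process permutation, so checking it on the reduced graph is sound."""
    return all(sum(1 for p in phases if p == C) <= 1 for phases, _ in states)


if __name__ == "__main__":
    full, reduced = explore(2), explore(2, use_symmetry=True)
    print(len(full), "states in the full graph,", len(reduced), "after reduction")
    print("mutual exclusion holds:", mutual_exclusion(reduced))
```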

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system supporting the composition, simulation and reasoning of an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states      time       memory       states      time       memory
  Migratory Protocol (2)  155040      108.63s    56.3 MB      435456      2.34s      42.8 MB
  Stable Marriage (2)     710         0.84s      7.3 MB       568         <0.01s     1.5 MB
  Stable Marriage (3)     1275        2.72s      10.4 MB      945         <0.01s     1.5 MB
  Stable Marriage (5)     10351       31.56s     30.0 MB      8421        0.03s      2.1 MB
  Best (7)                15          0.06s      0.7 MB       2187        0.03s      1.5 MB
  Best (20)               41          0.34s      5.7 MB       N/A¹
  Worst (3)               15          0.04s      0.3 MB       15          <0.01s     1.5 MB
  Worst (20)              2097150     0.36s      5.0 MB       2097150     15.03s     110.6 MB
  Worst (100)             2.54E+30    14.34s     14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

  Non-PO    NuSMV                               SPIN
            states     time        memory       states     time        memory
  2         70         0.11s       1.1 MB       70         <0.01s      1.5 MB
  3         488        0.57s       4.6 MB       488        <0.01s      1.5 MB
  4         3576       6.77s       10.6 MB      3576       0.10s       2.3 MB
  8         N/A¹                                N/A¹

  PO        NuSMV-ImProviso                     SPIN
            states     time        memory       states     time        memory
  2         48         0.10s       1.0 MB       48         0.02s       1.5 MB
  3         209        0.31s       3.0 MB       209        <0.01s      1.5 MB
  4         922        1.77s       10.4 MB      922        <0.01s      1.7 MB
  8         306903     3553.86s    381.8 MB     306903     11.82s      232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
    • Counterexample
  – The language of M is the set of traces of M
  – The language of φ is the set of traces that satisfy φ
• M satisfies φ iff the language of M is contained in the language of φ
• Equivalently, no trace of M satisfies ¬φ

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple of S, I, a transition relation and F
  – S is a finite set of states
  – I, a subset of S, is the set of initial states
  – the transition relation relates states of S to states of S
  – F, a subset of S, is the set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States: S0, S1, S2

  Trace 1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
  Trace 2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
  Trace 3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the traces of M that satisfy ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

  procedure DFS(s)
    add s to visited
    for each successor s' of s
      if s' not in visited then
        DFS(s')
        if s' is accepting then
          DFS2(s', s')
        end if
      end if
    end for
  end procedure

  procedure DFS2(s, seed)
    add s to visited2
    for each successor s' of s
      if s' = seed then
        return "Cycle Detected"
      end if
      if s' not in visited2 then
        DFS2(s', seed)
      end if
    end for
  end procedure
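The two procedures above in runnable form, as an added example that is not part of the original slides: it runs the nested DFS over a constructed product automaton whose states S0, S1, S2 and acceptance set {S2} are chosen to match the traces of the Example slide, and returns the counterexample as a lasso (finite prefix plus repeated cycle). It also covers an accepting initial state, which the pseudo-code only seeds from successors. The class and function names are this example's own.

```python
from typing import Dict, List, Optional, Set, Tuple


class Buchi:
    """An explicit Büchi automaton, here standing for the product of M and B¬φ."""

    def __init__(self, initial: str, successors: Dict[str, List[str]], accepting: Set[str]):
        self.initial = initial
        self.successors = successors
        self.accepting = accepting


Lasso = Tuple[List[str], List[str]]  # (finite prefix, cycle repeated forever)


def nested_dfs(aut: Buchi) -> Optional[Lasso]:
    """The slide's algorithm: an outer DFS over all states and, once an
    accepting state has been fully explored, an inner DFS (DFS2) that looks
    for a path back to it. Returns None if there is no accepting cycle."""
    visited: Set[str] = set()
    visited2: Set[str] = set()
    path: List[str] = []   # current outer DFS path = prefix of the lasso
    cycle: List[str] = []  # current inner DFS path, starting at the seed

    def dfs2(s: str, seed: str) -> bool:
        visited2.add(s)
        for t in aut.successors.get(s, []):
            if t == seed:
                return True                  # "Cycle Detected"
            if t not in visited2:
                cycle.append(t)
                if dfs2(t, seed):
                    return True
                cycle.pop()
        return False

    def dfs(s: str) -> bool:
        visited.add(s)
        path.append(s)
        for t in aut.successors.get(s, []):
            if t not in visited:
                if dfs(t):
                    return True
                if t in aut.accepting:       # nested search seeded at t
                    cycle[:] = [t]
                    if dfs2(t, t):
                        return True
        path.pop()
        return False

    if dfs(aut.initial):
        return list(path), list(cycle)
    # The pseudo-code only seeds DFS2 from successors, so an accepting
    # initial state needs its own nested search.
    if aut.initial in aut.accepting:
        cycle[:] = [aut.initial]
        if dfs2(aut.initial, aut.initial):
            return [], list(cycle)
    return None


def lasso_str(lasso: Lasso) -> str:
    """Render a lasso as an infinite word, e.g. 'S0 S1 (S2)^ω'."""
    prefix, cycle = lasso
    head = " ".join(prefix) + (" " if prefix else "")
    return head + "(" + " ".join(cycle) + ")^ω"


# Constructed to match the Example slide: S2 is accepting and can be
# revisited, so traces 1 and 2 of that slide are accepted.
PRODUCT_WITH_CYCLE = Buchi(
    initial="S0",
    successors={"S0": ["S1"], "S1": ["S2", "S1"], "S2": ["S2", "S1"]},
    accepting={"S2"},
)

# Constructed: S2 is still accepting but can be passed only once, so no
# run visits an accepting state infinitely often.
PRODUCT_WITHOUT_CYCLE = Buchi(
    initial="S0",
    successors={"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S3"], "S3": ["S3"]},
    accepting={"S2"},
)

# Constructed: the only accepting state is the initial one.
ACCEPTING_INITIAL = Buchi(
    initial="S0",
    successors={"S0": ["S1"], "S1": ["S0"]},
    accepting={"S0"},
)


if __name__ == "__main__":
    for name, aut in [("with cycle", PRODUCT_WITH_CYCLE),
                      ("without cycle", PRODUCT_WITHOUT_CYCLE),
                      ("accepting initial", ACCEPTING_INITIAL)]:
        found = nested_dfs(aut)
        print(name, "->", "no counterexample" if found is None else lasso_str(found))
```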

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: it can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
  flag[0] = 1;
reach:
  turn = 0;
cs:
  (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is not interested or arrived later */
  ncrit++;
ss:
  assert(ncrit == 1);   /* critical section */
  ncrit--;
  flag[0] = 0;
  goto again
}

active proctype user1()
{
again:
  flag[1] = 1;
reach:
  turn = 1;
cs:
  (flag[1 - 1] == 0 || turn == 1 - 1);
  ncrit++;
  assert(ncrit == 1);   /* critical section */
  ncrit--;
  flag[1] = 0;
  goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors




bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling:
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers:
  – Explicit Model Checker
  – Bounded Model Checker
• Features:
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

(Decimal points in the time and memory columns are restored from the extracted digits: two decimals for seconds, one for MB. NA¹: not available.)

                          NuSMV-ImProviso                     SPIN
                          states     time      memory         states     time      memory
Migratory Protocol (2)    155040     108.63s   56.3 MB        435456     2.34s     42.8 MB
Stable Marriage (2)       710        0.84s     7.3 MB         568        <0.01s    1.5 MB
Stable Marriage (3)       1275       2.72s     10.4 MB        945        <0.01s    1.5 MB
Stable Marriage (5)       10351      31.56s    30.0 MB        8421       0.03s     2.1 MB
Best (7)                  15         0.06s     0.7 MB         2187       0.03s     1.5 MB
Best (20)                 41         0.34s     5.7 MB         NA¹
Worst (3)                 15         0.04s     0.3 MB         15         <0.01s    1.5 MB
Worst (20)                2097150    0.36s     5.0 MB         2097150    15.03s    110.6 MB
Worst (100)               2.54E+30   14.34s    14.6 MB        NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

        NuSMV                              SPIN
  n     states    time     memory          states    time      memory
  2     70        0.11s    1.1 MB          70        <0.01s    1.5 MB
  3     488       0.57s    4.6 MB          488       <0.01s    1.5 MB
  4     3576      6.77s    10.6 MB         3576      0.10s     2.3 MB
  8     NA¹                                NA¹

With partial order reduction (PO):

        NuSMV-ImProviso                    SPIN
  n     states    time       memory        states    time      memory
  2     48        0.10s      1.0 MB        48        0.02s     1.5 MB
  3     209       0.31s      3.0 MB        209       <0.01s    1.5 MB
  4     922       1.77s      10.4 MB       922       <0.01s    1.7 MB
  8     306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking:
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques:
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied:
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique:
  – Explicit Model Checking
  – Benefits:
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques:
  – Abstraction
  – Compositional Reasoning
  – Symmetry


NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD and SAT based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ:
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ → counterexample
• The set of traces of M must be contained in the set of traces that satisfy φ
• Equivalently, no trace of M satisfies ¬φ

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of:
  – S, a finite set of states
  – I, a subset of S: the set of initial states
  – a transition relation on pairs of states of S
  – F, a subset of S: the set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: a Büchi automaton with states S0, S1, S2; from the three verdicts below, S2 is accepting and S1 is not]

  trace 1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
  trace 2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
  trace 3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ:
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the traces of M that satisfy ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
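An added example, not from the slides and not SPIN's code, that serves two slides at once: the two-process token model from "Model Written in SPIN" is re-encoded in Python and explored with and without symmetry reduction (the 12 states of the state-graph against the 6 representatives of the reduced state-graph), and then checked with the nested DFS above over its product with a Büchi automaton for the negated property. The two Büchi automata (for mutual exclusion, and for "a trying process 1 eventually enters the critical section") are this example's own encodings; the second property is expected to fail because the model carries no fairness assumption.

```python
N, T, C = "N", "T", "C"          # process states: Neutral, Trying, Critical
INIT = (N, N, 1)                 # (process 1 state, process 2 state, tok)


def successors(state):
    """Interleaving semantics: one move of one process per step."""
    procs, tok = list(state[:2]), state[2]
    out = []
    for i, s in enumerate(procs):
        moves = []
        if s == N:
            moves.append((T, tok))
        elif s == T and tok == i + 1:        # only the token holder enters C
            moves.append((C, tok))
        elif s == C:                         # leave C and pass the token on
            moves.extend((N, new_tok) for new_tok in (1, 2))
        for new_s, new_tok in moves:
            nxt = list(procs)
            nxt[i] = new_s
            out.append((nxt[0], nxt[1], new_tok))
    return out


def reachable(init, succ, canon=lambda s: s):
    """Reachable states; `canon` maps a state to its orbit representative."""
    seen, stack = {canon(init)}, [canon(init)]
    while stack:
        for t in succ(stack.pop()):
            c = canon(t)
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def swap(state):
    """The symmetry: exchange the two processes and renumber the token."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative: the member with tok == 1, as on the slide."""
    return state if state[2] == 1 else swap(state)


class Buchi:
    """Buchi automaton over state labels; transitions are (q, guard, q')."""
    def __init__(self, init, accepting, transitions):
        self.init, self.accepting, self.trans = init, accepting, transitions


def product_successors(model_succ, buchi):
    """Successors in the product M x B: the automaton reads the label of the
    model state it is leaving while the model takes one step."""
    def succ(ps):
        s, q = ps
        return [(t, q2) for (q1, guard, q2) in buchi.trans
                if q1 == q and guard(s) for t in model_succ(s)]
    return succ


def ndfs(init, succ, accepting):
    """True iff an accepting cycle is reachable.  As in the pseudocode above,
    the nested search from an accepting state starts once the outer DFS has
    returned from it (post-order), which keeps a single shared visited2 sound."""
    visited, visited2 = set(), set()

    def dfs2(s, seed):
        visited2.add(s)
        for t in succ(s):
            if t == seed or (t not in visited2 and dfs2(t, seed)):
                return True
        return False

    def dfs(s):
        visited.add(s)
        for t in succ(s):
            if t not in visited and dfs(t):
                return True
        return accepting(s) and dfs2(s, s)

    return dfs(init)


always = lambda s: True
# not G !(C1 & C2)  ==  F (C1 & C2): mutual exclusion is violated
NOT_MUTEX = Buchi("q0", {"q1"}, [("q0", always, "q0"),
                                 ("q0", lambda s: s[0] == C and s[1] == C, "q1"),
                                 ("q1", always, "q1")])
# not G (T1 -> F C1)  ==  F (T1 & G !C1): process 1 starves
STARVATION = Buchi("q0", {"q1"}, [("q0", always, "q0"),
                                  ("q0", lambda s: s[0] == T, "q1"),
                                  ("q1", lambda s: s[0] != C, "q1")])


def violated(buchi):
    """True iff some run of the model is accepted by `buchi` (a counterexample)."""
    succ = product_successors(successors, buchi)
    return ndfs((INIT, buchi.init), succ, lambda ps: ps[1] in buchi.accepting)
```

`len(reachable(INIT, successors))` is 12 and `len(reachable(INIT, successors, canonical))` is 6; `violated(NOT_MUTEX)` is False while `violated(STARVATION)` is True, the starvation run being process 2 cycling N, T, C while it keeps handing the token to itself.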

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra:
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN: Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is not interested or has yielded */

        ncrit++;
    ss:
        assert(ncrit == 1);   /* critical section */
        ncrit--;

        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);

        ncrit++;
        assert(ncrit == 1);   /* critical section */
        ncrit--;

        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus, this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm:
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage:
  – Loss of precision: false positives/negatives
• Approaches:
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

NuSMV language by examples

Explicit Model Checking

bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

bull Counterexample

ndash M is the set of traces of M

ndash is the set of traces that satisfy

bull M

bull Equivalently M not=

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample

• Counterexample
  – consider the set of traces of M
  – and the set of traces that satisfy φ

• M satisfies φ iff the set of traces of M is contained in the set of traces that satisfy φ

• Equivalently, no trace of M satisfies ¬φ (the two sets of traces, those of M and those satisfying ¬φ, are disjoint)

Buumlchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: a Büchi automaton with states S0, S1, S2]

Trace 1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Buumlchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the traces of M that satisfy ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detect"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed to enter */

    ncrit++;
ss:
    assert(ncrit == 1);   /* critical section */
    ncrit--;

    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed to enter */

    ncrit++;
    assert(ncrit == 1);   /* critical section */
    ncrit--;

    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways

• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched

• It exploits the commutativity of concurrently executed transitions which result in the same state

• Thus this reduction technique is best suited for asynchronous systems

• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph

• The full state graph, which may be too big to fit in memory, is never constructed

• The behaviors of the reduced graph are a subset of the behaviors of the full state graph

• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation

• Disadvantage
  – Loss of precision: false positives / negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model

Boolean v1, v2, v3, v4, v5, v6;
Repeat forever in parallel
    v1 = v2; v2 = v1 & v3; v3 = v1 & v2; v4 = v5 & v3; v5 = v4 & v6;
End

A Simple LTL property

(F (~v1))    v1 will eventually become False

Cone of Influence Reduction: the property refers only to v1, whose cone is {v1, v2, v3}

Boolean v1, v2, v3;
Repeat forever in parallel
    v1 = v2;
    v2 = v1 & v3;
    v3 = v1 & v2;
End
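An added example, not from the slides: the cone-of-influence closure computed over a constructed encoding of the equations above (the names SYSTEM, cone_of_influence and reduce_model are chosen here), showing that F(~v1) keeps only v1, v2, v3 while a property over v4 would pull in every variable.

```python
# Constructed encoding of the 'A Simple System Model' slide: each variable maps
# to the set of variables its next-state equation reads (v6 is never assigned).
SYSTEM = {
    'v1': {'v2'},
    'v2': {'v1', 'v3'},
    'v3': {'v1', 'v2'},
    'v4': {'v5', 'v3'},
    'v5': {'v4', 'v6'},
    'v6': set(),
}

def cone_of_influence(deps, referenced):
    """Least set containing `referenced` that is closed under 'reads': if v is in
    the cone, every variable v's equation depends on is in the cone as well."""
    cone = set(referenced)
    frontier = list(referenced)
    while frontier:                          # worklist fixpoint
        for w in deps.get(frontier.pop(), ()):
            if w not in cone:
                cone.add(w)
                frontier.append(w)
    return cone

def reduce_model(deps, formula_vars):
    """Reduced model N: only the equations of variables inside the cone survive.
    By the theorem on the slide, <f, N> holds iff <f, M> holds for f over formula_vars."""
    cone = cone_of_influence(deps, formula_vars)
    return {v: deps[v] for v in cone}

if __name__ == '__main__':
    # F(~v1) mentions only v1: the reduced model drops v4, v5 and v6 entirely.
    print(reduce_model(SYSTEM, {'v1'}))
    # A property over v4 instead would keep all six variables.
    print(cone_of_influence(SYSTEM, {'v4'}))
```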

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int → {Even, Odd}
    … −2, 0, 2, 4, …   ↦ Even
    … −3, −1, 1, 3, …  ↦ Odd

y: int → {Neg, Zero, Pos}
    … −3, −2, −1       ↦ Neg
    0                  ↦ Zero
    1, 2, 3, …         ↦ Pos

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* process states (declaration not shown on the slide) */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the two-process model]

State graph (12 states, each written as the states of process 1 and process 2 plus the token holder):
    N1 N2 tok=1      N1 N2 tok=2
    N1 T2 tok=1      T1 N2 tok=2
    T1 N2 tok=1      N1 T2 tok=2
    T1 T2 tok=1      T1 T2 tok=2
    C1 N2 tok=1      N1 C2 tok=2
    C1 T2 tok=1      T1 C2 tok=2

Reduced state graph (6 states, one representative per symmetric pair):
    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
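An added example, not from the slides and not SPIN's or PAT's code, serving both the Nested Depth First Search slides (DFS/DFS2 on the product with B¬φ) and the Symmetry slides above: a constructed two-process token model that mirrors the Promela above (process ids 0/1 and token values 0/1 instead of 1/2), hand-built Büchi automata for the negations of mutual exclusion and of a liveness property, the product, nested DFS returning the counterexample lasso, and the swap-based quotient that reproduces the 12-to-6 reduction of the figure. All function and automaton names are chosen here.

```python
# Added example: explicit-state LTL checking by nested DFS over a Büchi product,
# and symmetry reduction of the same state graph. Model: constructed two-process
# token ring, process ids 0/1, token values 0/1 (the slide's Promela uses 1/2).
INIT = ('N', 'N', 0)          # (state of process 0, state of process 1, token holder)

def successors(state):
    """Interleavings: N -> T always; T -> C only while holding the token;
    C -> N hands the token to process 0 or 1 non-deterministically."""
    s0, s1, tok = state
    def put(pid, st, t):      # tuple with process `pid` moved to state `st`
        return (st, s1, t) if pid == 0 else (s0, st, t)
    out = []
    for pid, cur in ((0, s0), (1, s1)):
        if cur == 'N':
            out.append(put(pid, 'T', tok))
        elif cur == 'T' and tok == pid:
            out.append(put(pid, 'C', tok))
        elif cur == 'C':
            out += [put(pid, 'N', t) for t in (0, 1)]
    return out

def labels(state):            # atomic propositions true in a model state, e.g. {'T0', 'C1'}
    return {f"{st}{pid}" for pid, st in enumerate(state[:2])}

# Büchi automata for the NEGATED properties: a transition (q, guard, q') fires when
# `guard` holds on the labels of the model state being entered.
NOT_MUTEX = dict(init='q0', accept={'q1'}, trans=[     # ¬G¬(C0∧C1) = F(C0∧C1)
    ('q0', lambda L: True, 'q0'),
    ('q0', lambda L: {'C0', 'C1'} <= L, 'q1'),
    ('q1', lambda L: True, 'q1')])
NOT_LIVE = dict(init='q0', accept={'q1'}, trans=[      # ¬G(T1→F C1) = F(T1∧G¬C1)
    ('q0', lambda L: True, 'q0'),
    ('q0', lambda L: 'T1' in L and 'C1' not in L, 'q1'),
    ('q1', lambda L: 'C1' not in L, 'q1')])

def product(buchi):
    """Product of the model with B¬φ: (initial states, successor function, accepting test)."""
    def step(q, m):
        return [(m, qb) for qa, g, qb in buchi['trans'] if qa == q and g(labels(m))]
    def succ(ps):
        return [p for m in successors(ps[0]) for p in step(ps[1], m)]
    return step(buchi['init'], INIT), succ, lambda ps: ps[1] in buchi['accept']

class CycleFound(Exception): pass

def nested_dfs(inits, succ, accepting):
    """DFS/DFS2 from the slides; DFS2 starts from an accepting state once its DFS
    subtree is finished (post-order). Returns (prefix to seed, cycle from seed) or None."""
    visited, visited2, stack, found = set(), set(), [], []
    def dfs2(s, seed, cyc):
        visited2.add(s)
        for t in succ(s):
            if t == seed:                  # back at the seed: accepting cycle
                found[:] = [list(stack), cyc + [s]]
                raise CycleFound
            if t not in visited2:
                dfs2(t, seed, cyc + [s])
    def dfs(s):
        visited.add(s)
        stack.append(s)
        for t in succ(s):
            if t not in visited:
                dfs(t)
        if accepting(s):
            dfs2(s, s, [])
        stack.pop()
    try:
        for s in inits:
            if s not in visited:
                dfs(s)
    except CycleFound:
        return found[0], found[1]
    return None

def check(negated_property):
    """Counterexample lasso in product states, or None when the property holds."""
    return nested_dfs(*product(negated_property))

# Symmetry: exchanging the two processes (and the token) maps the state graph onto itself.
def swap(state):
    return (state[1], state[0], 1 - state[2])

def reachable():
    seen, todo = {INIT}, [INIT]
    while todo:
        for t in successors(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def symmetry_quotient(states):
    """One representative per orbit {s, swap(s)}: the one where process 0 holds the token."""
    return {s if s[2] == 0 else swap(s) for s in states}

if __name__ == '__main__':
    print(check(NOT_MUTEX), check(NOT_LIVE))   # None (mutex holds); a lasso (no fairness assumed)
    print(len(reachable()), len(symmetry_quotient(reachable())))
```

The liveness counterexample is the starvation the Fairness slides refer to: without a fairness assumption, process 0 may cycle through N, T, C forever while process 1 stays in T.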

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handle fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Buumlchi Automata

bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

S0 S1 S2

1=S0S1S2S2S2S2hellip

2=S0S1S2S1S2S1hellip

3=S0S1S2S1S1S1hellip

ACCEPTED

ACCEPTED

REJECTED

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry


Example

[Figure: a Büchi automaton over the states S0, S1, S2; its transitions and accepting state are drawn only in the original slide]

1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ B¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search whenever we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example (2) and Example (3): the nested search worked through on diagrams in the original slides; no text survives.

Nested Depth First Search

  procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
      if s' ∉ visited then
        DFS(s')
        if s' is accepting then
          DFS2(s', s')
        end if
      end if
    end for
  end procedure

  procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
      if s' = seed then
        return "Cycle Detect"
      end if
      if s' ∉ visited2 then
        DFS2(s', seed)
      end if
    end for
  end procedure
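As an added example (not code from the slides), the two procedures above in Python, run over the product of a small Kripke structure with the Büchi automaton for ¬(F p). The model, its state names s0..s2, the proposition p and the automaton state q0 are all constructed here for illustration; the one deliberate addition to the slide's pseudocode is a second search seeded from an accepting initial state, which DFS as written never performs.

```python
"""Nested depth-first search over the product M x B_not_phi, following DFS/DFS2 above."""
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
Lasso = Tuple[List[State], List[State]]   # (prefix ending at the seed, cycle back to the seed)
Guard = Callable[[FrozenSet[str]], bool]  # a B transition fires when its guard holds on M's label


class Buchi:
    """A Büchi automaton given by initial states, a successor function and an acceptance test."""

    def __init__(self, initial: Iterable[State], successors: Callable[[State], Iterable[State]],
                 is_accepting: Callable[[State], bool]) -> None:
        self.initial, self.successors, self.is_accepting = list(initial), successors, is_accepting


class Kripke:
    """A Kripke structure: initial states, transitions and a labelling with atomic propositions."""

    def __init__(self, initial: Iterable[State], trans: Dict[State, List[State]],
                 labels: Dict[State, FrozenSet[str]]) -> None:
        self.initial, self.trans, self.labels = list(initial), trans, labels


def product(m: Kripke, b_init: Iterable[State],
            b_trans: Dict[State, List[Tuple[Guard, State]]], b_acc: Set[State]) -> Buchi:
    """Product of M and B_not_phi: B reads the label of the M-state being left (the 'match
    states with the same labels' step); a product state (s, q) is accepting iff q is."""
    def successors(st: State) -> List[State]:
        s, q = st
        return [(s2, q2) for s2 in m.trans[s] for guard, q2 in b_trans[q] if guard(m.labels[s])]
    return Buchi([(s, q) for s in m.initial for q in b_init], successors, lambda st: st[1] in b_acc)


def nested_dfs(aut: Buchi) -> Optional[Lasso]:
    """Return an accepting lasso (a counterexample), or None if no accepting cycle is reachable."""
    visited: Set[State] = set()
    visited2: Set[State] = set()
    path: List[State] = []    # current DFS stack, reported as the counterexample prefix
    cycle: List[State] = []   # filled in reverse by dfs2 on the way back to the seed

    def dfs2(s: State, seed: State) -> bool:
        # Second search: does some path from the accepting seed lead back to it?
        visited2.add(s)
        for t in aut.successors(s):
            if t == seed:
                cycle.append(t)
                return True
            if t not in visited2 and dfs2(t, seed):
                cycle.append(t)
                return True
        return False

    def dfs(s: State) -> bool:
        # First search; an accepting successor seeds the second search only after its own
        # DFS has finished (postorder), which is what makes sharing visited2 between seeds sound.
        visited.add(s)
        path.append(s)
        for t in aut.successors(s):
            if t not in visited:
                if dfs(t):
                    return True
                if aut.is_accepting(t) and dfs2(t, t):
                    path.append(t)
                    return True
        path.pop()
        return False

    for s0 in aut.initial:
        if s0 in visited:
            continue
        if dfs(s0):
            return list(path), list(reversed(cycle))
        # Not in the slide's pseudocode: an accepting initial state needs its own second
        # search, otherwise a cycle closing on s0 itself would be missed.
        if aut.is_accepting(s0) and dfs2(s0, s0):
            return [s0], list(reversed(cycle))
    return None


# Constructed model: s0 <-> s1 can loop forever without ever reaching the p-labelled s2.
M = Kripke(initial=["s0"],
           trans={"s0": ["s1"], "s1": ["s0", "s2"], "s2": ["s2"]},
           labels={"s0": frozenset(), "s1": frozenset(), "s2": frozenset({"p"})})
# B_not_phi for phi = F p, i.e. G not p: one accepting state that stays put while p is
# absent and has no move once p holds.
B_NOT_FP: Dict[State, List[Tuple[Guard, State]]] = {"q0": [(lambda lab: "p" not in lab, "q0")]}


def check_eventually_p(m: Kripke) -> Optional[Lasso]:
    """Model-check M |= F p by emptiness of M x B_not_Fp; None means the property holds."""
    return nested_dfs(product(m, ["q0"], B_NOT_FP, {"q0"}))
```

For M the result is the lasso s0 s1 (s0 s1)^ω, i.e. F p is violated; a model in which s1 must move on to s2 yields None.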

Explicit Model Checking

• Avoids constructing the entire state space of the modelled system: the check can be done on the fly
• Some states are never generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until it is safe to enter */
      ncrit++;
  ss:
      assert(ncrit == 1);                    /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until it is safe to enter */
      ncrit++;
      assert(ncrit == 1);                    /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the sub-processes it runs alongside
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6
  End

A simple LTL property:

  F (~v1)    -- v1 will eventually become False

Cone of Influence Reduction: the reduced model

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
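An added example (not from the slides) for the model above: it computes the cone of influence of v1 by closing over the syntactic dependencies of the parallel updates, builds the reduced model N, and checks from every initial assignment that M and N agree step by step on the cone variables, which is why a formula over v1 cannot tell them apart. v6 has no update on the slide and is assumed here to keep its value; note that the cone keeps v3's update as well, since v2 reads v3.

```python
"""Cone-of-influence reduction for the slide's synchronous Boolean model."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, List

Assignment = Dict[str, bool]
Update = Callable[[Assignment], bool]

VARS: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]

# The slide's updates; every right-hand side reads the *current* state (parallel update).
# v6 has no update on the slide, so it keeps its value (an assumption made here).
FULL_MODEL: Dict[str, Update] = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
}
# Syntactic dependencies: the variables each update reads.
DEPENDS: Dict[str, FrozenSet[str]] = {
    "v1": frozenset({"v2"}),
    "v2": frozenset({"v1", "v3"}),
    "v3": frozenset({"v1", "v2"}),
    "v4": frozenset({"v5", "v3"}),
    "v5": frozenset({"v4", "v6"}),
}


def cone_of_influence(depends: Dict[str, FrozenSet[str]], prop_vars: Iterable[str]) -> FrozenSet[str]:
    """Least set C containing prop_vars such that v in C and v reads w implies w in C."""
    cone = set(prop_vars)
    frontier = list(cone)
    while frontier:
        v = frontier.pop()
        for w in depends.get(v, frozenset()):
            if w not in cone:
                cone.add(w)
                frontier.append(w)
    return frozenset(cone)


def reduce_model(model: Dict[str, Update], cone: FrozenSet[str]) -> Dict[str, Update]:
    """N: keep only the updates of variables inside the cone."""
    return {v: f for v, f in model.items() if v in cone}


def step(model: Dict[str, Update], state: Assignment) -> Assignment:
    """One synchronous step; variables without an update keep their value."""
    return {v: (model[v](state) if v in model else old) for v, old in state.items()}


def reduction_preserves_cone(model: Dict[str, Update], depends: Dict[str, FrozenSet[str]],
                             prop_vars: Iterable[str], steps: int = 8) -> bool:
    """Run M and N from every initial assignment and check that they agree, step by step,
    on the cone variables; a formula over those variables then holds in M iff it holds in N."""
    cone = cone_of_influence(depends, prop_vars)
    reduced = reduce_model(model, cone)
    for values in product([False, True], repeat=len(VARS)):
        full: Assignment = dict(zip(VARS, values))
        small: Assignment = {v: full[v] for v in cone}
        for _ in range(steps):
            if any(full[v] != small[v] for v in cone):
                return False
            full, small = step(model, full), step(reduced, small)
    return True
```

Asking for the cone of v4 instead pulls in every variable, so nothing can be dropped for a property about v4.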

Data Abstraction

[Figure: the abstraction function h: S → S' maps each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int → {Even, Odd}
    Odd  = {…, -3, -1, 1, 3, …}
    Even = {…, -2, 0, 2, 4, …}

  y: int → {Pos, Neg, Zero}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  #define N 0   /* local states: neutral, trying, critical */
  #define T 1
  #define C 2

  byte tok = 1;

  active [2] proctype user()
  {
      byte state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* slide writes tok == _pid, but _pid is 0 or 1 while tok is 1 or 2 */
      :: (state == C) -> state = N;
         if
         :: tok = 1
         :: tok = 2
         fi
      od
  }

Symmetry Reduction Example

State graph (12 states; each row pairs a state with its mirror image under swapping the two processes; edges only in the original figure):

  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
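An added example, not from the slides or from SPIN: an explicit-state exploration of the token model above in Python, once over the full state space and once visiting only one representative per equivalence class, reproducing the 12 and 6 states of the two graphs. The symmetry assumed is the exchange of the two process identities (which also moves the token); the representative chosen is the slide's, the class member holding the token in process 1.

```python
"""Explicit-state exploration of the two-process token model, with and without symmetry reduction."""
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

# Global state: (local state of process 1, local state of process 2, token holder 1 or 2).
State = Tuple[str, str, int]
N, T, C = "N", "T", "C"
INITIAL: State = (N, N, 1)


def successors(s: State) -> List[State]:
    """All interleavings of the two processes' enabled guards, as in the Promela model."""
    out: List[State] = []
    for i in (0, 1):                            # process i + 1 owns the token when tok == i + 1
        local = [s[0], s[1]]
        tok = s[2]
        if local[i] == N:                       # (state == N) -> state = T
            local[i] = T
            out.append((local[0], local[1], tok))
        elif local[i] == T and tok == i + 1:    # (state == T) && (tok == own id) -> state = C
            local[i] = C
            out.append((local[0], local[1], tok))
        elif local[i] == C:                     # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            local[i] = N
            out.append((local[0], local[1], 1))
            out.append((local[0], local[1], 2))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two process identities, which also moves the token."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Orbit representative: exactly one of s and swap(s) has tok == 1, the slide's choice."""
    return s if s[2] == 1 else swap(s)


def explore(init: State, succ: Callable[[State], List[State]],
            rep: Callable[[State], State] = lambda s: s) -> Dict[State, Set[State]]:
    """Breadth-first reachability; rep maps each state to its representative (identity = no reduction)."""
    start = rep(init)
    seen: Set[State] = {start}
    graph: Dict[State, Set[State]] = {}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        graph[s] = set()
        for t in succ(s):
            r = rep(t)
            graph[s].add(r)
            if r not in seen:
                seen.add(r)
                queue.append(r)
    return graph


def mutual_exclusion(graph: Dict[State, Set[State]]) -> bool:
    """Safety property: no reachable state has both processes in the critical section."""
    return not any(s[0] == C and s[1] == C for s in graph)


FULL = explore(INITIAL, successors)                 # 12 states, the slide's full graph
REDUCED = explore(INITIAL, successors, canonical)   # 6 states, the slide's reduced graph
```

Because mutual exclusion is itself symmetric under the swap, checking it on the 6 representatives is as good as checking it on all 12 states.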


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

[Figure only in the original slides]

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states     time      memory      states     time      memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB     435456     2.34s     42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB      568        <0.01s    1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB     945        <0.01s    1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB     8421       0.03s     2.1 MB
  Best (7)                15         0.06s     0.7 MB      2187       0.03s     1.5 MB
  Best (20)               41         0.34s     5.7 MB      N/A (1)
  Worst (3)               15         0.04s     0.3 MB      15         <0.01s    1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB      2097150    15.03s    110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB     N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

            NuSMV                            SPIN
            states   time      memory        states   time      memory
  2         70       0.11s     1.1 MB        70       <0.01s    1.5 MB
  3         488      0.57s     4.6 MB        488      <0.01s    1.5 MB
  4         3576     6.77s     10.6 MB       3576     0.10s     2.3 MB
  8         N/A (1)                          N/A (1)

With partial order reduction (PO):

            NuSMV-ImProviso                  SPIN
            states   time      memory        states   time      memory
  2         48       0.10s     1.0 MB        48       0.02s     1.5 MB
  3         209      0.31s     3.0 MB        209      <0.01s    1.5 MB
  4         922      1.77s     10.4 MB       922      <0.01s    1.7 MB
  8         306903   3553.86s  381.8 MB      306903   11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

[Table only in the original slides]

Comparison Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

LTL and Buumlchi Automata

bull LTL formulandash Represents a set of infinite traces which satisfy

such formulabull Buumlchi Automaton

ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

and only the infinite traces represented by an LTL formula

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

LTL Model Checking

bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

ndash The product accepts the traces of M that are also traces of Bnot (M not)

ndash If the product accepts any sequencebull We have found a counterexample

Nested Depth First Search

bull The product is a Buumlchi automatonbull How do we find accepted sequences

ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

ndash We are interested only in cycles that contain at least an accepting state

ndash During depth first search start a second search when we are in an accepting states

bull If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions which result in the same state.
• Thus this reduction technique is best suited for asynchronous systems.
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
• The justification of the reduction method shows that the behaviors that are not present do not add any information.

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution.
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the sub-processes it interacts with
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A simple system model (all assignments are executed in parallel; v6 is declared but never assigned):

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A simple LTL property:

F (~v1)        -- v1 will eventually become False

The property refers only to v1. The cone of influence of {v1} is {v1, v2, v3}: v1 reads v2, v2 reads v1 and v3, and v3 reads v1 and v2; v4, v5 and v6 are never read by any of them. The reduced model keeps only these variables and their assignments:

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
End
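The reduction above, as an added example (not code from the slides): the cone of influence is the closure of the variables the formula mentions under the "reads" relation, the reduced model keeps only assignments inside the cone, and a check over all 2^6 states confirms that the cone variables step identically in the full and the reduced model, which is what makes the reduction exact for F(~v1). Variable names follow the slide; encoding each assignment as the tuple of variables it conjoins is my own.

```python
"""Cone of influence reduction for the boolean system above."""
from itertools import product
from typing import Dict, FrozenSet, Sequence, Tuple

# Every assignment on the slide is a conjunction, so a variable maps to the tuple of
# variables it reads:  v1 = v2 ; v2 = v1 & v3 ; ... ; v6 has no assignment at all.
Assignments = Dict[str, Tuple[str, ...]]

FULL: Assignments = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
}
ALL_VARS: Sequence[str] = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(assign: Assignments, targets: Sequence[str]) -> FrozenSet[str]:
    """Smallest set containing `targets` and closed under 'x in C => x's reads in C'."""
    cone = set(targets)
    todo = list(targets)
    while todo:
        v = todo.pop()
        for read in assign.get(v, ()):      # an unassigned variable reads nothing
            if read not in cone:
                cone.add(read)
                todo.append(read)
    return frozenset(cone)


def reduce_model(assign: Assignments, cone: FrozenSet[str]) -> Assignments:
    """The reduced model N: only the assignments of variables inside the cone."""
    return {v: reads for v, reads in assign.items() if v in cone}


def next_state(assign: Assignments, state: Dict[str, bool]) -> Dict[str, bool]:
    """One synchronous step: every assignment fires on the old values at once."""
    return {v: all(state[r] for r in reads) for v, reads in assign.items()}


def reduction_is_exact(full: Assignments, cone: FrozenSet[str],
                       all_vars: Sequence[str]) -> bool:
    """For every state of M, the cone variables take the same next values in M and N."""
    reduced = reduce_model(full, cone)
    for bits in product((False, True), repeat=len(all_vars)):
        state = dict(zip(all_vars, bits))
        projected = {v: state[v] for v in cone}          # the state as N sees it
        in_m = {v: val for v, val in next_state(full, state).items() if v in cone}
        in_n = next_state(reduced, projected)
        if in_m != in_n:
            return False
    return True


if __name__ == "__main__":
    cone = cone_of_influence(FULL, ["v1"])             # F(~v1) mentions only v1
    print("cone of influence of {v1}:", sorted(cone))
    print("reduced model:", reduce_model(FULL, cone))
    print("states to consider: %d -> %d" % (2 ** len(ALL_VARS), 2 ** len(cone)))
    print("cone variables step identically in M and N:", reduction_is_exact(FULL, cone, ALL_VARS))
```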

Data Abstraction

Abstraction function h: S → S'
(Figure: h maps each concrete state in S to an abstract state in S'.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

x: int  →  {Even, Odd}
    Even: …, -2, 0, 2, 4, …
    Odd:  …, -3, -1, 1, 3, …

y: int  →  {Neg, Zero, Pos}
    Neg:  …, -3, -2, -1
    Zero: 0
    Pos:  1, 2, 3, …

Symmetry

• Symmetry partitions the state space into equivalence classes.
• With knowledge of the symmetry, search only one state per equivalence class.
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic.
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };     /* the slide leaves the three local states undeclared */
byte tok = 1;

active [2] proctype user()
{
    mtype state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1, the token 1 or 2 */
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

(Figure: full state graph on the left, reduced state graph on the right; only the state labels are recoverable.)

State graph (12 states):

N1 N2 tok=1    N1 N2 tok=2
N1 T2 tok=1    T1 N2 tok=2
T1 N2 tok=1    N1 T2 tok=2
T1 T2 tok=1    T1 T2 tok=2
C1 N2 tok=1    N1 C2 tok=2
C1 T2 tok=1    T1 C2 tok=2

Reduced state graph, one state per equivalence class (6 states):

N1 N2 tok=1
N1 T2 tok=1
T1 N2 tok=1
T1 T2 tok=1
C1 N2 tok=1
C1 T2 tok=1
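The two graphs above, reproduced by exploration as an added example (not code from the slides or from SPIN): the token model is explored once as-is and once storing only the representative of each equivalence class under the swap of the two processes. The slide treats "leave C and hand on the token" as one step, and so does this code; the choice of representative (the state in which process 1 holds the token) is mine and matches the reduced graph on the slide.

```python
"""Symmetry reduction for the two-process token model above."""
from collections import deque
from typing import Callable, List, NamedTuple, Optional, Set


class State(NamedTuple):
    local: tuple   # local state of process 1 and process 2: "N", "T" or "C"
    tok: int       # which process holds the token: 1 or 2


INIT = State(("N", "N"), 1)


def with_local(s: State, i: int, loc: str, tok: Optional[int] = None) -> State:
    new = list(s.local)
    new[i] = loc
    return State(tuple(new), s.tok if tok is None else tok)


def successors(s: State) -> List[State]:
    """One step of either process, following the do-loop of proctype user()."""
    out: List[State] = []
    for i, loc in enumerate(s.local):
        pid = i + 1
        if loc == "N":
            out.append(with_local(s, i, "T"))
        elif loc == "T" and s.tok == pid:   # may enter C only while holding the token
            out.append(with_local(s, i, "C"))
        elif loc == "C":                    # leave C, then tok = 1 or tok = 2
            for t in (1, 2):
                out.append(with_local(s, i, "N", t))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two processes (the token is renamed with them)."""
    return State((s.local[1], s.local[0]), 3 - s.tok)


def representative(s: State) -> State:
    """Canonical member of the orbit {s, swap(s)}: the one where process 1 holds the token."""
    return s if s.tok == 1 else swap(s)


def explore(canon: Callable[[State], State]) -> Set[State]:
    """Breadth-first reachability that stores canon(state) instead of state."""
    seen: Set[State] = {canon(INIT)}
    queue = deque(seen)
    while queue:
        for nxt in successors(queue.popleft()):
            rep = canon(nxt)
            if rep not in seen:
                seen.add(rep)
                queue.append(rep)
    return seen


if __name__ == "__main__":
    full = explore(lambda s: s)
    reduced = explore(representative)
    print(f"full state graph: {len(full)} states")        # 12, as on the slide
    print(f"reduced state graph: {len(reduced)} states")  # 6, as on the slide
    for st in sorted(reduced):
        print("   ", st)
```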


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.
• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).


Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
Example                   states     time       memory         states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB        435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB         568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB        945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB        8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB         2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB         N/A (1)
Worst (3)                 15         0.04s      0.3 MB         15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB         2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB        N/A (1)

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best/Worst.

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

                NuSMV                               SPIN
N               states     time        memory       states     time       memory
2               70         0.11s       1.1 MB       70         <0.01s     1.5 MB
3               488        0.57s       4.6 MB       488        <0.01s     1.5 MB
4               3576       6.77s       10.6 MB      3576       0.10s      2.3 MB
8               N/A (1)                             N/A (1)

With partial order reduction (PO):

                NuSMV-ImProviso                     SPIN
N               states     time        memory       states     time       memory
2               48         0.10s       1.0 MB       48         0.02s      1.5 MB
3               209        0.31s       3.0 MB       209        <0.01s     1.5 MB
4               922        1.77s       10.4 MB      922        <0.01s     1.7 MB
8               306903     3553.86s    381.8 MB     306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD-based checking for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry



Example

Example

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN: Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Example

Nested Depth First Search

  procedure DFS(s)
    visited = visited ∪ {s}
    for each successor s' of s
      if s' ∉ visited then
        DFS(s')
        if s' is accepting then
          DFS2(s', s')
        end if
      end if
    end for
  end procedure

Nested Depth First Search

  procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
      if s' = seed then
        return "Cycle Detect"
      end if
      if s' ∉ visited2 then
        DFS2(s', seed)
      end if
    end for
  end procedure
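A runnable version of the two procedures above, added here as an example and not taken from the slides. The product state graph is given as a successor function over a constructed sample graph, `accepting` is the set of product states whose Büchi component is accepting, and instead of the string "Cycle Detect" the search returns the counterexample lasso: the prefix from the initial state to the accepting seed, then the cycle from the seed back to itself. Each state is checked after all its successors have been explored (post-order), which is the moment at which the slide calls DFS2(s', s') after DFS(s') returns; writing the check on s itself also covers the initial state. The graph names and `check` are the example's own.

```python
"""Nested depth-first search for an accepting cycle (added example)."""


def nested_dfs(successors, init, accepting):
    """Return (prefix, cycle) of an accepting lasso, or None if none exists.

    prefix: states from init up to and including the accepting seed
    cycle:  states from the seed back to (excluding) the seed
    """
    visited, visited2 = set(), set()
    path1, path2 = [], []          # current DFS paths, kept for reporting

    def dfs2(s, seed):
        # second search: is there a path from the seed back to the seed?
        visited2.add(s)
        path2.append(s)
        for t in successors(s):
            if t == seed:          # closed a cycle through the accepting seed
                return True
            if t not in visited2 and dfs2(t, seed):
                return True
        path2.pop()
        return False

    def dfs(s):
        # first search: plain DFS; accepting states are seeded in post-order
        visited.add(s)
        path1.append(s)
        for t in successors(s):
            if t not in visited and dfs(t):
                return True
        if s in accepting and dfs2(s, s):
            return True
        path1.pop()
        return False

    if dfs(init):
        return list(path1), list(path2)
    return None


# Constructed sample product graphs (not from the slides).
# Graph A: state 2 is accepting and lies on the cycle 1 -> 2 -> 1.
GRAPH_A = {0: [1], 1: [2], 2: [1, 3], 3: [4], 4: [4]}
# Graph B: the only accepting state (1) is never revisited; no accepting cycle.
GRAPH_B = {0: [1], 1: [2], 2: [3], 3: [3]}


def check(graph, accepting):
    """Run NDFS from state 0 of a dict-of-lists graph."""
    return nested_dfs(lambda s: graph[s], 0, accepting)


if __name__ == "__main__":
    print("A:", check(GRAPH_A, {2}))   # ([0, 1, 2], [2, 1])
    print("B:", check(GRAPH_B, {1}))   # None
```

The recursion mirrors the slide's procedures; for a real product graph the two searches are usually written iteratively with an explicit stack, since the depth of the first search can reach the number of reachable states.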

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system; can be done on-the-fly
• Some states are not generated in the product
• Counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN: Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);

    ncrit++;
ss: assert(ncrit == 1);    /* critical section */
    ncrit--;

    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);

    ncrit++;
    assert(ncrit == 1);    /* critical section */
    ncrit--;

    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
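To make the numbers on the State Explosion slide concrete, here is an added example (a constructed toy model, not from the slides). Each of n processes has one transition that sets its own flag from 0 to 1; the transitions commute and never enable or disable one another, so every ordering ends in the same state. Exploring all interleavings produces 2^n states and n! orderings; exploring only the lowest-numbered enabled transition from each state keeps one representative ordering and n + 1 states, which is sound here precisely because the transitions are independent and the property of interest (the final state) does not depend on their order. The names `enabled`, `fire` and `explore` are the example's own.

```python
"""Full interleaving vs. one-representative exploration of n independent
transitions (added example, constructed model)."""


def enabled(state):
    """Processes whose flag is still 0, i.e. whose transition is enabled."""
    return [i for i, flag in enumerate(state) if flag == 0]


def fire(state, i):
    """Execute process i's transition: set its flag."""
    return state[:i] + (1,) + state[i + 1:]


def explore(n, reduce=False):
    """Return (number of states, number of distinct orderings to the final state).

    reduce=False: interleave every enabled transition (full state graph).
    reduce=True:  from each state fire only the lowest-numbered enabled
                  transition; one ordering represents the whole class of
                  equivalent interleavings.
    """
    init = (0,) * n
    seen, stack, succ = {init}, [init], {}
    while stack:
        s = stack.pop()
        en = enabled(s)
        chosen = en[:1] if reduce else en
        succ[s] = [fire(s, i) for i in chosen]
        for t in succ[s]:
            if t not in seen:
                seen.add(t)
                stack.append(t)

    # The graph is acyclic, so the number of orderings is the number of
    # paths from init to the unique state with no enabled transition.
    memo = {}

    def paths(s):
        if not succ[s]:
            return 1
        if s not in memo:
            memo[s] = sum(paths(t) for t in succ[s])
        return memo[s]

    return len(seen), paths(init)


if __name__ == "__main__":
    for n in (2, 4, 6):
        print(n, "full:", explore(n), "reduced:", explore(n, reduce=True))
```

A real partial order reduction must decide per state which subset of enabled transitions is safe to postpone (the visible and dependent ones never are); this example hard-codes the answer because all its transitions are known to be independent.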

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the sub-processes it is composed with
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL property:

  (F (~v1))    v1 will eventually become False

Cone of Influence Reduction:

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
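An added example (not from the slides) that computes the cone of influence for the model above and checks the claim stated on the previous slide on it: the cone of {v1} is {v1, v2, v3}, so the reduced model keeps only the assignments to those three variables, and F(~v1) receives the same verdict in the full model M and the reduced model N from corresponding initial states. Assumptions made by the example: the model is encoded as `next(v) = AND of the listed operands` (so v1 = v2 is an AND of one operand), all assignments fire in parallel at every step, v6, which is never assigned, keeps its value, and every assignment of the variables is a possible initial state. The function names are the example's own.

```python
"""Cone of influence reduction on the slide's synchronous model (added example)."""
from itertools import product

# next(v) = AND of the operands; v6 has no assignment and stays constant.
MODEL = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
}
VARS = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(model, targets):
    """Smallest set containing `targets` and closed under 'reads its next value from'."""
    cone, work = set(targets), list(targets)
    while work:
        v = work.pop()
        for dep in model.get(v, ()):
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(model, cone):
    """Keep only the assignments of variables inside the cone."""
    return {v: ops for v, ops in model.items() if v in cone}


def step(model, state):
    """One synchronous step: all assigned variables are updated in parallel."""
    return {v: (all(state[o] for o in model[v]) if v in model else val)
            for v, val in state.items()}


def violating_initial_states(model, variables):
    """Initial states (tuples over `variables`) from which F(~v1) FAILS.

    The step function is deterministic, so the single run from a state
    violates F(~v1) exactly when it revisits a state without v1 ever
    having been False.
    """
    bad = set()
    for vals in product((False, True), repeat=len(variables)):
        state = dict(zip(variables, vals))
        seen = set()
        while state["v1"] and tuple(state.values()) not in seen:
            seen.add(tuple(state.values()))
            state = step(model, state)
        if state["v1"]:
            bad.add(vals)
    return bad


def compare():
    """Verdicts of M projected onto the cone must equal the verdicts of N."""
    cone = cone_of_influence(MODEL, {"v1"})
    reduced = reduce_model(MODEL, cone)
    reduced_vars = tuple(v for v in VARS if v in cone)
    full_bad = violating_initial_states(MODEL, VARS)
    reduced_bad = violating_initial_states(reduced, reduced_vars)
    projected = {tuple(x for x, name in zip(s, VARS) if name in cone)
                 for s in full_bad}
    return cone, reduced, projected, reduced_bad


if __name__ == "__main__":
    cone, reduced, projected, reduced_bad = compare()
    print("cone of {v1}:", sorted(cone))
    print("reduced model:", reduced)
    print("F(~v1) fails from (v1,v2,v3) =", reduced_bad, "in both M and N:",
          projected == reduced_bad)
```

On this model F(~v1) fails only from initial states with v1 = v2 = v3 = True, whatever v4, v5 and v6 are; the eight such states of M all project onto the single violating state of N, which is what the "if and only if" on the slide promises.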

Data Abstraction

Abstraction function h : S → S' (figure: each concrete state in S is mapped by h onto an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x : int → {Even, Odd}
  Odd  = {…, -3, -1, 1, 3, …}
  Even = {…, -2, 0, 2, 4, …}

y : int → {Pos, Neg, Zero}
  Pos  = {1, 2, 3, …}
  Neg  = {…, -3, -2, -1}
  Zero = {0}
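As an added example (constructed, not from the slides), the parity/sign abstraction above applied to two small operations on (x, y). The abstract transition relation is built existentially: an abstract edge a → a' exists if some concrete state that h maps to a steps to a state that h maps to a'. The comparison shows where the abstraction stays precise (x := x + 2 preserves parity) and where it loses precision (x := x + y, whose result parity depends on the parity of y, which the abstraction does not track), which is where the false positives mentioned on the Abstraction slide come from; the reachability helper shows the sound direction, that a state unreachable in the abstract graph is unreachable concretely. Assumption: concrete states are enumerated over a finite window, large enough to exhibit every case of these two operations. All function names are the example's own.

```python
"""Data abstraction by parity and sign, with existential abstraction of
transitions (added example, constructed)."""


def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(y):
    if y == 0:
        return "Zero"
    return "Pos" if y > 0 else "Neg"


def h(state):
    """Component-wise abstraction function h : (x, y) -> (parity(x), sign(y))."""
    x, y = state
    return (parity(x), sign(y))


def abstract_relation(op, bound=8):
    """Map each abstract state to its abstract successors under `op`,
    computed over the concrete window [-bound, bound]^2."""
    rel = {}
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            rel.setdefault(h((x, y)), set()).add(h(op((x, y))))
    return rel


def abstract_reachable(rel, start):
    """Abstract states reachable from `start`: an over-approximation of the
    concrete reachable set.  Anything absent here is concretely unreachable;
    a 'bad' state present here may still be a false alarm."""
    seen, work = {start}, [start]
    while work:
        a = work.pop()
        for b in rel.get(a, ()):
            if b not in seen:
                seen.add(b)
                work.append(b)
    return seen


# Two constructed operations on the concrete state (x, y).
def add_two(s):        # x := x + 2   parity of x preserved: abstraction is precise
    return (s[0] + 2, s[1])


def add_y(s):          # x := x + y   parity of y is not tracked: imprecise
    return (s[0] + s[1], s[1])


def precision_demo():
    """Abstract successors of (Even, Pos) under the two operations."""
    precise = abstract_relation(add_two)[("Even", "Pos")]
    imprecise = abstract_relation(add_y)[("Even", "Pos")]
    return precise, imprecise


if __name__ == "__main__":
    precise, imprecise = precision_demo()
    print("x := x + 2 from (Even, Pos):", precise)      # {('Even', 'Pos')}
    print("x := x + y from (Even, Pos):", imprecise)    # both parities
    print("x := x + y from (Even, Zero) can reach:",
          abstract_reachable(abstract_relation(add_y), ("Even", "Zero")))
```

Because the abstract relation only adds edges, a property proved on the abstract graph (here: with y = 0, x stays even under x := x + y) holds concretely, while a violation found on it has to be replayed concretely before it is believed.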

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* assumed declaration: the slide does not show where N, T, C are defined */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

State graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2    T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2    C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one per equivalence class):
  N1 N2 tok=1
  N1 T2 tok=1    T1 N2 tok=1
  T1 T2 tok=1    C1 N2 tok=1
  C1 T2 tok=1
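An added example (not from the slides) that produces the two graphs above from the SPIN model: it explores the reachable states of the token model for n processes, once storing every state and once storing only one representative of each equivalence class under permutations of the processes. Assumptions: process ids are 1..n and `tok == _pid` is read against the ids 1 and 2 that the slide's state graph uses; the representative is the lexicographically smallest image of a state under all permutations, which for n = 2 is the tok = 1 member of each class, exactly as in the reduced graph above. It generalizes to n = 3, where the same code gives 36 states and 9 classes. The function names are the example's own.

```python
"""Symmetry reduction of the token mutual-exclusion model (added example)."""
from itertools import permutations


def successors(state):
    """state = (tok, locals); locals[i] in {'N','T','C'} is process i+1's state."""
    tok, locs = state
    n = len(locs)
    for i, st in enumerate(locs):
        pid = i + 1
        pre, post = locs[:i], locs[i + 1:]
        if st == "N":                       # (state == N) -> state = T
            yield (tok, pre + ("T",) + post)
        elif st == "T" and tok == pid:      # (state == T) && (tok == _pid) -> state = C
            yield (tok, pre + ("C",) + post)
        elif st == "C":                     # (state == C) -> state = N; pass the token
            for new_tok in range(1, n + 1):
                yield (new_tok, pre + ("N",) + post)


def canonical(state):
    """Representative of the state's class under all process permutations:
    the lexicographically smallest image (renaming processes renames the
    token holder too)."""
    tok, locs = state
    n = len(locs)
    best = None
    for perm in permutations(range(n)):     # perm[i] = new index of process i
        img_locs = [None] * n
        for i, st in enumerate(locs):
            img_locs[perm[i]] = st
        img = (perm[tok - 1] + 1, tuple(img_locs))
        if best is None or img < best:
            best = img
    return best


def explore(n, canon=lambda s: s):
    """Reachable states from (tok=1, all N); only canon(state) is stored,
    so passing `canonical` explores the reduced graph."""
    init = canon((1, ("N",) * n))
    seen, stack = {init}, [init]
    while stack:
        for t in successors(stack.pop()):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def state_counts(n):
    """(full state count, reduced state count) for n symmetric processes."""
    return len(explore(n)), len(explore(n, canonical))


if __name__ == "__main__":
    for s in sorted(explore(2, canonical)):
        print(s)                           # the six tok=1 states of the reduced graph
    print("n=2:", state_counts(2), "n=3:", state_counts(3))
```

Storing only representatives is sound because the successor relation commutes with process renaming; the price is the canonicalization at every state, which here enumerates all n! permutations and is exactly the "efficient exploitation" problem the Symmetry slide lists.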

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles Fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
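As an added illustration (not from the slides), the following Python script reproduces the state-count argument of the preceding slides for n independent transitions: the full interleaving graph has 2^n states and n! complete orderings, while a reduced graph that fires one representative transition per state has n + 1 states and still reaches the same final state. Modelling transition i as "set bit i" and choosing the lowest-numbered enabled transition as the representative are assumptions made for the illustration.

```python
"""Added illustration (not from the slides) of the state-count argument behind
partial order reduction, for n independent transitions.

Transition i is modelled as "set bit i" of the state, so any two transitions
commute: executing them in either order reaches the same state.  The full
interleaving graph fires every enabled transition from every state; the
reduced graph fires only one representative (the lowest-numbered enabled
transition), which is a legal choice here because the transitions are
independent and the specification does not distinguish the orderings.
"""
from collections import deque


def enabled(state: frozenset, n: int):
    """Successor states: one per transition that has not yet executed."""
    for i in range(n):
        if i not in state:
            yield state | {i}


def explore(n: int, reduced: bool = False) -> set:
    """Breadth-first search of the interleaving graph starting from the empty
    set.  With reduced=True only the first enabled transition is expanded,
    so the search follows a single representative interleaving."""
    init = frozenset()
    seen, queue = {init}, deque([init])
    while queue:
        state = queue.popleft()
        succ = list(enabled(state, n))
        if reduced:
            succ = succ[:1]              # ample set of size one
        for nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def count_orderings(n: int) -> int:
    """Number of distinct complete interleavings, counted as paths from the
    empty set to the full set (dynamic programming over subsets)."""
    paths = {frozenset(): 1}
    for size in range(n):
        for state in [s for s in paths if len(s) == size]:
            for nxt in enabled(state, n):
                paths[nxt] = paths.get(nxt, 0) + paths[state]
    return paths[frozenset(range(n))]


def reduction_summary(n: int) -> dict:
    """Compare the full and the reduced graph for n independent transitions.
    Expected: n! orderings, 2**n full states, n + 1 reduced states, and the
    final state (all transitions executed) present in both graphs."""
    full, red = explore(n), explore(n, reduced=True)
    final = frozenset(range(n))
    return {
        "orderings": count_orderings(n),
        "full_states": len(full),
        "reduced_states": len(red),
        "final_state_in_both": final in full and final in red,
    }


if __name__ == "__main__":
    for n in (3, 4, 6):
        print(n, reduction_summary(n))
```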

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6
    End

A Simple LTL property:

    F (~v1)        -- v1 will eventually become False

Cone of Influence Reduction (only the variables the property depends on are kept):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
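Added example (not from the slides): computing the cone of influence of v1 from the dependency structure of the six-variable model above, then checking F(~v1) on both the full and the reduced model by explicit enumeration, so the "if and only if" of the previous slide can be observed on this instance. It assumes synchronous updates, that the unassigned v6 keeps its value, and that every valuation is a possible initial state; the slide states none of these.

```python
"""Added example (not from the slides): cone of influence reduction for the
six-variable model above, followed by an explicit-state check of F(~v1) on
both the full and the reduced model.

Assumptions not stated on the slide: all variables are updated synchronously
("repeat forever in parallel"), v6, which has no assignment, keeps its value,
and every valuation is a possible initial state.
"""
from itertools import product

# Next-state function of each variable, evaluated on the current valuation.
FULL_MODEL = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
    "v6": lambda s: s["v6"],          # unassigned on the slide: assumed constant
}

# Variables each assignment reads (the dependency graph the cone is built from).
DEPENDS = {
    "v1": {"v2"},
    "v2": {"v1", "v3"},
    "v3": {"v1", "v2"},
    "v4": {"v5", "v3"},
    "v5": {"v4", "v6"},
    "v6": {"v6"},
}


def cone_of_influence(vars_of_interest, depends):
    """Smallest superset of vars_of_interest closed under dependencies: if v is
    in the cone, so is every variable that v's next-state assignment reads."""
    cone = set(vars_of_interest)
    work = list(cone)
    while work:
        v = work.pop()
        for u in depends[v] - cone:
            cone.add(u)
            work.append(u)
    return cone


def reduce_model(model, cone):
    """Drop every assignment to a variable outside the cone."""
    return {v: f for v, f in model.items() if v in cone}


def step(model, state):
    """One synchronous step: all assignments read the old valuation."""
    return {v: f(state) for v, f in model.items()}


def check_eventually_not_v1(model):
    """Decide F(~v1) over all runs.  The model is deterministic, so the run from
    each initial state is a lasso; F(~v1) fails exactly when some run closes
    its loop without ever making v1 False.  Returns the verdict, the offending
    run (a counterexample) if any, and the size of the state space searched."""
    names = sorted(model)
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        run, seen = [], set()
        while True:
            key = tuple(state[n] for n in names)
            if not state["v1"]:
                break                    # v1 became False: run satisfies F(~v1)
            if key in seen:              # loop closed with v1 always True
                return {"holds": False, "counterexample": run,
                        "state_space": 2 ** len(names)}
            seen.add(key)
            run.append(state)
            state = step(model, state)
    return {"holds": True, "counterexample": None, "state_space": 2 ** len(names)}


if __name__ == "__main__":
    cone = cone_of_influence({"v1"}, DEPENDS)
    print("cone of influence of v1:", sorted(cone))
    print("full model   :", check_eventually_not_v1(FULL_MODEL))
    print("reduced model:", check_eventually_not_v1(reduce_model(FULL_MODEL, cone)))
```

Both models report the same verdict (F(~v1) does not hold, witnessed by the valuation v1 = v2 = v3 = True, which is a fixed point), while the reduced model searches 8 states instead of 64.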

Data Abstraction

Abstraction function h : S → S'

(Figure: each concrete state in S is mapped by h to an abstract state in S'; several concrete states share one abstract state.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x : int                              y : int
    … -3 -1 1 3 …    →  Odd             … -3 -2 -1    →  Neg
    … -2  0 2 4 …    →  Even              0           →  Zero
                                          1 2 3 …     →  Pos

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* assumed declaration, not shown on the slide: N, T, C are the non-critical, trying and critical states */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
        if
        :: tok = 1
        :: tok = 2
        fi
    od
}

Symmetry Reduction Example

State graph (12 states; each row pairs a state with its image under swapping the two processes and the token holder; edges are not recoverable from the extracted text):

    N1 N2 tok=1     N1 N2 tok=2
    N1 T2 tok=1     T1 N2 tok=2
    T1 N2 tok=1     N1 T2 tok=2
    T1 T2 tok=1     T1 T2 tok=2
    C1 N2 tok=1     N1 C2 tok=2
    C1 T2 tok=1     T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1     T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
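Added example (not from the slides): an explicit-state exploration of the two-process token model above that reproduces the 12-state full graph and the 6-state reduced graph. Processes are numbered 1 and 2 as in the diagram, so process i enters C only when tok == i; the representative kept for each equivalence class is the member with tok = 1, matching the reduced graph on the slide.

```python
"""Added example (not from the slides): explicit-state exploration of the
slide's two-process SPIN model, without and with symmetry reduction.

Processes are numbered 1 and 2 to match the slide's diagram: process i may
move T -> C only when tok == i, and on leaving C it hands the token to 1 or 2
non-deterministically.  A state is (state of proc 1, state of proc 2, tok).
"""
from collections import deque

N, T, C = "N", "T", "C"
INIT = (N, N, 1)


def successors(s):
    """Every state reachable in one interleaved step of one process."""
    procs, tok = list(s[:2]), s[2]
    for i in (0, 1):
        nxt = list(procs)
        if procs[i] == N:
            nxt[i] = T
            yield (nxt[0], nxt[1], tok)
        elif procs[i] == T and tok == i + 1:
            nxt[i] = C
            yield (nxt[0], nxt[1], tok)
        elif procs[i] == C:
            nxt[i] = N
            for new_tok in (1, 2):
                yield (nxt[0], nxt[1], new_tok)
        # a process in T without the token is blocked: no successor


def swap(s):
    """The symmetry of the model: exchange the two processes and rename the
    token holder accordingly (tok 1 <-> 2)."""
    return (s[1], s[0], 3 - s[2])


def canonical(s):
    """Orbit representative: the member of {s, swap(s)} with tok == 1, which
    is exactly the representative the slide's reduced graph keeps."""
    return s if s[2] == 1 else swap(s)


def explore(reduce=False):
    """Breadth-first search of the reachable states.  With reduce=True every
    successor is replaced by its representative before it is stored, so each
    equivalence class is visited once."""
    start = canonical(INIT) if reduce else INIT
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            if reduce:
                t = canonical(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def mutual_exclusion_holds(states):
    """Safety property preserved by the reduction: both processes are never
    in the critical section at the same time."""
    return all(not (s[0] == C and s[1] == C) for s in states)


if __name__ == "__main__":
    full, red = explore(), explore(reduce=True)
    print(len(full), "states in the full graph, mutual exclusion:",
          mutual_exclusion_holds(full))
    print(len(red), "states in the reduced graph, mutual exclusion:",
          mutual_exclusion_holds(red))
    for s in sorted(red):
        print("  representative", s)
```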

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                   SPIN
                          states     time       memory      states     time       memory
    Migratory Protocol (2)  155040     108.63s    56.3 MB     435456     2.34s      42.8 MB
    Stable Marriage (2)     710        0.84s      7.3 MB      568        <0.01s     1.5 MB
    Stable Marriage (3)     1275       2.72s      10.4 MB     945        <0.01s     1.5 MB
    Stable Marriage (5)     10351      31.56s     30.0 MB     8421       0.03s      2.1 MB
    Best (7)                15         0.06s      0.7 MB      2187       0.03s      1.5 MB
    Best (20)               41         0.34s      5.7 MB      N/A¹
    Worst (3)               15         0.04s      0.3 MB      15         <0.01s     1.5 MB
    Worst (20)              2097150    0.36s      5.0 MB      2097150    15.03s     110.6 MB
    Worst (100)             2.54E+30   14.34s     14.6 MB     N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

          NuSMV                             SPIN
    N     states     time       memory      states     time       memory
    2     70         0.11s      1.1 MB      70         <0.01s     1.5 MB
    3     488        0.57s      4.6 MB      488        <0.01s     1.5 MB
    4     3576       6.77s      10.6 MB     3576       0.10s      2.3 MB
    8     N/A¹                              N/A¹

PO (with partial order reduction)

          NuSMV-ImProviso                   SPIN
    N     states     time       memory      states     time       memory
    2     48         0.10s      1.0 MB      48         0.02s      1.5 MB
    3     209        0.31s      3.0 MB      209        <0.01s     1.5 MB
    4     922        1.77s      10.4 MB     922        <0.01s     1.7 MB
    8     306903     3553.86s   381.8 MB    306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Explicit Model Checking

bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

bull Some states are not generated in the productbull Counterexample can be found before

searching all statesbull Easy to optimizebull Better support for asynchronous composition

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

SPIN

bull Explicit State Model Checkerbull Process Algebra

ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

bull Nested Depth First Searchbull Uses a hashing function to store each state using

only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Petersonrsquos Algorithm

bool turn flag[2]byte ncrit

active proctype user0()again

flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

ncrit++ss assert(ncrit == 1) critical section

ncrit--

flag[0] = 0goto again

active proctype user1()again

flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

ncrit++assert(ncrit == 1) critical section ncrit--

flag[1] = 0goto again

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry


SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;              /* number of processes in the critical section */

    active proctype user0()
    {
    again:
        flag[0] = 1;         /* announce interest */
    reach:
        turn = 0;            /* give the token to ourselves; the last writer waits */
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is not interested, or it wrote turn after us */
        ncrit++;
    ss:
        assert(ncrit == 1);  /* critical section: mutual exclusion */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);
        ncrit++;
        assert(ncrit == 1);  /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.
• The ordering between independent transitions is largely meaningless.

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem.
• To see this, consider n transitions that can be executed concurrently.
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions).
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states.

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions which result in the same state.
• Thus, this reduction technique is best suited for asynchronous systems.
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
• The justification of the reduction method shows that the behaviors that are not present do not add any information.

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution.
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.
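The counting argument above (n! orderings and 2^n states versus n + 1 states) and the idea of exploring one representative per equivalence class, as an added example that is not part of the slides: the model is constructed here (n processes, each taking one local step, optionally also writing a shared variable so that the steps conflict), and the reduction rule is a simplified persistent-set rule, not a full ample-set implementation.

```python
from typing import List, Set, Tuple

# A state is (flags, shared): one flag per process (0 = has not stepped yet,
# 1 = has stepped) plus one shared variable. Constructed model, not from the slides.
State = Tuple[Tuple[int, ...], int]


def enabled(state: State) -> List[int]:
    """Each process has exactly one transition, enabled until it has stepped."""
    flags, _ = state
    return [i for i, done in enumerate(flags) if done == 0]


def fire(state: State, i: int, shared_write: bool) -> State:
    """Process i steps. With shared_write it also records its id in the shared
    variable, which makes the transitions of different processes conflict."""
    flags, shared = state
    new_flags = flags[:i] + (1,) + flags[i + 1:]
    return (new_flags, i + 1 if shared_write else shared)


def independent(state: State, a: int, b: int, shared_write: bool) -> bool:
    """a and b are independent in state if neither disables the other and they commute."""
    after_a = fire(state, a, shared_write)
    after_b = fire(state, b, shared_write)
    return (b in enabled(after_a) and a in enabled(after_b)
            and fire(after_a, b, shared_write) == fire(after_b, a, shared_write))


def all_enabled(state: State, shared_write: bool) -> List[int]:
    """Full state graph: expand every enabled transition."""
    return enabled(state)


def representatives(state: State, shared_write: bool) -> List[int]:
    """Simplified ample-set rule: when every pair of enabled transitions is independent,
    expand a single representative; otherwise expand them all. The full ample-set
    conditions also deal with visibility and cycles; this model is acyclic and the
    property checked below looks at terminal states only, so the simple rule is sound here."""
    en = enabled(state)
    if len(en) > 1 and all(independent(state, a, b, shared_write)
                           for a in en for b in en if a < b):
        return en[:1]
    return en


def explore(initial: State, choose, shared_write: bool) -> Set[State]:
    """Depth-first reachability, expanding only the transitions `choose` returns."""
    seen: Set[State] = set()
    stack = [initial]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        for i in choose(s, shared_write):
            stack.append(fire(s, i, shared_write))
    return seen


def terminal(states: Set[State]) -> Set[State]:
    """States with no enabled transition (every process has stepped)."""
    return {s for s in states if not enabled(s)}


def compare(n: int, shared_write: bool = False) -> Tuple[int, int, bool]:
    """Return (states in the full graph, states in the reduced graph,
    whether both graphs reach exactly the same terminal states)."""
    init = ((0,) * n, 0)
    full = explore(init, all_enabled, shared_write)
    reduced = explore(init, representatives, shared_write)
    return len(full), len(reduced), terminal(full) == terminal(reduced)


if __name__ == "__main__":
    for n in (3, 5):
        print(n, compare(n))                    # (2**n, n + 1, True)
    print(3, compare(3, shared_write=True))     # conflicting steps: no reduction
```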

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold of the sub-processes.
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite-state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C.
• (The cone of influence C is the smallest superset of V that contains every variable read by the assignment of a variable already in the set; N keeps only the assignments of the variables in C.)

Cone of Influence Reduction

A simple system model (all assignments are executed in parallel, each reading the old values):

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property: F(~v1), i.e. v1 will eventually become False.

The cone of influence of {v1} is {v1, v2, v3}, so the reduced model keeps only their assignments:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End

Cone of Influence Reduction
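The reduction from the example above carried out in code, as an added example that is not part of the slides: the cone is computed as a fixpoint over the assignment dependencies, the reduced model N is built from it, and F(~v1) is decided on both M and N from every initial state to confirm the verdicts agree. The model is the slide's; the encoding as next-state functions is constructed here, and v6, which has no assignment, is treated as keeping its value.

```python
from typing import Callable, Dict, Iterator, List, Set, Tuple

BoolState = Dict[str, bool]
# For each assigned variable: the variables its right-hand side reads, and the
# right-hand side itself. This is the slide's model M, constructed here by hand.
Model = Dict[str, Tuple[Set[str], Callable[[BoolState], bool]]]

FULL_MODEL: Model = {
    "v1": ({"v2"}, lambda s: s["v2"]),
    "v2": ({"v1", "v3"}, lambda s: s["v1"] and s["v3"]),
    "v3": ({"v1", "v2"}, lambda s: s["v1"] and s["v2"]),
    "v4": ({"v5", "v3"}, lambda s: s["v5"] and s["v3"]),
    "v5": ({"v4", "v6"}, lambda s: s["v4"] and s["v6"]),
}
ALL_VARS: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(model: Model, v: Set[str]) -> Set[str]:
    """Smallest superset C of V such that whenever x is in C, every variable read
    by the assignment of x is in C as well (a fixpoint over the dependency graph)."""
    cone: Set[str] = set(v)
    work: List[str] = list(v)
    while work:
        x = work.pop()
        reads = model[x][0] if x in model else set()
        for y in reads - cone:
            cone.add(y)
            work.append(y)
    return cone


def reduce_model(model: Model, cone: Set[str]) -> Model:
    """The reduced model N: only the assignments of cone variables survive. Their
    right-hand sides read cone variables only, so N is self-contained."""
    return {x: model[x] for x in model if x in cone}


def step(model: Model, s: BoolState) -> BoolState:
    """One synchronous step: every assignment reads the old state; unassigned
    variables keep their value."""
    return {x: (model[x][1](s) if x in model else s[x]) for x in s}


def eventually_not(model: Model, s: BoolState, var: str) -> bool:
    """Decide F(~var) on the unique path from s. The system is deterministic and
    finite, so the path is a lasso: once a state repeats, nothing new can appear."""
    seen: Set[Tuple[Tuple[str, bool], ...]] = set()
    while True:
        key = tuple(sorted(s.items()))
        if key in seen:
            return False
        seen.add(key)
        if not s[var]:
            return True
        s = step(model, s)


def all_states(variables: List[str]) -> Iterator[BoolState]:
    """Every valuation of the given variables (every possible initial state)."""
    for bits in range(1 << len(variables)):
        yield {x: bool((bits >> i) & 1) for i, x in enumerate(variables)}


def check_reduction(var: str = "v1") -> Tuple[Set[str], int, int, bool]:
    """Check F(~var) from every initial state of M and of its reduction N; report
    (cone, number of states of M, number of states of N, verdicts agree everywhere)."""
    cone = cone_of_influence(FULL_MODEL, {var})
    reduced = reduce_model(FULL_MODEL, cone)
    reduced_vars = [x for x in ALL_VARS if x in cone]
    agree = all(
        eventually_not(FULL_MODEL, s, var)
        == eventually_not(reduced, {x: s[x] for x in reduced_vars}, var)
        for s in all_states(ALL_VARS)
    )
    return cone, 1 << len(ALL_VARS), 1 << len(reduced_vars), agree


if __name__ == "__main__":
    print(check_reduction("v1"))   # ({'v1', 'v2', 'v3'}, 64, 8, True)
```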

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

    x : int → {Even, Odd}
        Even: … -2, 0, 2, 4 …
        Odd:  … -3, -1, 1, 3 …

    y : int → {Neg, Zero, Pos}
        Neg:  … -3, -2, -1
        Zero: 0
        Pos:  1, 2, 3 …

Symmetry

• Symmetry partitions the state space into equivalence classes.
• Knowledge of symmetry: search only 1 state per equivalence class.
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic.
• Challenges: detecting & exploiting symmetries.

Model Written in SPIN

    mtype = { N, T, C };     /* non-critical, trying, critical */
    byte tok = 1;            /* which process holds the token */

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* the state graph numbers the processes 1 and 2; _pid is 0 or 1 */
        :: (state == C) -> state = N;
                           if            /* hand the token to process 1 or 2, nondeterministically */
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 reachable states; each state gives the local state of process 1, the local state of process 2, and the token holder):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
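The state graph and its symmetry-reduced version reconstructed by explicit-state search, as an added example that is not part of the slides: the successor relation follows the Promela model above, the symmetry is the swap of the two processes (with the token relabelled), and the canonical representative of each orbit is the state in which process 1 holds the token, which is exactly the reduced graph on the slide. The encoding and the mutual-exclusion check are constructed here.

```python
from collections import deque
from typing import Callable, Dict, Set, Tuple

# Global state: (local state of process 1, local state of process 2, token holder).
State = Tuple[str, str, int]
INITIAL: State = ("N", "N", 1)


def set_local(s: State, i: int, new_local: str, new_tok: int) -> State:
    """Rebuild the state with process i (0 or 1) in new_local and the token at new_tok."""
    local = [s[0], s[1]]
    local[i] = new_local
    return (local[0], local[1], new_tok)


def successors(s: State) -> Set[State]:
    """One transition of either process, following the Promela model: N -> T always,
    T -> C only while holding the token, C -> N and then pass the token to 1 or 2."""
    out: Set[State] = set()
    tok = s[2]
    for i in (0, 1):                 # process i is numbered i + 1 in the token field
        if s[i] == "N":
            out.add(set_local(s, i, "T", tok))
        elif s[i] == "T" and tok == i + 1:
            out.add(set_local(s, i, "C", tok))
        elif s[i] == "C":
            out.add(set_local(s, i, "N", 1))
            out.add(set_local(s, i, "N", 2))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two processes and relabel the token accordingly."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Orbit representative: the member of the orbit in which process 1 holds the token."""
    return s if s[2] == 1 else swap(s)


def explore(initial: State,
            rep: Callable[[State], State] = lambda s: s) -> Dict[State, Set[State]]:
    """Breadth-first search that stores rep(state) only. With the identity this is the
    full state graph; with `canonical` it is the quotient (reduced) graph."""
    graph: Dict[State, Set[State]] = {}
    queue = deque([rep(initial)])
    while queue:
        s = queue.popleft()
        if s in graph:
            continue
        graph[s] = {rep(t) for t in successors(s)}
        queue.extend(graph[s])
    return graph


def mutual_exclusion(graph: Dict[State, Set[State]]) -> bool:
    """Safety property: the two processes are never in C at the same time."""
    return all(not (s[0] == "C" and s[1] == "C") for s in graph)


def compare() -> Tuple[int, int, bool, bool]:
    """(full states, reduced states, mutual exclusion holds in both graphs,
    every full state has its representative in the reduced graph)."""
    full = explore(INITIAL)
    reduced = explore(INITIAL, canonical)
    covered = all(canonical(s) in reduced for s in full)
    return len(full), len(reduced), mutual_exclusion(full) and mutual_exclusion(reduced), covered


if __name__ == "__main__":
    print(compare())   # (12, 6, True, True)
```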

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.
• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states     time       memory        states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB       435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB        568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB       945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB       8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB        2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB        N/A¹
Worst (3)                 15         0.04s      0.3 MB        15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB        2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB       N/A¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best, Worst.

Comparison: Leader Election Protocol

Non-PO       NuSMV                               SPIN
             states     time       memory        states     time       memory
2            70         0.11s      1.1 MB        70         <0.01s     1.5 MB
3            488        0.57s      4.6 MB        488        <0.01s     1.5 MB
4            3576       6.77s      10.6 MB       3576       0.10s      2.3 MB
8            N/A¹                                N/A¹

PO           NuSMV-ImProviso                     SPIN
             states     time       memory        states     time       memory
2            48         0.10s      1.0 MB        48         0.02s      1.5 MB
3            209        0.31s      3.0 MB        209        <0.01s     1.5 MB
4            922        1.77s      10.4 MB       922        <0.01s     1.7 MB
8            306903     3553.86s   381.8 MB      306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Partial Order Reduction

bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

bull The ordering between independent transitions is largely meaningless

The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

explosion problembull To see this consider n transitions that can be executed

concurrentlybull In this case there are n different orderings and 2n different states

(one for each subset of the transitions)bull If the specification does not distinguish between these

sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction aims to reduce the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions that result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
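The following is an added example (not from the slides and not SPIN's implementation) of the reduction described above: an explicit-state reachability check that, when reduction is switched on, explores an ample set instead of every enabled transition. The models are constructed toys in which every process has exactly one step; a transition is taken alone as the ample set when it is invisible to the property (writes none of the property's variables) and "safe" (touches no variable any other process touches, so no other transition depends on it). Under those assumptions the usual ample-set conditions hold: C1 because nothing dependent on the chosen transition can fire before it, C2 because it is invisible, and C3 vacuously because the models are acyclic. The first model is the slide's case of n independent transitions; the second adds two processes racing on a shared variable, which the reduction correctly refuses to collapse.

```python
"""Explicit-state reachability with and without partial order reduction (ample sets).

Constructed example: each process has a single step. Transitions only write
(no reads), so two transitions are dependent exactly when their write sets overlap.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

State = Tuple[Tuple[str, int], ...]   # sorted (variable, value) pairs; hashable


@dataclass(frozen=True)
class Transition:
    name: str
    pid: int
    writes: FrozenSet[str]
    effect: Callable[[Dict[str, int]], None]   # mutates a copy of the valuation


def freeze(v: Dict[str, int]) -> State:
    return tuple(sorted(v.items()))


def enabled(state: State, ts: List[Transition]) -> List[Transition]:
    v = dict(state)
    return [t for t in ts if v[f"pc{t.pid}"] == 0]   # one step per process


def step(state: State, t: Transition) -> State:
    v = dict(state)
    t.effect(v)
    v[f"pc{t.pid}"] = 1
    return freeze(v)


def safe(t: Transition, ts: List[Transition]) -> bool:
    """Sufficient condition for C1 with one-step processes: no transition of another
    process touches a variable t writes, hence nothing is dependent on t."""
    return all(u.pid == t.pid or not (u.writes & t.writes) for u in ts)


def ample(state: State, ts: List[Transition], prop_vars: FrozenSet[str], reduce: bool):
    en = enabled(state, ts)
    if reduce:
        for t in en:
            if not (t.writes & prop_vars) and safe(t, ts):   # C2 (invisible) and C1
                return [t]                                   # one representative suffices
    return en   # otherwise explore the full set of enabled transitions


def explore(init: State, ts, invariant, prop_vars, reduce: bool) -> Tuple[int, int]:
    """DFS over the (reduced) state graph: (#states visited, #states violating invariant)."""
    seen, stack, bad = {init}, [init], 0
    while stack:
        s = stack.pop()
        if not invariant(dict(s)):
            bad += 1
        for t in ample(s, ts, prop_vars, reduce):
            n = step(s, t)
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return len(seen), bad


def setter(var: str, val: int):
    def eff(v: Dict[str, int]) -> None:
        v[var] = val
    return eff


def independent_model(n: int):
    """The slide's case: n concurrent, pairwise independent transitions."""
    init = {f"x{i}": 0 for i in range(1, n + 1)}
    init.update({f"pc{i}": 0 for i in range(1, n + 1)})
    ts = [Transition(f"t{i}", i, frozenset({f"x{i}"}), setter(f"x{i}", 1))
          for i in range(1, n + 1)]
    return freeze(init), ts, (lambda v: True), frozenset()


def shared_model():
    """Processes 2 and 3 race on shared s ("last writer wins"), so they are dependent and,
    for the invariant s != 3, visible; processes 1, 4 and 5 are purely local."""
    init = {"x1": 0, "x4": 0, "x5": 0, "s": 0}
    init.update({f"pc{i}": 0 for i in range(1, 6)})
    ts = [
        Transition("t1", 1, frozenset({"x1"}), setter("x1", 1)),
        Transition("t2", 2, frozenset({"s"}), setter("s", 2)),
        Transition("t3", 3, frozenset({"s"}), setter("s", 3)),
        Transition("t4", 4, frozenset({"x4"}), setter("x4", 1)),
        Transition("t5", 5, frozenset({"x5"}), setter("x5", 1)),
    ]
    return freeze(init), ts, (lambda v: v["s"] != 3), frozenset({"s"})


def compare(model) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """((states, violations) without reduction, (states, violations) with reduction)."""
    init, ts, inv, pv = model
    return explore(init, ts, inv, pv, False), explore(init, ts, inv, pv, True)


if __name__ == "__main__":
    print("independent(5): full, reduced =", compare(independent_model(5)))   # 32 vs 6 states
    print("shared:         full, reduced =", compare(shared_model()))          # 40 vs 8 states
```

For five independent transitions the full graph has 2^5 = 32 states and the reduced graph 5 + 1 = 6, exactly the slide's count. In the shared model the reduction keeps all interleavings of the two dependent writers and still reaches the violating state s = 3, so the verdict is the same as on the full graph while the state count drops from 40 to 8.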

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold of the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then M ⊨ f if and only if N ⊨ f, where N is the model reduced with respect to C

Cone of Influence Reduction

A simple system model:
  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever, in parallel:
    v1 := v2;  v2 := v1 & v3;  v3 := v1 & v2;  v4 := v5 & v3;  v5 := v4 & v6
  End

A simple LTL property:
  F (~v1)        (v1 will eventually become False)

After cone of influence reduction (only v1, v2 and v3 can influence v1; v4, v5 and v6 are dropped):
  Boolean v1, v2, v3
  Repeat forever, in parallel:
    v1 := v2;  v2 := v1 & v3;  v3 := v1 & v2
  End
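As an added example (not part of the slides), the reduction above carried out mechanically: the cone is computed as the least set of variables closed under "reads from", the model is cut down to it, and F(~v1) is checked on both the full and the reduced model by explicit enumeration. The model is synchronous and deterministic, so the run from each initial state is a lasso and F(~v1) holds on it iff ~v1 is true somewhere on the prefix or the loop. Two assumptions not stated on the slide: every valuation is an initial state, and v6, which has no update rule, keeps its value.

```python
"""Cone of influence reduction on the slide's synchronous Boolean model, checked
against the LTL property F(~v1). Constructed from the slide's "repeat forever in
parallel" block; v6 is assumed to keep its value (no rule is given for it)."""
import itertools
from typing import Callable, Dict, FrozenSet, Iterable, List

Valuation = Dict[str, bool]
Model = Dict[str, tuple]   # variable -> (variables it reads, next-state function)

FULL: Model = {
    "v1": (["v2"],       lambda v2: v2),
    "v2": (["v1", "v3"], lambda v1, v3: v1 and v3),
    "v3": (["v1", "v2"], lambda v1, v2: v1 and v2),
    "v4": (["v5", "v3"], lambda v5, v3: v5 and v3),
    "v5": (["v4", "v6"], lambda v4, v6: v4 and v6),
    "v6": (["v6"],       lambda v6: v6),          # assumed frame rule, not from the slide
}


def cone_of_influence(model: Model, targets: Iterable[str]) -> FrozenSet[str]:
    """Least set containing the targets and closed under 'reads from'."""
    cone = set(targets)
    work = list(cone)
    while work:
        x = work.pop()
        for dep in model[x][0]:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return frozenset(cone)


def reduce_model(model: Model, cone: FrozenSet[str]) -> Model:
    # Well defined because every variable read by a cone variable is itself in the cone.
    return {x: model[x] for x in model if x in cone}


def successor(model: Model, s: Valuation) -> Valuation:
    # Synchronous update: every variable is assigned from the old valuation.
    return {x: f(*(s[d] for d in deps)) for x, (deps, f) in model.items()}


def all_states(model: Model) -> List[Valuation]:
    names = sorted(model)
    return [dict(zip(names, bits))
            for bits in itertools.product([False, True], repeat=len(names))]


def check_eventually(model: Model, pred: Callable[[Valuation], bool]) -> List[Valuation]:
    """Initial states from which F(pred) fails. Runs are deterministic lassos, so
    walking until the first repeated state covers the prefix and the loop."""
    failing = []
    for init in all_states(model):
        seen, cur, ok = set(), init, False
        while tuple(sorted(cur.items())) not in seen:
            seen.add(tuple(sorted(cur.items())))
            if pred(cur):
                ok = True
                break
            cur = successor(model, cur)
        if not ok:
            failing.append(init)
    return failing


def eventually_not_v1(s: Valuation) -> bool:
    return not s["v1"]


def compare() -> dict:
    cone = cone_of_influence(FULL, ["v1"])
    reduced = reduce_model(FULL, cone)
    full_cex = check_eventually(FULL, eventually_not_v1)
    red_cex = check_eventually(reduced, eventually_not_v1)
    return {
        "cone": cone,
        "full_states": len(all_states(FULL)),
        "reduced_states": len(all_states(reduced)),
        "full_holds": not full_cex,
        "reduced_holds": not red_cex,
        "full_counterexamples": len(full_cex),
        "reduced_counterexamples": len(red_cex),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The property actually fails on this model: from v1 = v2 = v3 = true the three cone variables stay true forever. Both checks return the same verdict, as the theorem promises, but the full model has 64 initial states and reports 8 counterexamples (one per choice of the irrelevant v4, v5, v6), whereas the reduced model has 8 initial states and a single counterexample.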

Data Abstraction

Abstraction function h: S → S' (figure: h maps each concrete state in S to an abstract state in S'; several concrete states share one abstract state)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  x: int  →  {Even, Odd}
      Even = {…, -2, 0, 2, 4, …}
      Odd  = {…, -3, -1, 1, 3, …}
  y: int  →  {Pos, Neg, Zero}
      Pos  = {1, 2, 3, …}
      Neg  = {…, -3, -2, -1}
      Zero = {0}
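An added example, not from the slides, of the component-wise abstraction above applied to a constructed program, showing both a property the abstraction proves and the loss of precision the Abstraction slide warns about. The program is the loop `while y > 1: x := x + 2; y := y - 2`. Its abstract transition relation is computed statement by statement over the two abstract domains, which is what one does when the concrete state space is infinite; that over-approximates the exact existential abstraction (the sign domain cannot express y > 1, so it cannot see that y - 2 is never negative), and the result is a spurious abstract path into Neg: a false positive.

```python
"""Data abstraction with the slide's domains: x:int -> {Even, Odd}, y:int -> {Pos, Neg, Zero}.
Constructed program: while y > 1: x := x + 2; y := y - 2."""
from typing import Callable, Dict, Set, Tuple

Abs = Tuple[str, str]          # (parity of x, sign of y)
Conc = Tuple[int, int]         # (x, y)


def h(x: int, y: int) -> Abs:
    """Abstraction function, applied component-wise."""
    px = "Even" if x % 2 == 0 else "Odd"
    sy = "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")
    return (px, sy)


# Abstract transformers for the loop guard and the two assignments.
def guard_may_hold(sy: str) -> bool:
    return sy == "Pos"                      # y > 1 can only be true when y is positive


def add2_parity(px: str) -> Set[str]:
    return {px}                             # exact: +2 preserves parity


def sub2_sign(sy: str) -> Set[str]:
    if sy == "Pos":
        return {"Pos", "Zero", "Neg"}       # y=1 -> -1, y=2 -> 0, y>=3 stays positive
    return {"Neg"}                          # Zero-2 and Neg-2 are negative


def abstract_successors(a: Abs) -> Set[Abs]:
    px, sy = a
    if not guard_may_hold(sy):
        return set()                        # loop exits: no further transition
    return {(px2, sy2) for px2 in add2_parity(px) for sy2 in sub2_sign(sy)}


def concrete_successors(s: Conc) -> Set[Conc]:
    x, y = s
    return {(x + 2, y - 2)} if y > 1 else set()


def reachable(init, succ: Callable) -> Set:
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for n in succ(s):
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen


def check(x0: int, y0: int) -> Dict[str, bool]:
    """Check 'x stays even' and 'y never negative' on the concrete and the abstract model."""
    conc = reachable((x0, y0), concrete_successors)
    abst = reachable(h(x0, y0), abstract_successors)
    return {
        "concrete_x_stays_even": all(x % 2 == 0 for x, _ in conc),
        "abstract_x_stays_even": all(px == "Even" for px, _ in abst),
        "concrete_y_never_negative": all(y >= 0 for _, y in conc),
        "abstract_y_never_negative": all(sy != "Neg" for _, sy in abst),
        # Soundness: every reachable concrete state abstracts to a reachable abstract state.
        "abstraction_is_sound": all(h(x, y) in abst for x, y in conc),
    }


if __name__ == "__main__":
    for key, value in check(0, 5).items():
        print(f"{key}: {value}")
```

Starting from x = 0, y = 5, the concrete run visits (0,5), (2,3), (4,1) and stops. The parity property is proved on the abstract model because +2 is exact on {Even, Odd}. The sign property holds concretely, but the abstract model reaches (Even, Neg) and reports a violation that no concrete execution exhibits; a practitioner would have to refine the abstraction (or inspect the abstract counterexample) before trusting it. The abstraction is nonetheless sound: everything the concrete system does is simulated by the abstract one.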

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* user states: non-critical, trying, critical (declaration needed to compile) */
byte tok = 1;

active [2] proctype user() {
  byte state = N;
  do
  :: (state == N) -> state = T
  :: (state == T) && (tok == _pid + 1) -> state = C   /* SPIN numbers active processes from 0; the graph numbers users 1 and 2 */
  :: (state == C) -> state = N;
                     if
                     :: tok = 1    /* nondeterministic reset of the token */
                     :: tok = 2
                     fi
  od
}

Symmetry Reduction Example

State graph (12 reachable states; each row is a pair of states mapped onto each other by swapping the two users and renaming the token):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class, chosen with tok=1):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
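As an added example (not SPIN's implementation and not on the slides), the token model above explored twice: once with the plain interleaving semantics and once with every successor mapped to its orbit representative under the user-swapping symmetry. The representative is the member of the pair with tok = 1, which is exactly how the reduced graph on the slide is drawn. Mutual exclusion (never both users in C) is checked on both graphs, and the full graph is checked to be closed under the symmetry, the precondition for the reduction to be sound.

```python
"""Symmetry reduction on the two-user token model from the Promela slide.
User states: N (non-critical), T (trying), C (critical); the token tok is 1 or 2."""
from typing import Callable, List, Set, Tuple

State = Tuple[str, str, int]   # (state of user 1, state of user 2, tok)
INIT: State = ("N", "N", 1)


def successors(s: State) -> List[State]:
    """Interleaving semantics of the Promela do-loop: either user takes one step."""
    out: List[State] = []
    users, tok = [s[0], s[1]], s[2]
    for i in (0, 1):
        def with_user(new_state: str, new_tok: int) -> State:
            u = list(users)
            u[i] = new_state
            return (u[0], u[1], new_tok)
        if users[i] == "N":
            out.append(with_user("T", tok))
        elif users[i] == "T" and tok == i + 1:     # user i+1 needs the token to enter C
            out.append(with_user("C", tok))
        elif users[i] == "C":                      # leave C; token reset is nondeterministic
            out.append(with_user("N", 1))
            out.append(with_user("N", 2))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two users and rename the token 1 <-> 2."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Orbit representative: the member of {s, swap(s)} with tok == 1."""
    return s if s[2] == 1 else swap(s)


def explore(canon: Callable[[State], State]) -> Set[State]:
    """DFS in which every successor is replaced by canon(successor)."""
    start = canon(INIT)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for n in map(canon, successors(s)):
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen


def mutual_exclusion(states: Set[State]) -> bool:
    return not any(a == "C" and b == "C" for a, b, _ in states)


def closed_under_swap() -> bool:
    """Soundness precondition: the full reachable set is invariant under the symmetry."""
    full = explore(lambda s: s)
    return all(swap(s) in full for s in full)


def compare() -> Tuple[int, int, bool, bool]:
    """(#full states, #reduced states, mutex on full graph, mutex on reduced graph)."""
    full = explore(lambda s: s)
    reduced = explore(canonical)
    return len(full), len(reduced), mutual_exclusion(full), mutual_exclusion(reduced)


if __name__ == "__main__":
    print("full, reduced, mutex(full), mutex(reduced) =", compare())   # 12, 6, True, True
```

The counts match the slide: 12 states in the full graph, 6 in the reduced one, with mutual exclusion holding in both. Canonicalising every successor is the simplest exploitation strategy; for larger numbers of symmetric processes the representative is usually computed by sorting the per-process components, which is what makes symmetry detection and efficient canonicalisation the two open problems the Symmetry slide lists.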

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Partial Order Reduction

bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

bull It exploits the commutativity of concurrently executed transitions which result in the same state

bull Thus this reduction technique is best suited for asynchronous systems

bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Partial Order Reduction (Cont)

bull The method consists of constructing a reduced state graph

bull The full state graph which may be too big to fit in memory is never constructed

bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

bull The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion


Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution

• However, the method is better described as "model checking using representatives", since the verification is performed on representatives of the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver

• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes it interacts with
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation

• Disadvantage
  – Loss of precision: false positives/negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model M:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel:
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A simple LTL property: F(~v1), "v1 will eventually become False"

After cone of influence reduction with respect to the variables the property refers to:

    Boolean v1, v2, v3;
    Repeat forever in parallel:
        v1 = v2;
        v2 = v1 & v3;
    End
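The reduction the slide describes, worked through as an added Python example (not part of the original slides): it computes the cone of influence of {v1} from the update equations, slices the model down to that cone, and then checks F(~v1) from every initial state of both the full model M and the reduced model N to confirm that the two verdicts agree, as the theorem on the previous slide promises. The update equations are those on the slide; the encoding of each update as a conjunction of its operands, the treatment of the never-assigned v6 as a constant input, and all function names are assumptions of the example.

```python
from itertools import product

# Constructed from the slide's system model.  Each entry lists the variables whose
# conjunction is the next value of the key (a single operand is a plain copy);
# v6 is never assigned on the slide, so the example treats it as a constant input.
FULL_MODEL = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
}
FULL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(model, targets):
    """Smallest superset of `targets` closed under 'is read by the update of a member'."""
    cone = set(targets)
    work = list(targets)
    while work:
        v = work.pop()
        for dep in model.get(v, ()):
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(model, variables, targets):
    """Drop every variable outside the cone together with its update equation."""
    cone = cone_of_influence(model, targets)
    reduced = {v: ops for v, ops in model.items() if v in cone}
    return reduced, [v for v in variables if v in cone]


def step(model, variables, state):
    """One synchronous step: all updates fire in parallel, reading the old state."""
    return {v: (all(state[o] for o in model[v]) if v in model else state[v])
            for v in variables}


def path_violates_f_not_v1(model, variables, init):
    """The model is deterministic, so each initial state has exactly one path.
    F(~v1) fails on it iff the path closes a cycle without ever making v1 false."""
    seen = set()
    state = init
    while True:
        if not state["v1"]:
            return False            # ~v1 reached: F(~v1) holds on this path
        key = tuple(state[v] for v in variables)
        if key in seen:
            return True             # lasso closed with v1 true at every state
        seen.add(key)
        state = step(model, variables, state)


def violating_initial_states(model, variables):
    """All initial states from which F(~v1) does not hold."""
    return [dict(zip(variables, bits))
            for bits in product((False, True), repeat=len(variables))
            if path_violates_f_not_v1(model, variables, dict(zip(variables, bits)))]


def project(states, variables):
    """Restrict a list of states to `variables`, as a set of value tuples."""
    return {tuple(s[v] for v in variables) for s in states}


if __name__ == "__main__":
    reduced, cone_vars = reduce_model(FULL_MODEL, FULL_VARS, ["v1"])
    bad_m = violating_initial_states(FULL_MODEL, FULL_VARS)   # M: 64 initial states
    bad_n = violating_initial_states(reduced, cone_vars)      # N:  8 initial states
    print("cone of influence of {v1}:", cone_vars)
    print("initial states violating F(~v1): M =", len(bad_m), " N =", len(bad_n))
    print("same verdicts on the cone variables:",
          project(bad_m, cone_vars) == project(bad_n, cone_vars))
```

The property fails in both models from the initial states where v1, v2 and v3 are all true (the three variables then hold each other at true forever); projected onto the cone variables, M and N report exactly the same set of counterexample initial states, while N explores 8 initial states instead of 64.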

Data Abstraction

[Figure: abstraction function h: S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where the variables are the components

  x: int → {Even, Odd}
    Even = {…, -2, 0, 2, 4, …}
    Odd  = {…, -3, -1, 1, 3, …}

  y: int → {Neg, Zero, Pos}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
    Pos  = {1, 2, 3, …}
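An added Python example (not from the original slides) of the component-wise abstraction shown above, combined with the usual existential abstraction of a transition relation so that the loss of precision mentioned on the Abstraction slide becomes visible. The abstraction functions (sign and parity) are the slide's; the concrete transition x' = x + 1, the bounded integer window over which the abstract transitions are collected, and all function names are constructed for the example.

```python
from itertools import product

# Abstraction functions from the slide.
def sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def componentwise(*hs):
    """h(s) = (h1(s[0]), h2(s[1]), ...): each variable is abstracted independently."""
    return lambda state: tuple(h(c) for h, c in zip(hs, state))


def existential_abstraction(h, step, concrete_states):
    """Abstract transition a -> a' exists iff SOME concrete s -> step(s) has
    h(s) = a and h(step(s)) = a'.  This over-approximates the concrete behaviour:
    every concrete run has an abstract image, but not every abstract run is real."""
    return {(h(s), h(step(s))) for s in concrete_states}


def can_avoid_forever(edges, start, avoid):
    """True if the abstract graph has an infinite path from `start` that never
    visits `avoid`, i.e. a cycle reachable from `start` inside the other states.
    If so, the abstraction cannot prove the liveness property F(avoid)."""
    if start == avoid:
        return False
    succ = {}
    for a, b in edges:
        if a != avoid and b != avoid:
            succ.setdefault(a, set()).add(b)
    colour = {}                       # grey = on the DFS stack, black = finished

    def dfs(node):
        colour[node] = "grey"
        for nxt in succ.get(node, ()):
            if colour.get(nxt) == "grey":
                return True           # back edge: a cycle that avoids `avoid`
            if nxt not in colour and dfs(nxt):
                return True
        colour[node] = "black"
        return False

    return dfs(start)


def concrete_eventually(x, step, pred, max_steps=1000):
    """Bounded check of F(pred) along the single concrete run starting at x."""
    for _ in range(max_steps):
        if pred(x):
            return True
        x = step(x)
    return False


# Constructed transition relation and bounded window of the unbounded int domain
# (assumptions of this example, not taken from the slide).
def inc(x):
    return x + 1


WINDOW = range(-8, 9)
SIGN_EDGES = existential_abstraction(sign, inc, WINDOW)
PARITY_EDGES = existential_abstraction(parity, inc, WINDOW)
PAIR_EDGES = existential_abstraction(componentwise(parity, sign),
                                     lambda s: (inc(s[0]), inc(s[1])),
                                     list(product(WINDOW, repeat=2)))

if __name__ == "__main__":
    print("sign:  ", sorted(SIGN_EDGES))
    print("parity:", sorted(PARITY_EDGES))
    print("(parity, sign) pairs:", len(PAIR_EDGES), "abstract transitions")
    # Loss of precision: concretely every negative x reaches 0 under x+1, but the
    # abstract self-loop Neg -> Neg lets the abstraction "stay negative forever".
    print("concrete F(x == 0) from -5:", concrete_eventually(-5, inc, lambda v: v == 0))
    print("abstract can avoid Zero from Neg:", can_avoid_forever(SIGN_EDGES, "Neg", "Zero"))
```

The parity abstraction of x + 1 is exact (Even and Odd simply alternate), whereas the sign abstraction produces the self-loop Neg → Neg alongside Neg → Zero: the abstract model admits a run that stays Neg forever, so it reports a counterexample to "x eventually reaches 0" that has no concrete counterpart. That is the false negative the Abstraction slide warns about, and the reason abstractions are usually refined after a spurious counterexample.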

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };       /* the three local states; the declaration is needed to compile */
    byte tok = 1;

    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based, tok is 1 or 2 */
        :: (state == C) -> state = N;
           if                 /* the token is reassigned non-deterministically */
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

State graph (each state lists the local states of user 1 and user 2, followed by the token value):

  N1 N2, tok=1     N1 N2, tok=2
  N1 T2, tok=1     T1 N2, tok=2
  T1 N2, tok=1     N1 T2, tok=2
  T1 T2, tok=1     T1 T2, tok=2
  C1 N2, tok=1     N1 C2, tok=2
  C1 T2, tok=1     T1 C2, tok=2

Reduced state graph (one representative per equivalence class under the swap of the two users):

  N1 N2, tok=1
  N1 T2, tok=1
  T1 N2, tok=1
  T1 T2, tok=1
  C1 N2, tok=1
  C1 T2, tok=1
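An added Python example (not from the original slides) that builds the state graph of the two-user token model above and its symmetry-reduced quotient, reproducing the 12-state and 6-state graphs sketched on the slide, and checks mutual exclusion on both. It assumes the Promela reads as follows: user i (1-based) may move from T to C only while tok == i, and on leaving C it resets tok non-deterministically to 1 or 2; the helper names are the example's own.

```python
from collections import deque

# Local states of the Promela model above: N (non-critical), T (trying), C (critical).
N, T, C = "N", "T", "C"
INIT = (N, N, 1)        # (state of user 1, state of user 2, tok)


def successors(state):
    """Global successors under the two-user model.  Assumed reading of the Promela:
    user i (1-based) may move T -> C only while tok == i, and on leaving C it
    resets tok non-deterministically to 1 or 2."""
    s1, s2, tok = state
    local = [s1, s2]
    out = []
    for i in (0, 1):
        nxt = list(local)
        if local[i] == N:
            nxt[i] = T
            out.append((nxt[0], nxt[1], tok))
        elif local[i] == T and tok == i + 1:
            nxt[i] = C
            out.append((nxt[0], nxt[1], tok))
        elif local[i] == C:
            nxt[i] = N
            for new_tok in (1, 2):
                out.append((nxt[0], nxt[1], new_tok))
        # a user in T without the token has no enabled transition
    return out


def swap(state):
    """The symmetry: exchange the two users and renumber the token accordingly."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative: the orbit member with tok == 1 (lexicographic tie-break)."""
    return min((state, swap(state)), key=lambda st: (st[2], st))


def explore(init, rep=lambda st: st):
    """Breadth-first reachability.  `rep` maps each state to its representative, so
    explore(INIT, canonical) builds the quotient graph instead of the full one."""
    start = rep(init)
    seen = {start}
    edges = set()
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in successors(cur):
            nxt = rep(nxt)
            edges.add((cur, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, edges


def mutual_exclusion_holds(states):
    """Safety check: no reachable state has both users in C.  Because the property is
    itself symmetric, checking it on the reduced graph is as good as on the full one."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)


if __name__ == "__main__":
    full, full_edges = explore(INIT)
    reduced, reduced_edges = explore(INIT, canonical)
    print(f"full graph:    {len(full)} states, {len(full_edges)} transitions")
    print(f"reduced graph: {len(reduced)} states, {len(reduced_edges)} transitions")
    print("mutual exclusion:", mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
```

Canonicalising every successor before it is stored is the whole of the "exploitation" step from the Symmetry slide: the search still follows real transitions, but it never revisits a state whose mirror image has already been seen, so the reachable set shrinks from 12 states to the 6 tok=1 representatives listed above. Detecting that the user swap is a symmetry at all is the harder problem the same slide points to; here it is supplied by hand.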

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model checkers
  – Explicit model checker
  – Bounded model checker

• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states     time      memory        states     time      memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB        568        <0.01s    1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
  Best (7)                15         0.06s     0.7 MB        2187       0.03s     1.5 MB
  Best (20)               41         0.34s     5.7 MB        N/A
  Worst (3)               15         0.04s     0.3 MB        15         <0.01s    1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB       N/A

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

         NuSMV                            SPIN
         states    time        memory     states    time      memory
  2      70        0.11s       1.1 MB     70        <0.01s    1.5 MB
  3      488       0.57s       4.6 MB     488       <0.01s    1.5 MB
  4      3576      6.77s       10.6 MB    3576      0.10s     2.3 MB
  8      N/A                              N/A

With partial order reduction (PO):

         NuSMV-ImProviso                  SPIN
         states    time        memory     states    time      memory
  2      48        0.10s       1.0 MB     48        0.02s     1.5 MB
  3      209       0.31s       3.0 MB     209       <0.01s    1.5 MB
  4      922       1.77s       10.4 MB    922       <0.01s    1.7 MB
  8      306903    3553.86s    381.8 MB   306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful

• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits:
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Compositional Reasoning

bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

receiver bull Assume-Guarantee Paradigm

ndash Verify each sub-process separately by adding assumptions on sub-process

ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Abstraction

bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

propertyndash Eg Infinite state Finite state approximation

bull Disadvantage ndash Loss of Precision False positivesnegatives

bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Cone of Influence Reduction

bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

Boolean v1 v2 v3 v4 v5 v6

Repeat forever in parallel

v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

End

(F (~ v1)) v1 will eventually become False

Boolean v1 v2 v3

Repeat forever in parallel

v1 = v2

v2 = v1 amp v3

End

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

Data Abstraction

h h hh h

Abstraction Function h S Srsquo

S

Srsquo

Data Abstraction Example

bull Abstraction proceeds component-wise where variables are components

xint Even

Oddhellip -3 -1 1 3 hellip

hellip -2 0 2 4 hellip

1 2 3 hellip

hellip -3 -2 -1

0

Pos

Neg

Zeroyint

Symmetry

bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

equivalence class

bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

bull Ideally both should be fully automatic

bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

byte tok = 1

active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Cone of Influence Reduction

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A simple LTL property:

  F (~v1)    -- v1 will eventually become False

Cone of influence reduction (only v1 and the variables it transitively depends on remain):

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
  End
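The reduction and the check on the slide, worked through in code (an added example, not code from the slides): cone_of_influence computes the dependency closure of v1 over the full model, reduce_model keeps only the assignments in that cone, and find_stuck_cycle decides F(~v1) on both models by searching for a cycle on which v1 never becomes False, so the two verdicts can be compared. Assumed, since the slide fixes neither: every valuation is a possible initial state, and the unassigned v6 is a free input.

```python
"""Cone-of-influence (COI) reduction for the slide's synchronous Boolean model,
plus an explicit-state check of the LTL property F(~v1) on both the full and
the reduced model.  Added example; not code from the slides."""
from itertools import product

# Full model from the slide: each entry reads "target = AND of sources".
# v6 is never assigned, so it is treated as a free input (assumption).
FULL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]
FULL_MODEL = {
    "v1": ["v2"],
    "v2": ["v1", "v3"],
    "v3": ["v1", "v2"],
    "v4": ["v5", "v3"],
    "v5": ["v4", "v6"],
}


def cone_of_influence(model, property_vars):
    """Every variable a property variable depends on, transitively."""
    cone = set(property_vars)
    worklist = list(property_vars)
    while worklist:
        v = worklist.pop()
        for dep in model.get(v, ()):
            if dep not in cone:
                cone.add(dep)
                worklist.append(dep)
    return cone


def reduce_model(variables, model, property_vars):
    """Keep only the cone variables and the assignments that target them."""
    cone = cone_of_influence(model, property_vars)
    kept = [v for v in variables if v in cone]
    return kept, {v: deps for v, deps in model.items() if v in cone}


def successors(state, variables, model):
    """Synchronous parallel update of `state` (a tuple of bools ordered like
    `variables`); free variables branch over both truth values."""
    assigned, free = {}, []
    for v in variables:
        if v in model:
            assigned[v] = all(state[variables.index(d)] for d in model[v])
        else:
            free.append(v)
    for bits in product((False, True), repeat=len(free)):
        nxt = dict(assigned)
        nxt.update(zip(free, bits))
        yield tuple(nxt[v] for v in variables)


def find_stuck_cycle(variables, model, var):
    """DFS for a cycle along which `var` stays True.  The slide fixes no
    initial state, so every valuation counts as initial (assumption) and such
    a cycle is a counterexample to F(~var).  Returns the cycle's states, or None."""
    idx = variables.index(var)
    region = [s for s in product((False, True), repeat=len(variables)) if s[idx]]
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(region, WHITE)
    for root in region:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, successors(root, variables, model))]
        while stack:
            node, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:                # node fully explored
                colour[node] = BLACK
                stack.pop()
            elif not nxt[idx]:             # leaves the var-True region: irrelevant
                continue
            elif colour[nxt] == GREY:      # back edge: the DFS path closes a loop
                path = [s for s, _ in stack]
                return path[path.index(nxt):]
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, successors(nxt, variables, model)))
    return None


def is_cycle(states, variables, model):
    """Validate a witness: each state steps to the next, the last to the first."""
    return all(states[(i + 1) % len(states)] in set(successors(s, variables, model))
               for i, s in enumerate(states))


if __name__ == "__main__":
    red_vars, red_model = reduce_model(FULL_VARS, FULL_MODEL, ["v1"])
    print("cone of v1:", red_vars, "->", 2 ** len(red_vars),
          "states instead of", 2 ** len(FULL_VARS))
    for name, vs, m in (("full", FULL_VARS, FULL_MODEL), ("reduced", red_vars, red_model)):
        cyc = find_stuck_cycle(vs, m, "v1")
        print(name, "model: F(~v1)",
              "holds" if cyc is None else f"fails, v1 stays True on {cyc}")
```

Both models report the same violation (the all-true valuation is a fixpoint), which is the point of the reduction: the verdict for a property over v1 is unchanged while the state space shrinks from 64 to 8 states.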

Data Abstraction

Abstraction function h: S → S'
  S:  concrete states
  S': abstract states; h maps several concrete states to one abstract state

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int → {Even, Odd}
  Even: … -2, 0, 2, 4 …
  Odd:  … -3, -1, 1, 3 …

y: int → {Neg, Zero, Pos}
  Neg:  … -3, -2, -1
  Zero: 0
  Pos:  1, 2, 3 …

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally, both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };
  byte tok = 1;

  active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based; tok is 1 or 2 as in the state graph */
    :: (state == C) -> state = N;
                       if :: tok = 1 :: tok = 2 fi     /* hand the token on nondeterministically */
    od
  }

Symmetry Reduction Example

State graph (12 reachable states):
  N1 N2 tok=1    N1 N2 tok=2    N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2    T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class, chosen with tok=1):
  N1 N2 tok=1    N1 T2 tok=1    T1 N2 tok=1
  T1 T2 tok=1    C1 N2 tok=1    C1 T2 tok=1
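The full and the reduced state graphs of the slide's token model, recomputed by explicit exploration (an added example written here in Python, not code from the slides or from SPIN): processes are numbered 1 and 2 to match the slide's tok labels, the symmetry is the process swap, and the representative of each equivalence class is the member with tok = 1, as on the slide.

```python
"""Explicit-state exploration of the slide's two-process token model and its
symmetry reduction (the two `user` processes are interchangeable).  Added
example; not the slides' or SPIN's own code."""
N, T, C = "N", "T", "C"     # non-critical, trying, critical (mtype on the slide)
INITIAL = (N, N, 1)         # (local state of process 1, of process 2, tok)


def step(locs, i, new_loc, tok):
    """Copy the local states, move process i to `new_loc`, attach the token."""
    nxt = list(locs)
    nxt[i] = new_loc
    return (nxt[0], nxt[1], tok)


def successors(state):
    """One interleaving step of the Promela model: a single process takes one
    do-branch.  Processes are numbered 1 and 2 like the slide's tok labels;
    a process enters C only while it holds the token and, on leaving C,
    passes the token to 1 or 2 nondeterministically (if :: tok = 1 :: tok = 2 fi)."""
    s1, s2, tok = state
    locs = [s1, s2]
    for i, loc in enumerate(locs):
        pid = i + 1
        if loc == N:
            yield step(locs, i, T, tok)
        elif loc == T and tok == pid:
            yield step(locs, i, C, tok)
        elif loc == C:
            for new_tok in (1, 2):
                yield step(locs, i, N, new_tok)


def swap(state):
    """The symmetry: exchange the two processes, which also renames the token."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative; the slide keeps the member with tok = 1."""
    return state if state[2] == 1 else swap(state)


def explore(rep=lambda s: s):
    """Reachable state graph with every state mapped through `rep`:
    the identity gives the full graph, `canonical` gives the quotient graph."""
    start = rep(INITIAL)
    seen, frontier, edges = {start}, [start], {}
    while frontier:
        s = frontier.pop()
        edges[s] = {rep(t) for t in successors(s)}
        for t in edges[s]:
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return edges


def mutual_exclusion(edges):
    """Safety property on whichever graph was explored: never both in C."""
    return all(not (s[0] == C and s[1] == C) for s in edges)


if __name__ == "__main__":
    full, reduced = explore(), explore(canonical)
    print(len(full), "states in the full graph,", len(reduced), "after symmetry reduction")
    print("mutual exclusion:", mutual_exclusion(full), mutual_exclusion(reduced))
    for s in sorted(reduced):
        print(f"{s[0]}1 {s[1]}2 tok={s[2]}  ->  {sorted(reduced[s])}")
```

Checking mutual exclusion on the quotient graph is sound because the property is itself invariant under the swap; a property that names one process (say, "process 1 eventually enters C") would not be, and would need the full graph or a symmetry-aware formulation.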

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE





Model Written in SPIN

```promela
/* Two symmetric processes share one token; a process may enter its
   critical section only while the token carries its own id. */
#define N 0   /* non-critical */
#define T 1   /* trying */
#define C 2   /* critical */

byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    /* _pid is 0-based (0 and 1) while tok takes the values 1 and 2,
       hence the + 1 in the comparison */
    :: (state == T) && (tok == _pid + 1) -> state = C
    :: (state == C) -> state = N;
       if   /* nondeterministically hand the token to either process */
       :: tok = 1
       :: tok = 2
       fi
    od
}
```

Symmetry Reduction Example

(Figure: the full state graph of the two-process token model beside its reduced state graph. Only the state sets survive extraction; each state is written as process 1 state, process 2 state, tok.)

State-graph (12 states): N1 N2 tok=1; N1 N2 tok=2; N1 T2 tok=1; T1 N2 tok=2; T1 N2 tok=1; N1 T2 tok=2; T1 T2 tok=1; T1 T2 tok=2; C1 N2 tok=1; N1 C2 tok=2; C1 T2 tok=1; T1 C2 tok=2

Reduced state-graph (6 states, one representative for each pair of states that exchanging the two processes and the token value maps onto each other): N1 N2 tok=1; N1 T2 tok=1; T1 N2 tok=1; T1 T2 tok=1; C1 N2 tok=1; C1 T2 tok=1

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
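The following Python script is an added example, not code from the deck, from SPIN or from PAT. It rebuilds the two-process token model of the "Model Written in SPIN" slide as an explicit-state explorer, reproduces the state counts of the Symmetry Reduction Example (full graph versus the orbit representatives with tok=1), and then applies the wf(e)/sf(e) distinction of the Specifying Fairness slides to a starvation check on the same model. The event names (try1, enter1, exit2_tok1, ...) and the SCC-based fairness criterion are this example's own assumptions.

```python
"""Explicit-state exploration of the two-process token model from the
"Model Written in SPIN" slide: full and symmetry-reduced state graphs, then a
starvation check under no fairness, wf(e) and sf(e)."""

N, T, C = "N", "T", "C"   # non-critical, trying, critical
INIT = (N, N, 1)          # global state = (process 1, process 2, tok)

def with_local(s, i, new):
    """Copy of state s with process i's local state replaced by `new`."""
    return (new, s[1], s[2]) if i == 1 else (s[0], new, s[2])

def successors(s):
    """Labelled transitions of s; the event names try<i>, enter<i> and
    exit<i>_tok<t> are this example's own convention."""
    for i in (1, 2):
        if s[i - 1] == N:
            yield f"try{i}", with_local(s, i, T)
        elif s[i - 1] == T and s[2] == i:      # token carries my id
            yield f"enter{i}", with_local(s, i, C)
        elif s[i - 1] == C:                     # leave, pass the token on
            for t in (1, 2):
                yield f"exit{i}_tok{t}", with_local(s, i, N)[:2] + (t,)

def explore(canon=lambda s: s):
    """Reachable graph {state: [(event, next_state), ...]} from INIT; `canon`
    maps states to orbit representatives (identity = full graph)."""
    graph, todo = {}, [canon(INIT)]
    while todo:
        s = todo.pop()
        if s in graph:
            continue
        graph[s] = [(e, canon(t)) for e, t in successors(s)]
        todo.extend(t for _, t in graph[s])
    return graph

def representative(s):
    """Orbit member with tok == 1 under the symmetry that exchanges the two
    processes and the token, as the slide's reduced graph draws it."""
    return s if s[2] == 1 else (s[1], s[0], 3 - s[2])

def nontrivial_sccs(graph, keep):
    """Nontrivial SCCs (containing a cycle) of the subgraph of states
    satisfying `keep`, by Kosaraju's two depth-first passes."""
    nodes = [s for s in graph if keep(s)]
    adj = {s: [t for _, t in graph[s] if keep(t)] for s in nodes}
    radj = {s: [] for s in nodes}
    for s in nodes:
        for t in adj[s]:
            radj[t].append(s)

    def dfs(s, edges, seen, out):   # post-order DFS, used for both passes
        seen.add(s)
        for t in edges[s]:
            if t not in seen:
                dfs(t, edges, seen, out)
        out.append(s)

    order, seen = [], set()
    for s in nodes:
        if s not in seen:
            dfs(s, adj, seen, order)
    comps, seen = [], set()
    for s in reversed(order):       # decreasing finish time, on the reverse graph
        if s not in seen:
            comps.append([])
            dfs(s, radj, seen, comps[-1])
    return [c for c in comps if len(c) > 1 or c[0] in adj[c[0]]]

def starvation_possible(graph, victim, fairness=None, event=None):
    """Is there an infinite run on which process `victim` stays in T forever?
    fairness is None, "wf" or "sf" for transitions whose name starts with
    `event`. A run that cycles through a whole SCC visits all its states and
    edges infinitely often, so it respects wf(e) unless e is enabled in every
    SCC state yet never taken inside it, and sf(e) unless e is enabled in
    some SCC state yet never taken inside it."""
    for comp in nontrivial_sccs(graph, lambda s: s[victim - 1] == T):
        if fairness is None:
            return True
        members = set(comp)
        taken = any(e.startswith(event) and t in members
                    for s in comp for e, t in graph[s])
        enabled = [any(e.startswith(event) for e, _ in graph[s]) for s in comp]
        if taken or (fairness == "wf" and not all(enabled)) \
                 or (fairness == "sf" and not any(enabled)):
            return True
    return False

if __name__ == "__main__":
    g = explore()
    print(len(g), "states, reduced to", len(explore(representative)))
    print("process 1 starves, no fairness:", starvation_possible(g, 1))
    print("process 1 starves, wf(exit2_tok1):", starvation_possible(g, 1, "wf", "exit2_tok1"))
    print("process 1 starves, sf(exit2_tok1):", starvation_possible(g, 1, "sf", "exit2_tok1"))
```

The full graph has the 12 states of the figure and the reduced one its 6 representatives. Without fairness, process 1 can starve: process 2 cycles N, T, C and always hands the token back to itself. That run is still weakly fair for the choice exit2_tok1 (it is only enabled while process 2 is in C, not continuously), so wf(exit2_tok1) does not rule out starvation; sf(exit2_tok1) does, because the choice is enabled infinitely often and never taken. This is the distinction behind PAT's wf(e) and sf(e) annotations.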

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

| Example                | NuSMV-ImProviso states | time    | memory   | SPIN states | time   | memory   |
|------------------------|------------------------|---------|----------|-------------|--------|----------|
| Migratory Protocol (2) | 155040                 | 108.63s | 56.3 MB  | 435456      | 2.34s  | 42.8 MB  |
| Stable Marriage (2)    | 710                    | 0.84s   | 7.3 MB   | 568         | <0.01s | 1.5 MB   |
| Stable Marriage (3)    | 1275                   | 2.72s   | 10.4 MB  | 945         | <0.01s | 1.5 MB   |
| Stable Marriage (5)    | 10351                  | 31.56s  | 30.0 MB  | 8421        | 0.03s  | 2.1 MB   |
| Best (7)               | 15                     | 0.06s   | 0.7 MB   | 2187        | 0.03s  | 1.5 MB   |
| Best (20)              | 41                     | 0.34s   | 5.7 MB   | N/A¹        |        |          |
| Worst (3)              | 15                     | 0.04s   | 0.3 MB   | 15          | <0.01s | 1.5 MB   |
| Worst (20)             | 2097150                | 0.36s   | 5.0 MB   | 2097150     | 15.03s | 110.6 MB |
| Worst (100)            | 2.54E+30               | 14.34s  | 14.6 MB  | N/A¹        |        |          |

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

| n | NuSMV states | time  | memory  | SPIN states | time   | memory |
|---|--------------|-------|---------|-------------|--------|--------|
| 2 | 70           | 0.11s | 1.1 MB  | 70          | <0.01s | 1.5 MB |
| 3 | 488          | 0.57s | 4.6 MB  | 488         | <0.01s | 1.5 MB |
| 4 | 3576         | 6.77s | 10.6 MB | 3576        | 0.10s  | 2.3 MB |
| 8 | N/A¹         |       |         | N/A¹        |        |        |

With partial order reduction (PO):

| n | NuSMV-ImProviso states | time     | memory   | SPIN states | time   | memory   |
|---|------------------------|----------|----------|-------------|--------|----------|
| 2 | 48                     | 0.10s    | 1.0 MB   | 48          | 0.02s  | 1.5 MB   |
| 3 | 209                    | 0.31s    | 3.0 MB   | 209         | <0.01s | 1.5 MB   |
| 4 | 922                    | 1.77s    | 10.4 MB  | 922         | <0.01s | 1.7 MB   |
| 8 | 306903                 | 3553.86s | 381.8 MB | 306903      | 11.82s | 232.8 MB |

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Symmetry Reduction Example

N1 N2

tok=1N1 N2

tok=2

N1 T2

tok=1T1 N2

tok=2T1 N2

tok=1N1 T2

tok=2

T1 T2

tok=1T1 T2

tok=2C1 N2

tok=1N1 C2

tok=2

C1 T2

tok=1T1 C2

tok=2

N1 N2

tok=1

N1 T2

tok=1T1 N2

tok=1

T1 T2

tok=1C1 N2

tok=1

C1 T2

tok=1

State-graphReduced state-graph

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

PAT Process Analysis Toolkit

bull A interactive system to support composing simulating and reasoning of extended Process Algebra

bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

PAT Workflow Diagram

Fairness Assumptions

bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

bull deadlock-freeness FALSEbull non-starvation FALSE

Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry


Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
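Added example (my own code, not from the slides or from PAT): a small explicit-state check of the liveness property F p ("process 1 eventually enters its critical section") on two constructed models, under no fairness, under wf(e) and under sf(e). The state encoding, the event names and the SCC-based search for a fair cycle are all assumptions of this example; the two models are chosen so that weak fairness already rules out the starving run in one of them, while only strong fairness does in the other.

```python
"""Added example (not from the slides or PAT): checking the liveness property
F p ("eventually p") under no fairness, under wf(e) and under sf(e).  A
counterexample to F p is an infinite run never reaching p; under fairness
only fair runs count, so we look for a fair cycle among states reachable
without passing through p (the standard SCC-based scheme).
"""

# Constructed models: {state: [(event, successor), ...]}.  A state is (x, y):
# x is a phase bit toggled by event "a" (process 0 keeps running); y == 1
# means process 1 finally got in, so non-starvation of process 1 is F (y == 1).

# Model 1: process 1's event "b" is enabled only when x == 1, so on the
# starving cycle (0,0) -> (1,0) -> (0,0) it is enabled infinitely often,
# but not continuously.
MODEL_INTERMITTENT = {
    (0, 0): [("a", (1, 0))],
    (1, 0): [("a", (0, 0)), ("b", (1, 1))],
    (1, 1): [("idle", (1, 1))],
}

# Model 2: process 1's event "d" is enabled in every state of that cycle.
MODEL_ALWAYS = {
    (0, 0): [("a", (1, 0)), ("d", (0, 1))],
    (1, 0): [("a", (0, 0)), ("d", (1, 1))],
    (0, 1): [("idle", (0, 1))],
    (1, 1): [("idle", (1, 1))],
}

INIT = (0, 0)


def p1_in_cs(state):
    """The proposition p: process 1 has entered its critical section."""
    return state[1] == 1


def reach(model, subset, s):
    """States of `subset` reachable from s in one or more steps that stay
    inside `subset`; s itself is included only if it lies on a cycle."""
    seen, todo = set(), [s]
    while todo:
        for _, w in model[todo.pop()]:
            if w in subset and w not in seen:
                seen.add(w)
                todo.append(w)
    return seen


def sccs(model, subset):
    """SCCs of the subgraph induced by `subset` that contain a cycle
    (quadratic reachability is fine for graphs this small)."""
    out, done = [], set()
    for s in subset:
        fwd = reach(model, subset, s)
        if s in done or s not in fwd:      # already placed, or on no cycle
            continue
        comp = {v for v in fwd if s in reach(model, subset, v)}
        done |= comp
        out.append(comp)
    return out


def fair_cycle_exists(model, subset, weak, strong):
    """True iff the subgraph induced by `subset` has a cycle that respects
    wf(e) for every e in `weak` and sf(e) for every e in `strong`."""
    for comp in sccs(model, subset):
        taken = {e for s in comp for e, t in model[s] if t in comp}
        en = {s: {e for e, _ in model[s]} for s in comp}   # enabled events
        # wf(e): if e is enabled at every state of the SCC and never taken
        # inside it, every cycle in the SCC violates wf(e).
        if any(e not in taken and all(e in en[s] for s in comp) for e in weak):
            continue
        # sf(e): e enabled somewhere in the SCC but never taken makes the cycle
        # through the whole SCC unfair; a fair cycle, if any, must avoid the
        # states that enable e, so search that remainder recursively.
        blocked = {e for e in strong
                   if e not in taken and any(e in en[s] for s in comp)}
        if not blocked:
            return True
        smaller = {s for s in comp if not (en[s] & blocked)}
        if smaller and fair_cycle_exists(model, smaller, weak, strong):
            return True
    return False


def eventually_holds(model, init, p, weak=(), strong=()):
    """Check F p from `init` under the given fairness assumptions."""
    bad, frontier = set(), [init]          # states reachable while p is false
    while frontier:
        s = frontier.pop()
        if s in bad or p(s):
            continue
        bad.add(s)
        frontier.extend(t for _, t in model[s])
    if any(not model[s] for s in bad):     # a run that stops before p
        return False
    return not fair_cycle_exists(model, bad, set(weak), set(strong))
```

Calling `eventually_holds(MODEL_INTERMITTENT, INIT, p1_in_cs, weak=["b"])` still finds the starving cycle, while `strong=["b"]` rules it out; on `MODEL_ALWAYS` already `weak=["d"]` suffices.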

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states    time      memory       states    time      memory
Migratory Protocol (2)    155040    108.63s   56.3 MB      435456    2.34s     42.8 MB
Stable Marriage (2)       710       0.84s     7.3 MB       568       <0.01s    1.5 MB
Stable Marriage (3)       1275      2.72s     10.4 MB      945       <0.01s    1.5 MB
Stable Marriage (5)       10351     31.56s    30.0 MB      8421      0.03s     2.1 MB
Best (7)                  15        0.06s     0.7 MB       2187      0.03s     1.5 MB
Best (20)                 41        0.34s     5.7 MB       N/A¹
Worst (3)                 15        0.04s     0.3 MB       15        <0.01s    1.5 MB
Worst (20)                2097150   0.36s     5.0 MB       2097150   15.03s    110.6 MB
Worst (100)               2.54E+30  14.34s    14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO
      NuSMV                            SPIN
N     states    time       memory      states    time      memory
2     70        0.11s      1.1 MB      70        <0.01s    1.5 MB
3     488       0.57s      4.6 MB      488       <0.01s    1.5 MB
4     3576      6.77s      10.6 MB     3576      0.10s     2.3 MB
8     N/A¹                             N/A¹

PO
      NuSMV-ImProviso                  SPIN
N     states    time       memory      states    time      memory
2     48        0.10s      1.0 MB      48        0.02s     1.5 MB
3     209       0.31s      3.0 MB      209       <0.01s    1.5 MB
4     922       1.77s      10.4 MB     922       <0.01s    1.7 MB
8     306903    3553.86s   381.8 MB    306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD-based checking for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Specifying Fairness

bull Let e be an eventaction

bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Outline

bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Comparison NuSMV-ImProviso and SPIN

states time memory states time memory

Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

Worst (100) 254E+30 1434s 146 MB

NuSMV-ImProviso SPIN

NA1

NA1

bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Comparison Leader Election Protocol

states time memory states time memory

2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

8

states time memory states time memory

2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

SPIN

NA1

Non-PO

PONuSMV-ImProviso

NuSMV

NA1

SPIN

bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Comparison PAT SPIN and FDR

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

Comparison Conclusion

bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outlinebull Model Checking Techniques

ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

Model Checking Distributed Algorithms

bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

for the fairness with POR)

bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Büchi Automata
  • Example
  • LTL and Büchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Peterson's Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)
