On Combining Symmetry Reduction and Symbolic Representation for Efficient Model Checking

Authors: E. Allen Emerson and Thomas Wahl

(CHARME 2003)

Presented by: Yael Meller, April 2012

Technion – Israel Institute of Technology

Outline

Introduction: the system at hand and symmetry reduction

Unique representatives

Multiple representatives

Generic representatives

Generic representatives via example

From program to generic form model

BDD based implementation

System at Hand

The system: n concurrent processes, interleaved computation, sharing global variables.

A system state: (v, l1, …, ln) such that v is the global variable (possibly a tuple) and li ∈ L is the location of process i.

System Example

(Figure: synchronization skeleton of one process with locations N (Non-critical), T (Trying) and C (Critical) and a shared semaphore sem; the edge T → C has guard "if sem = 0" and action "sem := 1", the edge C → N has action "sem := 0".)

(Figure: state graph for n = 2; states are (sem, l1, l2): (0,N,N), (0,T,N), (0,N,T), (0,T,T), (1,C,N), (1,N,C), (1,T,C), (1,C,T).)

Permutations on States

A system state: (v, l1, …, ln). A permutation π : [1..n] → [1..n] acts on process indexes, i.e. rearranges the processes in a state: π(s) = (π(v), lπ(1), …, lπ(n)).

π(v), π acting on v, is either:

Invariant under every π (e.g. a binary semaphore).

Dependent on a process id (e.g. a token pointing to a process id).

Permutation on States, π = (1 2)

(Figure: the state graph for n = 2 with the transposition π = (1 2) applied; it swaps (0,T,N) ↔ (0,N,T), (1,C,N) ↔ (1,N,C) and (1,T,C) ↔ (1,C,T), and fixes (0,N,N) and (0,T,T).)

Symmetry and Orbit Relation

M = (S, R, s0) is a Kripke structure. M is symmetric w.r.t. a group G (a set of permutations) if for all π ∈ G, π(R) = {(π(s), π(t)) | (s,t) ∈ R} satisfies π(R) = R.

M is fully symmetric if G contains all permutations.

The orbit relation θ defines an equivalence between states: θ(s,t) :⇔ ∃π : π(s) = t.

Symmetry and Orbit Relation

(Figure: the orbits of the n = 2 example: {(0,N,N)}, {(0,T,N), (0,N,T)}, {(0,T,T)}, {(1,C,N), (1,N,C)}, {(1,T,C), (1,C,T)}.)

Symmetry Reduction

It suffices to choose a representative from each orbit; the set of representatives is Rep.

Rep defines a representative relation ξ ⊆ S × Rep such that:

Soundness: for all (s,r) ∈ ξ, there exists π such that π(s) = r.

Totality: for all s ∈ S, there exists r ∈ Rep such that ξ(s,r).

Symmetry Reduction

The reduced model (quotient model): M̄ = (Rep, R̄, s̄0), where R̄ = {(s,t) ∈ Rep × Rep : ∃s',t' : ξ(s',s) ∧ ξ(t',t) ∧ (s',t') ∈ R}.

M ≡bis M̄: for ξ(s',s), M,s' ⊨ f ⇔ M̄,s ⊨ f, provided the atomic propositions of f are consistent (invariant) under every π.

Symmetry and Orbit Relation

(Figure: the orbits of the n = 2 example, {(0,N,N)}, {(0,T,N), (0,N,T)}, {(0,T,T)}, {(1,C,N), (1,N,C)}, {(1,T,C), (1,C,T)}, and the reduced model built from one representative per orbit: (0,N,N), (0,N,T), (0,T,T), (1,N,C), (1,T,C).)

Unique Representatives and BDD Implementation

Unique representatives: one representative from every orbit.

Model checking M̄ needs a BDD for ξ.

BDD-based construction of ξ:

1. Construct a BDD for the orbit relation θ(s,r).

2. ξ(s,r) := θ(s,r) ∧ Rep(r).

Cons: the construction of θ is a bottleneck. Its BDD has size min{2^n, 2^|L|} (n = number of processes, |L| = number of locations), i.e. exponential space and time.

Multiple Representatives and BDD Implementation

The idea: find a complete set of permutations C and restrict attention to permutations from C when creating ξ. The programmer defines a set Rep that is represented by a small BDD; C and ξ are derived from Rep.

Pros: the BDD for ξ is small (since it is derived from the subset C), and the construction of the orbit relation θ is avoided.

Cons: negative impact on the symmetry reduction effect, and it is not clear that a Rep with a small BDD for ξ exists.

Generic Representatives for Fully Symmetrical Systems

First introduced in: “From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking”, by E. Allen Emerson and Richard J. Trefler (CHARME 1999).

This paper: apply the idea to practical systems, where communication is via shared variables.

Generic Representatives

Keep track of the number of processes in a given location. E.g.: (N,N,T,C), (N,C,T,N), (T,N,N,C) are all represented generically as (2N, 1T, 1C).

Compile the original program to operate on counter variables. This avoids the construction of the orbit relation.

Generic Reps. by Example: Synchronization Skeletons

(Figure: skeleton of one process with locations N, T, C; the edge T → C has the guard "tok = self", the edge C → N has the action "tok := ndet[1..n]".)

The input model is given as a synchronization skeleton.

An action represents an atomic action by a process.

(Figure: the beginning of the state graph of this skeleton; states are (tok, l1, …, ln): (1,N,…,N), …, (n,N,…,N); from (1,N,…,N) the successors (1,T,…,N), (1,N,T,…,N), …; from (1,T,…,N) the successor (1,C,…,N); and so on.)

Generic Reps. by Example

Our goal: compile the original program to operate on counter variables.

Create Counter-Based Programs

Declare global counter variables, one per local state: nN, nT, nC.

Problem: how to translate guards? E.g.: what is "tok = self"?

The location of the token process is relevant. E.g.: (tok=2, N,T,C) and (tok=3, N,C,T) are equivalent.

Solution: remember the location of the token process (TOK ∈ {N,T,C}).

Counter-Based Programs

Variables: nN, nT, nC : [0..n]; TOK : {N,T,C}
Initial values: (nN, nT, nC) := (n, 0, 0); TOK := N

Statement for the edge N → T:
  if nN > 0 then
    if TOK = N then (if nN = 1 then TOK := T else TOK := ndet{N,T})
    nN := nN - 1; nT := nT + 1

Statement for the edge T → C (guard tok = self):
  if nT > 0 and TOK = T then
    TOK := C; nT := nT - 1; nC := nC + 1

Statement for the edge C → N (action tok := ndet[1..n]):
  if nC > 0 then
    nC := nC - 1; nN := nN + 1; TOK := ndet{L : nL > 0}

(Figure: part of the generic state graph; states are (TOK, nN, nT, nC): (N,n,0,0) has successors (N,n-1,1,0) and (T,n-1,1,0); (T,n-1,1,0) has successor (C,n-1,0,1); further states shown include (N,1,n-1,0), ….)

Model Checking on the New Model

Properties need to be translated into counters (specific → generic):

Safety: AG ∀i,j : i ≠ j : ¬(Ci ∧ Cj)  →  AG (nC < 2)

Liveness: AG (∃i Ti → AF ∃j Cj)  →  AG (nT > 0 → AF nC > 0)

Liveness here is not progress of an individual process (AG (∀i : Ti → AF Ci)); such a property is not invariant under permutation.

Reminder: Invariant Property

p is an invariant under G: ∀π ∈ G, ∀s ∈ S : s ⊨ p ⇔ π(s) ⊨ p.

For the property φ = AG (∀i : Ti → AF Ci): Ti is not an invariant, so φ cannot be checked on the symmetry-reduced model.

AG (∀i : Ti → AF Ci) on the Symmetry-Reduced Model

(Figure: the reduced model with representatives (0,N,N), (0,N,T), (0,T,T), (1,N,C), (1,T,C); checking the property on it reports a violation.)

Model Checking With Generic Representatives

(Overview of the steps:)

Program P

From P to Kripke structure M

From P to generic form P'

From P' to Kripke structure M'

From P' to Kripke structure M' with BDDs

Define the Program

Two types of global variables:

id-sensitive: permutations affect them by changing their value (e.g. tok).

id-independent: invariant w.r.t. permutations (e.g. a boolean semaphore).

Define the Program

Program under consideration:

1. n processes.

2. Any number of id-independent global variables v = (v1, …, vm), with initial value x0.

3. Any number of id-sensitive global variables d = (d1, …, dz) ∈ [1..n]^z, with initial value k0.

4. A synchronization skeleton; I0 is the initial node.

Syntax of Guards

Restrict syntax of guards to ensure full symmetry.

Basic guards: conditions on process locations and expressions over global variables.

Guards: propositional combination of boolean-valued basic guards.


Fully Symmetric Formulas

A formula f is fully symmetric iff for every π: f ≡ π(f).

Examples of fully symmetric basic guards:

Basic guard                    Meaning
∀i : ¬Li                       None
∀i : Li                        All
∃i,j : i ≠ j : Li ∧ Lj         At least two

Syntax of Guards

Legal basic guards:

Fully symmetric basic guards.

Expressions over id-independent global variables (fully symmetric by nature).

For an id-sensitive variable d: d = self or d ≠ self.

Syntax of Actions

Any assignment to id-independent variables.

For an id-sensitive variable d: d := self, d := ndet[1..n], or d := ndet([1..n] \ {self}).

From Program to Kripke Structure

P defines M = (S, R, s0) with S = V × [1..n]^z × [1..l]^n, where:

V is the domain of the id-independent variables (V1 × … × Vm);

[1..n]^z holds the id-sensitive variables;

[1..l]^n holds the program locations of the processes.

s0 = (x0, k0, I0, …, I0).

From Program to Kripke Structure

R(s,t) holds for s = (x, (k1,…,kz), l1, …, li-1, A, li+1, …, ln) and t = (x', (k'1,…,k'z), l1, …, li-1, B, li+1, …, ln) such that an edge e : A → B (with guard grd and action act) exists in the skeleton and:

grd is true for v = x, d = k, self = i and the process locations as in s;

<v = x> act <v = x'> (a Hoare triple);

for the id-sensitive variable d at index j: if act is d := self then k'j = i; if act is d := ndet Z then k'j ∈ Z; if there is no assignment to d then k'j = kj.

From Program to Kripke Structure

Theorem: M is fully symmetric.

Translate P to P'

Program P' has the following variables:

1. The same id-independent global variables v = (v1, …, vm), with initial value x0.

2. The id-sensitive global variables d = (d1, …, dz) ∈ [1..n]^z are replaced with (dA1, …, dAz) ∈ [1..l]^z, with initial value (I0, …, I0).

3. Counter variables n1, …, nl with range [0..n]; initial values nI0 = n and nL = 0 for L ≠ I0.

Translate P to P'

Every edge A → B (guard grd, action act) in the skeleton is translated into the statement:

  if (nA > 0) ∧ gen(grd) then update1(grd); nA := nA - 1; nB := nB + 1; update2(act)

where nA > 0 ensures that a process exists in location A, gen(grd) is the requirement from grd, update1 is the update due to the location change, and update2 is the update due to the action.

Translate P to P': gen(grd)

Basic guards on process locations:

Basic guard                    Generic guard    Meaning
∀i : ¬Li                       nL = 0           None
∀i : Li                        nL = n           All
∃i,j : i ≠ j : Li ∧ Lj         nL ≥ 2           At least two

For an id-sensitive variable dj: "dj = self" becomes "dAj = A"; "dj ≠ self" becomes "dAj ≠ A ∨ nA ≥ 2".

Expressions over id-independent variables remain the same.

Translate P to P': update1(grd)

update1(grd) updates dAj as a result of the location change:

dj = self:                       dAj := B
dj ≠ self:                       no-op
Otherwise (including true):      if dAj = A then (if nA = 1 then dAj := B else dAj := ndet{A,B})

Translate P to P': update2(act)

update2(act) updates dAj and the id-independent variables as a result of act. Assignments to id-independent variables remain the same. Assignments to id-sensitive variables:

dj := self:                       dAj := B
dj := ndet([1..n] \ {self}):      if nB = 1 then dAj := ndet({L : nL > 0} \ {B}) else dAj := ndet{L : nL > 0}
dj := ndet[1..n]:                 dAj := ndet{L : nL > 0}

Program P' to Kripke Structure

P' defines M' = (S', R', s'0) with S' = V × [1..l]^z × [0..n]^l and s'0 = (x0, (I0, …, I0), n1, …, nl) such that nI0 = n and nL = 0 for every L ≠ I0.

R'(s',t') holds if there exists a statement whose condition evaluates to true in s' and whose execution applied to s' results in t'.

Connection between M and M'

Theorem: M and M' are bisimulation equivalent via b : S → S', b(x, k1, …, kz, l1, …, ln) = (x, lk1, …, lkz, n1, …, nl), where nL := |{j ∈ [1..n] : lj = L}|.

Example: b(3, N,C,T,N) = (T, nN=2, nT=1, nC=1).
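As an added example (constructed here, not code from the paper or the slides), the counter-based program of the "Counter-Based Programs" slides and the map b above, both for the token-passing skeleton: it explores the specific model M and the generic model M' for n processes and checks that b maps the reachable states of M onto those of M', that every transition of M is matched by a transition of M', and that AG (nC < 2) holds on M'. Assumed: edges N → T (unguarded), T → C guarded by tok = self, C → N with action tok := ndet[1..n], and process 1 as the initial token holder.

```python
from collections import deque
# Constructed example (not the paper's code): token-passing skeleton of the slides,
# N -> T (no guard), T -> C guarded by tok = self, C -> N with tok := ndet[1..n].
LOCS = ("N", "T", "C")

def specific_succ(s):
    """Successors of a specific state (tok, l1, ..., ln) in M."""
    tok, locs, out = s[0], s[1:], set()
    for i in range(1, len(locs) + 1):
        pre, cur, post = locs[:i - 1], locs[i - 1], locs[i:]
        if cur == "N":
            out.add((tok,) + pre + ("T",) + post)
        elif cur == "T" and tok == i:              # guard tok = self
            out.add((tok,) + pre + ("C",) + post)
        elif cur == "C":                           # action tok := ndet[1..n]
            out.update((k,) + pre + ("N",) + post for k in range(1, len(locs) + 1))
    return out

def generic_succ(g):
    """Successors of a generic state (TOK, nN, nT, nC) under the counter program P'."""
    TOK, nN, nT, nC = g
    out = set()
    if nN > 0:                     # edge N -> T; update1 for the guard 'true'
        toks = [TOK] if TOK != "N" else (["T"] if nN == 1 else ["N", "T"])
        out.update((t, nN - 1, nT + 1, nC) for t in toks)
    if nT > 0 and TOK == "T":      # edge T -> C; gen(tok = self) is TOK = T
        out.add(("C", nN, nT - 1, nC + 1))
    if nC > 0:                     # edge C -> N; then TOK := ndet{L : nL > 0}
        out.update((L, nN + 1, nT, nC - 1)
                   for L, c in zip(LOCS, (nN + 1, nT, nC - 1)) if c > 0)
    return out

def reachable(init, succ):
    seen, todo = {init}, deque([init])         # breadth-first state exploration
    while todo:
        for t in succ(todo.popleft()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def b(s):
    """The map b of the slide above: (tok, l1, ..., ln) -> (l_tok, nN, nT, nC)."""
    return (s[1:][s[0] - 1],) + tuple(s[1:].count(L) for L in LOCS)

def check(n):
    """Explore M and M'; check b is onto, steps are preserved, and AG (nC < 2)."""
    M = reachable((1,) + ("N",) * n, specific_succ)
    M2 = reachable(("N", n, 0, 0), generic_succ)
    image_ok = {b(s) for s in M} == M2
    step_ok = all(b(t) in generic_succ(b(s)) for s in M for t in specific_succ(s))
    safe = all(g[3] < 2 for g in M2)
    return len(M), len(M2), image_ok, step_ok, safe
```

For n = 3 the specific model has 36 reachable states and the generic model 9, one per orbit, and all three checks pass.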

From Generic Programs to BDDs

Encode the statements of the generic program in a BDD.

M' = (S', R', s'0): R' is the disjunction of the statements

  if (nA > 0) ∧ gen(grd) then update1(grd); nA := nA - 1; nB := nB + 1; update2(act)

From P' to BDDs (example)

nA > 0 is true iff at least one bit in the representation of nA is true, so nA > 0 is the disjunction over the bits of nA.

gen(grd): a combination of basic guards. E.g. basic guards on locations are constant bit-wise comparisons.

update1(grd): implement if-then-else: "if F1 then F2 else F3" is (F1 ∧ F2) ∨ (¬F1 ∧ F3).

The translation is a low-degree polynomial in n.

Model Checking with BDDs using Generic Representatives.


Experimental Results


Questions? Thank you!