Post on 31-Dec-2015
On Combining Symmetry Reduction and Symbolic Representation for Efficient Model Checking
Authors: E. Allen Emerson and Thomas Wahl
(CHARME 2003)
Presented by: Yael Meller, April 2012
Technion – Israel Institute of Technology
Outline
Introduction: the system at hand and symmetry reduction (unique representatives, multiple representatives, generic representatives)
Generic representatives via example
From program to generic form model
BDD-based implementation
System at Hand
The system: n concurrent processes, interleaved computation, sharing global variables.
A system state: (v, l1, …, ln) such that v is the global variable (possibly a tuple) and li ∈ L is the location of process i.
System Example
Figure: synchronization skeleton of the mutual-exclusion example with a binary semaphore. Locations: N (Non-critical), T (Trying), C (Critical). Edges: N → T (unguarded); T → C with guard sem = 0 and action sem := 1; C → N with action sem := 0.
Permutations on States
A system state: (v, l1, …, ln). A permutation π: [1..n] → [1..n] acts on process indexes, i.e. it rearranges the processes in a state: π(s) = (v, lπ(1), …, lπ(n)).
How π acts on v: either v is invariant under every π (e.g. a binary semaphore), or v depends on process ids (e.g. a token pointing to a process id).
Symmetry and Orbit Relation
M = (S, R, s0) is a Kripke structure. M is symmetric w.r.t. a group G (a set of permutations) if for all π ∈ G, π(R) = {(π(s), π(t)) | (s,t) ∈ R} satisfies π(R) = R.
M is fully symmetric if G contains all permutations.
The orbit relation defines an equivalence between states: θ(s,t) :⇔ ∃π ∈ G: π(s) = t.
Symmetry Reduction
It suffices to choose one representative from each orbit; the set of representatives is Rep.
Rep defines a representative relation ξ ⊆ S × Rep such that:
Soundness: for all (s,r) ∈ ξ there exists π with π(s) = r.
Totality: for all s ∈ S there exists r ∈ Rep such that (s,r) ∈ ξ.
The reduced model (quotient model): M̄ = (Rep, R̄, s̄0) with R̄ = {(s,t) ∈ Rep × Rep : ∃s',t': (s',s) ∈ ξ, (t',t) ∈ ξ, (s',t') ∈ R}.
M and M̄ are bisimulation equivalent: for (s',s) ∈ ξ, M,s' ⊨ f ⇔ M̄,s ⊨ f, provided the atomic propositions of f are invariant under every π.
Unique Representatives and BDD Implementation
Unique representatives: one representative from every orbit.
Model checking M̄ needs a BDD for ξ.
BDD-based construction of ξ:
1. Construct a BDD for the orbit relation θ(s,r).
2. ξ(s,r) := θ(s,r) ∧ Rep(r).
Cons: the construction of θ is the bottleneck: the BDD for θ has size min{2^n, 2^|L|}, where n is the number of processes and |L| the number of locations, i.e. exponential space and time.
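As an added illustration (not code from the slides or the paper) of unique representatives on the semaphore example above: the orbit of a state is the set of its process-index permutations, the sorted local-state vector serves as the unique representative, and the quotient model is explored by canonicalising every successor. The check function returns the reachable state counts of M and of the quotient, whether the representative relation is sound and total (rep(s) is a permutation of s, and the image of M's states is exactly the quotient), and whether mutual exclusion holds on the quotient; the skeleton edges are assumed as drawn on the System Example slide.

```python
from itertools import permutations

def step(state):
    # Semaphore skeleton from the slides, state = (sem, l1, ..., ln):
    # N -> T (unguarded), T -> C (if sem = 0 then sem := 1), C -> N (sem := 0).
    sem, locs = state[0], state[1:]
    for i, loc in enumerate(locs):
        rest = list(locs)
        if loc == "N":
            rest[i] = "T"
            yield (sem, *rest)
        elif loc == "T" and sem == 0:
            rest[i] = "C"
            yield (1, *rest)
        elif loc == "C":
            rest[i] = "N"
            yield (0, *rest)

def rep(state):
    # Unique representative of the orbit: sem is id-independent, so a permutation
    # only rearranges the local states; the sorted vector is the canonical member.
    return (state[0], *sorted(state[1:]))

def orbit(state):
    return {(state[0], *p) for p in permutations(state[1:])}

def explore(n, canon):
    # Reachable states from (0, N, ..., N) when every successor is mapped through
    # canon: the identity gives M, rep gives the quotient over Rep. Stepping only
    # from representatives is justified by full symmetry (successors of a permuted
    # state are permutations of the successors of the state).
    init = canon((0,) + ("N",) * n)
    seen, todo = {init}, [init]
    while todo:
        for t in step(todo.pop()):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def check(n):
    # (|M|, |quotient|, representative relation sound and total, AG no two processes in C)
    full = explore(n, lambda s: s)
    quot = explore(n, rep)
    sound = all(rep(s) in orbit(s) for s in full)   # soundness: rep(s) = pi(s) for some pi
    total = {rep(s) for s in full} == quot          # totality: every s has a representative
    return len(full), len(quot), sound and total, all(s[1:].count("C") < 2 for s in quot)
```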
Multiple Representatives and BDD Implementation
The idea: find a complete set of permutations C and restrict attention to permutations from C when creating ξ. The programmer defines a set Rep that is represented by a small BDD; C and ξ are derived from Rep.
Pros: the BDD for ξ is small (since it is derived from the subset C), and the construction of the orbit relation θ is avoided.
Cons: negative impact on the symmetry reduction effect, and it is not clear that a Rep with a small BDD for ξ exists.
Generic Representatives for Fully Symmetric Systems
First introduced in: “From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking”, by E. Allen Emerson and Richard J. Trefler (CHARME 1999).
This paper applies the idea to practical systems, where communication is via shared variables.
Generic Representatives
Keep track of the number of processes in each location. E.g.: (N,N,T,C), (N,C,T,N), (T,N,N,C) are represented generically as (2N,1T,1C).
Compile the original program to operate on counter variables. This avoids the construction of the orbit relation θ.
Generic Reps. by Example: Synchronization Skeletons
Figure: synchronization skeleton of the token-passing example. Locations N, T, C. Edges: N → T (unguarded); T → C with guard tok = self; C → N with action tok := ndet[1..n]. Edges are labelled with a guard and an action.
The input model is given as a synchronization skeleton.
An action represents an atomic action by a process.
Figure: fragment of the state space of the original program, states written (tok, l1, …, ln): from (1,N,…,N) the successors include (1,T,…,N) and (1,N,T,…,N); (1,T,…,N) leads to (1,C,…,N); states such as (n,N,…,N) also appear; ….
Generic Reps. by Example
Our goal: compile the original program to operate on counter variables.
Create Counter-Based Programs
Declare global counter variables, one per local state: nN, nT, nC.
Problem: how to translate guards? E.g.: what is tok = self?
The location of the token process is relevant. E.g.: (tok=2,N,T,C) and (tok=3,N,C,T) are equivalent.
Solution: remember the location of the token process (TOK ∈ {N,T,C}).
Counter-Based Programs
Variables: nN, nT, nC : [0..n]; TOK : {N,T,C}
Initial values: (nN,nT,nC) := (n,0,0); TOK := N
Edge N → T:
  if nN > 0 then
    if TOK = N then (if nN = 1 then TOK := T else TOK := ndet{N,T});
    nN := nN - 1; nT := nT + 1
Edge T → C (guard tok = self):
  if nT > 0 ∧ TOK = T then TOK := C; nT := nT - 1; nC := nC + 1
Edge C → N (action tok := ndet[1..n]):
  if nC > 0 then nC := nC - 1; nN := nN + 1; TOK := ndet{L : nL > 0}
State: (TOK, nN, nT, nC)
Figure: fragment of the state space of the counter-based program: (N,n,0,0) → (N,n-1,1,0) and (T,n-1,1,0); (T,n-1,1,0) → (C,n-1,0,1); …; (N,1,n-1,0); ….
Model Checking on New Model
Properties need to be translated into counters (specific property → generic property):
Safety: AG ∀i,j: i≠j: ¬(Ci ∧ Cj) → AG (nC < 2)
Liveness: AG (∃i: Ti → AF ∃j: Cj) → AG (nT > 0 → AF nC > 0)
Liveness here is not progress of an individual process (AG (∀i: Ti → AF Ci)); such a property is not invariant under permutation.
Reminder: Invariant Property
p is an invariant under G: ∀π ∈ G, ∀s ∈ S: s ⊨ p ⇔ π(s) ⊨ p.
For the property AG (∀i: Ti → AF Ci): Ti is not an invariant, so the property cannot be checked on the symmetry-reduced model.
Model Checking With Generic Representatives
Roadmap (diagram): Program P; from P to Kripke structure M; from P to generic form P'; from P' to Kripke structure M'; from P' to Kripke structure M' with BDDs.
Define the Program
Two types of global variables:
id-sensitive: permutations affect them by changing their value (e.g. tok).
id-independent: invariant w.r.t. permutations (e.g. a boolean semaphore).
Program under consideration:
1. n processes.
2. Any number of id-independent global variables v = (v1, …, vm), with initial value x0.
3. Any number of id-sensitive global variables d = (d1, …, dz) ∈ [1..n]^z, with initial value k0.
4. A synchronization skeleton; I0 is the initial node.
Syntax of Guards
Restrict the syntax of guards to ensure full symmetry.
Basic guards: conditions on process locations and expressions over global variables.
Guards: propositional combinations of boolean-valued basic guards.
Fully Symmetric Formulas
A formula f is fully symmetric iff for every π: f ≡ π(f).
Examples of fully symmetric basic guards:
Basic guard | Meaning
∀i: ¬Li | None (no process is in L)
∀i: Li | All (every process is in L)
∃i,j: i≠j: Li ∧ Lj | At least two (processes are in L)
Syntax of Guards
Legal basic guards: fully symmetric basic guards; expressions over id-independent global variables (fully symmetric by nature); for an id-sensitive variable d: d = self or d ≠ self.
Syntax of Actions
Any assignment to id-independent variables. For an id-sensitive variable d: d := self, d := ndet[1..n], or d := ndet([1..n] \ {self}).
From Program to Kripke Structure
P defines M = (S, R, s0) with S = V × [1..n]^z × [1..l]^n, where V is the domain of the id-independent variables (V1 × … × Vm), [1..n]^z holds the id-sensitive variables, and [1..l]^n the program locations of the processes.
s0 = (x0, k0, I0, …, I0).
From Program to Kripke Structure
R(s,t) holds for s = (x, (k1, …, kz), l1, …, li-1, A, li+1, …, ln) and t = (x', (k'1, …, k'z), l1, …, li-1, B, li+1, …, ln) such that an edge e: A → B with guard grd and action act exists in the skeleton and:
grd is true for v = x, d = k, self = i and process locations as in s;
<v=x> act <v=x'> (Hoare triple);
for an id-sensitive variable d at index j: if act is d := self then k'j = i; if act is d := ndet Z then k'j ∈ Z; if there is no assignment to d then k'j = kj.
Theorem: M is fully symmetric.
Translate P to P'
Program P' has the following variables:
1. The same id-independent global variables v = (v1, …, vm), with initial value x0.
2. The id-sensitive global variables d = (d1, …, dz) ∈ [1..n]^z are replaced by (dA1, …, dAz) ∈ [1..l]^z, the location of the process each dj points to, with initial value (I0, …, I0).
3. Counter variables nL with range [0..n], one for each location L ∈ [1..l]; initial values nI0 = n and nL = 0 for L ≠ I0.
Translate P to P'
Every edge A → B (guard grd, action act) in the skeleton is translated into the statement:
if (nA > 0) ∧ gen(grd) then update1(grd); nA := nA - 1; nB := nB + 1; update2(act)
where nA > 0 ensures that a process exists in location A, gen(grd) is the requirement from grd, update1(grd) is the update due to the location change, and update2(act) is the update due to the action.
Translate P to P': gen(grd)
Basic guards on process locations:
Basic guard | Generic guard | Meaning
∀i: ¬Li | nL = 0 | None
∀i: Li | nL = n | All
∃i,j: i≠j: Li ∧ Lj | nL ≥ 2 | At least two
For an id-sensitive variable dj (the moving process is in location A): dj = self becomes dAj = A; dj ≠ self becomes dAj ≠ A ∨ nA ≥ 2.
Expressions over id-independent variables remain the same.
Translate P to P': update1(grd)
update1(grd) updates dAj resulting from the location change A → B:
grd contains dj = self: dAj := B
grd contains dj ≠ self: no-op
Otherwise (including true): if dAj = A then (if nA = 1 then dAj := B else dAj := ndet{A,B})
Translate P to P': update2(act)
update2(act) updates dAj and the id-independent variables resulting from act. Assignments to id-independent variables remain the same. Assignments to id-sensitive variables:
dj := self: dAj := B
dj := ndet([1..n] \ {self}): if nB = 1 then dAj := ndet({L : nL > 0} \ {B}) else dAj := ndet{L : nL > 0}
dj := ndet[1..n]: dAj := ndet{L : nL > 0}
From P' to Kripke Structure M'
P' defines M' = (S', R', s'0) with S' = V × [1..l]^z × [0..n]^l and s'0 = (x0, (I0, …, I0), n1, …, nl) such that nI0 = n and nL = 0 for every L ≠ I0.
R'(s',t') holds if there exists a statement whose condition evaluates to true in s' and whose execution applied to s' results in t'.
Connection Between M and M'
Theorem: M and M' are bisimulation equivalent via b: S → S', b(x, k1, …, kz, l1, …, ln) = (x, lk1, …, lkz, n1, …, nl) where nL := |{j ∈ [1..n] : lj = L}|.
Example: b(3,N,C,T,N) = (T, nN=2, nT=1, nC=1).
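As an added example (not code from the slides or the paper) tying together the counter-based program from the Counter-Based Programs slide and the map b of this slide: check(n) explores the original token-passing model M and the generic model M', and returns their reachable-state counts, whether b maps the reachable states of M exactly onto those of M', and whether the generic safety property AG (nC < 2) holds. It assumes the skeleton edges N → T (unguarded), T → C (guard tok = self) and C → N (action tok := ndet[1..n]) as drawn on the skeleton slide.

```python
def concrete_successors(n, state):
    # Token-passing skeleton (slides), state = (tok, l1, ..., ln):
    # N -> T unguarded, T -> C if tok = self, C -> N with tok := ndet[1..n].
    tok, locs = state[0], state[1:]
    succ = set()
    for i, loc in enumerate(locs, start=1):
        rest = list(locs)
        if loc == "N":
            rest[i - 1] = "T"
            succ.add((tok, *rest))
        elif loc == "T" and tok == i:
            rest[i - 1] = "C"
            succ.add((tok, *rest))
        elif loc == "C":
            rest[i - 1] = "N"
            succ.update((new_tok, *rest) for new_tok in range(1, n + 1))
    return succ

def generic_successors(state):
    # Counter-based program P' from the slides, state = (TOK, nN, nT, nC).
    TOK, nN, nT, nC = state
    succ = set()
    if nN > 0:  # edge N -> T; update1: the mover may be the token process
        toks = ({"T"} if nN == 1 else {"N", "T"}) if TOK == "N" else {TOK}
        succ.update((t, nN - 1, nT + 1, nC) for t in toks)
    if nT > 0 and TOK == "T":  # edge T -> C; gen(tok = self) is TOK = T
        succ.add(("C", nN, nT - 1, nC + 1))
    if nC > 0:  # edge C -> N; update2(tok := ndet[1..n]) is TOK := ndet{L : nL > 0}
        cnt = {"N": nN + 1, "T": nT, "C": nC - 1}
        succ.update((L, cnt["N"], cnt["T"], cnt["C"]) for L in "NTC" if cnt[L] > 0)
    return succ

def reachable(init, step):
    seen, todo = {init}, [init]
    while todo:
        for t in step(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def b(state):
    # Bisimulation map from the slides: b(tok, l1..ln) = (l_tok, nN, nT, nC).
    tok, locs = state[0], state[1:]
    return (locs[tok - 1], locs.count("N"), locs.count("T"), locs.count("C"))

def check(n):
    # (|reachable M|, |reachable M'|, b maps M's states onto M', AG (nC < 2) in M')
    conc = reachable((1,) + ("N",) * n, lambda s: concrete_successors(n, s))
    gen = reachable(("N", n, 0, 0), generic_successors)
    return len(conc), len(gen), {b(s) for s in conc} == gen, all(s[3] < 2 for s in gen)
```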
From Generic Programs to BDDs
Encode the statements of the generic program in a BDD.
M' = (S', R', s'0): R' is the disjunction of the statements if (nA > 0) ∧ gen(grd) then update1(grd); nA := nA - 1; nB := nB + 1; update2(act).
From P' to BDDs (example)
nA > 0: true iff at least one bit in the binary representation of nA is true, so nA > 0 is the disjunction over the bits of nA.
gen(grd): a combination of basic guards. E.g.: basic guards on locations are constant bit-wise comparisons.
update1(grd): implement if-then-else: if F1 then F2 else F3 is (F1 ∧ F2) ∨ (¬F1 ∧ F3).
Translation: low-degree polynomial in n.
Model Checking with BDDs using Generic Representatives