Dissertation Proposal, ASE 2005
Exploiting Predicate Structure for Efficient Reachability Detection
Sujatha Kashyap, Dr. Vijay K. Garg
Parallel and Distributed Systems Laboratory
ASE 2005
PDSL
Outline
Problem Statement (Motivation)
Notation and Background
Overview of Technique
Experimental Results
– comparison with SPIN
Concluding Remarks
Complexity of Model Checking
Explicit state representation [Clarke, Emerson 1981]
– Labeled transition systems.
– CTL model checking in O(|M|·|f|) time (Clarke, Emerson, Sistla 1986).
– |M| is very large (state-space explosion).
Implicit representation
– E.g., BDDs [McMillan 1991].
– Model checking becomes PSPACE-complete in the size of the structure (Feigenbaum et al. 1999).
Motivation: to find a happy medium.
Concurrency and Partial Orders
– Approaches exploiting the nature of concurrent events:
  • Partial-order models
    – Lamport 1978: "happened-before" relation
    – Mazurkiewicz 1986: "traces"
    – McMillan 1991: Petri net unfoldings
  • Partial-order reduction
    – Valmari 1990: stubborn sets
    – Peled 1993: ample sets
    – Godefroid 1996: persistent sets
[Figure: the interleavings of three concurrent events a1, a2, a3]
Basic Notation
Program P = (S, T, s0)
– S: finite set of states
– T: finite set of transitions
– s0: initial state
enabled(s) ⊆ T
– All transitions executable from state s
s' = α(s)
– Executing transition α in state s yields s'; only deterministic transitions are considered.
Event = occurrence of a transition
Interleaving sequence w: a sequence of events executed from s0
states(w): the set of states that w passes through
[Figure: transitions α, β, γ, δ among the states s0, s1, s2, s3]
Example: w = α β γ, states(w) = {s0, s1, s2}
Independence of events
– An independence relation I ⊆ T × T is an antireflexive, symmetric relation such that (α, β) ∈ I iff for all s ∈ S, if α ∈ enabled(s):
  • Enabledness: β ∈ enabled(s) ⇔ β ∈ enabled(α(s)).
  • Commutativity: α, β ∈ enabled(s) ⇒ α(β(s)) = β(α(s)).
– The dependency relation D = (T × T) \ I.
[Figure: the commuting diamond s –α→ s1 –β→ r and s –β→ s2 –α→ r]
Note: we will assume that events belonging to the same process are always dependent.
[Mazurkiewicz 1986]
Trace equivalence ≡_D
v ≡_D w iff v can be transformed into w by commuting only adjacent independent events.
Example: I = {(b, c), (b, d), (e, f), (b, f)}
v = abcdef
  ≡_D acbdef
  ≡_D acdbef
  ≡_D acdbfe
  ≡_D acdfbe = w
Traces
≡_D partitions the interleaving sequences of a program P into equivalence classes, called traces.
σ_E: trace with event set E.
States(σ) = ∪_{v ∈ σ} states(v).
Example: I = {(a, b), (c, f), (d, e)}
[Figure: interleaved state graph from s0; after a and b the events c, d, e, f branch into two traces]
Interleaving sequences: {abcde, abced, abdcf, abdfc, bacde, baced, badcf, badfc}
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
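The two slides above (trace equivalence and traces) define ≡_D operationally: commute adjacent independent events until one interleaving becomes the other. The following is an added example, not code from the presentation; it implements exactly that definition by breadth-first search, so it can both decide v ≡_D w (and exhibit a commutation path like the one on the slide) and enumerate a whole trace, which partitions the slide's eight interleavings into σ1 and σ2. Events are single characters and interleavings are strings, as on the slides; the symmetric closure of I is an assumption of the example, since the slides list one orientation of each pair.

```python
"""Trace equivalence (≡_D) and traces by commuting adjacent independent events.

Added example for the "Trace equivalence" and "Traces" slides; not code from the
original presentation.  Events are single characters, an interleaving is a string,
and the independence relation I is given as a list of pairs that is closed under
symmetry here (the slides only list one orientation of each pair).
"""
from collections import deque


def independence(pairs):
    """Symmetric closure of the listed pairs; I must be antireflexive."""
    indep = set()
    for a, b in pairs:
        if a == b:
            raise ValueError("I is antireflexive, got (%s, %s)" % (a, b))
        indep.add((a, b))
        indep.add((b, a))
    return indep


def _swap(w, i):
    """w with the events at positions i and i+1 exchanged."""
    return w[:i] + w[i + 1] + w[i] + w[i + 2:]


def commutation_path(v, w, pairs):
    """Shortest sequence v = x0, x1, ..., xk = w in which each step commutes one
    pair of adjacent independent events, or None if v and w are not trace-equivalent.
    Breadth-first search directly over the definition of ≡_D."""
    indep = independence(pairs)
    parent = {v: None}
    todo = deque([v])
    while todo:
        x = todo.popleft()
        if x == w:
            path = []
            while x is not None:
                path.append(x)
                x = parent[x]
            return path[::-1]
        for i in range(len(x) - 1):
            if (x[i], x[i + 1]) in indep:
                y = _swap(x, i)
                if y not in parent:
                    parent[y] = x
                    todo.append(y)
    return None


def equivalent(v, w, pairs):
    """v ≡_D w."""
    return commutation_path(v, w, pairs) is not None


def trace(v, pairs):
    """The trace [v]: every interleaving reachable from v by adjacent commutations."""
    indep = independence(pairs)
    seen = {v}
    todo = deque([v])
    while todo:
        x = todo.popleft()
        for i in range(len(x) - 1):
            if (x[i], x[i + 1]) in indep:
                y = _swap(x, i)
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
    return seen


def traces(interleavings, pairs):
    """Partition a set of interleavings into traces (the equivalence classes of ≡_D)."""
    remaining = set(interleavings)
    classes = set()
    while remaining:
        cls = frozenset(trace(min(remaining), pairs))   # min: deterministic representative
        classes.add(cls)
        remaining -= cls
    return classes


# Constructed inputs taken from the slides.
I_EQUIV = [("b", "c"), ("b", "d"), ("e", "f"), ("b", "f")]      # "Trace equivalence" slide
I_TRACES = [("a", "b"), ("c", "f"), ("d", "e")]                 # "Traces" slide
ALL_RUNS = {"abcde", "abced", "abdcf", "abdfc", "bacde", "baced", "badcf", "badfc"}
```

`commutation_path("abcdef", "acdfbe", I_EQUIV)` returns a path of four swaps, the same length as the chain on the slide (each swap removes exactly one inversion, so no shorter chain exists), and `traces(ALL_RUNS, I_TRACES)` yields the two classes σ1 and σ2.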
Traces as Partial Orders
A trace corresponds to a partial order.
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
[Figure: the posets of σ1 (a ∥ b; c after a and b; d and e after c, d ∥ e) and σ2 (a ∥ b; d after a and b; c and f after d, c ∥ f), beside the interleaved state graph from s0]
State ≡ order ideal (down-set)
Q is an order ideal of a poset (P, ≤) iff Q ⊆ P and ∀x ∈ Q, y ∈ P: y ≤ x ⇒ y ∈ Q.
"Happened-before"
The happened-before relation → on a trace σ_E = [w] is the smallest transitive relation that satisfies:
(α, β) ∈ D ∧ (w = u α v β w') ⇒ α → β
where α, β ∈ E.
Note: → is antisymmetric.
(E, →) is the poset corresponding to σ_E. Given the dependency relation D and a representative interleaving sequence of a trace, we can obtain the corresponding partial order.
[Lamport 1978]
Model Checking with Traces
EF_σ(φ): "Some reachable state of the trace σ satisfies φ."
– In general, NP-complete for boolean formulae φ [Chase, Garg 1993].
Tractable predicate classes for EF:
– "Stable" predicates [Chandy, Lamport 1985]
  • Once it turns true, it stays true.
  • E.g., deadlock, termination.
[Figure: interleaved state graph of σ2 from s0, with the states from s2 onward marked "stable"]
Traces and Lattices
Trace σ2 as a partial order: a ∥ b; d after a and b; c and f after d; c ∥ f.
Lattice of order ideals O(σ2), ordered by ⊆ (bottom to top):
  {}
  {a}, {b}
  {a, b}
  {a, b, d}
  {a, b, d, c}, {a, b, d, f}
  {a, b, d, c, f}
[Figure: the same lattice drawn as the interleaved state graph from s0]
– Order ideals of a poset form a lattice under the subset relation.
– G and H are order ideals ⇒ G ∪ H and G ∩ H are order ideals.
Overload "order ideal" to mean "state".
Meet-closed predicates
G ⊨ φ and H ⊨ φ ⇒ G ∩ H ⊨ φ.
A meet-closed predicate φ has a "least" satisfying state
– "least" = reached by executing the fewest number of events.
– If some state G ⊭ φ, then there exists at least one "crucial event" e ∉ G such that it is necessary to execute e in order to reach any state (from G) that satisfies φ.
  • "necessary", but not "sufficient".
– If the crucial event can be identified in polynomial time (O(|E|^k) time, for some constant k), then φ is called a linear predicate.
Example in the lattice of σ2: H = {a, b, d, c}, G = {a, b, d, f}, G ∩ H = {a, b, d}.
[Chase, Garg 1995]
Linear predicates
Examples of linear predicates:
– "Local" predicates
  • Defined using only local variables from a single process.
– A conjunction of local predicates
  • l1 ∧ l2 ∧ l3 ∧ …
If the crucial event is identified in O(|E|^k) time, then EF(φ) takes O(|E|^(k+1)) time.
Boolean formulae can be written as a disjunction of linear predicates!
EF(φ1 ∨ φ2 ∨ … ∨ φm) = EF(φ1) ∨ EF(φ2) ∨ … ∨ EF(φm)
[Chase, Garg 1995]
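The lattice, meet-closed and linear-predicate slides above describe a search that walks up the lattice of order ideals one crucial event at a time. The following is an added example, not code from the presentation, that runs that search on the slides' σ2 poset for a conjunction of local predicates: a process whose local predicate is false at its current local state must execute its next event, and a process whose not-yet-included event is a predecessor of an included event must catch up, so every step adds an event that all satisfying states above the current one contain. The example also enumerates the full lattice O(σ2) and checks the answer against the meet of all satisfying ideals. Assigning the events to processes (P1 = a, d, c; P2 = b, f) and representing each process's local state by the number of its events executed so far are assumptions of this example; they reproduce the lattice drawn on the slide.

```python
"""Order ideals of a trace poset and the crucial-event search for a conjunction of
local predicates ("Traces and Lattices", "Meet-closed predicates", "Linear predicates").

Added example, not code from the original presentation.  The poset is the slides'
σ2 = {a, b, d, c, f}: a ∥ b, d after both, c and f after d, c ∥ f.  The process
assignment (P1 = a, d, c; P2 = b, f) and the local state "number of events executed"
are assumptions of this example; they reproduce the lattice shown on the slide.
"""

# Per-process event sequences; events of one process are totally ordered.
PROCS = {"P1": ["a", "d", "c"], "P2": ["b", "f"]}
# Cross-process happened-before edges (predecessor, successor).
CROSS = [("b", "d"), ("d", "f")]

PROC_OF = {e: p for p, evs in PROCS.items() for e in evs}
POS = {e: i for evs in PROCS.values() for i, e in enumerate(evs)}
N_EVENTS = sum(len(evs) for evs in PROCS.values())


def included(e, counts):
    """Is event e in the ideal 'first counts[p] events of every process p'?"""
    return POS[e] < counts[PROC_OF[e]]


def is_ideal(counts):
    """Down-closed iff every cross edge (x, y) with y included has x included."""
    return all(included(x, counts) for x, y in CROSS if included(y, counts))


def events_of(counts):
    return frozenset(e for p, evs in PROCS.items() for e in evs[: counts[p]])


def all_ideals():
    """Enumerate the lattice O(σ) of order ideals, i.e. the reachable states.  Every
    non-empty ideal minus one of its maximal events is again an ideal, so adding one
    process's next event at a time from {} reaches all of them."""
    start = {p: 0 for p in PROCS}
    seen = {events_of(start)}
    todo = [start]
    while todo:
        c = todo.pop()
        for p in PROCS:
            if c[p] < len(PROCS[p]):
                n = dict(c)
                n[p] += 1
                if is_ideal(n) and events_of(n) not in seen:
                    seen.add(events_of(n))
                    todo.append(n)
    return seen


def conjunction_holds(ideal, local_preds):
    """l1 ∧ l2 ∧ ... on an ideal; local_preds[p](k) reads P's state after k events."""
    return all(pred(len(ideal & set(PROCS[p]))) for p, pred in local_preds.items())


def least_satisfying_ideal(local_preds):
    """Crucial-event search.  From the empty ideal, repeatedly advance one process by
    an event that every satisfying ideal above the current one must contain: (1) the
    counts are not down-closed, so the missing predecessor's process must catch up; or
    (2) a local predicate is false at its current local state, so that process must
    execute its next event.  Returns the least satisfying ideal, or None if a process
    runs out of events (EF(φ) is false).  At most |E| events are ever added."""
    counts = {p: 0 for p in PROCS}
    for _ in range(N_EVENTS + 1):
        advance = None
        for x, y in CROSS:                       # (1) consistency
            if included(y, counts) and not included(x, counts):
                advance = PROC_OF[x]
                break
        if advance is None:                      # (2) a false local predicate
            for p, pred in local_preds.items():
                if not pred(counts[p]):
                    advance = p
                    break
        if advance is None:
            return events_of(counts)
        if counts[advance] == len(PROCS[advance]):
            return None
        counts[advance] += 1
    raise AssertionError("unreachable: each iteration adds an event or returns")


def brute_force_least(local_preds):
    """Cross-check: the meet of all satisfying ideals, itself satisfying because a
    conjunction of local predicates is meet-closed."""
    sat = [ideal for ideal in all_ideals() if conjunction_holds(ideal, local_preds)]
    if not sat:
        return None
    meet = frozenset.intersection(*sat)
    assert meet in sat
    return meet
```

For φ = (P1 has executed at least two events) ∧ (P2 at least one), the search visits {}, {a}, {a, d} (not an ideal, since d needs b, so P2 is crucial) and stops at {a, b, d}, the meet of the two satisfying states {a, b, d, c} and {a, b, d, f} from the slide; for a predicate on P2 alone that needs f, the consistency rule pulls in a and d before f.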
Trace Cover
A set of traces Δ of a program P is a trace cover for P iff ∪_{σ ∈ Δ} States(σ) is exactly the reachable state space of P.
σ1 ⪯ σ2 iff ∃u ∈ σ1, w ∈ σ2 such that u is a prefix of w.
Lemma: σ1 ⪯ σ2 ⇒ States(σ1) ⊆ States(σ2)
– Suffices to consider traces that are maximal under ⪯.
[Figure: interleaved state graph from s0 for I = {(a, b), (c, f), (d, e)}]
Trace cover:
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
[Kashyap, Garg – ASE 2005]
Generating representative interleavings
Persistent set [Godefroid, Pirottin 1993]: T' ⊆ enabled(s) is persistent in s iff for any non-empty path starting from s in the full state-space graph
s = s1 –t1→ s2 –t2→ s3 … sn –tn→ sn+1
where ti ∉ T' for 1 ≤ i ≤ n, tn is independent of all transitions in T'.
[Figure: state s with enabled transitions a, b, c; after a, the transitions b and c remain enabled, followed by f]
If {b, c} is persistent in s, then (a, b) ∈ I and (a, c) ∈ I.
[Figure: the interleaved state graph from s0 next to the reduced graph obtained by exploring persistent sets: the prefix ab, then abd followed by c and f, and abc followed by d and e]
Theorem 4 [Peled 1994]: Exploring a persistent set of events at each state is sufficient to construct a representative interleaving for each trace of P that is maximal under ⪯.
Obtaining (E, →)
Assign vector timestamps to events [Mattern 1989, Fidge 1991]
– Timestamp is an integer vector of dimension n (# of processes).
  • α.v denotes the timestamp of event α.
– When α ∈ Pi is appended to sequence τ:
  • dep(α) = all events in τ on which α is dependent.
  • For all j, initialize α.v[j] to the maximum jth component over dep(α).
  • Increment α.v[i].
Example: a1, a2 ∈ P1; b1, b2 ∈ P2; (a2, b2) ∈ D; events of the same process are dependent.
Timestamps as drawn on the slide (P1's count is in the second component): a1 = (0,1), a2 = (0,2), b1 = (1,0), b2 = (2,2), since dep(b2) = {b1, a2} gives the componentwise maximum (1,2) before b2's own component is incremented.
Theorem: α.v < β.v ⇔ α → β
Vector timestamps capture exactly the poset (E, →).
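The timestamp rule above, and the happened-before definition it is meant to capture, as an added example that is not code from the presentation. It stamps the events of an interleaving exactly as the slide prescribes (componentwise maximum over dep(α), then increment the owner's component) and then checks the theorem α.v < β.v ⇔ α → β by recomputing → from its definition as a transitive closure. Assumptions of the example: events in a sequence have distinct names, so D is given over event names; processes are numbered from 0 and P1 owns component 0 (the slide's figure draws P1's count in the second component); and same-process events are always dependent, as the slides assume.

```python
"""Vector timestamps for the events of an interleaving, following the rule on the
"Obtaining (E, →)" slide (Mattern 1989 / Fidge 1991 style), and a cross-check of the
theorem α.v < β.v ⇔ α → β against the happened-before definition.

Added example, not code from the original presentation.  Assumptions: distinct event
names, so D is given directly over names; P1 owns vector component 0; events of the
same process are always dependent.
"""


def _symmetric(pairs):
    rel = set()
    for a, b in pairs:
        rel.add((a, b))
        rel.add((b, a))
    return rel


def vector_timestamps(sequence, proc_of, dependent_pairs, nprocs):
    """{event: timestamp}.  For each α in order: dep(α) = earlier events α depends on
    (same process or (α, β) ∈ D); α.v = componentwise max over dep(α); then α.v[i] += 1."""
    dep = _symmetric(dependent_pairs)
    stamps = {}
    for alpha in sequence:
        i = proc_of[alpha]
        v = [0] * nprocs
        for beta, bv in stamps.items():          # stamps holds exactly the events of τ
            if proc_of[beta] == i or (alpha, beta) in dep:
                v = [max(x, y) for x, y in zip(v, bv)]
        v[i] += 1
        stamps[alpha] = tuple(v)
    return stamps


def happened_before(stamps, alpha, beta):
    """α → β iff α.v < β.v: every component ≤ and the vectors differ."""
    a, b = stamps[alpha], stamps[beta]
    return a != b and all(x <= y for x, y in zip(a, b))


def concurrent(stamps, alpha, beta):
    return not happened_before(stamps, alpha, beta) and not happened_before(stamps, beta, alpha)


def poset_from_stamps(stamps):
    return {(a, b) for a in stamps for b in stamps if happened_before(stamps, a, b)}


def poset_from_definition(sequence, proc_of, dependent_pairs):
    """Transitive closure of {(α, β): α precedes β in w and (α, β) ∈ D}, the slide's
    definition of →, used to check that the timestamps capture exactly (E, →)."""
    dep = _symmetric(dependent_pairs)
    n = len(sequence)
    reach = [[False] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            a, b = sequence[i], sequence[j]
            reach[i][j] = proc_of[a] == proc_of[b] or (a, b) in dep
    for k in range(n):                           # Warshall closure
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return {(sequence[i], sequence[j]) for i in range(n) for j in range(n) if reach[i][j]}


# Constructed from the slide: a1, a2 ∈ P1 (component 0), b1, b2 ∈ P2, (a2, b2) ∈ D.
PROC_OF = {"a1": 0, "a2": 0, "b1": 1, "b2": 1}
D = [("a2", "b2")]


def slide_example(sequence=("a1", "a2", "b1", "b2")):
    """Stamp one interleaving of the slide's program and verify the theorem on it."""
    stamps = vector_timestamps(sequence, PROC_OF, D, 2)
    assert poset_from_stamps(stamps) == poset_from_definition(sequence, PROC_OF, D)
    return stamps
```

With the default interleaving a1 a2 b1 b2 the stamps are a1 = (1,0), a2 = (2,0), b1 = (0,1), b2 = (2,2), so a1 → b2 holds only through a2, and a1, b1 are concurrent. Feeding the interleaving a1 b1 b2 a2 instead makes a2 the dependent event (a2 = (2,2), b2 = (0,2)): a different trace, hence a different poset, from the same event set.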
Comparison with P.O. reduction
A transition is invisible w.r.t. a set of variables if it does not change the value of any of them.
In P.O. reduction:
– If persistent(s) ≠ enabled(s) then every α ∈ persistent(s) must be invisible [Peled 1993].
– Reduction highly dependent on the properties being checked [Gerth et al., 1995].
– High expressibility: can check LTL-X, CTL-X [Peled and Wilke 1997].
Our approach:
– Don't worry about invisibility.
– Size of representation is independent of the properties being checked.
– Can check much more limited classes of predicates.
[Figure: commuting diamond on α and β whose four states are labelled p,q / p,¬q / p,q / p,q, i.e. one of the transitions is visible w.r.t. q]
SPIN: PROMELA → reduced transition graph
"Trace Cover" SPIN: PROMELA → trace cover algorithms → trace cover
• EF_P(φ): "Some reachable state of the program P satisfies φ."
• Let Δ be a trace cover for P.
• EF_P(φ) = ∨_{σ ∈ Δ} EF_σ(φ)
Experimental Results (a): no errors in protocols
Columns per tool: time (sec), memory (MB), states. *** : no result given on the slide (presumably the run did not complete).

Dining philosophers (N=6) [Chandy, Misra 1984], EF(eating_i ∧ eating_(i+1) mod N)
  SPIN, no reduction:    ***       ***        ***
  SPIN, P.O. reduction:  759 s     439 MB     2116120 states
  Trace-Cover SPIN:      0.03 s    1.25 MB    83 states

Leader election (N=6) [Dolev, Klawe, Rodeh 1982], EF(nr_leaders > 1)
  SPIN, no reduction:    ***       ***        ***
  SPIN, P.O. reduction:  777 s     64 MB      238569 states
  Trace-Cover SPIN:      75 s      93 MB      118971 states

Mutual exclusion (N=5) [Ricart, Agrawala 1981], EF(incs > 1)
  SPIN, no reduction:    25 s      349 MB     652365 states
  SPIN, P.O. reduction:  2.51 s    26 MB      46880 states
  Trace-Cover SPIN:      0.05 s    2.65 MB    187 states
Experimental Results (b): safety violations present in protocols
Columns per tool: time (sec), memory (MB), states. *** : no result given on the slide (presumably the run did not complete).

Dining philosophers (N=6) [Chandy, Misra 1984], EF(eating_i ∧ eating_(i+1) mod N)
  SPIN, no reduction:    42 s      257 MB     1141680 states
  SPIN, P.O. reduction:  10 s      43 MB      170619 states
  Trace-Cover SPIN:      0.03 s    1.25 MB    81 states

Leader election (N=6) [Dolev, Klawe, Rodeh 1982], EF(nr_leaders > 1)
  SPIN, no reduction:    ***       ***        ***
  SPIN, P.O. reduction:  547 s     44 MB      159750 states
  Trace-Cover SPIN:      53 s      69 MB      87435 states

Mutual exclusion (N=5) [Ricart, Agrawala 1981], EF(incs > 1)
  SPIN, no reduction:    19 s      276 MB     510828 states
  SPIN, P.O. reduction:  1.59 s    15 MB      26126 states
  Trace-Cover SPIN:      0.05 s    2.65 MB    181 states
Concluding Remarks
Two-pronged approach:
• Compact, implicit representation of state space.
• Polynomial algorithms for model checking on the representation.
Main limitation: expressibility (only linear predicates and their disjunctions).
Future work:
– Increase expressibility!