Memory-Efficient Algorithms for the Verification of Temporal Properties

C. CourcoubetisInst. Of Comp. Sci.FORTH, Crete, Greece

M. VerdiIBM Almaden

P. WolperUn. de Liege

M. YannakakisAT&T Bell Labs

Presented By: Prateem Mandal 4710-410-041-03374 prateem@csa.iisc.ernet.in

Outline of the talk

• Introduction and previous work

• Formal Problem Definition

• Analysis and critique of previous approaches

• The Algorithms

• Questions and Answers

Introduction and previous work

• The paper addresses the problem of designing memory-efficient algorithms for verification of temporal properties of finite state programs modeled as Buchi Automata.

• Thus the problem is that of checking the emptiness of the automata.

• Allowing programs to err, the paper gives algorithm with memory access size of O(n) bits.

Previous work

• Reachability Analysis.• Theorem Prover.• Model Checking.

The problem of state space explosion was solved with the use of hashing (Holtzmann technique). This paper furthers the technique to find bad cycles as opposed to bad state in Holtzmann’s technique.

Formal Problem Definition

empty.-non is automata theofproduct theifCheck

.Aautomaton theof and P program theofproduct theTake

.P systemsn transitio theofP

computingby P program ofbehaviour global theCompute

.A isautomaton resulting The f. formula theof

negation for the wordsinfiniteon automaton finite a Build

f

i i

f

Formal Problem Definition contd..

states. designated ofset a is S F

and state, initialan is S s

,functionn transitionisticnondetermi a is ^2S :

states, ofset a is S

alphabet,an is

whereF),,s,S, ,(A tuplea isAutomaton Buchi

0

0

S

Formal Problem Definition contd..

).v,...,(vv

asuch that ieach for v v'-

and asuch that ieach for a),v(v'-

iff a)),v,..,((v)v',..,(v'by defined is

.components theof

actions of sets ofunion theis actions ofset the,

s.'P of spaces

state theofproduct cartesian is space state the,V v

where)V , ,(V,P is PP systemn transitioThe

0n010

iii

iii

n1n1

i

i

i

0i

Formal Problem Definition contd..

f. formula the violateand P of behaviours possible

are which runs all accepts APautomaton product The

FV states designated ofset and

s0)state(v0, initial

a)s1,(s2 and a)v1,( v2iff a)),1,1((s2)(v2,

by defined S)V(^2SV:function transition

SVset state

as computed is AP then F),s,S,,( ALet

. AP compute then A and P buildfirst we

fproperty logic temporala satisfies Pher check whet To

f

ff

ff

0

sv

Characterization of memory requirements

• Memory requirements have been characterized by considering the data structures used by the algorithm.

• They are of two types: randomly accessed and sequentially accessed.

• Hash table needs randomly accessed memory while stack or queue needs sequentially accessed memory.

Characterization of memory requirements contd..

• Bottleneck in performance of verification algorithms is related to amount of randomly accessed memory usage.

“Holtzmann observed that there is a tremendous speed-up for an algorithm implemented so that its randomly accessed memory requirements do not exceed the main memory available in the system(since sequentially accessed memory can be implemented in secondary storage)”

The Basic Method

• Holzmann considered how to perform reach ability analysis by using least amount of random memory access.

• The method is basically a DFS with marking of states by using a hashed m bit array.

• Since collision detection is avoided, there is a possibility that a state will be missed.

The Basic Method contd..

• The key assumption here is that one can choose a large enough value of m so that the collision events become arbitrary small.

• Holzmann claims that table size m=O(n) where n is the number of reachable states.

Analysis of the Basic Method

• Is the claim true?

• Let |U| be the namespace of the states where |U|>>n.

• If we consider the case of complete reach ability analysis the requirement is m=O(nlog |U|). Why?

Analysis of Basic Method contd..

• From probabilistic point of view the total possible mappings from set S={1,…,n} to states {1,…,m} are mn and number of possible one to one mappings are m!/(m-n)! Which for n<<m can be approximated by e-n2/m.

• Thus partial reach ability can be achieved in m=O(n log n) by first mapping n reachable states to set {1,…,m} with m=O(n2) and then do complete reachability by assuming namespace to be of size m.

Analysis of Basic Method contd..

• Holtzmann goes a step further and uses m=O(n). The assumption here is there exists a hashing function that can work in this constraint with arbitrarily small collision.

• This however is not supported by the above analysis.

• The above assumption can only hold if the hashing function exploits some particular structure of state space U. This assumption is not general enough to apply to algos finding strongly connected components.

The Algorithms

• S is a stack which stores the path from root to the present node.

• Q is a queue to hold the reachable members of F in post order.

• The above two data structures are sequential in nature therefore inconsequential to the analysis of the algorithm.

• M is a bit array indexed by hash values 1,…,m and is used for marking states.

Algorithm A: part 11. Initialize: S:=[s0], M:=0, Q:=null;

2. Loop:

while S != null do

begin

v:=top(S);

if M[h(w)]=1 for all w belonging to succ(v)

then begin

pop v from S;

if v belong to F insert v into Q;

end

else begin

let w be the first member of succ(v) with M[h(w)]=0;

M[h(w)]:=1;

push w into S;

end

end

Algorithm A: part 21. Initialize: S:=null, M:=0.2. Loop:

while Q=null dobegin:

f:=head(Q);remove f from Q;push f into S;while s != null do

beginv:=top(S);if f belongs to succ(v) then halt and return

“YES”;if M[h(w)]:=1 for all w belong to succ(v)

then pop v from Selse begin

let w be the first member of succ(v) with m[h(w)]=0;

M[h(w)]:=1;push w into S

endend

endend

Lemma 1: Let f1,…,fk be the members of Q after the first DFS, i.e., the members of F that are reachable from s0 in post order (f1 is the first member of F to be reached in post order, fk the last). If for some pair fi, fj with i<j there is a path from fi to fj then node fi belongs to a non trivial strongly connected component.

Proof of Lemma 1

• Suppose there is a path from fi to fj.

• If no node on this path was marked before fi, then the DFS would have reached fj from fi in the post order.

• Therefore some node p in the path was marked before fi.

• If p comes before fi in the post order then fj should come before fi in the post order.

• Since p was marked before fi but comes after fi in the post order, it must be an ancestor of fi.

• Thus fi can reach an ancestor and thus belongs to a non trivially strongly connected component.

Theorem 1: If the second DFS halts and returns “YES”, then some reachable node of F belongs to a non trivial strongly connected component. Conversely, suppose that some reachable node of F belongs to a non trivial strongly connected component, then the second DFS will return “YES”.

Proof of Theorem 1

• Suppose second DFS returns “YES” then it is building a tree with root fj and discovers a back edge to root fj, and therefore fj is in a cycle.

• For the converse let fj be the smallest indexed(j) reachable member of F that belongs to a non trivial strongly connected component.

• Consider a path p from fj to itself. If p is reachable from a fi with a smaller i then fi will also reach fj which by Lemma 1 contradicts the choice of fj.

• Thus no marked p exists when fj is pushed and thus back edge will be found eventually.

Algorithm B1. Initialize S1:=[s0], S2:=null, M1:=M2:=0.

2. While S1!=null dobegin

x:=top(S1);

if there is a y in succ(x) with M1[h(y)]=0then beginlet y be the first such number of succ(x);

M1[h(y)]:=1;

push y into S1;endelse begin

pop x from S1;if x belongs to F then begin

push x into S2;endendend

Algorithm B contd..

while S2!=null do begin

v:=top(S2);if x belongs to succ(v) then ret “YES”

if M2[h(w)]=1 for all w belong to succ(v)then pop v from S2

else beginlet w be the first member of

succ(v) with M2[h(w)]=0;

m2[h(w)]:=1;

push w into S2;end

endend

Algorithm B contd..• The above algorithm requires twice as much space as

algorithm A.• If an automaton is found to be non-empty an accepted

word can be extracted from stacks S1 and S2.• In verification terms if a protocol is incorrect, the

incorrect path can be reproduced.• Both the algorithms may err due to collisions which

means miss some error but will never proclaim a right protocol as wrong so they essentially behave like debuggers.

Questions and Answers