Exploiting Predicate Structure for Efficient Reachability Detection


Dissertation Proposal, ASE 2005

Sujatha Kashyap, Dr. Vijay K. Garg

Parallel and Distributed Systems Laboratory

ASE 2005

PDSL

Outline

Problem Statement (Motivation)

Notation and Background

Overview of Technique

Experimental Results

– comparison with SPIN

Concluding Remarks


Complexity of Model Checking

Explicit state representation [Clarke, Emerson 1981]

– Labeled transition systems.

– CTL model checking in O(|M|·|f|) (Clarke, Emerson, Sistla 1986)

– |M| is very large (state space explosion).

Implicit representation

– E.g., BDDs [McMillan 1991].

– Model checking becomes PSPACE-complete in the size of the structure (Feigenbaum et al. 1999)

Motivation: To find a happy medium.


Concurrency and Partial Orders

– Approaches exploiting the nature of concurrent events:

• Partial-order models
– Lamport 1978: “happened-before” relation
– Mazurkiewicz 1986: “traces”
– McMillan 1991: Petri net unfoldings

• Partial-order reduction
– Valmari 1990: stubborn sets
– Peled 1993: ample sets
– Godefroid 1996: persistent sets

[Figure: state graph of the interleavings of events a1, a2, a3.]


Basic Notation

Program P = (S, T, s0)

– S: Finite set of states

– T: Finite set of transitions

– s0: Initial state

enabled(s) ⊆ T

– All transitions executable from state s

s’ = α(s)

– Only deterministic transitions

Event = occurrence of a transition

Interleaving sequence, w

states(w)

[Figure: state graph with states s0, s1, s2, s3 and transitions α, β, γ, δ. Example: w = α β γ; states(w) = {s0, s1, s2}.]


Independence of events

– An independence relation I ⊆ T × T is an antireflexive, symmetric relation such that (α, β) ∈ I iff for all s ∈ S, if α ∈ enabled(s):

• Enabledness: β ∈ enabled(s) ⇔ β ∈ enabled(α(s)).

• Commutativity: α, β ∈ enabled(s) ⇒ α(β(s)) = β(α(s)).

– The dependency relation D = (T × T) \ I.

[Figure: commutativity diamond from state s: α leads to s1 and β leads to s2; executing the remaining event from either reaches the same state r.]

Note: We will assume that events belonging to the same process are always dependent.

[Mazurkiewicz 1986]


Trace equivalence ≡_D

v ≡_D w iff v can be transformed into w by commuting only adjacent independent events.

Example: I = {(b, c), (b, d), (e, f), (b, f)}

v = abcdef ≡_D acbdef ≡_D acdbef ≡_D acdbfe ≡_D acdfbe = w

(each step swaps one adjacent independent pair: bc, bd, ef, bf)


Traces

≡_D partitions the interleaving sequences of a program P into equivalence classes, called traces.

σ_E: trace with event set E.

States(σ) = ∪_{v ∈ σ} states(v).

[Figure: state graph from s0 over events a–f with I = {(a, b), (c, f), (d, e)}. Interleavings: {abcde, abced, abdcf, abdfc, bacde, baced, badcf, badfc}; traces: σ1 = {abcde, abced, bacde, baced}, σ2 = {abdcf, abdfc, badcf, badfc}.]
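The two slides above (trace equivalence ≡_D and traces) define a trace as the class of interleavings reachable from one another by commuting adjacent independent events. The Python below is an added illustration, not part of the original presentation: it computes that class by breadth-first search over single adjacent swaps and reproduces both slide examples. Events are single characters, so an interleaving is a string; the independence relation is stored in one orientation and tested symmetrically.

```python
from collections import deque


def independent(x, y, indep):
    """I is symmetric, so one stored orientation suffices."""
    return (x, y) in indep or (y, x) in indep


def trace_of(w, indep):
    """The trace [w]: every interleaving reachable from w by repeatedly
    commuting adjacent *independent* events (BFS over single swaps).
    Dependent adjacent events are never swapped, so their relative order
    is the same in every member of the class."""
    seen = {w}
    queue = deque([w])
    while queue:
        v = queue.popleft()
        for i in range(len(v) - 1):
            if independent(v[i], v[i + 1], indep):
                u = v[:i] + v[i + 1] + v[i] + v[i + 2:]
                if u not in seen:
                    seen.add(u)
                    queue.append(u)
    return frozenset(seen)


def equivalent(v, w, indep):
    """v ≡_D w iff w lies in the class of v."""
    return w in trace_of(v, indep)


def partition_into_traces(interleavings, indep):
    """≡_D partitions a set of interleavings into traces (pairwise disjoint)."""
    return {trace_of(w, indep) for w in interleavings}


# Examples taken from the slides.
I_EQUIV = {("b", "c"), ("b", "d"), ("e", "f"), ("b", "f")}
I_TRACES = {("a", "b"), ("c", "f"), ("d", "e")}
INTERLEAVINGS = {"abcde", "abced", "abdcf", "abdfc",
                 "bacde", "baced", "badcf", "badfc"}

if __name__ == "__main__":
    print(equivalent("abcdef", "acdfbe", I_EQUIV))
    for sigma in partition_into_traces(INTERLEAVINGS, I_TRACES):
        print(sorted(sigma))
```

The class returned by `trace_of` is the full equivalence class under ≡_D; whether every member is actually executable in the program is a separate question, which is why the slide starts from the program's own set of interleavings and partitions it.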


Traces as Partial Orders

A trace corresponds to a partial order.

[Figure: the state graph for σ1 and σ2 (left) and the corresponding partial orders (right): σ1 = {abcde, abced, bacde, baced} gives a, b < c < d, e; σ2 = {abdcf, abdfc, badcf, badfc} gives a, b < d < c, f.]

State ⇔ order ideal (down-set)

Q is an order ideal of a poset (P, ≤) iff Q ⊆ P and ∀x ∈ Q, y ∈ P: y ≤ x ⇒ y ∈ Q.


“Happened-before”

The happened-before relation → on a trace σ_E = [w] is the smallest transitive relation that satisfies:

(α, β) ∈ D ∧ (w = u α v β w’) ⇒ α → β

where α, β ∈ E.

Note: → is antisymmetric.

(E, →) is the poset corresponding to σ_E. Given the dependency relation D and a representative interleaving sequence of a trace, we can obtain the corresponding partial order.

[Lamport 1978]


Model Checking with Traces

EF_σ(φ): “Some reachable state of the trace σ satisfies φ.”

– In general, NP-complete for boolean formulae φ [Chase, Garg 1993].

Tractable predicate classes for EF:

– “Stable” predicates [Chandy, Lamport 1985]

• Once it turns true, it stays true.
• E.g., deadlock, termination.

[Figure: state graph of σ2 (events a, b, c, d, f) from s0 to s2, with the region where a stable predicate holds marked “Stable”.]

Traces and Lattices

[Figure: σ2 as a partial order (a, b < d < c, f); its lattice of order ideals O(σ): {} < {a}, {b} < {a, b} < {a, b, d} < {a, b, d, c}, {a, b, d, f} < {a, b, d, c, f}; and the interleaved (state graph) representation of the same states.]

– Order ideals of a poset form a lattice under the subset relation.

– G and H are order ideals ⇒ G ∪ H and G ∩ H are order ideals.

Overload “order ideal” to mean “state”.
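As an added illustration (not code from the original slides), the following Python enumerates the order ideals of σ2 by walking the lattice upward from the empty ideal, which is exactly the interleaved representation of its states, and checks the closure property stated above. The partial order is supplied directly as its covering relation, read off the Hasse diagram on the slide.

```python
from collections import deque


def transitive_closure(pairs):
    """Strict order < from its covering relation (repeat until no new pair)."""
    lt = set(pairs)
    while True:
        new = {(x, z) for (x, y) in lt for (y2, z) in lt if y == y2} - lt
        if not new:
            return lt
        lt |= new


def predecessors(events, lt):
    """For each event, the set of events strictly below it."""
    below = {e: set() for e in events}
    for x, y in lt:
        below[y].add(x)
    return below


def order_ideals(events, covers):
    """Enumerate the down-sets of (E, <) by walking the lattice: from an ideal G,
    executing any event whose predecessors are all in G yields another ideal.
    Every ideal is reached this way (removing a maximal element of a non-empty
    ideal leaves a smaller ideal), so the result is exactly the set of states
    of the trace."""
    below = predecessors(events, transitive_closure(covers))
    start = frozenset()
    seen = {start}
    queue = deque([start])
    while queue:
        g = queue.popleft()
        for e in events:
            if e not in g and below[e] <= g:      # e is enabled in state g
                h = g | {e}
                if h not in seen:
                    seen.add(h)
                    queue.append(h)
    return seen


def closed_under_union_and_intersection(ideals):
    """G, H ideals ⇒ G ∪ H and G ∩ H ideals: the down-sets form a lattice under ⊆."""
    return all((g | h) in ideals and (g & h) in ideals
               for g in ideals for h in ideals)


# σ2 from the slides: a, b independent; d after both; c and f after d, independent.
SIGMA2_EVENTS = ("a", "b", "c", "d", "f")
SIGMA2_COVERS = {("a", "d"), ("b", "d"), ("d", "c"), ("d", "f")}


def sigma2_states():
    return order_ideals(SIGMA2_EVENTS, SIGMA2_COVERS)


if __name__ == "__main__":
    for state in sorted(sigma2_states(), key=lambda s: (len(s), sorted(s))):
        print(sorted(state))
```

The number of ideals is what the rest of the talk is about: it equals the number of reachable states of the trace, so enumerating them is the explicit-state cost that the polynomial predicate-detection algorithms on later slides avoid.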


Meet-closed predicates

G ⊨ φ and H ⊨ φ ⇒ G ∩ H ⊨ φ.

A meet-closed predicate φ has a “least” satisfying state.
– “least” = reached by executing the fewest events.

– If some state G ⊭ φ, then there exists at least one “crucial event” e ∉ G such that it is necessary to execute e in order to reach any state (from G) that satisfies φ.
• “necessary”, but not “sufficient”.

– If the crucial event can be identified in polynomial time (O(|E|^k) time, for some constant k), then φ is called a linear predicate.

[Figure: in the lattice of order ideals of σ2, H = {a, b, d, c} and G = {a, b, d, f} meet at G ∩ H = {a, b, d}.]

[Chase, Garg 1995]


Linear predicates

Examples of linear predicates:

– “Local” predicates

• Defined using only local variables from a single process.

– A conjunction of local predicates

• l1 ∧ l2 ∧ l3 ∧ …

If the crucial event is identified in O(|E|^k) time, then EF(φ) takes O(|E|^(k+1)) time.

Boolean formulae can be written as a disjunction of linear predicates!

EF(φ1 ∨ φ2 ∨ … ∨ φm) = EF(φ1) ∨ EF(φ2) ∨ … ∨ EF(φm)

[Chase, Garg 1995]
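Added example, not from the original slides: a direct implementation of the crucial-event argument for a conjunction of local predicates. A state is a consistent cut (one counter per process, i.e. an order ideal of the trace), and cross-process dependencies are given as explicit (process, event index) pairs. The two processes, their local variable values and the dependency edges below are a constructed scenario, not one from the paper. The second scenario shows “necessary but not sufficient”: every crucial event is executed, yet the predicate turns out to be unreachable.

```python
def least_ideal_containing(cut, event, edges):
    """Smallest down-set (consistent cut) that contains `cut` and `event`.
    cut[i] = number of P_i events executed so far.  Raising P_i to k also pulls
    in every cross-process predecessor of P_i's events cut[i]+1 .. k."""
    cut = list(cut)
    stack = [event]
    while stack:
        i, k = stack.pop()
        if cut[i] >= k:
            continue
        for kk in range(cut[i] + 1, k + 1):
            stack.extend(edges.get((i, kk), ()))
        cut[i] = k
    return tuple(cut)


def ef_conjunction(local_preds, local, edges):
    """EF(l_1 ∧ ... ∧ l_n) over the lattice of consistent cuts.
    Invariant: every satisfying state is a superset of `cut`.  If l_i is false
    at `cut`, any satisfying state must execute P_i's next event (the crucial
    event: necessary, not sufficient), so advance to the least ideal containing
    it.  Returns the least satisfying cut, or None.  At most |E| steps."""
    n = len(local)
    cut = tuple(0 for _ in range(n))
    while True:
        falsified = [i for i in range(n) if not local_preds[i](local[i][cut[i]])]
        if not falsified:
            return cut
        i = falsified[0]
        if cut[i] == len(local[i]) - 1:
            return None                # P_i has no more events: l_i stays false
        cut = least_ideal_containing(cut, (i, cut[i] + 1), edges)


def ef_disjunction(conjunctions, local, edges):
    """EF(φ_1 ∨ ... ∨ φ_m) = EF(φ_1) ∨ ... ∨ EF(φ_m) for linear φ_j."""
    return any(ef_conjunction(c, local, edges) is not None for c in conjunctions)


# Constructed scenario (not from the paper).  Two processes; LOCAL[i][k] is P_i's
# local variable after k events (k = 0 is the initial state).
# P1 executes a1 a2 a3, P2 executes b1 b2.
LOCAL = [[0, 1, 0, 1],     # x on P1 after 0, 1, 2, 3 events
         [0, 1, 0]]        # y on P2 after 0, 1, 2 events
# Cross-process dependencies as (process, event index) -> predecessors.
EDGES_A = {(1, 1): [(0, 2)]}                       # b1 receives from a2
EDGES_B = {(1, 1): [(0, 2)], (0, 3): [(1, 2)]}     # ... and a3 receives from b2
X1_AND_Y1 = [lambda x: x == 1, lambda y: y == 1]

if __name__ == "__main__":
    print(ef_conjunction(X1_AND_Y1, LOCAL, EDGES_A))   # least satisfying cut
    print(ef_conjunction(X1_AND_Y1, LOCAL, EDGES_B))   # None: unreachable
```

Each iteration either returns or strictly enlarges the cut, so the loop runs at most |E| times; the crucial event for a conjunction of local predicates is found in O(n), which is the k = 1 case of the bound above.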


Trace Cover

A set of traces Δ of a program P is a trace cover for P iff ∪_{σ ∈ Δ} States(σ) is exactly the reachable state space of P.

σ1 ⊑ σ2 : ∃ u ∈ σ1, w ∈ σ2 such that u is a prefix of w.

Lemma: σ1 ⊑ σ2 ⇒ States(σ1) ⊆ States(σ2)

– Suffices to consider traces that are maximal under ⊑.

[Figure: state graph of the running example (I = {(a, b), (c, f), (d, e)}). Trace cover: σ1 = {abcde, abced, bacde, baced}, σ2 = {abdcf, abdfc, badcf, badfc}.]

[Kashyap, Garg – ASE 2005]


Generating representative interleavings

Persistent set [Godefroid, Pirottin 1993]: T ⊆ enabled(s) is persistent in s iff for any non-empty path starting from s in the full state space graph

s = s1 –t1→ s2 –t2→ s3 … sn –tn→ sn+1

with ti ∉ T for 1 ≤ i ≤ n, each ti is independent of all transitions in T.

[Figure: from state s, transitions a, b, c (and f further on). If {b, c} is persistent in s, then (a, b) ∈ I and (a, c) ∈ I.]


[Figure: persistent-set exploration of the running example (I = {(a, b), (c, f), (d, e)}): after a, b the exploration branches into abc… and abd…, one representative interleaving per maximal trace.]

Theorem 4 [Peled 1994]: Exploring a persistent set of events at each state is sufficient to construct a representative interleaving for each trace of P that is maximal under ⊑.


Obtaining (E, →)

Assign vector timestamps to events [Mattern 1989, Fidge 1991]

– Timestamp is an integer vector of dimension n (# of processes).

• α.v denotes the timestamp of event α.

– When α ∈ Pi is concatenated to sequence τ:

• dep(α) = all events in τ on which α is dependent.
• For all j, initialize α.v[j] to the max jth component in dep(α).
• Increment α.v[i].

[Figure: a1, a2 ∈ P1; b1, b2 ∈ P2; (a2, b2) ∈ D. Timestamps: a1 (0 1), a2 (0 2), b1 (1 0), b2 (2 2).]

Theorem:

α.v < β.v ⇔ α → β

Vector timestamps capture exactly the poset (E, →).
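Added example (not code from the original slides): the timestamp assignment described above, run on the slide's four-event sequence, alongside the happened-before relation computed directly from its definition on the earlier slide, to check the theorem α.v < β.v ⇔ α → β on every pair of events. P1 owns vector component 0 here, so the tuples come out as the transposition of those drawn on the slide. The second check in the test applies the same code to σ2 of the running example, with a process assignment and dependency relation chosen to reproduce its partial order.

```python
def dependent(x, y, proc, dep):
    """Events of one process are always dependent (slide assumption);
    across processes consult the explicit, symmetric relation D."""
    return proc[x] == proc[y] or (x, y) in dep or (y, x) in dep


def happened_before(w, proc, dep):
    """→ on the trace [w]: the smallest transitive relation with
    (α, β) ∈ D and α before β in w  ⇒  α → β."""
    hb = {(w[i], w[j]) for i in range(len(w)) for j in range(i + 1, len(w))
          if dependent(w[i], w[j], proc, dep)}
    while True:
        new = {(x, z) for (x, y) in hb for (y2, z) in hb if y == y2} - hb
        if not new:
            return hb
        hb |= new


def vector_timestamps(w, proc, n, dep):
    """Mattern/Fidge timestamps computed as on the slide: when α ∈ P_i is
    appended, α.v[j] = max over dep(α) of the j-th component, then α.v[i] += 1."""
    ts = {}
    for k, alpha in enumerate(w):
        v = [0] * n
        for beta in w[:k]:                 # dep(α): earlier events α depends on
            if dependent(alpha, beta, proc, dep):
                v = [max(a, b) for a, b in zip(v, ts[beta])]
        v[proc[alpha]] += 1
        ts[alpha] = tuple(v)
    return ts


def vec_less(u, v):
    """Strict vector order: u ≤ v componentwise and u ≠ v."""
    return u != v and all(a <= b for a, b in zip(u, v))


def timestamps_capture_poset(w, proc, n, dep):
    """Theorem check: α.v < β.v ⇔ α → β for every pair of distinct events."""
    hb = happened_before(w, proc, dep)
    ts = vector_timestamps(w, proc, n, dep)
    return all(vec_less(ts[x], ts[y]) == ((x, y) in hb)
               for x in w for y in w if x != y)


# Slide example: a1, a2 ∈ P1, b1, b2 ∈ P2, (a2, b2) ∈ D.  P1 is component 0.
W = ["a1", "b1", "a2", "b2"]
PROC = {"a1": 0, "a2": 0, "b1": 1, "b2": 1}
DEP = {("a2", "b2")}

if __name__ == "__main__":
    print(vector_timestamps(W, PROC, 2, DEP))
    print(sorted(happened_before(W, PROC, DEP)))
    print(timestamps_capture_poset(W, PROC, 2, DEP))
```

Only direct dependencies are consulted when a timestamp is formed, but because each predecessor's vector already summarises everything below it, the result still reflects the transitive relation; that is what makes the pairwise vector comparison a constant-size stand-in for a reachability query in the poset.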

Comparison with P.O. reduction

A transition is invisible w.r.t. a set of variables if it does not change the value of any of them.

In p.o. reduction:
– If persistent(s) ≠ enabled(s) then every α ∈ persistent(s) must be invisible [Peled 1993].
– Reduction highly dependent on the properties being checked [Gerth et al., 1995].
– High expressibility: can check LTL-X, CTL-X [Peled and Wilke 1997].

Our approach:
– Don’t worry about invisibility.
– Size of representation is independent of the properties being checked.
– Can check much more limited classes of predicates.

[Figure: commuting diamond of α and β with states labelled p,q and p,¬q: β changes q, so it is visible w.r.t. q.]


SPIN: PROMELA → SPIN → reduced transition graph

“Trace Cover” SPIN: PROMELA → SPIN (trace cover algorithms) → trace cover

• EF_P(φ): “Some reachable state of the program P satisfies φ.”

• Let Δ be a trace cover for P.

• EF_P(φ) = ∨_{σ ∈ Δ} EF_σ(φ)


Experimental Results

Protocol / property                                   SPIN, no reduction           SPIN, P.O. reduction         Trace-Cover SPIN
                                                      Time(s)  Mem(MB)  States     Time(s)  Mem(MB)  States     Time(s)  Mem(MB)  States
Dining philosophers (N=6) [Chandy, Misra 1984]
  EF(eating_i ∧ eating_((i+1) mod N))                 ***      ***      ***        759      439      2116120    0.03     1.25     83
Leader election (N=6) [Dolev, Klawe, Rodeh 1982]
  EF(nr_leaders > 1)                                  ***      ***      ***        777      64       238569     75       93       118971
Mutual exclusion (N=5) [Ricart, Agarwala 1981]
  EF(incs > 1)                                        25       349      652365     2.51     26       46880      0.05     2.65     187

(a) No errors in protocols


Experimental Results

Protocol / property                                   SPIN, no reduction           SPIN, P.O. reduction         Trace-Cover SPIN
                                                      Time(s)  Mem(MB)  States     Time(s)  Mem(MB)  States     Time(s)  Mem(MB)  States
Dining philosophers (N=6) [Chandy, Misra 1984]
  EF(eating_i ∧ eating_((i+1) mod N))                 42       257      1141680    10       43       170619     0.03     1.25     81
Leader election (N=6) [Dolev, Klawe, Rodeh 1982]
  EF(nr_leaders > 1)                                  ***      ***      ***        547      44       159750     53       69       87435
Mutual exclusion (N=5) [Ricart, Agarwala 1981]
  EF(incs > 1)                                        19       276      510828     1.59     15       26126      0.05     2.65     181

(b) Safety violations present in protocols


Concluding Remarks

Two-pronged approach:

• Compact, implicit representation of state space.

• Polynomial algorithms for model checking on the representation.

Main limitation: Expressibility

Future work:

– Increase expressibility!
