31Hong,Shin @ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann...

/ 31Hong,Shin @ PSWLAB

SPIN Search Optimization

from “THE SPIN MODEL CHECKER” by G. Holzmann

Presented by Hong,Shin23th Nov 2007

23年 4月 21日

1SPIN Search Optimization


Introduction (1/1)

• In explicit model checking, verification problem is reduced to the reachability problem in a graph.

• The hard problem in explicit model checking to solve is finding effective ways to scale reachability checking algorithm to handle large to very large graph.

Approaches(1)Reduce the number of reachable states to check

- Partial order reduction, Statement merging

(2) Reduce the amount of memory that is needed to store visited states.- Loseless compression : Collapse compression, Minimized automaton- Lossy compression : Bitstate hashing, Hash compact

23年 4月 21日

SPIN Search Optimization 2


Partial Order Reduction (1/9)

23年 4月 21日

3SPIN Search Optimization

L0 L1 L2

x=1 g=g+2

L’0 L’1 L’2

y=1 g=g*2

T1:

T2:

byte g = 0 ;

active proctype T1(){

byte x ;x = 1 ;g = g + 2 ;

}

active proctype T2(){

byte y ;y = 1 ;g = g * 2 ;

}



23年 4月 21日


0,0,0L0, L’0

1,0,0

L1,L’

0

0,1,0

L0,L’

11,1,0

L1,L’

1

1,0,2

L2,L’

0

0,1,0

L0,L’

2

1,1,2

L2,L’

1

1,1,0

L1,L’

2

1,1,4

L2,L’

2

1,1,2

L2,L’

2

x=1 y=1

x=1y=1

g=g*2

x=1

g=g+2

g=g*2

y=1

g=g+2

g=g+2

g=g*2

x,y,g

L, L’



• For two statements a and b, if two interleavings of these statements from any state result different states or two interleavings are impossible, then a and b are dependent to each other.

- Dependent statements pairsg=g*2 and g=g+2 because both touch same data object.

x=1 and g=g+2 the order of statements are fixed.

y=1 and g=g*2 the order of statements are fixed.

- Independent statements pairsx=1 and y=1x=1 and g=g*2y=1 and g=g+2

23年 4月 21日




¾1 ={(0,0,0,L0, L’0) , (1,0,0,L1, L’0), (1,0,2,L2, L’0), (1,1,2,L2,L’1), (1,1,4,L2,L’2)}

¾2 ={(0,0,0,L0, L’0) , (1,0,0,L1, L’0), (1,1,0,L1, L’1), (1,1,2,L2,L’1), (1,1,4,L2,L’2)}

¾3 ={(0,0,0,L0, L’0) , (1,0,0,L1, L’0), (1,1,0,L1, L’1), (1,1,0,L1,L’2), (1,1,2,L2,L’2)}

¾4 ={(0,0,0,L0, L’0) , (0,1,0,L0, L’1), (0,1,0,L0, L’2), (1,1,0,L1,L’2), (1,1,2,L2,L’2)}

¾5 ={(0,0,0,L0, L’0) , (0,1,0,L0, L’1), (1,1,0,L1, L’1), (1,1,0,L1,L’2), (1,1,2,L2,L’2)}

¾6 ={(0,0,0,L0, L’0) , (0,1,0,L0, L’1), (1,1,0,L1, L’1), (1,1,2,L2,L’1), (1,1,4,L2,L’2)}

These runs can be classified into two groups according to the end state.

{¾1, ¾2, ¾6} , {¾3, ¾4, ¾5}

23年 4月 21日



Partial Order Reduction (5/9)¼1 = { x=1 ; g=g+2 ; y=1 ; g=g*2;}

¼2 = { x=1 ; y=1 ; g=g+2 ; g=g*2;}

¼6 = { y=1 ; x=1 ; g=g+2 ; g=g*2;}

¼3 = { x=1 ; y=1 ; g=g*2 ; g=g+2;}

¼5 = { y=1 ; x=1 ; g=g*2 ; g=g+2;}

¼4 = { y=1 ; g=g*2 ; x=1 ; g=g+2;}

23年 4月 21日


Independent statements pairs

x=1 and y=1 x=1 and g=g*2 y=1 and g=g+2

• Within each class, each run can be obtained from the other runs by one or more permutations of adjacent independent transitions. • The eventual outcome of a computation remains unchanged under such permutations.• For verification, it therefore would suffice to consider just one run from each class.



23年 4月 21日


0,0,0L0, L’0

1,0,0

L1,L’

0

0,1,0

L0,L’

11,1,0

L1,L’

1

1,0,2

L2,L’

0

0,1,0

L0,L’

2

1,1,2

L2,L’

1

1,1,0

L1,L’

2

1,1,4

L2,L’

2

1,1,2

L2,L’

2

x,y,g

L, L’ x=1 y=1

x=1y=1

g=g*2

x=1

g=g+2

g=g*2

y=1

g=g+2

g=g+2

g=g*2



• For previous example, it would be suffice to consider only runs ¾2 and ¾3. to accurately prove LTL formulae such as– Always(g = 0) – Eventually(2 · g)

23年 4月 21日




¼1 = { x=1 ; g=g+2 ; y=1 ; g=g*2;}

¼2 = { x=1 ; y=1 ; g=g+2 ; g=g*2;}

¼6 = { y=1 ; x=1 ; g=g+2 ; g=g*2;}

¼3 = { x=1 ; y=1 ; g=g*2 ; g=g+2;}

¼5 = { y=1 ; x=1 ; g=g*2 ; g=g+2;}

¼4 = { y=1 ; g=g*2 ; x=1 ; g=g+2;}

23年 4月 21日


Independent statements pairs

x=1 and g=g*2 y=1 and g=g+2

• What if “Always(y · x)” ? → The formula secretly introduces dependency between

x=1 and y=1.



• SPIN constructs global reachability graph on the fly.

• SPIN uses a static reduction method for partial order reduction.– The dependency relations are computed offline.

• Pre-evaluated dependency relations are used to decide which successors to search at each state exploration in SPIN.

23年 4月 21日



Statement Merging (1/5)

• Merge sequences of transitions within a process into a single step to avoid the creation of unnecessary intermediate system states.

• Automatically add d_step constructs into a specification whenever a sequence of statements meets merging condition.

23年 4月 21日




• Merging can be safely done if a sequence of statements in a process(1) accesses only local data.(2) does not have any guarded condition

(if or do statements).

• Statement merging is enabled in default. And this can be disabled by –o3 option.

23年 4月 21日




active proctype merging()

{

byte c ;

if

:: c = 0 ;

:: c = 1 ;

:: c = 2 ;

fi ;

do

:: c < 2 -> c++ ;

:: c > 0 -> c-- ;

od ;

}

23年 4月 21日


L0

L1

L2 L3

c=2c=0

c=1

[c<2]

[c>0]

c++ c--



23年 4月 21日


0,L0

0,L1

1,L1

2,L1

0,L2

1,L2

1,L3

2,L3

c=0 c=1 c=2

[c<2]

[c<2]

[c>0]

[c>0]

c++

c++

c--

c--

c, L



23年 4月 21日


L0

L1

c=2c=0 c=1

[c<2] c++[c>0] c--

0,L0

0,L1

1,L1

2,L1

c=0 c=1 c=2

[c<2] c++ [c<2] c++

[c>0] c-- [c>0] c--

active proctype merging()

{

byte c ;

if

:: c = 0 ;

:: c = 1 ;

:: c = 2 ;

fi ;

do

:: d_step {c < 2 -> c++ ; }

:: d_step {c > 0 -> c-- ; }

od ;

}


Collapse Compression (1/3)

• Replicating a complete description of all local component of the system state in each global state that is stored is wasteful technique.

• Collapse compression mode tries to store smaller state components separately while assigning small unique index numbers to each one.

23年 4月 21日



Collapse Compression (2/3)• Def. System State

(gvars, procs, chans, exclusive, handshake,timeout, else, stutter)

gvars: a finite set of variables with global scopeprocs: a finite set of processeschans: a finite set of message channelsexclusive, handshake are integerstimeout, else, stutter are booleans

• Def. Process(pid, lvars, lstates, initial, curstate, trans)

lvars: a finite set of local variableslstates: a finite set of integerinitial: an element of lstatestrans: a finite set of transitions on lstates.

15시 51분 PROMELA Semantics 18


Collapse Compression (3/3)

• Break down a global state into separate components– first component: the set of all global data objects

such as global variables and all message channels.– one component for each active process: its control

state and local states of the process.

23年 4月 21日



Minimized Automaton (1/4)

• Use a minimized deterministic automaton for storage of statespace instead of conventional lookup table.

• If a state descriptor is accepted by the minimized deterministic automaton, then that state was visited.

• Lookup and update operation has a time complexity of O(S) where S is the maximum length of a state descriptor.– Both minimized automaton and lookup table have same order

time complexity for the operations, minimized automaton takes much more time for the operations.

• The user should provide an initial estimate of the maximum depth of the graph that is constructed for the minimized automaton representation using –DMA option for pan.

23年 4月 21日




23年 4月 21日


Automaton Structure After Storing {000, 001, 101}

1

0



23年 4月 21日


Automaton Structure After Storing {000, 001, 101, 100}

1

0



In verification of SM_ReadSector() model where SECT_PER_U is 4, NUM_LS_USED is 6, and MAX_VUN is 5.

• SPIN result with –DSAFETY –DCOLLAPSE options- memory: 138.302 total actual memory usage- time: 0m17.509s

• SPIN result with –DSAFETY –DCOLLAPSE –DMA option- memory: 87.779total actual memory usage- time: 13m55.321s

23年 4月 21日



Bitstate Hashing (1/4)

• SPIN uses standard hash table as statespace storage.

- Each slot in hash table has a sorted linked list of states of the same hash value.

23年 4月 21日




• R : the number of states stored in hash table• H : the number of slots in hash table.• when R > H,

- The hash function computes the same value for different states(hash collision).- The average number of comparisons for a lookup or update operation is R/2H.

• when H >> R, - Each state can be stored in a different slot.- The lists stored in each slot will either be empty or contains one single states.

23年 4月 21日




• R : the number of reachable states• M : the memory size that hash table can use• S : the memory size that each state holds• H : the number of slots in hash table

In standard hash table, H = M/S andIf R*S >> M, only (M/S*R) of system state can be covered.

If M >> R, assume that hash table has M slots.→ Then we can assume that there is either no state or one state in each slot. → Therefore only one bit is enough to represent each slot.

23年 4月 21日




• In bitstate hashing, it is possible to cover at most M states where M is the memory size for statespace in bits.

• Using a hash function hash(state s) that maps a state descriptor to a value in range of 0..M-1.

• For a state s, if slot(hash(s)) is true then state s was visited during the searching.

• But this method can not guarantee exhaustive search. For a state s where k=hash(s), if slots(k) = true , it is impossible to distinguish whether s was visited or some other state s’ where hash(s’)=k was visited. But this method does not report false error.

23年 4月 21日



Hash Compact (1/2)

• If M · R*S, then we can assign bM/Rc bits for each reachable state.

• In hash compact, the hash function hash(state s) returns values in range of 0..2bM/Rc -1

• SPIN stores these hash values instead of state descriptor.

• The hash compact method can be enabled by compiling a verifier with –DHC4.

For example, M=109 and R=107

In bitstate hashing, R/M=1/102

In hash compact, R/2M/R = 107/2100 ~ 1/1013

23年 4月 21日



Hash Compact (2/2)

23年 4月 21日


Measured Coverage of Double Bitstate Hashing(k=2) compared with Hash-Compact(hc), and Exhaustive SearchProblem size: 427567reachable states, state descriptor size 1376 bits


Further Study• Partial Order Reduction– Static reduction technique used in SPIN.

23年 4月 21日



References[1]“THE SPIN MODEL CHECKER” by G. J. Holzmann.[2]The Engineering of a Model Checker: the Gnu i-

Protocol Case Study Revisited, G. J. Holzmann. [3]An Improvement in Formal Verification, G.J.

Holzmann and Doron Peled.

23年 4月 21日


31Hong,Shin @ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann...

Documents

Transcript of 31Hong,Shin @ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann...