Exploiting Predicate Structure for Efficient Reachability Detection
Transcript of Exploiting Predicate Structure for Efficient Reachability Detection
DISSERTATION PROPOSAL, ASE 2005
Sujatha Kashyap, Dr. Vijay K. Garg
Parallel and Distributed Systems Laboratory (PDSL)
ASE 2005
PDSL
Outline
Problem Statement (Motivation)
Notation and Background
Overview of Technique
Experimental Results
– Comparison with SPIN
Concluding Remarks
Complexity of Model Checking
Explicit state representation [Clarke, Emerson 1981]
– Labeled transition systems.
– CTL model checking in O(|M|·|f|) [Clarke, Emerson, Sistla 1986].
– |M| is very large (state space explosion).
Implicit representation
– E.g., BDDs [McMillan 1991].
– Model checking becomes PSPACE-complete in the size of the structure [Feigenbaum et al. 1999].
Motivation: to find a happy medium.
Concurrency and Partial Orders
Approaches exploiting the nature of concurrent events:
• Partial-order models
  – Lamport 1978: "happened-before" relation
  – Mazurkiewicz 1986: "traces"
  – McMillan 1991: Petri net unfoldings
• Partial-order reduction
  – Valmari 1990: stubborn sets
  – Peled 1993: ample sets
  – Godefroid 1996: persistent sets
[Figure: the state graph of three concurrent events a1, a2, a3; its twelve edges, labelled a1, a2, a3, form the cube of all their interleavings]
Basic Notation
Program P = (S, T, s0)
– S: finite set of states
– T: finite set of transitions
– s0: initial state
enabled(s) ⊆ T
– All transitions executable from state s
s' = α(s)
– Only deterministic transitions
Event = occurrence of a transition
Interleaving sequence, w
states(w)
[Figure: transitions α, β, γ, δ over states s0, s1, s2, s3; example w = α β γ with states(w) = {s0, s1, s2}]
Independence of events
– An independence relation I ⊆ T × T is an antireflexive, symmetric relation such that (α, β) ∈ I iff for all s ∈ S, if α ∈ enabled(s):
  • Enabledness: β ∈ enabled(s) ⇔ β ∈ enabled(α(s)).
  • Commutativity: α, β ∈ enabled(s) ⇒ α(β(s)) = β(α(s)).
– The dependency relation D = (T × T) \ I.
[Figure: the commuting diamond s -α-> s1 -β-> r and s -β-> s2 -α-> r]
Note: We will assume that events belonging to the same process are always dependent.
[Mazurkiewicz 1986]
Trace equivalence ≡_D
v ≡_D w iff v can be transformed into w by commuting only adjacent independent events.
Example: I = {(b, c), (b, d), (e, f), (b, f)}
v = abcdef
≡_D acbdef
≡_D acdbef
≡_D acdbfe
≡_D acdfbe = w
Traces
≡_D partitions the interleaving sequences of a program P into equivalence classes, called traces.
σ_E: trace with event set E.
States(σ) = ∪_{v ∈ σ} states(v).
[Figure: state graph with initial state s0, events a, b, c, d, e, f, and states s1, s2]
I = {(a, b), (c, f), (d, e)}
Interleavings: {abcde, abced, abdcf, abdfc, bacde, baced, badcf, badfc}
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
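The partition on the "Traces" slide and the commutation chain on the "Trace equivalence" slide, as an added worked example (this is not code from the slides). Instead of searching for a sequence of commutations, it uses a standard characterisation of trace equivalence: two interleavings are equivalent iff they contain the same events and order every pair of dependent events the same way. The independence relations and interleavings are the slides' own; the function names are this example's.

```python
"""Mazurkiewicz trace equivalence, checked via projections onto dependent pairs.

Added example. v ≡_D w iff v and w have the same events and agree on the
relative order of every DEPENDENT pair of events; this is the check used here
instead of enumerating commutations. Data is copied from the slides.
"""
from itertools import combinations


def independence(pairs):
    """Symmetric closure of a listed independence relation I; I must be antireflexive."""
    rel = set()
    for a, b in pairs:
        if a == b:
            raise ValueError(f"independence relation must be antireflexive, got ({a}, {b})")
        rel.add((a, b))
        rel.add((b, a))
    return frozenset(rel)


def dependent(a, b, indep):
    """D = (T x T) \\ I: events are dependent unless listed as independent (so (a, a) is dependent)."""
    return (a, b) not in indep


def projection(word, letters):
    """Subsequence of `word` consisting of the events in `letters`, order preserved."""
    return "".join(ev for ev in word if ev in letters)


def trace_equivalent(v, w, indep):
    """v ≡_D w iff same multiset of events and same order on every dependent pair."""
    if sorted(v) != sorted(w):
        return False
    for a, b in combinations(sorted(set(v)), 2):
        if dependent(a, b, indep) and projection(v, {a, b}) != projection(w, {a, b}):
            return False
    return True


def commute_adjacent(word, i, indep):
    """One step of the slide's transformation: swap word[i] and word[i+1], only if independent."""
    a, b = word[i], word[i + 1]
    if dependent(a, b, indep):
        raise ValueError(f"cannot commute dependent events {a}{b}")
    return word[:i] + b + a + word[i + 2:]


def partition_into_traces(words, indep):
    """Split a set of interleavings into its equivalence classes, i.e. traces."""
    traces = []
    for w in words:
        for cls in traces:
            if trace_equivalent(cls[0], w, indep):
                cls.append(w)
                break
        else:
            traces.append([w])
    return [frozenset(cls) for cls in traces]


# Independence relation and the eight interleavings from the "Traces" slide.
I_TRACES = independence([("a", "b"), ("c", "f"), ("d", "e")])
INTERLEAVINGS = ["abcde", "abced", "abdcf", "abdfc", "bacde", "baced", "badcf", "badfc"]

if __name__ == "__main__":
    # "Trace equivalence" slide: abcdef -> acdfbe, one adjacent commutation per step.
    I_EQ = independence([("b", "c"), ("b", "d"), ("e", "f"), ("b", "f")])
    w = "abcdef"
    for i in (1, 2, 4, 3):                       # swap positions used on the slide
        w = commute_adjacent(w, i, I_EQ)
        print(w)                                  # acbdef, acdbef, acdbfe, acdfbe
    print(trace_equivalent("abcdef", w, I_EQ))    # True
    for trace in partition_into_traces(INTERLEAVINGS, I_TRACES):
        print(sorted(trace))                      # sigma1 and sigma2 from the slide
```

Note that the projection check is what makes this usable on real interleavings: commuting adjacent events blindly can get stuck on a locally "out of order" pair, while the projection criterion is a direct decision procedure and runs in time polynomial in the word length and the number of dependent pairs.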
Traces as Partial Orders
A trace corresponds to a partial order.
[Figure: the state graph above (s0, events a, b, c, d, e, f, states s1, s2) next to the two posets it generates: in σ1, a and b precede c, and c precedes the unordered pair d, e; in σ2, a and b precede d, and d precedes the unordered pair c, f]
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
State ≡ order ideal (down-set)
Q is an order ideal of a poset (P, ≤) iff Q ⊆ P and ∀x ∈ Q, ∀y ∈ P: y ≤ x ⇒ y ∈ Q.
"Happened-before" →
The happened-before relation → on a trace σ_E = [w] is the smallest transitive relation that satisfies:
(α, β) ∈ D ∧ (w = u α v β w') ⇒ α → β, where α, β ∈ E.
Note: → is antisymmetric.
(E, →) is the poset corresponding to σ_E. Given the dependency relation D and a representative interleaving sequence of a trace, we can obtain the corresponding partial order.
[Lamport 1978]
Model Checking with Traces
EF_σ(φ): "Some reachable state of the trace σ satisfies φ."
– In general, NP-complete for boolean formulae φ [Chase, Garg 1993].
Tractable predicate classes for EF:
– "Stable" predicates [Chandy, Lamport 1985]
  • Once it turns true, it stays true.
  • E.g., deadlock, termination.
[Figure: the σ2 part of the state graph (events a, b, d, c, f from s0 to s2); the states in which a stable predicate holds are marked "Stable"]
Traces and Lattices
[Figure, three panels: (1) σ2 as a partial order: a and b below d, d below c and f; (2) the lattice of order ideals O(σ2): {}, {a}, {b}, {a, b}, {a, b, d}, {a, b, d, c}, {a, b, d, f}, {a, b, d, c, f}; (3) the interleaved representation of σ2 from s0 (events a, b, d, c, f)]
– Order ideals of a poset form a lattice under the subset relation.
– G and H are order ideals ⇒ G ∪ H and G ∩ H are order ideals.
Overload "order ideal" to mean "state".
Meet-closed predicates
G ⊨ φ and H ⊨ φ ⇒ G ∩ H ⊨ φ.
A meet-closed predicate φ has a "least" satisfying state
– "least" = reached by executing the fewest number of events.
– If some state G ⊭ φ, then there exists at least one "crucial event" e ∉ G, such that it is necessary to execute e in order to reach any state (from G) that satisfies φ.
  • "necessary", but not "sufficient".
– If the crucial event can be identified in polynomial time (O(|E|^k) time, for some constant k), then φ is called a linear predicate.
[Figure: the lattice of order ideals of σ2, with H = {a, b, d, c}, G = {a, b, d, f} and their meet G ∩ H = {a, b, d}]
[Chase, Garg 1995]
Linear predicates
Examples of linear predicates:
– "Local" predicates
  • Defined using only local variables from a single process.
– A conjunction of local predicates
  • l1 ∧ l2 ∧ l3 ∧ ...
If the crucial event is identified in O(|E|^k), then EF(φ) takes O(|E|^(k+1)) time.
Boolean formulae can be written as a disjunction of linear predicates!
EF(φ1 ∨ φ2 ∨ ... ∨ φm) = EF(φ1) ∨ EF(φ2) ∨ ... ∨ EF(φm)
[Chase, Garg 1995]
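The lattice of order ideals and the crucial-event algorithm for a conjunction of local predicates, as an added worked example (not code from the slides). The poset is σ2 from the slides (a, b below d; d below c and f). The slides do not say which process executes which event, so this example assumes P1 runs a, d, c and P2 runs b, f, and uses "number of events P_i has executed" as P_i's only local variable; both are assumptions of the example. A brute-force enumeration of the whole lattice is included as the check that the crucial-event search really returns the least satisfying state.

```python
"""Order ideals of a trace (its states) and crucial-event detection of
EF(l1 ∧ l2 ∧ ...) for local predicates l_i.

Added example. Poset = sigma2 from the slides. Process ownership of events and
the local variables are assumptions of this example, not given on the slides.
"""

# sigma2 as a partial order: event -> immediate predecessors (the slide's Hasse diagram).
PREDS = {"a": set(), "b": set(), "d": {"a", "b"}, "c": {"d"}, "f": {"d"}}
# Assumed process assignment; each process's events are totally ordered (a < d < c, b < f).
PROCESS = {"a": "P1", "d": "P1", "c": "P1", "b": "P2", "f": "P2"}


def down_closure(events, preds):
    """Smallest order ideal containing `events`: add every predecessor, transitively."""
    closed, stack = set(), list(events)
    while stack:
        e = stack.pop()
        if e not in closed:
            closed.add(e)
            stack.extend(preds[e])
    return frozenset(closed)


def is_order_ideal(q, preds):
    """Q is an ideal iff every predecessor of every member is itself a member."""
    return all(preds[e] <= set(q) for e in q)


def order_ideals(preds):
    """All order ideals = all states of the trace, grown one enabled event at a time."""
    ideals, frontier = {frozenset()}, [frozenset()]
    while frontier:
        g = frontier.pop()
        for e, ps in preds.items():
            if e not in g and ps <= g:               # e is enabled in state g
                h = g | {e}
                if h not in ideals:
                    ideals.add(h)
                    frontier.append(h)
    return ideals


def next_event(proc, g, preds, process):
    """The unique next event of `proc` outside state g, or None if `proc` has finished."""
    for e in preds:
        if process[e] == proc and e not in g:
            earlier = {p for p in down_closure({e}, preds) if process[p] == proc} - {e}
            if earlier <= g:
                return e
    return None


def satisfies(g, local_preds, process):
    """Conjunction of local predicates, each applied to its process's event count in g."""
    return all(pred(sum(1 for e in g if process[e] == proc)) for proc, pred in local_preds.items())


def detect_conjunction(local_preds, preds, process):
    """EF(l1 ∧ l2 ∧ ...) by crucial events: the least satisfying state, or None.

    If l_i is false in g, only events of P_i can change it, so P_i's next event
    is crucial: it and its predecessors lie in every satisfying state above g.
    Each iteration adds at least one event, so the search is polynomial in |E|.
    """
    g = frozenset()
    while not satisfies(g, local_preds, process):
        failing = next(proc for proc, pred in local_preds.items()
                       if not pred(sum(1 for e in g if process[e] == proc)))
        crucial = next_event(failing, g, preds, process)
        if crucial is None:                          # P_i has no events left: unreachable
            return None
        g = g | down_closure({crucial}, preds)
    return g


def brute_force(local_preds, preds, process):
    """Reference answer: smallest satisfying ideal, found by enumerating the whole lattice."""
    sat = [g for g in order_ideals(preds) if satisfies(g, local_preds, process)]
    return min(sat, key=len) if sat else None


# Constructed predicates. Reachable: P1 did >= 2 events and P2 >= 1 (least state {a, b, d}).
# Unreachable: P1 did exactly 1 event and P2 >= 2 (f needs d, which is P1's second event).
PHI_REACHABLE = {"P1": lambda n: n >= 2, "P2": lambda n: n >= 1}
PHI_UNREACHABLE = {"P1": lambda n: n == 1, "P2": lambda n: n >= 2}

if __name__ == "__main__":
    print(sorted(map(sorted, order_ideals(PREDS))))              # the 8 states of sigma2
    print(detect_conjunction(PHI_REACHABLE, PREDS, PROCESS))     # frozenset({'a', 'b', 'd'})
    print(detect_conjunction(PHI_UNREACHABLE, PREDS, PROCESS))   # None
```

The meet-closure argument is visible in `detect_conjunction`: it never branches, because every satisfying ideal above the current state must contain the crucial event, so the state it ends in is the intersection of all satisfying states. A predicate that is not meet-closed (for example a disjunction across processes) breaks this invariant and has to be split into linear disjuncts first, as the slide says.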
Trace Cover
A set of traces Δ of a program P is a trace cover for P iff ∪_{σ ∈ Δ} States(σ) is exactly the reachable state space of P.
σ1 ⊑ σ2 : ∃u ∈ σ1, w ∈ σ2, such that u is a prefix of w.
Lemma: σ1 ⊑ σ2 ⇒ States(σ1) ⊆ States(σ2)
– Suffices to consider traces that are maximal under ⊑.
[Figure: the state graph from s0 with events a, b, c, d, e, f and states s1, s2]
Trace Cover:
σ1 = {abcde, abced, bacde, baced}
σ2 = {abdcf, abdfc, badcf, badfc}
[Kashyap, Garg – ASE 2005]
Generating representative interleavings
Persistent set [Godefroid, Pirottin 1993]: T ⊆ enabled(s) is persistent in s iff for any non-empty path starting from s in the full state space graph
s = s1 -t1-> s2 -t2-> s3 ... sn -tn-> sn+1
with ti ∉ T for 1 ≤ i ≤ n, every ti is independent of all transitions in T.
[Figure: state s with enabled transitions a, b, c and a path from s that starts with a]
If {b, c} is persistent in s, then (a, b) ∈ I and (a, c) ∈ I.
[Figure: the full state graph of the example (events a, b, c, d, e, f from s0 through s1) beside the reduced graph explored with persistent sets: a, then b, then the branch c (followed by d and e) or d (followed by c and f)]
Theorem 4 [Peled 1994]: Exploring a persistent set of events at each state is sufficient to construct a representative interleaving for each trace of P that is maximal under ⊑.
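The persistent-set definition and Theorem 4 [Peled 1994] applied to the slides' example, as an added worked example (not the slides' code). PROGRAM is a constructed explicit (S, T, s0) whose maximal interleavings are exactly the eight listed on the "Traces" slide; its state names are this example's own. Persistent sets are found by testing the definition against the full state graph, which is only sensible for a toy (a real checker derives them statically from the program text); the point is that the reduced search visits 9 of 12 states and still follows one representative per maximal trace. The example also verifies that I = {(a, b), (c, f), (d, e)} satisfies the enabledness and commutativity conditions from the "Independence of events" slide, which is the check worth running before trusting any reduction.

```python
"""Persistent-set exploration of an explicit program, one representative
interleaving per maximal trace, with checks of I and of trace coverage.

Added example. PROGRAM is a constructed explicit state graph realising the
eight interleavings on the slides; state names are this example's own.
"""
from itertools import combinations

S0 = "s0"
PROGRAM = {                                   # state -> {transition: successor}
    "s0": {"a": "a", "b": "b"},
    "a": {"b": "s1"}, "b": {"a": "s1"},
    "s1": {"c": "c", "d": "d"},
    "c": {"d": "cd", "e": "ce"}, "d": {"c": "dc", "f": "df"},
    "cd": {"e": "s2"}, "ce": {"d": "s2"},
    "dc": {"f": "s3"}, "df": {"c": "s3"},
    "s2": {}, "s3": {},
}
# I = {(a, b), (c, f), (d, e)} from the slides, closed under symmetry.
INDEPENDENT = frozenset(p for x, y in [("a", "b"), ("c", "f"), ("d", "e")] for p in [(x, y), (y, x)])


def check_independence(program, indep):
    """Check the slides' definition of I at every state; return the pairs that violate it."""
    bad = set()
    for alpha, beta in indep:
        for s, succ in program.items():
            if alpha not in succ:
                continue
            after_alpha = program[succ[alpha]]
            if (beta in succ) != (beta in after_alpha):                     # enabledness
                bad.add((alpha, beta))
            elif beta in succ and program[succ[beta]].get(alpha) != after_alpha.get(beta):
                bad.add((alpha, beta))                                       # commutativity
    return bad


def is_persistent(cand, s, program, indep):
    """Definition: along every path from s that uses only transitions outside
    `cand`, each transition taken is independent of every member of `cand`."""
    seen, stack = set(), [s]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for t, nxt in program[cur].items():
            if t in cand:
                continue
            if any((t, u) not in indep for u in cand):
                return False
            stack.append(nxt)
    return True


def persistent_set(s, program, indep):
    """Smallest persistent subset of enabled(s); enabled(s) itself is always persistent."""
    enabled = sorted(program[s])
    for size in range(1, len(enabled) + 1):
        for cand in combinations(enabled, size):
            if is_persistent(set(cand), s, program, indep):
                return set(cand)
    return set(enabled)


def reduced_exploration(program, s0, indep):
    """Explore only a persistent set at each state (no state caching, so a state
    reached twice is re-expanded); return visited states and the maximal words."""
    visited, words = set(), []

    def dfs(s, word):
        visited.add(s)
        ps = persistent_set(s, program, indep)
        if not ps:
            words.append(word)
        for t in sorted(ps):
            dfs(program[s][t], word + t)

    dfs(s0, "")
    return visited, words


def all_maximal_interleavings(program, s0):
    """Every maximal interleaving of the full state graph."""
    words = []

    def dfs(s, word):
        if not program[s]:
            words.append(word)
        for t in sorted(program[s]):
            dfs(program[s][t], word + t)

    dfs(s0, "")
    return sorted(words)


def trace_key(word, indep):
    """Canonical key of [word] when each event occurs once: its event set and the
    order of every dependent pair; equal keys <=> same trace."""
    pairs = {(word[i], word[j]) for i in range(len(word)) for j in range(i + 1, len(word))
             if (word[i], word[j]) not in indep}
    return frozenset(word), frozenset(pairs)


if __name__ == "__main__":
    assert not check_independence(PROGRAM, INDEPENDENT)
    visited, reps = reduced_exploration(PROGRAM, S0, INDEPENDENT)
    full = all_maximal_interleavings(PROGRAM, S0)
    print(len(visited), "of", len(PROGRAM), "states explored; representatives:", reps)
    print({trace_key(w, INDEPENDENT) for w in full} == {trace_key(w, INDEPENDENT) for w in reps})
```

At s0 the set {a} is persistent because the only path avoiding a is the single step b, and b is independent of a; at s1 neither {c} nor {d} is persistent (c and d are dependent), so both are explored and the two maximal traces σ1 and σ2 each get one representative.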
Obtaining (E, →)
Assign vector timestamps to events [Mattern 1989, Fidge 1991]
– Timestamp is an integer vector of dimension n (# of processes).
  • α.v denotes the timestamp of event α.
– When α ∈ Pi is concatenated to sequence τ:
  • dep(α) = all events in τ on which α is dependent.
  • For all j, initialize α.v[j] to the max jth component in dep(α).
  • Increment α.v[i].
Example: a1, a2 ∈ P1; b1, b2 ∈ P2; (a2, b2) ∈ D.
[Figure: the events a1, a2, b1, b2 with their timestamps; applying the rule above with component i for process Pi gives a1 (1, 0), b1 (0, 1), a2 (2, 0), b2 (2, 2)]
Theorem: α.v < β.v ⇔ α → β
Vector timestamps capture exactly the poset (E, →).
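The timestamp rule above and the theorem that the timestamps capture exactly (E, →), as an added worked example (not the slides' code). It stamps the slide's events a1, a2 ∈ P1 and b1, b2 ∈ P2 with (a2, b2) ∈ D, then compares the poset read off the timestamps with the poset obtained directly from the "Happened-before" slide's definition (transitive closure of "dependent and earlier in the interleaving"). Two assumptions of the example: timestamp components are ordered by process index (P1 first), and dependency is "same process" (the slides' standing assumption) plus an explicit list of cross-process pairs.

```python
"""Vector timestamps for a representative interleaving and the happened-before
poset they induce.

Added example. Event names are "<process><n>" (a1, b2, ...), process = first
character, as on the slide. Component order (P1 first) and the dependency
model (same process, plus listed cross-process pairs) are assumptions here.
"""


def make_dependency(cross_dependent):
    """dependent(alpha, beta): same process, or a listed cross-process pair in either order."""
    cross = {pair for x, y in cross_dependent for pair in ((x, y), (y, x))}
    return lambda alpha, beta: alpha[0] == beta[0] or (alpha, beta) in cross


def vector_timestamps(interleaving, processes, dependent):
    """Append events one at a time to tau, stamping each as the slide prescribes:
    alpha.v[j] = max over dep(alpha) of the j-th component, then alpha.v[i] += 1."""
    index = {p: i for i, p in enumerate(processes)}
    tau, stamps = [], {}
    for alpha in interleaving:
        v = [0] * len(processes)
        for beta in tau:                              # dep(alpha): earlier events alpha depends on
            if dependent(beta, alpha):
                v = [max(x, y) for x, y in zip(v, stamps[beta])]
        v[index[alpha[0]]] += 1
        stamps[alpha] = tuple(v)
        tau.append(alpha)
    return stamps


def happened_before(alpha, beta, stamps):
    """alpha -> beta iff alpha.v < beta.v: componentwise <= and not equal."""
    a, b = stamps[alpha], stamps[beta]
    return a != b and all(x <= y for x, y in zip(a, b))


def concurrent(alpha, beta, stamps):
    """Neither happened before the other (the two timestamps are incomparable)."""
    return alpha != beta and not happened_before(alpha, beta, stamps) \
        and not happened_before(beta, alpha, stamps)


def poset_from_stamps(stamps):
    """(E, ->) read off the timestamps alone."""
    return {(x, y) for x in stamps for y in stamps if happened_before(x, y, stamps)}


def poset_from_sequence(interleaving, dependent):
    """The slide's definition: transitive closure of 'alpha before beta in w and (alpha, beta) in D'."""
    n = len(interleaving)
    rel = {(interleaving[i], interleaving[j]) for i in range(n) for j in range(i + 1, n)
           if dependent(interleaving[i], interleaving[j])}
    changed = True
    while changed:                                    # naive closure, fine for a small E
        changed = False
        for x, y in list(rel):
            for y2, z in list(rel):
                if y == y2 and (x, z) not in rel:
                    rel.add((x, z))
                    changed = True
    return rel


# The slide's example: a1, a2 in P1; b1, b2 in P2; (a2, b2) in D; one representative interleaving.
PROCESSES = ("a", "b")
DEPENDENT = make_dependency([("a2", "b2")])
INTERLEAVING = ["a1", "b1", "a2", "b2"]

if __name__ == "__main__":
    stamps = vector_timestamps(INTERLEAVING, PROCESSES, DEPENDENT)
    print(stamps)                                                              # a1 (1, 0) ... b2 (2, 2)
    print(poset_from_stamps(stamps) == poset_from_sequence(INTERLEAVING, DEPENDENT))   # True
```

Because (a1, b1) and (b1, a2) are independent, their timestamps are incomparable, and a different representative of the same trace (a1 a2 b1 b2) produces identical timestamps; that invariance is what lets the trace-cover algorithms work from any one representative.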
Comparison with P.O. reduction
A transition is invisible w.r.t. a set of variables if it does not change the value of any of them.
In p.o. reduction:
– If persistent(s) ≠ enabled(s) then every α ∈ persistent(s) must be invisible [Peled 1993].
– Reduction highly dependent on the properties being checked [Gerth et al., 1995].
– High expressibility: can check LTL-X, CTL-X [Peled and Wilke 1997].
Our approach:
– Don't worry about invisibility.
– Size of representation is independent of properties being checked.
– Can check much more limited classes of predicates.
[Figure: the commuting diamond of α and β with state labels (p, q), (p, ¬q), (p, q), (p, q); one of the two interleavings passes through a state where q is false]
SPIN
PROMELA → reduced transition graph
"Trace Cover" SPIN
PROMELA → trace cover algorithms → trace cover
• EF_P(φ): "Some reachable state of the program P satisfies φ."
• Let Δ be a trace cover for P.
• EF_P(φ) = ∨_{σ ∈ Δ} EF_σ(φ)
Experimental Results
(a) No errors in protocols

Protocol (property)                             | SPIN, no reduction           | SPIN, P.O. reduction          | Trace-Cover SPIN
                                                | Time (s) | Mem (MB) | States | Time (s) | Mem (MB) | States  | Time (s) | Mem (MB) | States
Dining philosophers (N=6) [Chandy, Misra 1984]
  EF(eating_i ∧ eating_((i+1) mod N))           | ***      | ***      | ***    | 759      | 439      | 2116120 | 0.03     | 1.25     | 83
Leader election (N=6) [Dolev, Klawe, Rodeh 1982]
  EF(nr_leaders > 1)                            | ***      | ***      | ***    | 777      | 64       | 238569  | 75       | 93       | 118971
Mutual exclusion (N=5) [Ricart, Agrawala 1981]
  EF(incs > 1)                                  | 25       | 349      | 652365 | 2.51     | 26       | 46880   | 0.05     | 2.65     | 187
Experimental Results
(b) Safety violations present in protocols

Protocol (property)                             | SPIN, no reduction           | SPIN, P.O. reduction          | Trace-Cover SPIN
                                                | Time (s) | Mem (MB) | States | Time (s) | Mem (MB) | States  | Time (s) | Mem (MB) | States
Dining philosophers (N=6) [Chandy, Misra 1984]
  EF(eating_i ∧ eating_((i+1) mod N))           | 42       | 257      | 1141680 | 10      | 43       | 170619  | 0.03     | 1.25     | 81
Leader election (N=6) [Dolev, Klawe, Rodeh 1982]
  EF(nr_leaders > 1)                            | ***      | ***      | ***    | 547      | 44       | 159750  | 53       | 69       | 87435
Mutual exclusion (N=5) [Ricart, Agrawala 1981]
  EF(incs > 1)                                  | 19       | 276      | 510828 | 1.59     | 15       | 26126   | 0.05     | 2.65     | 181
Concluding Remarks
Two-pronged approach:
• Compact, implicit representation of state space.
• Polynomial algorithms for model checking on the representation.
Main limitation: Expressibility
Future work:
– Increase expressibility!