Presentation is loading. Please wait.

Presentation is loading. Please wait.

Complexity Relief Techniques for Model Checking METU, Aug. 2002 SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute,

Published byBarnaby Logan Modified over 7 years ago

Similar presentations

Presentation on theme: "Complexity Relief Techniques for Model Checking METU, Aug. 2002 SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute,"— Presentation transcript:

1 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute, Middle East Technical University August 26-27, 2002 COMPLEXITY RELIEF TECHNIQUES FOR MODEL CHECKING by

2 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Outline : - General Model Cheking Tool Structure - State Space Explosion - Partial Order Reduction - Static Partial Order Reduction - SDLCheck - HW/SW Model Checking - OBDDs for state representation - Assume-guarantee approach - Conclusion

3 Complexity Relief Techniques for Model Checking METU, Aug. 2002 General Model Cheking Tool Structure Model of the system Specification of the sytem The Model Checker YesNo (counter example) Out of memory

4 Complexity Relief Techniques for Model Checking METU, Aug. 2002 State Space Explosion : a terrorizing example 100 states Proc A 100x100x100x10000x10000x10000x10000x10000x10000 = 10 30 (potential) states 4 different messages can be sent to each queue Using a computer at 10GHz which can search a state in 1 cycle => 10 10 states/sec We need 10 20 secs, approximately 10 12 years!!! 100 states Proc B 100 states Proc C In general, the size of the reachable set of states grows exponentially in the number of components.

5 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Complexity Relief Techniques: - Partial order reduction - Symbolic search using OBDDs (record : 10 120 states) - Assume-guarantee - Abstraction - Symmetry - Induction

6 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction - A property (given in next time free LTL) preserving reduction in the reachable state space. - Using POR, we can generate B’ D instead of B D such that for any next-time free LTL formula  : 1) |B D |  |B’ D |; and 2) L(B D  B  ) =  iff (B D  B  ) =  - Main trick is to eliminate reduntant interpretation generations.

7 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction {p 2,p 3 } {p 3 } {p 1,p 2,p 3 }... {p 3 } {p 1,p 2,p 3 }... I’ I’’ {p 2,p 3 } {p 1,p 3 } Note that: for any next-time free LTL formula , I’ |=  iff I’’ |=  Such (equivalent) interpretation pairs are generated by the following patterns in the global state space:... {p 3 } {p 2,p 3 }

8 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Such patterns in the global state space are (almost) always generated by the transitions of different processes. s1 s2 s3 s4 a b (s1,s3) (s2,s3)(s1,s4) (s2,s4) a a b b When we arrive at the state (s1,s3), since both of the transition a & b are enabled, we generate both of the states (s2,s3) and (s1,s4), which in turn causes generation of I’ and I’’ which are equivalent.

9 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction S R =  ; dfs ( s 0 ); proc dfs ( s ) S R = S R  { s };  a  enabled(s) do let s –a-> s’ if s’  S R then dfs ( s’ ); fi od endproc dfs S R =  ; dfs ( s 0 ); proc dfs ( s ) S R = S R  { s };  a  ample(s) do let s –a-> s’ if s’  S R then dfs ( s’ ); fi od endproc dfs Conventional ReachabilityPartial Order Reachability where ample(s)  enabled(s)

10 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction However, there are certain conditions that must be satisfied by ample(s). C0 : ample(s) =  iff enabled(s) =  If there are enabled transitions, then amples(s) cannot be an empty set.

11 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Consider: s1 s2 if (x>0) else s4 terminate Start the self destruct mechanism s3 s5 s6 x = -1 (...,s1,...s5,..4,...) a b c (...,s1,...s6,..-1,...) c ab ab

12 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Let us call a transition “a” as globally indepent iff “a” does not disable any other transitions and no other transition can disable “a”. C1 : If ample(s)  enabled(s) then all the transitions in ample(s) are globally independent transitions.

13 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Consider: s3 s4 (s1,s3) b ab s1 s2 a (s2,s3)(s1,s4) (s2,s4) ba And suppose we are checking G(  p 1   p 2 ) where - p 1 = “A is at s2” - p 2 = “B is at s3”

14 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Let us call a transition “a” as visible if there exists a global state s such that s –a-> s’, and the set of atomic propositions that hold at s and s’ are different. C2 : If ample(s)  enabled(s) then all the transitions in ample(s) are invisible transitions. (s1,s3) b (s1,s4) {p 2 } { }

15 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction Consider: s3 s4 (s1,s3) b a s1 a and suppose “a” is globally independent and invisible. The search ends prematurely if we take ample((s1,s3)) = {a}. C3 : Along any cycle in the reduced state space there exists a state s such that amples(s) = enabled(s).

16 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Partial Order Reduction C0 : ample(s) =  iff enabled(s) =  C1 : If ample(s)  enabled(s) then all the transitions in ample(s) are globally independent transitions. C2 : If ample(s)  enabled(s) then all the transitions in ample(s) are invisible transitions. C3 : Along any cycle in the reduced state space there exists a state s such that amples(s) = enabled(s). The four conditions on ample(s) :

17 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Static Partial Order Reduction -Normally, in order to implement partial order reduction, one has to modify the model checker in order to guarantee C0, C1, C2, C3. - In Static Partial Order Reduction approach, the original system D is converted into another system D’ such that B’ D = B D’ - This can be done using a self-compilation (from the language in which D is specified to the same language), or during compilation into the input language of the model checker.

18 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SDLCheck System in SDL Property in QL

19 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SDLCheck System in SDL System in S/R Property in QLProperty in S/R COSPAN (Formal Check) sdl2sr

20 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SDLCheck System in SDL System in S/R Property in QLProperty in S/R Out of mem. COSPAN (Formal Check) Yes No sdl2sr

21 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SDLCheck System in SDL System in S/R Property in QLProperty in S/R Out of mem. COSPAN (Formal Check) Yes No Error track in S/R sdl2sr

22 Complexity Relief Techniques for Model Checking METU, Aug. 2002 SDLCheck System in SDL System in S/R Property in QLProperty in S/R Out of mem. COSPAN (Formal Check) Yes No Error track in S/RError track in SDL sdl2sr

23 Complexity Relief Techniques for Model Checking METU, Aug. 2002 HW/SW Model Checking System in SDL System in S/R Property in QLProperty in S/R Driver in SDL+ HW in HDL Out of mem. COSPAN (Formal Check) Yes No Error track in S/RError track in SDL sdl2sr

24 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1

25 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 x3 0

26 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 x3 F 0 0

27 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 x3 x4 F 1 0 0

28 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 with x1 < x2 < x3 with x2 < x3 < x1 - Unique structure upto variable ordering - Variable ordering may affect the size of the structure x3 x4 TF 1 1 0 0 0 x1 x3 TF 0 0 1 X2 0 1 0 1 1 x4 0 1 0 1

29 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 X2 x3 x4 TF 1 1 1 0 0 0

30 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 X2 x3 x4 TF 1 1 1 1 0 0 0

31 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 X2 x3 x4 TF 1 1 1 1 0 0 0 0

32 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 with x1 < x2 < x3 < x4 X2 x3 x4 TF 1 1 1 1 0 0 0 0

33 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 with x1 < x2 < x3 < x4 with x1 < x3 < x2 < x4 X2 x3 x4 TF 1 1 1 1 0 0 0 0 x1 x3 TF 0 0 1 X2 0 1 0 1 1 x4 0 1 0 1

34 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 with x1 < x2 < x3 < x4 with x1 < x3 < x2 < x4 - Unique structure up-to variable ordering X2 x3 x4 TF 1 1 1 1 0 0 0 0 x1 x3 TF 0 0 1 X2 0 1 0 1 1 x4 0 1 0 1

35 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation - A compact data structure for representing boolean formulae - Allows efficient implementations for boolean operators - e.g. (x1  x2)  (x3  x4) x1 with x1 < x2 < x3 < x4 with x1 < x3 < x2 < x4 - Unique structure upto variable ordering - Variable ordering may affect the size of the structure X2 x3 x4 TF 1 1 1 1 0 0 0 0 x1 x3 TF 0 0 1 X2 0 1 0 1 1 x4 0 1 0 1

36 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation Suppose we have two processes each with for local states - P1: s1,s2,s3,s4 - P2: s5,s6,s7,s8 The local states of P1 can be represented using two boolean variables: x1,x2 s1 -> (x1=0 and x2 =0) s2 -> (x1=0 and x2 =1) s3 -> (x1=1 and x2 =0) s4 -> (x1=1 and x2 =1) Similarly, the local states of P2 can be represented by boolean vars x3 and x4. s5 -> (x3=0 and x4 =0) s6 -> (x3=0 and x4 =1) s7 -> (x3=1 and x4 =0) s8 -> (x3=1 and x4 =1) Then set of global states {(s1,s6),(s4,s5)} can be represented by a boolean formula : (  x1   x2   x3  x4)  (x1  x2   x3   x4)

37 Complexity Relief Techniques for Model Checking METU, Aug. 2002 OBDDs for state representation Similarly, since the transition function T: S -> S can be represented as a subset of SxS, it can also be represented using OBDDs. - Use of OBDDs for Symbolic Model Checking was a breakthrough. - Allowed verification of huge state spaces. S R = {s 0 }; new =  do { S R = S R  new new = image of S R under OBDD for T } while (new \ S R   ) Symbolic Search Algorithm

38 Complexity Relief Techniques for Model Checking METU, Aug. 2002 Assume-Guarantee Approach P1 P2 Property: “if a happens in P1 then eventually b happens in P1” AND “if c happens in P2 then eventually d happens in P2” S

39 Complexity Relief Techniques for Model Checking METU, Aug. 2002 -Yes, we have the problem of state space explosion - But we are not hopeless, we have some techniques to cope with the problem. -More techniques: - Symmetry reduction, automatic abstraction, induction, etc... Conclusion

Download ppt "Complexity Relief Techniques for Model Checking METU, Aug. 2002 SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute,"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

Similar presentations

Ads by Google