
1 On Combining Symmetry Reduction and Symbolic Representation for Efficient Model Checking. Authors: E. Allen Emerson and Thomas Wahl (CHARME 2003). Presented by: Yael Meller, April 2012, Technion – Israel Institute of Technology.

2 Outline: Introduction; System at hand and symmetry reduction; Unique representatives; Multiple representatives; Generic representatives; Generic representatives via example; From program to generic-form model; BDD-based implementation.

3 System at Hand. The system: n concurrent processes, interleaved computation, sharing global variables.

4 System at Hand. A system state is (v, l_1, …, l_n) such that v is the global variable (possibly a tuple) and l_i ∈ L is the location of process i.

5 System Example. Locations: N (non-critical), T (trying), C (critical); sem is a binary semaphore. Edges of a process: N → T with no guard; T → C with guard sem = 0 and action sem := 1; C → N with action sem := 0.

6 System Example. State graph for n = 2: (0,N,N), (0,T,N), (0,N,T), (0,T,T), (1,C,N), (1,N,C), (1,T,C), (1,C,T).

7 Permutations on States. A system state: (v, l_1, …, l_n). A permutation π : [1..n] → [1..n] (the symbol is supplied here; the original glyph was lost) acts on process indexes, i.e. rearranges the processes in a state: π(s) = (v^π, l_π(1), …, l_π(n)). v^π is the result of acting with π on v; v is either invariant under every π (e.g. a binary semaphore) or depends on process ids (e.g. a token pointing to a process id).

8 Permutation on States. π = (1,2) (swap processes 1 and 2) on the states of the example: (0,N,N), (0,T,N), (0,N,T), (0,T,T), (1,C,N), (1,N,C), (1,T,C), (1,C,T); e.g. (0,T,N) and (0,N,T) are exchanged, (0,N,N) is mapped to itself.

9 Symmetry and Orbit Relation. M = (S, R, s_0) is a Kripke structure. M is symmetric w.r.t. a group G (a set of permutations) if for all π ∈ G, π(R) = {(π(s), π(t)) | (s,t) ∈ R} satisfies π(R) = R. M is fully symmetric if G contains all permutations. The orbit relation θ (symbol supplied here) defines an equivalence between states: θ(s,t) := ∃π : π(s) = t.

10 Symmetry and Orbit Relation. Under π = (1,2) the states of the example fall into the orbits {(0,N,N)}, {(0,T,N), (0,N,T)}, {(0,T,T)}, {(1,C,N), (1,N,C)}, {(1,T,C), (1,C,T)}.

11 Symmetry Reduction. It suffices to choose a representative from each orbit; Rep is the set of representatives. Rep defines a representative relation ξ ⊆ S × Rep (symbol supplied here) such that: Soundness: for all (s,r) ∈ ξ there exists π such that π(s) = r. Totality: for all s ∈ S there exists r ∈ Rep such that (s,r) ∈ ξ.

12 Symmetry Reduction. The reduced (quotient) model: M̄ = (Rep, R̄, s̄_0), with R̄ = {(s̄, t̄) ∈ Rep × Rep : ∃ s', t' : (s', s̄) ∈ ξ, (t', t̄) ∈ ξ, (s', t') ∈ R}. M̄ is bisimulation equivalent to M: for (s', s̄) ∈ ξ, M, s' ⊨ f iff M̄, s̄ ⊨ f, provided the atomic propositions of f are consistent (invariant) under every π.

13 Symmetry and Orbit Relation. Full state graph of the example: (0,N,N), (0,T,N), (0,N,T), (0,T,T), (1,C,N), (1,N,C), (1,T,C), (1,C,T).

14 Symmetry and Orbit Relation. Keeping one representative per orbit leaves the reduced model with the states (0,N,N), (0,N,T), (0,T,T), (1,N,C), (1,T,C).

15 Unique Representatives and BDD Implementation. Unique representatives: one representative from every orbit. Model checking M̄ needs a BDD for ξ. BDD-based construction of ξ: 1. Construct the BDD for the orbit relation θ(s,r). 2. ξ(s,r) := θ(s,r) ∧ Rep(r). Cons: the construction of θ is a bottleneck: the BDD has size min{2^n, 2^|L|} (n = number of processes, |L| = number of locations), i.e. exponential space and time.

16 Multiple Representatives and BDD Implementation. The idea: find a complete set of permutations C and restrict attention to permutations from C when creating ξ. The programmer defines a set Rep that is represented by a small BDD; C and ξ are derived from Rep.

17 Multiple Representatives and BDD Implementation. Pros: the BDD for ξ is small (since it is derived from the subset C); the construction of the orbit relation θ is avoided. Cons: negative impact on the symmetry reduction effect; it is not clear that a Rep with a small BDD for ξ exists.

18 Generic Representatives for Fully Symmetric Systems. First introduced in: “From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking”, by E. Allen Emerson and Richard J. Trefler (CHARME 1999). This paper applies the idea to practical systems, where communication is via shared variables.

19 Generic Representatives. Keep track of the number of processes in each location. E.g. (N,N,T,C), (N,C,T,N), (T,N,N,C) are all represented generically as (2N,1T,1C). Compile the original program to operate on counter variables; this avoids the construction of the orbit relation.

20 Generic Reps. by Example: Synchronization Skeletons. The input model is given as a synchronization skeleton over the locations N, T, C, each edge labelled guard / action: N → T (no guard), T → C with guard tok = self, C → N with action tok := ndet[1..n]. An action represents an atomic action by a process.

21 Generic Reps. by Example: Synchronization Skeletons. Concrete state graph of the token skeleton: initial states (1,N,…,N) … (n,N,…,N); from (1,N,…,N) to (1,T,…,N), (1,N,T,…,N), …; from (1,T,…,N) to (1,C,…,N); ….

22 Generic Reps. by Example. Our goal: compile the original program (the skeleton N → T, T → C with guard tok = self, C → N with action tok := ndet[1..n]) to operate on counter variables.

23 Create Counter-Based Programs. Declare one global counter variable per local state: n_N, n_T, n_C. Problem: how to translate guards? E.g. what is tok = self in terms of counters? The location of the token process is what matters: e.g. (tok=2,N,T,C) and (tok=3,N,C,T) are equivalent. Solution: remember the location of the token process (a variable over {N,T,C}).

24 Counter-Based Programs. Variables: n_N, n_T, n_C : [0..n]; TOK : {N,T,C}. Initial values: (n_N, n_T, n_C) := (n, 0, 0); TOK := N. One statement per skeleton edge:
N → T: if n_N > 0: if TOK = N then (if n_N = 1 then TOK := T else TOK := ndet{N,T}); n_N := n_N – 1; n_T := n_T + 1.
T → C (guard tok = self): if n_T > 0 ∧ TOK = T: TOK := C; n_T := n_T – 1; n_C := n_C + 1.
C → N (action tok := ndet[1..n]): if n_C > 0: n_C := n_C – 1; n_N := n_N + 1; TOK := ndet{L : n_L > 0}.

25 Counter-Based Programs. Generic state: (TOK, n_N, n_T, n_C). Executing the statements of slide 24 from the initial state: (N,n,0,0) → (N,n-1,1,0), (T,n-1,1,0) → … → (N,1,n-1,0), (C,n-1,0,1), ….

29 Model Checking on New Model. Properties need to be translated into counters (specific → generic):
Safety: AG ∀i,j: i ≠ j: ¬(C_i ∧ C_j) → AG (n_C < 2).
Liveness: AG (∃i: T_i → AF ∃j: C_j) → AG (n_T > 0 → AF n_C > 0).
Liveness here is not progress of an individual process (AG (∀i: T_i → AF C_i)); such a property is not invariant under permutation.

30 Reminder: Invariant Property. p is an invariant under G: ∀π ∈ G, ∀s ∈ S: s ⊨ p ⇔ π(s) ⊨ p. For the property ψ = AG (∀i: T_i → AF C_i) (name supplied here): T_i is not an invariant, so ψ cannot be checked on the symmetry-reduced model.

31 AG (∀i: T_i → AF C_i) on the Symmetry-Reduced Model. On the reduced model (0,N,N), (0,N,T), (0,T,T), (1,N,C), (1,T,C) the check reports a violation, although the property is about individual processes and is not invariant under permutation.

32 Model Checking With Generic Representatives. Roadmap: program P; from P to Kripke structure M; from P to generic form P’; from P’ to Kripke structure M’; from P’ to Kripke structure M’ with BDDs.

33 Define the Program. Two types of global variables: id-sensitive – permutations affect them by changing their value (e.g. tok); id-independent – invariant w.r.t. permutations (e.g. a boolean semaphore).

34 Define the Program. Program under consideration: 1. n processes. 2. Any number of id-independent global variables v = (v_1, …, v_m), initial value x_0. 3. Any number of id-sensitive global variables d = (d_1, …, d_z) ∈ [1..n]^z, initial value k_0. 4. A synchronization skeleton; I_0 is the initial node.

35 Syntax of Guards. The syntax of guards is restricted to ensure full symmetry. Basic guards: conditions on process locations and expressions over global variables. Guards: propositional combinations of boolean-valued basic guards.

38 Fully Symmetric Formulas. A formula f is fully symmetric iff for every π: f ≡ π(f). Examples of fully symmetric basic guards (basic guard – meaning): ∀i: ¬L_i – none (no process in L); ∀i: L_i – all; ∃i,j: i ≠ j: L_i ∧ L_j – at least two.

39 Syntax of Guards. Legal basic guards: fully symmetric basic guards; expressions over id-independent global variables (fully symmetric by nature); for an id-sensitive variable d: d = self or d ≠ self.

40 Syntax of Actions. Any assignment to id-independent variables. For an id-sensitive variable d: d := self, d := ndet[1..n], or d := ndet([1..n] \ {self}).

41 From Program to Kripke Structure (roadmap step: from P to Kripke structure M).

42 From Program to Kripke Structure. P defines M = (S, R, s_0) with S = V × [1..n]^z × [1..l]^n, where V is the domain of the id-independent variables (V_1 × … × V_m), [1..n]^z the domain of the id-sensitive variables, and [1..l]^n the program locations of the n processes (l = number of locations). s_0 = (x_0, k_0, I_0, …, I_0).

43 From Program to Kripke Structure. R(s,t) holds for s = (x, k, l_1, …, l_{i-1}, A, l_{i+1}, …, l_n) and t = (x', k', l_1, …, l_{i-1}, B, l_{i+1}, …, l_n) such that an edge e: A → B (labelled guard / action) exists in the skeleton.

44 From Program to Kripke Structure. s = (x, (k_1, …, k_z), l_1, …, l_{i-1}, A, l_{i+1}, …, l_n), t = (x', (k'_1, …, k'_z), l_1, …, l_{i-1}, B, l_{i+1}, …, l_n). The edge e: A → B with label grd / act (a Hoare triple) exists in the skeleton and: grd is true for v = x, d = k, self = i and the process locations as in s; for the id-sensitive variable d_j at index j: if act is d_j := self then k'_j = i; if act is d_j := ndet Z then k'_j ∈ Z; if there is no assignment to d_j then k'_j = k_j.

45 From Program to Kripke Structure. Theorem: M is fully symmetric.

46 Translate P to P’ (roadmap step: from P to generic form P’).

47 Translate P to P’. Program P’ has the following variables: 1. The same id-independent global variables v = (v_1, …, v_m), initial value x_0. 2. The id-sensitive global variables d = (d_1, …, d_z) ∈ [1..n]^z are replaced with (d̂_1, …, d̂_z) ∈ [1..l]^z (the location of the process each d_j points to), initial value (I_0, …, I_0). 3. Counter variables n_1, …, n_l, one per location, with range [0..n]; initial values n_{I_0} = n and n_L = 0 for L ≠ I_0.

48 Translate P to P’. Every edge A → B (grd / act) in the skeleton is translated into the statement: if (n_A > 0) ∧ gen(grd): update1(grd); n_A := n_A – 1; n_B := n_B + 1; update2(act). Here n_A > 0 ensures that a process exists in location A, gen(grd) is the requirement derived from grd, update1(grd) is the update due to the location change, and update2(act) the update due to the action.

52 Translate P to P’. gen(grd) for basic guards on process locations (basic guard → generic guard, meaning): ∀i: ¬L_i → n_L = 0 (none); ∀i: L_i → n_L = n (all); ∃i,j: i ≠ j: L_i ∧ L_j → n_L ≥ 2 (at least two). For an id-sensitive variable d_j, with the moving process in location A: d_j = self → d̂_j = A; d_j ≠ self → d̂_j ≠ A ∨ n_A ≥ 2. Expressions over id-independent variables remain the same.

55 Translate P to P’. update1(grd) updates d̂_j as a result of the location change A → B: if grd is d_j = self: d̂_j := B. If grd is d_j ≠ self: no-op. Otherwise (including grd = true): if d̂_j = A then (if n_A = 1 then d̂_j := B else d̂_j := ndet{A,B}), since the moving process may or may not be the one d_j points to.

58 Translate P to P’. update2(act) updates d̂_j and the id-independent variables as a result of act (it runs after the counters have been updated): assignments to id-independent variables remain the same. Assignments to id-sensitive variables: d_j := self → d̂_j := B; d_j := ndet([1..n] \ {self}) → if n_B = 1 then d̂_j := ndet({L : n_L > 0} \ {B}) else d̂_j := ndet{L : n_L > 0}; d_j := ndet[1..n] → d̂_j := ndet{L : n_L > 0} (as on slide 24).

59 P’ to Kripke Structure M’ (roadmap step: from P’ to Kripke structure M’).

60 Program P’ to Kripke Structure. P’ defines M’ = (S’, R’, s’_0) with S’ = V × [1..l]^z × [0..n]^l. s’_0 = (x_0, (I_0, …, I_0), n_1, …, n_l) such that n_{I_0} = n and n_L = 0 for every L ≠ I_0. R’(s’,t’) holds if there exists a statement whose condition evaluates to true in s’ and whose execution applied to s’ results in t’.

61 Connection Between M and M’ (roadmap step).

62 Connection between M and M’. Theorem: M and M’ are bisimulation equivalent via b: S → S’, b(x, k_1, …, k_z, l_1, …, l_n) = (x, l_{k_1}, …, l_{k_z}, n_1, …, n_l) where n_L := |{j ∈ [1..n] : l_j = L}|. Example: b(3,N,C,T,N) = (T, n_N = 2, n_T = 1, n_C = 1).
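The counter program of slide 24, the bisimulation map b of slide 62 and the generic safety property AG (n_C < 2) of slide 29, worked through as an added example (not code from the paper or the presentation): both M and M’ of the token skeleton are built explicitly for small n, the image of reach(M) under b is compared with reach(M’), and the safety property is checked on M’. The names generic_successors, concrete_successors, reachable and check are chosen here; the concrete model is started with tok = 1, and explicit sets stand in for the BDDs.

```python
LOCS = ("N", "T", "C")   # locations of the token skeleton (slide 20)

def generic_successors(s, n):
    """Successors in M' under the counter program P' of slide 24; state (TOK, n_N, n_T, n_C)."""
    tok, nN, nT, nC = s
    succ = set()
    if nN > 0:                    # edge N -> T, guard true: update1 'otherwise' case
        toks = {tok}
        if tok == "N":            # the token process may be the one that moves
            toks = {"T"} if nN == 1 else {"N", "T"}
        succ |= {(t, nN - 1, nT + 1, nC) for t in toks}
    if nT > 0 and tok == "T":     # edge T -> C: gen(tok = self) is TOK = T, update1 sets TOK := C
        succ.add(("C", nN, nT - 1, nC + 1))
    if nC > 0:                    # edge C -> N: update2(tok := ndet[1..n]) is TOK := ndet{L : n_L > 0}
        cnt = {"N": nN + 1, "T": nT, "C": nC - 1}
        succ |= {(L, cnt["N"], cnt["T"], cnt["C"]) for L in LOCS if cnt[L] > 0}
    return succ

def concrete_successors(s, n):
    """Successors in M for the original program P; state (tok, l_1, ..., l_n)."""
    tok, locs, succ = s[0], s[1:], set()
    for i in range(n):
        before, after = locs[:i], locs[i + 1:]
        if locs[i] == "N":
            succ.add((tok,) + before + ("T",) + after)
        elif locs[i] == "T" and tok == i + 1:
            succ.add((tok,) + before + ("C",) + after)
        elif locs[i] == "C":
            succ |= {(k,) + before + ("N",) + after for k in range(1, n + 1)}
    return succ

def reachable(init, successors, n):
    """Explicit-state reachability (the paper keeps this set as a BDD instead)."""
    seen, todo = {init}, [init]
    while todo:
        for t in successors(todo.pop(), n):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def b(s):
    """Bisimulation map of slide 62: (tok, l_1..l_n) -> (l_tok, n_N, n_T, n_C)."""
    return (s[s[0]],) + tuple(s[1:].count(L) for L in LOCS)

def check(n):
    """(|reach(M)|, |reach(M')|, b(reach(M)) == reach(M'), AG n_C < 2 holds on M')."""
    conc = reachable((1,) + ("N",) * n, concrete_successors, n)
    gen = reachable(("N", n, 0, 0), generic_successors, n)
    return len(conc), len(gen), {b(s) for s in conc} == gen, all(s[3] < 2 for s in gen)
```

For n = 2 the concrete model has 12 reachable states and the generic one 6, and the image of the concrete states under b is exactly the generic reachable set.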

63 From Generic Programs to BDDs (roadmap step: from P’ to Kripke structure M’ with BDDs).

64 From Generic Programs to BDDs. Encode the statements of the generic program in a BDD. For M’ = (S’, R’, s’_0), R’ is the disjunction of the statements if (n_A > 0) ∧ gen(grd): update1(grd); n_A := n_A – 1; n_B := n_B + 1; update2(act).

65 From P’ to BDDs (example). n_A > 0 is true iff at least one bit in the binary representation of n_A is true, so n_A > 0 is the disjunction over the bits of n_A. gen(grd) is a combination of basic guards; e.g. basic guards on locations are bit-wise comparisons with a constant. update1(grd) implements if-then-else: if F1 then F2 else F3 ≡ (F1 ∧ F2) ∨ (¬F1 ∧ F3). The translation is a low-degree polynomial in n.

66 Model Checking with BDDs using Generic Representatives (roadmap complete).

67 Experimental Results.

68 Questions? Thank you!

