Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John.

Published byMargaretMargaret Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John."— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 CIS 842: INTRO: Depth-bounded DFS 2 Objectives Understand the principle of depth- bounded depth-first search Understand how to modify the core DFS algorithm to implement a depth-bounded search

3 CIS 842: INTRO: Depth-bounded DFS 3 Outline Using Bogor’s output to determine the max stack size (number of steps in longest execution path) encountered during the depth-first search Setting Bogor’s depth bound Rationale for using depth-bounded search The consequences (unsoundness) of performing bounded searches Bogor options for finding minimal length counter-examples The core DFS algorithm extended to included depth-bounded search

4 CIS 842: INTRO: Depth-bounded DFS 4 Bogor Output …deepest stack depth reached during search Running a model-check of SumToN with N = 5 [Time: 3315ms, Depth: 395] Error found: Assertion failed Total memory before search: 5,864,216 bytes (5.59 Mb) Total memory after search: 6,676,048 bytes (6.37 Mb) Total search time: 3325 ms State count: 12127 Matched state count: 16393 Max depth: 1922 …depth in computation tree (i.e., transition stack) where assertion violation was found (i.e., number of steps in error trace)

5 CIS 842: INTRO: Depth-bounded DFS 5 Error Trace Length Model-check SumToN with N = 5 From Bogor’s output, we can see that it has found a execution trace that violates the assertion and that the trace is 395 steps long. Having to reason about how the assertion can be violated along a trace of 395 steps is quite painful! You have previously discovered a much shorter violating trace using Bogor’s simulation mode. Does this mean that the Bogor analyzer is not very useful? Not at all!! We will see in a little bit how to tell Bogor to search for shorter violating traces (as well as minimal length violating traces).

6 CIS 842: INTRO: Depth-bounded DFS 6 In general, a system may have many different traces that lead to the same property violation. Error Trace Length Because Bogor does a depth-first search (instead of a bread-first search), the first violating trace that it finds is usually not of minimal length. property violations first property violation found by Bogor GREEN shows portion of statespace covered by Bogor before first violation found

7 CIS 842: INTRO: Depth-bounded DFS 7 Setting Bogor’s Depth Bound Users can set a bound on the depth of Bogor’s search (i.e., entries in Bogor’s depth-first stack Choose the “Configure Bogor” option, then Add/Edit to set the value for the ISearcher.maxDepth attribute.

8 CIS 842: INTRO: Depth-bounded DFS 8 Setting Bogor’s Depth Bound This is often useful… …after a counterexample has been found and you want to see if a shorter one exists. look at Bogor’s output to see the size, then rerun Bogor with an appropriate depth bound (i.e., one smaller than the size of the counter-example). …before a counterexample has been found and Bogor is taking too long or is running out of memory.

9 CIS 842: INTRO: Depth-bounded DFS 9 Setting Bogor’s Depth Bound Be careful! when you bound Bogor’s search, Bogor will not be exploring part of the system state-space, and the omitted part may contain property violations that you want to detect. If Bogor tells you that there are no violations, but you have bounded the search, you cannot assume that the system has no violations. You only know that Bogor has found no violations in the part of the state-space that it searched. Bogor displays “ Max depth reached!!! ” to let you know that the depth bound prevented it from searching the complete state-space.

10 CIS 842: INTRO: Depth-bounded DFS 10 Checking SumToN with N = 5

11 CIS 842: INTRO: Depth-bounded DFS 11 When analyzing a system and given a depth bound as a command- line argument, Bogor will backtrack when that depth is reached. Bounded Depth-first Search property violations Depth-bound of 6 GREEN shows portion of statespace covered by Bogor before first violation found ISearcher.maxDepth = 6 Errors at depth greater than bound are not detected.

12 CIS 842: INTRO: Depth-bounded DFS 12 When analyzing a system and given a depth bound as a command- line argument, Bogor will backtrack when that depth is reached. Bounded Depth-first Search Depth-bound of 3 GREEN shows portion of statespace covered by Bogor before first violation found Errors at depth greater than bound are not detected. In this case, Bogor reports that no violations were found. ISearcher.maxDepth = 3

13 CIS 842: INTRO: Depth-bounded DFS 13 For You To Do… Pause the lecture… Edit SumToN.bir and change the assertion to x != 7. Use Bogor to find an error trace of minimal length. start with a depth bound that allows an error successively choose smaller versions of the bound until Bogor reports no error determine a bound B such that running Bogor with bound B-1 reveals no errors, but running with B reveals an error How does this error trace compare to the one (i.e., size and state vectors encountered) to the error trace that you discovered earlier using Bogor’s guided simulation mode? Note that there may be multiple minimal length error traces.

14 CIS 842: INTRO: Depth-bounded DFS 14 Assessment Minimal length error traces can be found with the ISearch.maxDepth option for Bogor. This is somewhat tedious for the user. SPIN provides two other options to find shorter traces… pan.exe –i finds a minimal length path by successively rerunning with bound set to length-of-current-violating-trace – 1 (can be costly!) pan.exe –I similar to the option above but faster (a form of binary search is used), but approximate (sometimes minimal error trace is not found) We will eventually incorporate functionality similar to this in Bogor (it’s not difficult!)

15 CIS 842: INTRO: Depth-bounded DFS 15 Summary Bogor, like most other model-checkers, provides for a depth-bounded search A depth-bounded search can be useful when… …after a counterexample has been found and you want to see if a shorter one exists. look at Bogor’s output to see the size, then rerun Bogor with an appropriate depth bound (i.e., one smaller than the size of the counter-example). …before a counterexample has been found and Bogor is taking too long or is running out of memory. However, a depth-bounded search is technically unsound since it gives rise to an under-approximation of the system’s behavior In other words, an error may actually lie in an area that is outside of the area searched in the model-check

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John."

Similar presentations

Artificial Intelligence

Artificial Intelligence
Heuristic Searches. Feedback: Tutorial 1 Describing a state. Entire state space vs. incremental development. Elimination of children. Closed and the solution.

Heuristic Searches. Feedback: Tutorial 1 Describing a state. Entire state space vs. incremental development. Elimination of children. Closed and the solution.
Bit-State Space Exploration It’s a variation on reachability analysis The reachability analysis: –Keeps track of the already explored states –Performs.

Bit-State Space Exploration It’s a variation on reachability analysis The reachability analysis: –Keeps track of the already explored states –Performs.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Traveling Salesperson Problem

Traveling Salesperson Problem
Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, Java Version, Third Edition.

Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, Java Version, Third Edition.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 22.

Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 22.
C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 15: Exception Handling.

C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 15: Exception Handling.
Chapter 16: Exception Handling C++ Programming: From Problem Analysis to Program Design, Fifth Edition.

Chapter 16: Exception Handling C++ Programming: From Problem Analysis to Program Design, Fifth Edition.
C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 16: Exception Handling.

C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 16: Exception Handling.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
ICS-171:Notes 4: 1 Notes 4: Optimal Search ICS 171 Summer 1999.

ICS-171:Notes 4: 1 Notes 4: Optimal Search ICS 171 Summer 1999.
Uninformed Search Jim Little UBC CS 322 – Search 2 September 12, 2014

Uninformed Search Jim Little UBC CS 322 – Search 2 September 12, 2014
Artificial Intelligence Lecture No. 7 Dr. Asad Safi ​ Assistant Professor, Department of Computer Science, COMSATS Institute of Information Technology.

Artificial Intelligence Lecture No. 7 Dr. Asad Safi ​ Assistant Professor, Department of Computer Science, COMSATS Institute of Information Technology.
Searching. 2 Searching an array of integers If an array is not sorted, there is no better algorithm than linear search for finding an element in it static.

Searching. 2 Searching an array of integers If an array is not sorted, there is no better algorithm than linear search for finding an element in it static.
MAE 552 – Heuristic Optimization Lecture 27 April 3, 2002

MAE 552 – Heuristic Optimization Lecture 27 April 3, 2002
Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, C++ Version, Third Edition Additions by Shannon Steinfadt SP’05.

Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, C++ Version, Third Edition Additions by Shannon Steinfadt SP’05.
Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, C++ Version, Fourth Edition.

Chapter 3: The Efficiency of Algorithms Invitation to Computer Science, C++ Version, Fourth Edition.

Similar presentations

Ads by Google