Complexity Relief Techniques for Model Checking
Hüsnü Yenigün, Sabanci University
Software Verification Workshop, Informatics Institute, Middle East Technical University (METU), August 26-27, 2002
Outline:
- General Model Checking Tool Structure
- State Space Explosion
- Partial Order Reduction
- Static Partial Order Reduction
- SDLCheck
- HW/SW Model Checking
- OBDDs for state representation
- Assume-guarantee approach
- Conclusion
General Model Checking Tool Structure
[Figure: the model of the system and the specification of the system are the two inputs of the model checker; its possible outputs are Yes, No (with a counterexample), and Out of memory.]
State Space Explosion: a terrorizing example
[Figure: three processes, Proc A, Proc B and Proc C, with 100 states each, communicating through message queues; 4 different messages can be sent to each queue.]
Potential states: 100 x 100 x 100 x 10000 x 10000 x 10000 x 10000 x 10000 x 10000 = 10^30.
Using a computer at 10 GHz which can search a state in 1 cycle, i.e. 10^10 states/sec, we need 10^20 secs, approximately 3 x 10^12 years!!!
In general, the size of the reachable set of states grows exponentially in the number of components.
Complexity Relief Techniques:
- Partial order reduction
- Symbolic search using OBDDs (the record holder in the number of states handled)
- Assume-guarantee
- Abstraction
- Symmetry
- Induction
Partial Order Reduction
- A reduction of the reachable state space that preserves properties given in next-time free LTL.
- Using POR, we can generate B'_D instead of B_D such that, for any next-time free LTL formula: 1) B'_D is no larger than B_D; and 2) the language of the product of B_D with the property automaton is empty iff the language of the product of B'_D with the property automaton is empty.
- The main trick is to eliminate redundant interpretation generations.
Partial Order Reduction
[Figure: two interpretations I' and I'' that differ only in the order of two independent steps; the proposition sets shown along them are {p2,p3}, {p3}, {p1,p3} and {p1,p2,p3}.]
Note that, for any next-time free LTL formula, I' satisfies it iff I'' satisfies it. Such (equivalent) interpretation pairs are generated by the following patterns in the global state space.
Partial Order Reduction
Such patterns in the global state space are (almost) always generated by the transitions of different processes.
[Figure: process A has the transition a from s1 to s2 and process B has the transition b from s3 to s4; in the global state space (s1,s3) -a-> (s2,s3), (s1,s3) -b-> (s1,s4), (s2,s3) -b-> (s2,s4) and (s1,s4) -a-> (s2,s4).]
When we arrive at the state (s1,s3), since both transitions a and b are enabled, we generate both of the states (s2,s3) and (s1,s4), which in turn causes the generation of I' and I'', which are equivalent.
Partial Order Reduction

Conventional Reachability:
    S_R = {}; dfs(s0);
    proc dfs(s)
        S_R = S_R union {s};
        for each a in enabled(s) do
            let s -a-> s'
            if s' is not in S_R then dfs(s'); fi
        od
    endproc dfs

Partial Order Reachability:
    S_R = {}; dfs(s0);
    proc dfs(s)
        S_R = S_R union {s};
        for each a in ample(s) do
            let s -a-> s'
            if s' is not in S_R then dfs(s'); fi
        od
    endproc dfs

where ample(s) is a subset of enabled(s).
Partial Order Reduction
However, there are certain conditions that must be satisfied by ample(s).
C0: ample(s) is empty iff enabled(s) is empty. If there are enabled transitions, then ample(s) cannot be an empty set.
Partial Order Reduction
Consider:
[Figure: process A at s1 tests if (x>0): on the then-branch it moves to s2 and then to s3, "Start the self destruct mechanism"; on the else-branch it moves to s4 and terminates. Process B moves from s5 to s6 with the assignment x = -1. From the global state (...,s1,...,s5,...,4,...) the transitions fire in the order a b c, while from (...,s1,...,s6,...,-1,...), reached by firing c first, the order is c a b, so the outcome of the test on x depends on whether c fires before a.]
Partial Order Reduction
Let us call a transition "a" globally independent iff "a" does not disable any other transition and no other transition can disable "a".
C1: If ample(s) differs from enabled(s), then all the transitions in ample(s) are globally independent transitions.
Partial Order Reduction
Consider:
[Figure: the a/b diamond again: (s1,s3) -a-> (s2,s3), (s1,s3) -b-> (s1,s4), and both (s2,s3) -b-> (s2,s4) and (s1,s4) -a-> (s2,s4).]
And suppose we are checking G(p1 p2), where
- p1 = "A is at s2"
- p2 = "B is at s3"
Partial Order Reduction
Let us call a transition "a" visible if there exists a global state s such that s -a-> s' and the sets of atomic propositions that hold at s and at s' are different.
C2: If ample(s) differs from enabled(s), then all the transitions in ample(s) are invisible transitions.
[Figure: (s1,s3) -b-> (s1,s4), with (s1,s3) labelled {p2} and (s1,s4) labelled { }: b is visible.]
Partial Order Reduction
Consider:
[Figure: process A has the single state s1 with a self-loop a; process B has s3 -b-> s4; in the global state space, (s1,s3) has the loop a and the transition b to (s1,s4).]
and suppose "a" is globally independent and invisible. The search ends prematurely if we take ample((s1,s3)) = {a}.
C3: Along any cycle in the reduced state space there exists a state s such that ample(s) = enabled(s).
Partial Order Reduction
The four conditions on ample(s):
C0: ample(s) is empty iff enabled(s) is empty.
C1: If ample(s) differs from enabled(s), then all the transitions in ample(s) are globally independent transitions.
C2: If ample(s) differs from enabled(s), then all the transitions in ample(s) are invisible transitions.
C3: Along any cycle in the reduced state space there exists a state s such that ample(s) = enabled(s).
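As an added example (not code from the slides or from SDLCheck), the following Python program runs the two reachability procedures above on the slides' own patterns: the a/b diamond of two processes, the same diamond with the visible propositions p1 = "A is at s2" and p2 = "B is at s3", and the self-loop that motivates C3. The process model is an assumption of this example: processes share no variables or channels, so transitions of different processes never enable or disable one another and C1 holds for any single-process candidate; C2 is checked with the slides' definition of visibility over all global states, and C3 is enforced by refusing an ample set that closes a cycle on the DFS stack. Process and label names are constructed for the example.

```python
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[str, ...]                      # one local state per process
Proc = Dict[str, List[Tuple[str, str]]]      # local state -> [(transition label, next local state)]
Prop = Callable[[State], bool]               # atomic proposition over global states

def enabled(procs: List[Proc], s: State):
    """All (process index, label, successor) triples enabled at global state s."""
    out = []
    for i, p in enumerate(procs):
        for label, nxt in p[s[i]]:
            out.append((i, label, s[:i] + (nxt,) + s[i + 1:]))
    return out

def holds(props: Dict[str, Prop], s: State) -> Set[str]:
    return {name for name, f in props.items() if f(s)}

def visible_labels(procs, props) -> Set[str]:
    """Slide definition: a transition is visible if at SOME global state firing it
    changes the set of atomic propositions that hold. Checked over all global states."""
    vis = set()
    for s in product(*[list(p) for p in procs]):
        for _, label, t in enabled(procs, s):
            if holds(props, s) != holds(props, t):
                vis.add(label)
    return vis

def reach(procs, props, use_ample=True, enforce_c3=True) -> Set[State]:
    """DFS reachability; with use_ample it follows ample(s) instead of enabled(s)."""
    s0 = tuple(next(iter(p)) for p in procs)     # initial local state = first key of each process
    vis = visible_labels(procs, props)
    seen, path = set(), []                        # path = current DFS stack, needed for C3

    def ample(s, en):
        if not use_ample:
            return en
        # Candidate: all enabled transitions of one process. C1 holds by construction in this
        # toy model (assumption: no shared variables or channels between processes).
        for i in range(len(procs)):
            cand = [t for t in en if t[0] == i]
            if not cand or len(cand) == len(en):
                continue
            if any(t[1] in vis for t in cand):                    # C2: only invisible transitions
                continue
            if enforce_c3 and any(t[2] in path for t in cand):    # C3: never close a cycle on a reduced state
                continue
            return cand
        return en                                                 # C0: fall back to the full enabled set

    def dfs(s):
        seen.add(s)
        path.append(s)
        for _, _, t in ample(s, enabled(procs, s)):
            if t not in seen:
                dfs(t)
        path.pop()

    dfs(s0)
    return seen

# Constructed inputs following the slides' figures (names are this example's own).
A_DIAMOND = {"s1": [("a", "s2")], "s2": []}          # process A: s1 -a-> s2
B_DIAMOND = {"s3": [("b", "s4")], "s4": []}          # process B: s3 -b-> s4
PROPS = {"p1": lambda s: s[0] == "s2",               # "A is at s2"
         "p2": lambda s: s[1] == "s3"}               # "B is at s3"
A_LOOP = {"s1": [("a", "s1")]}                       # process A: invisible self-loop a at s1

def diamond_sizes():
    """(full, reduced, reduced with p1/p2 visible) state counts of the a/b diamond."""
    return (len(reach([A_DIAMOND, B_DIAMOND], {}, use_ample=False)),
            len(reach([A_DIAMOND, B_DIAMOND], {})),
            len(reach([A_DIAMOND, B_DIAMOND], PROPS)))

def loop_sizes():
    """(with C3, without C3) state counts for the self-loop example; without C3 (s1,s4) is lost."""
    return (len(reach([A_LOOP, B_DIAMOND], {})),
            len(reach([A_LOOP, B_DIAMOND], {}, enforce_c3=False)))

if __name__ == "__main__":
    print(diamond_sizes())   # (4, 3, 4)
    print(loop_sizes())      # (2, 1)
```

The reduced diamond search never generates (s1,s4); once p1 and p2 make a and b visible, C2 forces the full enabled set and all four states come back. In the self-loop case, dropping the C3 check reproduces the premature termination described above: ample((s1,s3)) = {a} leads only back to the state on the stack and (s1,s4) is never explored.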
Static Partial Order Reduction
- Normally, in order to implement partial order reduction, one has to modify the model checker in order to guarantee C0, C1, C2 and C3.
- In the static partial order reduction approach, the original system D is converted into another system D' such that B'_D = B_D'.
- This can be done using a self-compilation (from the language in which D is specified to the same language), or during compilation into the input language of the model checker.
SDLCheck
[Figure: the system is written in SDL and the property in QL; sdl2sr translates the system into S/R and the property into S/R; COSPAN (FormalCheck) checks them and answers Yes, No, or Out of mem.; on No, the error track in S/R is translated back into an error track in SDL.]
HW/SW Model Checking
[Figure: the SDLCheck flow with the system in SDL extended by a driver in SDL and the hardware in HDL; sdl2sr produces the system and the property in S/R, COSPAN (FormalCheck) answers Yes, No, or Out of mem., and the error track in S/R is mapped back to an error track in SDL.]
OBDDs for state representation
- A compact data structure for representing boolean formulae
- Allows efficient implementations for boolean operators
- e.g. (x1 x2) (x3 x4)
[Figure: the OBDD of the example formula built with the ordering x1 < x2 < x3 < x4 (decision nodes x1, x2, x3, x4 above the terminals T and F) next to the larger OBDD obtained with the ordering x1 < x3 < x2 < x4; a second pair contrasts the orderings x1 < x2 < x3 and x2 < x3 < x1.]
- Unique structure up to variable ordering
- Variable ordering may affect the size of the structure
OBDDs for state representation
Suppose we have two processes, each with four local states:
- P1: s1, s2, s3, s4
- P2: s5, s6, s7, s8
The local states of P1 can be represented using two boolean variables, x1 and x2:
s1 -> (x1=0 and x2=0)
s2 -> (x1=0 and x2=1)
s3 -> (x1=1 and x2=0)
s4 -> (x1=1 and x2=1)
Similarly, the local states of P2 can be represented by the boolean variables x3 and x4:
s5 -> (x3=0 and x4=0)
s6 -> (x3=0 and x4=1)
s7 -> (x3=1 and x4=0)
s8 -> (x3=1 and x4=1)
Then the set of global states {(s1,s6),(s4,s5)} can be represented by the boolean formula:
(x1=0 and x2=0 and x3=0 and x4=1) or (x1=1 and x2=1 and x3=0 and x4=0)
OBDDs for state representation
Similarly, since the transition function T: S -> S can be represented as a subset of SxS, it can also be represented using OBDDs.
- Use of OBDDs for Symbolic Model Checking was a breakthrough.
- Allowed verification of huge state spaces.

Symbolic Search Algorithm:
    S_R = {s0}; new = ;
    do {
        S_R = S_R union new
        new = image of S_R under the OBDD for T
    } while (new \ S_R is not empty)
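As an added example (not code from the slides or from any of the tools named on them), the following Python program implements a minimal reduced ordered BDD and uses it for the encoding and the search loop above: P1 on (x1, x2) and P2 on (x3, x4) exactly as on the previous slide, a second copy of the four variables for the next state, a transition relation T as an OBDD, and the symbolic search loop from this slide. The transition relation is constructed for the example (P1 cycles s1 -> s2 -> s3 -> s4 -> s1, P2 only moves s5 -> s6 -> s7, so s8 is unreachable), and the loop initialises new to {s0}, a value the slide does not show.

```python
from itertools import product

AND, OR, XOR = (lambda a, b: a and b), (lambda a, b: a or b), (lambda a, b: a != b)

class BDD:
    """Minimal reduced ordered BDD: node 0 = false, node 1 = true, others = (var, low, high)."""
    def __init__(self, nvars):
        self.n, self.nodes, self.unique, self.memo = nvars, [None, None], {}, {}

    def mk(self, var, lo, hi):          # canonical node: no redundant tests, no duplicate nodes
        if lo == hi:
            return lo
        if (var, lo, hi) not in self.unique:
            self.unique[(var, lo, hi)] = len(self.nodes)
            self.nodes.append((var, lo, hi))
        return self.unique[(var, lo, hi)]

    def var(self, i):
        return self.mk(i, 0, 1)

    def lit(self, i, bit):              # x_i when bit is 1, NOT x_i when bit is 0
        return self.var(i) if bit else self.apply(XOR, self.var(i), 1)

    def top(self, u):
        return self.nodes[u][0] if u > 1 else self.n

    def apply(self, op, u, v):          # Bryant's apply with memoisation
        if (op, u, v) not in self.memo:
            if u <= 1 and v <= 1:
                r = int(op(bool(u), bool(v)))
            else:
                x = min(self.top(u), self.top(v))
                ul, uh = self.nodes[u][1:] if self.top(u) == x else (u, u)
                vl, vh = self.nodes[v][1:] if self.top(v) == x else (v, v)
                r = self.mk(x, self.apply(op, ul, vl), self.apply(op, uh, vh))
            self.memo[(op, u, v)] = r
        return self.memo[(op, u, v)]

    def exists(self, u, x):             # exists x. u  ==  u[x:=0] OR u[x:=1]
        if u <= 1 or self.top(u) > x:
            return u
        var, lo, hi = self.nodes[u]
        if var == x:
            return self.apply(OR, lo, hi)
        return self.mk(var, self.exists(lo, x), self.exists(hi, x))

    def rename(self, u, shift):         # shift every variable index; order-preserving, so mk stays canonical
        if u <= 1:
            return u
        var, lo, hi = self.nodes[u]
        return self.mk(var + shift, self.rename(lo, shift), self.rename(hi, shift))

    def evaluate(self, u, bits):
        while u > 1:
            u = self.nodes[u][2] if bits[self.nodes[u][0]] else self.nodes[u][1]
        return u == 1

K = 4   # current-state variables x1..x4 -> indices 0..3; primed next-state copies -> indices 4..7
ENC1 = {"s1": (0, 0), "s2": (0, 1), "s3": (1, 0), "s4": (1, 1)}   # P1 on (x1, x2), as on the slide
ENC2 = {"s5": (0, 0), "s6": (0, 1), "s7": (1, 0), "s8": (1, 1)}   # P2 on (x3, x4), as on the slide
STEPS = [(0, ENC1, [("s1", "s2"), ("s2", "s3"), ("s3", "s4"), ("s4", "s1")]),   # constructed: P1 cycles
         (2, ENC2, [("s5", "s6"), ("s6", "s7")])]                               # constructed: s8 unreachable

def cube(bdd, first, bits):
    """Conjunction of literals fixing variables first, first+1, ... to the given bits."""
    u = 1
    for i, b in enumerate(bits):
        u = bdd.apply(AND, u, bdd.lit(first + i, b))
    return u

def state_set(bdd, pairs):
    """Characteristic formula of a set of global states, e.g. {(s1,s6),(s4,s5)} from the slide."""
    u = 0
    for p1, p2 in pairs:
        u = bdd.apply(OR, u, cube(bdd, 0, ENC1[p1] + ENC2[p2]))
    return u

def transition_relation(bdd):
    """T(x, x'): one process steps while the other process's two bits are unchanged (x_i <-> x_i')."""
    T = 0
    for base, enc, steps in STEPS:
        other, frame = 2 - base, 1
        for i in (other, other + 1):
            frame = bdd.apply(AND, frame, bdd.apply(XOR, bdd.apply(XOR, bdd.var(i), bdd.var(i + K)), 1))
        for a, b in steps:
            step = bdd.apply(AND, cube(bdd, base, enc[a]), cube(bdd, base + K, enc[b]))
            T = bdd.apply(OR, T, bdd.apply(AND, step, frame))
    return T

def image(bdd, S, T):
    """Successors of S: exists x. S(x) AND T(x, x'), then rename x' back to x."""
    u = bdd.apply(AND, S, T)
    for i in range(K):
        u = bdd.exists(u, i)
    return bdd.rename(u, -K)

def symbolic_reach(bdd, s0, T):
    """The slide's loop: S_R = {s0}; repeat S_R = S_R U new; new = image(S_R) until new \\ S_R is empty."""
    R, new = s0, s0                                    # assumption: new starts as {s0}
    while True:
        R = bdd.apply(OR, R, new)
        new = image(bdd, R, T)
        if bdd.apply(AND, new, bdd.apply(XOR, R, 1)) == 0:   # new \ S_R is empty
            return R

def decode(bdd, S):
    """Enumerate the 16 global states and keep those whose encoding satisfies S."""
    return {(p1, p2) for p1, p2 in product(ENC1, ENC2) if bdd.evaluate(S, ENC1[p1] + ENC2[p2])}

if __name__ == "__main__":
    bdd = BDD(2 * K)
    R = symbolic_reach(bdd, state_set(bdd, [("s1", "s5")]), transition_relation(bdd))
    print(sorted(decode(bdd, R)))   # 12 global states, none of them with P2 at s8
```

The image computation is the standard relational product: conjoin the current set with T, quantify the current-state variables away, and shift the primed variables back. Because the unique table makes every function canonical, the emptiness test at the end of the loop is a single node comparison against the false terminal; for a model of this size the OBDD stays tiny, while the explicit set it stands for would grow with the product of the process sizes.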
Assume-Guarantee Approach
[Figure: a system S composed of two components, P1 and P2.]
Property: "if a happens in P1 then eventually b happens in P1" AND "if c happens in P2 then eventually d happens in P2"
Conclusion
- Yes, we have the problem of state space explosion.
- But we are not hopeless; we have some techniques to cope with the problem.
- More techniques: symmetry reduction, automatic abstraction, induction, etc.