Model Checking and Related Techniques Liu Yang. Outline Model Checking Techniques – Introduction to MC – Symbolic Model Checking – Bounded Model Checking.

Post on 24-Dec-2015

Model Checking and Related Techniques

Liu Yang

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Model Checking Introduction

• Model checking exhaustively explores all reachable states of a finite state machine to decide whether a desired property is guaranteed or not
  – Advantages over traditional system validation approaches based on simulation, testing and deductive reasoning
  – An automatic technique for verifying finite-state concurrent systems
  – Process: modeling, specification and verification
  – Main challenge: the state space explosion problem

Model Checking

(Figure: the model checking workflow. The system design or code is abstracted, by hand, into a finite state model M, and the requirements are written as a set of logical properties. For each property φ the model checker automatically decides whether M ⊨ φ, answering Yes (✓) or No.)

Model of Concurrent Systems (unwind the state graph to obtain an infinite computation tree)

Model of Concurrent Systems (Cont)

• Formally, a Kripke structure is a triple M = ⟨S, R, L⟩ where S is a finite set of states, R ⊆ S × S is a total transition relation, and L labels each state with the atomic propositions that hold in it

Temporal logics

• Temporal logics differ in how they handle branching in the underlying computation tree
• In a linear temporal logic (LTL), operators describe events along a single computation path
• In a computation tree logic (CTL), the temporal operators quantify over the paths that are possible from a given state

Temporal logics (2)

• Formulas are constructed from path quantifiers and temporal operators
  – Path quantifiers
    • A: for every path
    • E: there exists a path
  – Linear temporal operators
    • Xp: p holds at the next time
    • Fp: p holds sometime in the future (◇p)
    • Gp: p holds globally in the future (□p)
    • pUq: p holds until q holds
• In LTL only linear temporal operators are allowed
• In CTL each temporal operator must be immediately preceded by a path quantifier
• In CTL* a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators

CTL Examples

• The four most widely used CTL operators are illustrated (figure)
• Each computation tree has the initial state s0 as its root

Fixpoint Algorithms

• Key properties of EF p

Model Checking Problem

• Let M be the state-transition graph obtained from the concurrent system
• Let f be the specification expressed in temporal logic
• Find all states s such that M, s ⊨ f, and check whether the initial states are among them

Symbolic Model Checking

• Method used by most "industrial strength" model checkers
  – Uses a Boolean encoding for the state machine and for sets of states
  – Can handle much larger designs: hundreds of state variables
  – BDDs are traditionally used to represent the Boolean functions

Symbolic Model Checking with BDDs

bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered binary decision tree for the two-bit comparator given by the formula f(a1, a2, b1, b2) = (a1 ↔ b1) ∧ (a2 ↔ b2)

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function we obtain the OBDD below (figure)

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function we get the (larger) OBDD below (figure)
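The ordering effect described above, as an added example (not from the original slides): a minimal reduced-OBDD builder in Python that constructs the n-bit comparator (a1 ↔ b1) ∧ … ∧ (an ↔ bn) under the interleaved ordering a1 < b1 < a2 < b2 < … and under the blocked ordering a1 < a2 < … < b1 < b2 < …, and counts the non-terminal nodes. The builder uses brute-force Shannon expansion with a unique table, so it is only meant for small n; for the two-bit comparator it gives 6 nodes against 9.

```python
# Added example (not from the original slides): reduced OBDD construction
# by Shannon expansion, used to compare variable orderings for the n-bit
# comparator.  Terminals are the node ids 0 and 1.

class OBDD:
    """Reduced ordered BDD with a unique table (one node per distinct
    (level, low, high) triple, no node with low == high)."""

    def __init__(self, order):
        self.order = list(order)           # variable names, root-first
        self.unique = {}                   # (level, low, high) -> node id
        self.nodes = {}                    # node id -> (level, low, high)
        self.next_id = 2                   # ids 0 and 1 are the terminals

    def mk(self, level, low, high):
        """Return the unique node for (level, low, high), applying both
        reduction rules: drop redundant tests, share equal subgraphs."""
        if low == high:
            return low
        key = (level, low, high)
        if key not in self.unique:
            self.unique[key] = self.next_id
            self.nodes[self.next_id] = key
            self.next_id += 1
        return self.unique[key]

    def build(self, f, level=0, env=None):
        """Shannon expansion along the ordering: f = v ? f|v=1 : f|v=0.
        f is a Python predicate over a dict {variable: bool}."""
        env = env or {}
        if level == len(self.order):
            return 1 if f(env) else 0
        v = self.order[level]
        low = self.build(f, level + 1, {**env, v: False})
        high = self.build(f, level + 1, {**env, v: True})
        return self.mk(level, low, high)

    def size(self, root):
        """Number of non-terminal nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n < 2 or n in seen:
                continue
            seen.add(n)
            _, low, high = self.nodes[n]
            stack.extend((low, high))
        return len(seen)


def comparator(n):
    """f(a1..an, b1..bn) = AND over i of (ai <-> bi)."""
    return lambda env: all(env[f"a{i}"] == env[f"b{i}"] for i in range(1, n + 1))


def comparator_sizes(n):
    """OBDD sizes (interleaved, blocked) for the n-bit comparator under
    a1<b1<a2<b2<... and a1<a2<...<b1<b2<... respectively."""
    interleaved = [x for i in range(1, n + 1) for x in (f"a{i}", f"b{i}")]
    blocked = [f"a{i}" for i in range(1, n + 1)] + [f"b{i}" for i in range(1, n + 1)]
    f = comparator(n)
    sizes = []
    for order in (interleaved, blocked):
        bdd = OBDD(order)
        sizes.append(bdd.size(bdd.build(f)))
    return tuple(sizes)


if __name__ == "__main__":
    for n in (2, 3, 4):
        good, bad = comparator_sizes(n)
        print(f"{n}-bit comparator: {good} nodes interleaved, {bad} nodes blocked")
```

With the interleaved ordering the size grows linearly (3n nodes), with the blocked ordering exponentially (3·2^n − 3 nodes): after the checker has read all of a1..an it must remember every one of the 2^n values before it can start comparing them with b1..bn.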

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T is given as a Boolean formula in terms of the state variables, where v1, …, vn represents the current state and v'1, …, v'n represents the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically (figure)
• Boolean formula for the transition relation
• Now represent it as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence of approximations until it converges

Problems with BDDs

• BDDs are a canonical representation, and often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• They do not suffer from the potential space explosion of BDDs
• They can handle functions with many thousands of variables
• Very efficient implementations are available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly, due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• It does not need a manually selected variable order or costly reordering; the default splitting heuristics are usually sufficient
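The unrolling described on the Bounded Model Checking slide and the advantages listed above, as an added example (not from the original slides): bounded model checking in Python of a constructed 2-bit counter, with a deliberately tiny DPLL solver standing in for a real SAT engine. The transition relation x0' = ¬x0, x1' = x1 ⊕ x0 is written directly in CNF, copied k times with fresh variables per step, and conjoined with the initial state and the negated safety property at step k; the first satisfiable bound yields the shortest counterexample.

```python
# Added example (not from the original slides): SAT-based bounded model
# checking of a 2-bit counter, with a minimal DPLL solver written inline.
# Literals are non-zero ints, negative meaning negated (DIMACS style).

def dpll(clauses, assignment=None):
    """Unit propagation plus splitting.  Returns a satisfying assignment
    ({var: bool}) or None if the clause set is unsatisfiable."""
    assignment = dict(assignment or {})
    while True:                                   # unit propagation
        unit, simplified = None, []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                          # clause already satisfied
            rest = [l for l in clause if abs(l) not in assignment]
            if not rest:
                return None                       # every literal is false
            if len(rest) == 1:
                unit = rest[0]
            simplified.append(rest)
        clauses = simplified
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not clauses:
        return assignment
    var_ = abs(clauses[0][0])                     # split on an open variable
    for value in (True, False):
        result = dpll(clauses, {**assignment, var_: value})
        if result is not None:
            return result
    return None


def var(name, step):
    """Fresh copy of state variable `name` at time step `step`."""
    return 1 + step * 2 + {"x0": 0, "x1": 1}[name]


def transition(k):
    """T(v_k, v_{k+1}) in CNF: x0' = !x0 and x1' = x1 XOR x0."""
    x0, x1, x0n, x1n = var("x0", k), var("x1", k), var("x0", k + 1), var("x1", k + 1)
    return [
        [x0n, x0], [-x0n, -x0],                   # x0' <-> !x0
        [-x1n, x1, x0], [-x1n, -x1, -x0],         # x1' -> (x1 xor x0)
        [x1n, -x1, x0], [x1n, x1, -x0],           # (x1 xor x0) -> x1'
    ]


def bmc(bad_value, max_k):
    """Search bounds k = 0..max_k for a path from x = 0 to x = bad_value.
    Returns (k, path of counter values) for the shortest one, else (None, None)."""
    for k in range(max_k + 1):
        cnf = [[-var("x0", 0)], [-var("x1", 0)]]                  # I(v_0): x = 0
        for step in range(k):
            cnf += transition(step)                               # T unrolled k times
        b0, b1 = bad_value & 1, (bad_value >> 1) & 1              # bad state at step k
        cnf += [[var("x0", k) if b0 else -var("x0", k)],
                [var("x1", k) if b1 else -var("x1", k)]]
        model = dpll(cnf)
        if model is not None:
            path = [int(model.get(var("x0", s), False)) + 2 * int(model.get(var("x1", s), False))
                    for s in range(k + 1)]
            return k, path
    return None, None


if __name__ == "__main__":
    print(bmc(3, max_k=5))      # shortest path to x == 3
    print(bmc(3, max_k=2))      # bound too small: no counterexample found
```

Note what the second call shows: an unsatisfiable result only says that no counterexample of length ≤ k exists. Since this machine has diameter 3, a safety check with max_k ≥ 3 is complete, which is the diameter bound mentioned above.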

NuSMV A New Symbolic Model Verifier

• Finite-state systems are described in a specialized language
• Specifications are expressible in CTL and LTL
• Provides both BDD- and SAT-based model checking
• Allows a user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• Counterexample
  – L(M) is the set of traces of M
  – L(φ) is the set of traces that satisfy φ
• M ⊨ φ iff L(M) ⊆ L(φ)
• Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple (S, I, Δ, F)
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – Δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(Figure: a Büchi automaton with states S0, S1, S2; S2 is the accepting state, as the verdicts below show)

σ1 = S0 S1 S2 S2 S2 S2 …  ACCEPTED
σ2 = S0 S1 S2 S1 S2 S1 …  ACCEPTED
σ3 = S0 S1 S2 S1 S1 S1 …  REJECTED

LTL and Büchi Automata

• LTL formula φ
  – Represents the set of infinite traces which satisfy φ
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ, i.e. L(M) ∩ L(¬φ)
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton. How do we find accepted sequences?
  – Accepted sequences must contain a cycle, in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search whenever we are in an accepting state
    • If the second search can reach that same state again, we have a cycle (and a counterexample)

Example (figure)

Nested Depth First Search (2)

    procedure DFS(s)
        visited := visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then DFS2(s', s') end if
            end if
        end for
    end procedure

Nested Depth First Search (3)

    procedure DFS2(s, seed)
        visited2 := visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then return "Cycle Detected" end if
            if s' ∉ visited2 then DFS2(s', seed) end if
        end for
    end procedure
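The product construction and the nested search from the last slides, as an added example (not from the original slides): an LTL check of G(req → F ack) in Python. The handshake model MODEL and the Büchi automaton NEG_PHI for the negated property are constructed by hand for this example (a real checker translates ¬φ into an automaton automatically), and nested_dfs follows the DFS/DFS2 pseudocode above, starting the second search in postorder from each accepting product state and returning the lasso-shaped counterexample when one exists.

```python
# Added example (not from the original slides): LTL model checking as an
# emptiness check of the product M x B_{not phi}, searched with nested DFS.
# B_{not phi} for not G(req -> F ack) = F(req & G !ack) is written by hand.

# Constructed Kripke model: a request/acknowledge handshake with a buggy
# branch (s3) in which a request is never acknowledged.
MODEL = {
    "init": "s0",
    "labels": {"s0": set(), "s1": {"req"}, "s2": {"ack"}, "s3": {"req"}},
    "edges": {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]},
}

# B_{not phi}: q0 loops on anything; on reading 'req' it may guess that no
# ack will ever follow and move to the accepting state q1, which loops on !ack.
NEG_PHI = {
    "init": "q0",
    "accepting": {"q1"},
    "edges": [  # (from, guard over the labels of the model state, to)
        ("q0", lambda l: True, "q0"),
        ("q0", lambda l: "req" in l, "q1"),
        ("q1", lambda l: "ack" not in l, "q1"),
    ],
}


def product_successors(model, buchi, state):
    """Successors of a product state (s, q): the model moves to s' and the
    automaton takes a transition whose guard matches the labels of s'."""
    s, q = state
    for s2 in model["edges"][s]:
        labels = model["labels"][s2]
        for q_from, guard, q_to in buchi["edges"]:
            if q_from == q and guard(labels):
                yield (s2, q_to)


def nested_dfs(model, buchi):
    """Return a lasso (prefix, cycle) of product states if the product has a
    cycle through an accepting state, i.e. a counterexample; otherwise None."""
    visited, visited2, path = set(), set(), []

    def dfs2(state, seed):
        # second search: a path from the accepting seed back to itself
        visited2.add(state)
        for nxt in product_successors(model, buchi, state):
            if nxt == seed:
                return [seed]
            if nxt not in visited2:
                cycle = dfs2(nxt, seed)
                if cycle is not None:
                    return [nxt] + cycle
        return None

    def dfs(state):
        visited.add(state)
        path.append(state)
        for nxt in product_successors(model, buchi, state):
            if nxt not in visited:
                found = dfs(nxt)
                if found is not None:
                    return found
        path.pop()
        if state[1] in buchi["accepting"]:          # postorder: start DFS2 here
            cycle = dfs2(state, state)
            if cycle is not None:
                return (path + [state], cycle)
        return None

    return dfs((model["init"], buchi["init"]))


def check_handshake(fixed=False):
    """Model-check G(req -> F ack); with fixed=True the buggy state s3 is
    repaired to acknowledge.  Returns None when the property holds."""
    model = {**MODEL, "edges": dict(MODEL["edges"])}
    if fixed:
        model["edges"]["s3"] = ["s2"]
    return nested_dfs(model, NEG_PHI)


if __name__ == "__main__":
    print("buggy:", check_handshake())
    print("fixed:", check_handshake(fixed=True))
```

The counterexample comes back as a finite prefix followed by a cycle through the accepting product state (s3, q1): the automaton guessed at s1 that no ack would follow, and the self-loop on s3 confirms the guess. With the repaired model every accepting product state is a dead end in the second search, so the product language is empty and φ holds.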

Explicit Model Checking

• The entire state space of the modeled system need not be constructed: checking can be done on-the-fly
  – Some states are never generated in the product
  – A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Bitstate hashing: uses a hash function to store each state using only 2 bits (no guarantee of soundness: hash collisions can silently merge distinct states, so errors may be missed)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* wait until allowed in */
        ncrit++;
    ss:
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* wait until allowed in */
        ncrit++;
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }

Outline (2)

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method is better described as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors
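The 2^n versus n + 1 argument from The State Explosion Problem slide and the "representatives" view above, as an added example (not from the original slides): a Python exploration of n independent local steps, once with every interleaving and once expanding a single representative transition per state. The model, in which each process sets its own flag exactly once, is constructed for this example; picking one transition per state is sound here because the steps are pairwise independent and the graph is acyclic, so every ordering ends in the same state.

```python
# Added example (not from the original slides): state counts for n
# independent transitions, with and without partial order reduction.

from itertools import permutations


def enabled(state):
    """Indices of the processes whose step has not executed yet."""
    return [i for i, done in enumerate(state) if not done]


def step(state, i):
    """Execute the local step of process i (set its flag)."""
    s = list(state)
    s[i] = True
    return tuple(s)


def por_explore(n, reduce):
    """Reachable states from the all-false state.  With reduce=True only the
    lowest-numbered enabled transition is expanded in each state (the
    representative of all equivalent orderings); otherwise every enabled
    transition is expanded."""
    init = (False,) * n
    seen, stack = {init}, [init]
    while stack:
        state = stack.pop()
        en = enabled(state)
        for i in (en[:1] if reduce else en):
            nxt = step(state, i)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def por_state_counts(n):
    """(full, reduced) state counts: the slide's 2^n versus n + 1."""
    return len(por_explore(n, False)), len(por_explore(n, True))


def interleavings(n):
    """Number of complete orderings of the n steps, and the number of
    distinct final states they reach: n! orderings, one final state."""
    finals, total = set(), 0
    for order in permutations(range(n)):
        state = (False,) * n
        for i in order:
            state = step(state, i)
        finals.add(state)
        total += 1
    return total, len(finals)


if __name__ == "__main__":
    for n in (3, 5, 10):
        print(n, "independent steps: (full, reduced) =", por_state_counts(n))
    print("orderings, distinct final states for n=4:", interleavings(4))
```

For n = 10 the full graph has 1024 states and the reduced one 11; a property that only looks at the final flag values cannot tell the 10! orderings apart, which is the condition the slide places on the specification.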

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  –  E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (the variables on which those in V depend, directly or transitively), then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the model reduced with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 := v2
        v2 := v1 & v3
        v3 := v1 & v2
        v4 := v5 & v3
        v5 := v4 & v6
    End

A simple LTL property: F(¬v1), i.e. v1 will eventually become False. It refers only to v1, whose cone of influence is {v1, v2, v3}.

Cone of influence reduction gives the reduced model:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 := v2
        v2 := v1 & v3
        v3 := v1 & v2
    End
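The reduction above carried through in Python, as an added example (not from the original slides). READS encodes which variables each assignment of the program reads; v6 has no assignment on the page and is assumed here to keep its value. The second half checks the theorem on this program: F(¬v1) receives the same verdict on M and on the reduced model N for every initial assignment of the variables.

```python
# Added example (not from the original slides): cone-of-influence reduction
# of the synchronous Boolean program above, plus a check that F(!v1) gets
# the same verdict on the full and on the reduced model.  Every assignment
# in the program is a conjunction of the variables it reads (a plain copy
# being a conjunction of one variable).

READS = {
    "v1": {"v2"},
    "v2": {"v1", "v3"},
    "v3": {"v1", "v2"},
    "v4": {"v5", "v3"},
    "v5": {"v4", "v6"},
    "v6": set(),                # assumed: no assignment, value unchanged
}


def cone_of_influence(reads, property_vars):
    """Smallest set C containing property_vars such that every variable read
    by the assignment of a member of C is also in C (transitive closure)."""
    cone = set(property_vars)
    frontier = list(property_vars)
    while frontier:
        for dep in reads.get(frontier.pop(), ()):
            if dep not in cone:
                cone.add(dep)
                frontier.append(dep)
    return cone


def reduce_program(reads, property_vars):
    """The reduced model N: the original assignments restricted to the cone."""
    cone = cone_of_influence(reads, property_vars)
    return {v: deps for v, deps in reads.items() if v in cone}


def next_state(reads, state):
    """One synchronous step of the program (all assignments in parallel)."""
    return {v: (all(state[d] for d in deps) if deps else state[v])
            for v, deps in reads.items()}


def eventually_not_v1(reads, state):
    """F(!v1) on the single (deterministic) run from `state`: True if v1 is
    false at some step before the run revisits a state."""
    seen = set()
    while state["v1"]:
        key = tuple(sorted(state.items()))
        if key in seen:
            return False            # v1 stays true forever
        seen.add(key)
        state = next_state(reads, state)
    return True


def verdicts_agree():
    """For every initial assignment, M and N answer F(!v1) identically."""
    reduced = reduce_program(READS, {"v1"})
    names = sorted(READS)
    for bits in range(1 << len(names)):
        full = {v: bool(bits >> i & 1) for i, v in enumerate(names)}
        proj = {v: full[v] for v in reduced}
        if eventually_not_v1(READS, full) != eventually_not_v1(reduced, proj):
            return False
    return True


if __name__ == "__main__":
    print(sorted(cone_of_influence(READS, {"v1"})))        # the reduced variable set
    print(sorted(cone_of_influence(READS, {"v4"})))        # a property on v4 needs all six
    print("full and reduced model agree on F(!v1):", verdicts_agree())
```

The run from the all-true initial state is the counterexample the property has in both models: v1, v2 and v3 keep each other true forever, and v4, v5, v6 play no part in it, which is why dropping them is safe. A property mentioning v4 pulls in every variable through the chain v4 → v5 → v6 and v4 → v3 → v1, so there the reduction buys nothing.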

Data Abstraction

(Figure: an abstraction function h: S → S' maps each concrete state in S to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are the components
  – x: int, abstracted to {Even, Odd}: Even = {…, -2, 0, 2, 4, …}, Odd = {…, -3, -1, 1, 3, …}
  – y: int, abstracted to {Neg, Zero, Pos}: Neg = {…, -3, -2, -1}, Zero = {0}, Pos = {1, 2, 3, …}
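The loss of precision noted on the Abstraction slide, as an added example (not from the original slides): existential data abstraction in Python of a constructed counter x := x + 1 (saturating at 3) over x ∈ [-3, 3], using the sign abstraction h: int → {Neg, Zero, Pos} from the figure. The abstract model gains a Neg → Neg self-loop, which makes AF(x ≥ 0) fail abstractly although it holds concretely: a spurious counterexample.

```python
# Added example (not from the original slides): existential abstraction of a
# concrete transition system under h = sign, and the spurious behaviour it
# introduces.

def sign(x):
    """The abstraction function h: int -> {Neg, Zero, Pos}."""
    return "Neg" if x < 0 else ("Zero" if x == 0 else "Pos")


# Constructed concrete transition relation: successor sets of each x in [-3, 3].
CONCRETE = {x: {min(x + 1, 3)} for x in range(-3, 4)}


def existential_abstraction(concrete, h):
    """Abstract transition a -> a' exists iff some x with h(x) = a has a
    concrete successor y with h(y) = a'."""
    abstract = {}
    for x, succs in concrete.items():
        abstract.setdefault(h(x), set()).update(h(y) for y in succs)
    return abstract


def af(trans, goal):
    """States from which every path eventually reaches goal (CTL AF goal):
    least fixpoint of Z = goal ∪ {s | succ(s) ≠ ∅ and succ(s) ⊆ Z}."""
    z = set(goal)
    while True:
        nxt = z | {s for s, succs in trans.items() if succs and succs <= z}
        if nxt == z:
            return z
        z = nxt


def concrete_holds():
    """AF(x >= 0) from every concrete state: True, x counts up to 0."""
    goal = {x for x in CONCRETE if x >= 0}
    return af(CONCRETE, goal) == set(CONCRETE)


def abstract_holds():
    """The same property on the abstract model with goal {Zero, Pos}:
    False, because of the spurious Neg self-loop."""
    abstract = existential_abstraction(CONCRETE, sign)
    return af(abstract, {"Zero", "Pos"}) == set(abstract)


if __name__ == "__main__":
    print(existential_abstraction(CONCRETE, sign))
    print("concrete:", concrete_holds(), "abstract:", abstract_holds())
```

Existential abstraction over-approximates: every concrete behaviour survives, so an abstract proof of a universal property carries over to M, but an abstract counterexample (here the path Neg, Neg, Neg, …) must be checked against the concrete model before it is believed. For liveness-style properties it is worth remembering that the loop which is spurious here comes from merging -3 → -2 and -2 → -1 into one abstract edge.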

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting and exploiting symmetries

Model Written in SPIN

    #define N 0
    #define T 1
    #define C 2

    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1, tok is 1 or 2 */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

Full state graph (12 reachable states; Ni/Ti/Ci is the state of process i, and each row pairs a state with its image under swapping the two processes):

    (N1 N2, tok=1)   (N1 N2, tok=2)
    (N1 T2, tok=1)   (T1 N2, tok=2)
    (T1 N2, tok=1)   (N1 T2, tok=2)
    (T1 T2, tok=1)   (T1 T2, tok=2)
    (C1 N2, tok=1)   (N1 C2, tok=2)
    (C1 T2, tok=1)   (T1 C2, tok=2)

Reduced state graph (one representative per equivalence class; 6 states):

    (N1 N2, tok=1)
    (N1 T2, tok=1)
    (T1 N2, tok=1)
    (T1 T2, tok=1)
    (C1 N2, tok=1)
    (C1 T2, tok=1)
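The two state graphs above reproduced by search, as an added example (not from the original slides): Python exploration of the token model for n processes with and without symmetry reduction. Process ids are taken as 1..n so that tok == i lets process i enter C (matching the figure); the canonical representative of a state is the lexicographically smallest image under all process permutations, with the token value renamed alongside the processes.

```python
# Added example (not from the original slides): reachable states of the
# token model above with and without symmetry reduction.  A state is
# (per-process states, tok); renaming processes by a permutation and renaming
# the token with them maps reachable states to reachable states.

from itertools import permutations

N, T, C = "N", "T", "C"


def successors(state, n):
    """Transitions of the model: N -> T freely, T -> C only for the token
    holder (tok == i for process i, 1-based), C -> N choosing any new tok."""
    procs, tok = state
    for i in range(n):
        if procs[i] == N:
            yield (procs[:i] + (T,) + procs[i + 1:], tok)
        elif procs[i] == T and tok == i + 1:
            yield (procs[:i] + (C,) + procs[i + 1:], tok)
        elif procs[i] == C:
            for new_tok in range(1, n + 1):
                yield (procs[:i] + (N,) + procs[i + 1:], new_tok)


def canonical(state, n):
    """Representative of the orbit of state under all process permutations."""
    procs, tok = state
    images = []
    for perm in permutations(range(n)):          # perm[i]: new index of process i
        renamed = [None] * n
        for i in range(n):
            renamed[perm[i]] = procs[i]
        images.append((tuple(renamed), perm[tok - 1] + 1))
    return min(images)


def explore(n, symmetry):
    """Reachable states from (N, ..., N, tok=1); with symmetry=True the
    search stores and expands canonical representatives only."""
    rep = (lambda s: canonical(s, n)) if symmetry else (lambda s: s)
    start = rep(((N,) * n, 1))
    seen, stack = {start}, [start]
    while stack:
        for nxt in successors(stack.pop(), n):
            r = rep(nxt)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def symmetry_state_counts(n):
    """(full, reduced) numbers of states: the slide's 12 versus 6 for n = 2."""
    return len(explore(n, False)), len(explore(n, True))


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, "processes: (full, reduced) =", symmetry_state_counts(n))
```

Canonicalising by enumerating all n! permutations is the simplest correct choice and fine for a handful of processes; production checkers use cheaper canonical forms or sorting-based heuristics, which is the "efficient exploitation" challenge listed above.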

Outline (3)

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline (4)

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                SPIN
Example                  states    time     memory      states    time     memory
Migratory Protocol (2)   155040    10863s   563 MB      435456    234s     428 MB
Stable Marriage (2)      710       0.84s    73 MB       568       <0.01s   15 MB
Stable Marriage (3)      1275      272s     104 MB      945       <0.01s   15 MB
Stable Marriage (5)      10351     3156s    300 MB      8421      0.03s    21 MB
Best (7)                 15        0.06s    0.7 MB      2187      0.03s    15 MB
Best (20)                41        0.34s    57 MB       N/A¹      N/A¹     N/A¹
Worst (3)                15        0.04s    0.3 MB      15        <0.01s   15 MB
Worst (20)               2097150   0.36s    50 MB       2097150   1503s    1106 MB
Worst (100)              254E+30   1434s    146 MB      N/A¹      N/A¹     N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

                 NuSMV                          SPIN
Processes        states    time      memory     states    time      memory
2                70        0.11s     11 MB      70        <0.01s    15 MB
3                488       0.57s     46 MB      488       <0.01s    15 MB
4                3576      677s      106 MB     3576      0.10s     23 MB
8                N/A¹      N/A¹      N/A¹       N/A¹      N/A¹      N/A¹

With partial order reduction (PO):

                 NuSMV-ImProviso                SPIN
Processes        states    time      memory     states    time      memory
2                48        0.10s     10 MB      48        0.02s     15 MB
3                209       0.31s     30 MB      209       <0.01s    15 MB
4                922       177s      104 MB     922       <0.01s    17 MB
8                306903    355386s   3818 MB    306903    1182s     2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline (5)

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

  • Model Checking and Related Techniques
  • Outline
  • Model Checking Introduction
  • Model Checking
  • Model of Concurrent Systems
  • Model of Concurrent Systems (Cont)
  • Temporal logics
  • Temporal logics (2)
  • CTL Examples
  • Fixpoint Algorithms
  • Model Checking Problem
  • Symbolic Model Checking
  • Symbolic Model Checking with BDDs
  • Ordered Binary Decision Trees and Diagrams
  • OBDD for Comparator Example
  • Variable Ordering Problem
  • Symbolic Model Checking Algorithm
  • Symbolic Model Checking (cont)
  • Symbolic Model Checking (cont) (2)
  • Problems with BDDs
  • Advantages of SAT Procedures
  • Bounded Model Checking
  • Main Advantages of SAT Approach
  • NuSMV A New Symbolic Model Verifier
  • NuSMV language by examples
  • Explicit Model Checking
  • Buumlchi Automata
  • Example
  • LTL and Buumlchi Automata
  • LTL Model Checking
  • Nested Depth First Search
  • Example (2)
  • Example (3)
  • Nested Depth First Search (2)
  • Nested Depth First Search (3)
  • Explicit Model Checking (2)
  • SPIN
  • SPIN Example of Petersonrsquos Algorithm
  • Outline (2)
  • Partial Order Reduction
  • The State Explosion Problem
  • Partial Order Reduction (2)
  • Partial Order Reduction (Cont)
  • Partial Order Reduction (Cont) (2)
  • Compositional Reasoning
  • Abstraction
  • Cone of Influence Reduction
  • Cone of Influence Reduction (2)
  • Data Abstraction
  • Data Abstraction Example
  • Symmetry
  • Model Written in SPIN
  • Symmetry Reduction Example
  • Outline (3)
  • PAT Process Analysis Toolkit
  • PAT Workflow Diagram
  • Fairness Assumptions
  • Specifying Fairness
  • Outline (4)
  • Comparison NuSMV-ImProviso and SPIN
  • Comparison Leader Election Protocol
  • Comparison PAT SPIN and FDR
  • Comparison Conclusion
  • Outline (5)
  • Conclusion
  • Model Checking Distributed Algorithms
  • Model Checking Distributed Algorithms (2)

    Outline

    bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

    bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

    bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

    Model Checking Introduction

    bull Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or notndash Advantages over traditional system validation approaches

    based on simulation testing and deductive reasoningndash An automatic technique for verifying finite state

    concurrent systemsndash Process modeling specification and verificationndash Main challenge state space explosion problem

    Model Checking

    System designor code Requirements

    Finite state modelM

    Set of logical properties

    Model checkerM |= φ

    for each property φ

    No Yesradic

    manual

    automatic

    abstract

    Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

    Model of Concurrent Systems (Cont)

    bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

    Temporal logics

    bull Temporal logics may differ according to how they handle branching in the underlying computation tree

    bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

    bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

    Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

    ndash Path quantifierbull A for every pathbull E there exists a path

    ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

    bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

    path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

    combinations of the usual linear-time operators

    CTL Examples

    bull The four most widely used CTL operators are illustrated

    bull Each computation tree has initial state s0 as its root

    Fixpoint Algorithms

    bull Key properties of EFp

    Model Checking Problem

    bull Let M be the state-transition graph obtained from the concurrent system

    bull Let f be the specification expressed in temporal logic

    M s |= fbull and check if initial states are among these

    Symbolic Model Checking

    bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

    of statesndash can handle much larger designs ndash hundreds of

    state variablesndash BDDs traditionally used to represent Boolean

    functions

    Symbolic Model Checking with BDDs

    bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

    bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

    bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

    Ordered Binary Decision Trees and Diagrams

    bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

    OBDD for Comparator Example

    bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

    Variable Ordering Problem

    bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

    function we get the OBDD below

    Symbolic Model Checking Algorithm

    bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

    Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

    formula in terms of the state variables

    ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

    ndash Now convert T to a OBDD

    Symbolic Model Checking (cont)

    bull Representing transition relations symbolically

    bull Boolean formula for transition relation

    bull Now represent as an OBDD

    Symbolic Model Checking (cont)

    bull How to evaluate fixpoint formulas using OBDDs

    bull Introduce state variables

    bull Now compute the sequence

    bull until convergence

    Problems with BDDs

    bull BDDs are a canonical representation Often become too large

    bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

    bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

    Advantages of SAT Procedures

    bull SAT procedures also operate on Boolean expressions but do not use canonical forms

    bull Do not suffer from the potential space explosion of BDDs

    bull Can handle functions with s to s of variables

    bull Very efficient implementations available

    Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

    bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

    bull We look for longer and longer paths by incrementing the bound k

    bull After some number of iterations we may conclude no such path exists and specification holds

    bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

    Main Advantages of SAT Approach

    bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

    bull It finds finite paths of minimal length This helps user understand the example more easily

    bull It uses much less space than BDD based approaches

    bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

    NuSMV A New Symbolic Model Verifier

    bull Finite-state Systems described in a specialized language

    bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

    checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

    efficiency and control state explosion

    NuSMV language by examples

    Explicit Model Checking

    bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

    bull Counterexample

    ndash M is the set of traces of M

    ndash is the set of traces that satisfy

    bull M

    bull Equivalently M not=

    Buumlchi Automata

    bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

    ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

    bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

    Example

    S0 S1 S2

    1=S0S1S2S2S2S2hellip

    2=S0S1S2S1S2S1hellip

    3=S0S1S2S1S1S1hellip

    ACCEPTED

    ACCEPTED

    REJECTED

    LTL and Buumlchi Automata

    bull LTL formulandash Represents a set of infinite traces which satisfy

    such formulabull Buumlchi Automaton

    ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

    and only the infinite traces represented by an LTL formula

    LTL Model Checking

    bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

    ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

    ndash The product accepts the traces of M that are also traces of Bnot (M not)

    ndash If the product accepts any sequencebull We have found a counterexample

    Nested Depth First Search

    bull The product is a Buumlchi automatonbull How do we find accepted sequences

    ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

    ndash We are interested only in cycles that contain at least an accepting state

    ndash During depth first search start a second search when we are in an accepting states

    bull If we can reach the same state again we have a cycle (and a counterexample)

    Example

    Example

    Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

    Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

    Explicit Model Checking

    bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

    bull Some states are not generated in the productbull Counterexample can be found before

    searching all statesbull Easy to optimizebull Better support for asynchronous composition

    SPIN

    bull Explicit State Model Checkerbull Process Algebra

    ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

    bull Nested Depth First Searchbull Uses a hashing function to store each state using

    only 2 bits (no guarantee of soundness)bull Partial Order Reduction

    SPIN Example of Petersonrsquos Algorithm

    bool turn flag[2]byte ncrit

    active proctype user0()again

    flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

    ncrit++ss assert(ncrit == 1) critical section

    ncrit--

    flag[0] = 0goto again

    active proctype user1()again

    flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

    ncrit++assert(ncrit == 1) critical section ncrit--

    flag[1] = 0goto again


    Partial Order Reduction

    • The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
    • To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
    • The ordering between independent transitions is largely meaningless

    The State Explosion Problem

    • Allowing all possible orderings is a potential cause of the state explosion problem
    • To see this, consider n transitions that can be executed concurrently
    • In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
    • If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

    Partial Order Reduction

    • The partial order reduction is aimed at reducing the size of the state space that needs to be searched
    • It exploits the commutativity of concurrently executed transitions: executed in either order, they result in the same state
    • Thus this reduction technique is best suited for asynchronous systems
    • (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

    Partial Order Reduction (Cont.)

    • The method consists of constructing a reduced state graph
    • The full state graph, which may be too big to fit in memory, is never constructed
    • The behaviors of the reduced graph are a subset of the behaviors of the full state graph
    • The justification of the reduction method shows that the behaviors that are not present do not add any information

    Partial Order Reduction (Cont.)

    • The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution
    • However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

    Compositional Reasoning

    • Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
      – Communication protocol: a sender, a network and a receiver
    • Assume-Guarantee Paradigm
      – Verify each sub-process separately, adding assumptions about the sub-processes it interacts with
      – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

    Abstraction

    • Eliminate details irrelevant to the property
    • Obtain simple finite models sufficient to verify the property
      – E.g. infinite state → finite state approximation
    • Disadvantage
      – Loss of precision: false positives/negatives
    • Approaches
      – Cone of influence reduction
      – Data abstraction

    Cone of Influence Reduction

    • If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (the smallest set containing V that also contains every variable on which a variable in the set depends), then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

    Cone of Influence Reduction

    A simple system model:

        Boolean v1, v2, v3, v4, v5, v6;
        Repeat forever in parallel:
            v1 = v2;
            v2 = v1 & v3;
            v3 = v1 & v2;
            v4 = v5 & v3;
            v5 = v4 & v6;
        End

    A simple LTL property:

        F(~v1)        (v1 will eventually become False)

    The reduced model with respect to the cone of influence of {v1}, which is {v1, v2, v3}:

        Boolean v1, v2, v3;
        Repeat forever in parallel:
            v1 = v2;
            v2 = v1 & v3;
            v3 = v1 & v2;
        End
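The following Python is an added example, not code from the slides: it computes the cone of influence from the assignments' read dependencies, derives the reduced model, and checks F(~v1) on both models by explicit enumeration. Two assumptions are mine, since the slide does not state them: every valuation is a possible initial state, and v6, which is never assigned, is a free input that may take either value at each step.

```python
"""Added example (not from the slides): cone of influence of {v1} for the
slide's six-variable model, the reduced model, and a check of F(~v1) on both.
Assumptions: every valuation is an initial state; v6 is a free input."""
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Vals = Dict[str, bool]
State = Tuple[bool, ...]
Assignment = Tuple[Set[str], Callable[[Vals], bool]]   # (variables read, next-state function)

# The slide's model, executed synchronously ("repeat forever in parallel").
MODEL: Dict[str, Assignment] = {
    "v1": ({"v2"}, lambda s: s["v2"]),
    "v2": ({"v1", "v3"}, lambda s: s["v1"] and s["v3"]),
    "v3": ({"v1", "v2"}, lambda s: s["v1"] and s["v2"]),
    "v4": ({"v5", "v3"}, lambda s: s["v5"] and s["v3"]),
    "v5": ({"v4", "v6"}, lambda s: s["v4"] and s["v6"]),
}
ALL_VARS: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(model: Dict[str, Assignment], vs: Set[str]) -> FrozenSet[str]:
    """Smallest superset of vs closed under 'is read by the assignment of'."""
    cone, work = set(vs), list(vs)
    while work:
        v = work.pop()
        reads = model[v][0] if v in model else set()   # free inputs read nothing
        for dep in reads:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return frozenset(cone)


def reduce_model(model: Dict[str, Assignment], cone: FrozenSet[str]) -> Dict[str, Assignment]:
    """Drop every assignment outside the cone; the kept assignments read only
    cone variables, so the reduced model is closed."""
    return {v: model[v] for v in model if v in cone}


def check_F_not(model: Dict[str, Assignment], variables: List[str],
                target: str = "v1") -> Tuple[bool, int]:
    """Does F(~target) hold on every path from every state?  It fails exactly
    when the states with target == True contain a cycle (an infinite path on
    which target never becomes False).  Returns (verdict, number of states)."""
    assigned = [v for v in variables if v in model]
    free = [v for v in variables if v not in model]
    idx = {v: i for i, v in enumerate(variables)}

    def successors(state: State):
        cur = dict(zip(variables, state))
        for inputs in product([False, True], repeat=len(free)):
            nxt = dict(cur)
            nxt.update(zip(free, inputs))         # free inputs: any value
            for v in assigned:
                nxt[v] = model[v][1](cur)          # synchronous update
            yield tuple(nxt[v] for v in variables)

    states: List[State] = list(product([False, True], repeat=len(variables)))
    bad = {st for st in states if st[idx[target]]}
    color: Dict[State, int] = {}                  # 1 = on DFS stack, 2 = done

    def has_cycle(st: State) -> bool:
        color[st] = 1
        for nxt in successors(st):
            if nxt in bad:
                c = color.get(nxt, 0)
                if c == 1 or (c == 0 and has_cycle(nxt)):
                    return True
        color[st] = 2
        return False

    cyclic = any(color.get(st, 0) == 0 and has_cycle(st) for st in bad)
    return not cyclic, len(states)


if __name__ == "__main__":
    cone = cone_of_influence(MODEL, {"v1"})
    reduced = reduce_model(MODEL, cone)
    print(sorted(cone))                           # ['v1', 'v2', 'v3']
    print(check_F_not(MODEL, ALL_VARS))           # (False, 64)
    print(check_F_not(reduced, sorted(cone)))     # (False, 8)
```

Both models give the same verdict (the all-true state loops on itself, so v1 need not ever become False) while the reduced model has 8 states instead of 64; asking for the cone of {v4} instead pulls in all six variables and nothing is saved.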

    Data Abstraction

    Abstraction function h: S → S' (figure: arrows labelled h map the concrete states in S to the abstract states in S')

    Data Abstraction Example

    • Abstraction proceeds component-wise, where variables are components

        x: int → {Even, Odd}
            Even: … -2, 0, 2, 4, …
            Odd:  … -3, -1, 1, 3, …

        y: int → {Neg, Zero, Pos}
            Neg:  … -3, -2, -1
            Zero: 0
            Pos:  1, 2, 3, …

    Symmetry

    • Symmetry partitions the state space into equivalence classes
    • Knowledge of symmetry: search only 1 state per equivalence class
    • Need techniques for
      – Symmetry detection
      – Efficient exploitation of symmetry
    • Ideally both should be fully automatic
    • Challenges: detecting & exploiting symmetries

    Model Written in SPIN

        mtype = { N, T, C };   /* assumed declaration: the slide does not show where N, T, C are defined */
        byte tok = 1;

        active [2] proctype user()
        {
            byte state = N;
            do
            :: (state == N) -> state = T
            :: (state == T) && (tok == _pid) -> state = C
            :: (state == C) -> state = N;
               if
               :: tok = 1
               :: tok = 2
               fi
            od
        }

    Note that SPIN numbers _pid from 0, so the two active processes are 0 and 1, whereas the state graph on the next slide labels them 1 and 2.

    Symmetry Reduction Example

    (figure: the state graph and the reduced state graph; only the states are listed here)

    State graph (12 states):

        N1 N2 tok=1     N1 N2 tok=2
        N1 T2 tok=1     T1 N2 tok=2
        T1 N2 tok=1     N1 T2 tok=2
        T1 T2 tok=1     T1 T2 tok=2
        C1 N2 tok=1     N1 C2 tok=2
        C1 T2 tok=1     T1 C2 tok=2

    Reduced state graph (6 states, one representative per equivalence class):

        N1 N2 tok=1
        N1 T2 tok=1
        T1 N2 tok=1
        T1 T2 tok=1
        C1 N2 tok=1
        C1 T2 tok=1


    PAT: Process Analysis Toolkit

    • An interactive system to support composing, simulating and reasoning about an extended process algebra
    • Modeling
      – Extended CSP (Communicating Sequential Processes)
      – LTL
    • Model checkers
      – Explicit model checker
      – Bounded model checker
    • Features
      – Handles fairness together with partial order reduction
      – Bounded model checking for process algebra

    PAT Workflow Diagram

    Fairness Assumptions

    • Fairness properties state that if something is possible sufficiently often, then it must eventually happen
    • deadlock-freeness: FALSE
    • non-starvation: FALSE

    Specifying Fairness

    • Let e be an event/action
    • A weak fair event is written as wf(e)
    • A strong fair event is written as sf(e)


    Comparison: NuSMV-ImProviso and SPIN

                              NuSMV-ImProviso                   SPIN
                              states     time       memory      states     time       memory
        Migratory Protocol (2)  155040     108.63s    56.3 MB     435456     2.34s      42.8 MB
        Stable Marriage (2)     710        0.84s      7.3 MB      568        <0.01s     1.5 MB
        Stable Marriage (3)     1275       2.72s      10.4 MB     945        <0.01s     1.5 MB
        Stable Marriage (5)     10351      31.56s     30.0 MB     8421       0.03s      2.1 MB
        Best (7)                15         0.06s      0.7 MB      2187       0.03s      1.5 MB
        Best (20)               41         0.34s      5.7 MB      N/A¹
        Worst (3)               15         0.04s      0.3 MB      15         <0.01s     1.5 MB
        Worst (20)              2097150    0.36s      5.0 MB      2097150    15.03s     110.6 MB
        Worst (100)             2.54E+30   14.34s     14.6 MB     N/A¹

    • SPIN is faster if it can handle the example
    • NuSMV-ImProviso can handle more examples
    • NuSMV-ImProviso matches SPIN on Best / Worst

    Comparison: Leader Election Protocol

    Non-PO (without partial order reduction)

             NuSMV                              SPIN
        n    states     time       memory       states     time       memory
        2    70         0.11s      1.1 MB       70         <0.01s     1.5 MB
        3    488        0.57s      4.6 MB       488        <0.01s     1.5 MB
        4    3576       6.77s      10.6 MB      3576       0.10s      2.3 MB
        8    N/A¹                               N/A¹

    PO (with partial order reduction)

             NuSMV-ImProviso                    SPIN
        n    states     time       memory       states     time       memory
        2    48         0.10s      1.0 MB       48         0.02s      1.5 MB
        3    209        0.31s      3.0 MB       209        <0.01s     1.5 MB
        4    922        1.77s      10.4 MB      922        <0.01s     1.7 MB
        8    306903     3553.86s   381.8 MB     306903     11.82s     232.8 MB

    • Models of the same size in SMV and Promela
    • Same reduction
    • SPIN faster until…

    Comparison PAT SPIN and FDR

    Comparison: Conclusion

    • Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful
    • Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems


    Conclusion

    • Three ways to do model checking
      – Symbolic Model Checking
      – Bounded Model Checking
      – Explicit Model Checking
    • Various optimization techniques
      – Partial Order Reduction
      – Compositional Reasoning
      – Abstraction
      – Symmetry

    Model Checking Distributed Algorithms

    • Summary of papers studied
      – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
      – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
      – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
      – Model Checking Transactional Memories

    Model Checking Distributed Algorithms

    • Most suitable MC technique
      – Explicit model checking
      – Benefits
        • Better support for asynchronous communication
        • Better control of optimization techniques
        • Tools with better performance: SPIN or PAT (better support for fairness with POR)
    • Possible optimization techniques
      – Abstraction
      – Compositional reasoning
      – Symmetry

    • Model Checking and Related Techniques
    • Outline
    • Model Checking Introduction
    • Model Checking
    • Model of Concurrent Systems
    • Model of Concurrent Systems (Cont)
    • Temporal logics
    • Temporal logics (2)
    • CTL Examples
    • Fixpoint Algorithms
    • Model Checking Problem
    • Symbolic Model Checking
    • Symbolic Model Checking with BDDs
    • Ordered Binary Decision Trees and Diagrams
    • OBDD for Comparator Example
    • Variable Ordering Problem
    • Symbolic Model Checking Algorithm
    • Symbolic Model Checking (cont)
    • Symbolic Model Checking (cont) (2)
    • Problems with BDDs
    • Advantages of SAT Procedures
    • Bounded Model Checking
    • Main Advantages of SAT Approach
    • NuSMV A New Symbolic Model Verifier
    • NuSMV language by examples
    • Explicit Model Checking
    • Büchi Automata
    • Example
    • LTL and Büchi Automata
    • LTL Model Checking
    • Nested Depth First Search
    • Example (2)
    • Example (3)
    • Nested Depth First Search (2)
    • Nested Depth First Search (3)
    • Explicit Model Checking (2)
    • SPIN
    • SPIN Example of Peterson's Algorithm
    • Outline (2)
    • Partial Order Reduction
    • The State Explosion Problem
    • Partial Order Reduction (2)
    • Partial Order Reduction (Cont)
    • Partial Order Reduction (Cont) (2)
    • Compositional Reasoning
    • Abstraction
    • Cone of Influence Reduction
    • Cone of Influence Reduction (2)
    • Data Abstraction
    • Data Abstraction Example
    • Symmetry
    • Model Written in SPIN
    • Symmetry Reduction Example
    • Outline (3)
    • PAT Process Analysis Toolkit
    • PAT Workflow Diagram
    • Fairness Assumptions
    • Specifying Fairness
    • Outline (4)
    • Comparison NuSMV-ImProviso and SPIN
    • Comparison Leader Election Protocol
    • Comparison PAT SPIN and FDR
    • Comparison Conclusion
    • Outline (5)
    • Conclusion
    • Model Checking Distributed Algorithms
    • Model Checking Distributed Algorithms (2)

      Model Checking Introduction

      bull Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or notndash Advantages over traditional system validation approaches

      based on simulation testing and deductive reasoningndash An automatic technique for verifying finite state

      concurrent systemsndash Process modeling specification and verificationndash Main challenge state space explosion problem

      Model Checking

      System designor code Requirements

      Finite state modelM

      Set of logical properties

      Model checkerM |= φ

      for each property φ

      No Yesradic

      manual

      automatic

      abstract

      Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

      Model of Concurrent Systems (Cont)

      bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

      Temporal logics

      bull Temporal logics may differ according to how they handle branching in the underlying computation tree

      bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

      bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

      Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

      ndash Path quantifierbull A for every pathbull E there exists a path

      ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

      bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

      path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

      combinations of the usual linear-time operators

      CTL Examples

      bull The four most widely used CTL operators are illustrated

      bull Each computation tree has initial state s0 as its root

      Fixpoint Algorithms

      bull Key properties of EFp

      Model Checking Problem

      bull Let M be the state-transition graph obtained from the concurrent system

      bull Let f be the specification expressed in temporal logic

      M s |= fbull and check if initial states are among these

      Symbolic Model Checking

      bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

      of statesndash can handle much larger designs ndash hundreds of

      state variablesndash BDDs traditionally used to represent Boolean

      functions

      Symbolic Model Checking with BDDs

      bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

      bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

      bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

      Ordered Binary Decision Trees and Diagrams

      bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

      OBDD for Comparator Example

      bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

      Variable Ordering Problem

      bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

      function we get the OBDD below

      Symbolic Model Checking Algorithm

      bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

      Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

      formula in terms of the state variables

      ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

      ndash Now convert T to a OBDD

      Symbolic Model Checking (cont)

      bull Representing transition relations symbolically

      bull Boolean formula for transition relation

      bull Now represent as an OBDD

      Symbolic Model Checking (cont)

      bull How to evaluate fixpoint formulas using OBDDs

      bull Introduce state variables

      bull Now compute the sequence

      bull until convergence

      Problems with BDDs

      bull BDDs are a canonical representation Often become too large

      bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

      bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

      Advantages of SAT Procedures

      bull SAT procedures also operate on Boolean expressions but do not use canonical forms

      bull Do not suffer from the potential space explosion of BDDs

      bull Can handle functions with s to s of variables

      bull Very efficient implementations available

      Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

      bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

      bull We look for longer and longer paths by incrementing the bound k

      bull After some number of iterations we may conclude no such path exists and specification holds

      bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

      Main Advantages of SAT Approach

      bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

      bull It finds finite paths of minimal length This helps user understand the example more easily

      bull It uses much less space than BDD based approaches

      bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

      NuSMV A New Symbolic Model Verifier

      bull Finite-state Systems described in a specialized language

      bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

      checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

      efficiency and control state explosion

      NuSMV language by examples

      Explicit Model Checking

      bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

      bull Counterexample

      ndash M is the set of traces of M

      ndash is the set of traces that satisfy

      bull M

      bull Equivalently M not=

      Buumlchi Automata

      bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

      ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

      bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

      Example

      S0 S1 S2

      1=S0S1S2S2S2S2hellip

      2=S0S1S2S1S2S1hellip

      3=S0S1S2S1S1S1hellip

      ACCEPTED

      ACCEPTED

      REJECTED

      LTL and Buumlchi Automata

      bull LTL formulandash Represents a set of infinite traces which satisfy

      such formulabull Buumlchi Automaton

      ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

      and only the infinite traces represented by an LTL formula

      LTL Model Checking

      bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

      ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

      ndash The product accepts the traces of M that are also traces of Bnot (M not)

      ndash If the product accepts any sequencebull We have found a counterexample

      Nested Depth First Search

      bull The product is a Buumlchi automatonbull How do we find accepted sequences

      ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

      ndash We are interested only in cycles that contain at least an accepting state

      ndash During depth first search start a second search when we are in an accepting states

      bull If we can reach the same state again we have a cycle (and a counterexample)

      Example

      Example

      Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

      Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

      Explicit Model Checking

      bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

      bull Some states are not generated in the productbull Counterexample can be found before

      searching all statesbull Easy to optimizebull Better support for asynchronous composition

      SPIN

      bull Explicit State Model Checkerbull Process Algebra

      ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

      bull Nested Depth First Searchbull Uses a hashing function to store each state using

      only 2 bits (no guarantee of soundness)bull Partial Order Reduction

      SPIN Example of Petersonrsquos Algorithm

      bool turn flag[2]byte ncrit

      active proctype user0()again

      flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

      ncrit++ss assert(ncrit == 1) critical section

      ncrit--

      flag[0] = 0goto again

      active proctype user1()again

      flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

      ncrit++assert(ncrit == 1) critical section ncrit--

      flag[1] = 0goto again

      Outline

      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

      Partial Order Reduction

      bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

      bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

      bull The ordering between independent transitions is largely meaningless

      The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

      explosion problembull To see this consider n transitions that can be executed

      concurrentlybull In this case there are n different orderings and 2n different states

      (one for each subset of the transitions)bull If the specification does not distinguish between these

      sequences it is beneficial to consider only one with n + 1 states

      Partial Order Reduction

      bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

      bull It exploits the commutativity of concurrently executed transitions which result in the same state

      bull Thus this reduction technique is best suited for asynchronous systems

      bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

      Partial Order Reduction (Cont)

      bull The method consists of constructing a reduced state graph

      bull The full state graph which may be too big to fit in memory is never constructed

      bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

      bull The justification of the reduction method shows that the behaviors that are not present do not add any information

      Partial Order Reduction (Cont)

      bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

      bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

      Compositional Reasoning

      bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

      receiver bull Assume-Guarantee Paradigm

      ndash Verify each sub-process separately by adding assumptions on sub-process

      ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

      Abstraction

      bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

      propertyndash Eg Infinite state Finite state approximation

      bull Disadvantage ndash Loss of Precision False positivesnegatives

      bull Approachesndash Cone of influence reductionndash Data abstraction

      Cone of Influence Reduction

      bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

      Cone of Influence Reduction

      Boolean v1 v2 v3 v4 v5 v6

      Repeat forever in parallel

      v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

      End

      (F (~ v1)) v1 will eventually become False

      Boolean v1 v2 v3

      Repeat forever in parallel

      v1 = v2

      v2 = v1 amp v3

      End

      A Simple System Model

      A Simple LTL property

      Cone of Influence Reduction

      Data Abstraction

      h h hh h

      Abstraction Function h S Srsquo

      S

      Srsquo

      Data Abstraction Example

      bull Abstraction proceeds component-wise where variables are components

      xint Even

      Oddhellip -3 -1 1 3 hellip

      hellip -2 0 2 4 hellip

      1 2 3 hellip

      hellip -3 -2 -1

      0

      Pos

      Neg

      Zeroyint

      Symmetry

      bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

      equivalence class

      bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

      bull Ideally both should be fully automatic

      bull Challenges detecting amp exploiting symmetries

      Model Written in SPIN

      byte tok = 1

      active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

      Symmetry Reduction Example

      N1 N2

      tok=1N1 N2

      tok=2

      N1 T2

      tok=1T1 N2

      tok=2T1 N2

      tok=1N1 T2

      tok=2

      T1 T2

      tok=1T1 T2

      tok=2C1 N2

      tok=1N1 C2

      tok=2

      C1 T2

      tok=1T1 C2

      tok=2

      N1 N2

      tok=1

      N1 T2

      tok=1T1 N2

      tok=1

      T1 T2

      tok=1C1 N2

      tok=1

      C1 T2

      tok=1

      State-graphReduced state-graph

      Outline

      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

      PAT Process Analysis Toolkit

      bull A interactive system to support composing simulating and reasoning of extended Process Algebra

      bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

      bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

      bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

      PAT Workflow Diagram

      Fairness Assumptions

      bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

      bull deadlock-freeness FALSEbull non-starvation FALSE

      Specifying Fairness

      bull Let e be an eventaction

      bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

      Outline

      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

      Comparison NuSMV-ImProviso and SPIN

      states time memory states time memory

      Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

      Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

      Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

      Worst (100) 254E+30 1434s 146 MB

      NuSMV-ImProviso SPIN

      NA1

      NA1

      bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

      Comparison Leader Election Protocol

      states time memory states time memory

      2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

      8

      states time memory states time memory

      2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

      SPIN

      NA1

      Non-PO

      PONuSMV-ImProviso

      NuSMV

      NA1

      SPIN

      bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

      Comparison PAT SPIN and FDR

      Comparison Conclusion

      bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

      bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

      Outlinebull Model Checking Techniques

      ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

      bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

      Conclusion

      bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

      bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

      Model Checking Distributed Algorithms

      bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

      Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

      Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

      ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

      ndash Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry




          Model of Concurrent Systems(Unwind State Graph to obtain Infinite Tree)

          Model of Concurrent Systems (Cont)

          bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

          Temporal logics

          bull Temporal logics may differ according to how they handle branching in the underlying computation tree

          bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

          bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

          Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

          ndash Path quantifierbull A for every pathbull E there exists a path

          ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

          bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

          path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

          combinations of the usual linear-time operators

          CTL Examples

          bull The four most widely used CTL operators are illustrated

          bull Each computation tree has initial state s0 as its root

          Fixpoint Algorithms

          bull Key properties of EFp

          Model Checking Problem

          bull Let M be the state-transition graph obtained from the concurrent system

          bull Let f be the specification expressed in temporal logic

          M s |= fbull and check if initial states are among these

          Symbolic Model Checking

          bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

          of statesndash can handle much larger designs ndash hundreds of

          state variablesndash BDDs traditionally used to represent Boolean

          functions

          Symbolic Model Checking with BDDs

          bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

          bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

          bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

          Ordered Binary Decision Trees and Diagrams

          bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

          OBDD for Comparator Example

          bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

          Variable Ordering Problem

          bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

          function we get the OBDD below

          Symbolic Model Checking Algorithm

          bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

          Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

          formula in terms of the state variables

          ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

          ndash Now convert T to a OBDD

          Symbolic Model Checking (cont)

          bull Representing transition relations symbolically

          bull Boolean formula for transition relation

          bull Now represent as an OBDD

          Symbolic Model Checking (cont)

          bull How to evaluate fixpoint formulas using OBDDs

          bull Introduce state variables

          bull Now compute the sequence

          bull until convergence

          Problems with BDDs

          bull BDDs are a canonical representation Often become too large

          bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

          bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

          Advantages of SAT Procedures

          bull SAT procedures also operate on Boolean expressions but do not use canonical forms

          bull Do not suffer from the potential space explosion of BDDs

          bull Can handle functions with s to s of variables

          bull Very efficient implementations available

          Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

          bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

          bull We look for longer and longer paths by incrementing the bound k

          bull After some number of iterations we may conclude no such path exists and specification holds

          bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

          Main Advantages of SAT Approach

          bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

          bull It finds finite paths of minimal length This helps user understand the example more easily

          bull It uses much less space than BDD based approaches

          bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

          NuSMV A New Symbolic Model Verifier

          bull Finite-state Systems described in a specialized language

          bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

          checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

          efficiency and control state explosion

          NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
    • Counterexample

• The set of traces of M
• The set of traces that satisfy φ
• M satisfies φ iff the set of traces of M is contained in the set of traces that satisfy φ
• Equivalently, no trace of M satisfies ¬φ (the traces of M and the traces of ¬φ have an empty intersection)

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple (S, I, →, F)
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – → ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: Büchi automaton over the states S0, S1, S2]

trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the traces of M that satisfy ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

          Example

          Example

Nested Depth First Search

procedure DFS(s)
  visited = visited ∪ {s}
  for each successor s' of s
    if s' ∉ visited then
      DFS(s')
      if s' is accepting then
        DFS2(s', s')
      end if
    end if
  end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
  visited2 = visited2 ∪ {s}
  for each successor s' of s
    if s' = seed then
      return "Cycle Detected"
    end if
    if s' ∉ visited2 then
      DFS2(s', seed)
    end if
  end for
end procedure
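As an added example (not code from the slides), the two procedures above implemented in Python and run on the three-state Büchi automaton of the earlier Example slide, reconstructed here from its three traces: S2 is the accepting state and S0 → S1, S1 → S1, S1 → S2, S2 → S2, S2 → S1 are assumed transitions. The second search is started in post-order on every accepting state, including an accepting initial state, and a found lasso is returned as prefix plus cycle; a second, constructed automaton in which S2 is a sink shows the rejecting case.

```python
"""Nested depth-first search for an accepting cycle in a Buechi automaton
(added example; not the slides' code). An accepted run must visit an
accepting state infinitely often, so it must contain a cycle through one:
the first DFS explores the automaton and, once an accepting state s has been
fully explored, a second DFS looks for a path back to s."""

def nested_dfs(initial, successors, accepting):
    """Return (prefix, cycle) describing a lasso whose cycle passes through an
    accepting state, or None when the automaton accepts no sequence.
    `initial` is an iterable of initial states, `successors(s)` returns the
    successors of s and `accepting` is the set of accepting states."""
    visited, visited2 = set(), set()      # visited sets of the two searches
    path = []                             # stack of the outer search

    def dfs2(s, seed, cycle):
        # Second search: look for a path from s back to the accepting seed.
        visited2.add(s)
        cycle.append(s)
        for t in successors(s):
            if t == seed:
                return True               # closed the cycle seed -> ... -> s -> seed
            if t not in visited2 and dfs2(t, seed, cycle):
                return True
        cycle.pop()
        return False

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in successors(s):
            if t not in visited:
                found = dfs(t)
                if found is not None:
                    return found
        if s in accepting:                # s fully explored: start the inner search
            cycle = []
            if dfs2(s, s, cycle):
                return list(path[:-1]), cycle   # cycle[0] is s, the top of path
        path.pop()
        return None

    for s0 in initial:
        if s0 not in visited:
            found = dfs(s0)
            if found is not None:
                return found
    return None


# Constructed reading of the slides' Example automaton: S2 is accepting.
EXAMPLE_EDGES = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]}

def example_counterexample():
    return nested_dfs(["S0"], lambda s: EXAMPLE_EDGES[s], {"S2"})

# Constructed variant: S2 is a sink, so no cycle passes through an accepting state.
NO_CYCLE_EDGES = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": []}

def example_no_counterexample():
    return nested_dfs(["S0"], lambda s: NO_CYCLE_EDGES[s], {"S2"})


def lasso_prefix(prefix, cycle, n):
    """First n states of the infinite trace prefix . cycle^omega."""
    out = list(prefix)
    while len(out) < n:
        out.extend(cycle)
    return out[:n]


if __name__ == "__main__":
    print(example_counterexample())     # (['S0', 'S1'], ['S2'])
    print(example_no_counterexample())  # None
    print(lasso_prefix(["S0", "S1"], ["S2"], 6))   # the slide's trace 1
```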

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other process is out or has yielded the turn */
    ncrit++;
ss:
    assert(ncrit == 1);                      /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);
    ncrit++;
    assert(ncrit == 1);                      /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions, which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL property:

  (F (~ v1))    v1 will eventually become False

Cone of Influence Reduction (model reduced with respect to the cone of v1):

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End

Data Abstraction

[Figure: abstraction function h : S → S', mapping the concrete states in S to the abstract states in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: x : int is abstracted to {Even, Odd}: … -3, -1, 1, 3 … ↦ Odd; … -2, 0, 2, 4 … ↦ Even.
y : int is abstracted to {Pos, Neg, Zero}: 1, 2, 3 … ↦ Pos; … -3, -2, -1 ↦ Neg; 0 ↦ Zero]

Symmetry

• Symmetry partitions the state-space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* non-critical, trying, critical */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the token values 1 and 2 name the processes as in the figure below */
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

[Figure: State-graph (12 states): N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2, T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2.
Reduced state-graph (6 states): N1 N2 tok=1, N1 T2 tok=1, T1 N2 tok=1, T1 T2 tok=1, C1 N2 tok=1, C1 T2 tok=1]
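As an added example (not the slides' code), the two-process token model above explored in Python, first as the full state graph and then under symmetry reduction: the permutation that swaps the two processes together with the token value maps each state to a canonical representative (assumed here to be the member of the orbit that holds the token at process 1), and only representatives are stored. The counts reproduce the two graphs in the figure (12 states reduced to 6), and mutual exclusion, a property invariant under the swap, is checked on the reduced graph.

```python
"""Symmetry reduction on the two-process token-passing model (added example;
not the slides' code). A state is (state of process 1, state of process 2,
token holder). Swapping the two processes together with the token value is
an automorphism of the state graph, so every orbit is explored through a
single representative."""

N, T, C = "N", "T", "C"          # non-critical, trying, critical
INITIAL = (N, N, 1)               # both idle, token at process 1


def _update(locals_, tok, i, new_local):
    new = list(locals_)
    new[i] = new_local
    return (new[0], new[1], tok)


def successors(state):
    """Interleaving semantics of the Promela model: one process moves at a time."""
    locals_, tok = state[:2], state[2]
    out = []
    for i in (0, 1):
        pid = i + 1                                   # processes are numbered 1 and 2
        st = locals_[i]
        if st == N:                                   # (state == N) -> state = T
            out.append(_update(locals_, tok, i, T))
        elif st == T and tok == pid:                  # (state == T) && (tok == pid) -> state = C
            out.append(_update(locals_, tok, i, C))
        elif st == C:                                 # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            for new_tok in (1, 2):
                out.append(_update(locals_, new_tok, i, N))
    return out


def swap(state):
    """The symmetry: exchange the two processes and relabel the token."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Representative of the orbit {state, swap(state)}: prefer the token at process 1."""
    return state if state[2] == 1 else swap(state)


def explore(initial, canon=lambda s: s):
    """Reachable states (as a set), storing only canon(s) for every state s met.
    With the identity this is the full graph; with `canonical` the reduced one."""
    start = canon(initial)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            r = canon(t)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def mutual_exclusion_holds(states):
    """Safety check: no reachable state has both processes in the critical section."""
    return all(not (s[0] == C and s[1] == C) for s in states)


if __name__ == "__main__":
    full = explore(INITIAL)
    reduced = explore(INITIAL, canonical)
    print(len(full), "states in the full graph")        # 12
    print(len(reduced), "states in the reduced graph")  # 6
    print("mutual exclusion:", mutual_exclusion_holds(reduced))
```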

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

          PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states     time      memory      states    time     memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB     435456    2.34s    42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB      568       <0.01s   1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB     945       <0.01s   1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB     8421      0.03s    2.1 MB
  Best (7)                15         0.06s     0.7 MB      2187      0.03s    1.5 MB
  Best (20)               41         0.34s     5.7 MB      N/A¹
  Worst (3)               15         0.04s     0.3 MB      15        <0.01s   1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB      2097150   15.03s   110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB     N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

      NuSMV                           SPIN
      states    time       memory     states    time      memory
  2   70        0.11s      1.1 MB     70        <0.01s    1.5 MB
  3   488       0.57s      4.6 MB     488       <0.01s    1.5 MB
  4   3576      6.77s      10.6 MB    3576      0.10s     2.3 MB
  8   N/A¹                            N/A¹

PO (with partial order reduction)

      NuSMV-ImProviso                 SPIN
      states    time       memory     states    time      memory
  2   48        0.10s      1.0 MB     48        0.02s     1.5 MB
  3   209       0.31s      3.0 MB     209       <0.01s    1.5 MB
  4   922       1.77s      10.4 MB    922       <0.01s    1.7 MB
  8   306903    3553.86s   381.8 MB   306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

          • Model Checking and Related Techniques
          • Outline
          • Model Checking Introduction
          • Model Checking
          • Model of Concurrent Systems
          • Model of Concurrent Systems (Cont)
          • Temporal logics
          • Temporal logics (2)
          • CTL Examples
          • Fixpoint Algorithms
          • Model Checking Problem
          • Symbolic Model Checking
          • Symbolic Model Checking with BDDs
          • Ordered Binary Decision Trees and Diagrams
          • OBDD for Comparator Example
          • Variable Ordering Problem
          • Symbolic Model Checking Algorithm
          • Symbolic Model Checking (cont)
          • Symbolic Model Checking (cont) (2)
          • Problems with BDDs
          • Advantages of SAT Procedures
          • Bounded Model Checking
          • Main Advantages of SAT Approach
          • NuSMV A New Symbolic Model Verifier
          • NuSMV language by examples
          • Explicit Model Checking
          • Buumlchi Automata
          • Example
          • LTL and Buumlchi Automata
          • LTL Model Checking
          • Nested Depth First Search
          • Example (2)
          • Example (3)
          • Nested Depth First Search (2)
          • Nested Depth First Search (3)
          • Explicit Model Checking (2)
          • SPIN
          • SPIN Example of Petersonrsquos Algorithm
          • Outline (2)
          • Partial Order Reduction
          • The State Explosion Problem
          • Partial Order Reduction (2)
          • Partial Order Reduction (Cont)
          • Partial Order Reduction (Cont) (2)
          • Compositional Reasoning
          • Abstraction
          • Cone of Influence Reduction
          • Cone of Influence Reduction (2)
          • Data Abstraction
          • Data Abstraction Example
          • Symmetry
          • Model Written in SPIN
          • Symmetry Reduction Example
          • Outline (3)
          • PAT Process Analysis Toolkit
          • PAT Workflow Diagram
          • Fairness Assumptions
          • Specifying Fairness
          • Outline (4)
          • Comparison NuSMV-ImProviso and SPIN
          • Comparison Leader Election Protocol
          • Comparison PAT SPIN and FDR
          • Comparison Conclusion
          • Outline (5)
          • Conclusion
          • Model Checking Distributed Algorithms
          • Model Checking Distributed Algorithms (2)

            Model of Concurrent Systems (Cont)

            bull Formally a Kripke structure is a triple M 1048576 ltSRLgt where

            Temporal logics

            bull Temporal logics may differ according to how they handle branching in the underlying computation tree

            bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

            bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

            Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

            ndash Path quantifierbull A for every pathbull E there exists a path

            ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

            bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

            path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

            combinations of the usual linear-time operators

            CTL Examples

            bull The four most widely used CTL operators are illustrated

            bull Each computation tree has initial state s0 as its root

            Fixpoint Algorithms

            bull Key properties of EFp

            Model Checking Problem

            bull Let M be the state-transition graph obtained from the concurrent system

            bull Let f be the specification expressed in temporal logic

            M s |= fbull and check if initial states are among these

            Symbolic Model Checking

            bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

            of statesndash can handle much larger designs ndash hundreds of

            state variablesndash BDDs traditionally used to represent Boolean

            functions

            Symbolic Model Checking with BDDs

            bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

            bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

            bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

            Ordered Binary Decision Trees and Diagrams

            bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

            OBDD for Comparator Example

            bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

            Variable Ordering Problem

            bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

            function we get the OBDD below

            Symbolic Model Checking Algorithm

            bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

            Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

            formula in terms of the state variables

            ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

            ndash Now convert T to a OBDD

            Symbolic Model Checking (cont)

            bull Representing transition relations symbolically

            bull Boolean formula for transition relation

            bull Now represent as an OBDD

            Symbolic Model Checking (cont)

            bull How to evaluate fixpoint formulas using OBDDs

            bull Introduce state variables

            bull Now compute the sequence

            bull until convergence

            Problems with BDDs

            bull BDDs are a canonical representation Often become too large

            bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

            bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

            Advantages of SAT Procedures

            bull SAT procedures also operate on Boolean expressions but do not use canonical forms

            bull Do not suffer from the potential space explosion of BDDs

            bull Can handle functions with s to s of variables

            bull Very efficient implementations available

            Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

            bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

            bull We look for longer and longer paths by incrementing the bound k

            bull After some number of iterations we may conclude no such path exists and specification holds

            bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

            Main Advantages of SAT Approach

            bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

            bull It finds finite paths of minimal length This helps user understand the example more easily

            bull It uses much less space than BDD based approaches

            bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

            NuSMV A New Symbolic Model Verifier

            bull Finite-state Systems described in a specialized language

            bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

            checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

            efficiency and control state explosion

            NuSMV language by examples

            Explicit Model Checking

            bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

            bull Counterexample

            ndash M is the set of traces of M

            ndash is the set of traces that satisfy

            bull M

            bull Equivalently M not=

            Buumlchi Automata

            bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

            ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

            bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

            Example

            S0 S1 S2

            1=S0S1S2S2S2S2hellip

            2=S0S1S2S1S2S1hellip

            3=S0S1S2S1S1S1hellip

            ACCEPTED

            ACCEPTED

            REJECTED

            LTL and Buumlchi Automata

            bull LTL formulandash Represents a set of infinite traces which satisfy

            such formulabull Buumlchi Automaton

            ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

            and only the infinite traces represented by an LTL formula

            LTL Model Checking

            bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

            ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

            ndash The product accepts the traces of M that are also traces of Bnot (M not)

            ndash If the product accepts any sequencebull We have found a counterexample

            Nested Depth First Search

            bull The product is a Buumlchi automatonbull How do we find accepted sequences

            ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

            ndash We are interested only in cycles that contain at least an accepting state

            ndash During depth first search start a second search when we are in an accepting states

            bull If we can reach the same state again we have a cycle (and a counterexample)

            Example

            Example

            Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

            Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

            Explicit Model Checking

            bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

            bull Some states are not generated in the productbull Counterexample can be found before

            searching all statesbull Easy to optimizebull Better support for asynchronous composition

            SPIN

            bull Explicit State Model Checkerbull Process Algebra

            ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

            bull Nested Depth First Searchbull Uses a hashing function to store each state using

            only 2 bits (no guarantee of soundness)bull Partial Order Reduction

            SPIN Example of Petersonrsquos Algorithm

            bool turn flag[2]byte ncrit

            active proctype user0()again

            flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

            ncrit++ss assert(ncrit == 1) critical section

            ncrit--

            flag[0] = 0goto again

            active proctype user1()again

            flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

            ncrit++assert(ncrit == 1) critical section ncrit--

            flag[1] = 0goto again

            Outline

            bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

            bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

            bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

            Partial Order Reduction

            bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

            bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

            bull The ordering between independent transitions is largely meaningless

            The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

            explosion problembull To see this consider n transitions that can be executed

            concurrentlybull In this case there are n different orderings and 2n different states

            (one for each subset of the transitions)bull If the specification does not distinguish between these

            sequences it is beneficial to consider only one with n + 1 states

            Partial Order Reduction

            bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

            bull It exploits the commutativity of concurrently executed transitions which result in the same state

            bull Thus this reduction technique is best suited for asynchronous systems

            bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

            Partial Order Reduction (Cont)

            bull The method consists of constructing a reduced state graph

            bull The full state graph which may be too big to fit in memory is never constructed

            bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

            bull The justification of the reduction method shows that the behaviors that are not present do not add any information

            Partial Order Reduction (Cont)

            bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

            bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

            Compositional Reasoning

            bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

            receiver bull Assume-Guarantee Paradigm

            ndash Verify each sub-process separately by adding assumptions on sub-process

            ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

            Abstraction

            bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

            propertyndash Eg Infinite state Finite state approximation

            bull Disadvantage ndash Loss of Precision False positivesnegatives

            bull Approachesndash Cone of influence reductionndash Data abstraction

            Cone of Influence Reduction

            bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

            Cone of Influence Reduction

            Boolean v1 v2 v3 v4 v5 v6

            Repeat forever in parallel

            v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

            End

            (F (~ v1)) v1 will eventually become False

            Boolean v1 v2 v3

            Repeat forever in parallel

            v1 = v2

            v2 = v1 amp v3

            End

            A Simple System Model

            A Simple LTL property

            Cone of Influence Reduction

Data Abstraction

Abstraction function h: S → S' maps each concrete state in S to an abstract state in S'; several concrete states share one abstract state

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
• x: int is abstracted to {Even, Odd}
  – Odd = {…, -3, -1, 1, 3, …}
  – Even = {…, -2, 0, 2, 4, …}
• y: int is abstracted to {Neg, Zero, Pos}
  – Neg = {…, -3, -2, -1}
  – Zero = {0}
  – Pos = {1, 2, 3, …}
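Data abstraction as a worked example, added here and not taken from the slides: a constructed concrete counter x (x ranges over -3..3 and each step increments it, saturating at 3) is abstracted with the slide's sign and parity functions. The abstract transition relation is the existential abstraction (an abstract edge a → a' exists whenever some concrete x with h(x) = a has a successor x' with h(x') = a'), and the CTL operator AF is computed as a least fixpoint on both graphs to show where the abstraction loses precision. The concrete system and all function names are this example's own.

```python
def sign(x):
    return "Neg" if x < 0 else ("Zero" if x == 0 else "Pos")


def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


# Constructed concrete system: x in -3..3, x' = min(x + 1, 3), as a successor map.
CONCRETE = {x: {min(x + 1, 3)} for x in range(-3, 4)}


def existential_abstraction(graph, h):
    """Abstract graph over h's image: a -> a' iff some s -> s' has h(s)=a, h(s')=a'.

    Every concrete path maps to an abstract path (the abstraction simulates the
    concrete system), but the abstraction may also contain paths with no
    concrete counterpart.
    """
    abstract = {h(s): set() for s in graph}
    for s, succs in graph.items():
        abstract[h(s)].update(h(t) for t in succs)
    return abstract


def af(graph, target):
    """CTL AF target: states from which every path eventually reaches target.

    Least fixpoint of Y = target ∪ { s | succ(s) non-empty and succ(s) ⊆ Y }.
    """
    y = set(target)
    while True:
        grown = y | {s for s, succs in graph.items() if succs and succs <= y}
        if grown == y:
            return y
        y = grown


def reachable(graph, start):
    seen, work = {start}, [start]
    while work:
        for t in graph[work.pop()]:
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def precision_report():
    """Compare a liveness and a safety verdict on the concrete and sign-abstract graphs."""
    abstract = existential_abstraction(CONCRETE, sign)
    # Liveness: "every negative x eventually reaches zero" (AF 0 from all x < 0).
    liveness_concrete = all(x in af(CONCRETE, {0}) for x in CONCRETE if x < 0)
    liveness_abstract = "Neg" in af(abstract, {"Zero"})
    # Safety: "once positive, x never becomes negative again".  Holding on the
    # abstraction implies holding concretely, because abstract reachability
    # over-approximates concrete reachability.
    safety_abstract = "Neg" not in reachable(abstract, "Pos")
    return {"abstract": abstract,
            "liveness_concrete": liveness_concrete,
            "liveness_abstract": liveness_abstract,
            "safety_abstract": safety_abstract}


if __name__ == "__main__":
    for key, value in precision_report().items():
        print(f"{key}: {value}")
    print("parity abstraction:", existential_abstraction(CONCRETE, parity))
```

The sign abstraction collapses -3 → -2 → -1 into a single Neg → Neg self-loop, so AF Zero fails from Neg in the abstract model even though every concrete negative state does reach 0: that spurious loop is the "loss of precision" the previous slide warns about (a false alarm on a liveness property). The safety property, by contrast, is proved on the three-state abstraction and carries over to the concrete system for free, which is the trade that makes data abstraction worthwhile.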

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of the symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* non-critical, trying, critical */
    byte tok = 1;          /* the token: held by process 1 or process 2 */

    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

In SPIN the two instances receive _pid 0 and 1 while tok ranges over 1 and 2 (the process numbers used in the state graph below), so the token test compares against _pid + 1; comparing tok == _pid directly would leave the first process unable to ever enter C.

Symmetry Reduction Example

State graph (12 reachable states; Ni/Ti/Ci = process i in N/T/C, each state listed beside its symmetric partner):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states; each equivalence class is represented by its member with tok=1, obtained by swapping the two processes and renaming the token):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
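The symmetry reduction above as a worked example, added here and not part of the slides: the two-process token model is re-encoded in Python (a state is the triple (local state of user 1, local state of user 2, tok)), its reachable state graph is explored by BFS, and then explored again while mapping every generated state to the representative of its orbit under the permutation that swaps the two users and renames the token, which is the symmetry the slide exploits. As in the slide's state graph, leaving C and handing over the token are taken as a single step. Function names are this example's own.

```python
from collections import deque

N, T, C = "N", "T", "C"
INITIAL = (N, N, 1)   # (local state of user 1, local state of user 2, tok)


def successors(s):
    """Interleaving semantics of the two user() processes of the Promela model."""
    tok = s[2]
    for i, pid in ((0, 1), (1, 2)):
        local = list(s[:2])
        if local[i] == N:                        # (state == N) -> state = T
            local[i] = T
            yield (local[0], local[1], tok)
        elif local[i] == T and tok == pid:       # (state == T) && (tok == pid) -> state = C
            local[i] = C
            yield (local[0], local[1], tok)
        elif local[i] == C:                      # (state == C) -> state = N; if :: tok=1 :: tok=2 fi
            local[i] = N
            for new_tok in (1, 2):
                yield (local[0], local[1], new_tok)


def swap(s):
    """The symmetry: exchange the two processes and rename the token accordingly."""
    return (s[1], s[0], 3 - s[2])


def representative(s):
    """Orbit representative: the member of {s, swap(s)} in which tok == 1."""
    return s if s[2] == 1 else swap(s)


def explore(start, rep=lambda s: s):
    """BFS over the state graph; `rep` canonicalises every generated state."""
    start = rep(start)
    seen, queue, transitions = {start}, deque([start]), 0
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = rep(t)
            transitions += 1
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, transitions


def mutual_exclusion(states):
    """Safety property: the two users are never in C at the same time."""
    return all(not (a == C and b == C) for a, b, _ in states)


if __name__ == "__main__":
    full, _ = explore(INITIAL)
    reduced, _ = explore(INITIAL, representative)
    print(f"full graph: {len(full)} states, mutual exclusion: {mutual_exclusion(full)}")
    print(f"reduced graph: {len(reduced)} states, mutual exclusion: {mutual_exclusion(reduced)}")
```

Exploration with the identity `rep` yields the 12 states of the slide's full graph; exploration with `representative` yields the 6 tok=1 states of the reduced graph, and mutual exclusion is checked on the reduced graph with the same verdict, because the property is itself invariant under the swap. The detection problem the slide mentions is sidestepped here by supplying the permutation by hand; automatic symmetry detection is exactly what a tool must add.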


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

            PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                       | NuSMV-ImProviso                | SPIN
                       | states    time      memory     | states    time     memory
Migratory Protocol (2) | 155040    108.63s   56.3 MB    | 435456    2.34s    42.8 MB
Stable Marriage (2)    | 710       0.84s     7.3 MB     | 568       <0.01s   1.5 MB
Stable Marriage (3)    | 1275      2.72s     10.4 MB    | 945       <0.01s   1.5 MB
Stable Marriage (5)    | 10351     31.56s    30.0 MB    | 8421      0.03s    2.1 MB
Best (7)               | 15        0.06s     0.7 MB     | 2187      0.03s    1.5 MB
Best (20)              | 41        0.34s     5.7 MB     | NA
Worst (3)              | 15        0.04s     0.3 MB     | 15        <0.01s   1.5 MB
Worst (20)             | 2097150   0.36s     5.0 MB     | 2097150   15.03s   110.6 MB
Worst (100)            | 2.54E+30  14.34s    14.6 MB    | NA

• SPIN is faster whenever it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

  processes | NuSMV                        | SPIN
            | states   time     memory     | states   time     memory
  2         | 70       0.11s    1.1 MB     | 70       <0.01s   1.5 MB
  3         | 488      0.57s    4.6 MB     | 488      <0.01s   1.5 MB
  4         | 3576     6.77s    10.6 MB    | 3576     0.10s    2.3 MB
  8         | NA                           | NA

With partial order reduction (PO):

  processes | NuSMV-ImProviso              | SPIN
            | states   time       memory   | states   time     memory
  2         | 48       0.10s      1.0 MB   | 48       0.02s    1.5 MB
  3         | 209      0.31s      3.0 MB   | 209      <0.01s   1.5 MB
  4         | 922      1.77s      10.4 MB  | 922      <0.01s   1.7 MB
  8         | 306903   3553.86s   381.8 MB | 306903   11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

            Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry

            • Model Checking and Related Techniques
            • Outline
            • Model Checking Introduction
            • Model Checking
            • Model of Concurrent Systems
            • Model of Concurrent Systems (Cont)
            • Temporal logics
            • Temporal logics (2)
            • CTL Examples
            • Fixpoint Algorithms
            • Model Checking Problem
            • Symbolic Model Checking
            • Symbolic Model Checking with BDDs
            • Ordered Binary Decision Trees and Diagrams
            • OBDD for Comparator Example
            • Variable Ordering Problem
            • Symbolic Model Checking Algorithm
            • Symbolic Model Checking (cont)
            • Symbolic Model Checking (cont) (2)
            • Problems with BDDs
            • Advantages of SAT Procedures
            • Bounded Model Checking
            • Main Advantages of SAT Approach
            • NuSMV A New Symbolic Model Verifier
            • NuSMV language by examples
            • Explicit Model Checking
• Büchi Automata
            • Example
• LTL and Büchi Automata
            • LTL Model Checking
            • Nested Depth First Search
            • Example (2)
            • Example (3)
            • Nested Depth First Search (2)
            • Nested Depth First Search (3)
            • Explicit Model Checking (2)
            • SPIN
• SPIN Example of Peterson's Algorithm
            • Outline (2)
            • Partial Order Reduction
            • The State Explosion Problem
            • Partial Order Reduction (2)
            • Partial Order Reduction (Cont)
            • Partial Order Reduction (Cont) (2)
            • Compositional Reasoning
            • Abstraction
            • Cone of Influence Reduction
            • Cone of Influence Reduction (2)
            • Data Abstraction
            • Data Abstraction Example
            • Symmetry
            • Model Written in SPIN
            • Symmetry Reduction Example
            • Outline (3)
            • PAT Process Analysis Toolkit
            • PAT Workflow Diagram
            • Fairness Assumptions
            • Specifying Fairness
            • Outline (4)
            • Comparison NuSMV-ImProviso and SPIN
            • Comparison Leader Election Protocol
            • Comparison PAT SPIN and FDR
            • Comparison Conclusion
            • Outline (5)
            • Conclusion
            • Model Checking Distributed Algorithms
            • Model Checking Distributed Algorithms (2)

              Temporal logics

              bull Temporal logics may differ according to how they handle branching in the underlying computation tree

              bull In a linear temporal logic (LTL) operators are provided for describing events along a single computation path

              bull In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state

              Temporal logicsbull Formulas are constructed from path quantifiers and temporal operators

              ndash Path quantifierbull A for every pathbull E there exists a path

              ndash Linear Temporal Operatorbull Xp p holds next timebull Fp p holds sometime in the future ()bull Gp p holds globally in the future ()bull pUq p holds until q holds

              bull In LTL only linear temporal operators are allowedbull In CTL each temporal operator must be immediately preceded by a

              path quantifierbull In CLT a path quantifier can prefix an assertion composed of arbitrary

              combinations of the usual linear-time operators

              CTL Examples

              bull The four most widely used CTL operators are illustrated

              bull Each computation tree has initial state s0 as its root

              Fixpoint Algorithms

              bull Key properties of EFp

              Model Checking Problem

              bull Let M be the state-transition graph obtained from the concurrent system

              bull Let f be the specification expressed in temporal logic

              M s |= fbull and check if initial states are among these

              Symbolic Model Checking

              bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

              of statesndash can handle much larger designs ndash hundreds of

              state variablesndash BDDs traditionally used to represent Boolean

              functions

              Symbolic Model Checking with BDDs

              bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

              bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

              bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

              Ordered Binary Decision Trees and Diagrams

              bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

              OBDD for Comparator Example

              bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

              Variable Ordering Problem

              bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

              function we get the OBDD below

              Symbolic Model Checking Algorithm

              bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

              Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

              formula in terms of the state variables

              ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

              ndash Now convert T to a OBDD

              Symbolic Model Checking (cont)

              bull Representing transition relations symbolically

              bull Boolean formula for transition relation

              bull Now represent as an OBDD

              Symbolic Model Checking (cont)

              bull How to evaluate fixpoint formulas using OBDDs

              bull Introduce state variables

              bull Now compute the sequence

              bull until convergence

              Problems with BDDs

              bull BDDs are a canonical representation Often become too large

              bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

              bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

              Advantages of SAT Procedures

              bull SAT procedures also operate on Boolean expressions but do not use canonical forms

              bull Do not suffer from the potential space explosion of BDDs

              bull Can handle functions with s to s of variables

              bull Very efficient implementations available

              Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

              bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

              bull We look for longer and longer paths by incrementing the bound k

              bull After some number of iterations we may conclude no such path exists and specification holds

              bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

              Main Advantages of SAT Approach

              bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

              bull It finds finite paths of minimal length This helps user understand the example more easily

              bull It uses much less space than BDD based approaches

              bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

              NuSMV A New Symbolic Model Verifier

              bull Finite-state Systems described in a specialized language

              bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

              checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

              efficiency and control state explosion

              NuSMV language by examples

              Explicit Model Checking

              bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

              bull Counterexample

              ndash M is the set of traces of M

              ndash is the set of traces that satisfy

              bull M

              bull Equivalently M not=

              Buumlchi Automata

              bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

              ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

              bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

              Example

              S0 S1 S2

              1=S0S1S2S2S2S2hellip

              2=S0S1S2S1S2S1hellip

              3=S0S1S2S1S1S1hellip

              ACCEPTED

              ACCEPTED

              REJECTED

              LTL and Buumlchi Automata

              bull LTL formulandash Represents a set of infinite traces which satisfy

              such formulabull Buumlchi Automaton

              ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

              and only the infinite traces represented by an LTL formula

              LTL Model Checking

              bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

              ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

              ndash The product accepts the traces of M that are also traces of Bnot (M not)

              ndash If the product accepts any sequencebull We have found a counterexample

              Nested Depth First Search

              bull The product is a Buumlchi automatonbull How do we find accepted sequences

              ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

              ndash We are interested only in cycles that contain at least an accepting state

              ndash During depth first search start a second search when we are in an accepting states

              bull If we can reach the same state again we have a cycle (and a counterexample)

              Example

              Example

              Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

              Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

              Explicit Model Checking

              bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

              bull Some states are not generated in the productbull Counterexample can be found before

              searching all statesbull Easy to optimizebull Better support for asynchronous composition

              SPIN

              bull Explicit State Model Checkerbull Process Algebra

              ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

              bull Nested Depth First Searchbull Uses a hashing function to store each state using

              only 2 bits (no guarantee of soundness)bull Partial Order Reduction

              SPIN Example of Petersonrsquos Algorithm

              bool turn flag[2]byte ncrit

              active proctype user0()again

              flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

              ncrit++ss assert(ncrit == 1) critical section

              ncrit--

              flag[0] = 0goto again

              active proctype user1()again

              flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

              ncrit++assert(ncrit == 1) critical section ncrit--

              flag[1] = 0goto again

              Outline

              bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

              bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

              bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

              Partial Order Reduction

              bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

              bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

              bull The ordering between independent transitions is largely meaningless

              The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

              explosion problembull To see this consider n transitions that can be executed

              concurrentlybull In this case there are n different orderings and 2n different states

              (one for each subset of the transitions)bull If the specification does not distinguish between these

              sequences it is beneficial to consider only one with n + 1 states

              Partial Order Reduction

              bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

              bull It exploits the commutativity of concurrently executed transitions which result in the same state

              bull Thus this reduction technique is best suited for asynchronous systems

              bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

              Partial Order Reduction (Cont)

              bull The method consists of constructing a reduced state graph

              bull The full state graph which may be too big to fit in memory is never constructed

              bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

              bull The justification of the reduction method shows that the behaviors that are not present do not add any information

              Partial Order Reduction (Cont)

              bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

              bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

              Compositional Reasoning

              bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

              receiver bull Assume-Guarantee Paradigm

              ndash Verify each sub-process separately by adding assumptions on sub-process

              ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

              Abstraction

              bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

              propertyndash Eg Infinite state Finite state approximation

              bull Disadvantage ndash Loss of Precision False positivesnegatives

              bull Approachesndash Cone of influence reductionndash Data abstraction

              Cone of Influence Reduction

              bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

              Cone of Influence Reduction

              Boolean v1 v2 v3 v4 v5 v6

              Repeat forever in parallel

              v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

              End

              (F (~ v1)) v1 will eventually become False

              Boolean v1 v2 v3

              Repeat forever in parallel

              v1 = v2

              v2 = v1 amp v3

              End

              A Simple System Model

              A Simple LTL property

              Cone of Influence Reduction

              Data Abstraction

              h h hh h

              Abstraction Function h S Srsquo

              S

              Srsquo

              Data Abstraction Example

              bull Abstraction proceeds component-wise where variables are components

              xint Even

              Oddhellip -3 -1 1 3 hellip

              hellip -2 0 2 4 hellip

              1 2 3 hellip

              hellip -3 -2 -1

              0

              Pos

              Neg

              Zeroyint

              Symmetry

              bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

              equivalence class

              bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

              bull Ideally both should be fully automatic

              bull Challenges detecting amp exploiting symmetries

              Model Written in SPIN

              byte tok = 1

              active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

              Symmetry Reduction Example

              N1 N2

              tok=1N1 N2

              tok=2

              N1 T2

              tok=1T1 N2

              tok=2T1 N2

              tok=1N1 T2

              tok=2

              T1 T2

              tok=1T1 T2

              tok=2C1 N2

              tok=1N1 C2

              tok=2

              C1 T2

              tok=1T1 C2

              tok=2

              N1 N2

              tok=1

              N1 T2

              tok=1T1 N2

              tok=1

              T1 T2

              tok=1C1 N2

              tok=1

              C1 T2

              tok=1

              State-graphReduced state-graph

              Outline

              bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

              bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

              bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

              PAT Process Analysis Toolkit

              bull A interactive system to support composing simulating and reasoning of extended Process Algebra

              bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

              bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

              bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

              PAT Workflow Diagram

              Fairness Assumptions

              bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

              bull deadlock-freeness FALSEbull non-starvation FALSE

              Specifying Fairness

              bull Let e be an eventaction

              bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

              Outline

              bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

              bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

              bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

              Comparison NuSMV-ImProviso and SPIN

              states time memory states time memory

              Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

              Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

              Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

              Worst (100) 254E+30 1434s 146 MB

              NuSMV-ImProviso SPIN

              NA1

              NA1

              bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

              Comparison Leader Election Protocol

              states time memory states time memory

              2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

              8

              states time memory states time memory

              2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

              SPIN

              NA1

              Non-PO

              PONuSMV-ImProviso

              NuSMV

              NA1

              SPIN

              bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

              Comparison PAT SPIN and FDR

              Comparison Conclusion

              bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

              bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

              Outlinebull Model Checking Techniques

              ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

              bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

              bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

              Conclusion

              bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

              bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

              Model Checking Distributed Algorithms

              bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

              Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

              Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

              ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

              ndash Model Checking Transactional Memories

              Model Checking Distributed Algorithms

              bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

              bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

              for the fairness with POR)

              bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry




                  CTL Examples

                  bull The four most widely used CTL operators are illustrated

                  bull Each computation tree has initial state s0 as its root

                  Fixpoint Algorithms

                  bull Key properties of EFp

                  Model Checking Problem

                  bull Let M be the state-transition graph obtained from the concurrent system

                  bull Let f be the specification expressed in temporal logic

                  M s |= fbull and check if initial states are among these

                  Symbolic Model Checking

                  bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

                  of statesndash can handle much larger designs ndash hundreds of

                  state variablesndash BDDs traditionally used to represent Boolean

                  functions

                  Symbolic Model Checking with BDDs

                  bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

                  bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

                  bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

                  Ordered Binary Decision Trees and Diagrams

                  bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

                  OBDD for Comparator Example

                  bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                  Variable Ordering Problem

                  bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                  function we get the OBDD below

                  Symbolic Model Checking Algorithm

                  bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                  Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                  formula in terms of the state variables

                  ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                  ndash Now convert T to a OBDD

                  Symbolic Model Checking (cont)

                  bull Representing transition relations symbolically

                  bull Boolean formula for transition relation

                  bull Now represent as an OBDD

                  Symbolic Model Checking (cont)

                  bull How to evaluate fixpoint formulas using OBDDs

                  bull Introduce state variables

                  bull Now compute the sequence

                  bull until convergence

                  Problems with BDDs

                  bull BDDs are a canonical representation Often become too large

                  bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                  bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                  Advantages of SAT Procedures

                  bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                  bull Do not suffer from the potential space explosion of BDDs

                  bull Can handle functions with s to s of variables

                  bull Very efficient implementations available

                  Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                  bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                  bull We look for longer and longer paths by incrementing the bound k

                  bull After some number of iterations we may conclude no such path exists and specification holds

                  bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures.

• It finds finite paths of minimal length. This helps the user understand the example more easily.

• It uses much less space than BDD-based approaches.

• It does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient.

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula
  – All traces of M must satisfy the formula
  – If a trace of M does not satisfy it: counterexample

• Two sets of traces
  – the set of traces of M
  – the set of traces that satisfy the formula

• The traces of M must be contained in the traces that satisfy the formula

• Equivalently, the intersection of the traces of M with the traces of the negated formula is empty

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of S, I, a transition relation and F, where
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(Figure: a Büchi automaton over the states S0, S1, S2)

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula
  – Build the Büchi automaton B¬ for the negated formula
  – Compute the product of M and B¬
    • Each state of M is labeled with propositions
    • Each state of B¬ is labeled with propositions
    • Match states with the same labels
  – The product accepts exactly the traces of M that are also traces of B¬, i.e. the traces of M that violate the formula
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

                  Example

                  Example

Nested Depth First Search

procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detected"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
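The two procedures above, implemented in Python as an added example (not code from the slides or from SPIN). The product automaton `PRODUCT` and its accepting set are constructed here: it has one cycle without an accepting state and one through the accepting state `e`, so the search must skip the first and report the second as a counterexample (prefix plus accepting cycle).

```python
"""Nested depth-first search for an accepting cycle in a Büchi automaton.

Added example, not code from the slides or from SPIN.  PRODUCT is a
constructed stand-in for the product of the model with the automaton of
the negated formula: states are plain strings, 'e' is the only accepting one.
"""
from typing import Dict, FrozenSet, Hashable, List, Optional, Tuple

State = Hashable
Succ = Dict[State, List[State]]

# Constructed product automaton: the b/d loop contains no accepting state,
# the e/f loop does, so only the second loop is a counterexample.
PRODUCT: Succ = {
    "a": ["b", "c"],
    "b": ["d"],
    "d": ["b"],
    "c": ["e"],
    "e": ["f"],
    "f": ["e"],
}
ACCEPTING: FrozenSet[State] = frozenset({"e"})


def nested_dfs(succ: Succ, init: State, accepting: FrozenSet[State]
               ) -> Optional[Tuple[List[State], List[State]]]:
    """Return (prefix, cycle) for an accepting cycle reachable from init, else None.

    DFS visits every reachable state once.  After it has finished the
    successors of an accepting state `seed`, DFS2 looks for a path from seed
    back to seed.  visited2 is shared by all inner searches, which keeps the
    whole algorithm linear in the size of the product.
    """
    visited: set = set()
    visited2: set = set()
    stack: List[State] = []      # current outer path; becomes the prefix
    found: Optional[Tuple[List[State], List[State]]] = None

    def dfs2(s: State, seed: State, path: List[State]) -> bool:
        nonlocal found
        visited2.add(s)
        for t in succ.get(s, []):
            if t == seed:                        # closed a cycle through seed
                found = (stack[:-1], path + [t])
                return True
            if t not in visited2 and dfs2(t, seed, path + [t]):
                return True
        return False

    def dfs(s: State) -> bool:
        visited.add(s)
        stack.append(s)
        for t in succ.get(s, []):
            if t not in visited and dfs(t):
                return True
        # Post-order: start the inner search once the successors of s are done.
        if s in accepting and dfs2(s, s, [s]):
            return True
        stack.pop()
        return False

    dfs(init)
    return found


if __name__ == "__main__":
    print(nested_dfs(PRODUCT, "a", ACCEPTING))   # (['a', 'c'], ['e', 'f', 'e'])
```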

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
  • Some states are not generated in the product
  • A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until entry is allowed */
    ncrit++;
ss: assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until entry is allowed */
    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.

• The ordering between independent transitions is largely meaningless.

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem.
• To see this, consider n transitions that can be executed concurrently.
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions).
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states.

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched.

• It exploits the commutativity of concurrently executed transitions which result in the same state.

• Thus this reduction technique is best suited for asynchronous systems.

• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph.

• The full state graph, which may be too big to fit in memory, is never constructed.

• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.

• The justification of the reduction method shows that the behaviors that are not present do not add any information.

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution.

• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification for such a system can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions about the sub-processes it interacts with
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. replace an infinite-state system by a finite-state approximation

• Disadvantage
  – Loss of precision: false positives/negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction (example)

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6
    End

A simple LTL property: F(~v1), i.e. v1 will eventually become False.

The model after cone of influence reduction:

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3
    End
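Computing the cone of influence for the five-variable system above, as an added example (not the slides' own code): `DEPENDS` encodes which variables each assignment reads, the cone of V = {v1} closes that relation transitively, and only assignments of variables inside the cone survive. The same function also handles a formula over v4, whose cone pulls in every variable including the free input v6.

```python
"""Cone-of-influence reduction for the slide's five-variable example.

Added example, not the slides' own code.  DEPENDS encodes the synchronous
program on the slide: for each assigned variable, the variables its
next-state expression reads.  v6 is read but never assigned (a free input).
"""
from typing import Dict, FrozenSet, Iterable, Set

Deps = Dict[str, FrozenSet[str]]

DEPENDS: Deps = {
    "v1": frozenset({"v2"}),            # v1 = v2
    "v2": frozenset({"v1", "v3"}),      # v2 = v1 & v3
    "v3": frozenset({"v1", "v2"}),      # v3 = v1 & v2
    "v4": frozenset({"v5", "v3"}),      # v4 = v5 & v3
    "v5": frozenset({"v4", "v6"}),      # v5 = v4 & v6
}


def cone_of_influence(deps: Deps, roots: Iterable[str]) -> FrozenSet[str]:
    """Smallest superset of roots closed under 'is read by the assignment of'.

    A variable outside the cone can never change the value of a variable in
    it, so an LTL formula over the roots cannot observe it.
    """
    cone: Set[str] = set(roots)
    work = list(cone)
    while work:
        v = work.pop()
        for w in deps.get(v, frozenset()):
            if w not in cone:
                cone.add(w)
                work.append(w)
    return frozenset(cone)


def reduce_model(deps: Deps, roots: Iterable[str]) -> Deps:
    """Keep only the assignments of variables in the cone; drop the rest."""
    cone = cone_of_influence(deps, roots)
    return {v: d for v, d in deps.items() if v in cone}


if __name__ == "__main__":
    # F(~v1) mentions only v1, so V = {v1}.
    print(sorted(cone_of_influence(DEPENDS, ["v1"])))   # ['v1', 'v2', 'v3']
    print(sorted(reduce_model(DEPENDS, ["v1"])))        # ['v1', 'v2', 'v3']
```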

Data Abstraction

(Figure: abstraction function h mapping the concrete state space S onto the abstract state space S′)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  – x : int is abstracted to {Even, Odd}: Odd = {…, -3, -1, 1, 3, …}, Even = {…, -2, 0, 2, 4, …}
  – y : int is abstracted to {Pos, Neg, Zero}: Pos = {1, 2, 3, …}, Neg = {…, -3, -2, -1}, Zero = {0}

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – symmetry detection
  – efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* assumed declaration: the slide uses N, T, C without showing it */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State graph (12 states, written as the locations of user 1 and user 2 plus the token):
N1 N2 tok=1; N1 N2 tok=2; N1 T2 tok=1; T1 N2 tok=2; T1 N2 tok=1; N1 T2 tok=2;
T1 T2 tok=1; T1 T2 tok=2; C1 N2 tok=1; N1 C2 tok=2; C1 T2 tok=1; T1 C2 tok=2

Reduced state graph (6 states, one representative per symmetric pair):
N1 N2 tok=1; N1 T2 tok=1; T1 N2 tok=1; T1 T2 tok=1; C1 N2 tok=1; C1 T2 tok=1
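Enumerating both graphs for the token model above, as an added example (not the slides' or SPIN's code): the Promela do-loop is re-encoded as a successor function, the symmetry is the swap of the two processes together with relabelling the token, and the reduced search stores and expands only the orbit representative with tok = 1. Processes are numbered 1 and 2 here to match the picture.

```python
"""Symmetry reduction for the two-process token model on the slide.

Added example, not the slides' or SPIN's code.  The Promela model is
re-encoded as a Python successor function so the full and the reduced state
graphs can be enumerated and compared.  Processes are numbered 1 and 2 to
match the state-graph picture (tok == 1 lets user 1 into C, tok == 2 user 2).
"""
from typing import Callable, FrozenSet, Iterator, List, Set, Tuple

N, T, C = "N", "T", "C"
State = Tuple[str, str, int]   # (location of user 1, location of user 2, tok)


def successors(s: State) -> Iterator[State]:
    """One interleaving step of the do-loop: N->T freely, T->C only when the
    process holds the token, C->N handing the token to user 1 or user 2."""
    locs: List[str] = [s[0], s[1]]
    tok = s[2]
    for i in (0, 1):
        pid = i + 1
        if locs[i] == N:
            yield _with(locs, i, T, tok)
        elif locs[i] == T and tok == pid:
            yield _with(locs, i, C, tok)
        elif locs[i] == C:
            for new_tok in (1, 2):            # the non-deterministic if ... fi
                yield _with(locs, i, N, new_tok)


def _with(locs: List[str], i: int, loc: str, tok: int) -> State:
    new = list(locs)
    new[i] = loc
    return (new[0], new[1], tok)


def swap(s: State) -> State:
    """The symmetry of the model: exchange the two processes, relabel the token."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Representative of the orbit {s, swap(s)}: the member with tok == 1."""
    return s if s[2] == 1 else swap(s)


def reachable(init: State, use_symmetry: bool) -> FrozenSet[State]:
    """Explicit-state reachability.  With use_symmetry, every state is stored
    and expanded through its canonical representative only."""
    rep: Callable[[State], State] = canonical if use_symmetry else (lambda s: s)
    start = rep(init)
    seen: Set[State] = {start}
    work = [start]
    while work:
        s = work.pop()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return frozenset(seen)


if __name__ == "__main__":
    full = reachable((N, N, 1), use_symmetry=False)
    reduced = reachable((N, N, 1), use_symmetry=True)
    print(len(full), len(reduced))     # 12 6
```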

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model checkers
  – Explicit model checker
  – Bounded model checker

• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.

• Example results
  – deadlock-freeness: FALSE
  – non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                   SPIN
                         states    time     memory         states    time     memory
Migratory Protocol (2)   155040    10863s   563 MB         435456    234s     428 MB
Stable Marriage (2)      710       084s     73 MB          568       <001s    15 MB
Stable Marriage (3)      1275      272s     104 MB         945       <001s    15 MB
Stable Marriage (5)      10351     3156s    300 MB         8421      003s     21 MB
Best (7)                 15        006s     07 MB          2187      003s     15 MB
Best (20)                41        034s     57 MB          NA¹
Worst (3)                15        004s     03 MB          15        <001s    15 MB
Worst (20)               2097150   036s     50 MB          2097150   1503s    1106 MB
Worst (100)              254E+30   1434s    146 MB         NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)
        NuSMV                              SPIN
        states    time      memory         states    time     memory
2       70        011s      11 MB          70        <001s    15 MB
3       488       057s      46 MB          488       <001s    15 MB
4       3576      677s      106 MB         3576      010s     23 MB
8       NA¹                                NA¹

PO (with partial order reduction)
        NuSMV-ImProviso                    SPIN
        states    time      memory         states    time     memory
2       48        010s      10 MB          48        002s     15 MB
3       209       031s      30 MB          209       <001s    15 MB
4       922       177s      104 MB         922       <001s    17 MB
8       306903    355386s   3818 MB        306903    1182s    2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful.

• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry


                    Fixpoint Algorithms

                    bull Key properties of EFp

                    Model Checking Problem

                    bull Let M be the state-transition graph obtained from the concurrent system

                    bull Let f be the specification expressed in temporal logic

                    M s |= fbull and check if initial states are among these

                    Symbolic Model Checking

                    bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

                    of statesndash can handle much larger designs ndash hundreds of

                    state variablesndash BDDs traditionally used to represent Boolean

                    functions

                    Symbolic Model Checking with BDDs

                    bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

                    bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

                    bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

                    Ordered Binary Decision Trees and Diagrams

                    bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

                    OBDD for Comparator Example

                    bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                    Variable Ordering Problem

                    bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                    function we get the OBDD below

                    Symbolic Model Checking Algorithm

                    bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                    Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                    formula in terms of the state variables

                    ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                    ndash Now convert T to a OBDD

                    Symbolic Model Checking (cont)

                    bull Representing transition relations symbolically

                    bull Boolean formula for transition relation

                    bull Now represent as an OBDD

                    Symbolic Model Checking (cont)

                    bull How to evaluate fixpoint formulas using OBDDs

                    bull Introduce state variables

                    bull Now compute the sequence

                    bull until convergence

                    Problems with BDDs

                    bull BDDs are a canonical representation Often become too large

                    bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                    bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                    Advantages of SAT Procedures

                    bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                    bull Do not suffer from the potential space explosion of BDDs

                    bull Can handle functions with s to s of variables

                    bull Very efficient implementations available

                    Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                    bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                    bull We look for longer and longer paths by incrementing the bound k

                    bull After some number of iterations we may conclude no such path exists and specification holds

                    bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                    Main Advantages of SAT Approach

                    bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                    bull It finds finite paths of minimal length This helps user understand the example more easily

                    bull It uses much less space than BDD based approaches

                    bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                    NuSMV A New Symbolic Model Verifier

                    bull Finite-state Systems described in a specialized language

                    bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                    checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                    efficiency and control state explosion

                    NuSMV language by examples

                    Explicit Model Checking

                    bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                    bull Counterexample

                    ndash M is the set of traces of M

                    ndash is the set of traces that satisfy

                    bull M

                    bull Equivalently M not=

                    Buumlchi Automata

                    bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                    ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                    bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                    Example

                    S0 S1 S2

                    1=S0S1S2S2S2S2hellip

                    2=S0S1S2S1S2S1hellip

                    3=S0S1S2S1S1S1hellip

                    ACCEPTED

                    ACCEPTED

                    REJECTED

                    LTL and Buumlchi Automata

                    bull LTL formulandash Represents a set of infinite traces which satisfy

                    such formulabull Buumlchi Automaton

                    ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                    and only the infinite traces represented by an LTL formula

                    LTL Model Checking

                    bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                    ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                    ndash The product accepts the traces of M that are also traces of Bnot (M not)

                    ndash If the product accepts any sequencebull We have found a counterexample

                    Nested Depth First Search

                    bull The product is a Buumlchi automatonbull How do we find accepted sequences

                    ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                    ndash We are interested only in cycles that contain at least an accepting state

                    ndash During depth first search start a second search when we are in an accepting states

                    bull If we can reach the same state again we have a cycle (and a counterexample)

                    Example

                    Example

                    Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                    Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                    Explicit Model Checking

                    bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                    bull Some states are not generated in the productbull Counterexample can be found before

                    searching all statesbull Easy to optimizebull Better support for asynchronous composition

                    SPIN

                    bull Explicit State Model Checkerbull Process Algebra

                    ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                    bull Nested Depth First Searchbull Uses a hashing function to store each state using

                    only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                    SPIN Example of Petersonrsquos Algorithm

                    bool turn flag[2]byte ncrit

                    active proctype user0()again

                    flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                    ncrit++ss assert(ncrit == 1) critical section

                    ncrit--

                    flag[0] = 0goto again

                    active proctype user1()again

                    flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                    ncrit++assert(ncrit == 1) critical section ncrit--

                    flag[1] = 0goto again

                    Outline

                    bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                    bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                    bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                    Partial Order Reduction

                    bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                    bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                    bull The ordering between independent transitions is largely meaningless

                    The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                    explosion problembull To see this consider n transitions that can be executed

                    concurrentlybull In this case there are n different orderings and 2n different states

                    (one for each subset of the transitions)bull If the specification does not distinguish between these

                    sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions that result in the same state.
• Thus this reduction technique is best suited for asynchronous systems.
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
• The justification of the reduction method shows that the behaviors that are not present do not add any information.

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution.
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.
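The counting argument above (n! orderings, 2^n states, n + 1 states after reduction) can be reproduced with a small explicit-state explorer. The following Python is an added example, not code from the slides or from any model checker: it builds n transitions that pairwise commute (transition t_i sets Boolean x_i), explores the full interleaving graph, and then explores again while expanding only one enabled transition per state, which is the "representatives" idea in its simplest form. The one-successor rule is only sound here because every transition commutes with every other and none is visible to the property; a real partial order reduction must check those conditions (and a cycle proviso) before pruning.

```python
from functools import lru_cache

# Added example (not the slides' code): n independent transitions t_0..t_{n-1},
# where t_i sets the Boolean x_i from 0 to 1. Any two of them commute, so every
# interleaving ends in the same state; only the order of the steps differs.
def independent_transitions(n):
    """List of (name, enabled, apply) triples for n pairwise commuting transitions."""
    def make(i):
        return (f"t{i}",
                lambda s: s[i] == 0,                     # enabled while x_i is still 0
                lambda s: s[:i] + (1,) + s[i + 1:])      # effect: set x_i to 1
    return [make(i) for i in range(n)]


def explore(n, transitions, reduced):
    """Reachable states from the all-zero state by depth-first search.

    reduced=False expands every enabled transition: the full interleaving graph.
    reduced=True expands a single enabled transition per state, which is the
    "representatives" idea of the slides restricted to transitions that all
    commute and are invisible to the property. A general partial order
    reduction must additionally check independence, visibility and the cycle
    (proviso) condition before shrinking the set of explored successors.
    """
    init = (0,) * n
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        enabled = [t for t in transitions if t[1](s)]
        if reduced and enabled:
            enabled = enabled[:1]          # one representative successor
        for _, _, apply in enabled:
            nxt = apply(s)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def state_counts(n):
    """(full state count, reduced state count): expected 2**n and n + 1."""
    ts = independent_transitions(n)
    return (len(explore(n, ts, reduced=False)),
            len(explore(n, ts, reduced=True)))


def count_orderings(n):
    """Number of distinct interleavings from the initial to the final state: n!."""
    ts = independent_transitions(n)

    @lru_cache(maxsize=None)
    def paths(s):
        enabled = [t for t in ts if t[1](s)]
        if not enabled:
            return 1
        return sum(paths(apply(s)) for _, _, apply in enabled)

    return paths((0,) * n)


def final_state_reached(n):
    """The reduced graph still reaches the terminal state in which every x_i is 1."""
    ts = independent_transitions(n)
    return (1,) * n in explore(n, ts, reduced=True)


if __name__ == "__main__":
    for n in range(1, 8):
        print(n, state_counts(n), count_orderings(n))
```

Running the script prints, for each n, the pair (2^n, n + 1) followed by n!, which is exactly the growth the slide warns about and the reduction it proposes.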

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, under assumptions about the rest of the system
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6;
    End

A Simple LTL property:

    F (~v1)        -- v1 will eventually become False

Cone of Influence Reduction with respect to {v1} (the cone is {v1, v2, v3}, since v1 reads v2, v2 reads v1 and v3, and v3 reads v1 and v2):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;
    End
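The reduction on this slide can be mechanised: the cone of influence is the closure of the property's variables under "reads from", and dropping every assignment outside the cone must not change the verdict of F(~v1). The following Python is an added example, not code from the slides or from NuSMV. It encodes the six-variable system above as a table of next-state functions (v6 is never assigned, so it keeps its value), computes the cone, builds the reduced model, and checks F(~v1) on both. Because the assignments are synchronous and deterministic, a run either reaches a state with v1 = False or revisits a state while v1 stays True, so the check is a simple trajectory walk.

```python
from itertools import product

# Added example (not the slides' code). The six-variable system from the slide,
# written as: variable -> (variables its next-state function reads, the function).
# v6 is never assigned, so it keeps its value and "reads" only itself.
FULL_MODEL = {
    "v1": (("v2",),       lambda s: s["v2"]),
    "v2": (("v1", "v3"),  lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"),  lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"),  lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"),  lambda s: s["v4"] and s["v6"]),
    "v6": (("v6",),       lambda s: s["v6"]),
}


def cone_of_influence(model, variables):
    """Smallest set containing `variables` that is closed under 'reads from'."""
    cone, work = set(), list(variables)
    while work:
        v = work.pop()
        if v in cone:
            continue
        cone.add(v)
        work.extend(model[v][0])
    return cone


def reduce_model(model, cone):
    """Keep only the assignments of variables inside the cone."""
    return {v: model[v] for v in model if v in cone}


def step(model, state):
    """One synchronous step: every assignment is evaluated on the old state."""
    return {v: bool(f(state)) for v, (_, f) in model.items()}


def eventually_false(model, state, var):
    """True iff F(~var) holds on the deterministic run starting in `state`."""
    seen = set()
    while True:
        if not state[var]:
            return True
        key = tuple(sorted(state.items()))
        if key in seen:
            return False           # loop on which var stays True: counterexample
        seen.add(key)
        state = step(model, state)


def initial_states(model):
    """Every valuation of the model's variables (the system has no init constraint)."""
    names = sorted(model)
    for bits in product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))


def verdicts_agree(full, reduced, var):
    """The slide's claim: M |= F(~var) iff N |= F(~var), checked per initial state."""
    for s in initial_states(full):
        projected = {v: s[v] for v in reduced}
        if eventually_false(full, s, var) != eventually_false(reduced, projected, var):
            return False
    return True


def counterexample(model, var):
    """An initial state from which F(~var) fails, or None if it holds everywhere."""
    for s in initial_states(model):
        if not eventually_false(model, s, var):
            return s
    return None


CONE = cone_of_influence(FULL_MODEL, {"v1"})
REDUCED_MODEL = reduce_model(FULL_MODEL, CONE)

if __name__ == "__main__":
    print("cone of {v1}:", sorted(CONE))
    print("verdicts agree on all 64 initial states:", verdicts_agree(FULL_MODEL, REDUCED_MODEL, "v1"))
    print("counterexample in reduced model:", counterexample(REDUCED_MODEL, "v1"))
```

The reduced model has 8 states instead of 64, and the counterexample it reports (all of v1, v2, v3 initially True, a fixed point in which v1 never becomes False) is also a counterexample in the full model, as the theorem on the slide promises.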

Data Abstraction

Abstraction function h : S → S'
(figure: each concrete state in S is mapped by h to an abstract state in S'; several concrete states share one abstract state)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  x : int → {Even, Odd}
    Odd  = {…, -3, -1, 1, 3, …}
    Even = {…, -2, 0, 2, 4, …}
  y : int → {Pos, Neg, Zero}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
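The two maps on this slide (parity for x, sign for y) are enough to show both sides of the "loss of precision" bullet: an abstract model is built existentially (an abstract edge exists whenever some concrete edge maps onto it), every concrete violation therefore shows up abstractly, but the abstraction may also report violations that no concrete run has. The following Python is an added example, not code from the slides. The concrete program (a countdown that increments x while y > 0) and the invariant "x is never Odd once y is Zero" are constructed for the example; the abstract transition relation is obtained by enumerating a finite window of integers, which is an assumption of the example (a tool would derive it with a decision procedure), and it is exact for this program because parity and sign behave uniformly.

```python
# Added example (not the slides' code): component-wise data abstraction of a
# two-variable program. x:int is abstracted to its parity, y:int to its sign,
# the two abstraction maps shown on the slide.
def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(y):
    return "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")


def h(x, y):
    """Abstraction function h : S -> S', applied component-wise."""
    return (parity(x), sign(y))


def concrete_step(x, y):
    """Constructed concrete program: count y down to 0, incrementing x each step."""
    if y > 0:
        return (x + 1, y - 1)
    return (x, y)                      # stutter once the countdown is over


def abstract_transitions(window):
    """Existential abstraction: abstract edge h(s) -> h(s') for every concrete edge.

    The concrete relation ranges over all integers; this example enumerates a
    finite window (an assumption of the example). Parity and sign behave
    uniformly for this program, so the window yields every abstract edge.
    """
    rel = {}
    for x in window:
        for y in window:
            rel.setdefault(h(x, y), set()).add(h(*concrete_step(x, y)))
    return rel


def reachable(initial, successors):
    """Explicit-state reachability over any successor function."""
    seen, stack = {initial}, [initial]
    while stack:
        s = stack.pop()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def bad(abstract_state):
    """Invariant under test: x is never Odd once y has reached Zero."""
    return abstract_state == ("Odd", "Zero")


def abstract_violation(x0, y0, window=range(-4, 5)):
    """Does the abstract model reach a bad state from h(x0, y0)?"""
    rel = abstract_transitions(window)
    return any(bad(a) for a in reachable(h(x0, y0), lambda a: rel.get(a, ())))


def concrete_violation(x0, y0):
    """Does the concrete program reach a bad state from (x0, y0)?
    The search terminates because the countdown ends in a fixed point."""
    reach = reachable((x0, y0), lambda s: [concrete_step(*s)])
    return any(bad(h(*s)) for s in reach)


if __name__ == "__main__":
    for x0, y0 in [(0, 2), (0, 1)]:
        print((x0, y0), "abstract:", abstract_violation(x0, y0),
              "concrete:", concrete_violation(x0, y0))
```

From (0, 2) the concrete run is (0,2) → (1,1) → (2,0) and never violates the invariant, yet the abstract model reports a violation: from (Even, Pos) it cannot tell whether one or several countdown steps remain, so it admits the edge to (Odd, Zero). That is the false positive (spurious counterexample) the slide warns about. From (0, 1) the violation is real, and the abstraction reports it too, because an existential abstraction never drops a concrete behaviour.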

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* non-critical, trying, critical */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the token is numbered 1 or 2 */
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State graph (12 states; Ni/Ti/Ci is the state of process i, tok the token value):

    N1 N2 tok=1      N1 N2 tok=2
    N1 T2 tok=1      T1 N2 tok=2
    T1 N2 tok=1      N1 T2 tok=2
    T1 T2 tok=1      T1 T2 tok=2
    C1 N2 tok=1      N1 C2 tok=2
    C1 T2 tok=1      T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class; swapping the two processes and renaming the token maps the right column onto the left):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
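The twelve-state graph and its six-state quotient can be recomputed from the SPIN model on the previous slide. The following Python is an added example, not code from the slides or from SPIN: it encodes a global state as (state of process 1, state of process 2, tok), numbers the processes 1 and 2 so that process i may enter C only while tok == i, and explores once with all states and once with every state replaced by its canonical representative under the process permutation (which also renames the token). The representative is chosen so that tok = 1, matching the reduced graph drawn on the slide. Mutual exclusion is a symmetric property, so it is checked on the reduced graph without loss.

```python
from itertools import permutations

# Added example (not the slides' code): explicit-state exploration of the
# two-process token model, with processes numbered 1 and 2 so that process i
# may enter C only while tok == i. A global state is (state1, state2, tok).
INIT = ("N", "N", 1)


def _with(procs, i, new, tok):
    p = list(procs)
    p[i] = new
    return (p[0], p[1], tok)


def successors(s):
    """All interleaved successors of a global state (exactly one process moves)."""
    procs, tok = s[:2], s[2]
    out = []
    for i, st in enumerate(procs):
        pid = i + 1
        if st == "N":
            out.append(_with(procs, i, "T", tok))
        elif st == "T" and tok == pid:
            out.append(_with(procs, i, "C", tok))
        elif st == "C":
            # leave the critical section and hand the token to either process
            out.append(_with(procs, i, "N", 1))
            out.append(_with(procs, i, "N", 2))
    return out


def canonical(s):
    """Representative of the orbit of s under permutation of the two processes.

    Swapping the processes also renames the token (1 <-> 2). Among the images
    the one with the smallest (tok, state1, state2) is chosen, so every
    representative has tok = 1, as in the reduced graph on the slide.
    """
    procs, tok = s[:2], s[2]
    images = []
    for perm in permutations(range(2)):
        new_procs = tuple(procs[perm[i]] for i in range(2))
        new_tok = perm.index(tok - 1) + 1
        images.append((new_procs[0], new_procs[1], new_tok))
    return min(images, key=lambda t: (t[2], t[0], t[1]))


def reachable_states(reduce=False):
    """Reachable global states; with reduce=True, one state per symmetry class."""
    norm = canonical if reduce else (lambda s: s)
    start = norm(INIT)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = norm(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutual_exclusion(reduce=False):
    """Safety check: the two processes are never in C at the same time."""
    return all(not (s[0] == "C" and s[1] == "C") for s in reachable_states(reduce))


if __name__ == "__main__":
    print(len(reachable_states(False)), "states in the full graph")
    print(len(reachable_states(True)), "states in the reduced graph")
    print("mutual exclusion holds:", mutual_exclusion(True))
```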

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system that supports composing, simulating and reasoning about models written in an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                    PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

Example                 | NuSMV-ImProviso                 | SPIN
                        | states    time      memory      | states   time     memory
------------------------+---------------------------------+---------------------------
Migratory Protocol (2)  | 155040    108.63s   56.3 MB     | 435456   2.34s    42.8 MB
Stable Marriage (2)     | 710       0.84s     7.3 MB      | 568      <0.01s   1.5 MB
Stable Marriage (3)     | 1275      2.72s     10.4 MB     | 945      <0.01s   1.5 MB
Stable Marriage (5)     | 10351     31.56s    30.0 MB     | 8421     0.03s    2.1 MB
Best (7)                | 15        0.06s     0.7 MB      | 2187     0.03s    1.5 MB
Best (20)               | 41        0.34s     5.7 MB      | N/A¹
Worst (3)               | 15        0.04s     0.3 MB      | 15       <0.01s   1.5 MB
Worst (20)              | 2097150   0.36s     5.0 MB      | 2097150  15.03s   110.6 MB
Worst (100)             | 2.54E+30  14.34s    14.6 MB     | N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

N | NuSMV                        | SPIN
  | states   time      memory    | states   time     memory
--+------------------------------+---------------------------
2 | 70       0.11s     1.1 MB    | 70       <0.01s   1.5 MB
3 | 488      0.57s     4.6 MB    | 488      <0.01s   1.5 MB
4 | 3576     6.77s     10.6 MB   | 3576     0.10s    2.3 MB
8 | N/A¹                         | N/A¹

With partial order reduction (PO):

N | NuSMV-ImProviso              | SPIN
  | states   time      memory    | states   time     memory
--+------------------------------+---------------------------
2 | 48       0.10s     1.0 MB    | 48       0.02s    1.5 MB
3 | 209      0.31s     3.0 MB    | 209      <0.01s   1.5 MB
4 | 922      1.77s     10.4 MB   | 922      <0.01s   1.7 MB
8 | 306903   3553.86s  381.8 MB  | 306903   11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                    Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs on some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


                      Model Checking Problem

                      bull Let M be the state-transition graph obtained from the concurrent system

                      bull Let f be the specification expressed in temporal logic

                      M s |= fbull and check if initial states are among these

                      Symbolic Model Checking

                      bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

                      of statesndash can handle much larger designs ndash hundreds of

                      state variablesndash BDDs traditionally used to represent Boolean

                      functions

                      Symbolic Model Checking with BDDs

                      bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

                      bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

                      bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

                      Ordered Binary Decision Trees and Diagrams

                      bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

                      OBDD for Comparator Example

                      bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                      Variable Ordering Problem

                      bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                      function we get the OBDD below

                      Symbolic Model Checking Algorithm

                      bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                      Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                      formula in terms of the state variables

                      ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                      ndash Now convert T to a OBDD

                      Symbolic Model Checking (cont)

                      bull Representing transition relations symbolically

                      bull Boolean formula for transition relation

                      bull Now represent as an OBDD

                      Symbolic Model Checking (cont)

                      bull How to evaluate fixpoint formulas using OBDDs

                      bull Introduce state variables

                      bull Now compute the sequence

                      bull until convergence

                      Problems with BDDs

                      bull BDDs are a canonical representation Often become too large

                      bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                      bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                      Advantages of SAT Procedures

                      bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                      bull Do not suffer from the potential space explosion of BDDs

                      bull Can handle functions with s to s of variables

                      bull Very efficient implementations available

                      Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                      bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                      bull We look for longer and longer paths by incrementing the bound k

                      bull After some number of iterations we may conclude no such path exists and specification holds

                      bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                      Main Advantages of SAT Approach

                      bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                      bull It finds finite paths of minimal length This helps user understand the example more easily

                      bull It uses much less space than BDD based approaches

                      bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                      NuSMV A New Symbolic Model Verifier

                      bull Finite-state Systems described in a specialized language

                      bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                      checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                      efficiency and control state explosion

                      NuSMV language by examples

                      Explicit Model Checking

                      bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                      bull Counterexample

                      ndash M is the set of traces of M

                      ndash is the set of traces that satisfy

                      bull M

                      bull Equivalently M not=

                      Buumlchi Automata

                      bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                      ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                      bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                      Example

                      S0 S1 S2

                      1=S0S1S2S2S2S2hellip

                      2=S0S1S2S1S2S1hellip

                      3=S0S1S2S1S1S1hellip

                      ACCEPTED

                      ACCEPTED

                      REJECTED

                      LTL and Buumlchi Automata

                      bull LTL formulandash Represents a set of infinite traces which satisfy

                      such formulabull Buumlchi Automaton

                      ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                      and only the infinite traces represented by an LTL formula

                      LTL Model Checking

                      bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                      ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                      ndash The product accepts the traces of M that are also traces of Bnot (M not)

                      ndash If the product accepts any sequencebull We have found a counterexample

                      Nested Depth First Search

                      bull The product is a Buumlchi automatonbull How do we find accepted sequences

                      ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                      ndash We are interested only in cycles that contain at least an accepting state

                      ndash During depth first search start a second search when we are in an accepting states

                      bull If we can reach the same state again we have a cycle (and a counterexample)

                      Example

                      Example

                      Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                      Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                      Explicit Model Checking

                      bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                      bull Some states are not generated in the productbull Counterexample can be found before

                      searching all statesbull Easy to optimizebull Better support for asynchronous composition

                      SPIN

                      bull Explicit State Model Checkerbull Process Algebra

                      ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                      bull Nested Depth First Searchbull Uses a hashing function to store each state using

                      only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                      SPIN Example of Petersonrsquos Algorithm

                      bool turn flag[2]byte ncrit

                      active proctype user0()again

                      flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                      ncrit++ss assert(ncrit == 1) critical section

                      ncrit--

                      flag[0] = 0goto again

                      active proctype user1()again

                      flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                      ncrit++assert(ncrit == 1) critical section ncrit--

                      flag[1] = 0goto again

                      Outline

                      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                      Partial Order Reduction

                      bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                      bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                      bull The ordering between independent transitions is largely meaningless

                      The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                      explosion problembull To see this consider n transitions that can be executed

                      concurrentlybull In this case there are n different orderings and 2n different states

                      (one for each subset of the transitions)bull If the specification does not distinguish between these

                      sequences it is beneficial to consider only one with n + 1 states

                      Partial Order Reduction

                      bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                      bull It exploits the commutativity of concurrently executed transitions which result in the same state

                      bull Thus this reduction technique is best suited for asynchronous systems

                      bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                      Partial Order Reduction (Cont)

                      bull The method consists of constructing a reduced state graph

                      bull The full state graph which may be too big to fit in memory is never constructed

                      bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                      bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                      Partial Order Reduction (Cont)

                      bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                      bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                      Compositional Reasoning

                      bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                      receiver bull Assume-Guarantee Paradigm

                      ndash Verify each sub-process separately by adding assumptions on sub-process

                      ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                      Abstraction

                      bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                      propertyndash Eg Infinite state Finite state approximation

                      bull Disadvantage ndash Loss of Precision False positivesnegatives

                      bull Approachesndash Cone of influence reductionndash Data abstraction

                      Cone of Influence Reduction

                      bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                      Cone of Influence Reduction

                      Boolean v1 v2 v3 v4 v5 v6

                      Repeat forever in parallel

                      v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                      End

                      (F (~ v1)) v1 will eventually become False

                      Boolean v1 v2 v3

                      Repeat forever in parallel

                      v1 = v2

                      v2 = v1 amp v3

                      End

                      A Simple System Model

                      A Simple LTL property

                      Cone of Influence Reduction

                      Data Abstraction

                      h h hh h

                      Abstraction Function h S Srsquo

                      S

                      Srsquo

                      Data Abstraction Example

                      bull Abstraction proceeds component-wise where variables are components

                      xint Even

                      Oddhellip -3 -1 1 3 hellip

                      hellip -2 0 2 4 hellip

                      1 2 3 hellip

                      hellip -3 -2 -1

                      0

                      Pos

                      Neg

                      Zeroyint

                      Symmetry

                      bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                      equivalence class

                      bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                      bull Ideally both should be fully automatic

                      bull Challenges detecting amp exploiting symmetries

                      Model Written in SPIN

                      byte tok = 1

                      active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                      Symmetry Reduction Example

                      N1 N2

                      tok=1N1 N2

                      tok=2

                      N1 T2

                      tok=1T1 N2

                      tok=2T1 N2

                      tok=1N1 T2

                      tok=2

                      T1 T2

                      tok=1T1 T2

                      tok=2C1 N2

                      tok=1N1 C2

                      tok=2

                      C1 T2

                      tok=1T1 C2

                      tok=2

                      N1 N2

                      tok=1

                      N1 T2

                      tok=1T1 N2

                      tok=1

                      T1 T2

                      tok=1C1 N2

                      tok=1

                      C1 T2

                      tok=1

                      State-graphReduced state-graph

                      Outline

                      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness together with Partial Order Reduction
  – Bounded Model Checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.

• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).
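The two annotations differ in what they promise about a run. The Python below is an added example, not the slides' or PAT's code: it evaluates wf(e) and sf(e) for an event on a lasso-shaped run (finite prefix plus a loop repeated forever, the shape in which an explicit-state checker reports a counterexample), and shows how a fairness assumption filters out candidate counterexamples. The toy system, its enabled-event sets and the three runs are constructed for the example.

```python
# Added example (not from the slides, not PAT's own code): weak and strong
# fairness of one event on a lasso run, using the standard definitions:
#   sf(e): e enabled infinitely often       => e taken infinitely often
#   wf(e): e enabled continuously from some point on => e taken infinitely often

# Constructed toy system: in s0 both events are enabled, in s1 only b is.
ENABLED = {"s0": {"a", "b"}, "s1": {"b"}}

# A run is a list of (state, event taken from that state) plus the index at
# which the loop starts; the last step returns to the state at loop_start.
RUN_ALTERNATING = ([("s0", "b"), ("s1", "b")], 0)   # s0 -b-> s1 -b-> s0 -b-> ...
RUN_STUCK = ([("s0", "b")], 0)                      # s0 -b-> s0 -b-> ... (a never taken)
RUN_FAIR = ([("s0", "a"), ("s0", "b")], 0)          # a taken once per loop iteration


def taken_infinitely_often(run, loop_start, event):
    # On a lasso, "infinitely often" means "somewhere in the loop".
    return any(e == event for _, e in run[loop_start:])


def enabled_infinitely_often(run, loop_start, event):
    return any(event in ENABLED[s] for s, _ in run[loop_start:])


def enabled_continuously(run, loop_start, event):
    # "From some point on" collapses to "in every state of the loop".
    return all(event in ENABLED[s] for s, _ in run[loop_start:])


def sf(run, loop_start, event):
    """Strong fairness of event on this run."""
    return (not enabled_infinitely_often(run, loop_start, event)) or \
        taken_infinitely_often(run, loop_start, event)


def wf(run, loop_start, event):
    """Weak fairness of event on this run."""
    return (not enabled_continuously(run, loop_start, event)) or \
        taken_infinitely_often(run, loop_start, event)


def classify(run, loop_start, event):
    return {"wf": wf(run, loop_start, event), "sf": sf(run, loop_start, event)}


def admissible(run, loop_start, assumptions):
    """A candidate counterexample is reported only if it satisfies every declared
    fairness assumption, e.g. assumptions = [("wf", "a"), ("sf", "b")]."""
    checks = {"wf": wf, "sf": sf}
    return all(checks[kind](run, loop_start, ev) for kind, ev in assumptions)


if __name__ == "__main__":
    for name, (run, start) in [("alternating", RUN_ALTERNATING),
                               ("stuck", RUN_STUCK), ("fair", RUN_FAIR)]:
        print(name, classify(run, start, "a"))
```

The alternating run is the one that separates the two notions: `a` is enabled in every other loop state, so it is enabled infinitely often but not continuously; the run satisfies wf(a) and violates sf(a). Declaring wf(a) in a model therefore still lets a checker report that run as a starvation counterexample, while sf(a) rules it out. That is why the fairness annotation chosen for a model decides which "non-starvation: FALSE" verdicts are real bugs and which are artefacts of an unfair scheduler.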

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

Example                    NuSMV-ImProviso                   SPIN
                           states     time       memory      states     time      memory
Migratory Protocol (2)     155040     108.63s    56.3 MB     435456     2.34s     42.8 MB
Stable Marriage (2)        710        0.84s      7.3 MB      568        <0.01s    1.5 MB
Stable Marriage (3)        1275       2.72s      10.4 MB     945        <0.01s    1.5 MB
Stable Marriage (5)        10351      31.56s     30.0 MB     8421       0.03s     2.1 MB
Best (7)                   15         0.06s      0.7 MB      2187       0.03s     1.5 MB
Best (20)                  41         0.34s      5.7 MB      N/A
Worst (3)                  15         0.04s      0.3 MB      15         <0.01s    1.5 MB
Worst (20)                 2097150    0.36s      5.0 MB      2097150    15.03s    110.6 MB
Worst (100)                2.54E+30   14.34s     14.6 MB     N/A

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best and Worst.

Comparison: Leader Election Protocol

Non-PO (no partial order reduction)

N      NuSMV                            SPIN
       states     time      memory      states     time      memory
2      70         0.11s     1.1 MB      70         <0.01s    1.5 MB
3      488        0.57s     4.6 MB      488        <0.01s    1.5 MB
4      3576       6.77s     10.6 MB     3576       0.10s     2.3 MB
8      N/A                              N/A

PO (with partial order reduction)

N      NuSMV-ImProviso                  SPIN
       states     time       memory     states     time      memory
2      48         0.10s      1.0 MB     48         0.02s     1.5 MB
3      209        0.31s      3.0 MB     209        <0.01s    1.5 MB
4      922        1.77s      10.4 MB    922        <0.01s    1.7 MB
8      306903     3553.86s   381.8 MB   306903     11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                        Symbolic Model Checking

                        bull Method used by most ldquoindustrial strengthrdquo model checkersndash uses Boolean encoding for state machine and sets

                        of statesndash can handle much larger designs ndash hundreds of

                        state variablesndash BDDs traditionally used to represent Boolean

                        functions

                        Symbolic Model Checking with BDDs

                        bull Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987

                        bull Carl Pixley independently developed a similar algorithm as did the French researchers Coudert and Madre

                        bull BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

                        Ordered Binary Decision Trees and Diagrams

                        bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

                        OBDD for Comparator Example

                        bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                        Variable Ordering Problem

                        bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                        function we get the OBDD below

                        Symbolic Model Checking Algorithm

                        bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                        Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                        formula in terms of the state variables

                        ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                        ndash Now convert T to a OBDD

                        Symbolic Model Checking (cont)

                        bull Representing transition relations symbolically

                        bull Boolean formula for transition relation

                        bull Now represent as an OBDD

                        Symbolic Model Checking (cont)

                        bull How to evaluate fixpoint formulas using OBDDs

                        bull Introduce state variables

                        bull Now compute the sequence

                        bull until convergence

                        Problems with BDDs

                        bull BDDs are a canonical representation Often become too large

                        bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                        bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                        Advantages of SAT Procedures

                        bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                        bull Do not suffer from the potential space explosion of BDDs

                        bull Can handle functions with s to s of variables

                        bull Very efficient implementations available

                        Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                        bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                        bull We look for longer and longer paths by incrementing the bound k

                        bull After some number of iterations we may conclude no such path exists and specification holds

                        bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                        Main Advantages of SAT Approach

                        bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                        bull It finds finite paths of minimal length This helps user understand the example more easily

                        bull It uses much less space than BDD based approaches

                        bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                        NuSMV A New Symbolic Model Verifier

                        bull Finite-state Systems described in a specialized language

                        bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                        checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                        efficiency and control state explosion

                        NuSMV language by examples

                        Explicit Model Checking

                        bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                        bull Counterexample

                        ndash M is the set of traces of M

                        ndash is the set of traces that satisfy

                        bull M

                        bull Equivalently M not=

                        Buumlchi Automata

                        bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                        ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                        bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                        Example

                        S0 S1 S2

                        1=S0S1S2S2S2S2hellip

                        2=S0S1S2S1S2S1hellip

                        3=S0S1S2S1S1S1hellip

                        ACCEPTED

                        ACCEPTED

                        REJECTED

                        LTL and Buumlchi Automata

                        bull LTL formulandash Represents a set of infinite traces which satisfy

                        such formulabull Buumlchi Automaton

                        ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                        and only the infinite traces represented by an LTL formula

                        LTL Model Checking

                        bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                        ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                        ndash The product accepts the traces of M that are also traces of Bnot (M not)

                        ndash If the product accepts any sequencebull We have found a counterexample

                        Nested Depth First Search

                        bull The product is a Buumlchi automatonbull How do we find accepted sequences

                        ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                        ndash We are interested only in cycles that contain at least an accepting state

                        ndash During depth first search start a second search when we are in an accepting states

                        bull If we can reach the same state again we have a cycle (and a counterexample)

                        Example

                        Example

                        Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                        Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                        Explicit Model Checking

                        bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                        bull Some states are not generated in the productbull Counterexample can be found before

                        searching all statesbull Easy to optimizebull Better support for asynchronous composition

                        SPIN

                        bull Explicit State Model Checkerbull Process Algebra

                        ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                        bull Nested Depth First Searchbull Uses a hashing function to store each state using

                        only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                        SPIN Example of Petersonrsquos Algorithm

                        bool turn flag[2]byte ncrit

                        active proctype user0()again

                        flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                        ncrit++ss assert(ncrit == 1) critical section

                        ncrit--

                        flag[0] = 0goto again

                        active proctype user1()again

                        flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                        ncrit++assert(ncrit == 1) critical section ncrit--

                        flag[1] = 0goto again

                        Outline

                        bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                        Partial Order Reduction

                        bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                        bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                        bull The ordering between independent transitions is largely meaningless

                        The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                        explosion problembull To see this consider n transitions that can be executed

                        concurrentlybull In this case there are n different orderings and 2n different states

                        (one for each subset of the transitions)bull If the specification does not distinguish between these

                        sequences it is beneficial to consider only one with n + 1 states

                        Partial Order Reduction

                        bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                        bull It exploits the commutativity of concurrently executed transitions which result in the same state

                        bull Thus this reduction technique is best suited for asynchronous systems

                        bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                        Partial Order Reduction (Cont)

                        bull The method consists of constructing a reduced state graph

                        bull The full state graph which may be too big to fit in memory is never constructed

                        bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                        bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                        Partial Order Reduction (Cont)

                        bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                        bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                        Compositional Reasoning

                        bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                        receiver bull Assume-Guarantee Paradigm

                        ndash Verify each sub-process separately by adding assumptions on sub-process

                        ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                        Abstraction

                        bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                        propertyndash Eg Infinite state Finite state approximation

                        bull Disadvantage ndash Loss of Precision False positivesnegatives

                        bull Approachesndash Cone of influence reductionndash Data abstraction

                        Cone of Influence Reduction

                        bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                        Cone of Influence Reduction

                        Boolean v1 v2 v3 v4 v5 v6

                        Repeat forever in parallel

                        v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                        End

                        (F (~ v1)) v1 will eventually become False

                        Boolean v1 v2 v3

                        Repeat forever in parallel

                        v1 = v2

                        v2 = v1 amp v3

                        End

                        A Simple System Model

                        A Simple LTL property

                        Cone of Influence Reduction

                        Data Abstraction

                        h h hh h

                        Abstraction Function h S Srsquo

                        S

                        Srsquo

                        Data Abstraction Example

                        bull Abstraction proceeds component-wise where variables are components

                        xint Even

                        Oddhellip -3 -1 1 3 hellip

                        hellip -2 0 2 4 hellip

                        1 2 3 hellip

                        hellip -3 -2 -1

                        0

                        Pos

                        Neg

                        Zeroyint

                        Symmetry

                        bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                        equivalence class

                        bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                        bull Ideally both should be fully automatic

                        bull Challenges detecting amp exploiting symmetries

                        Model Written in SPIN

                        byte tok = 1

                        active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                        Symmetry Reduction Example

                        N1 N2

                        tok=1N1 N2

                        tok=2

                        N1 T2

                        tok=1T1 N2

                        tok=2T1 N2

                        tok=1N1 T2

                        tok=2

                        T1 T2

                        tok=1T1 T2

                        tok=2C1 N2

                        tok=1N1 C2

                        tok=2

                        C1 T2

                        tok=1T1 C2

                        tok=2

                        N1 N2

                        tok=1

                        N1 T2

                        tok=1T1 N2

                        tok=1

                        T1 T2

                        tok=1C1 N2

                        tok=1

                        C1 T2

                        tok=1

                        State-graphReduced state-graph

                        Outline

                        bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                        PAT Process Analysis Toolkit

                        bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                        bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                        bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                        bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

                        PAT Workflow Diagram

                        Fairness Assumptions

                        bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                        bull deadlock-freeness FALSEbull non-starvation FALSE

                        Specifying Fairness

                        bull Let e be an eventaction

                        bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                        Outline

                        bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                        Comparison NuSMV-ImProviso and SPIN

                        states time memory states time memory

                        Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

                        Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

                        Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

                        Worst (100) 254E+30 1434s 146 MB

                        NuSMV-ImProviso SPIN

                        NA1

                        NA1

                        bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

                        Comparison Leader Election Protocol

                        states time memory states time memory

                        2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

                        8

                        states time memory states time memory

                        2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

                        SPIN

                        NA1

                        Non-PO

                        PONuSMV-ImProviso

                        NuSMV

                        NA1

                        SPIN

                        bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

                        Comparison PAT SPIN and FDR

                        Comparison Conclusion

                        bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

                        bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

                        Outlinebull Model Checking Techniques

                        ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                        Conclusion

                        bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                        bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                        Model Checking Distributed Algorithms

                        bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

                        Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

                        Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

                        ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

                        ndash Model Checking Transactional Memories

                        Model Checking Distributed Algorithms

                        bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

                        bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

                        for the fairness with POR)

                        bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

                        • Model Checking and Related Techniques
                        • Outline
                        • Model Checking Introduction
                        • Model Checking
                        • Model of Concurrent Systems
                        • Model of Concurrent Systems (Cont)
                        • Temporal logics
                        • Temporal logics (2)
                        • CTL Examples
                        • Fixpoint Algorithms
                        • Model Checking Problem
                        • Symbolic Model Checking
                        • Symbolic Model Checking with BDDs
                        • Ordered Binary Decision Trees and Diagrams
                        • OBDD for Comparator Example
                        • Variable Ordering Problem
                        • Symbolic Model Checking Algorithm
                        • Symbolic Model Checking (cont)
                        • Symbolic Model Checking (cont) (2)
                        • Problems with BDDs
                        • Advantages of SAT Procedures
                        • Bounded Model Checking
                        • Main Advantages of SAT Approach
                        • NuSMV A New Symbolic Model Verifier
                        • NuSMV language by examples
                        • Explicit Model Checking
                        • Büchi Automata
                        • Example
                        • LTL and Büchi Automata
                        • LTL Model Checking
                        • Nested Depth First Search
                        • Example (2)
                        • Example (3)
                        • Nested Depth First Search (2)
                        • Nested Depth First Search (3)
                        • Explicit Model Checking (2)
                        • SPIN
                        • SPIN Example of Peterson's Algorithm
                        • Outline (2)
                        • Partial Order Reduction
                        • The State Explosion Problem
                        • Partial Order Reduction (2)
                        • Partial Order Reduction (Cont)
                        • Partial Order Reduction (Cont) (2)
                        • Compositional Reasoning
                        • Abstraction
                        • Cone of Influence Reduction
                        • Cone of Influence Reduction (2)
                        • Data Abstraction
                        • Data Abstraction Example
                        • Symmetry
                        • Model Written in SPIN
                        • Symmetry Reduction Example
                        • Outline (3)
                        • PAT Process Analysis Toolkit
                        • PAT Workflow Diagram
                        • Fairness Assumptions
                        • Specifying Fairness
                        • Outline (4)
                        • Comparison NuSMV-ImProviso and SPIN
                        • Comparison Leader Election Protocol
                        • Comparison PAT SPIN and FDR
                        • Comparison Conclusion
                        • Outline (5)
                        • Conclusion
                        • Model Checking Distributed Algorithms
                        • Model Checking Distributed Algorithms (2)

Symbolic Model Checking with BDDs

• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987
• Carl Pixley independently developed a similar algorithm, as did the French researchers Coudert and Madre
• BDDs enabled handling much larger concurrent systems (usually an order of magnitude increase in hardware latches)

Ordered Binary Decision Trees and Diagrams

• Ordered Binary Decision Tree for the two-bit comparator given by the formula (formula and tree not reproduced)

OBDD for Comparator Example

• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below (diagram not reproduced)

Variable Ordering Problem

• The size of an OBDD depends critically on the variable ordering
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below (diagram not reproduced)

Symbolic Model Checking Algorithm

• How to represent state-transition graphs with Ordered Binary Decision Diagrams
  – Assume that system behavior is determined by n Boolean state variables v1, v2, …, vn
  – The transition relation T will be given as a Boolean formula in terms of the state variables
  – where v1, …, vn represents the current state and v'1, …, v'n represents the next state
  – Now convert T to an OBDD

Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for transition relation (formula not reproduced)
• Now represent as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables (formula not reproduced)
• Now compute the sequence of approximations (formula not reproduced)
• until convergence

Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with 1000s to 10000s of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the example more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples (examples not reproduced)

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• Let the language of M be the set of traces of M, and the language of φ the set of traces that satisfy φ
• M satisfies φ iff the language of M is contained in the language of φ
• Equivalently, the intersection of the language of M with the language of ¬φ is empty

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of S, I, a transition relation, and F, where
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

Automaton over the states S0, S1, S2 (figure not reproduced); three infinite traces:

  σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
  σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
  σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (the intersection of the language of M with the language of ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example (two figures illustrating the nested search, not reproduced)

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
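The product construction from the LTL Model Checking slide and the DFS/DFS2 procedures above, carried through in Python as an added example (not code from the slides). The request/grant model, the property G(req -> F grant) and the Büchi automaton for its negation are constructed here; the search itself follows the pseudocode.

```python
"""Explicit LTL model checking: product of a model M with the Büchi automaton
for the negated property, then nested depth-first search for an accepting
cycle. Added example; the model, property and automaton are constructed."""


def arbiter(starving):
    """Kripke structure M: state -> (propositions true in it, successors).
    With starving=True the request can stay pending forever (s1 loops),
    which violates G(req -> F grant)."""
    return {
        "s0": (frozenset(), ["s1"]),
        "s1": (frozenset({"req"}), ["s2", "s1"] if starving else ["s2"]),
        "s2": (frozenset({"req", "grant"}), ["s0"]),
    }


# Büchi automaton for the negation F(req & G !grant). Each automaton state
# carries a label predicate over M's propositions (the slides' "match states
# with the same labels"): state -> (predicate, successors).
NEG_PHI = {
    "b0": (lambda props: True, ["b0", "b1"]),                               # waiting
    "b1": (lambda props: "req" in props and "grant" not in props, ["b2"]),  # req, not granted
    "b2": (lambda props: "grant" not in props, ["b2"]),                     # never granted again
}
NEG_PHI_INIT = ["b0"]
NEG_PHI_ACCEPTING = {"b2"}   # F: seen infinitely often iff the grant never comes


def product(kripke, init, buchi, b_init, b_accepting):
    """Product automaton: the pair (m, b) exists only when b's label predicate
    holds for m's propositions. Returns (successor map, initial pairs,
    accepting pairs); it accepts exactly the traces of M that violate φ."""
    def matches(m, b):
        return buchi[b][0](kripke[m][0])

    initial = [(init, b) for b in b_init if matches(init, b)]
    succ, todo = {}, list(initial)
    while todo:
        s = todo.pop()
        if s in succ:
            continue
        m, b = s
        succ[s] = [(m2, b2) for m2 in kripke[m][1]
                   for b2 in buchi[b][1] if matches(m2, b2)]
        todo.extend(succ[s])
    accepting = {s for s in succ if s[1] in b_accepting}
    return succ, initial, accepting


def nested_dfs(succ, initial, accepting):
    """The slides' DFS/DFS2: the outer search visits every product state; when
    it backtracks over an accepting state it starts an inner search looking
    for a path back to that state. Returns the accepting state on the
    detected cycle, or None when no accepting cycle exists."""
    visited, visited2 = set(), set()
    found = []

    def dfs(s):
        visited.add(s)
        for t in succ[s]:
            if t not in visited:
                dfs(t)
                if t in accepting and not found:
                    dfs2(t, t)

    def dfs2(s, seed):
        visited2.add(s)
        for t in succ[s]:
            if t == seed:
                found.append(seed)      # "Cycle Detected"
                return
            if t not in visited2:
                dfs2(t, seed)
                if found:
                    return

    for s in initial:
        if s not in visited:
            dfs(s)
            if s in accepting and not found:   # accepting initial state: not covered by the slides' version
                dfs2(s, s)
    return found[0] if found else None


def check(starving):
    """None means M satisfies G(req -> F grant); otherwise the accepting
    product state on a counterexample lasso."""
    succ, initial, accepting = product(arbiter(starving), "s0",
                                       NEG_PHI, NEG_PHI_INIT, NEG_PHI_ACCEPTING)
    return nested_dfs(succ, initial, accepting)


if __name__ == "__main__":
    print("starving arbiter:", check(True))   # ('s1', 'b2'): request pending forever
    print("fair arbiter:", check(False))      # None: the property holds
```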

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
            flag[0] = 1;
    reach:  turn = 0;
    cs:     (flag[1 - 0] == 0 || turn == 1 - 0);   /* wait until allowed in */

            ncrit++;
    ss:     assert(ncrit == 1);     /* critical section */
            ncrit--;

            flag[0] = 0;
            goto again
    }

    active proctype user1()
    {
    again:
            flag[1] = 1;
    reach:  turn = 1;
    cs:     (flag[1 - 1] == 0 || turn == 1 - 1);   /* wait until allowed in */

            ncrit++;
            assert(ncrit == 1);     /* critical section */
            ncrit--;

            flag[1] = 0;
            goto again
    }


Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states
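The counting argument above, run as an added example (not from the slides): n processes, each with one transition that sets its own flag, are explored once with every interleaving and once following a single representative ordering. The system is constructed here; because the transitions touch disjoint variables they are pairwise independent, which is what makes expanding only one of them sound.

```python
"""State explosion from interleaving versus a single representative ordering.
Added example; the flag-setting processes are constructed here."""


def flag_setters(n):
    """n guarded transitions: process i is enabled while its flag is False
    and its action sets flag i. A state is a tuple of n flags."""
    return [(lambda s, i=i: not s[i],
             lambda s, i=i: s[:i] + (True,) + s[i + 1:]) for i in range(n)]


def explore(transitions, initial, choose):
    """Reachable states of the interleaving model. `choose` selects which
    enabled transitions to expand from a state (the ample set)."""
    seen, todo = set(), [initial]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        enabled = [t for t in transitions if t[0](s)]
        todo.extend(action(s) for _, action in choose(enabled))
    return seen


def all_enabled(enabled):
    """Full interleaving: every ordering is explored (2^n states)."""
    return enabled


def one_representative(enabled):
    """Partial order reduction in its simplest form: expand one enabled
    transition only. Valid here because every enabled transition is
    independent of the others and the property of interest (all flags
    eventually set) does not depend on the order (n + 1 states)."""
    return enabled[:1]


def count_orderings(transitions, state):
    """Number of distinct complete interleavings from `state` (n! from the
    initial state)."""
    enabled = [t for t in transitions if t[0](state)]
    if not enabled:
        return 1
    return sum(count_orderings(transitions, action(state)) for _, action in enabled)


def compare(n):
    """(states in the full graph, states in the reduced graph, orderings)."""
    ts, init = flag_setters(n), (False,) * n
    return (len(explore(ts, init, all_enabled)),
            len(explore(ts, init, one_representative)),
            count_orderings(ts, init))


if __name__ == "__main__":
    for n in (3, 4, 8):
        full, reduced, orderings = compare(n)
        print(f"n={n}: {orderings} orderings, {full} states, {reduced} reduced states")
```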

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of the composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6;
    End

A simple LTL property:

    F(~v1)      -- v1 will eventually become False

After cone of influence reduction (only the variables that influence v1 remain):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
    End
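The reduction on the slide above, carried out mechanically as an added example (not code from the slides): the cone of influence of v1 is computed as a least fixpoint over the variables each assignment reads, the reduced model keeps every assignment to a cone variable (including v3 = v1 & v2), and F(~v1) is then checked on both models to confirm they agree. Assumptions: synchronous update ("in parallel"), the unassigned variable v6 keeps its value, and every valuation is a possible initial state.

```python
"""Cone of influence reduction for the slides' six-variable model, with an
explicit check of F(~v1) on the full and the reduced model. Added example."""
import itertools
import re

FULL = {            # variable -> right-hand side, as on the slide
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}
ALL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]


def reads(expr):
    """Variables a right-hand side depends on."""
    return set(re.findall(r"v\d+", expr))


def cone_of_influence(model, targets):
    """Smallest set containing `targets` and every variable read by an
    assignment to a variable already in the set (a least fixpoint)."""
    cone = set(targets)
    while True:
        grown = cone | {d for v in cone for d in reads(model.get(v, ""))}
        if grown == cone:
            return cone
        cone = grown


def reduce_model(model, targets):
    """Keep only the assignments to cone variables; the reduced variable
    set is the cone itself."""
    cone = cone_of_influence(model, targets)
    return ({v: e for v, e in model.items() if v in cone},
            [v for v in ALL_VARS if v in cone])


def step(model, variables, state):
    """One synchronous step; `&` is the only operator on the slide.
    An unassigned variable (v6 in the full model) keeps its value."""
    env = dict(zip(variables, state))

    def value(v):
        if v not in model:
            return env[v]
        return all(env[t.strip()] for t in model[v].split("&"))
    return tuple(value(v) for v in variables)


def eventually_false(model, variables, target="v1"):
    """Check F(~target) from every initial valuation. The model is
    deterministic, so each initial state has exactly one infinite run; the
    property fails iff that run cycles through states in which target stays
    True. Returns (holds, counterexample initial state or None)."""
    idx = variables.index(target)
    for init in itertools.product([False, True], repeat=len(variables)):
        seen, s = set(), init
        while s not in seen:
            if not s[idx]:
                break                     # target became False: this run is fine
            seen.add(s)
            s = step(model, variables, s)
        else:
            return False, init            # lasso with target True forever
    return True, None


if __name__ == "__main__":
    reduced, cone_vars = reduce_model(FULL, {"v1"})
    print("cone of influence of v1:", cone_vars)     # ['v1', 'v2', 'v3']
    print("reduced model:", reduced)
    print("full   :", eventually_false(FULL, ALL_VARS))
    print("reduced:", eventually_false(reduced, cone_vars))
```

Both checks report the same counterexample class (v1 = v2 = v3 = True is a self-loop), which is what the equivalence on the first slide promises.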

Data Abstraction

Abstraction function h: S → S' (figure mapping concrete states in S to abstract states in S' not reproduced)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int → {Even, Odd}
      Even: …, -2, 0, 2, 4, …
      Odd:  …, -3, -1, 1, 3, …

  y: int → {Neg, Zero, Pos}
      Neg:  …, -3, -2, -1
      Zero: 0
      Pos:  1, 2, 3, …

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };      /* non-critical, trying, critical */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the token names processes 1 and 2 */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 states; transitions not reproduced):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
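The two graphs above, regenerated as an added example (not the slides' code): the Promela model's transitions are re-implemented in Python and the state graph is explored once in full and once with every generated state replaced by a canonical representative of its class under the swap of the two identical processes. Process ids are 1 and 2 as in the diagram.

```python
"""Symmetry reduction on the slides' two-process token model. Added example;
the transition function mirrors the 'Model Written in SPIN' slide."""
N, T, C = "N", "T", "C"      # non-critical, trying, critical


def successors(state):
    """Transitions of the Promela 'do ... od' loop for both processes.
    A state is (state of process 1, state of process 2, tok)."""
    st, tok = list(state[:2]), state[2]
    out = []
    for i, pid in ((0, 1), (1, 2)):
        nxt = st[:]
        if st[i] == N:                      # (state == N) -> state = T
            nxt[i] = T
            out.append((nxt[0], nxt[1], tok))
        elif st[i] == T and tok == pid:     # (state == T) && (tok == pid) -> state = C
            nxt[i] = C
            out.append((nxt[0], nxt[1], tok))
        elif st[i] == C:                    # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            nxt[i] = N
            out.append((nxt[0], nxt[1], 1))
            out.append((nxt[0], nxt[1], 2))
    return out


def swap(state):
    """The symmetry: exchange the two processes and relabel the token so it
    still points at the same role."""
    a, b, tok = state
    return (b, a, 3 - tok)


def canonical(state):
    """Representative of the class {state, swap(state)}: the smaller tuple."""
    return min(state, swap(state))


def explore(initial, rep=lambda s: s):
    """Reachable states; `rep` maps each generated state to the state that is
    stored and expanded (identity gives the full graph, canonical the
    reduced one). Sound because swap is an automorphism of the graph."""
    seen, todo = set(), [rep(initial)]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(rep(t) for t in successors(s))
    return seen


def mutual_exclusion(states):
    """The property the token guarantees: never both processes in C."""
    return all(not (a == C and b == C) for a, b, _ in states)


if __name__ == "__main__":
    full = explore((N, N, 1))
    reduced = explore((N, N, 1), canonical)
    print(len(full), "states in the full graph")        # 12
    print(len(reduced), "states in the reduced graph")  # 6
    print("mutual exclusion:", mutual_exclusion(full) and mutual_exclusion(reduced))
```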


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram (figure not reproduced)

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                             NuSMV-ImProviso                    SPIN
    Example                  states    time      memory         states    time     memory
    Migratory Protocol (2)   155040    108.63s   56.3 MB        435456    2.34s    42.8 MB
    Stable Marriage (2)      710       0.84s     7.3 MB         568       <0.01s   1.5 MB
    Stable Marriage (3)      1275      2.72s     10.4 MB        945       <0.01s   1.5 MB
    Stable Marriage (5)      10351     31.56s    30.0 MB        8421      0.03s    2.1 MB
    Best (7)                 15        0.06s     0.7 MB         2187      0.03s    1.5 MB
    Best (20)                41        0.34s     5.7 MB         N/A¹
    Worst (3)                15        0.04s     0.3 MB         15        <0.01s   1.5 MB
    Worst (20)               2097150   0.36s     5.0 MB         2097150   15.03s   110.6 MB
    Worst (100)              2.54E+30  14.34s    14.6 MB        N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

    Non-PO   NuSMV                            SPIN
    n        states    time      memory       states    time     memory
    2        70        0.11s     1.1 MB       70        <0.01s   1.5 MB
    3        488       0.57s     4.6 MB       488       <0.01s   1.5 MB
    4        3576      6.77s     10.6 MB      3576      0.10s    2.3 MB
    8        N/A¹                             N/A¹

    PO       NuSMV-ImProviso                  SPIN
    n        states    time      memory       states    time     memory
    2        48        0.10s     1.0 MB       48        0.02s    1.5 MB
    3        209       0.31s     3.0 MB       209       <0.01s   1.5 MB
    4        922       1.77s     10.4 MB      922       <0.01s   1.7 MB
    8        306903    3553.86s  381.8 MB     306903    11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR (table not reproduced)

Comparison: Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems



                            Ordered Binary Decision Trees and Diagrams

                            bull Ordered Binary Decision Tree for the two-bit comparator given by the formula

                            OBDD for Comparator Example

                            bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                            Variable Ordering Problem

                            bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                            function we get the OBDD below

                            Symbolic Model Checking Algorithm

                            bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                            Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                            formula in terms of the state variables

                            ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                            ndash Now convert T to a OBDD

                            Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for transition relation
• Now represent as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence
• until convergence

                            Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with s to s of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly; this is due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the example more easily
• It uses much less space than BDD-based approaches
• Does not need a manually selected variable order or costly reordering; default splitting heuristics are usually sufficient

                            NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

                            NuSMV language by examples

                            Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ
• Counterexample
  – M is the set of traces of M
  – is the set of traces that satisfy φ
• M
• Equivalently M ¬ =

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple of S, I, a transition relation and F
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

                            Example

States: S0 S1 S2

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

                            LTL and Buumlchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

                            Example

                            Example

Nested Depth First Search

  procedure DFS(s)
      visited = visited ∪ {s}
      for each successor s' of s
          if s' ∉ visited then
              DFS(s')
              if s' is accepting then DFS2(s', s') end if
          end if
      end for
  end procedure

  procedure DFS2(s, seed)
      visited2 = visited2 ∪ {s}
      for each successor s' of s
          if s' = seed then return "Cycle Detect" end if
          if s' ∉ visited2 then DFS2(s', seed) end if
      end for
  end procedure
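The DFS/DFS2 procedure above carried through in Python, run over the product of a model with the Büchi automaton B¬φ as the LTL model checking slides describe; this is an added example, not code from the deck, and the model, its labels, the automaton for ¬(G p) and every function name are constructed here.

```python
"""Nested depth-first search over the product of a model and a Büchi automaton.
Added example; the model, labels, automaton and all names are constructed here."""
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
Lasso = Tuple[List[State], List[State]]   # (prefix, cycle) of a counterexample


def find_accepting_cycle(initial: State,
                         successors: Callable[[State], Iterable[State]],
                         accepting: Callable[[State], bool]) -> Optional[Lasso]:
    """DFS explores the graph; when it backtracks over an accepting state s',
    DFS2 looks for a path from s' back to s', i.e. a cycle through an accepting state."""
    visited: Set[State] = set()    # states seen by the outer search
    visited2: Set[State] = set()   # states seen by any nested search (shared)
    path: List[State] = []         # outer DFS stack: prefix of the lasso
    path2: List[State] = []        # nested DFS stack: the cycle itself

    def dfs2(s: State, seed: State) -> bool:
        visited2.add(s)
        path2.append(s)
        for t in successors(s):
            if t == seed:                # "Cycle Detect"
                return True
            if t not in visited2 and dfs2(t, seed):
                return True
        path2.pop()
        return False

    def dfs(s: State) -> bool:
        visited.add(s)
        path.append(s)
        for t in successors(s):
            if t not in visited:
                if dfs(t):
                    return True
                # post-order: the nested search starts once t is fully explored
                if accepting(t) and dfs2(t, t):
                    return True
        path.pop()
        return False

    # the pseudocode only tests successors, so cover an accepting initial state too
    if dfs(initial) or (accepting(initial) and dfs2(initial, initial)):
        return list(path), list(path2)
    return None

# Büchi automaton B¬φ as edges (source, guard, target); a guard reads the set of
# propositions labelling the model state entered along the edge.
Edge = Tuple[str, Callable[[Set[str]], bool], str]


def product_successors(model: Dict[str, List[str]], labels: Dict[str, Set[str]],
                       automaton: List[Edge]) -> Callable[[Tuple[str, str]], Iterable[Tuple[str, str]]]:
    """Successors in the product: M and B¬φ step together, matching on labels."""
    def succ(state):
        m, q = state
        for m2 in model[m]:
            for src, guard, dst in automaton:
                if src == q and guard(labels[m2]):
                    yield (m2, dst)
    return succ


def check_ltl(model, labels, initial: str, automaton: List[Edge],
              q0: str, accepting_q: Set[str]) -> Optional[Lasso]:
    """M satisfies φ iff the product with B¬φ has no accepting cycle; return one if it has."""
    succ = product_successors(model, labels, automaton)
    # B¬φ reads the label of the initial model state to choose its own first state
    initials = [(initial, dst) for src, guard, dst in automaton
                if src == q0 and guard(labels[initial])]
    for s0 in initials:
        cex = find_accepting_cycle(s0, succ, lambda s: s[1] in accepting_q)
        if cex is not None:
            return cex
    return None


# B¬φ for φ = G p: wait in q0 until a state without p is entered, then stay in
# the accepting state q1 forever (an accepting cycle there is a run of F ¬p).
NOT_ALWAYS_P: List[Edge] = [
    ("q0", lambda lab: True, "q0"),
    ("q0", lambda lab: "p" not in lab, "q1"),
    ("q1", lambda lab: True, "q1"),
]

# Constructed model: m0 and m1 satisfy p, the sink m2 does not.
MODEL = {"m0": ["m1"], "m1": ["m0", "m2"], "m2": ["m2"]}
LABELS = {"m0": {"p"}, "m1": {"p"}, "m2": set()}


def model_states(lasso: Lasso) -> Tuple[List[str], List[str]]:
    """Project a product lasso onto model states for reporting."""
    prefix, cycle = lasso
    return [m for m, _ in prefix], [m for m, _ in cycle]

if __name__ == "__main__":
    cex = check_ltl(MODEL, LABELS, "m0", NOT_ALWAYS_P, "q0", {"q1"})
    print("G p violated by lasso", model_states(cex))   # (['m0', 'm1', 'm2'], ['m2'])
```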

                            Explicit Model Checking

• Avoids constructing the entire state space of the modeled system; can be done on-the-fly
• Some states are not generated in the product
• Counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

                            SPIN Example of Petersonrsquos Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);
      ncrit++;
  ss:
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);
      ncrit++;
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }


                            Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

                            Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

                            Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

                            Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

                            Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

                            Cone of Influence Reduction

A Simple System Model

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL property

  (F (~ v1))   v1 will eventually become False

Cone of Influence Reduction

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
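The cone of influence computation for the system above, as an added example that is not the deck's code: it computes the cone of {v1}, builds the reduced model N, decides F(~v1) on runs of N, and checks on every initial state that the trace of v1 is identical in M and N, which is what the theorem on the previous slide promises. Treating the unassigned input v6 as keeping its value is an assumption made here.

```python
"""Cone of influence reduction for the synchronous Boolean system on the slides.
Added example; treating the unassigned input v6 as keeping its value is an
assumption made here, not something the slides state."""
from itertools import product
from typing import Dict, FrozenSet, List, Set

# v1 = v2; v2 = v1 & v3; v3 = v1 & v2; v4 = v5 & v3; v5 = v4 & v6, updated in parallel.
# Each entry maps an assigned variable to the variables its update reads.
SYSTEM: Dict[str, Set[str]] = {
    "v1": {"v2"}, "v2": {"v1", "v3"}, "v3": {"v1", "v2"},
    "v4": {"v5", "v3"}, "v5": {"v4", "v6"},
}
ALL_VARS: List[str] = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(deps: Dict[str, Set[str]], V: Set[str]) -> FrozenSet[str]:
    """Smallest superset of V closed under 'is read by the update of'."""
    cone, work = set(V), list(V)
    while work:
        v = work.pop()
        for w in deps.get(v, set()):
            if w not in cone:
                cone.add(w)
                work.append(w)
    return frozenset(cone)


def reduce_model(deps: Dict[str, Set[str]], V: Set[str]) -> Dict[str, Set[str]]:
    """The reduced model N: only the updates of variables inside the cone of V."""
    cone = cone_of_influence(deps, V)
    return {v: reads for v, reads in deps.items() if v in cone}


def step(deps: Dict[str, Set[str]], state: Dict[str, bool]) -> Dict[str, bool]:
    """One parallel step; every update is the conjunction of the variables it reads
    (v1 = v2 reads a single variable) and unassigned variables keep their value."""
    return {v: all(state[w] for w in deps[v]) if v in deps else state[v] for v in state}


def trace(deps, state, var: str, k: int) -> List[bool]:
    """Values of var over the first k states of the run starting in state."""
    out = []
    for _ in range(k):
        out.append(state[var])
        state = step(deps, state)
    return out


def eventually_not(deps, state, var: str = "v1") -> bool:
    """Decide F(~var) for one run of the deterministic model: the cone part of the
    state repeats within 2^|cone| steps, so that many steps are conclusive."""
    bound = 2 ** len(cone_of_influence(deps, {var})) + 1
    for _ in range(bound):
        if not state[var]:
            return True
        state = step(deps, state)
    return False


def reduction_preserves(var: str = "v1", k: int = 8) -> bool:
    """The theorem in action: for every initial state the trace of var is the same
    in M and in N, so any LTL formula over {var} holds in M iff it holds in N."""
    reduced = reduce_model(SYSTEM, {var})
    for bits in product([False, True], repeat=len(ALL_VARS)):
        s = dict(zip(ALL_VARS, bits))
        if trace(SYSTEM, s, var, k) != trace(reduced, s, var, k):
            return False
    return True


if __name__ == "__main__":
    print(sorted(cone_of_influence(SYSTEM, {"v1"})))   # ['v1', 'v2', 'v3']
    print(reduction_preserves())                        # True
```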

                            Data Abstraction

Abstraction function h: S → S' (figure: concrete states in S are mapped by h onto abstract states in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int → {Even, Odd}
    Odd:  … -3 -1 1 3 …
    Even: … -2 0 2 4 …

  y: int → {Pos, Neg, Zero}
    Pos:  1 2 3 …
    Neg:  … -3 -2 -1
    Zero: 0

                            Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

                            Model Written in SPIN

  mtype = { N, T, C };   /* declaration added: the slide uses N, T, C without declaring them */
  byte tok = 1;

  active [2] proctype user()
  {
      byte state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the state graph numbers the users 1 and 2 */
      :: (state == C) -> state = N;
         if
         :: tok = 1
         :: tok = 2
         fi
      od
  }

                            Symmetry Reduction Example

State graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
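An added example, not the deck's code, that explores the state graph of the two-user token model above with and without the swap symmetry, reproducing the 12-state full graph and the 6-state reduced graph and checking mutual exclusion on the quotient; the state encoding and function names are constructed here.

```python
"""Symmetry reduction of the two-user token model above.  Added example, not the
deck's code; the state encoding and function names are constructed here."""
from typing import Callable, Iterable, Set, Tuple

State = Tuple[str, str, int]     # (state of user 1, state of user 2, tok)
INITIAL: State = ("N", "N", 1)


def successors(s: State) -> Iterable[State]:
    """Interleaving semantics: one user at a time takes one branch of its do-loop.
    Users are numbered 1 and 2 as in the state graph, so user i enters C when tok == i."""
    for i in (0, 1):
        me, other, tok = s[i], s[1 - i], s[2]
        if me == "N":
            moves = [("T", tok)]
        elif me == "T" and tok == i + 1:
            moves = [("C", tok)]
        elif me == "C":
            moves = [("N", 1), ("N", 2)]      # if :: tok = 1 :: tok = 2 fi
        else:
            moves = []                        # T without the token blocks
        for st, t in moves:
            yield (st, other, t) if i == 0 else (other, st, t)


def canonical(s: State) -> State:
    """Orbit representative under swapping the two users (and hence the token):
    the member of the orbit in which user 1 holds the token."""
    return (s[1], s[0], 1) if s[2] == 2 else s


def explore(initial: State, succ: Callable[[State], Iterable[State]],
            rep: Callable[[State], State]) -> Set[State]:
    """Reachable states, storing only rep(state); rep = identity gives the full graph."""
    seen = {rep(initial)}
    stack = [rep(initial)]
    while stack:
        s = stack.pop()
        for t in succ(s):
            r = rep(t)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def full_state_graph() -> Set[State]:
    return explore(INITIAL, successors, lambda s: s)


def reduced_state_graph() -> Set[State]:
    return explore(INITIAL, successors, canonical)


def mutual_exclusion_holds() -> bool:
    """Never both users in the critical section; the property is invariant under
    the swap, so checking it on the reduced graph is sound."""
    return all(not (a == "C" and b == "C") for a, b, _ in reduced_state_graph())


if __name__ == "__main__":
    print(len(full_state_graph()), "states,", len(reduced_state_graph()), "after reduction")  # 12 states, 6 after reduction
```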


                            PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handle fairness with partial order reduction
  – Bounded model checking for process algebra

                            PAT Workflow Diagram

                            Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


                            Comparison NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                    SPIN
                         states     time       memory       states     time       memory
Migratory Protocol (2)   155040     108.63s    56.3 MB      435456     2.34s      42.8 MB
Stable Marriage (2)      710        0.84s      7.3 MB       568        <0.01s     1.5 MB
Stable Marriage (3)      1275       2.72s      10.4 MB      945        <0.01s     1.5 MB
Stable Marriage (5)      10351      31.56s     30.0 MB      8421       0.03s      2.1 MB
Best (7)                 15         0.06s      0.7 MB       2187       0.03s      1.5 MB
Best (20)                41         0.34s      5.7 MB       N/A¹
Worst (3)                15         0.04s      0.3 MB       15         <0.01s     1.5 MB
Worst (20)               2097150    0.36s      5.0 MB       2097150    15.03s     110.6 MB
Worst (100)              2.54E+30   14.34s     14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

                            Comparison Leader Election Protocol

Non-PO (no partial order reduction)

  n    NuSMV                           SPIN
       states    time       memory     states    time       memory
  2    70        0.11s      1.1 MB     70        <0.01s     1.5 MB
  3    488       0.57s      4.6 MB     488       <0.01s     1.5 MB
  4    3576      6.77s      10.6 MB    3576      0.10s      2.3 MB
  8    N/A¹                            N/A¹

PO (with partial order reduction)

  n    NuSMV-ImProviso                 SPIN
       states    time       memory     states    time       memory
  2    48        0.10s      1.0 MB     48        0.02s      1.5 MB
  3    209       0.31s      3.0 MB     209       <0.01s     1.5 MB
  4    922       1.77s      10.4 MB    922       <0.01s     1.7 MB
  8    306903    3553.86s   381.8 MB   306903    11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                            Comparison PAT SPIN and FDR

                            Comparison Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                            Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

                            Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

                            Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry


                              OBDD for Comparator Example

                              bull If we use the ordering a1 lt b1 lt a2 lt b2 for the comparator function we obtain the OBDD below

                              Variable Ordering Problem

                              bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                              function we get the OBDD below

                              Symbolic Model Checking Algorithm

                              bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                              Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                              formula in terms of the state variables

                              ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                              ndash Now convert T to a OBDD

                              Symbolic Model Checking (cont)

                              bull Representing transition relations symbolically

                              bull Boolean formula for transition relation

                              bull Now represent as an OBDD

                              Symbolic Model Checking (cont)

                              bull How to evaluate fixpoint formulas using OBDDs

                              bull Introduce state variables

                              bull Now compute the sequence

                              bull until convergence

                              Problems with BDDs

                              bull BDDs are a canonical representation Often become too large

                              bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                              bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                              Advantages of SAT Procedures

                              bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                              bull Do not suffer from the potential space explosion of BDDs

                              bull Can handle functions with s to s of variables

                              bull Very efficient implementations available

                              Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                              bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                              bull We look for longer and longer paths by incrementing the bound k

                              bull After some number of iterations we may conclude no such path exists and specification holds

                              bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                              Main Advantages of SAT Approach

                              bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                              bull It finds finite paths of minimal length This helps user understand the example more easily

                              bull It uses much less space than BDD based approaches

                              bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                              NuSMV A New Symbolic Model Verifier

                              bull Finite-state Systems described in a specialized language

                              bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                              checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                              efficiency and control state explosion

                              NuSMV language by examples

                              Explicit Model Checking

                              bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                              bull Counterexample

                              ndash M is the set of traces of M

                              ndash is the set of traces that satisfy

                              bull M

                              bull Equivalently M not=

                              Buumlchi Automata

                              bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                              ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                              bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                              Example

                              S0 S1 S2

                              1=S0S1S2S2S2S2hellip

                              2=S0S1S2S1S2S1hellip

                              3=S0S1S2S1S1S1hellip

                              ACCEPTED

                              ACCEPTED

                              REJECTED

                              LTL and Buumlchi Automata

                              bull LTL formulandash Represents a set of infinite traces which satisfy

                              such formulabull Buumlchi Automaton

                              ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                              and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (L(M) ∩ L(¬φ))
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

(Two diagram slides walking through the nested search on a small product automaton; the figures are not reproduced in the transcript.)

Nested Depth First Search

procedure DFS(s)
    visited = visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detect"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
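As an added example that is not part of the slides, the following Python code implements the product construction of the "LTL Model Checking" slide together with the nested depth-first search above, and returns the counterexample lasso when one exists. The model (states s0, s1, s2 with propositions req and grant), the property G(req → F grant) and the Büchi automaton for its negation are assumptions constructed for the illustration.

```python
"""Added example (not from the slides): LTL model checking by building the
product of a model M with a Buchi automaton for the negated property and
running nested depth-first search on it. Model, property and automaton are
constructed here for illustration."""
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Label = FrozenSet[str]
ProductState = Tuple[str, str]            # (state of M, state of B)
Lasso = Tuple[List[ProductState], List[ProductState]]


class Kripke:
    """Model M: initial state, successor lists, propositions true in each state."""
    def __init__(self, init: str, trans: Dict[str, List[str]], labels: Dict[str, Label]):
        self.init, self.trans, self.labels = init, trans, labels


class Buchi:
    """Automaton B: transitions (src, guard, dst). A guard reads the label of the
    model state the product is currently in, which is how 'states with the same
    labels' are matched."""
    def __init__(self, init: str, trans: List[Tuple[str, Callable[[Label], bool], str]],
                 accepting: Set[str]):
        self.init, self.trans, self.accepting = init, trans, accepting


def product_successors(m: Kripke, b: Buchi, st: ProductState) -> List[ProductState]:
    ms, bs = st
    letter = m.labels[ms]
    return [(ms2, dst) for src, guard, dst in b.trans if src == bs and guard(letter)
            for ms2 in m.trans[ms]]


def find_counterexample(m: Kripke, b: Buchi) -> Optional[Lasso]:
    """Nested DFS over M x B. Returns (prefix, cycle) of an accepted lasso, i.e. a
    trace of M that violates the property, or None when the property holds."""
    visited: Set[ProductState] = set()
    visited2: Set[ProductState] = set()   # one shared set for all inner searches
    path: List[ProductState] = []
    found: List[Lasso] = []

    def dfs2(s: ProductState, seed: ProductState, cycle: List[ProductState]) -> bool:
        visited2.add(s)
        cycle.append(s)
        for t in product_successors(m, b, s):
            if t == seed:                 # back at the accepting seed: a cycle
                return True
            if t not in visited2 and dfs2(t, seed, cycle):
                return True
        cycle.pop()
        return False

    def dfs(s: ProductState) -> bool:
        visited.add(s)
        path.append(s)
        for t in product_successors(m, b, s):
            if t not in visited and dfs(t):
                return True
        # Post-order: the inner search starts once s's successors are explored.
        if s[1] in b.accepting:
            cycle: List[ProductState] = []
            if dfs2(s, s, cycle):
                found.append((path[:-1], cycle))
                return True
        path.pop()
        return False

    dfs((m.init, b.init))
    return found[0] if found else None


# Property phi = G(req -> F grant). B_NOT_PHI accepts F(req & G !grant): a
# request after which grant never happens. q1 is the accepting state.
B_NOT_PHI = Buchi(
    init="q0",
    trans=[("q0", lambda l: True, "q0"),
           ("q0", lambda l: "req" in l and "grant" not in l, "q1"),
           ("q1", lambda l: "grant" not in l, "q1")],
    accepting={"q1"},
)
LABELS = {"s0": frozenset(), "s1": frozenset({"req"}), "s2": frozenset({"grant"})}
# Constructed model in which s1 may wait forever (self-loop) before the grant.
M_STARVING = Kripke("s0", {"s0": ["s1"], "s1": ["s1", "s2"], "s2": ["s0"]}, LABELS)
# The same model without the waiting loop: a request is always granted next.
M_FAIR = Kripke("s0", {"s0": ["s1"], "s1": ["s2"], "s2": ["s0"]}, LABELS)


def model_trace(ce: Lasso) -> Tuple[List[str], List[str]]:
    """Project a product lasso back onto states of M for reporting."""
    prefix, cycle = ce
    return [s for s, _ in prefix], [s for s, _ in cycle]


if __name__ == "__main__":
    ce = find_counterexample(M_STARVING, B_NOT_PHI)
    print("starving model:", model_trace(ce))                     # (['s0', 's1'], ['s1'])
    print("fair model:", find_counterexample(M_FAIR, B_NOT_PHI))  # None
```

The inner search is started in post-order (after a state's successors are explored) and shares one visited2 set, which is what keeps the whole search linear in the size of the product.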

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed to enter */

    ncrit++;
ss:
    assert(ncrit == 1);   /* critical section */
    ncrit--;

    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed to enter */

    ncrit++;
    assert(ncrit == 1);   /* critical section */
    ncrit--;

    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A simple LTL property:

    (F (~v1))    v1 will eventually become False

The reduced model (cone of influence of v1):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
    End
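Added example (not from the slides): a Python implementation of the reduction on the program above. It computes the cone of {v1} by following the "reads" relation between assignments, keeps every assignment of a variable in the cone (the cone of v1 is {v1, v2, v3}), and then checks F(~v1) on both the full and the reduced model by exhaustive exploration. Two assumptions are made for the check: any assignment of the variables may be an initial state, and v6, which is never assigned, is a free input that can change at every step.

```python
"""Added example (not from the slides): cone-of-influence reduction of the
synchronous Boolean program above, plus an exhaustive check that the full and
the reduced model give the same verdict for F(~v1). Assumptions: any assignment
of the variables may be an initial state, and v6 (never assigned) is a free
input that can change at every step."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

Assignments = Dict[str, str]                 # variable -> right-hand side, e.g. "v1 & v3"
State = FrozenSet[Tuple[str, int]]

# The system model from the slide.
FULL_MODEL: Assignments = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}
FULL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]


def reads(rhs: str) -> List[str]:
    """Variables read by a right-hand side (the program only uses '&')."""
    return [t.strip() for t in rhs.split("&")]


def cone_of_influence(model: Assignments, prop_vars: Set[str]) -> Set[str]:
    """Smallest set containing prop_vars and closed under 'v reads w'."""
    cone, work = set(prop_vars), list(prop_vars)
    while work:
        v = work.pop()
        if v not in model:                   # an input: reads nothing
            continue
        for w in reads(model[v]):
            if w not in cone:
                cone.add(w)
                work.append(w)
    return cone


def reduce_model(model: Assignments, prop_vars: Set[str]) -> Tuple[Assignments, List[str]]:
    """Drop every assignment to a variable outside the cone; the cone's variables
    become the reduced model's declaration list."""
    cone = cone_of_influence(model, prop_vars)
    return {v: rhs for v, rhs in model.items() if v in cone}, sorted(cone)


def successors(model: Assignments, variables: List[str], state: State) -> List[State]:
    """One synchronous step: all assignments fire together on the old values;
    unassigned variables may take either value, so several successors exist."""
    env = dict(state)
    nxt = {v: int(all(env[w] for w in reads(model[v]))) for v in variables if v in model}
    free = [v for v in variables if v not in model]
    out: List[State] = []
    for bits in product((0, 1), repeat=len(free)):
        s = dict(nxt)
        s.update(zip(free, bits))
        out.append(frozenset(s.items()))
    return out


def can_keep_v1_true_forever(model: Assignments, variables: List[str]) -> bool:
    """F(~v1) is violated iff some infinite path keeps v1 True, i.e. iff the
    sub-graph of states with v1 == 1 contains a cycle. Colours: 1 on stack, 2 done."""
    colour: Dict[State, int] = {}

    def dfs(s: State) -> bool:
        colour[s] = 1
        for t in successors(model, variables, s):
            if dict(t)["v1"] != 1:
                continue
            c = colour.get(t, 0)
            if c == 1 or (c == 0 and dfs(t)):
                return True
        colour[s] = 2
        return False

    all_states = [frozenset(zip(variables, bits)) for bits in product((0, 1), repeat=len(variables))]
    return any(dict(s)["v1"] == 1 and colour.get(s, 0) == 0 and dfs(s) for s in all_states)


if __name__ == "__main__":
    reduced, reduced_vars = reduce_model(FULL_MODEL, {"v1"})
    print("cone of {v1}:", reduced_vars)                          # ['v1', 'v2', 'v3']
    print("reduced model:", reduced)
    print("F(~v1) false on full model:", can_keep_v1_true_forever(FULL_MODEL, FULL_VARS))
    print("F(~v1) false on reduced:", can_keep_v1_true_forever(reduced, reduced_vars))
```

Both models contain the self-loop on v1 = v2 = v3 = 1, so F(~v1) fails on both and the verdicts agree; a property over v4 instead would pull every variable into the cone and allow no reduction.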

Data Abstraction

Abstraction function h : S → S'

(Diagram: each concrete state in S is mapped by h onto an abstract state in S'; several concrete states share one abstract state.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x : int  →  {Even, Odd}
    Even ← … -2 0 2 4 …
    Odd  ← … -3 -1 1 3 …

y : int  →  {Neg, Zero, Pos}
    Neg  ← … -3 -2 -1
    Zero ← 0
    Pos  ← 1 2 3 …

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

mtype = { N, T, C };   /* declaration of the three local states; omitted on the slide */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State graph (12 states; edges are not reproduced in the transcript):

    N1 N2, tok=1     N1 N2, tok=2
    N1 T2, tok=1     T1 N2, tok=2
    T1 N2, tok=1     N1 T2, tok=2
    T1 T2, tok=1     T1 T2, tok=2
    C1 N2, tok=1     N1 C2, tok=2
    C1 T2, tok=1     T1 C2, tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2, tok=1
    N1 T2, tok=1
    T1 N2, tok=1
    T1 T2, tok=1
    C1 N2, tok=1
    C1 T2, tok=1
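Added example (not from the slides): a Python re-implementation of the token model above, explored once with every state stored and once storing only one representative per equivalence class, which reproduces the 12-state and 6-state graphs. The state encoding, the 1-based process numbering, and the choice of the tok=1 orbit member as representative are assumptions made to match the figure.

```python
"""Added example (not from the slides): explicit exploration of the two-process
token model above, with and without symmetry reduction. The symmetry used is
swapping the two processes together with the token id (1 <-> 2)."""
from collections import deque
from typing import Callable, List, Set, Tuple

N, T, C = "N", "T", "C"
State = Tuple[Tuple[str, ...], int]         # ((state of process 1, state of process 2), tok)
INITIAL: State = ((N, N), 1)


def successors(state: State) -> List[State]:
    """Transitions of the Promela model: N -> T; T -> C if the token is mine;
    C -> N and the token is handed to process 1 or 2 non-deterministically."""
    procs, tok = state
    out: List[State] = []
    for i, p in enumerate(procs, start=1):          # processes are numbered 1 and 2
        nxt = list(procs)
        if p == N:
            nxt[i - 1] = T
            out.append((tuple(nxt), tok))
        elif p == T and tok == i:
            nxt[i - 1] = C
            out.append((tuple(nxt), tok))
        elif p == C:
            nxt[i - 1] = N
            for new_tok in (1, 2):
                out.append((tuple(nxt), new_tok))
    return out


def swap(state: State) -> State:
    """The symmetry: exchange the two processes and relabel the token accordingly."""
    (p1, p2), tok = state
    return ((p2, p1), 3 - tok)


def representative(state: State) -> State:
    """Pick the orbit member holding tok=1, matching the reduced graph on the slide."""
    return state if state[1] == 1 else swap(state)


def explore(canon: Callable[[State], State]) -> Set[State]:
    """Breadth-first reachability; canon maps every generated state to the
    representative that is stored and expanded (identity = no reduction)."""
    start = canon(INITIAL)
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def mutual_exclusion_holds(states: Set[State]) -> bool:
    """A symmetric safety property can be checked on the representatives alone."""
    return all(procs != (C, C) for procs, _ in states)


if __name__ == "__main__":
    full, reduced = explore(lambda s: s), explore(representative)
    print(len(full), "states in the full state graph")         # 12
    print(len(reduced), "states in the reduced state graph")   # 6
    print("mutual exclusion:", mutual_exclusion_holds(reduced))
```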

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram (figure not reproduced in the transcript)

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states     time      memory         states    time     memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB        435456    2.34s    42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB         568       <0.01s   1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB        945       <0.01s   1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB        8421      0.03s    2.1 MB
  Best (7)                15         0.06s     0.7 MB         2187      0.03s    1.5 MB
  Best (20)               41         0.34s     5.7 MB         NA¹
  Worst (3)               15         0.04s     0.3 MB         15        <0.01s   1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB         2097150   15.03s   110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB        NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

                NuSMV                              SPIN
  processes     states   time       memory         states   time      memory
  2             70       0.11s      1.1 MB         70       <0.01s    1.5 MB
  3             488      0.57s      4.6 MB         488      <0.01s    1.5 MB
  4             3576     6.77s      10.6 MB        3576     0.10s     2.3 MB
  8             NA¹                                NA¹

With partial order reduction (PO):

                NuSMV-ImProviso                    SPIN
  processes     states   time       memory         states   time      memory
  2             48       0.10s      1.0 MB         48       0.02s     1.5 MB
  3             209      0.31s      3.0 MB         209      <0.01s    1.5 MB
  4             922      1.77s      10.4 MB        922      <0.01s    1.7 MB
  8             306903   3553.86s   381.8 MB       306903   11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR (figure not reproduced in the transcript)

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry


                                Variable Ordering Problem

                                bull The size of an OBDD depends critically on the variable orderingbull If we use the ordering a1 lt a2 lt b1 lt b2 for the comparator

                                function we get the OBDD below

                                Symbolic Model Checking Algorithm

                                bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                                Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                                formula in terms of the state variables

                                ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                                ndash Now convert T to a OBDD

                                Symbolic Model Checking (cont)

                                bull Representing transition relations symbolically

                                bull Boolean formula for transition relation

                                bull Now represent as an OBDD

                                Symbolic Model Checking (cont)

                                bull How to evaluate fixpoint formulas using OBDDs

                                bull Introduce state variables

                                bull Now compute the sequence

                                bull until convergence

                                Problems with BDDs

                                bull BDDs are a canonical representation Often become too large

                                bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                                bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                                Advantages of SAT Procedures

                                bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                                bull Do not suffer from the potential space explosion of BDDs

                                bull Can handle functions with s to s of variables

                                bull Very efficient implementations available

                                Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                                bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                                bull We look for longer and longer paths by incrementing the bound k

                                bull After some number of iterations we may conclude no such path exists and specification holds

                                bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                                Main Advantages of SAT Approach

                                bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                                bull It finds finite paths of minimal length This helps user understand the example more easily

                                bull It uses much less space than BDD based approaches

                                bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                                NuSMV A New Symbolic Model Verifier

                                bull Finite-state Systems described in a specialized language

                                bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                                checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                                efficiency and control state explosion

                                NuSMV language by examples

                                Explicit Model Checking

                                bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                                bull Counterexample

                                ndash M is the set of traces of M

                                ndash is the set of traces that satisfy

                                bull M

                                bull Equivalently M not=

                                Buumlchi Automata

                                bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                                ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                                bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                                Example

                                S0 S1 S2

                                1=S0S1S2S2S2S2hellip

                                2=S0S1S2S1S2S1hellip

                                3=S0S1S2S1S1S1hellip

                                ACCEPTED

                                ACCEPTED

                                REJECTED

                                LTL and Buumlchi Automata

                                bull LTL formulandash Represents a set of infinite traces which satisfy

                                such formulabull Buumlchi Automaton

                                ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                                and only the infinite traces represented by an LTL formula

                                LTL Model Checking

                                bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                                ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                                ndash The product accepts the traces of M that are also traces of Bnot (M not)

                                ndash If the product accepts any sequencebull We have found a counterexample

                                Nested Depth First Search

                                bull The product is a Buumlchi automatonbull How do we find accepted sequences

                                ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                                ndash We are interested only in cycles that contain at least an accepting state

                                ndash During depth first search start a second search when we are in an accepting states

                                bull If we can reach the same state again we have a cycle (and a counterexample)

                                Example

                                Example

                                Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                                Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                                Explicit Model Checking

                                bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                                bull Some states are not generated in the productbull Counterexample can be found before

                                searching all statesbull Easy to optimizebull Better support for asynchronous composition

                                SPIN

                                bull Explicit State Model Checkerbull Process Algebra

                                ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                                bull Nested Depth First Searchbull Uses a hashing function to store each state using

                                only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                                SPIN Example of Petersonrsquos Algorithm

                                bool turn flag[2]byte ncrit

                                active proctype user0()again

                                flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                                ncrit++ss assert(ncrit == 1) critical section

                                ncrit--

                                flag[0] = 0goto again

                                active proctype user1()again

                                flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                                ncrit++assert(ncrit == 1) critical section ncrit--

                                flag[1] = 0goto again

                                Outline

                                bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.
• The ordering between independent transitions is largely meaningless.

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem.
• To see this, consider n transitions that can be executed concurrently.
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions that has already been executed).
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states.

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions that result in the same state regardless of their order.
• Thus this reduction technique is best suited for asynchronous systems.
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviours of the reduced graph are a subset of the behaviours of the full state graph.
• The justification of the reduction method shows that the behaviours that are not present do not add any information: every omitted interleaving is equivalent, with respect to the checked property, to one that is kept.

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution.
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviours.
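The following Python script is an added illustration of the slides above; it is not code from the deck or from SPIN. It explores a small interleaving model with and without the simplest sound ample-set rule (when some process's next step touches no shared variable, explore only that step). For the slide's n independent transitions the full graph has 2^n states and the reduced one n + 1; for two processes doing a non-atomic x = x + 1, whose steps all touch x and therefore do not commute, the reduction keeps every interleaving and still finds the lost update. The Step class, the explore function and both models are constructed for this example.

```python
"""Explicit-state exploration with and without a simple partial order
reduction (added example, not code from the slides or from SPIN).
Ample-set rule: if some process's next step is purely local (touches no
shared variable), explore only that step; otherwise explore every enabled
step. The models are acyclic, so the cycle-closing condition of full POR
is not needed here."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    uses_shared: bool                                      # reads or writes a global variable
    fn: Callable[[Dict[str, int], Dict[str, int]], None]   # updates (globals, locals) in place


def _freeze(d: Dict[str, int]) -> Tuple:
    return tuple(sorted(d.items()))


def successors(procs: List[List[Step]], state, reduce: bool):
    """state = (program counters, frozen globals, per-process frozen locals)."""
    pcs, g, ls = state
    enabled = [(i, procs[i][pc]) for i, pc in enumerate(pcs) if pc < len(procs[i])]
    if reduce:
        # A local step commutes with every step of every other process and
        # cannot change what the property observes (the globals), so a single
        # representative interleaving is enough.
        local = [(i, st) for i, st in enabled if not st.uses_shared]
        if local:
            enabled = local[:1]
    for i, st in enabled:
        g2, l2 = dict(g), dict(ls[i])
        st.fn(g2, l2)
        yield (pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], _freeze(g2),
               ls[:i] + (_freeze(l2),) + ls[i + 1:])


def explore(procs, g0: Dict[str, int], bad: Callable[[Dict[str, int]], bool], reduce: bool):
    """DFS over reachable states. Returns (states visited, whether a terminal
    state violating the property was found)."""
    init = (tuple(0 for _ in procs), _freeze(g0), tuple(() for _ in procs))
    seen, stack, violated = {init}, [init], False
    while stack:
        s = stack.pop()
        pcs, g, _ = s
        if all(pc == len(p) for pc, p in zip(pcs, procs)) and bad(dict(g)):
            violated = True
        for s2 in successors(procs, s, reduce):
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return len(seen), violated


def local_step(name: str = "tick") -> Step:
    def tick(g, l):
        l["c"] = l.get("c", 0) + 1      # touches only this process's local counter
    return Step(name, False, tick)


def independent_model(n: int, m: int):
    """n processes, each executing m purely local steps (the slide's n
    independent transitions when m == 1)."""
    return [[local_step() for _ in range(m)] for _ in range(n)]


def lost_update_model(with_local_prefix: bool):
    """Two processes executing the non-atomic x = x + 1 as read-then-write.
    The interleaving read0, read1, write0, write1 loses an update: x ends at 1."""
    def read(g, l):
        l["r"] = g["x"]

    def write(g, l):
        g["x"] = l["r"] + 1

    prefix = [local_step("init")] if with_local_prefix else []
    return [prefix + [Step("read", True, read), Step("write", True, write)] for _ in range(2)]


def compare(procs, g0=None, bad=lambda g: False):
    """(states without reduction, states with reduction,
        violation found without, violation found with)."""
    g0 = dict(g0 or {})
    full, v_full = explore(procs, g0, bad, reduce=False)
    red, v_red = explore(procs, g0, bad, reduce=True)
    return full, red, v_full, v_red


if __name__ == "__main__":
    lost = lambda g: g["x"] != 2
    print(compare(independent_model(4, 1)))                          # 2^n states vs n + 1
    print(compare(lost_update_model(False), {"x": 0}, lost))         # nothing commutes: same graph, bug found
    print(compare(lost_update_model(True), {"x": 0}, lost))          # fewer states, bug still found
```

The ample set chosen here is sound only because a local step is independent of every other process's steps and invisible to a property that reads globals at termination; a step that touches a shared variable must be interleaved with everything else, which is why the lost update is found in both runs.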

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification for such a system can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver.
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the environment (the other sub-processes) it runs in.
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (sub-process1 || sub-process2 || ...).

Abstraction

• Eliminate details irrelevant to the property.
• Obtain simple finite models sufficient to verify the property.
  – E.g. infinite state → finite state approximation.
• Disadvantage
  – Loss of precision: an over-approximation can report spurious counterexamples (false positives); an under-approximation can miss violations (false negatives).
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (V together with every variable that the next-state assignments of variables in C transitively depend on), then M |= f if and only if N |= f, where N is the model reduced with respect to C: only the variables in C and their assignments are kept.

Cone of Influence Reduction

A simple system model:

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A simple LTL property: F (~v1), i.e. v1 will eventually become False.

The property refers only to v1. v1 depends on v2, v2 on v1 and v3, and v3 on v1 and v2, so the cone of influence of {v1} is {v1, v2, v3}. v4, v5 and v6 are read by no variable in the cone and are dropped together with their assignments. Reduced model:

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
End

Data Abstraction

Abstraction function h: S → S' maps each concrete state in S to an abstract state in S'; several concrete states share one abstract state.

Data Abstraction Example

• Abstraction proceeds component-wise, where the variables are the components.
• x: int is abstracted to {Even, Odd}
  – ... -3, -1, 1, 3, ... ↦ Odd
  – ... -2, 0, 2, 4, ... ↦ Even
• y: int is abstracted to {Neg, Zero, Pos}
  – ... -3, -2, -1 ↦ Neg
  – 0 ↦ Zero
  – 1, 2, 3, ... ↦ Pos
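The Abstraction, Cone of Influence Reduction and Data Abstraction slides above share one worked Python example, added here and not taken from the deck. It computes the cone of influence of the slide's Boolean program, checks F(~v1) on the full and on the reduced model with the same search (a counterexample to an "eventually" property is a reachable cycle on which the goal never holds), and then builds the existential sign abstraction of a small counter to show the loss of precision the Abstraction slide warns about: the abstract model admits a Pos -> Pos -> ... loop that no concrete execution has, a spurious counterexample. Two details are assumptions, since the slides do not fix them: every valuation of the Boolean program is an initial state, and the unassigned v6 is a free input that may change at every step.

```python
"""Cone of influence reduction and existential data abstraction (added
example, not code from the slides). Assumed: every valuation is initial;
unassigned variables (v6) are free inputs."""

from itertools import product


def af_violation(initial, succ, goal):
    """Counterexample to AF goal: a cycle of goal-false states reachable from
    an initial state through goal-false states; None if AF goal holds."""
    colour, path = {}, []

    def dfs(s):
        colour[s] = "grey"
        path.append(s)
        for t in succ(s):
            if goal(t):
                continue
            if colour.get(t) == "grey":          # back edge: a lasso that never reaches the goal
                return path[path.index(t):]
            if t not in colour:
                found = dfs(t)
                if found:
                    return found
        colour[s] = "black"
        path.pop()
        return None

    for s in initial:
        if not goal(s) and s not in colour:
            found = dfs(s)
            if found:
                return found
    return None


# --- Cone of influence on the slide's program -------------------------------
# variable -> (variables its next-state assignment reads, the assignment)
PROGRAM = {
    "v1": (("v2",), lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
}
ALL_VARS = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(program, prop_vars):
    """Least set containing prop_vars and closed under 'is read by an assignment of'."""
    cone, work = set(prop_vars), list(prop_vars)
    while work:
        for dep in program.get(work.pop(), ((),))[0]:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return frozenset(cone)


def reduced_program(program, cone):
    return {v: rule for v, rule in program.items() if v in cone}


def boolean_model(program, variables):
    """States are valuations as tuples in `variables` order. Assigned variables
    update synchronously; unassigned ones are inputs and take any value."""
    inputs = [v for v in variables if v not in program]

    def succ(s):
        env = dict(zip(variables, s))
        nxt = {v: program[v][1](env) for v in program}
        for vals in product((False, True), repeat=len(inputs)):
            nxt.update(zip(inputs, vals))
            yield tuple(nxt[v] for v in variables)

    return list(product((False, True), repeat=len(variables))), succ


def eventually_false(program, variables, var):
    """Check AF(not var); returns a counterexample cycle or None."""
    initial, succ = boolean_model(program, variables)
    i = variables.index(var)
    return af_violation(initial, succ, lambda s: not s[i])


# --- Existential data abstraction --------------------------------------------
def existential_abstraction(states, succ, h):
    """Abstract transition h(s) -> h(t) exists iff some concrete s -> t does."""
    abs_succ = {}
    for s in states:
        for t in succ(s):
            abs_succ.setdefault(h(s), set()).add(h(t))
    return abs_succ


def sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


COUNTER = list(range(8))                  # concrete x in 0..7 (bounded; an assumption)


def counter_succ(x):
    yield max(x - 1, 0)                   # x := x - 1 until it reaches 0, then stays there


def counter_reaches_zero(start):
    """Concrete check of AF(x == 0) from start; None means the property holds."""
    return af_violation([start], counter_succ, lambda x: x == 0)


def abstract_counter_reaches_zero(start):
    """Same property on the sign abstraction: the loop Pos -> Pos is a spurious counterexample."""
    abs_succ = existential_abstraction(COUNTER, counter_succ, sign)
    return af_violation([sign(start)], lambda a: abs_succ.get(a, ()), lambda a: a == "Zero")
```

On the slide's program both the 64-state full model and the 8-state reduced model yield the same verdict for F(~v1): it fails, with the loop at v1 = v2 = v3 = True as the counterexample. On the counter, the concrete model satisfies AF(x == 0) from 5 while the sign abstraction does not, which is exactly the false positive an over-approximation can produce.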

Symmetry

• Symmetry partitions the state space into equivalence classes.
• With knowledge of the symmetry, search only one state per equivalence class.
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic.
• Challenges: detecting and exploiting symmetries.

Model Written in SPIN

mtype = { N, T, C };   /* local states: non-critical, trying, critical (declaration omitted on the slide) */
byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based in SPIN; the graph below numbers the processes 1 and 2 */
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

Full state graph (12 states; Ni/Ti/Ci is the local state of process i, tok the token holder):

    (N1 N2, tok=1)   (N1 N2, tok=2)
    (N1 T2, tok=1)   (T1 N2, tok=2)
    (T1 N2, tok=1)   (N1 T2, tok=2)
    (T1 T2, tok=1)   (T1 T2, tok=2)
    (C1 N2, tok=1)   (N1 C2, tok=2)
    (C1 T2, tok=1)   (T1 C2, tok=2)

Reduced state graph (6 states). Swapping the two processes and renaming the token accordingly maps each state in the right column onto the one beside it in the left column, so one representative per pair suffices:

    (N1 N2, tok=1)
    (N1 T2, tok=1)
    (T1 N2, tok=1)
    (T1 T2, tok=1)
    (C1 N2, tok=1)
    (C1 T2, tok=1)
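The Python script below is an added example, not part of the slides or of SPIN, that reproduces the state counts of the graphs above and generalises the model to n processes (on leaving the critical section a process may hand the token to any of the n, extending the slide's two-way choice). It explores the full state graph and the quotient graph obtained by replacing every state with a canonical representative of its orbit under process permutation, and checks mutual exclusion on both.

```python
"""Symmetry reduction on the token-passing model of the SPIN slide,
generalised to n identical processes (added example, not from the deck).
A state is (tok, (s_1, ..., s_n)) with s_i in {N, T, C}. Permuting the
processes and renaming tok accordingly maps transitions to transitions,
so one representative per orbit is enough."""

N, T, C = "N", "T", "C"


def _set(t, i, v):
    return t[:i] + (v,) + t[i + 1:]


def successors(state):
    tok, locs = state
    for i, s in enumerate(locs):
        if s == N:
            yield tok, _set(locs, i, T)
        elif s == T and tok == i + 1:                 # tok == _pid + 1 in the Promela model
            yield tok, _set(locs, i, C)
        elif s == C:
            for new_tok in range(1, len(locs) + 1):   # nondeterministic release of the token
                yield new_tok, _set(locs, i, N)


def canonical(state):
    """Orbit representative: the token holder is moved to position 1 and the
    remaining processes are sorted, which fixes the permutation."""
    tok, locs = state
    holder = locs[tok - 1]
    rest = tuple(sorted(s for i, s in enumerate(locs) if i != tok - 1))
    return 1, (holder,) + rest


def explore(n, reduce):
    """Reachable states of the full graph (reduce=False) or of the quotient graph."""
    init = (1, (N,) * n)
    start = canonical(init) if reduce else init
    seen, stack = {start}, [start]
    while stack:
        for s2 in successors(stack.pop()):
            if reduce:
                s2 = canonical(s2)
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return seen


def mutual_exclusion(states):
    """At most one process in C in every explored state."""
    return all(locs.count(C) <= 1 for _, locs in states)


def state_counts(n):
    """(states of the full graph, states of the quotient graph) for n processes."""
    return len(explore(n, False)), len(explore(n, True))


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, state_counts(n), mutual_exclusion(explore(n, True)))
```

For two processes the counts are the 12 and 6 states of the graphs above; in general the full graph has 3n·2^(n-1) reachable states and the quotient graph 3n, so the saving grows with the number of identical processes. The canonical form is the piece a tool must get right: it has to be invariant under exactly the permutations that are automorphisms of the transition relation, here any reordering of the processes together with the matching renaming of tok.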


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra.
• Modelling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.
• A weak fair event is written as wf(e): if e is continuously enabled from some point on, it must be taken (infinitely often).
• A strong fair event is written as sf(e): if e is enabled infinitely often, it must be taken infinitely often.
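As an added example (not PAT syntax or PAT code), the Python below evaluates wf(e) and sf(e) on ultimately periodic runs represented as a loop of (enabled events, taken event) pairs, and shows why the fairness assumption decides whether a starvation run counts as a counterexample. The three runs and the event names p1.run and p2.run are constructed for the example.

```python
"""Weak and strong fairness on ultimately periodic runs (added example,
not PAT code). A run is a prefix followed by a loop repeated forever; each
loop position records the events enabled there and the event taken. Only
the loop matters for fairness, since it is what happens infinitely often."""


def taken_infinitely_often(loop, e):
    return any(taken == e for _, taken in loop)


def weakly_fair(loop, e):
    """wf(e): if e is enabled continuously from some point on, it is taken infinitely often."""
    enabled_forever = all(e in enabled for enabled, _ in loop)
    return taken_infinitely_often(loop, e) or not enabled_forever


def strongly_fair(loop, e):
    """sf(e): if e is enabled infinitely often, it is taken infinitely often."""
    enabled_infinitely_often = any(e in enabled for enabled, _ in loop)
    return taken_infinitely_often(loop, e) or not enabled_infinitely_often


def admissible(loop, assumptions):
    """A run is a valid counterexample only if it satisfies every fairness assumption."""
    checks = {"wf": weakly_fair, "sf": strongly_fair}
    return all(checks[kind](loop, e) for kind, e in assumptions)


def starves(loop, e):
    """Non-starvation of e fails on this run iff e is never taken in the loop."""
    return not taken_infinitely_often(loop, e)


# Constructed loops of a two-process scheduler (not from any real model).
# p2.run is enabled only every other state and the scheduler always picks p1:
INTERMITTENT = [({"p1.run", "p2.run"}, "p1.run"), ({"p1.run"}, "p1.run")]
# p2.run is enabled in every state of the loop and never taken:
CONTINUOUS = [({"p1.run", "p2.run"}, "p1.run"), ({"p1.run", "p2.run"}, "p1.run")]
# p1 and p2 alternate:
ALTERNATING = [({"p1.run", "p2.run"}, "p1.run"), ({"p1.run", "p2.run"}, "p2.run")]


def verdict(loop, e="p2.run"):
    """Does this run count as a counterexample to non-starvation of e
    under no fairness, under wf(e) and under sf(e)?"""
    return {
        "none": starves(loop, e),
        "wf": starves(loop, e) and admissible(loop, [("wf", e)]),
        "sf": starves(loop, e) and admissible(loop, [("sf", e)]),
    }


if __name__ == "__main__":
    for name, loop in (("intermittent", INTERMITTENT), ("continuous", CONTINUOUS), ("alternating", ALTERNATING)):
        print(name, verdict(loop))
```

The intermittent run is the interesting one: p2 starves, the run is weakly fair (p2.run is never enabled continuously), so under wf(p2.run) non-starvation is still FALSE, while under sf(p2.run) the run is discarded and the property is no longer refuted by it. This is why a model checker that handles fairness must filter the cycles found by its search rather than only report them.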


Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                      SPIN
                          states      time       memory        states      time       memory
Migratory Protocol (2)    155040      108.63s    56.3 MB       435456      2.34s      42.8 MB
Stable Marriage (2)       710         0.84s      7.3 MB        568         <0.01s     1.5 MB
Stable Marriage (3)       1275        2.72s      10.4 MB       945         <0.01s     1.5 MB
Stable Marriage (5)       10351       31.56s     30.0 MB       8421        0.03s      2.1 MB
Best (7)                  15          0.06s      0.7 MB        2187        0.03s      1.5 MB
Best (20)                 41          0.34s      5.7 MB        NA¹
Worst (3)                 15          0.04s      0.3 MB        15          <0.01s     1.5 MB
Worst (20)                2097150     0.36s      5.0 MB        2097150     15.03s     110.6 MB
Worst (100)               2.54E+30    14.34s     14.6 MB       NA¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best and Worst.

Comparison: Leader Election Protocol

Non-PO (no partial order reduction)
            NuSMV                              SPIN
   n        states      time       memory      states      time       memory
   2        70          0.11s      1.1 MB      70          <0.01s     1.5 MB
   3        488         0.57s      4.6 MB      488         <0.01s     1.5 MB
   4        3576        6.77s      10.6 MB     3576        0.10s      2.3 MB
   8        NA¹                                NA¹

PO (with partial order reduction)
            NuSMV-ImProviso                    SPIN
   n        states      time       memory      states      time       memory
   2        48          0.10s      1.0 MB      48          0.02s      1.5 MB
   3        209         0.31s      3.0 MB      209         <0.01s     1.5 MB
   4        922         1.77s      10.4 MB     922         <0.01s     1.7 MB
   8        306903      3553.86s   381.8 MB    306903      11.82s     232.8 MB

• Models of the same size in SMV and Promela.
• Same reduction.
• SPIN faster until…

                                Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.


Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                  Symbolic Model Checking Algorithm

                                  bull How to represent state-transition graphs with Ordered Binary Decision Diagramsndash Assume that system behavior is determined by n

                                  Boolean state variables v1 v2 hellip vnndash The Transition relation T will be given as a boolean

                                  formula in terms of the state variables

                                  ndash where v1hellip vn represents the current state and vrsquo1hellip vrsquon represents the next state

                                  ndash Now convert T to a OBDD

                                  Symbolic Model Checking (cont)

                                  bull Representing transition relations symbolically

                                  bull Boolean formula for transition relation

                                  bull Now represent as an OBDD

                                  Symbolic Model Checking (cont)

                                  bull How to evaluate fixpoint formulas using OBDDs

                                  bull Introduce state variables

                                  bull Now compute the sequence

                                  bull until convergence

                                  Problems with BDDs

                                  bull BDDs are a canonical representation Often become too large

                                  bull Selecting right variable ordering very important for obtaining small BDDsndash Often time consuming or needs manual interventionndash Sometimes no space efficient variable ordering exists

                                  bull Next we describe an alternative approach to symbolic model checking that uses SAT procedures

                                  Advantages of SAT Procedures

                                  bull SAT procedures also operate on Boolean expressions but do not use canonical forms

                                  bull Do not suffer from the potential space explosion of BDDs

                                  bull Can handle functions with s to s of variables

                                  bull Very efficient implementations available

                                  Bounded Model Checkingbull Bounded model checking uses a SAT procedure instead of BDDs

                                  bull We construct Boolean formula that is satisfiable iff there is a specific finite path of length k in underlying machine

                                  bull We look for longer and longer paths by incrementing the bound k

                                  bull After some number of iterations we may conclude no such path exists and specification holds

                                  bull For example to verify safety properties number of iterations is bounded by diameter of finite state machine

                                  Main Advantages of SAT Approach

                                  bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                                  bull It finds finite paths of minimal length This helps user understand the example more easily

                                  bull It uses much less space than BDD based approaches

                                  bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

                                  NuSMV A New Symbolic Model Verifier

                                  bull Finite-state Systems described in a specialized language

                                  bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                                  checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                                  efficiency and control state explosion

                                  NuSMV language by examples

                                  Explicit Model Checking

                                  bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                                  bull Counterexample

                                  ndash M is the set of traces of M

                                  ndash is the set of traces that satisfy

                                  bull M

                                  bull Equivalently M not=

                                  Buumlchi Automata

                                  bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                                  ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                                  bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                                  Example

                                  S0 S1 S2

                                  1=S0S1S2S2S2S2hellip

                                  2=S0S1S2S1S2S1hellip

                                  3=S0S1S2S1S1S1hellip

                                  ACCEPTED

                                  ACCEPTED

                                  REJECTED

                                  LTL and Buumlchi Automata

                                  bull LTL formulandash Represents a set of infinite traces which satisfy

                                  such formulabull Buumlchi Automaton

                                  ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                                  and only the infinite traces represented by an LTL formula

                                  LTL Model Checking

                                  bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                                  ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                                  ndash The product accepts the traces of M that are also traces of Bnot (M not)

                                  ndash If the product accepts any sequencebull We have found a counterexample

                                  Nested Depth First Search

                                  bull The product is a Buumlchi automatonbull How do we find accepted sequences

                                  ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                                  ndash We are interested only in cycles that contain at least an accepting state

                                  ndash During depth first search start a second search when we are in an accepting states

                                  bull If we can reach the same state again we have a cycle (and a counterexample)

                                  Example

                                  Example

                                  Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                                  Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                                  Explicit Model Checking

                                  bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                                  bull Some states are not generated in the productbull Counterexample can be found before

                                  searching all statesbull Easy to optimizebull Better support for asynchronous composition

                                  SPIN

                                  bull Explicit State Model Checkerbull Process Algebra

                                  ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                                  bull Nested Depth First Searchbull Uses a hashing function to store each state using

                                  only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                                  SPIN Example of Petersonrsquos Algorithm

                                  bool turn flag[2]byte ncrit

                                  active proctype user0()again

                                  flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                                  ncrit++ss assert(ncrit == 1) critical section

                                  ncrit--

                                  flag[0] = 0goto again

                                  active proctype user1()again

                                  flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                                  ncrit++assert(ncrit == 1) critical section ncrit--

                                  flag[1] = 0goto again

                                  Outline

                                  bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                  bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                  bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                  Partial Order Reduction

                                  bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                  bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                  bull The ordering between independent transitions is largely meaningless

                                  The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                  explosion problembull To see this consider n transitions that can be executed

                                  concurrentlybull In this case there are n different orderings and 2n different states

                                  (one for each subset of the transitions)bull If the specification does not distinguish between these

                                  sequences it is beneficial to consider only one with n + 1 states

                                  Partial Order Reduction

                                  bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                  bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                  bull Thus this reduction technique is best suited for asynchronous systems

                                  bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                  Partial Order Reduction (Cont)

                                  bull The method consists of constructing a reduced state graph

                                  bull The full state graph which may be too big to fit in memory is never constructed

                                  bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                  bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                  Partial Order Reduction (Cont)

                                  bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                  bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                  Compositional Reasoning

                                  bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                  receiver bull Assume-Guarantee Paradigm

                                  ndash Verify each sub-process separately by adding assumptions on sub-process

                                  ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                  Abstraction

                                  bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                  propertyndash Eg Infinite state Finite state approximation

                                  bull Disadvantage ndash Loss of Precision False positivesnegatives

                                  bull Approachesndash Cone of influence reductionndash Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
      v1 = v2; v2 = v1 & v3; v3 = v1 & v2; v4 = v5 & v3; v5 = v4 & v6;
    End

A Simple LTL property: F(~v1), i.e. v1 will eventually become False. The property refers only to v1, so V = {v1}.

Reduced model with respect to the cone of influence of v1:

    Boolean v1, v2, v3;
    Repeat forever in parallel
      v1 = v2;
      v2 = v1 & v3;
    End
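The cone of influence computation on the model above, as an added Python example (not code from the slides): each assignment contributes edges from the assigned variable to the variables it reads, and the cone of V is the closure under those edges; for V = {v1} it is {v1, v2, v3}, the three variables the reduced model declares. Because every assignment in the slide's model is a conjunction of the variables it reads (v1 = v2 being the one-operand case), the same table also drives a simulator, which confirms the claim of the theorem on this example: the v1 trace is identical in the full and the reduced model from every initial state. The dictionary encoding and the function names are mine.

```python
from itertools import product

# The slide's model, transcribed as "variable -> variables its next value reads".
# Every assignment is a conjunction of the variables it reads (v1 = v2 is the
# one-operand case); v6 is declared but never assigned, so it keeps its value.
ASSIGNMENTS = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
}
VARIABLES = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(assignments, V):
    """Smallest set containing V that also contains every variable read by the
    assignment of a variable already in the set (a transitive closure)."""
    cone, work = set(V), list(V)
    while work:
        v = work.pop()
        for read in assignments.get(v, ()):
            if read not in cone:
                cone.add(read)
                work.append(read)
    return cone


def reduce_model(assignments, cone):
    """The reduced model N: keep only the assignments of variables in the cone."""
    return {v: reads for v, reads in assignments.items() if v in cone}


def step(assignments, state):
    """One step of 'Repeat forever in parallel': every assignment reads the
    current state and writes the next one; unassigned variables are unchanged."""
    nxt = dict(state)
    for v, reads in assignments.items():
        nxt[v] = all(state[r] for r in reads)
    return nxt


def trace(assignments, state, var, steps):
    """Values of `var` over `steps` steps starting from `state`."""
    out = []
    for _ in range(steps):
        out.append(state[var])
        state = step(assignments, state)
    return out


def reduction_preserves_v1(steps=8):
    """Check the theorem on the example: for every initial state the v1 trace of
    the full model M equals that of the reduced model N (whose state is the
    restriction to the cone), so F(~v1) has the same truth value in M and N."""
    cone = cone_of_influence(ASSIGNMENTS, {"v1"})
    reduced = reduce_model(ASSIGNMENTS, cone)
    for values in product((False, True), repeat=len(VARIABLES)):
        full_state = dict(zip(VARIABLES, values))
        small_state = {v: full_state[v] for v in cone}
        if trace(ASSIGNMENTS, full_state, "v1", steps) != trace(reduced, small_state, "v1", steps):
            return False
    return True
```

Asking for the cone of {v4} instead returns all six variables: how much the reduction buys depends entirely on which variables the property mentions.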

Data Abstraction

Abstraction function h: S → S' (figure: each concrete state in S is mapped by h to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int → {Even, Odd}
    Odd  = {…, -3, -1, 1, 3, …}
    Even = {…, -2, 0, 2, 4, …}

  y: int → {Pos, Neg, Zero}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
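To show what the component-wise abstraction above does to a transition relation, here is an added Python example (not from the slides). It applies h(x, y) = (parity(x), sign(y)) to a small constructed concrete program, x := x + 1; y := y + 1, and computes the existential abstraction: an abstract transition exists whenever some concrete state in the source class steps into the target class. The concrete state space is infinite, so the transitions are collected over a finite window of values; that window, the program and all names are my assumptions. The two property checks at the end show the sound side (a universal property proved on the abstract model holds concretely) and the loss of precision the slide warns about (a spurious abstract counterexample).

```python
def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")


def h(state):
    """Component-wise abstraction function h: S -> S' from the slide."""
    x, y = state
    return (parity(x), sign(y))


def concrete_step(state):
    """Constructed concrete program: both counters increase by one."""
    x, y = state
    return (x + 1, y + 1)


def abstract_transitions(step, h, window):
    """Existential abstraction: (h(s), h(step(s))) for every concrete s in the
    window. Assumption: the window is wide enough to exhibit every class."""
    return {(h(s), h(step(s))) for s in window}


def abstract_reachable(transitions, init_abs):
    """Reachable abstract states: the finite model a checker explores instead of S."""
    seen, work = set(init_abs), list(init_abs)
    while work:
        a = work.pop()
        for src, dst in transitions:
            if src == a and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen


WINDOW = [(x, y) for x in range(-4, 5) for y in range(-4, 5)]  # constructed sample of S
ABSTRACT = abstract_transitions(concrete_step, h, WINDOW)


def y_component(transitions):
    """Project the abstract transitions onto the y component (the sign abstraction)."""
    return {(src[1], dst[1]) for src, dst in transitions}


def abstraction_proves_y_never_returns_to_neg():
    """A property that survives abstraction: once y is Pos it never becomes Neg.
    Every abstract transition out of Pos leads to Pos, and since the abstract
    model over-approximates the concrete one, the property holds concretely."""
    return all(dst == "Pos" for src, dst in y_component(ABSTRACT) if src == "Pos")


def abstraction_loses_eventually_nonneg():
    """Loss of precision: concretely y := y + 1 leaves Neg after finitely many
    steps, but the abstract model has a Neg -> Neg self-loop, so the abstract
    path Neg, Neg, Neg, ... is a spurious counterexample to F(y >= 0)."""
    return ("Neg", "Neg") in y_component(ABSTRACT)
```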

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    /* local states of a process; these definitions were not in the
       extracted slide and are added so that the model compiles */
    #define N 0
    #define T 1
    #define C 2

    byte tok = 1;

    active [2] proctype user()
    {
      byte state = N;
      do
      :: (state == N) -> state = T
      /* the two instances have _pid 0 and 1, while the state graph on the
         next slide numbers them 1 and 2 and lets process i enter C when
         tok == i; the + 1 aligns the guard with that graph */
      :: (state == T) && (tok == _pid + 1) -> state = C
      :: (state == C) -> state = N;
         if
         :: tok = 1
         :: tok = 2
         fi
      od
    }

Symmetry Reduction Example

State graph (12 states, each labelled with the local states of the two processes and the token holder; the two states on a row are mirror images under swapping the processes):

  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
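The state counts of the two graphs above can be reproduced by exploring the token model, as an added Python example (not the slides' code). The symmetry is the permutation that swaps the two processes and relabels the token (1 ↔ 2); exploiting it means storing one representative per orbit, here the lexicographically smaller of a state and its mirror image. `is_symmetry` is the brute-force form of symmetry detection for a candidate permutation: it checks that the permutation maps every transition of the full graph onto a transition. The encoding, with processes numbered 1 and 2 as in the graph, is mine.

```python
from collections import deque

N, T, C = "N", "T", "C"          # local states of a process
INIT = ((N, N), 1)               # both processes idle, process 1 holds the token


def successors(state):
    """Transitions of the token model: process i (1 or 2) may enter C only when
    tok == i, and on leaving C sets tok to 1 or 2 nondeterministically."""
    local, tok = state
    out = []
    for i in (0, 1):
        pid = i + 1
        nxt = list(local)
        if local[i] == N:
            nxt[i] = T
            out.append((tuple(nxt), tok))
        elif local[i] == T and tok == pid:
            nxt[i] = C
            out.append((tuple(nxt), tok))
        elif local[i] == C:
            nxt[i] = N
            for new_tok in (1, 2):
                out.append((tuple(nxt), new_tok))
    return out


def swap(state):
    """The symmetry: exchange the two processes and relabel the token."""
    (s1, s2), tok = state
    return ((s2, s1), 3 - tok)


def canonical(state):
    """Orbit representative: the smaller of the state and its mirror image."""
    return min(state, swap(state))


def explore(init, represent=lambda s: s):
    """Breadth-first reachability. `represent` maps each state to the one that is
    stored, so passing `canonical` visits one state per equivalence class."""
    start = represent(init)
    seen, work = {start}, deque([start])
    while work:
        s = work.popleft()
        for t in successors(s):
            r = represent(t)
            if r not in seen:
                seen.add(r)
                work.append(r)
    return seen


def is_symmetry(perm, states):
    """Symmetry detection for a candidate permutation: every transition s -> t
    of the full graph must be mapped onto a transition perm(s) -> perm(t)."""
    return all(
        set(map(perm, successors(s))) == set(successors(perm(s))) for s in states
    )
```

With a valid symmetry, the reduced exploration reaches exactly the canonical images of the full reachable set, so a property that is invariant under the permutation can be checked on 6 states instead of 12.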

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                              NuSMV-ImProviso                  SPIN
                         states      time    memory     states     time    memory
  Migratory Protocol (2)  155040   108.63s   56.3 MB    435456    2.34s   42.8 MB
  Stable Marriage (2)        710     0.84s    7.3 MB       568   <0.01s    1.5 MB
  Stable Marriage (3)       1275     2.72s   10.4 MB       945   <0.01s    1.5 MB
  Stable Marriage (5)      10351    31.56s   30.0 MB      8421    0.03s    2.1 MB
  Best (7)                    15     0.06s    0.7 MB      2187    0.03s    1.5 MB
  Best (20)                   41     0.34s    5.7 MB      N/A (1)
  Worst (3)                   15     0.04s    0.3 MB        15   <0.01s    1.5 MB
  Worst (20)             2097150     0.36s    5.0 MB   2097150   15.03s  110.6 MB
  Worst (100)           2.54E+30    14.34s   14.6 MB      N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

                NuSMV                           SPIN
       states      time    memory      states     time    memory
  2        70     0.11s    1.1 MB          70   <0.01s    1.5 MB
  3       488     0.57s    4.6 MB         488   <0.01s    1.5 MB
  4      3576     6.77s   10.6 MB        3576    0.10s    2.3 MB
  8      N/A (1)                          N/A (1)

With partial order reduction (PO):

                NuSMV-ImProviso                 SPIN
       states      time    memory      states     time    memory
  2        48     0.10s    1.0 MB          48    0.02s    1.5 MB
  3       209     0.31s    3.0 MB         209   <0.01s    1.5 MB
  4       922     1.77s   10.4 MB         922   <0.01s    1.7 MB
  8    306903  3553.86s  381.8 MB      306903   11.82s  232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Symbolic Model Checking (cont)

• Representing transition relations symbolically
• Boolean formula for transition relation
• Now represent as an OBDD

Symbolic Model Checking (cont)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence
• until convergence

Problems with BDDs

• BDDs are a canonical representation. Often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time consuming or needs manual intervention
  – Sometimes no space efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions but do not use canonical forms
• Do not suffer from the potential space explosion of BDDs
• Can handle functions with s to s of variables
• Very efficient implementations available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth first nature of SAT search procedures
• It finds finite paths of minimal length. This helps the user understand the example more easily
• It uses much less space than BDD based approaches
• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient
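An added Python sketch of the unrolling described on the two slides above (not from the slides, which rely on a real SAT solver): the machine is a constructed 2-bit counter, the bound-k formula is I(s0) ∧ T(s0, s1) ∧ … ∧ T(s(k-1), sk) ∧ ¬P(sk) over k + 1 copies of the state variables, and the SAT procedure is replaced by brute-force enumeration of all assignments to the unrolled variables, which is enough at this size. Incrementing k finds the shortest violating path; the second counter, which saturates at 2, shows the other outcome: no path up to a bound beyond the diameter, so the safety property holds. Machine, property and names are my assumptions.

```python
from itertools import product

NBITS = 2  # a state is a pair of bits (low bit, high bit)


def init(s):
    """I(s): the counter starts at 0."""
    return s == (False, False)


def trans_wrapping(s, t):
    """T(s, t) for a counter that increments modulo 4, written at bit level:
    the low bit toggles, the high bit toggles when the low bit carries."""
    b0, b1 = s
    return t == (not b0, b1 != b0)


def trans_saturating(s, t):
    """T(s, t) for a counter that increments but stops at 2 (never shows 3)."""
    value = (2 if s[1] else 0) + (1 if s[0] else 0)
    nxt = min(value + 1, 2)
    return t == (nxt % 2 == 1, nxt >= 2)


def bad(s):
    """not P(s): the safety property P is 'the counter never shows 3'."""
    return s == (True, True)


def unrolled(trans, k):
    """The BMC formula for bound k, as a predicate over a path s0..sk:
    I(s0) and T(s0, s1) and ... and T(s(k-1), sk) and not P(sk)."""
    def formula(path):
        return (init(path[0])
                and all(trans(path[i], path[i + 1]) for i in range(k))
                and bad(path[k]))
    return formula


def brute_force_sat(formula, k):
    """Stand-in for a SAT procedure: try every assignment to the NBITS * (k + 1)
    unrolled state variables and return a satisfying path, or None."""
    for bits in product((False, True), repeat=NBITS * (k + 1)):
        path = tuple(bits[i * NBITS:(i + 1) * NBITS] for i in range(k + 1))
        if formula(path):
            return path
    return None


def bmc(trans, max_k):
    """Increase the bound until a violating path is found and return (k, path);
    the first k that succeeds gives a path of minimal length. Returns None when
    no path exists up to max_k, which for a safety property is a proof once
    max_k reaches the diameter of the machine."""
    for k in range(max_k + 1):
        path = brute_force_sat(unrolled(trans, k), k)
        if path is not None:
            return k, path
    return None
```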

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD and SAT based model checking
• Allows user specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula
  – All traces of M must satisfy the formula
  – If a trace of M does not satisfy the formula
    • Counterexample
  – The language of M is the set of traces of M
  – The language of the formula is the set of traces that satisfy it
• M satisfies the formula iff the language of M is contained in the language of the formula
• Equivalently, the language of M and the language of the negated formula have no trace in common

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple: S, I, a transition relation, and F
  – S is a finite set of states
  – I, a subset of S, is the set of initial states
  – the transition relation is a set of pairs of states from S
  – F, a subset of S, is the set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

States: S0, S1, S2

  Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
  Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
  Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula
  – Build the Büchi automaton for the negated formula (call it B¬)
  – Compute the product of M and B¬
    • Each state of M is labeled with propositions
    • Each state of B¬ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬, i.e. the traces of M that violate the formula
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example

Example

Nested Depth First Search

    procedure DFS(s)
      visited = visited ∪ {s}
      for each successor s' of s
        if s' ∉ visited then
          DFS(s')
          if s' is accepting then
            DFS2(s', s')
          end if
        end if
      end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
      visited2 = visited2 ∪ {s}
      for each successor s' of s
        if s' = seed then
          return "Cycle Detect"
        end if
        if s' ∉ visited2 then
          DFS2(s', seed)
        end if
      end for
    end procedure
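The Example automaton and the two procedures above, implemented in Python as an added example (not the slides' code). The transitions S0→S1, S1→S1, S1→S2, S2→S2, S2→S1 with S2 accepting are read off the three traces on the Example slide. `accepts_lasso` decides Büchi acceptance for a trace given as a finite prefix followed by a repeating loop (the only form in which an infinite trace can be handed to a program), and `nested_dfs` follows DFS/DFS2: it returns the prefix leading to the accepting seed together with the cycle back to it, the counterexample lasso, or None when no accepting cycle exists. The second automaton is constructed to show the empty case.

```python
# Automaton of the Example slide, read off its three traces: S0 initial, S2 accepting.
EXAMPLE = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]}
EXAMPLE_ACCEPTING = {"S2"}

# Constructed automaton whose only accepting state (S1) lies on no cycle.
NO_ACCEPTING_CYCLE = {"S0": ["S1"], "S1": ["S2"], "S2": ["S2"]}


def accepts_lasso(prefix, loop, accepting):
    """Büchi acceptance for the infinite trace prefix + loop repeated forever:
    accepting states occur infinitely often iff one of them lies on the loop."""
    return any(s in accepting for s in loop)


def nested_dfs(initial, successors, accepting):
    """DFS / DFS2 from the slides. Returns (prefix, cycle): `prefix` leads from
    the initial state to the state just before the accepting seed, `cycle`
    starts at the seed and its last state has a transition back to the seed.
    Returns None if the automaton accepts nothing (no accepting cycle)."""
    visited, visited2 = set(), set()
    path, cycle = [], []

    def dfs2(s, seed):
        visited2.add(s)
        cycle.append(s)
        for t in successors.get(s, ()):
            if t == seed:
                return True                          # "Cycle Detect": back at the seed
            if t not in visited2 and dfs2(t, seed):
                return True
        cycle.pop()
        return False

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in successors.get(s, ()):
            if t not in visited:
                if dfs(t):
                    return True
                if t in accepting and dfs2(t, t):    # second search seeded at the accepting successor
                    return True
        path.pop()
        return False

    if dfs(initial) or (initial in accepting and dfs2(initial, initial)):
        return list(path), list(cycle)
    return None
```

`visited2` is shared across all seeds, which is what keeps the nested search linear in the size of the product: a state fully explored by one inner search is never re-entered by a later one.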

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
      flag[0] = 1;
    reach:
      turn = 0;
    cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);
      ncrit++;
    ss:
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
    }

    active proctype user1()
    {
    again:
      flag[1] = 1;
    reach:
      turn = 1;
    cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);
      ncrit++;
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
    }
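An added Python example (not SPIN's or the slides' code) that does on a small scale what SPIN does with the model above: it enumerates every interleaving of the two processes, taking each Promela statement as one atomic step, and checks the assertion ncrit == 1 whenever a process is in its critical section. The same checker is then run on a constructed naive lock (test the other flag, then raise your own) to show the kind of counterexample schedule SPIN reports. The (guard, action) encoding of statements and all names are mine.

```python
from collections import deque

INIT = {"flag0": 0, "flag1": 0, "turn": 0, "ncrit": 0}   # bool turn, flag[2]; byte ncrit


def peterson(me):
    """Statements of user0/user1 from the Promela model as (guard, action) pairs;
    a blocking statement is a guard with no action. The critical section is the
    statement after ncrit++ (index 4), where the model asserts ncrit == 1."""
    other = 1 - me
    return [
        (lambda v: True, lambda v: v.update({f"flag{me}": 1})),                      # flag[me] = 1
        (lambda v: True, lambda v: v.update({"turn": me})),                          # turn = me
        (lambda v: v[f"flag{other}"] == 0 or v["turn"] == other, lambda v: None),    # (flag[other] == 0 || turn == other)
        (lambda v: True, lambda v: v.update({"ncrit": v["ncrit"] + 1})),             # ncrit++
        (lambda v: True, lambda v: v.update({"ncrit": v["ncrit"] - 1})),             # assert(ncrit == 1); ncrit--
        (lambda v: True, lambda v: v.update({f"flag{me}": 0})),                      # flag[me] = 0; goto again
    ]


PETERSON_CRITICAL = 4


def naive_lock(me):
    """Constructed broken protocol: check the other flag, then raise your own."""
    other = 1 - me
    return [
        (lambda v: v[f"flag{other}"] == 0, lambda v: None),                          # wait until the other flag is down
        (lambda v: True, lambda v: v.update({f"flag{me}": 1})),                      # flag[me] = 1
        (lambda v: True, lambda v: v.update({"ncrit": v["ncrit"] + 1})),             # ncrit++
        (lambda v: True, lambda v: v.update({"ncrit": v["ncrit"] - 1})),             # assert(ncrit == 1); ncrit--
        (lambda v: True, lambda v: v.update({f"flag{me}": 0})),                      # flag[me] = 0; goto again
    ]


NAIVE_CRITICAL = 3


def check_mutex(make_process, critical_pc, init=INIT):
    """Explicit-state search over all interleavings of two processes. Returns
    (states_explored, counterexample); the counterexample is the shortest list
    of scheduled process ids reaching a state where a process is in its
    critical section and ncrit != 1, or None if the assertion always holds."""
    procs = [make_process(0), make_process(1)]
    start = ((0, 0), tuple(sorted(init.items())))
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        pcs, items = state
        store = dict(items)
        if any(pc == critical_pc for pc in pcs) and store["ncrit"] != 1:
            return len(parent), schedule(parent, state)
        for i, proc in enumerate(procs):            # every runnable process yields a successor
            guard, action = proc[pcs[i]]
            if not guard(store):
                continue                            # statement blocks in this state
            nxt = dict(store)
            action(nxt)
            new_pcs = list(pcs)
            new_pcs[i] = (pcs[i] + 1) % len(proc)   # the last statement loops back ("goto again")
            succ = (tuple(new_pcs), tuple(sorted(nxt.items())))
            if succ not in parent:
                parent[succ] = (state, i)
                queue.append(succ)
    return len(parent), None


def schedule(parent, state):
    """Rebuild the sequence of scheduled process ids that leads to `state`."""
    steps = []
    while parent[state] is not None:
        state, pid = parent[state]
        steps.append(pid)
    return steps[::-1]
```

The breadth-first order means the first violation found is reached by a shortest schedule, which is what makes the counterexample readable; for the naive lock it takes six steps, both processes passing the flag test before either raises its flag.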

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
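The counts on the State Explosion Problem slide, reproduced by an added Python example (not from the slides): n processes each perform one local transition, and no transition enables, disables or observes another. The full interleaving graph has 2^n states and n! complete orderings; the reduced graph explores, in each state, only one enabled transition, which is sound here because all transitions are mutually independent and the property is assumed not to distinguish their order (the condition the slide states). The encoding of a state as the set of transitions already executed, and all names, are mine.

```python
def full_state_graph(n):
    """All interleavings of n independent transitions. A state is the set of
    transitions executed so far, so there is one state per subset: 2**n."""
    start = frozenset()
    states, edges = {start}, []
    work = [start]
    while work:
        s = work.pop()
        for i in range(n):
            if i not in s:                      # transition i is still enabled
                t = s | {i}
                edges.append((s, t))
                if t not in states:
                    states.add(t)
                    work.append(t)
    return states, edges


def count_orderings(n):
    """Number of complete paths from the empty state to the full state in the
    interleaving graph, i.e. the n! different orderings."""
    memo = {}

    def paths(s):
        if len(s) == n:
            return 1
        if s not in memo:
            memo[s] = sum(paths(s | {i}) for i in range(n) if i not in s)
        return memo[s]

    return paths(frozenset())


def reduced_state_graph(n):
    """Partial order reduction for this case: in every state follow a single
    enabled transition (the smallest index) instead of all of them. Valid
    because the transitions commute and the property ignores their order, so
    the one representative ordering has the same observable behavior. The
    reduced graph is a single path with n + 1 states."""
    s = frozenset()
    states = [s]
    while len(s) < n:
        s = s | {min(i for i in range(n) if i not in s)}
        states.append(s)
    return states
```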

                                    Compositional Reasoning

                                    bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                    receiver bull Assume-Guarantee Paradigm

                                    ndash Verify each sub-process separately by adding assumptions on sub-process

                                    ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                    Abstraction

                                    bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                    propertyndash Eg Infinite state Finite state approximation

                                    bull Disadvantage ndash Loss of Precision False positivesnegatives

                                    bull Approachesndash Cone of influence reductionndash Data abstraction

                                    Cone of Influence Reduction

                                    bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                    Cone of Influence Reduction

                                    Boolean v1 v2 v3 v4 v5 v6

                                    Repeat forever in parallel

                                    v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                    End

                                    (F (~ v1)) v1 will eventually become False

                                    Boolean v1 v2 v3

                                    Repeat forever in parallel

                                    v1 = v2

                                    v2 = v1 amp v3

                                    End

                                    A Simple System Model

                                    A Simple LTL property

                                    Cone of Influence Reduction

                                    Data Abstraction

                                    h h hh h

                                    Abstraction Function h S Srsquo

                                    S

                                    Srsquo

                                    Data Abstraction Example

                                    bull Abstraction proceeds component-wise where variables are components

                                    xint Even

                                    Oddhellip -3 -1 1 3 hellip

                                    hellip -2 0 2 4 hellip

                                    1 2 3 hellip

                                    hellip -3 -2 -1

                                    0

                                    Pos

                                    Neg

                                    Zeroyint

                                    Symmetry

                                    bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                    equivalence class

                                    bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                    bull Ideally both should be fully automatic

                                    bull Challenges detecting amp exploiting symmetries

                                    Model Written in SPIN

                                    byte tok = 1

                                    active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                                    Symmetry Reduction Example

                                    N1 N2

                                    tok=1N1 N2

                                    tok=2

                                    N1 T2

                                    tok=1T1 N2

                                    tok=2T1 N2

                                    tok=1N1 T2

                                    tok=2

                                    T1 T2

                                    tok=1T1 T2

                                    tok=2C1 N2

                                    tok=1N1 C2

                                    tok=2

                                    C1 T2

                                    tok=1T1 C2

                                    tok=2

                                    N1 N2

                                    tok=1

                                    N1 T2

                                    tok=1T1 N2

                                    tok=1

                                    T1 T2

                                    tok=1C1 N2

                                    tok=1

                                    C1 T2

                                    tok=1

                                    State-graphReduced state-graph

                                    Outline

                                    bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                    bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                    bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

PAT: Process Analysis Toolkit

• An interactive system for composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                    PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event (action)
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                      SPIN
                         states      time        memory       states      time        memory
Migratory Protocol (2)   155040      108.63 s    56.3 MB      435456      2.34 s      42.8 MB
Stable Marriage (2)      710         0.84 s      7.3 MB       568         <0.01 s     1.5 MB
Stable Marriage (3)      1275        2.72 s      10.4 MB      945         <0.01 s     1.5 MB
Stable Marriage (5)      10351       31.56 s     30.0 MB      8421        0.03 s      2.1 MB
Best (7)                 15          0.06 s      0.7 MB       2187        0.03 s      1.5 MB
Best (20)                41          0.34 s      5.7 MB       N/A
Worst (3)                15          0.04 s      0.3 MB       15          <0.01 s     1.5 MB
Worst (20)               2097150     0.36 s      5.0 MB       2097150     15.03 s     110.6 MB
Worst (100)              2.54E+30    14.34 s     14.6 MB      N/A

• SPIN is faster whenever it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

       NuSMV                                SPIN
  N    states    time        memory         states    time        memory
  2    70        0.11 s      1.1 MB         70        <0.01 s     1.5 MB
  3    488       0.57 s      4.6 MB         488       <0.01 s     1.5 MB
  4    3576      6.77 s      10.6 MB        3576      0.10 s      2.3 MB
  8    N/A                                  N/A

With partial order reduction (PO):

       NuSMV-ImProviso                      SPIN
  N    states    time        memory         states    time        memory
  2    48        0.10 s      1.0 MB         48        0.02 s      1.5 MB
  3    209       0.31 s      3.0 MB         209       <0.01 s     1.5 MB
  4    922       1.77 s      10.4 MB        922       <0.01 s     1.7 MB
  8    306903    3553.86 s   381.8 MB       306903    11.82 s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                    Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs on some systems


Conclusion

• Three ways to do model checking
  – Symbolic model checking
  – Bounded model checking
  – Explicit model checking
• Various optimization techniques
  – Partial order reduction
  – Compositional reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – Model Checking of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms (cont.)

• Most suitable MC technique: explicit model checking
  – Benefits
      • Better support for asynchronous communication
      • Better control of optimization techniques
      • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry


Symbolic Model Checking (cont.)

• How to evaluate fixpoint formulas using OBDDs
• Introduce state variables
• Now compute the sequence of approximations until convergence

Problems with BDDs

• BDDs are a canonical representation; they often become too large
• Selecting the right variable ordering is very important for obtaining small BDDs
  – Often time-consuming or needs manual intervention
  – Sometimes no space-efficient variable ordering exists
• Next we describe an alternative approach to symbolic model checking that uses SAT procedures

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms
• They do not suffer from the potential space explosion of BDDs
• They can handle functions with thousands of variables
• Very efficient implementations are available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine (for a safety property: a path from an initial state to a state that violates it)
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine
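The unrolling described above, as an added example that is not part of the slides and does not use NuSMV: a small DPLL SAT procedure written for the example, a constructed 3-bit register as the finite state machine (it advances by 2 whenever a free input is set), and a bmc() loop that adds one copy of the transition relation per iteration and asks the solver for a path of length exactly k that ends in a bad state. The register, its CNF encoding and the bad-state predicates are assumptions of the example.

```python
# Added example (not from the slides): bounded model checking with a small
# DPLL SAT procedure written for this example.  The system is a constructed
# 3-bit register x = (x0, x1, x2) that starts at 0 and, whenever a free input
# `en` is 1, advances by 2 (mod 8):  x0' = x0,  x1' = x1 xor en,
# x2' = x2 xor (x1 and en).  bmc() unrolls the transition relation k times and
# asks the solver for a path of length exactly k ending in a "bad" state,
# increasing k until one is found or the bound is hit.
# Literals are signed ints (v or -v); a clause is a list of literals.


def simplify(clauses, lit):
    """Assume `lit` true: drop satisfied clauses, shorten the others."""
    out = []
    for clause in clauses:
        if lit in clause:
            continue
        if -lit in clause:
            clause = [l for l in clause if l != -lit]
            if not clause:
                return None            # empty clause: conflict
        out.append(clause)
    return out


def dpll(clauses, model=None):
    """Return a satisfying assignment {var: bool} or None."""
    model = dict(model or {})
    while True:                        # unit propagation
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        clauses = simplify(clauses, unit)
        if clauses is None:
            return None
        model[abs(unit)] = unit > 0
    if not clauses:
        return model
    lit = clauses[0][0]                # branch on the first remaining literal
    for choice in (lit, -lit):
        reduced = simplify(clauses, choice)
        if reduced is not None:
            result = dpll(reduced, {**model, abs(choice): choice > 0})
            if result is not None:
                return result
    return None


# Clause templates for z <-> a, z <-> (a xor b), z <-> (a and b).
def eq_clauses(z, a):
    return [[-z, a], [z, -a]]


def xor_clauses(z, a, b):
    return [[-z, a, b], [-z, -a, -b], [z, -a, b], [z, a, -b]]


def and_clauses(z, a, b):
    return [[-z, a], [-z, b], [z, -a, -b]]


def transition(cur, nxt, en, aux):
    """CNF for one step of the constructed register (aux = cur[1] and en)."""
    return (eq_clauses(nxt[0], cur[0]) + xor_clauses(nxt[1], cur[1], en)
            + and_clauses(aux, cur[1], en) + xor_clauses(nxt[2], cur[2], aux))


def equals(value):
    """Bad-state predicate: the register holds `value` (unit clauses on its bits)."""
    return lambda bits: [[b if (value >> i) & 1 else -b] for i, b in enumerate(bits)]


def bmc(bad, max_k):
    """Smallest k <= max_k with a path init -> ... -> bad, and that path."""
    counter = [0]

    def fresh():
        counter[0] += 1
        return counter[0]

    cur = [fresh() for _ in range(3)]
    clauses = [[-b] for b in cur]                    # initial state: x = 0
    steps = [cur]
    for k in range(max_k + 1):
        model = dpll(clauses + bad(cur))
        if model is not None:
            path = [sum(int(model.get(b, False)) << i for i, b in enumerate(s))
                    for s in steps]
            return k, path
        en, aux = fresh(), fresh()
        nxt = [fresh() for _ in range(3)]
        clauses += transition(cur, nxt, en, aux)   # unroll one more step
        cur = nxt
        steps.append(cur)
    return None                                      # no path within the bound


if __name__ == "__main__":
    print("x == 6 reachable:", bmc(equals(6), 8))   # (3, [0, 2, 4, 6])
    print("x == 5 reachable:", bmc(equals(5), 8))   # None: odd values are unreachable
```

The register has four reachable states, so its diameter is 3: once k exceeds that bound, a further UNSAT answer is a proof that the bad state is unreachable, which is how BMC is turned from a bug finder into a verifier for safety properties. Without such a completeness bound, "no counterexample up to k" says nothing about longer paths.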

Main Advantages of the SAT Approach

• Bounded model checking finds counterexamples quickly, due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the counterexample more easily
• It uses much less space than BDD-based approaches
• It does not need a manually selected variable order or costly reordering; the default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL and LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

                                      NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• Let L(M) be the set of traces of M and L(φ) the set of traces that satisfy φ
• M satisfies φ iff L(M) ⊆ L(φ)
• Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple consisting of
  – S, a finite set of states
  – I ⊆ S, a set of initial states
  – a transition relation ⊆ S × S
  – F ⊆ S, a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

Automaton with states S0, S1, S2 (figure not reproduced; the verdicts below imply that S2 is the accepting state):

  σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
  σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
  σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• An LTL formula represents a set of infinite traces: those which satisfy the formula
• A Büchi automaton accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
      • Each state of M is labeled with propositions
      • Each state of B¬φ is labeled with propositions
      • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ, i.e. L(M) ∩ L(¬φ)
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton; how do we find accepted sequences?
  – Accepted sequences must contain a cycle, in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
      • If we can reach the same state again, we have a cycle (and a counterexample)


Nested Depth First Search

procedure DFS(s)
    visited = visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detected"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure

(DFS2 is started only after DFS(s') has returned, i.e. in post-order of the first search; this ordering is what allows a single visited2 set to be shared by all second searches without missing cycles.)

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly
• Some states are never generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Can use a hash function to store each state in only 2 bits (bitstate hashing: hash collisions may cause states to be skipped, so there is no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until the guard holds */

    ncrit++;
ss:
    assert(ncrit == 1);                    /* critical section */
    ncrit--;

    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until the guard holds */

    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;

    flag[1] = 0;
    goto again
}
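The nested depth-first search from the pseudocode above, run against Peterson's algorithm as just shown. This is an added example, not code from the slides or from SPIN: the Promela model is re-encoded as a Python transition system with one program counter per process (the four counter values mirror the labels again, reach, cs and the critical section), the Büchi automata for the negated properties are built by hand, and a deliberately broken variant of the algorithm (turn written before flag) is included so that the search actually produces a counterexample lasso. The encoding, the proposition names and the buggy variant are assumptions of the example.

```python
# Added example (not from the slides): LTL model checking by nested depth-first
# search over the product of a model and a Büchi automaton, following the
# DFS/DFS2 pseudocode above.  The model is Peterson's algorithm from the
# Promela slide, re-encoded as a transition system with one program counter per
# process; a broken variant (turn written before flag) produces a counterexample.
AGAIN, REACH, WAIT, CRIT = range(4)           # program counters, as in the Promela labels
INIT = ((AGAIN, AGAIN), (0, 0), 0)            # (pcs, flag, turn)


def peterson_successors(state, buggy=False):
    """Interleaving semantics: one process executes one statement."""
    pcs, flag, turn = state
    out = []
    for i in (0, 1):
        j = 1 - i
        new_pcs, new_flag, new_turn = list(pcs), list(flag), turn
        if pcs[i] == AGAIN:              # flag[i] = 1   (buggy: turn = i instead)
            if buggy:
                new_turn = i
            else:
                new_flag[i] = 1
            new_pcs[i] = REACH
        elif pcs[i] == REACH:            # turn = i      (buggy: flag[i] = 1 instead)
            if buggy:
                new_flag[i] = 1
            else:
                new_turn = i
            new_pcs[i] = WAIT
        elif pcs[i] == WAIT:             # (flag[j] == 0 || turn == j) blocks while false
            if not (flag[j] == 0 or turn == j):
                continue
            new_pcs[i] = CRIT
        else:                            # leave the critical section: flag[i] = 0; goto again
            new_flag[i] = 0
            new_pcs[i] = AGAIN
        out.append((tuple(new_pcs), tuple(new_flag), new_turn))
    return out


def label(state):
    """Atomic propositions the automata read from a model state."""
    pcs = state[0]
    return {"cs0": pcs[0] == CRIT, "cs1": pcs[1] == CRIT, "try0": pcs[0] in (REACH, WAIT)}


# Büchi automata for the NEGATED properties: (source, guard on the label, target).
MUTEX_VIOLATION = {        # F (cs0 and cs1), i.e. not G not(cs0 and cs1)
    "init": "q0", "accept": {"q1"},
    "trans": [("q0", lambda l: True, "q0"),
              ("q0", lambda l: l["cs0"] and l["cs1"], "q1"),
              ("q1", lambda l: True, "q1")]}
STARVATION = {             # F (try0 and G not cs0), i.e. not G (try0 -> F cs0)
    "init": "q0", "accept": {"q1"},
    "trans": [("q0", lambda l: True, "q0"),
              ("q0", lambda l: l["try0"] and not l["cs0"], "q1"),
              ("q1", lambda l: not l["cs0"], "q1")]}


def nested_dfs(inits, succ, accepting):
    """(prefix, cycle) of an accepting lasso, or None if the language is empty."""
    visited, visited2, path = set(), set(), []

    def dfs2(s, seed):                   # second search: is there a path back to seed?
        visited2.add(s)
        for t in succ(s):
            if t == seed:
                return [t]
            if t not in visited2:
                tail = dfs2(t, seed)
                if tail is not None:
                    return [t] + tail
        return None

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in succ(s):
            if t not in visited:
                found = dfs(t)
                if found is not None:
                    return found
        if accepting(s):                 # post-order: s is fully explored
            cycle = dfs2(s, s)
            if cycle is not None:
                return list(path), cycle
        path.pop()
        return None

    for s0 in inits:
        if s0 not in visited:
            found = dfs(s0)
            if found is not None:
                return found
    return None


def check(model_succ, init, buchi):
    """Emptiness check of model x automaton; None means the property holds."""
    def product_succ(ps):
        s, q = ps
        return [(t, q2) for t in model_succ(s)
                for (q1, guard, q2) in buchi["trans"] if q1 == q and guard(label(t))]
    inits = [(init, q2) for (q1, guard, q2) in buchi["trans"]
             if q1 == buchi["init"] and guard(label(init))]
    return nested_dfs(inits, product_succ, lambda ps: ps[1] in buchi["accept"])


if __name__ == "__main__":
    print("mutual exclusion:", check(peterson_successors, INIT, MUTEX_VIOLATION))
    print("no starvation   :", check(peterson_successors, INIT, STARVATION))
    print("buggy variant   :", check(lambda s: peterson_successors(s, buggy=True), INIT, MUTEX_VIOLATION))
```

For the correct algorithm both checks return None. For the broken variant the prefix contains a state with both processes in the critical section and the cycle closes at the accepting seed, which is exactly the lasso SPIN would print as a trail. Note that the starvation check needs no fairness assumption here: a process at its wait statement blocks, so the only way to close a cycle while the other process waits is for the waiting process to move.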


Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction aims at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
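The counting argument of the state explosion slide and the "representatives" view of the last two slides, carried out on a constructed model. This is an added example, not code from the slides or from SPIN: n processes each execute one assignment and stop, so all orderings are possible; an ample-set style rule fires only one enabled process whenever that process shares no variable with any other, and optionally two processes are made to write the same variable so that their transitions become dependent and both orders must be kept. The model, the dependency rule (disjoint variable sets) and the counting helpers are assumptions of the example; because the model is acyclic and no property looks at intermediate states, the invisibility and cycle conditions of a full ample-set implementation are trivially met and are not checked.

```python
# Added example (not from the slides): exploring an interleaved model with and
# without an ample-set style reduction.  The constructed model has n processes
# that each execute a single assignment and stop; two of them may be made to
# write the same variable, which makes their transitions dependent.  The
# reduction fires only one enabled process whenever that process shares no
# variable with any other.  The model is acyclic and no property refers to
# intermediate states, so this rule is a valid ample set here; a general
# implementation must also check the invisibility and cycle conditions.


def make_model(n, shared_pair=None):
    """n processes; process i executes 'write_i := i' once.  With shared_pair=(a, b),
    processes a and b both write the variable 'shared'."""
    writes = [f"x{i}" for i in range(n)]
    if shared_pair:
        a, b = shared_pair
        writes[a] = writes[b] = "shared"
    names = sorted(set(writes))
    index = {v: k for k, v in enumerate(names)}
    init = ((0,) * n, (None,) * len(names))        # (pcs, variable values)

    def enabled(state):
        return [i for i in range(n) if state[0][i] == 0]

    def fire(state, i):
        pcs, vals = state
        vals = list(vals)
        vals[index[writes[i]]] = i
        return (pcs[:i] + (1,) + pcs[i + 1:], tuple(vals))

    def independent(i, j):
        return writes[i] != writes[j]              # disjoint variable sets

    return {"init": init, "procs": range(n), "enabled": enabled,
            "fire": fire, "independent": independent}


def ample(model, state):
    """Enabled processes to explore from `state` under the reduction."""
    en = model["enabled"](state)
    for p in en:
        if all(model["independent"](p, q) for q in model["procs"] if q != p):
            return [p]                               # one representative ordering
    return en                                        # dependent: keep all orderings


def explore(model, reduced):
    """Reachable states with full interleaving or with the ample-set reduction."""
    init = model["init"]
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for p in (ample(model, s) if reduced else model["enabled"](s)):
            t = model["fire"](s, p)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def terminal_states(model, states):
    """States in which no process is enabled (the final outcomes)."""
    return {s for s in states if not model["enabled"](s)}


def count_interleavings(model, state=None):
    """Number of complete execution orderings (n! for independent processes)."""
    state = model["init"] if state is None else state
    en = model["enabled"](state)
    if not en:
        return 1
    return sum(count_interleavings(model, model["fire"](state, p)) for p in en)


if __name__ == "__main__":
    for m in (make_model(4), make_model(4, shared_pair=(0, 1))):
        full, red = explore(m, reduced=False), explore(m, reduced=True)
        print(len(full), "states,", len(red), "with reduction,",
              count_interleavings(m), "orderings, same outcomes:",
              terminal_states(m, full) == terminal_states(m, red))
```

With four independent processes the full exploration visits the 2^4 = 16 states and 4! = 24 orderings of the slide, the reduced one the n + 1 = 5 states of a single representative ordering. When processes 0 and 1 write the same variable the reduction keeps both of their orderings (7 states instead of 20) and still reaches exactly the same set of final outcomes, which is the "behaviors not present add no information" guarantee in miniature.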

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel; the specification of such a system can be decomposed into properties that hold in the sub-processes
  – E.g., a communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g., infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (the variables on which V depends, transitively), then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction (example)

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    F (~v1)        v1 will eventually become False

The property refers only to v1; v1 depends on v2, v2 on v1 and v3, and v3 on v1 and v2, so the cone of influence is {v1, v2, v3} (v4, v5 and v6 are read by nothing in the cone) and the reduced model is:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End
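The reduction just shown, computed rather than done by hand, followed by a check that the property gives the same verdict on both models. This is an added example, not code from the slides: the dependency map is read off the program above, the cone is computed as a least fixpoint, and AF(¬v1) (on every path v1 eventually becomes false) is evaluated by explicit fixpoint iteration over all 2^6 and 2^3 states; because the slide gives v6 no update it is assumed here to keep its value, and the choice of checking AF over all initial states is an assumption of the example.

```python
# Added example (not from the slides): cone-of-influence reduction of the
# six-variable system on the slide, followed by an explicit check of
# AF(not v1) on both the full and the reduced model.  v6 has no update in
# the slide's program; it is assumed here to keep its value.
import itertools

# variable -> (variables its update reads, update function over the current state)
SYSTEM = {
    "v1": (("v2",),      lambda e: e["v2"]),
    "v2": (("v1", "v3"), lambda e: e["v1"] and e["v3"]),
    "v3": (("v1", "v2"), lambda e: e["v1"] and e["v2"]),
    "v4": (("v5", "v3"), lambda e: e["v5"] and e["v3"]),
    "v5": (("v4", "v6"), lambda e: e["v4"] and e["v6"]),
    "v6": ((),           lambda e: e["v6"]),      # assumption: unchanged
}


def cone_of_influence(system, targets):
    """Variables the targets depend on, transitively (least fixpoint)."""
    cone, frontier = set(targets), list(targets)
    while frontier:
        for dep in system[frontier.pop()][0]:
            if dep not in cone:
                cone.add(dep)
                frontier.append(dep)
    return cone


def reduce_model(system, cone):
    """Keep only the updates of variables inside the cone."""
    return {v: system[v] for v in system if v in cone}


def all_states(system):
    names = sorted(system)
    for bits in itertools.product((False, True), repeat=len(names)):
        yield frozenset(zip(names, bits))


def step(system, state):
    """All updates fire in parallel ('repeat forever in parallel')."""
    env = dict(state)
    return frozenset((v, fn(env)) for v, (_, fn) in system.items())


def af_failing(system, pred):
    """States from which AF pred does NOT hold.  The system is deterministic, so
    AF pred is the least fixpoint Z = pred | AX Z with AX Z = {s : step(s) in Z}."""
    states = list(all_states(system))
    z = {s for s in states if pred(dict(s))}
    while True:
        bigger = z | {s for s in states if step(system, s) in z}
        if bigger == z:
            return {s for s in states if s not in z}
        z = bigger


def project(state, cone):
    """Restrict a full-model state to the cone variables."""
    return frozenset((v, b) for v, b in state if v in cone)


if __name__ == "__main__":
    not_v1 = lambda e: not e["v1"]
    cone = cone_of_influence(SYSTEM, ["v1"])            # {'v1', 'v2', 'v3'}
    reduced = reduce_model(SYSTEM, cone)
    full_fail, red_fail = af_failing(SYSTEM, not_v1), af_failing(reduced, not_v1)
    print("cone:", sorted(cone), "states:", 2 ** len(SYSTEM), "->", 2 ** len(reduced))
    print("AF(not v1) fails from", len(full_fail), "full states and", len(red_fail),
          "reduced states; same after projection:",
          {project(s, cone) for s in full_fail} == red_fail)
```

The property fails from exactly one reduced state, v1 = v2 = v3 = True, which is a fixed point of the three updates, and from the eight full states that project onto it; the verdict and the counterexample agree, as the reduction theorem promises, while the state space shrinks from 64 to 8. Asking for the cone of v4 instead pulls in every variable, so for that property the reduction would buy nothing.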

Data Abstraction

Abstraction function h : S → S' maps each concrete state in S to an abstract state in S' (figure: several concrete states collapse onto one abstract state under h).

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are the components
  – x : int is abstracted to {Even, Odd}
      Odd  = { …, -3, -1, 1, 3, … }
      Even = { …, -2, 0, 2, 4, … }
  – y : int is abstracted to {Neg, Zero, Pos}
      Neg  = { …, -3, -2, -1 }
      Zero = { 0 }
      Pos  = { 1, 2, 3, … }
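The two abstraction functions above applied to a small program, with the "loss of precision" disadvantage from the Abstraction slide made concrete. This is an added example, not code from the slides: the concrete loop (x += 2; y -= 2 from x = 0, y = 1), the existential abstraction computed by lifting h over a window of representative concrete values, and the refined abstraction that adds the parity of y are all constructed for the example. One property (x stays even) is proved on the abstract model and therefore holds concretely; another (y never becomes zero) gets a spurious abstract counterexample that the refinement removes.

```python
# Added example (not from the slides): component-wise data abstraction with
# the slide's abstraction functions (x: int -> {Even, Odd}; y: int -> {Neg,
# Zero, Pos}) applied to a constructed loop, showing that a property proved on
# the abstract model holds concretely (soundness) while another produces a
# spurious abstract counterexample (loss of precision) that a refined
# abstraction removes.


def h_x(x):
    return "Even" if x % 2 == 0 else "Odd"


def h_y(y):
    return "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")


def h(state):                        # the slide's h : S -> S', component-wise
    return (h_x(state[0]), h_y(state[1]))


def h_refined(state):                # adds the parity of y to the y component
    return (h_x(state[0]), (h_y(state[1]), h_x(state[1])))


# Constructed concrete program:  x, y := 0, 1;  loop forever: x += 2; y -= 2
INIT = (0, 1)


def concrete_step(state):
    x, y = state
    return (x + 2, y - 2)


# Existential abstraction: A -> B iff some concrete state in h^-1(A) steps into
# h^-1(B).  Both updates are translations by a constant, so representatives
# from a small window around zero realise every abstract transition.
WINDOW = range(-4, 5)


def abstract_successors(h_fn, abs_state):
    return {h_fn(concrete_step((x, y)))
            for x in WINDOW for y in WINDOW if h_fn((x, y)) == abs_state}


def abstract_reachable(h_fn, concrete_init):
    """Abstract states reachable from h(concrete_init)."""
    start = h_fn(concrete_init)
    seen, stack = {start}, [start]
    while stack:
        for t in abstract_successors(h_fn, stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def concrete_prefix(init, steps):
    """Finite prefix of the infinite concrete run, for comparison only."""
    out, s = [], init
    for _ in range(steps):
        out.append(s)
        s = concrete_step(s)
    return out


if __name__ == "__main__":
    reach = abstract_reachable(h, INIT)
    print("abstract states:", sorted(reach))
    print("x always even (proved abstractly):", all(a[0] == "Even" for a in reach))
    print("y == 0 reachable abstractly:", ("Even", "Zero") in reach,
          "| concretely within 50 steps:", any(y == 0 for _, y in concrete_prefix(INIT, 50)))
    refined = abstract_reachable(h_refined, INIT)
    print("y == 0 reachable with parity added:", any(a[1][0] == "Zero" for a in refined))
```

The abstract model reaches (Even, Zero) because Pos − 2 can be Neg, Zero or Pos when only the sign of y is tracked, yet concretely y runs through 1, −1, −3, … and is never zero: a false positive of exactly the kind the Abstraction slide warns about. Soundness is preserved in the other direction: Odd is never reached abstractly, so x is even in every concrete state. Tracking the parity of y as well makes Zero unreachable and proves the second property too, which is the manual form of the refinement step an abstraction-refinement loop performs automatically.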

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting and exploiting symmetries


                                      Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

                                      Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

                                      ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

                                      ndash Model Checking Transactional Memories

                                      Model Checking Distributed Algorithms

                                      bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

                                      bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

                                      for the fairness with POR)

                                      bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry


                                        Problems with BDDs

• BDDs are a canonical representation, and they often become too large.

• Selecting the right variable ordering is very important for obtaining small BDDs.
  – Often time consuming, or needs manual intervention.
  – Sometimes no space-efficient variable ordering exists at all.

• Next we describe an alternative approach to symbolic model checking that uses SAT procedures.

                                        Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms.

• They do not suffer from the potential space explosion of BDDs (the cost shows up as search time instead: SAT is NP-complete, so the worst case is exponential).

• Can handle functions with large numbers of variables.

• Very efficient implementations are available.

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs.

• We construct a Boolean formula that is satisfiable iff there is a finite path of length k in the underlying machine that violates the property (a counterexample of length k).

• We look for longer and longer paths by incrementing the bound k.

• After some number of iterations we may conclude that no such path exists and the specification holds. Until the bound reaches that completeness threshold, an unsatisfiable formula only shows that there is no counterexample of length at most k.

• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine.

                                        Main Advantages of SAT Approach

• Bounded model checking works quickly; this is due to the depth-first nature of SAT search procedures.

• It finds counterexample paths of minimal length, which helps the user understand the counterexample more easily.

• It uses much less space than BDD-based approaches.

• It does not need a manually selected variable order or costly reordering; the solver's default splitting heuristics are usually sufficient.
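The unrolling described on the two slides above, as an added example rather than code from the slides: a constructed 2-bit counter that cycles 0 → 1 → 2 → 0 is unrolled k steps into the CNF formula I(s0) ∧ T(s0,s1) ∧ … ∧ T(s_{k-1},s_k) ∧ ¬P(s_k), and a minimal DPLL solver (also constructed here; a real BMC tool would call a solver such as MiniSat) decides each bound. The diameter of the counter is 2, so an unsatisfiable result for every k ≤ 2 proves the safety property.

```python
"""Bounded model checking with a SAT procedure (added example, constructed system)."""
from itertools import count


class CnfBuilder:
    """Numbers Boolean variables (name, step) and collects clauses as tuples of ints,
    negative meaning a negated literal (the DIMACS convention)."""

    def __init__(self):
        self.clauses = []
        self._ids = {}
        self._fresh = count(1)

    def var(self, name, step):
        key = (name, step)
        if key not in self._ids:
            self._ids[key] = next(self._fresh)
        return self._ids[key]

    def add(self, *lits):
        self.clauses.append(tuple(lits))

    def iff_and(self, x, lits):
        """Clauses for x <-> (l1 & l2 & ...)."""
        for lit in lits:
            self.add(-x, lit)
        self.add(x, *[-lit for lit in lits])


def dpll(clauses, assignment=None):
    """Return a satisfying assignment {var: bool} or None.
    Unit propagation, then branch on the first open literal (no learning; toy sizes only)."""
    assignment = dict(assignment or {})
    while True:
        unit, remaining = None, []
        for clause in clauses:
            open_lits, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    open_lits.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not open_lits:
                return None                      # conflict: every literal is false
            if len(open_lits) == 1:
                unit = open_lits[0]
            remaining.append(tuple(open_lits))
        clauses = remaining
        if not clauses:
            return assignment
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    branch = abs(clauses[0][0])
    for value in (True, False):
        assignment[branch] = value
        model = dpll(clauses, assignment)
        if model is not None:
            return model
    return None


def counter_bmc(bad_value, max_k):
    """Shortest path of length k <= max_k from the initial state to a state whose
    counter equals bad_value. Returns (k, trace of counter values) or None."""
    for k in range(max_k + 1):
        cnf = CnfBuilder()
        b1 = lambda i: cnf.var("b1", i)          # high bit of the counter at step i
        b0 = lambda i: cnf.var("b0", i)          # low bit of the counter at step i
        cnf.add(-b1(0)); cnf.add(-b0(0))         # I(s0): the counter starts at 0
        for i in range(k):                       # T(s_i, s_{i+1}): 0 -> 1 -> 2 -> 0
            cnf.iff_and(b0(i + 1), [-b1(i), -b0(i)])   # b0' = !b1 & !b0
            cnf.iff_and(b1(i + 1), [-b1(i), b0(i)])    # b1' = !b1 &  b0
        hi, lo = (bad_value >> 1) & 1, bad_value & 1   # !P(s_k): counter == bad_value
        cnf.add(b1(k) if hi else -b1(k))
        cnf.add(b0(k) if lo else -b0(k))
        model = dpll(cnf.clauses)
        if model is not None:
            trace = [2 * int(model.get(b1(i), False)) + int(model.get(b0(i), False))
                     for i in range(k + 1)]
            return k, trace
    return None


COUNTER_DIAMETER = 2   # longest shortest path between the reachable states 0, 1, 2


def counter_is_safe(bad_value):
    """Safety: no counterexample up to the diameter means the bad value is unreachable."""
    return counter_bmc(bad_value, COUNTER_DIAMETER) is None


if __name__ == "__main__":
    print(counter_bmc(2, 5))     # shortest path reaching 2: (2, [0, 1, 2])
    print(counter_is_safe(3))    # the value 3 is never reached: True
```

`counter_bmc` stops at the first satisfiable bound, which is why the counterexample it returns is of minimal length; `counter_is_safe` is the completeness argument from the slide made concrete, and it is only valid because the bound is tied to the diameter of the machine.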

                                        NuSMV A New Symbolic Model Verifier

• Finite-state systems described in a specialized language.

• Specifications expressible in CTL and LTL.

• Provides both BDD-based and SAT-based model checking.

• Allows a user-specified variable ordering.

• Uses a number of heuristics for achieving efficiency and controlling state explosion.

                                        NuSMV language by examples

                                        Explicit Model Checking

• Given a model M and an LTL formula φ:
  – All traces of M must satisfy φ.
  – If a trace of M does not satisfy φ, that trace is a counterexample.

• Below, M also stands for the set of traces of M, and φ for the set of traces that satisfy φ.

• M ⊨ φ  iff  M ⊆ φ

• Equivalently, M ∩ ¬φ = ∅

                                        Buumlchi Automata

• An automaton which accepts infinite traces.

• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩:
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states

• An infinite sequence of states is accepted iff it contains accepting states infinitely often.

Example

Automaton with states S0, S1, S2 (S2 is the accepting state):

  σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
  σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
  σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED

                                        LTL and Buumlchi Automata

• LTL formula φ
  – Represents the set of infinite traces which satisfy φ.

• Büchi automaton
  – Accepts a set of infinite traces.

• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula.

                                        LTL Model Checking

• Given a model M and an LTL formula φ:
  – Build the Büchi automaton B¬φ.
  – Compute the product of M and B¬φ:
    • each state of M is labeled with propositions,
    • each state of B¬φ is labeled with propositions,
    • match states with the same labels.
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ ¬φ).
  – If the product accepts any sequence, we have found a counterexample.

                                        Nested Depth First Search

• The product is a Büchi automaton.
• How do we find accepted sequences?
  – An accepted sequence must contain a cycle, in order to contain accepting states infinitely often.
  – We are interested only in cycles that contain at least one accepting state.
  – During the depth-first search, start a second search when we are in an accepting state.
    • If the second search can reach the same state again, we have a cycle (and a counterexample).

Nested Depth First Search

  procedure DFS(s)
      visited := visited ∪ {s}
      for each successor s' of s
          if s' ∉ visited then
              DFS(s')
              if s' is accepting then
                  DFS2(s', s')
              end if
          end if
      end for
  end procedure

  procedure DFS2(s, seed)
      visited2 := visited2 ∪ {s}
      for each successor s' of s
          if s' = seed then
              return "Cycle Detected"
          end if
          if s' ∉ visited2 then
              DFS2(s', seed)
          end if
      end for
  end procedure
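The two procedures above in runnable form, as an added example and not code from the slides. The nested search is launched when the outer search backtracks from an accepting state (postorder), which also covers an accepting initial state that the pseudocode's successor-based check would skip, and the lasso-shaped counterexample (prefix, cycle) is rebuilt from the two search stacks. The automata are constructed; SLIDE_EXAMPLE is the three-state automaton from the example slide with S2 accepting.

```python
"""Nested depth-first search for an accepting cycle in a Büchi (or product) automaton."""


class Buchi:
    def __init__(self, init, edges, accepting):
        self.init = init
        self.accepting = frozenset(accepting)
        self.succ = {}
        for a, b in edges:
            self.succ.setdefault(a, []).append(b)

    def successors(self, s):
        return self.succ.get(s, ())


class _CycleFound(Exception):
    pass


def find_accepting_cycle(aut):
    """Return (prefix, cycle) for an accepted run prefix . cycle^omega, or None when no
    accepting state lies on a reachable cycle (the language is empty)."""
    visited, visited2 = set(), set()
    path, path2 = [], []               # outer and inner DFS stacks

    def dfs2(s, seed):
        visited2.add(s)
        path2.append(s)
        for t in aut.successors(s):
            if t == seed:
                raise _CycleFound      # closed a cycle through the accepting seed
            if t not in visited2:
                dfs2(t, seed)
        path2.pop()

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in aut.successors(s):
            if t not in visited:
                dfs(t)
        if s in aut.accepting:         # postorder: second search from each accepting state
            path2.clear()
            dfs2(s, s)
        path.pop()

    try:
        dfs(aut.init)
    except _CycleFound:
        return list(path[:-1]), list(path2)
    return None


# The example slide: S2 is accepting; S1 S1 S1 ... is rejected, S2 S2 ... and S2 S1 S2 S1 ... accepted.
SLIDE_EXAMPLE = Buchi("S0", [("S0", "S1"), ("S1", "S2"), ("S2", "S2"),
                             ("S2", "S1"), ("S1", "S1")], ["S2"])

# Constructed: the accepting state is reachable but lies on no cycle, so the language is empty.
DEAD_END = Buchi("S0", [("S0", "S1"), ("S1", "S2"), ("S2", "S0"), ("S1", "S3")], ["S3"])

# Constructed: the accepting state is on a cycle that does not loop on itself.
LONG_CYCLE = Buchi("S0", [("S0", "S1"), ("S1", "S2"), ("S2", "S0")], ["S1"])


def run_is_accepted(aut, prefix, cycle):
    """Sanity check of a returned lasso: it starts in the initial state, consecutive states
    are connected, the cycle closes, and the cycle contains an accepting state."""
    seq = prefix + cycle
    connected = all(b in aut.successors(a) for a, b in zip(seq, seq[1:]))
    return (seq[0] == aut.init and connected
            and cycle[0] in aut.successors(cycle[-1])
            and bool(set(cycle) & aut.accepting))


if __name__ == "__main__":
    print(find_accepting_cycle(SLIDE_EXAMPLE))   # (['S0', 'S1'], ['S2'])
    print(find_accepting_cycle(DEAD_END))        # None
    print(find_accepting_cycle(LONG_CYCLE))      # (['S0'], ['S1', 'S2', 'S0'])
```

The single shared `visited2` set across all nested searches is what keeps the algorithm linear in the size of the product; it is sound only because the nested searches are started in postorder, exactly as the pseudocode does.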

                                        Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly.
  – Some states are never generated in the product.
  – A counterexample can be found before searching all states.

• Easy to optimize.

• Better support for asynchronous composition.

                                        SPIN

• Explicit-state model checker.
• Process algebra (Promela):
  – asynchronous composition of independent processes,
  – communication using channels and global variables,
  – non-deterministic choices and interleavings.

• Nested depth-first search.
• Bitstate hashing: stores each state using only 2 bits, with no guarantee of soundness (a hash collision can make an unexplored state look visited, so a run that reports no error is not a proof).
• Partial order reduction.

                                        SPIN Example of Petersonrsquos Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the guard holds */
      ncrit++;
  ss:
      assert(ncrit == 1);                     /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);
      ncrit++;
      assert(ncrit == 1);                     /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }
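What SPIN does with the Promela model above, as an added example in Python rather than the slides' own code: the same algorithm as a transition function, explored exhaustively breadth-first over all interleavings. The property is the mutual-exclusion invariant behind `assert(ncrit == 1)`: the two processes are never in their critical sections at once. For contrast, `racy_step` is a constructed broken variant that tests the other process's flag before raising its own (a time-of-check/time-of-use race); the checker finds the interleaving that breaks it and rebuilds the trace from parent pointers.

```python
"""Explicit-state model checking of Peterson's algorithm (added example)."""
from collections import deque

# A state is (pc0, pc1, flag0, flag1, turn).  Program counters:
#   0 = about to set flag[i] = 1        1 = about to set turn = i
#   2 = waiting at the guard            3 = inside the critical section
INIT = (0, 0, 0, 0, 0)


def peterson_step(state, i):
    """Successor when process i executes one atomic step, or None if it is blocked."""
    pc, flag, turn = list(state[:2]), list(state[2:4]), state[4]
    j = 1 - i
    if pc[i] == 0:
        flag[i], pc[i] = 1, 1
    elif pc[i] == 1:
        turn, pc[i] = i, 2
    elif pc[i] == 2:
        if not (flag[j] == 0 or turn == j):    # (flag[1 - i] == 0 || turn == 1 - i)
            return None
        pc[i] = 3                              # enter the critical section
    else:
        flag[i], pc[i] = 0, 0                  # leave the critical section
    return (pc[0], pc[1], flag[0], flag[1], turn)


def racy_step(state, i):
    """Constructed broken protocol: check the other flag, then raise your own, then enter."""
    pc, flag, turn = list(state[:2]), list(state[2:4]), state[4]
    j = 1 - i
    if pc[i] == 0:
        if flag[j] != 0:
            return None                        # time of check ...
        pc[i] = 1
    elif pc[i] == 1:
        flag[i], pc[i] = 1, 3                  # ... time of use: j may have passed its check too
    else:
        flag[i], pc[i] = 0, 0
    return (pc[0], pc[1], flag[0], flag[1], turn)


def both_in_critical_section(state):
    return state[0] == 3 and state[1] == 3


def check_mutex(step, init=INIT):
    """Exhaustive breadth-first exploration of all interleavings.
    Returns (number of states explored, shortest violating trace or None)."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if both_in_critical_section(s):
            trace = []
            while s is not None:               # rebuild the counterexample from parents
                trace.append(s)
                s = parent[s]
            return len(parent), trace[::-1]
        for i in (0, 1):
            t = step(s, i)
            if t is not None and t not in parent:
                parent[t] = s
                queue.append(t)
    return len(parent), None


if __name__ == "__main__":
    print(check_mutex(peterson_step))   # (..., None): mutual exclusion holds
    print(check_mutex(racy_step))       # (..., 5-state trace ending with both in the CS)
```

Breadth-first order is what makes the returned trace the shortest counterexample, the same reason SPIN offers a breadth-first mode for reporting short error traces.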

                                        Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                                        Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.

• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.

• The ordering between independent transitions is largely meaningless.

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem.
• To see this, consider n transitions that can be executed concurrently.
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions).
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states.

                                        Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched.

• It exploits the commutativity of concurrently executed transitions, which result in the same state regardless of their order.

• Thus this reduction technique is best suited for asynchronous systems.

• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved.)

                                        Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph.

• The full state graph, which may be too big to fit in memory, is never constructed.

• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.

• The justification of the reduction method shows that the behaviors that are not present do not add any information for the property being checked.

                                        Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution.

• However, the method is better described as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors.
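The n! orderings and 2^n states versus n + 1 states from the slides above, counted on a constructed system as an added example (not code from the slides). Each of n processes does a local step (touching only its own program counter) and, optionally, a global step (incrementing a shared counter, which is dependent on every other global step). The reduced exploration uses an ample set that, whenever some process has an enabled local step, expands only the first such step. Local steps are independent of all other transitions and invisible to the property (the final value of the shared counter), and the state graph is acyclic, so the ample-set conditions hold; a general implementation must also handle the cycle condition, which this one omits.

```python
"""Interleaving explosion and a partial order reduction of it (added example)."""


def successors(state, n, with_global=True):
    """All enabled transitions of state = (pcs, shared).
    pc 0: local step pending; pc 1: global step pending (finished if with_global is False);
    pc 2: finished."""
    pcs, shared = state
    out = []
    for i in range(n):
        if pcs[i] == 0:
            new = list(pcs); new[i] = 1
            out.append(("local", (tuple(new), shared)))
        elif pcs[i] == 1 and with_global:
            new = list(pcs); new[i] = 2
            out.append(("global", (tuple(new), shared + 1)))
    return out


def ample(state, n, with_global=True):
    """Ample set: one enabled local transition if there is one, else every enabled transition.
    A local transition is independent of everything else and invisible to the property."""
    enabled = successors(state, n, with_global)
    for t in enabled:
        if t[0] == "local":
            return [t]
    return enabled


def explore(n, reduce, with_global=True):
    """Returns (number of states visited, set of shared-counter values in terminal states)."""
    init = (tuple([0] * n), 0)
    seen, stack, terminal = {init}, [init], set()
    while stack:
        s = stack.pop()
        enabled = successors(s, n, with_global)
        if not enabled:
            terminal.add(s[1])
        chosen = ample(s, n, with_global) if reduce else enabled
        for _, t in chosen:
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen), terminal


def count_paths(n, reduce, with_global=True):
    """Number of distinct maximal paths (interleavings) in the explored graph."""
    memo = {}

    def paths(s):
        if s not in memo:
            enabled = successors(s, n, with_global)
            chosen = ample(s, n, with_global) if reduce else enabled
            memo[s] = 1 if not enabled else sum(paths(t) for _, t in chosen)
        return memo[s]

    return paths((tuple([0] * n), 0))


if __name__ == "__main__":
    # n independent local transitions, as on the slide: 2^n states and n! orderings vs n + 1 states
    print(explore(5, reduce=False, with_global=False), count_paths(5, False, False))  # (32, {0}) 120
    print(explore(5, reduce=True, with_global=False), count_paths(5, True, False))    # (6, {0}) 1
    # with one dependent global step per process: 3^n states vs 2^n + n
    print(explore(4, reduce=False), count_paths(4, False))                            # (81, {4}) 2520
    print(explore(4, reduce=True), count_paths(4, True))                              # (20, {4}) 24
```

Both explorations agree on the property (every terminal state has the shared counter equal to n); the reduction only removes orderings of transitions that commute.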

                                        Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold of the sub-processes.
  – Communication protocol: a sender, a network and a receiver.

• Assume-Guarantee paradigm
  – Verify each sub-process separately, under assumptions about the sub-processes it interacts with.
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (the || of the sub-processes).

                                        Abstraction

• Eliminate details irrelevant to the property.
• Obtain simple finite models sufficient to verify the property.
  – E.g. infinite state → finite state approximation.

• Disadvantage
  – Loss of precision: false positives/negatives.

• Approaches
  – Cone of influence reduction
  – Data abstraction

                                        Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (V together with every variable that, directly or transitively, influences a variable in V), then M ⊨ f if and only if N ⊨ f, where N is the model reduced with respect to C.

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 ∧ v3
        v3 = v1 ∧ v2
        v4 = v5 ∧ v3
        v5 = v4 ∧ v6
    End

A simple LTL property:

    F (¬v1)        v1 will eventually become False

The cone of influence of {v1} is {v1, v2, v3}; the reduced model keeps only those variables and their assignments:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 ∧ v3
        v3 = v1 ∧ v2
    End
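The reduction above computed and checked, as an added example and not code from the slides. The dependency graph is read off the five assignments; v6 has no assignment and is treated as a free input. The final check is the justification for the reduction: the full model's reachable states projected onto the cone are exactly the reduced model's reachable states, and F(¬v1) gets the same verdict in both models. The initial states are constructed for the check.

```python
"""Cone of influence reduction on the six-variable example (added example)."""
from itertools import product

# name -> (variables the assignment reads, next-state function); v6 is a free input
FULL = {
    "v1": (("v2",),      lambda v2: v2),
    "v2": (("v1", "v3"), lambda v1, v3: v1 and v3),
    "v3": (("v1", "v2"), lambda v1, v2: v1 and v2),
    "v4": (("v5", "v3"), lambda v5, v3: v5 and v3),
    "v5": (("v4", "v6"), lambda v4, v6: v4 and v6),
}


def variables(model):
    names = set(model)
    for deps, _ in model.values():
        names.update(deps)
    return sorted(names)


def cone_of_influence(model, prop_vars):
    """Smallest superset of prop_vars closed under 'the assignment of v reads w'."""
    cone, work = set(prop_vars), list(prop_vars)
    while work:
        deps = model.get(work.pop(), ((), None))[0]
        for w in deps:
            if w not in cone:
                cone.add(w)
                work.append(w)
    return cone


def reduce_model(model, cone):
    """Drop every assignment to a variable outside the cone."""
    return {v: model[v] for v in model if v in cone}


def _key(state):
    return tuple(sorted(state.items()))


def step(model, state):
    """Successors of a valuation: all assignments fire in parallel; free inputs take any value."""
    nxt = {v: fn(*[state[d] for d in deps]) for v, (deps, fn) in model.items()}
    free = [v for v in variables(model) if v not in model]
    for choice in product((False, True), repeat=len(free)):
        yield dict(nxt, **dict(zip(free, choice)))


def reachable(model, init):
    seen, work = {_key(init)}, [init]
    while work:
        for t in step(model, work.pop()):
            if _key(t) not in seen:
                seen.add(_key(t))
                work.append(t)
    return seen


def project(states, cone):
    return {tuple((n, v) for n, v in s if n in cone) for s in states}


def eventually_false(model, init, var):
    """F(¬var) holds on every path from init iff no infinite path stays inside the states
    where var is true, i.e. that restricted subgraph has no reachable cycle."""
    if not init[var]:
        return True
    colour = {}                                  # 1 = on the DFS stack, 2 = finished

    def dfs(s):
        colour[_key(s)] = 1
        for t in step(model, s):
            if not t[var]:
                continue
            c = colour.get(_key(t), 0)
            if c == 1 or (c == 0 and dfs(t)):
                return True                      # cycle with var true throughout
        colour[_key(s)] = 2
        return False

    return not dfs(init)


def check_reduction(init):
    """Returns (cone, projection matches, verdicts agree) for the property F(¬v1)."""
    cone = cone_of_influence(FULL, ["v1"])
    reduced = reduce_model(FULL, cone)
    init_reduced = {v: init[v] for v in cone}
    same_states = project(reachable(FULL, init), cone) == reachable(reduced, init_reduced)
    same_verdict = (eventually_false(FULL, init, "v1")
                    == eventually_false(reduced, init_reduced, "v1"))
    return cone, same_states, same_verdict


INIT = dict(v1=True, v2=False, v3=True, v4=True, v5=True, v6=True)   # constructed initial state
ALL_TRUE = dict(v1=True, v2=True, v3=True, v4=True, v5=True, v6=True)

if __name__ == "__main__":
    print(check_reduction(INIT))        # ({'v1', 'v2', 'v3'}, True, True); F(¬v1) holds
    print(check_reduction(ALL_TRUE))    # ({'v1', 'v2', 'v3'}, True, True); F(¬v1) fails in both
```

The reduced model is smaller by the variables v4, v5 and the free input v6, and the equal verdicts are no accident: every path of the full model projects onto a path of the reduced model and vice versa, because no variable in the cone reads a variable outside it.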

Data Abstraction

Abstraction function h : S → S'  (each concrete state in S is mapped by h to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are the components.

  x : int  →  { Even, Odd }
      Even: …, -2, 0, 2, 4, …
      Odd:  …, -3, -1, 1, 3, …

  y : int  →  { Neg, Zero, Pos }
      Neg:  …, -3, -2, -1
      Zero: 0
      Pos:  1, 2, 3, …
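The two abstraction functions above applied to concrete transition systems, with the loss of precision the Abstraction slide warns about, as an added example and not code from the slides. The concrete systems are constructed: integer counters restricted to the finite window CONCRETE so that the abstract transition relation can be computed by enumeration. Under the parity map, x := x + 1 abstracts exactly, so a property proved on the abstract model (no two consecutive Even values) transfers to the concrete one. Under the sign map, y := y + 2 gets an abstract self-loop on Neg, so the liveness property F(¬Neg), which holds concretely, receives a spurious counterexample on the abstraction.

```python
"""Existential data abstraction and where it loses precision (added example)."""

CONCRETE = range(-8, 9)           # constructed finite stand-in for int


def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(x):
    return "Zero" if x == 0 else ("Pos" if x > 0 else "Neg")


def abstract_transitions(step, h, domain=CONCRETE):
    """Existential abstraction: an abstract edge A -> B exists iff some concrete x with
    h(x) = A steps to some x' with h(x') = B (successors leaving the window are dropped)."""
    edges = set()
    for x in domain:
        y = step(x)
        if y in domain:
            edges.add((h(x), h(y)))
    return edges


def abstract_successors(edges, a):
    return {b for s, b in edges if s == a}


def can_stay_forever(edges, a):
    """True if the abstract model admits an infinite path that never leaves class a.
    Each class is a single abstract state, so this is exactly a self-loop on a."""
    return (a, a) in edges


def concrete_steps_to_leave(step, h, x0, a, limit=100):
    """Concrete steps from x0 until h(x) != a, or None if that does not happen within limit."""
    x = x0
    for n in range(limit + 1):
        if h(x) != a:
            return n
        x = step(x)
    return None


def increment(x):
    return x + 1


def add_two(x):
    return x + 2


if __name__ == "__main__":
    parity_edges = abstract_transitions(increment, parity)
    print(parity_edges)                                  # {('Even', 'Odd'), ('Odd', 'Even')}: precise
    print(can_stay_forever(parity_edges, "Even"))        # False: proves "no two consecutive evens"
    sign_edges = abstract_transitions(add_two, sign)
    print(abstract_successors(sign_edges, "Neg"))        # {'Neg', 'Zero', 'Pos'}
    print(can_stay_forever(sign_edges, "Neg"))           # True: spurious infinite Neg path
    print(concrete_steps_to_leave(add_two, sign, -8, "Neg"))   # 4: concretely it always leaves
```

The direction of the guarantee is the point: existential abstraction over-approximates behaviour, so properties verified on the abstract model hold concretely, while abstract counterexamples must be checked against the concrete model before they are believed.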

                                        Symmetry

• Symmetry partitions the state space into equivalence classes.
• With knowledge of the symmetry, search only one state per equivalence class.

• Need techniques for
  – symmetry detection,
  – efficient exploitation of symmetry.

• Ideally both should be fully automatic.

• Challenges: detecting and exploiting symmetries.

Model Written in SPIN

  mtype = { N, T, C };
  byte tok = 1;

  active [2] proctype user()
  {
      mtype state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the token is 1 or 2 as in the state graph */
      :: (state == C) -> state = N;
                         if :: tok = 1 :: tok = 2 fi      /* hand the token to either process */
      od
  }

Symmetry Reduction Example

State graph (12 reachable states, each written as the local states of process 1 and process 2 plus the token; the two states on a row are images of each other under swapping the processes):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (one representative per equivalence class, 6 states):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
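The reduction above reproduced on the token model, as an added example and not code from the slides. The Promela model is re-expressed as a Python successor function; the two processes are interchangeable, so swapping their local states while renaming the token (1 ↔ 2) maps the state graph onto itself. Choosing, for each equivalence class, the representative that holds tok == 1 yields exactly the six states of the reduced graph.

```python
"""Symmetry reduction of the two-process token model (added example)."""

N, T, C = "N", "T", "C"
INIT = (N, N, 1)     # (local state of process 1, local state of process 2, tok)


def successors(state):
    """Interleaving semantics of the Promela model: one process moves per step."""
    out = []
    for i in (0, 1):
        local, tok = list(state[:2]), state[2]
        if local[i] == N:                       # (state == N) -> state = T
            local[i] = T
            out.append((local[0], local[1], tok))
        elif local[i] == T and tok == i + 1:    # (state == T) && (tok == pid) -> state = C
            local[i] = C
            out.append((local[0], local[1], tok))
        elif local[i] == C:                     # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            local[i] = N
            for new_tok in (1, 2):
                out.append((local[0], local[1], new_tok))
    return out


def swap(state):
    """The symmetry: exchange the two processes and rename the token accordingly."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def representative(state):
    """Canonical element of the class {state, swap(state)}: the one holding tok == 1."""
    return state if state[2] == 1 else swap(state)


def explore(canon=lambda s: s):
    """Reachable states, with every generated state replaced by canon(state)."""
    init = canon(INIT)
    seen, work = {init}, [init]
    while work:
        for t in successors(work.pop()):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def mutual_exclusion(states):
    return not any(s[0] == C and s[1] == C for s in states)


def symmetry_is_respected():
    """swap must be an automorphism of the state graph: swapping then stepping gives
    the same states as stepping then swapping. This is what makes the reduction sound."""
    return all(set(successors(swap(s))) == {swap(t) for t in successors(s)}
               for s in explore())


if __name__ == "__main__":
    print(len(explore()), len(explore(representative)))   # 12 6
    print(sorted(explore(representative)))
```

`symmetry_is_respected` is the check a tool performs (or proves once from the model's syntax) before trusting the reduction; if the processes were not truly interchangeable, for example because one of them had a special role, collapsing their states would hide behaviour.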

                                        Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                                        PAT Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra models.

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model checkers
  – Explicit model checker
  – Bounded model checker

• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                        PAT Workflow Diagram

                                        Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.

• Verification results shown on the slide:
  – deadlock-freeness: FALSE
  – non-starvation: FALSE

                                        Specifying Fairness

• Let e be an event/action.

• A weak-fair event is written as wf(e): if e is continuously enabled from some point on, it eventually occurs.
• A strong-fair event is written as sf(e): if e is enabled infinitely often, it occurs infinitely often.

                                        Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states      time       memory       states      time       memory
  Migratory Protocol (2)  155040      108.63s    56.3 MB      435456      2.34s      42.8 MB
  Stable Marriage (2)     710         0.84s      7.3 MB       568         <0.01s     1.5 MB
  Stable Marriage (3)     1275        2.72s      10.4 MB      945         <0.01s     1.5 MB
  Stable Marriage (5)     10351       31.56s     30.0 MB      8421        0.03s      2.1 MB
  Best (7)                15          0.06s      0.7 MB       2187        0.03s      1.5 MB
  Best (20)               41          0.34s      5.7 MB       n/a
  Worst (3)               15          0.04s      0.3 MB       15          <0.01s     1.5 MB
  Worst (20)              2097150     0.36s      5.0 MB       2097150     15.03s     110.6 MB
  Worst (100)             2.54E+30    14.34s     14.6 MB      n/a

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best / Worst.

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

       NuSMV                                SPIN
  n    states     time       memory         states     time       memory
  2    70         0.11s      1.1 MB         70         <0.01s     1.5 MB
  3    488        0.57s      4.6 MB         488        <0.01s     1.5 MB
  4    3576       6.77s      10.6 MB        3576       0.10s      2.3 MB
  8    n/a                                  n/a

With partial order reduction (PO):

       NuSMV-ImProviso                      SPIN
  n    states     time       memory         states     time       memory
  2    48         0.10s      1.0 MB         48         0.02s      1.5 MB
  3    209        0.31s      3.0 MB         209        <0.01s     1.5 MB
  4    922        1.77s      10.4 MB        922        <0.01s     1.7 MB
  8    306903     3553.86s   381.8 MB       306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela.
• Same reduction.
• SPIN faster until…

                                        Comparison PAT SPIN and FDR

                                        Comparison Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                                        Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

                                        Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

                                        Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness together with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                        • Model Checking and Related Techniques
                                        • Outline
                                        • Model Checking Introduction
                                        • Model Checking
                                        • Model of Concurrent Systems
                                        • Model of Concurrent Systems (Cont)
                                        • Temporal logics
                                        • Temporal logics (2)
                                        • CTL Examples
                                        • Fixpoint Algorithms
                                        • Model Checking Problem
                                        • Symbolic Model Checking
                                        • Symbolic Model Checking with BDDs
                                        • Ordered Binary Decision Trees and Diagrams
                                        • OBDD for Comparator Example
                                        • Variable Ordering Problem
                                        • Symbolic Model Checking Algorithm
                                        • Symbolic Model Checking (cont)
                                        • Symbolic Model Checking (cont) (2)
                                        • Problems with BDDs
                                        • Advantages of SAT Procedures
                                        • Bounded Model Checking
                                        • Main Advantages of SAT Approach
                                        • NuSMV A New Symbolic Model Verifier
                                        • NuSMV language by examples
                                        • Explicit Model Checking
                                        • Buumlchi Automata
                                        • Example
                                        • LTL and Buumlchi Automata
                                        • LTL Model Checking
                                        • Nested Depth First Search
                                        • Example (2)
                                        • Example (3)
                                        • Nested Depth First Search (2)
                                        • Nested Depth First Search (3)
                                        • Explicit Model Checking (2)
                                        • SPIN
                                        • SPIN Example of Petersonrsquos Algorithm
                                        • Outline (2)
                                        • Partial Order Reduction
                                        • The State Explosion Problem
                                        • Partial Order Reduction (2)
                                        • Partial Order Reduction (Cont)
                                        • Partial Order Reduction (Cont) (2)
                                        • Compositional Reasoning
                                        • Abstraction
                                        • Cone of Influence Reduction
                                        • Cone of Influence Reduction (2)
                                        • Data Abstraction
                                        • Data Abstraction Example
                                        • Symmetry
                                        • Model Written in SPIN
                                        • Symmetry Reduction Example
                                        • Outline (3)
                                        • PAT Process Analysis Toolkit
                                        • PAT Workflow Diagram
                                        • Fairness Assumptions
                                        • Specifying Fairness
                                        • Outline (4)
                                        • Comparison NuSMV-ImProviso and SPIN
                                        • Comparison Leader Election Protocol
                                        • Comparison PAT SPIN and FDR
                                        • Comparison Conclusion
                                        • Outline (5)
                                        • Conclusion
                                        • Model Checking Distributed Algorithms
                                        • Model Checking Distributed Algorithms (2)

Advantages of SAT Procedures

• SAT procedures also operate on Boolean expressions, but do not use canonical forms
• They do not suffer from the potential space explosion of BDDs
• They can handle functions with a very large number of variables
• Very efficient implementations are available

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs
• We construct a Boolean formula that is satisfiable iff there is a finite path of length k in the underlying machine that violates the property, i.e. a counterexample of length k
• We look for longer and longer paths by incrementing the bound k
• After some number of iterations we may conclude that no such path exists and the specification holds; this requires a completeness threshold, a bound beyond which longer paths cannot add new behaviour
• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine (the longest shortest path between reachable states)
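The unrolling described above, as an added worked example that is not code from the slides: a hypothetical three-bit door-lock controller (constructed here) whose authentication timeout fails open, a blocking-clause encoding of I, T and ¬P over the unrolled copies of the state bits, and a minimal DPLL solver standing in for a real SAT engine. It reports the length k of the shortest counterexample and the trace; with the defect switched off it finds none up to a bound past the machine's reachability diameter. All names (var, forbid, unroll, dpll, bmc, lock_*) are this example's own.

```python
"""Bounded model checking of a small finite-state machine with a hand-rolled SAT solver.
Added example: the door-lock controller, its safety property and the DPLL solver
are constructions for illustration, not code from the slides."""
from functools import partial
from itertools import product


def var(step, bit, nbits):
    """DIMACS-style variable number for state bit `bit` at unrolling step `step`."""
    return step * nbits + bit + 1


def forbid(step, bits, nbits):
    """Clause falsified exactly by the concrete assignment `bits` of the state at `step`."""
    return [-var(step, j, nbits) if v else var(step, j, nbits) for j, v in enumerate(bits)]


def unroll(init, trans, bad, nbits, k):
    """CNF for I(s0) & T(s0,s1) & ... & T(s_{k-1},s_k) & Bad(s_k): satisfiable iff a k-step
    counterexample exists. Relations are encoded by blocking every pair they exclude,
    which is exact (if naive) for a machine this small."""
    states = list(product((False, True), repeat=nbits))
    clauses = [forbid(0, s, nbits) for s in states if not init(s)]
    for i in range(k):
        for s, t in product(states, states):
            if not trans(s, t):
                clauses.append(forbid(i, s, nbits) + forbid(i + 1, t, nbits))
    clauses += [forbid(k, s, nbits) for s in states if not bad(s)]
    return clauses


def dpll(clauses, assign):
    """Minimal DPLL: unit propagation plus chronological backtracking. Returns a model or None."""
    assign = dict(assign)
    while True:                                   # unit propagation to a fixpoint
        unit = None
        for clause in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in clause):
                continue                          # clause already satisfied
            free = [l for l in clause if abs(l) not in assign]
            if not free:
                return None                       # conflict: every literal is false
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
    free_vars = {abs(l) for c in clauses for l in c} - assign.keys()
    if not free_vars:
        return assign
    v = min(free_vars)                            # default splitting heuristic: lowest index first
    for value in (True, False):
        model = dpll(clauses, {**assign, v: value})
        if model is not None:
            return model
    return None


def bmc(init, trans, bad, nbits, max_k):
    """Search for counterexamples of increasing length; the first hit is a shortest one.
    For a safety property a None result is a proof only if max_k is at least the
    reachability diameter of the machine (the completeness threshold)."""
    for k in range(max_k + 1):
        model = dpll(unroll(init, trans, bad, nbits, k), {})
        if model is not None:
            trace = [tuple(model.get(var(i, j, nbits), False) for j in range(nbits))
                     for i in range(k + 1)]
            return k, trace
    return None


# Hypothetical door-lock controller (constructed for this example).
# State bits: (pending, unlocked, authed); "locked" means neither pending nor unlocked.
LOCKED, PENDING = (False, False, False), (True, False, False)
UNLOCKED_OK, UNLOCKED_NO_AUTH = (False, True, True), (False, True, False)


def lock_init(s):
    return s == LOCKED


def lock_trans(s, t, buggy):
    pending, unlocked, _ = s
    if (pending and unlocked) or (t[0] and t[1]):
        return False                              # pending and unlocked are mutually exclusive
    if not pending and not unlocked:
        return t == PENDING                       # locked: a credential is presented
    if pending:
        decided = t in (UNLOCKED_OK, LOCKED)      # credential accepted or rejected
        timeout = t == UNLOCKED_NO_AUTH           # defect: the auth timeout fails open
        return decided or (buggy and timeout)
    return t == LOCKED                            # unlocked: relock, authentication dropped


def lock_bad(s):
    _, unlocked, authed = s
    return unlocked and not authed                # violation: open without authentication


def find_counterexample(buggy):
    # The reachable part of this controller has diameter 2, so max_k=3 is past the threshold.
    return bmc(lock_init, partial(lock_trans, buggy=buggy), lock_bad, 3, max_k=3)


if __name__ == "__main__":
    print("buggy controller:", find_counterexample(True))
    print("fixed controller:", find_counterexample(False))
```

The buggy controller yields k = 2 with the trace locked → pending → unlocked-without-auth, the minimal-length counterexample the slides promise; a production BMC would hand the same unrolled CNF to a real solver instead of the toy DPLL, and would compute or bound the completeness threshold rather than take it as a parameter.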

Main Advantages of the SAT Approach

• Bounded model checking works quickly, due to the depth-first nature of SAT search procedures
• It finds finite paths of minimal length, which helps the user understand the counterexample
• It uses much less space than BDD-based approaches
• It needs no manually selected variable order and no costly reordering; the default splitting heuristics are usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems are described in a specialized language
• Specifications are expressible in CTL and LTL
• Provides both BDD-based and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

                                          NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• Let L(M) be the set of traces of M and L(φ) the set of traces that satisfy φ
  – M satisfies φ iff L(M) ⊆ L(φ)
  – Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(The automaton is drawn on the slide; it has states S0, S1, S2, and the verdicts below are consistent with S2 being the only accepting state.)
• σ1 = S0 S1 S2 S2 S2 S2 …  ACCEPTED
• σ2 = S0 S1 S2 S1 S2 S1 …  ACCEPTED
• σ3 = S0 S1 S2 S1 S1 S1 …  REJECTED

LTL and Büchi Automata

• An LTL formula represents the set of infinite traces which satisfy it
• A Büchi automaton accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ for the negation of φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ, i.e. L(M) ∩ L(¬φ)
  – If the product accepts any sequence, we have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton; how do we find accepted sequences?
  – Accepted sequences must contain a cycle, in order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example

(Two figure-only slides illustrating the search; the figures are not reproduced here.)

Nested Depth First Search (pseudocode as on the slides)

  procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
      if s' ∉ visited then
        DFS(s')
        if s' is accepting then DFS2(s', s') end if
      end if
    end for
  end procedure

  procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
      if s' = seed then return "Cycle Detected" end if
      if s' ∉ visited2 then DFS2(s', seed) end if
    end for
  end procedure

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly
  – Some states are never generated in the product
  – A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process-algebra style modeling language (Promela)
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Can use a hash function to store each visited state in only 2 bits (bitstate hashing); hash collisions can make the search skip states, so a "no error" verdict in that mode is not guaranteed to be sound
• Partial order reduction

SPIN Example of Peterson's Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);   /* wait: other is outside, or has set turn */
      ncrit++;
  ss:
      assert(ncrit == 1);                    /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);
      ncrit++;
      assert(ncrit == 1);                    /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification for such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the environment of the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (sub-process₁ || sub-process₂ || …)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage: loss of precision (false positives/negatives)
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (V together with every variable whose value can, directly or transitively, affect a variable in V), then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the model M reduced with respect to C

Cone of Influence Reduction

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A simple LTL property: F(~v1), i.e. v1 will eventually become False

The property refers only to v1; its cone of influence is {v1, v2, v3} (v4, v5 and v6 are read by nothing in the cone), so the reduced model is:

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
  End
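The cone-of-influence computation for the system above, as an added example that is not code from the slides: the transitive closure of the "reads" relation from {v1}, the reduced model it yields, a check that the full model's runs projected onto the cone are exactly the reduced model's runs, and a check of F(~v1) on both models, which fails in both from the initial state where v1, v2 and v3 are all True. It assumes every assignment of the variables is a possible initial state and that the unassigned input v6 holds its value; both assumptions, and the helper names, are this example's own.

```python
"""Cone-of-influence reduction for the synchronous system on the slide.
Added example, not code from the slides: the next-state functions transcribe the
slide's model; the exploration code and the assumptions that every assignment is
a possible initial state and that the unassigned input v6 holds its value are ours."""
from itertools import product

VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]
# Synchronous updates of the slide's model; v6 is never assigned (a free input).
FULL = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
}
# Which variables each update reads (kept explicit here rather than parsed from the expressions).
READS = {"v1": {"v2"}, "v2": {"v1", "v3"}, "v3": {"v1", "v2"},
         "v4": {"v5", "v3"}, "v5": {"v4", "v6"}, "v6": set()}


def cone_of_influence(reads, targets):
    """Smallest set containing `targets` and closed under 'is read by the update of'."""
    cone, todo = set(), list(targets)
    while todo:
        v = todo.pop()
        if v not in cone:
            cone.add(v)
            todo.extend(reads[v])
    return cone


def reduce_model(updates, reads, targets):
    """Keep only the updates of variables in the cone; nothing else can affect the property."""
    cone = cone_of_influence(reads, targets)
    return {v: f for v, f in updates.items() if v in cone}, sorted(cone)


def step(updates, s):
    # Parallel assignment: every update reads the old state; unassigned inputs hold (assumption).
    return {v: (updates[v](s) if v in updates else s[v]) for v in s}


def traces(updates, variables, steps):
    """All length-`steps` runs from every initial assignment, as tuples of state tuples."""
    out = set()
    for init in product((False, True), repeat=len(variables)):
        s, run = dict(zip(variables, init)), []
        for _ in range(steps):
            run.append(tuple(s[v] for v in variables))
            s = step(updates, s)
        out.add(tuple(run))
    return out


def projected_traces_match(steps=4):
    """The full model's runs, projected onto the cone, are exactly the reduced model's runs."""
    reduced, cone = reduce_model(FULL, READS, {"v1"})
    idx = [VARS.index(v) for v in cone]
    projected = {tuple(tuple(st[i] for i in idx) for st in run) for run in traces(FULL, VARS, steps)}
    return projected == traces(reduced, cone, steps)


def violates_eventually_not(updates, variables, var):
    """Counterexample to F(not var): an initial state whose deterministic run revisits a
    state before `var` ever becomes False, so `var` stays True forever."""
    for init in product((False, True), repeat=len(variables)):
        s, seen = dict(zip(variables, init)), set()
        while tuple(s.values()) not in seen:
            if not s[var]:
                break
            seen.add(tuple(s.values()))
            s = step(updates, s)
        else:
            return init
    return None


if __name__ == "__main__":
    reduced, cone = reduce_model(FULL, READS, {"v1"})
    print("cone of influence of {v1}:", cone)
    print("projected runs agree:", projected_traces_match())
    print("F(~v1) counterexample, full model:", violates_eventually_not(FULL, VARS, "v1"))
    print("F(~v1) counterexample, reduced model:", violates_eventually_not(reduced, cone, "v1"))
```

The reduced model has 8 states instead of 64, and the F(~v1) verdict is the same on both, as the reduction theorem on the previous slide guarantees; the projection check is the concrete form of "the reduced model has exactly the cone's behaviour".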

Data Abstraction

(Figure: an abstraction function h: S → S' maps each concrete state in S to an abstract state in S'.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are the components
  – x: int, abstracted to {Even, Odd}
    Even = {…, -2, 0, 2, 4, …}
    Odd = {…, -3, -1, 1, 3, …}
  – y: int, abstracted to {Neg, Zero, Pos}
    Neg = {…, -3, -2, -1}
    Zero = {0}
    Pos = {1, 2, 3, …}

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting and exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };
  byte tok = 1;

  active [2] proctype user()
  {
      mtype state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; the graph numbers the processes 1 and 2 */
      :: (state == C) -> state = N;
         if                                              /* the token is handed to process 1 or 2, nondeterministically */
         :: tok = 1
         :: tok = 2
         fi
      od
  }

Symmetry Reduction Example

State graph (12 states):
  N1 N2 tok=1, N1 N2 tok=2,
  N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2,
  T1 T2 tok=1, T1 T2 tok=2,
  C1 N2 tok=1, N1 C2 tok=2,
  C1 T2 tok=1, T1 C2 tok=2

Reduced state graph (6 states, one representative per orbit of the symmetry that swaps the two processes and hence exchanges tok=1 with tok=2):
  N1 N2 tok=1,
  N1 T2 tok=1, T1 N2 tok=1,
  T1 T2 tok=1,
  C1 N2 tok=1,
  C1 T2 tok=1
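The nested depth first search and the symmetry reduction of the preceding slides, applied to the token mutex model above, as an added example that is not code from the slides or from SPIN. The Python encoding of the Promela model, the two hand-built Büchi automata for the negated properties and all helper names are this example's constructions. Exploring the model with and without the canonicalisation that swaps the two processes (and the token owner) reproduces the 12-state and 6-state graphs above; the product with B¬φ followed by nested DFS shows mutual exclusion holding, while process 1 can starve because the other process may keep re-taking the token.

```python
"""Explicit-state checking of the two-process token mutex from the slides.
Added example, not code from the slides or from SPIN: the Python encoding of the
Promela model, the Buchi automata for the negated properties and the helper names
are this example's own."""

N, T, C = "N", "T", "C"
INIT = (N, N, 1)                      # (state of process 1, state of process 2, tok)


def _with(s, i, st, tok):
    p = [s[0], s[1]]
    p[i] = st
    return (p[0], p[1], tok)


def successors(s):
    """Interleaving semantics of the Promela model: exactly one process moves per step."""
    for i, st in enumerate(s[:2]):
        if st == N:
            yield _with(s, i, T, s[2])
        elif st == T and s[2] == i + 1:           # the graph numbers the processes 1 and 2
            yield _with(s, i, C, s[2])
        elif st == C:                             # leaving C hands the token to 1 or 2
            for tok in (1, 2):
                yield _with(s, i, N, tok)


def reachable(canon=lambda s: s):
    """Explicit exploration; `canon` maps each state to the representative of its orbit."""
    seen, todo = {canon(INIT)}, [canon(INIT)]
    while todo:
        for t in map(canon, successors(todo.pop())):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def swap(s):
    """The symmetry: exchange the two processes, hence also the token owner."""
    return (s[1], s[0], 3 - s[2])


def canonical(s):
    return min(s, swap(s))


def state_counts():
    """(states in the full graph, states in the symmetry-reduced graph)."""
    return len(reachable()), len(reachable(canonical))


def nested_dfs(init_states, succ, accepting):
    """Nested DFS: the outer search starts an inner search from each accepting state in
    post-order; the inner search reports a cycle when it reaches its seed again."""
    visited, visited2 = set(), set()

    def dfs2(s, seed, path):
        visited2.add(s)
        for t in succ(s):
            if t == seed:
                return path + [t]
            if t not in visited2:
                cyc = dfs2(t, seed, path + [t])
                if cyc is not None:
                    return cyc
        return None

    def dfs(s, path):
        visited.add(s)
        for t in succ(s):
            if t not in visited:
                r = dfs(t, path + [t])
                if r is not None:
                    return r
        if accepting(s):
            cyc = dfs2(s, s, [])
            if cyc is not None:
                return path, cyc                  # lasso: prefix ending in s, cycle back to s
        return None

    for s0 in init_states:
        if s0 not in visited:
            r = dfs(s0, [s0])
            if r is not None:
                return r
    return None


# Buchi automata for the NEGATED properties: (initial, accepting set, [(q, guard on model state, q')]).
BOTH_IN_C = ("q0", {"q1"}, [("q0", lambda s: True, "q0"),           # not G(not(C1 and C2))
                            ("q0", lambda s: s[0] == C and s[1] == C, "q1"),
                            ("q1", lambda s: True, "q1")])
STARVES_1 = ("q0", {"q1"}, [("q0", lambda s: True, "q0"),           # not G(T1 -> F C1) = F(T1 and G not C1)
                            ("q0", lambda s: s[0] == T, "q1"),
                            ("q1", lambda s: s[0] != C, "q1")])


def check(buchi):
    """LTL model checking as on the slides: product of the model with B(not phi), then nested DFS.
    Returns (prefix, cycle) over product states (model state, automaton state), or None."""
    q0, accepting, delta = buchi
    step = lambda q, s: [q2 for (q1, g, q2) in delta if q1 == q and g(s)]
    init = [(INIT, q) for q in step(q0, INIT)]
    succ = lambda ps: [(t, q2) for t in successors(ps[0]) for q2 in step(ps[1], t)]
    return nested_dfs(init, succ, lambda ps: ps[1] in accepting)


if __name__ == "__main__":
    print("full / reduced state counts:", state_counts())
    print("mutual exclusion counterexample:", check(BOTH_IN_C))
    print("process 1 starvation counterexample:", check(STARVES_1))
```

The starvation lasso is the run in which process 2 repeatedly chooses tok = 2 on leaving C; under a fairness assumption on that choice the cycle would be excluded, which is exactly the kind of constraint the later PAT slides attach with wf(e) and sf(e).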

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                          PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• Verdicts shown on the slide for its example: deadlock-freeness FALSE, non-starvation FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e): if e is continuously enabled, it is eventually executed
• A strong fair event is written as sf(e): if e is enabled infinitely often, it is executed infinitely often

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states     time      memory        states     time      memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB        568        <0.01s    1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
  Best (7)                15         0.06s     0.7 MB        2187       0.03s     1.5 MB
  Best (20)               41         0.34s     5.7 MB        N/A
  Worst (3)               15         0.04s     0.3 MB        15         <0.01s    1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB       N/A

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO): NuSMV vs SPIN

  N    states    time     memory      states    time     memory
  2    70        0.11s    1.1 MB      70        <0.01s   1.5 MB
  3    488       0.57s    4.6 MB      488       <0.01s   1.5 MB
  4    3576      6.77s    10.6 MB     3576      0.10s    2.3 MB
  8    N/A                            N/A

With partial order reduction (PO): NuSMV-ImProviso vs SPIN

  N    states    time       memory     states    time     memory
  2    48        0.10s      1.0 MB     48        0.02s    1.5 MB
  3    209       0.31s      3.0 MB     209       <0.01s   1.5 MB
  4    922       1.77s      10.4 MB    922       <0.01s   1.7 MB
  8    306903    3553.86s   381.8 MB   306903    11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                          Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN or PAT (PAT has better support for fairness combined with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry

                                          • Model Checking and Related Techniques
                                          • Outline
                                          • Model Checking Introduction
                                          • Model Checking
                                          • Model of Concurrent Systems
                                          • Model of Concurrent Systems (Cont)
                                          • Temporal logics
                                          • Temporal logics (2)
                                          • CTL Examples
                                          • Fixpoint Algorithms
                                          • Model Checking Problem
                                          • Symbolic Model Checking
                                          • Symbolic Model Checking with BDDs
                                          • Ordered Binary Decision Trees and Diagrams
                                          • OBDD for Comparator Example
                                          • Variable Ordering Problem
                                          • Symbolic Model Checking Algorithm
                                          • Symbolic Model Checking (cont)
                                          • Symbolic Model Checking (cont) (2)
                                          • Problems with BDDs
                                          • Advantages of SAT Procedures
                                          • Bounded Model Checking
                                          • Main Advantages of SAT Approach
                                          • NuSMV A New Symbolic Model Verifier
                                          • NuSMV language by examples
                                          • Explicit Model Checking
                                          • Buumlchi Automata
                                          • Example
                                          • LTL and Buumlchi Automata
                                          • LTL Model Checking
                                          • Nested Depth First Search
                                          • Example (2)
                                          • Example (3)
                                          • Nested Depth First Search (2)
                                          • Nested Depth First Search (3)
                                          • Explicit Model Checking (2)
                                          • SPIN
                                          • SPIN Example of Petersonrsquos Algorithm
                                          • Outline (2)
                                          • Partial Order Reduction
                                          • The State Explosion Problem
                                          • Partial Order Reduction (2)
                                          • Partial Order Reduction (Cont)
                                          • Partial Order Reduction (Cont) (2)
                                          • Compositional Reasoning
                                          • Abstraction
                                          • Cone of Influence Reduction
                                          • Cone of Influence Reduction (2)
                                          • Data Abstraction
                                          • Data Abstraction Example
                                          • Symmetry
                                          • Model Written in SPIN
                                          • Symmetry Reduction Example
                                          • Outline (3)
                                          • PAT Process Analysis Toolkit
                                          • PAT Workflow Diagram
                                          • Fairness Assumptions
                                          • Specifying Fairness
                                          • Outline (4)
                                          • Comparison NuSMV-ImProviso and SPIN
                                          • Comparison Leader Election Protocol
                                          • Comparison PAT SPIN and FDR
                                          • Comparison Conclusion
                                          • Outline (5)
                                          • Conclusion
                                          • Model Checking Distributed Algorithms
                                          • Model Checking Distributed Algorithms (2)

Bounded Model Checking

• Bounded model checking uses a SAT procedure instead of BDDs.

• We construct a Boolean formula that is satisfiable iff there is a specific finite path of length k in the underlying machine.

• We look for longer and longer paths by incrementing the bound k.

• After some number of iterations we may conclude that no such path exists and the specification holds.

• For example, to verify safety properties the number of iterations is bounded by the diameter of the finite state machine.

Main Advantages of SAT Approach

• Bounded model checking works quickly. This is due to the depth-first nature of SAT search procedures.

• It finds finite paths of minimal length. This helps the user understand the counterexample more easily.

• It uses much less space than BDD-based approaches.

• Does not need a manually selected variable order or costly reordering. Default splitting heuristics are usually sufficient.

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD- and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

                                            NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula
  – All traces of M must satisfy the formula
  – If a trace of M does not satisfy the formula
• Counterexample
  – M is the set of traces of M
  – (the formula) is the set of traces that satisfy it
• M
• Equivalently M ¬ =

Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple (S, I, a transition relation, F)
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – the transition relation is a subset of S × S
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

(Figure: automaton over states S0, S1, S2; the accepting state is marked in the slide.)

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy the formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula
  – Build the Büchi automaton B¬ of the negated formula
  – Compute the product of M and B¬
    • Each state of M is labeled with propositions
    • Each state of B¬ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬ (M ¬)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

                                            Example

                                            Example

Nested Depth First Search

    procedure DFS(s)
        visited := visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

    procedure DFS2(s, seed)
        visited2 := visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
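The Büchi example and the nested depth-first search above, worked in code. This is an added example, not code from the slides: the three-state automaton is constructed from the slide's traces (S0→S1, S1→S1|S2, S2→S2|S1), and its accepting set F = {S2} is an assumption chosen so that the ACCEPTED/REJECTED verdicts come out as on the slide. Lasso-shaped runs are written as a finite prefix followed by a loop that repeats forever.

```python
# Added example (not the slides' code): Büchi acceptance of lasso-shaped runs
# and nested depth-first search for an accepting cycle, as used on the
# product M x B_not_phi in LTL model checking.

def accepts_lasso(prefix, loop, accepting):
    """A Büchi automaton accepts the run prefix.loop^omega iff some state of
    the loop is accepting (that state is then visited infinitely often)."""
    return any(s in accepting for s in loop)


def nested_dfs(init, succ, accepting):
    """Return (prefix, cycle) of an accepted run, or None if there is none.

    prefix leads from init to the state before the cycle; cycle starts and
    ends at the same accepting state.  Follows the slides' scheme: DFS2 is
    seeded at an accepting state s' once DFS(s') has finished (postorder);
    visited2 is shared between all DFS2 runs, so every state is expanded at
    most twice overall (linear in the size of the automaton).
    """
    visited, visited2 = set(), set()
    stack = []                         # states on the current DFS path

    def dfs2(s, seed, path):
        visited2.add(s)
        for t in succ(s):
            if t == seed:              # back at the seed: accepting cycle
                return path + [t]
            if t not in visited2:
                found = dfs2(t, seed, path + [t])
                if found:
                    return found
        return None

    def dfs(s):
        visited.add(s)
        stack.append(s)
        for t in succ(s):
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
                if t in accepting:     # DFS(t) is complete at this point
                    cycle = dfs2(t, t, [t])
                    if cycle:
                        return list(stack), cycle
        stack.pop()
        return None

    found = dfs(init)
    if found is None and init in accepting:
        # The slides seed DFS2 only from successors; the initial state itself
        # may be the accepting state on a cycle (added completion).
        cycle = dfs2(init, init, [init])
        if cycle:
            return [], cycle
    return found


# Constructed automaton matching the slide's example; F = {S2} is assumed.
SLIDE_EDGES = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]}
SLIDE_F = {"S2"}


def run_example():
    """Verdicts for the slide's three traces plus the lasso found by NDFS."""
    traces = {
        1: (["S0", "S1"], ["S2"]),          # S0 S1 S2 S2 S2 ...
        2: (["S0", "S1"], ["S2", "S1"]),    # S0 S1 S2 S1 S2 S1 ...
        3: (["S0", "S1", "S2"], ["S1"]),    # S0 S1 S2 S1 S1 S1 ...
    }
    verdicts = {k: accepts_lasso(p, l, SLIDE_F) for k, (p, l) in traces.items()}
    lasso = nested_dfs("S0", lambda s: SLIDE_EDGES[s], SLIDE_F)
    return verdicts, lasso


if __name__ == "__main__":
    print(run_example())
```

On the product automaton the returned prefix and cycle are the counterexample handed to the user; the cycle is what makes the violation of the LTL property infinite.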

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN: Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until entry is allowed */
        ncrit++;
    ss:
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until entry is allowed */
        ncrit++;
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }


Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions, which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
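The 2^n versus n + 1 claim above, reproduced by a small explorer. This is an added example, not code from the slides or from any tool: the system is constructed (n flags, transition i sets flag i), and the reduction is a deliberately simplified ample set that fires a single transition when it commutes with every other enabled transition at the current state. That check is enough here only because the system is acyclic and the transitions are invisible to the property "eventually all flags are set"; a real partial-order reduction must also establish independence along all futures and handle the cycle condition.

```python
# Added example (not the slides' code): exploring n independent transitions
# with and without a simplified partial-order reduction.  Constructed system:
# n flags, all initially 0; transition i sets flag i to 1.

def apply(s, i):
    """Fire transition i in state s (a tuple of flags)."""
    return s[:i] + (1,) + s[i + 1:]


def enabled(s):
    return [i for i in range(len(s)) if s[i] == 0]


def independent(s, i, j):
    """i and j are independent at s: neither disables the other and they
    commute (firing them in either order reaches the same state)."""
    return (j in enabled(apply(s, i)) and i in enabled(apply(s, j))
            and apply(apply(s, i), j) == apply(apply(s, j), i))


def ample(s):
    """Simplified ample set: one transition that is independent of every other
    enabled transition, else all of them.  Independence is checked only at s
    and the cycle condition of real POR is ignored; sufficient for this
    acyclic system with invisible transitions (assumption)."""
    en = enabled(s)
    for i in en:
        if all(independent(s, i, j) for j in en if j != i):
            return [i]
    return en


def explore(n, reduce):
    """Reachable states: 2^n without reduction (every subset of the
    transitions), n + 1 with it (one representative interleaving)."""
    init = (0,) * n
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for i in (ample(s) if reduce else enabled(s)):
            t = apply(s, i)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(n, len(explore(n, False)), len(explore(n, True)))
```

The property "eventually all flags are set" holds in both graphs: the all-ones state is reachable in the reduced graph too, and no interleaving that was dropped adds a behaviour the property could distinguish.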

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of the composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite-state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A Simple LTL property:

    F (~v1)        v1 will eventually become False

Cone of Influence Reduction (the reduced model):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
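The reduction above, computed rather than read off the slide. This is an added example, not the slides' code: it records which variables each equation of the slide's model reads, computes the cone of influence of the variables in the LTL formula as the closure under "reads", and then checks the "if and only if" claim empirically by comparing the traces of the full and the reduced model projected onto the cone. Two assumptions: v6, which the slide declares but never assigns, is modelled as keeping its value, and traces are compared from every initial state for a fixed number of steps.

```python
# Added example (not the slides' code): cone-of-influence reduction of the
# slide's system model, plus a projected-trace comparison of full vs reduced.

import re
from itertools import product

# Next-state equations of the slide's model.  v6 is declared but never
# assigned, so it is modelled as keeping its value (assumption).
FULL = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
    "v6": lambda s: s["v6"],
}
# The variables each equation reads: the dependency graph of the model.
READS = {
    "v1": {"v2"}, "v2": {"v1", "v3"}, "v3": {"v1", "v2"},
    "v4": {"v5", "v3"}, "v5": {"v4", "v6"}, "v6": {"v6"},
}
TEMPORAL_OPS = {"F", "G", "X", "U", "R", "W"}


def variables_of(ltl):
    """Identifiers of an LTL formula minus the temporal operators,
    e.g. 'F (~ v1)' -> {'v1'}."""
    return set(re.findall(r"[A-Za-z_]\w*", ltl)) - TEMPORAL_OPS


def cone_of_influence(reads, V):
    """Least set of variables containing V and closed under 'reads'."""
    cone, todo = set(), list(V)
    while todo:
        v = todo.pop()
        if v not in cone:
            cone.add(v)
            todo.extend(reads[v])
    return cone


def reduce_model(equations, reads, V):
    """Keep only the equations of variables inside the cone of V."""
    cone = cone_of_influence(reads, V)
    return {v: f for v, f in equations.items() if v in cone}


def run(equations, state, steps):
    """Execute the synchronous model for a number of steps from one state."""
    trace = [dict(state)]
    for _ in range(steps):
        state = {v: int(f(state)) for v, f in equations.items()}
        trace.append(state)
    return trace


def projected_traces(equations, keep, steps=6):
    """Traces from every initial state, projected on the variables in keep."""
    variables = sorted(equations)
    out = set()
    for bits in product((0, 1), repeat=len(variables)):
        trace = run(equations, dict(zip(variables, bits)), steps)
        out.add(tuple(tuple(st[v] for v in keep) for st in trace))
    return out


if __name__ == "__main__":
    V = variables_of("F (~ v1)")
    print("cone of", V, "=", sorted(cone_of_influence(READS, V)))
```

Note that the cone of {v1} is {v1, v2, v3}, because v2 reads v3: the slide's reduced model declares v3 but its listing shows only the first two equations. The reduced model keeps v3's equation as well, and with it the projected traces of full and reduced model coincide, which is what makes the verdict on F (~v1) the same in both.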

Data Abstraction

Abstraction function h: S → S' (figure: the concrete states of S are mapped by h onto the abstract states of S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

(Figure: two integer variables x: int and y: int abstracted as follows)

    Even = {…, -2, 0, 2, 4, …}
    Odd  = {…, -3, -1, 1, 3, …}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
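The component-wise abstraction above applied to a small program, including the loss of precision the Abstraction slide warns about. This is an added example, not the slides' code: the program (x := x + 1; y := y + x) is constructed, x is abstracted by sign and y by parity exactly as in the figure, and the abstract transition relation is obtained by existential abstraction over a finite sample of concrete states (an assumption made so the example runs offline; the real domain is all integers).

```python
# Added example (not the slides' code): component-wise data abstraction and
# existential abstraction of the transition relation.

def sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


def parity(y):
    return "Even" if y % 2 == 0 else "Odd"


def h(state):
    """Abstraction function, applied per variable: h(x, y) = (sign(x), parity(y))."""
    x, y = state
    return (sign(x), parity(y))


def concrete_step(state):
    """Constructed program: x := x + 1; y := y + x (using the old x)."""
    x, y = state
    return (x + 1, y + x)


def abstract_relation(sample):
    """Existential abstraction: abstract a -> b iff some concrete s with
    h(s) = a steps to some s' with h(s') = b (over the sampled states)."""
    return {(h(s), h(concrete_step(s))) for s in sample}


def abstract_successors(rel, a):
    return {b for (a0, b) in rel if a0 == a}


def spurious_neg_loop(rel):
    """True if the abstract model lets sign(x) stay Neg forever.  Concretely
    x := x + 1 reaches 0 from every negative x, so such a loop is a spurious
    counterexample to 'eventually x = 0': the loss of precision in action."""
    return any(a[0] == "Neg" and b[0] == "Neg" for a, b in rel)


# Constructed sample of concrete states; the true domain is all integers.
SAMPLE = [(x, y) for x in range(-4, 5) for y in range(-4, 5)]


if __name__ == "__main__":
    rel = abstract_relation(SAMPLE)
    for a in sorted({a for a, _ in rel}):
        print(a, "->", sorted(abstract_successors(rel, a)))
    print("spurious Neg loop:", spurious_neg_loop(rel))
```

From (Zero, Even) the abstraction is exact: the only successor is (Pos, Even). From (Neg, Even) it is not: y's parity after y := y + x depends on the parity of x, which the sign abstraction has thrown away, so both parities appear, and the Neg self-loop admits an infinite abstract run that no concrete run follows.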

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };     /* added: the local states used below */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C
           /* _pid is 0 or 1 while tok is 1 or 2, so compare with _pid + 1;
              with the slide's "tok == _pid" process 0 could never enter C */
        :: (state == C) -> state = N;
           if
           :: tok == 1 -> tok = 2
           :: else -> tok = 1
           fi
        od
    }

Symmetry Reduction Example

State graph (12 states; transitions are drawn as arrows in the slide figure):

    N1 N2 tok=1      N1 N2 tok=2
    N1 T2 tok=1      T1 N2 tok=2
    T1 N2 tok=1      N1 T2 tok=2
    T1 T2 tok=1      T1 T2 tok=2
    C1 N2 tok=1      N1 C2 tok=2
    C1 T2 tok=1      T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
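The two state graphs above, generated from the token model and reduced by symmetry. This is an added example, not the slides' or SPIN's code: the model is re-expressed in Python (process i moves N → T, T → C when tok == i, and C → N while passing the token), the symmetry is the permutation that swaps the two processes and renames the token, and the representative of each equivalence class is the member with tok=1, which is the convention the slide's reduced graph uses. Mutual exclusion is then checked on the representatives only.

```python
# Added example (not the slides' code): full and symmetry-reduced state graph
# of the two-process token model, and a property checked on representatives.

INIT = (("N", "N"), 1)       # (local state of process 1, of process 2), token


def successors(state):
    locs, tok = state
    out = []
    for i, loc in enumerate(locs):
        pid = i + 1
        if loc == "N":
            nxt, ntok = "T", tok
        elif loc == "T" and tok == pid:
            nxt, ntok = "C", tok
        elif loc == "C":
            nxt, ntok = "N", 2 if tok == 1 else 1
        else:
            continue
        out.append((locs[:i] + (nxt,) + locs[i + 1:], ntok))
    return out


def swap(state):
    """The symmetry: swap the processes and rename the token accordingly."""
    (a, b), tok = state
    return ((b, a), 2 if tok == 1 else 1)


def canonical(state):
    """Representative of the equivalence class: the member holding tok=1
    (exactly one of state and swap(state) does)."""
    return state if state[1] == 1 else swap(state)


def explore(init, canon=lambda s: s):
    """Reachable states and edges; canon maps each state to its representative."""
    start = canon(init)
    seen, todo, edges = {start}, [start], set()
    while todo:
        s = todo.pop()
        for t in successors(s):
            t = canon(t)
            edges.add((s, t))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen, edges


def mutual_exclusion(states):
    """At most one process in the critical section in every state."""
    return all(locs.count("C") <= 1 for locs, _ in states)


def fmt(state):
    (a, b), tok = state
    return f"{a}1 {b}2 tok={tok}"


if __name__ == "__main__":
    full, _ = explore(INIT)
    reduced, _ = explore(INIT, canonical)
    print(len(full), "states;", len(reduced), "representatives")
    print(sorted(map(fmt, reduced)))
```

Because the symmetry maps transitions to transitions, a property that is itself symmetric (mutual exclusion does not care which process is in C) holds in the full graph exactly when it holds on the representatives, which is what lets the search visit 6 states instead of 12.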


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

                                            PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
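What wf(e) and sf(e) mean for a concrete counterexample, as an added example (not PAT's code): a lasso-shaped run is represented by its loop, each step of which records, for every event, whether the event was enabled and whether it occurred. Weak fairness rejects a run in which e is enabled at every step of the loop but never taken; strong fairness also rejects a run in which e is enabled only now and then yet never taken. The runs are constructed, and the loop alone is examined because fairness constrains only the infinite tail of a run.

```python
# Added example (not PAT's code): weak and strong fairness on lasso runs, and
# using them to filter candidate counterexamples.  A step is a constructed
# dict event -> (enabled, occurred); the loop is repeated forever.

def occurs_in_loop(loop, e):
    return any(step[e][1] for step in loop)


def weakly_fair(loop, e):
    """wf(e): if e is continuously enabled from some point on (on a lasso: at
    every step of the loop), then e occurs infinitely often (in the loop)."""
    continuously_enabled = all(step[e][0] for step in loop)
    return (not continuously_enabled) or occurs_in_loop(loop, e)


def strongly_fair(loop, e):
    """sf(e): if e is enabled infinitely often (at some step of the loop),
    then e occurs infinitely often."""
    enabled_infinitely_often = any(step[e][0] for step in loop)
    return (not enabled_infinitely_often) or occurs_in_loop(loop, e)


def admissible(loop, assumptions):
    """A lasso counts as a counterexample only if it satisfies every fairness
    assumption; assumptions maps event -> 'wf' or 'sf'.  With no assumptions
    every lasso is admissible, which is why non-starvation fails outright."""
    checks = {"wf": weakly_fair, "sf": strongly_fair}
    return all(checks[kind](loop, e) for e, kind in assumptions.items())


# Constructed runs of two processes a and b competing for a resource.
# b starves: it is enabled at every step but never scheduled.
STARVE = [{"a": (True, True), "b": (True, False)}] * 2
# b is enabled only every other step and still never scheduled.
ALTERNATE = [{"a": (True, True), "b": (True, False)},
             {"a": (True, True), "b": (False, False)}]


if __name__ == "__main__":
    for name, loop in (("STARVE", STARVE), ("ALTERNATE", ALTERNATE)):
        print(name, "wf(b):", weakly_fair(loop, "b"),
              "sf(b):", strongly_fair(loop, "b"))
```

The ALTERNATE run shows why the two notions differ in practice: under wf(b) it is still a valid starvation counterexample, because b was never continuously enabled; only sf(b) rules it out.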


Comparison: NuSMV-ImProviso and SPIN

(Figures as extracted from the slide; the decimal separators of the time and memory columns did not survive extraction.)

                          NuSMV-ImProviso                 SPIN
Example                   states    time     memory       states    time     memory
Migratory Protocol (2)    155040    10863s   563 MB       435456    234s     428 MB
Stable Marriage (2)       710       084s     73 MB        568       <001s    15 MB
Stable Marriage (3)       1275      272s     104 MB       945       <001s    15 MB
Stable Marriage (5)       10351     3156s    300 MB       8421      003s     21 MB
Best (7)                  15        006s     07 MB        2187      003s     15 MB
Best (20)                 41        034s     57 MB        N/A¹
Worst (3)                 15        004s     03 MB        15        <001s    15 MB
Worst (20)                2097150   036s     50 MB        2097150   1503s    1106 MB
Worst (100)               254E+30   1434s    146 MB       N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

        NuSMV                          SPIN
  n     states    time     memory      states    time     memory
  2     70        011s     11 MB       70        <001s    15 MB
  3     488       057s     46 MB       488       <001s    15 MB
  4     3576      677s     106 MB      3576      010s     23 MB
  8     N/A¹                           N/A¹

PO (with partial order reduction)

        NuSMV-ImProviso                SPIN
  n     states    time     memory      states    time     memory
  2     48        010s     10 MB       48        002s     15 MB
  3     209       031s     30 MB       209       <001s    15 MB
  4     922       177s     104 MB      922       <001s    17 MB
  8     306903    355386s  3818 MB     306903    1182s    2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                            Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


                                              Main Advantages of SAT Approach

                                              bull Bounded model checking works quickly This is due to depth first nature of SAT search procedures

                                              bull It finds finite paths of minimal length This helps user understand the example more easily

                                              bull It uses much less space than BDD based approaches

                                              bull Does not need manually selected variable order or costly reordering Default splitting heuristics usually sufficient

NuSMV: A New Symbolic Model Verifier

• Finite-state systems described in a specialized language
• Specifications expressible in CTL and LTL
• Provides both BDD-based and SAT-based model checking
• Allows user-specified variable ordering
• Uses a number of heuristics for achieving efficiency and controlling state explosion

                                              NuSMV language by examples

Explicit Model Checking

• Given a model M and an LTL formula φ
  – All traces of M must satisfy φ
  – If a trace of M does not satisfy φ, that trace is a counterexample
• Counterexample
  – L(M) is the set of traces of M
  – L(φ) is the set of traces that satisfy φ
• M satisfies φ iff L(M) ⊆ L(φ)
• Equivalently, L(M) ∩ L(¬φ) = ∅

Büchi Automata

• An automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, →, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – → ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: a Büchi automaton with states S0, S1, S2]

Trace 1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3 = S0 S1 S2 S1 S1 S1 …   REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents the set of infinite traces which satisfy the formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (L(M) ∩ L(¬φ))
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth-first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

                                              Example

                                              Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
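The product construction from the LTL Model Checking slide and the DFS/DFS2 pair above, written out as an added Python example (not code from the slides or from SPIN). The request/grant model, the automaton for the negated property and every name below are my own constructions.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Added example, not code from the slides: product of a Kripke structure with
# the Büchi automaton of the negated property, searched with nested DFS.

MState = str
BState = str
PState = Tuple[MState, BState]

# Kripke structure M: state -> (propositions true in the state, successors).
# Constructed sample: a request/grant controller. The self-loop on s1 models a
# request that may stay pending forever.
KRIPKE: Dict[MState, Tuple[FrozenSet[str], List[MState]]] = {
    "s0": (frozenset(), ["s1"]),
    "s1": (frozenset({"req"}), ["s1", "s2"]),
    "s2": (frozenset({"req", "grant"}), ["s0"]),
}

# Same model without the pending-request loop: every request is granted.
KRIPKE_FAIR = dict(KRIPKE)
KRIPKE_FAIR["s1"] = (frozenset({"req"}), ["s2"])

# Büchi automaton for the negated property.
# Property: G(req -> F grant).   Negation: F(req & G not grant).
# Each transition carries a guard on the label of the M-state being read;
# q0 is the initial state, q1 is the only accepting state.
Guard = Callable[[FrozenSet[str]], bool]
BUCHI_TRANS: Dict[BState, List[Tuple[BState, Guard]]] = {
    "q0": [("q0", lambda lab: True),
           ("q1", lambda lab: "req" in lab and "grant" not in lab)],
    "q1": [("q1", lambda lab: "grant" not in lab)],
}
BUCHI_INIT: BState = "q0"
BUCHI_ACCEPT = {"q1"}


def product_successors(kripke, buchi_trans) -> Callable[[PState], List[PState]]:
    """Successor function of the product M x B: M moves to a successor while B
    takes a transition whose guard holds on the label of the current M-state."""
    def succ(ps: PState) -> List[PState]:
        m, q = ps
        label, m_succ = kripke[m]
        return [(m2, q2) for q2, guard in buchi_trans[q] if guard(label)
                for m2 in m_succ]
    return succ


def nested_dfs(succ, init: PState, accepting) -> Optional[Tuple[List[PState], List[PState]]]:
    """The slide's DFS/DFS2 pair. Returns (prefix, cycle) of product states
    forming a lasso through an accepting state, or None if there is none."""
    visited, visited2 = set(), set()
    path: List[PState] = []    # DFS stack: the prefix of the counterexample
    cycle: List[PState] = []   # DFS2 stack: the accepting cycle

    def dfs2(s: PState, seed: PState) -> bool:
        visited2.add(s)
        cycle.append(s)
        for t in succ(s):
            if t == seed:
                return True                  # "Cycle Detected"
            if t not in visited2 and dfs2(t, seed):
                return True
        cycle.pop()
        return False

    def dfs(s: PState) -> bool:
        visited.add(s)
        path.append(s)
        for t in succ(s):
            if t not in visited:
                if dfs(t):
                    return True
                # the second search starts only after DFS(t) has finished
                if accepting(t) and dfs2(t, t):
                    return True
        path.pop()
        return False

    return (path, cycle) if dfs(init) else None


def check_ltl(kripke, initial: MState):
    """Check G(req -> F grant) on `kripke`: returns a counterexample lasso
    (prefix, cycle) projected to M-states, or None if the property holds."""
    succ = product_successors(kripke, BUCHI_TRANS)
    result = nested_dfs(succ, (initial, BUCHI_INIT), lambda ps: ps[1] in BUCHI_ACCEPT)
    if result is None:
        return None
    prefix, cycle = result
    return [m for m, _ in prefix], [m for m, _ in cycle]


if __name__ == "__main__":
    print("with pending loop:", check_ltl(KRIPKE, "s0"))       # (['s0', 's1'], ['s1'])
    print("without loop:    ", check_ltl(KRIPKE_FAIR, "s0"))  # None
```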

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: checking can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit-state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth-first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until allowed to enter */
        ncrit++;
    ss:
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* block until allowed to enter */
        ncrit++;
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }
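An added Python example (not from the slides or from SPIN) that enumerates the interleavings of the Peterson model above and evaluates the assertion in every reachable state, the way an explicit-state checker does; it also drops the `turn = i` statement to show the assertion failing. All names are my own.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Added example, not code from the slides: a minimal explicit-state model
# checker for the two-process Peterson model above.

# State = (pc, flag, turn, ncrit); pc and flag are 2-tuples, one entry per process.
State = Tuple[Tuple[int, int], Tuple[int, int], int, int]
INIT: State = ((0, 0), (0, 0), 0, 0)


def step(s: State, i: int, set_turn: bool = True) -> Optional[State]:
    """Execute the next statement of process i, or return None if it blocks.
    Program counters follow the Promela model: 0 flag[i]=1, 1 turn=i,
    2 wait, 3 ncrit++, 4 assert/ncrit--, 5 flag[i]=0 then goto again."""
    pc, flag, turn, ncrit = list(s[0]), list(s[1]), s[2], s[3]
    j, p = 1 - i, s[0][i]
    if p == 0:
        flag[i] = 1
    elif p == 1:
        if set_turn:                 # set_turn=False drops this line (faulty variant)
            turn = i
    elif p == 2:                     # (flag[1-i] == 0 || turn == 1-i) blocks until true
        if not (flag[j] == 0 or turn == j):
            return None
    elif p == 3:
        ncrit += 1
    elif p == 4:
        ncrit -= 1
    elif p == 5:
        flag[i] = 0
    pc[i] = (p + 1) % 6
    return ((pc[0], pc[1]), (flag[0], flag[1]), turn, ncrit)


def assertion_violated(s: State) -> bool:
    """assert(ncrit == 1) is evaluated by a process whose pc is 4."""
    pc, _, _, ncrit = s
    return ncrit != 1 and (pc[0] == 4 or pc[1] == 4)


def explore(set_turn: bool = True) -> Tuple[int, Optional[List[State]]]:
    """Breadth-first search over all interleavings. Returns the number of
    reachable states and, if the assertion can fail, a shortest path to it."""
    parent: Dict[State, Optional[State]] = {INIT: None}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        if assertion_violated(s):
            path, cur = [], s            # rebuild the counterexample from parent links
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return len(parent), path[::-1]
        for i in (0, 1):
            t = step(s, i, set_turn)
            if t is not None and t not in parent:
                parent[t] = s
                queue.append(t)
    return len(parent), None


if __name__ == "__main__":
    n, cex = explore()
    print(f"Peterson: {n} states, assertion violated: {cex is not None}")
    n, cex = explore(set_turn=False)
    print(f"without 'turn = i': {n} states, violated after {len(cex) - 1} steps")
```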

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states
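The n!, 2^n and n + 1 counts above, reproduced by exploring n independent transitions with every interleaving and then with one representative ordering; an added Python example, not from the slides, with names of my own. It assumes the property does not observe the order in which the flags are set, which is what makes the singleton ample set valid here.

```python
from typing import List, Set, Tuple

# Added example, not code from the slides: n independent transitions, each
# setting its own flag. Full interleaving: 2^n states and n! orderings;
# one representative ordering: n + 1 states.

State = Tuple[bool, ...]


def enabled(s: State) -> List[int]:
    """Transition i is enabled while flag i is still unset."""
    return [i for i, f in enumerate(s) if not f]


def fire(s: State, i: int) -> State:
    return s[:i] + (True,) + s[i + 1:]


def full_state_space(n: int) -> Set[State]:
    """All interleavings: one state per subset of fired transitions."""
    init: State = (False,) * n
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for i in enabled(s):
            t = fire(s, i)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def reduced_state_space(n: int) -> Set[State]:
    """Representative ordering: from each state expand only the lowest-numbered
    enabled transition (a singleton ample set, valid because all transitions
    commute and the property ignores their order), giving n + 1 states."""
    s: State = (False,) * n
    seen = {s}
    while enabled(s):
        s = fire(s, enabled(s)[0])
        seen.add(s)
    return seen


def count_orderings(n: int) -> int:
    """Number of distinct maximal paths through the full graph, i.e. n! orderings."""
    def paths_from(s: State) -> int:
        en = enabled(s)
        return 1 if not en else sum(paths_from(fire(s, i)) for i in en)
    return paths_from((False,) * n)


if __name__ == "__main__":
    print("n  orderings  full states  reduced states")
    for n in (3, 4, 5):
        print(n, count_orderings(n), len(full_state_space(n)), len(reduced_state_space(n)))
        # 3 6 8 4 / 4 24 16 5 / 5 120 32 6
```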

Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions that result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel; the specifications for such systems can be decomposed into properties that hold in the sub-processes
  – e.g. a communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – e.g. infinite state → finite-state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property: F(~v1), i.e. v1 will eventually become False.

After cone of influence reduction:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
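The cone of influence computation and the reduction applied to the six-variable model above, followed by a check that F(~v1) gets the same verdict on the full and on the reduced model, as the theorem states; an added Python example, not from the slides. Names are my own, every state is treated as a possible initial state because the model fixes none (assumption), and the cone computed here contains v3, so v3's equation stays in the reduced model.

```python
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

# Added example, not code from the slides: cone of influence reduction on the
# synchronous model above, plus AF(~v1) evaluated on both models.

State = Dict[str, bool]
# equation = (variables it reads, next-state function). A variable with no
# equation (here v6) is a free input that may take any value at each step.
Equation = Tuple[Tuple[str, ...], Callable[[State], bool]]
Model = Tuple[Dict[str, Equation], List[str]]

ALL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]
FULL_EQS: Dict[str, Equation] = {
    "v1": (("v2",), lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
}
FULL: Model = (FULL_EQS, ALL_VARS)


def cone_of_influence(equations, targets) -> Set[str]:
    """Smallest set containing `targets` and closed under: v in C implies
    every variable read by v's equation is in C."""
    cone, todo = set(targets), list(targets)
    while todo:
        v = todo.pop()
        for w in equations.get(v, ((), None))[0]:
            if w not in cone:
                cone.add(w)
                todo.append(w)
    return cone


def reduce_model(model: Model, cone: Set[str]) -> Model:
    """Drop every variable and equation outside the cone."""
    equations, variables = model
    return ({v: e for v, e in equations.items() if v in cone},
            [v for v in variables if v in cone])


def all_states(variables) -> List[Tuple[bool, ...]]:
    return list(product((False, True), repeat=len(variables)))


def successors(model: Model, state: Tuple[bool, ...]) -> List[Tuple[bool, ...]]:
    """Synchronous step: all equations fire at once; free inputs take any value."""
    equations, variables = model
    cur = dict(zip(variables, state))
    fixed = {v: equations[v][1](cur) for v in variables if v in equations}
    free = [v for v in variables if v not in equations]
    out = []
    for vals in product((False, True), repeat=len(free)):
        nxt = dict(fixed, **dict(zip(free, vals)))
        out.append(tuple(nxt[v] for v in variables))
    return out


def eg_states(model: Model, pred: Callable[[State], bool]) -> Set[Tuple[bool, ...]]:
    """Greatest fixpoint for EG pred: states from which some path stays in pred forever."""
    _, variables = model
    z = {st for st in all_states(variables) if pred(dict(zip(variables, st)))}
    while True:
        z2 = {st for st in z if any(t in z for t in successors(model, st))}
        if z2 == z:
            return z
        z = z2


def holds_af(model: Model, prop: Callable[[State], bool]) -> bool:
    """prop eventually holds on every path from every state: AF prop == not EG (not prop)."""
    return not eg_states(model, lambda s: not prop(s))


if __name__ == "__main__":
    cone = cone_of_influence(FULL_EQS, {"v1"})
    reduced = reduce_model(FULL, cone)
    print("cone of {v1}:", sorted(cone))                            # ['v1', 'v2', 'v3']
    print("states:", len(all_states(ALL_VARS)), "->", len(all_states(reduced[1])))  # 64 -> 8
    print("F(~v1) on full model:   ", holds_af(FULL, lambda s: not s["v1"]))     # False
    print("F(~v1) on reduced model:", holds_af(reduced, lambda s: not s["v1"]))  # False
```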

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  – x : int → {Even, Odd}
    • Odd = {…, -3, -1, 1, 3, …}
    • Even = {…, -2, 0, 2, 4, …}
  – y : int → {Neg, Zero, Pos}
    • Neg = {…, -3, -2, -1}
    • Zero = {0}
    • Pos = {1, 2, 3, …}

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* the slide leaves N, T and C undeclared; declared here */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1 in SPIN, tok is 1 or 2 */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the model above; Ni, Ti, Ci denote process i in state N, T or C]

State graph (12 states):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one per equivalence class):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
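The two-process token model above explored once without and once with symmetry reduction, reproducing the 12-state graph and the 6-state reduced graph; an added Python example, not code from the slides or from SPIN. Names are my own, and the C → N step together with the choice of the new tok is taken as one atomic transition, as the slide's state graph draws it (assumption).

```python
from collections import deque
from typing import Callable, List, Set, Tuple

# Added example, not code from the slides: symmetry reduction by storing one
# canonical representative per orbit of the process-swap symmetry.

N, T, C = "N", "T", "C"
State = Tuple[str, str, int]      # (state of process 1, state of process 2, tok)
INIT: State = (N, N, 1)


def _set(s: State, i: int, new_state: str, tok: int) -> State:
    procs = list(s[:2])
    procs[i] = new_state
    return (procs[0], procs[1], tok)


def successors(s: State) -> List[State]:
    """All transitions enabled in s; process index i is numbered i + 1 in the graph."""
    out = []
    for i in (0, 1):
        st, tok = s[i], s[2]
        if st == N:                           # (state == N) -> state = T
            out.append(_set(s, i, T, tok))
        elif st == T and tok == i + 1:        # (state == T) && (tok == own number) -> state = C
            out.append(_set(s, i, C, tok))
        elif st == C:                         # (state == C) -> state = N; if :: tok=1 :: tok=2 fi
            out.extend(_set(s, i, N, new_tok) for new_tok in (1, 2))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two processes and hand the token to the other one."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Representative of s's orbit under {identity, swap}: the element with tok == 1."""
    return min((s, swap(s)), key=lambda x: (x[2], x[0], x[1]))


def explore(rep: Callable[[State], State] = lambda s: s) -> Set[State]:
    """BFS of the state graph; rep maps every state to the representative that is
    actually stored and expanded (identity = the full graph)."""
    start = rep(INIT)
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def mutual_exclusion(states: Set[State]) -> bool:
    """Never both processes in C. The property is symmetric, so checking it on
    the representatives is as good as checking it on the full graph."""
    return not any(s[0] == C and s[1] == C for s in states)


if __name__ == "__main__":
    full, reduced = explore(), explore(canonical)
    print(len(full), "states in the full graph")        # 12
    print(len(reduced), "states in the reduced graph")  # 6
    print("mutual exclusion:", mutual_exclusion(full), mutual_exclusion(reduced))
```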

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

[Figure: PAT workflow diagram]

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                           NuSMV-ImProviso                    SPIN
                           states     time       memory       states     time       memory
    Migratory Protocol (2) 155040     108.63s    56.3 MB      435456     2.34s      42.8 MB
    Stable Marriage (2)    710        0.84s      7.3 MB       568        <0.01s     1.5 MB
    Stable Marriage (3)    1275       2.72s      10.4 MB      945        <0.01s     1.5 MB
    Stable Marriage (5)    10351      31.56s     30.0 MB      8421       0.03s      2.1 MB
    Best (7)               15         0.06s      0.7 MB       2187       0.03s      1.5 MB
    Best (20)              41         0.34s      5.7 MB       N/A¹
    Worst (3)              15         0.04s      0.3 MB       15         <0.01s     1.5 MB
    Worst (20)             2097150    0.36s      5.0 MB       2097150    15.03s     110.6 MB
    Worst (100)            2.54E+30   14.34s     14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

    Non-PO                 NuSMV                              SPIN
                           states     time       memory       states     time       memory
    2                      70         0.11s      1.1 MB       70         <0.01s     1.5 MB
    3                      488        0.57s      4.6 MB       488        <0.01s     1.5 MB
    4                      3576       6.77s      10.6 MB      3576       0.10s      2.3 MB
    8                      N/A¹                               N/A¹

    PO                     NuSMV-ImProviso                    SPIN
                           states     time       memory       states     time       memory
    2                      48         0.10s      1.0 MB       48         0.02s      1.5 MB
    3                      209        0.31s      3.0 MB       209        <0.01s     1.5 MB
    4                      922        1.77s      10.4 MB      922        <0.01s     1.7 MB
    8                      306903     3553.86s   381.8 MB     306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                              Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry

                                              • Model Checking and Related Techniques
                                              • Outline
                                              • Model Checking Introduction
                                              • Model Checking
                                              • Model of Concurrent Systems
                                              • Model of Concurrent Systems (Cont)
                                              • Temporal logics
                                              • Temporal logics (2)
                                              • CTL Examples
                                              • Fixpoint Algorithms
                                              • Model Checking Problem
                                              • Symbolic Model Checking
                                              • Symbolic Model Checking with BDDs
                                              • Ordered Binary Decision Trees and Diagrams
                                              • OBDD for Comparator Example
                                              • Variable Ordering Problem
                                              • Symbolic Model Checking Algorithm
                                              • Symbolic Model Checking (cont)
                                              • Symbolic Model Checking (cont) (2)
                                              • Problems with BDDs
                                              • Advantages of SAT Procedures
                                              • Bounded Model Checking
                                              • Main Advantages of SAT Approach
                                              • NuSMV A New Symbolic Model Verifier
                                              • NuSMV language by examples
                                              • Explicit Model Checking
                                              • Buumlchi Automata
                                              • Example
                                              • LTL and Buumlchi Automata
                                              • LTL Model Checking
                                              • Nested Depth First Search
                                              • Example (2)
                                              • Example (3)
                                              • Nested Depth First Search (2)
                                              • Nested Depth First Search (3)
                                              • Explicit Model Checking (2)
                                              • SPIN
                                              • SPIN Example of Petersonrsquos Algorithm
                                              • Outline (2)
                                              • Partial Order Reduction
                                              • The State Explosion Problem
                                              • Partial Order Reduction (2)
                                              • Partial Order Reduction (Cont)
                                              • Partial Order Reduction (Cont) (2)
                                              • Compositional Reasoning
                                              • Abstraction
                                              • Cone of Influence Reduction
                                              • Cone of Influence Reduction (2)
                                              • Data Abstraction
                                              • Data Abstraction Example
                                              • Symmetry
                                              • Model Written in SPIN
                                              • Symmetry Reduction Example
                                              • Outline (3)
                                              • PAT Process Analysis Toolkit
                                              • PAT Workflow Diagram
                                              • Fairness Assumptions
                                              • Specifying Fairness
                                              • Outline (4)
                                              • Comparison NuSMV-ImProviso and SPIN
                                              • Comparison Leader Election Protocol
                                              • Comparison PAT SPIN and FDR
                                              • Comparison Conclusion
                                              • Outline (5)
                                              • Conclusion
                                              • Model Checking Distributed Algorithms
                                              • Model Checking Distributed Algorithms (2)

                                                NuSMV A New Symbolic Model Verifier

                                                bull Finite-state Systems described in a specialized language

                                                bull Specifications expressible in CTL LTL bull Provides both BDD and SAT based model

                                                checking bull Allow user specified variable orderingbull Uses a number of heuristics for achieving

                                                efficiency and control state explosion

                                                NuSMV language by examples

                                                Explicit Model Checking

                                                bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                                                bull Counterexample

                                                ndash M is the set of traces of M

                                                ndash is the set of traces that satisfy

                                                bull M

                                                bull Equivalently M not=

                                                Buumlchi Automata

                                                bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                                                ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                                                bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                                                Example

                                                S0 S1 S2

                                                1=S0S1S2S2S2S2hellip

                                                2=S0S1S2S1S2S1hellip

                                                3=S0S1S2S1S1S1hellip

                                                ACCEPTED

                                                ACCEPTED

                                                REJECTED

                                                LTL and Buumlchi Automata

                                                bull LTL formulandash Represents a set of infinite traces which satisfy

                                                such formulabull Buumlchi Automaton

                                                ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                                                and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search whenever we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

Example (two figure-only slides; the drawings are not recoverable)

Nested Depth First Search

  procedure DFS(s)
    visited = visited ∪ {s}
    for each successor s' of s
      if s' ∉ visited then
        DFS(s')
        if s' is accepting then
          DFS2(s', s')
        end if
      end if
    end for
  end procedure

Nested Depth First Search

  procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
      if s' = seed then
        return "Cycle Detect"
      end if
      if s' ∉ visited2 then
        DFS2(s', seed)
      end if
    end for
  end procedure
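The DFS/DFS2 procedures above implemented over an explicit successor relation, as an added example that is not from the slides. The automaton is constructed from the earlier Example slide (states S0, S1, S2, accepting state S2), and the second function checks that slide's three traces for Büchi acceptance; the names nested_dfs and lasso_accepted are this example's own.

```python
"""Nested depth-first search for an accepting cycle in a Buchi automaton.

Added example (not from the slides). EXAMPLE_SUCC is constructed from the
slide's example automaton (states S0, S1, S2, accepting state S2). In LTL model
checking the same search runs over the product of M and B_not_phi, and the
accepting lasso it returns is the counterexample.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Lasso = Tuple[List[str], List[str]]  # (prefix, cycle): the trace prefix . cycle^omega

# Constructed from the slide's example: S0 -> S1, S1 -> S1 | S2, S2 -> S2 | S1.
EXAMPLE_SUCC: Dict[str, List[str]] = {
    "S0": ["S1"],
    "S1": ["S1", "S2"],
    "S2": ["S2", "S1"],
}
EXAMPLE_ACCEPTING: FrozenSet[str] = frozenset({"S2"})
# A constructed variant with no cycle through the accepting state.
NO_ACCEPTING_CYCLE: Dict[str, List[str]] = {
    "S0": ["S1"],
    "S1": ["S1", "S2"],
    "S2": [],
}


class CycleFound(Exception):
    """Raised by the inner search as soon as the seed state is reached again."""


def nested_dfs(succ: Dict[str, List[str]], init: str,
               accepting: FrozenSet[str]) -> Optional[Lasso]:
    """Follow the slide's DFS/DFS2: return an accepting lasso, or None.

    DFS visits states in post-order and starts DFS2 from every accepting state
    it backtracks over; DFS2 searches for a path back to that seed. The two
    explicit paths give the prefix and the cycle of the counterexample.
    """
    visited: Set[str] = set()
    visited2: Set[str] = set()
    path: List[str] = []    # outer DFS stack: prefix leading to the seed
    path2: List[str] = []   # inner DFS2 stack: the cycle, starting at the seed

    def dfs2(s: str, seed: str) -> None:
        visited2.add(s)
        path2.append(s)
        for t in succ.get(s, []):
            if t == seed:
                raise CycleFound
            if t not in visited2:
                dfs2(t, seed)
        path2.pop()

    def dfs(s: str) -> None:
        visited.add(s)
        path.append(s)
        for t in succ.get(s, []):
            if t not in visited:
                dfs(t)
                if t in accepting:
                    dfs2(t, t)
        path.pop()

    try:
        dfs(init)
    except CycleFound:
        return list(path), list(path2)
    return None


def lasso_accepted(succ: Dict[str, List[str]], init: str, prefix: List[str],
                   cycle: List[str], accepting: FrozenSet[str]) -> bool:
    """Buchi acceptance of the infinite trace prefix . cycle^omega.

    The trace must be a run (start in init and follow transitions, including
    the wrap-around from the end of the cycle back to its start) and the
    repeated part must contain an accepting state, which is then visited
    infinitely often.
    """
    run = prefix + cycle + cycle[:1]
    if not run or run[0] != init:
        return False
    if any(b not in succ.get(a, []) for a, b in zip(run, run[1:])):
        return False
    return any(s in accepting for s in cycle)


if __name__ == "__main__":
    print(nested_dfs(EXAMPLE_SUCC, "S0", EXAMPLE_ACCEPTING))        # (['S0', 'S1'], ['S2'])
    print(nested_dfs(NO_ACCEPTING_CYCLE, "S0", EXAMPLE_ACCEPTING))  # None
    slide_traces = [(["S0", "S1"], ["S2"]), (["S0", "S1"], ["S2", "S1"]),
                    (["S0", "S1", "S2"], ["S1"])]
    for prefix, cycle in slide_traces:  # True, True, False
        print(prefix, cycle, lasso_accepted(EXAMPLE_SUCC, "S0", prefix, cycle, EXAMPLE_ACCEPTING))
```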

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: it can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      /* blocks until the other process is not interested or set turn after us */
      (flag[1 - 0] == 0 || turn == 1 - 0);
      ncrit++;
  ss:
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);
      ncrit++;
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution
• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
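An added example (not from the slides) that builds both graphs for n independent transitions: the full interleaving graph with its 2^n states and n! orderings, and the reduced graph obtained by expanding one representative transition per state. The representative choice assumes, as the slides do, that the transitions are independent of each other and that the specification does not distinguish their orderings; the function names are this example's own.

```python
"""Interleavings of n independent transitions: the full state graph versus the
reduced graph that partial order reduction explores.

Added example (not from the slides). Transition i only sets its own flag, so
any two transitions commute: the full interleaving graph has 2^n states and n!
orderings, while exploring one representative ordering needs n + 1 states.
The representative set used here is the simplest valid one for transitions
that are independent of each other and invisible to the property: pick a
single enabled transition in every state.
"""
from functools import lru_cache
from typing import Callable, Dict, FrozenSet, List, Set

State = FrozenSet[int]  # the set of transitions executed so far (flags set)
Chooser = Callable[[State, List[int]], List[int]]


def enabled(state: State, n: int) -> List[int]:
    """Transition i is enabled until it has executed (each one runs once)."""
    return [i for i in range(n) if i not in state]


def fire(state: State, i: int) -> State:
    """Executing transition i sets flag i; it commutes with every other one."""
    return state | {i}


def explore(n: int, choose: Chooser) -> Dict[State, Set[State]]:
    """Build the state graph, expanding only the transitions 'choose' returns."""
    start: State = frozenset()
    graph: Dict[State, Set[State]] = {start: set()}
    work = [start]
    while work:
        s = work.pop()
        for i in choose(s, enabled(s, n)):
            t = fire(s, i)
            graph[s].add(t)
            if t not in graph:
                graph[t] = set()
                work.append(t)
    return graph


def all_transitions(state: State, enabled_list: List[int]) -> List[int]:
    """Full interleaving: expand every enabled transition."""
    return enabled_list


def representative(state: State, enabled_list: List[int]) -> List[int]:
    """Reduced exploration: one successor per state. Valid here because all
    transitions commute and the property does not observe their order."""
    return enabled_list[:1]


def count_orderings(graph: Dict[State, Set[State]], n: int) -> int:
    """Number of maximal paths from the empty state to the final state."""
    final: State = frozenset(range(n))

    @lru_cache(maxsize=None)
    def paths(s: State) -> int:
        return 1 if s == final else sum(paths(t) for t in graph[s])

    return paths(frozenset())


def compare(n: int) -> Dict[str, object]:
    """Sizes of the full and reduced graphs for n independent transitions."""
    full = explore(n, all_transitions)
    reduced = explore(n, representative)
    return {
        "full_states": len(full),                           # 2^n
        "orderings": count_orderings(full, n),              # n!
        "reduced_states": len(reduced),                     # n + 1
        "reduced_orderings": count_orderings(reduced, n),   # 1
        "same_final_state": frozenset(range(n)) in reduced,
    }


if __name__ == "__main__":
    for n in (3, 4, 8):
        print(n, compare(n))
```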

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. Infinite state → Finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL Property:

  (F (~v1))    v1 will eventually become False

Cone of Influence Reduction (the reduced model):

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
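An added example (not from the slides) that computes the cone of influence for the system model above, builds the reduced model N, and decides F(~v1) on both M and N so the two verdicts can be compared. The encoding of the model as Python update functions and the run check are this example's own; v6 is treated as an input that keeps its initial value, since the slide never assigns it.

```python
"""Cone of influence reduction for the slides' simple system model.

Added example (not from the slides). It computes the cone of influence C of
the variables a property mentions, builds the reduced model N with respect to
C, and checks the slide's property F(not v1) on both the full model M and N;
the reduction theorem says the two verdicts agree.
"""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple

State = Dict[str, bool]
# Each variable maps to (variables its update reads, the update itself); all
# updates happen in parallel, forever. v6 is declared but never assigned on
# the slide, so here it keeps its initial value (assumption of this example).
Model = Dict[str, Tuple[Set[str], Callable[[State], bool]]]

FULL_MODEL: Model = {
    "v1": ({"v2"}, lambda s: s["v2"]),
    "v2": ({"v1", "v3"}, lambda s: s["v1"] and s["v3"]),
    "v3": ({"v1", "v2"}, lambda s: s["v1"] and s["v2"]),
    "v4": ({"v5", "v3"}, lambda s: s["v5"] and s["v3"]),
    "v5": ({"v4", "v6"}, lambda s: s["v4"] and s["v6"]),
    "v6": ({"v6"}, lambda s: s["v6"]),
}


def cone_of_influence(model: Model, variables: Iterable[str]) -> FrozenSet[str]:
    """Smallest set containing 'variables' and closed under 'is read by the update of'."""
    cone: Set[str] = set()
    work = list(variables)
    while work:
        v = work.pop()
        if v not in cone:
            cone.add(v)
            work.extend(model[v][0] - cone)
    return frozenset(cone)


def reduce_model(model: Model, cone: FrozenSet[str]) -> Model:
    """The reduced model N: only the updates of the variables in the cone."""
    return {v: model[v] for v in model if v in cone}


def step(model: Model, state: State) -> State:
    """One synchronous step: every variable is updated from the old state."""
    return {v: update(state) for v, (_, update) in model.items()}


def eventually(model: Model, pred: Callable[[State], bool]) -> bool:
    """Decide the LTL property F pred over all runs of the model.

    The model is deterministic, so each initial state has a single run; the
    run is followed until a state repeats. If pred has not held by then it
    never will, and F pred fails for that initial state.
    """
    names = sorted(model)
    for bits in product([False, True], repeat=len(names)):
        state: State = dict(zip(names, bits))
        seen: Set[Tuple[bool, ...]] = set()
        while tuple(state[v] for v in names) not in seen:
            if pred(state):
                break
            seen.add(tuple(state[v] for v in names))
            state = step(model, state)
        else:
            return False  # the run looped without pred ever holding
    return True


def check_with_reduction(model: Model, mentioned: Iterable[str],
                         pred: Callable[[State], bool]):
    """Verify F pred on the full model and on its cone-of-influence reduction."""
    cone = cone_of_influence(model, mentioned)
    reduced = reduce_model(model, cone)
    return cone, eventually(model, pred), eventually(reduced, pred)


if __name__ == "__main__":
    cone, on_m, on_n = check_with_reduction(FULL_MODEL, ["v1"], lambda s: not s["v1"])
    print("cone of {v1}:", sorted(cone))          # ['v1', 'v2', 'v3']
    print("F(~v1) on M:", on_m, " on N:", on_n)   # False False (v1=v2=v3=true loops)
```

F(~v1) fails on both models because the initial state with v1, v2 and v3 all true reproduces itself forever; the test also checks a property that does hold, F(v1 == v2), on both.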

Data Abstraction

(Figure: abstraction function h: S → S', mapping each concrete state in S to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int → {Even, Odd}
    … -3, -1, 1, 3 …   ↦ Odd
    … -2, 0, 2, 4 …    ↦ Even

  y: int → {Pos, Neg, Zero}
    1, 2, 3, …         ↦ Pos
    … -3, -2, -1       ↦ Neg
    0                  ↦ Zero

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };   /* process states; this declaration is assumed, the slide does not show it */
  byte tok = 1;

  active [2] proctype user()
  {
      byte state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid) -> state = C   /* SPIN numbers _pid from 0; the state graph below labels the processes 1 and 2 */
      :: (state == C) -> state = N;
                         if
                         :: tok = 1
                         :: tok = 2
                         fi
      od
  }

Symmetry Reduction Example

State graph (figure; 12 states, edges not reproduced):

  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (figure; 6 states, one representative per equivalence class):

  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
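An added example (not from the slides) that enumerates the reachable states of the token model above and then explores its quotient under the symmetry that swaps the two processes together with the token, reproducing the 12-state and 6-state graphs of the figure. Processes are numbered 1 and 2 as in the figure, so the guard tok == _pid is modelled as tok == pid with pid in {1, 2}; the function names are this example's own.

```python
"""Symmetry reduction for the slides' two-process token model written in SPIN.

Added example (not from the slides). It enumerates the reachable states of the
Promela model (each process in N, T or C; the token tok held by process 1 or
2), then explores the quotient under the symmetry that swaps the two processes
together with the token, keeping the tok = 1 member of each orbit as the
representative, as the slide's reduced state graph does.
"""
from typing import Callable, List, Set, Tuple

# (state of process 1, state of process 2, tok). Processes are numbered 1 and 2
# as in the slide's state graph (assumption), so tok == pid guards entry to C.
State = Tuple[str, str, int]
INITIAL: State = ("N", "N", 1)


def successors(s: State) -> List[State]:
    """Interleaving semantics of the do-loop: one process takes one option."""
    procs, tok = list(s[:2]), s[2]
    out: List[State] = []
    for i in (0, 1):
        pid = i + 1
        q = procs.copy()
        if procs[i] == "N":                      # (state == N) -> state = T
            q[i] = "T"
            out.append((q[0], q[1], tok))
        elif procs[i] == "T" and tok == pid:     # (state == T) && (tok == _pid) -> state = C
            q[i] = "C"
            out.append((q[0], q[1], tok))
        elif procs[i] == "C":                    # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            q[i] = "N"
            out.extend((q[0], q[1], t) for t in (1, 2))
    return out


def swap(s: State) -> State:
    """The symmetry of the model: exchange the two processes and relabel tok."""
    return (s[1], s[0], 3 - s[2])


def representative(s: State) -> State:
    """Orbit representative: the member of {s, swap(s)} in which process 1 holds tok."""
    return s if s[2] == 1 else swap(s)


def reachable(start: State,
              normalise: Callable[[State], State] = lambda s: s) -> Set[State]:
    """Explore the state graph; 'normalise' folds each new state onto its representative."""
    seen: Set[State] = {normalise(start)}
    work = [normalise(start)]
    while work:
        s = work.pop()
        for t in successors(s):
            t = normalise(t)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def mutual_exclusion(states: Set[State]) -> bool:
    """Safety property checked on either graph: never both processes in C."""
    return not any(s[0] == "C" and s[1] == "C" for s in states)


if __name__ == "__main__":
    full = reachable(INITIAL)
    reduced = reachable(INITIAL, representative)
    print(len(full), "states in the full graph,", len(reduced), "in the reduced graph")  # 12 6
    print("mutual exclusion:", mutual_exclusion(full), mutual_exclusion(reduced))    # True True
```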

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking for process algebra

PAT Workflow Diagram (figure)

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                   SPIN
                          states      time      memory      states      time      memory
  Migratory Protocol (2)  155040    108.63s    56.3 MB      435456     2.34s    42.8 MB
  Stable Marriage (2)        710      0.84s     7.3 MB         568    <0.01s     1.5 MB
  Stable Marriage (3)       1275      2.72s    10.4 MB         945    <0.01s     1.5 MB
  Stable Marriage (5)      10351     31.56s    30.0 MB        8421     0.03s     2.1 MB
  Best (7)                    15      0.06s     0.7 MB        2187     0.03s     1.5 MB
  Best (20)                   41      0.34s     5.7 MB       N/A (1)
  Worst (3)                   15      0.04s     0.3 MB          15    <0.01s     1.5 MB
  Worst (20)             2097150      0.36s     5.0 MB     2097150    15.03s   110.6 MB
  Worst (100)           2.54E+30     14.34s    14.6 MB       N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (no partial order reduction)

                NuSMV                             SPIN
  n     states    time     memory      states    time      memory
  2         70    0.11s    1.1 MB          70   <0.01s     1.5 MB
  3        488    0.57s    4.6 MB         488   <0.01s     1.5 MB
  4       3576    6.77s   10.6 MB        3576    0.10s     2.3 MB
  8      N/A (1)                        N/A (1)

PO (with partial order reduction)

                NuSMV-ImProviso                   SPIN
  n     states    time        memory      states    time      memory
  2         48    0.10s       1.0 MB          48    0.02s     1.5 MB
  3        209    0.31s       3.0 MB         209   <0.01s     1.5 MB
  4        922    1.77s      10.4 MB         922   <0.01s     1.7 MB
  8     306903  3553.86s    381.8 MB      306903   11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR (figure)

Comparison Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


                                                  NuSMV language by examples

                                                  Explicit Model Checking

                                                  bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                                                  bull Counterexample

                                                  ndash M is the set of traces of M

                                                  ndash is the set of traces that satisfy

                                                  bull M

                                                  bull Equivalently M not=

                                                  Buumlchi Automata

                                                  bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                                                  ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                                                  bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                                                  Example

                                                  S0 S1 S2

                                                  1=S0S1S2S2S2S2hellip

                                                  2=S0S1S2S1S2S1hellip

                                                  3=S0S1S2S1S1S1hellip

                                                  ACCEPTED

                                                  ACCEPTED

                                                  REJECTED

                                                  LTL and Buumlchi Automata

                                                  bull LTL formulandash Represents a set of infinite traces which satisfy

                                                  such formulabull Buumlchi Automaton

                                                  ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                                                  and only the infinite traces represented by an LTL formula

                                                  LTL Model Checking

                                                  bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                                                  ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                                                  ndash The product accepts the traces of M that are also traces of Bnot (M not)

                                                  ndash If the product accepts any sequencebull We have found a counterexample

                                                  Nested Depth First Search

                                                  bull The product is a Buumlchi automatonbull How do we find accepted sequences

                                                  ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                                                  ndash We are interested only in cycles that contain at least an accepting state

                                                  ndash During depth first search start a second search when we are in an accepting states

                                                  bull If we can reach the same state again we have a cycle (and a counterexample)

                                                  Example

                                                  Example

                                                  Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                                                  Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                                                  Explicit Model Checking

                                                  bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                                                  bull Some states are not generated in the productbull Counterexample can be found before

                                                  searching all statesbull Easy to optimizebull Better support for asynchronous composition

                                                  SPIN

                                                  bull Explicit State Model Checkerbull Process Algebra

                                                  ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                                                  bull Nested Depth First Searchbull Uses a hashing function to store each state using

                                                  only 2 bits (no guarantee of soundness)bull Partial Order Reduction

SPIN Example of Peterson's Algorithm

  bool turn, flag[2];
  byte ncrit;

  active proctype user0()
  {
  again:
      flag[0] = 1;
  reach:
      turn = 0;
  cs:
      (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until the condition holds */
      ncrit++;
  ss:
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[0] = 0;
      goto again
  }

  active proctype user1()
  {
  again:
      flag[1] = 1;
  reach:
      turn = 1;
  cs:
      (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until the condition holds */
      ncrit++;
      assert(ncrit == 1);   /* critical section */
      ncrit--;
      flag[1] = 0;
      goto again
  }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states
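The 2^n versus n + 1 count above, worked out by actually exploring the states, as an added example that is not part of the slides. The model is constructed for the demo: n Boolean flags, each set by its own transition t_i, so every pair of transitions commutes. The one_representative policy stands in for a partial order reduction that expands a single transition per state; it is only sound here because the t_i are all independent and the property is assumed not to distinguish their orderings, which a real ample-set implementation has to check rather than assume.

```python
# Added example, not from the slides: n independent transitions explored with
# full interleaving versus a single representative ordering. The model is
# constructed for the demo: n flags, all initially False; transition t_i sets
# flag i and is independent of every other t_j.
from typing import Callable, List, Tuple

State = Tuple[bool, ...]
Policy = Callable[[State, List[int]], List[int]]


def enabled(state: State) -> List[int]:
    """t_i is enabled while flag i is still False."""
    return [i for i, done in enumerate(state) if not done]


def fire(state: State, i: int) -> State:
    s = list(state)
    s[i] = True
    return tuple(s)


def reachable_states(n: int, policy: Policy) -> int:
    """Count reachable states when `policy` selects which enabled transitions
    to expand at each state."""
    init: State = tuple([False] * n)
    seen = {init}
    stack = [init]
    while stack:
        s = stack.pop()
        for i in policy(s, enabled(s)):
            t = fire(s, i)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen)


def count_orderings(n: int) -> int:
    """Number of distinct complete interleavings (maximal paths) in the full
    state graph, counted by enumerating them: n! for n independent moves."""
    def paths_from(s: State) -> int:
        en = enabled(s)
        return 1 if not en else sum(paths_from(fire(s, i)) for i in en)
    return paths_from(tuple([False] * n))


def full_interleaving(state: State, en: List[int]) -> List[int]:
    return en                  # expand every enabled transition: 2^n states


def one_representative(state: State, en: List[int]) -> List[int]:
    # Expand only the first enabled transition. Sound here only because all
    # t_i commute and the property is assumed not to see their order; a real
    # POR implementation must check the ample-set conditions instead.
    return en[:1]              # n + 1 states


if __name__ == "__main__":
    for n in (3, 10):
        print(n, count_orderings(n),
              reachable_states(n, full_interleaving),
              reachable_states(n, one_representative))
```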

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the model M reduced with respect to C

Cone of Influence Reduction

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6
  End

A simple LTL property:

  F (~v1)        (v1 will eventually become False)

The model reduced to the cone of influence of {v1}:

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
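The reduction on this slide computed mechanically, as an added example that is not part of the slides. DEPS encodes the assignments of the simple system model above as "variable → variables its next value reads"; v6 has no assignment and is treated as an input. The cone of influence is the least set containing the property's variables and closed under that dependency relation, and the reduced model keeps only the assignments of variables in the cone.

```python
# Added example, not from the slides: computing the cone of influence for the
# simple system model above. DEPS records, for each assigned variable, the
# variables its next value depends on; v6 is never assigned (an input).
from typing import Dict, Iterable, Set

DEPS: Dict[str, Set[str]] = {
    "v1": {"v2"},            # v1 = v2
    "v2": {"v1", "v3"},      # v2 = v1 & v3
    "v3": {"v1", "v2"},      # v3 = v1 & v2
    "v4": {"v5", "v3"},      # v4 = v5 & v3
    "v5": {"v4", "v6"},      # v5 = v4 & v6
}


def cone_of_influence(deps: Dict[str, Set[str]],
                      prop_vars: Iterable[str]) -> Set[str]:
    """Smallest set containing prop_vars that is closed under 'depends on':
    a variable can influence the property only if it lies in this set."""
    cone: Set[str] = set(prop_vars)
    work = list(cone)
    while work:
        v = work.pop()
        for d in deps.get(v, set()):
            if d not in cone:
                cone.add(d)
                work.append(d)
    return cone


def reduced_model(deps: Dict[str, Set[str]],
                  prop_vars: Iterable[str]) -> Dict[str, Set[str]]:
    """Keep only the assignments of variables inside the cone; assignments to
    variables outside it cannot affect the property and are dropped."""
    cone = cone_of_influence(deps, prop_vars)
    return {v: d for v, d in deps.items() if v in cone}


if __name__ == "__main__":
    # The property F(~v1) mentions only v1.
    print(sorted(cone_of_influence(DEPS, {"v1"})))   # ['v1', 'v2', 'v3']
    print(sorted(reduced_model(DEPS, {"v1"})))       # ['v1', 'v2', 'v3']
    print(sorted(cone_of_influence(DEPS, {"v4"})))   # all six variables
```

For {v1} the cone is {v1, v2, v3}: v3 is pulled in because v2 reads it, so its assignment stays in the reduced model as well, while v4, v5 and v6 are dropped. A property over v4 instead pulls in every variable, and no reduction is possible.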

Data Abstraction

Abstraction function h: S → S'
(every concrete state in S is mapped by h to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

  x: int  →  Even = { …, -2, 0, 2, 4, … }
             Odd  = { …, -3, -1, 1, 3, … }

  y: int  →  Neg  = { …, -3, -2, -1 }
             Zero = { 0 }
             Pos  = { 1, 2, 3, … }
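The component abstractions above applied to a transition relation, as an added example that is not part of the slides. It also shows the "loss of precision" named on the Abstraction slide. The concrete updates (x' = x + 1, y' = y + 1) and the sampling window are constructed for the demo; the abstract relation is the existential abstraction, which contains (a, a') whenever some concrete state of class a steps into class a'. Under the sign abstraction, Neg → Neg becomes a self-loop, so the abstract model admits a run on which y never reaches Zero even though every concrete run does: a spurious counterexample.

```python
# Added example, not from the slides: existential (data) abstraction with the
# two component abstractions shown above, h_parity for x and h_sign for y.
# The concrete transitions (x' = x + 1, y' = y + 1) and the sampling window are
# constructed for the demo.
from typing import Callable, Dict, Set, Tuple

AbsRel = Set[Tuple[str, str]]


def h_parity(x: int) -> str:
    return "Even" if x % 2 == 0 else "Odd"


def h_sign(y: int) -> str:
    return "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")


def abstract_transitions(step: Callable[[int], int], h: Callable[[int], str],
                         lo: int = -8, hi: int = 8) -> AbsRel:
    """Existential abstraction: (a, a') is an abstract transition iff some
    concrete s with h(s) = a steps to an s' with h(s') = a'. Each abstract
    class is infinite, so we sample the window [lo, hi]; for these +1 updates
    the window already exhibits every abstract transition."""
    return {(h(s), h(step(s))) for s in range(lo, hi + 1)}


def can_avoid_forever(rel: AbsRel, start: str, target: str) -> bool:
    """True iff the abstract graph with `target` removed has a cycle reachable
    from `start`: an infinite abstract run that never reaches target, i.e. an
    abstract counterexample to the property F target."""
    succ: Dict[str, Set[str]] = {}
    for a, b in rel:
        if target not in (a, b):
            succ.setdefault(a, set()).add(b)

    def reach(u: str) -> Set[str]:
        seen: Set[str] = set()
        stack = [u]
        while stack:
            for w in succ.get(stack.pop(), ()):
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        return seen

    return any(u in reach(u) for u in reach(start) | {start})


def concrete_reaches(step: Callable[[int], int], start: int,
                     goal: Callable[[int], bool], bound: int) -> bool:
    """Does the concrete run from `start` satisfy `goal` within `bound` steps?"""
    s = start
    for _ in range(bound + 1):
        if goal(s):
            return True
        s = step(s)
    return False


if __name__ == "__main__":
    parity_rel = abstract_transitions(lambda x: x + 1, h_parity)
    sign_rel = abstract_transitions(lambda y: y + 1, h_sign)
    print(sorted(parity_rel))   # exact: Even -> Odd, Odd -> Even
    print(sorted(sign_rel))     # Neg -> Neg, Neg -> Zero, Zero -> Pos, Pos -> Pos
    # The abstract model allows y to stay Neg forever (false alarm for F Zero)...
    print(can_avoid_forever(sign_rel, "Neg", "Zero"))                   # True
    # ...although every concrete run from a negative y does reach 0.
    print(concrete_reaches(lambda y: y + 1, -3, lambda y: y == 0, 10))  # True
```

The parity abstraction happens to be exact for x + 1, so nothing is lost; the sign abstraction over-approximates, which is safe for proving universal properties (any abstract proof carries over) but can report counterexamples that no concrete run exhibits.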

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };   /* local states: Non-critical, Trying, Critical */
  byte tok = 1;

  active [2] proctype user()
  {
      byte state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based in SPIN; token values 1 and 2 stand for the two users */
      :: (state == C) -> state = N;
         if
         :: tok = 1
         :: tok = 2
         fi
      od
  }

Symmetry Reduction Example

State graph (12 states, written as "state of user 1, state of user 2, tok"; each row pairs a state with its image under swapping the two users):

  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):

  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
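The two graphs above reproduced by exploration, as an added example that is not part of the slides. The Python model below follows the SPIN model of the previous slide with one simplification taken from the diagram: leaving C and choosing the next token holder are one atomic step. Symmetry reduction is done by storing a canonical representative of each state's orbit under the user-swapping automorphism, and the mutual exclusion check illustrates that a symmetric property can be checked on the quotient alone.

```python
# Added example, not from the slides: explicit-state exploration of the
# two-user token model above, with and without symmetry reduction. As in the
# diagram, "state = N" and the token choice are treated as one atomic step.
from typing import Callable, List, Set, Tuple

State = Tuple[str, str, int]            # (user 1 state, user 2 state, tok)
INIT: State = ("N", "N", 1)


def successors(s: State) -> List[State]:
    """One interleaving step of either user; user i+1 may enter C only while
    tok == i+1, and on leaving C hands the token to user 1 or user 2."""
    out: List[State] = []
    for i in (0, 1):
        local, tok = s[i], s[2]
        moves: List[Tuple[str, int]] = []
        if local == "N":
            moves.append(("T", tok))
        elif local == "T" and tok == i + 1:
            moves.append(("C", tok))
        elif local == "C":
            moves += [("N", 1), ("N", 2)]
        for new_local, new_tok in moves:
            t = list(s)
            t[i] = new_local
            t[2] = new_tok
            out.append((t[0], t[1], t[2]))
    return out


def swap(s: State) -> State:
    """The automorphism exchanging the two users (and therefore the token)."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Representative of s's orbit {s, swap(s)}: the lexicographically smaller."""
    return min(s, swap(s))


def explore(canon: Callable[[State], State]) -> Set[State]:
    """Reachable states, storing only canon(state). The identity gives the
    full graph; `canonical` gives the symmetry-reduced quotient."""
    init = canon(INIT)
    seen = {init}
    stack = [init]
    while stack:
        for t in successors(stack.pop()):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutual_exclusion(states: Set[State]) -> bool:
    """Mutual exclusion is symmetric, so checking it on the quotient suffices."""
    return all(not (s[0] == "C" and s[1] == "C") for s in states)


if __name__ == "__main__":
    full = explore(lambda s: s)
    reduced = explore(canonical)
    print(len(full), len(reduced))                            # 12 6
    print(mutual_exclusion(full), mutual_exclusion(reduced))  # True True
```

Canonicalising every successor before the visited-set lookup is the whole of the reduction: for two symmetric users the orbit of a state has at most two members, so the representative can be computed by comparing the state with its single swapped image; with more users one would minimise over all permutations or use a cheaper sorting-based canonical form.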

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
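How wf(e) and sf(e) decide the fate of a counterexample, as an added example that is not part of the slides (the event names and the run are constructed, not PAT syntax). A model checker reports a liveness violation as a lasso, a finite prefix followed by a cycle repeated forever, and a fairness assumption is a filter on such runs: only the cycle matters, because fairness speaks about what happens infinitely often. The constructed cycle is the starvation scenario of the two-user token model: user 1 keeps re-entering the critical section and always keeps the token, while user 2 waits in T forever. Weak fairness on the "hand over the token" event does not exclude this run (the event is not continuously enabled), strong fairness does.

```python
# Added example, not from the slides: deciding whether a lasso-shaped run
# (finite prefix followed by a cycle repeated forever) satisfies wf(e) or
# sf(e) as defined above. Only the cycle matters, since fairness constrains
# what happens infinitely often. The run and event names are constructed.
from typing import List, Set, Tuple

Step = Tuple[Set[str], str]   # (events enabled in the state, event taken)

# Constructed starvation cycle of the token model:
# (N1,T2,tok=1) -> (T1,T2,tok=1) -> (C1,T2,tok=1) -> back to the start.
STARVATION_CYCLE: List[Step] = [
    ({"u1.try"}, "u1.try"),
    ({"u1.enter"}, "u1.enter"),
    ({"u1.leave_keep_tok", "u1.leave_give_tok"}, "u1.leave_keep_tok"),
]


def taken_in(cycle: List[Step], e: str) -> bool:
    return any(ev == e for _, ev in cycle)


def weakly_fair(cycle: List[Step], e: str) -> bool:
    """wf(e): if e is enabled in every state of the cycle (continuously
    enabled from some point on), then e must occur in the cycle."""
    always_enabled = all(e in en for en, _ in cycle)
    return taken_in(cycle, e) or not always_enabled


def strongly_fair(cycle: List[Step], e: str) -> bool:
    """sf(e): if e is enabled in some state of the cycle (enabled infinitely
    often), then e must occur in the cycle."""
    ever_enabled = any(e in en for en, _ in cycle)
    return taken_in(cycle, e) or not ever_enabled


def run_admitted(cycle: List[Step], assumptions: List[Tuple[str, str]]) -> bool:
    """Is the run a valid counterexample under the fairness assumptions,
    each written as ("wf", e) or ("sf", e)? Unfair runs are discarded."""
    checks = {"wf": weakly_fair, "sf": strongly_fair}
    return all(checks[kind](cycle, e) for kind, e in assumptions)


if __name__ == "__main__":
    give = "u1.leave_give_tok"
    # Handing over the token is enabled once per round but never taken:
    print(weakly_fair(STARVATION_CYCLE, give))                 # True: wf keeps the run
    print(strongly_fair(STARVATION_CYCLE, give))               # False: sf rules it out
    print(run_admitted(STARVATION_CYCLE, [("wf", give)]))      # True: starvation reported
    print(run_admitted(STARVATION_CYCLE, [("sf", give)]))      # False: starvation discarded
```

This is why a non-starvation result can flip from FALSE to TRUE once the right fairness assumption is attached: the model has not changed, only the set of runs the checker is allowed to present as counterexamples.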

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
                          states     time       memory        states     time      memory
  Migratory Protocol (2)  155040     108.63s    56.3 MB       435456     2.34s     42.8 MB
  Stable Marriage (2)     710        0.84s      7.3 MB        568        <0.01s    1.5 MB
  Stable Marriage (3)     1275       2.72s      10.4 MB       945        <0.01s    1.5 MB
  Stable Marriage (5)     10351      31.56s     30.0 MB       8421       0.03s     2.1 MB
  Best (7)                15         0.06s      0.7 MB        2187       0.03s     1.5 MB
  Best (20)               41         0.34s      5.7 MB        NA1
  Worst (3)               15         0.04s      0.3 MB        15         <0.01s    1.5 MB
  Worst (20)              2097150    0.36s      5.0 MB        2097150    15.03s    110.6 MB
  Worst (100)             2.54E+30   14.34s     14.6 MB       NA1

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

       NuSMV                             SPIN
       states    time       memory       states    time      memory
  2    70        0.11s      1.1 MB       70        <0.01s    1.5 MB
  3    488       0.57s      4.6 MB       488       <0.01s    1.5 MB
  4    3576      6.77s      10.6 MB      3576      0.10s     2.3 MB
  8    NA1                               NA1

With partial order reduction (PO):

       NuSMV-ImProviso                   SPIN
       states    time       memory       states    time      memory
  2    48        0.10s      1.0 MB       48        0.02s     1.5 MB
  3    209       0.31s      3.0 MB       209       <0.01s    1.5 MB
  4    922       1.77s      10.4 MB      922       <0.01s    1.7 MB
  8    306903    3553.86s   381.8 MB     306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry

                                                  • Model Checking and Related Techniques
                                                  • Outline
                                                  • Model Checking Introduction
                                                  • Model Checking
                                                  • Model of Concurrent Systems
                                                  • Model of Concurrent Systems (Cont)
                                                  • Temporal logics
                                                  • Temporal logics (2)
                                                  • CTL Examples
                                                  • Fixpoint Algorithms
                                                  • Model Checking Problem
                                                  • Symbolic Model Checking
                                                  • Symbolic Model Checking with BDDs
                                                  • Ordered Binary Decision Trees and Diagrams
                                                  • OBDD for Comparator Example
                                                  • Variable Ordering Problem
                                                  • Symbolic Model Checking Algorithm
                                                  • Symbolic Model Checking (cont)
                                                  • Symbolic Model Checking (cont) (2)
                                                  • Problems with BDDs
                                                  • Advantages of SAT Procedures
                                                  • Bounded Model Checking
                                                  • Main Advantages of SAT Approach
                                                  • NuSMV A New Symbolic Model Verifier
                                                  • NuSMV language by examples
                                                  • Explicit Model Checking
                                                  • Buumlchi Automata
                                                  • Example
                                                  • LTL and Buumlchi Automata
                                                  • LTL Model Checking
                                                  • Nested Depth First Search
                                                  • Example (2)
                                                  • Example (3)
                                                  • Nested Depth First Search (2)
                                                  • Nested Depth First Search (3)
                                                  • Explicit Model Checking (2)
                                                  • SPIN
                                                  • SPIN Example of Petersonrsquos Algorithm
                                                  • Outline (2)
                                                  • Partial Order Reduction
                                                  • The State Explosion Problem
                                                  • Partial Order Reduction (2)
                                                  • Partial Order Reduction (Cont)
                                                  • Partial Order Reduction (Cont) (2)
                                                  • Compositional Reasoning
                                                  • Abstraction
                                                  • Cone of Influence Reduction
                                                  • Cone of Influence Reduction (2)
                                                  • Data Abstraction
                                                  • Data Abstraction Example
                                                  • Symmetry
                                                  • Model Written in SPIN
                                                  • Symmetry Reduction Example
                                                  • Outline (3)
                                                  • PAT Process Analysis Toolkit
                                                  • PAT Workflow Diagram
                                                  • Fairness Assumptions
                                                  • Specifying Fairness
                                                  • Outline (4)
                                                  • Comparison NuSMV-ImProviso and SPIN
                                                  • Comparison Leader Election Protocol
                                                  • Comparison PAT SPIN and FDR
                                                  • Comparison Conclusion
                                                  • Outline (5)
                                                  • Conclusion
                                                  • Model Checking Distributed Algorithms
                                                  • Model Checking Distributed Algorithms (2)

                                                    Explicit Model Checking

                                                    bull Given a model M and an LTL formula ndash All traces of M must satisfy ndash If a trace of M does not satisfy

                                                    bull Counterexample

                                                    ndash M is the set of traces of M

                                                    ndash is the set of traces that satisfy

                                                    bull M

                                                    bull Equivalently M not=

                                                    Buumlchi Automata

                                                    bull Automaton which accepts infinite tracesbull A Buumlchi automaton is 4-tupleS I F

                                                    ndash S is a finite set of statesndash I S is a set of initial statesndash S S is a transition relationndash F S is a set of accepting states

                                                    bull An infinite sequence of states is accepted iff it contains accepting states infinitely often

                                                    Example

                                                    S0 S1 S2

                                                    1=S0S1S2S2S2S2hellip

                                                    2=S0S1S2S1S2S1hellip

                                                    3=S0S1S2S1S1S1hellip

                                                    ACCEPTED

                                                    ACCEPTED

                                                    REJECTED

                                                    LTL and Buumlchi Automata

                                                    bull LTL formulandash Represents a set of infinite traces which satisfy

                                                    such formulabull Buumlchi Automaton

                                                    ndash Accepts a set of infinite tracesbull We can build an automaton which accepts all

                                                    and only the infinite traces represented by an LTL formula

                                                    LTL Model Checking

                                                    bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                                                    ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                                                    ndash The product accepts the traces of M that are also traces of Bnot (M not)

                                                    ndash If the product accepts any sequencebull We have found a counterexample

                                                    Nested Depth First Search

                                                    bull The product is a Buumlchi automatonbull How do we find accepted sequences

                                                    ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                                                    ndash We are interested only in cycles that contain at least an accepting state

                                                    ndash During depth first search start a second search when we are in an accepting states

                                                    bull If we can reach the same state again we have a cycle (and a counterexample)

                                                    Example

                                                    Example

                                                    Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                                                    Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                                                    Explicit Model Checking

                                                    bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                                                    bull Some states are not generated in the productbull Counterexample can be found before

                                                    searching all statesbull Easy to optimizebull Better support for asynchronous composition

                                                    SPIN

                                                    bull Explicit State Model Checkerbull Process Algebra

                                                    ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                                                    bull Nested Depth First Searchbull Uses a hashing function to store each state using

                                                    only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                                                    SPIN Example of Petersonrsquos Algorithm

                                                    bool turn flag[2]byte ncrit

                                                    active proctype user0()again

                                                    flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                                                    ncrit++ss assert(ncrit == 1) critical section

                                                    ncrit--

                                                    flag[0] = 0goto again

                                                    active proctype user1()again

                                                    flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                                                    ncrit++assert(ncrit == 1) critical section ncrit--

                                                    flag[1] = 0goto again

                                                    Outline

                                                    bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                    bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                    bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                    Partial Order Reduction

                                                    bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                                    bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                                    bull The ordering between independent transitions is largely meaningless

                                                    The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                    explosion problembull To see this consider n transitions that can be executed

                                                    concurrentlybull In this case there are n different orderings and 2n different states

                                                    (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                    sequences it is beneficial to consider only one with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions which result in the same state.
• Thus this reduction technique is best suited for asynchronous systems.
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved.)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
• The justification of the reduction method shows that the behaviors that are not present do not add any information.

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution.
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.
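An added example, not from the slides, that makes the counting above concrete: n independent transitions (each sets its own private flag, so they commute) are explored explicitly, once with every interleaving and once expanding a single representative transition per state; it also checks an order-insensitive property on both graphs. The `explore`, `ample_one` and flag model are constructed for this illustration and are not a model checker's own code.

```python
from itertools import permutations

def explore(n, choose):
    """Explicit-state exploration of n independent transitions t_0..t_{n-1}.
    A state is the frozenset of transitions executed so far.  `choose(state,
    enabled)` returns the transitions to expand from `state`: all of them for
    plain exploration, or an ample subset for the reduction.  Returns the set
    of reachable states and the list of edges (state, transition, successor)."""
    init = frozenset()
    seen, edges, stack = {init}, [], [init]
    while stack:
        s = stack.pop()
        enabled = [t for t in range(n) if t not in s]
        for t in choose(s, enabled):
            s2 = s | {t}
            edges.append((s, t, s2))
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return seen, edges

def all_enabled(state, enabled):
    """No reduction: expand every enabled transition (every interleaving)."""
    return enabled

def ample_one(state, enabled):
    """Ample set for this model: all transitions are independent and the
    property below does not observe their order, so one representative
    transition per state suffices (here: the lowest index)."""
    return enabled[:1]

def count_orderings(n):
    """Number of maximal paths in the full graph, i.e. of interleavings (n!)."""
    return sum(1 for _ in permutations(range(n)))

def all_done_eventually(n, choose):
    """The property: along every maximal path every transition eventually
    fires.  A maximal path ends in a state without successors, so it holds
    iff every such terminal state has executed all n transitions."""
    states, edges = explore(n, choose)
    succ = {}
    for s, _, s2 in edges:
        succ.setdefault(s, set()).add(s2)
    terminals = [s for s in states if not succ.get(s)]
    return all(len(s) == n for s in terminals)

if __name__ == "__main__":
    n = 4
    full, _ = explore(n, all_enabled)
    reduced, _ = explore(n, ample_one)
    print(n, "transitions:", count_orderings(n), "orderings,",
          len(full), "states (full) vs", len(reduced), "states (reduced)")
    print("property holds on full:", all_done_eventually(n, all_enabled),
          "on reduced:", all_done_eventually(n, ample_one))
```

For n = 4 the full graph has 2^4 = 16 states and 4! = 24 orderings, the reduced graph has n + 1 = 5 states, and the verdict is the same on both.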

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g., Infinite state → Finite state approximation
• Disadvantage
  – Loss of Precision: False positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A Simple System Model:

Boolean v1, v2, v3, v4, v5, v6
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
End

A Simple LTL property:

(F (~v1))    v1 will eventually become False

Cone of Influence Reduction:

Boolean v1, v2, v3
Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
End
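An added example, not from the slides: the system above written as Python update functions, a cone-of-influence computation over the assignments' syntactic dependencies, and an explicit check of F(~v1) on the full and the reduced model, showing the same verdict with 64 versus 8 initial states. It assumes every valuation is initial (the slide fixes none) and keeps every assignment of a cone variable in the reduced model.

```python
from itertools import product

# The slide's system, constructed here as Python: every variable is reassigned
# simultaneously each step ("Repeat forever in parallel"); v6 is never assigned.
FULL_MODEL = {
    "v1": lambda s: s["v2"],
    "v2": lambda s: s["v1"] and s["v3"],
    "v3": lambda s: s["v1"] and s["v2"],
    "v4": lambda s: s["v5"] and s["v3"],
    "v5": lambda s: s["v4"] and s["v6"],
}
# Which variables each assignment reads (its syntactic dependencies).
DEPS = {"v1": {"v2"}, "v2": {"v1", "v3"}, "v3": {"v1", "v2"},
        "v4": {"v5", "v3"}, "v5": {"v4", "v6"}}
ALL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]

def cone_of_influence(targets, deps):
    """Smallest set C containing the targets and closed under dependencies:
    if v is in C then every variable that v's assignment reads is in C."""
    cone, work = set(targets), list(targets)
    while work:
        for d in deps.get(work.pop(), ()):
            if d not in cone:
                cone.add(d)
                work.append(d)
    return cone

def reduce_model(model, deps, targets):
    """Keep only the assignments of variables inside the cone."""
    cone = cone_of_influence(targets, deps)
    return {v: f for v, f in model.items() if v in cone}, sorted(cone)

def step(model, state):
    """One synchronous step; variables without an assignment keep their value."""
    return {v: (model[v](state) if v in model else x) for v, x in state.items()}

def initial_states(variables):
    """Assumption: the slide fixes no initial values, so every valuation is initial."""
    for bits in product([False, True], repeat=len(variables)):
        yield dict(zip(variables, bits))

def eventually_false(model, variables, var):
    """Model-check F(~var) from every initial state.  The update is a function,
    so each initial state has exactly one path; the property fails iff that
    path revisits a state while var is still True.  Returns (holds, witness)."""
    for init in initial_states(variables):
        seen, s = set(), init
        while s[var]:
            key = tuple(s[v] for v in variables)
            if key in seen:
                return False, init          # lasso on which var stays True
            seen.add(key)
            s = step(model, s)
    return True, None

if __name__ == "__main__":
    reduced, cone_vars = reduce_model(FULL_MODEL, DEPS, {"v1"})
    print("cone of influence of v1:", cone_vars)
    print("full model  :", eventually_false(FULL_MODEL, ALL_VARS, "v1"))
    print("reduced model:", eventually_false(reduced, cone_vars, "v1"))
```

Both models report that F(~v1) fails (the valuation with v1 = v2 = v3 = True is a fixpoint), which is what the theorem on the previous slide guarantees.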

Data Abstraction

[Figure: an abstraction function h: S → S' maps each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

[Figure: x:int is abstracted to {Even, Odd}: … -2 0 2 4 … ↦ Even, … -3 -1 1 3 … ↦ Odd; y:int is abstracted to {Pos, Neg, Zero}: 1 2 3 … ↦ Pos, … -3 -2 -1 ↦ Neg, 0 ↦ Zero]
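An added example, not from the slides: the two component abstractions of the figure (parity for x, sign for y) applied to a small constructed concrete system, building the existential abstract transition relation and exhibiting the loss of precision named on the Abstraction slide. The concrete system (x, y in [-3, 3], x wrapping, y counting up and saturating) is an assumption made for the illustration.

```python
from itertools import product

# Constructed bounded concrete system (not from the slides): x and y range over
# [-3, 3]; each step x wraps around and y counts up until it saturates at 3.
LO, HI = -3, 3

def concrete_step(state):
    x, y = state
    return (x + 1 if x < HI else LO, min(y + 1, HI))

def h_x(x):
    """Component abstraction for x: parity, as in the figure."""
    return "Even" if x % 2 == 0 else "Odd"

def h_y(y):
    """Component abstraction for y: sign, as in the figure."""
    return "Pos" if y > 0 else ("Neg" if y < 0 else "Zero")

def h(state):
    """Abstraction applied component-wise: h(x, y) = (h_x(x), h_y(y))."""
    x, y = state
    return (h_x(x), h_y(y))

def concrete_states():
    return [(x, y) for x, y in product(range(LO, HI + 1), repeat=2)]

def abstract_transitions():
    """Existential abstraction: an abstract edge a -> a' exists iff some concrete
    transition s -> s' has h(s) = a and h(s') = a'."""
    return {(h(s), h(concrete_step(s))) for s in concrete_states()}

def abstract_can_stay_forever(pred):
    """Is there an infinite abstract path on which every state satisfies pred?
    The abstract graph is finite, so this is a cycle search inside the
    subgraph of pred-states."""
    succ = {}
    for a, b in abstract_transitions():
        if pred(a) and pred(b):
            succ.setdefault(a, set()).add(b)
    colour = {}
    def dfs(a):
        colour[a] = "grey"
        for b in succ.get(a, ()):
            if colour.get(b) == "grey" or (b not in colour and dfs(b)):
                return True
        colour[a] = "black"
        return False
    return any(a not in colour and dfs(a) for a in list(succ))

def concrete_can_stay_forever(pred):
    """Same question on the concrete system, which is deterministic: follow
    each run until it leaves pred or repeats a state."""
    for s in concrete_states():
        seen = set()
        while pred(s):
            if s in seen:
                return True
            seen.add(s)
            s = concrete_step(s)
    return False

def y_negative_abs(a):
    return a[1] == "Neg"

def y_negative_con(s):
    return s[1] < 0

if __name__ == "__main__":
    # Property: y eventually reaches Zero (so no run may stay Neg forever).
    print("abstract model admits a run that stays Neg:",
          abstract_can_stay_forever(y_negative_abs))
    print("concrete model admits a run that stays Neg:",
          concrete_can_stay_forever(y_negative_con))
```

The abstract model contains the edges (Odd, Neg) → (Odd, Neg) and (Even, Neg) ↔ (Odd, Neg), so it admits an infinite path on which y stays negative, although every concrete run increments y to 0: the abstraction is sound (every concrete behavior has an abstract image) but reports a spurious counterexample for "eventually y = 0".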

Symmetry

• Symmetry partitions the state space into equivalence classes.
• Knowledge of symmetry: search only 1 state per equivalence class.
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic.
• Challenges: detecting & exploiting symmetries.

Model Written in SPIN

mtype = { N, T, C };   /* assumed: the slide does not declare the process states */
byte tok = 1;

active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid) -> state = C
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

[Figure: state graph with 12 states: (N1 N2, tok=1), (N1 N2, tok=2), (N1 T2, tok=1), (T1 N2, tok=2), (T1 N2, tok=1), (N1 T2, tok=2), (T1 T2, tok=1), (T1 T2, tok=2), (C1 N2, tok=1), (N1 C2, tok=2), (C1 T2, tok=1), (T1 C2, tok=2); reduced state graph with 6 states: (N1 N2, tok=1), (N1 T2, tok=1), (T1 N2, tok=1), (T1 T2, tok=1), (C1 N2, tok=1), (C1 T2, tok=1)]
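An added example, not the slides' SPIN run: the two-user token model re-implemented in Python and explored once as the full state graph and once with every state replaced by a canonical representative of its orbit under the user swap, reproducing the 12-state and 6-state graphs of the figure. It assumes users have pids 1 and 2 (matching the figure's labels) and a nondeterministic token hand-over on leaving C.

```python
# Constructed re-implementation of the slide's model: state = (state of user 1,
# state of user 2, tok).  A user moves N -> T, T -> C when it holds the token,
# and C -> N while handing the token to user 1 or 2 nondeterministically.
INIT = ("N", "N", 1)

def successors(state):
    """Interleaving semantics: exactly one user moves per step."""
    tok = state[2]
    for i in (0, 1):                       # user i has pid i + 1 (assumed)
        local = list(state[:2])
        if local[i] == "N":
            local[i] = "T"
            yield (local[0], local[1], tok)
        elif local[i] == "T" and tok == i + 1:
            local[i] = "C"
            yield (local[0], local[1], tok)
        elif local[i] == "C":
            local[i] = "N"
            for new_tok in (1, 2):
                yield (local[0], local[1], new_tok)

def swap(state):
    """The symmetry: exchange the two users, which also renames the token."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)

def representative(state):
    """Canonical element of the orbit {state, swap(state)}."""
    return min(state, swap(state))

def explore(canon=lambda s: s):
    """Reachability where every state is mapped through `canon` before being
    stored: identity gives the full graph, `representative` the reduced one.
    Successors of a representative are valid because it is itself a state."""
    init = canon(INIT)
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for s2 in successors(s):
            r = canon(s2)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen

def mutual_exclusion_holds(states):
    """A symmetry-invariant property, so it can be checked on the reduced
    graph: both users are never in C at the same time."""
    return not any(s[0] == "C" and s[1] == "C" for s in states)

if __name__ == "__main__":
    full, reduced = explore(), explore(representative)
    print(len(full), "states in the full graph,", len(reduced), "in the reduced graph")
    print("mutual exclusion on reduced graph:", mutual_exclusion_holds(reduced))
```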

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle Fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

[Figure: PAT workflow diagram]

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.
• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states     time       memory       states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB      435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB       568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB      945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB      8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB       2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB       N/A¹
Worst (3)                 15         0.04s      0.3 MB       15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB       2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB      N/A¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best and Worst.

Comparison: Leader Election Protocol

Non-PO                    NuSMV                              SPIN
                          states     time       memory       states     time       memory
2                         70         0.11s      1.1 MB       70         <0.01s     1.5 MB
3                         488        0.57s      4.6 MB       488        <0.01s     1.5 MB
4                         3576       6.77s      10.6 MB      3576       0.10s      2.3 MB
8                         N/A¹                               N/A¹

PO                        NuSMV-ImProviso                    SPIN
                          states     time       memory       states     time       memory
2                         48         0.10s      1.0 MB       48         0.02s      1.5 MB
3                         209        0.31s      3.0 MB       209        <0.01s     1.5 MB
4                         922        1.77s      10.4 MB      922        <0.01s     1.7 MB
8                         306903     3553.86s   381.8 MB     306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often

Example

[Figure: Büchi automaton with states S0, S1, S2]

σ1 = S0 S1 S2 S2 S2 S2 …    ACCEPTED
σ2 = S0 S1 S2 S1 S2 S1 …    ACCEPTED
σ3 = S0 S1 S2 S1 S1 S1 …    REJECTED

LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

                                                      Example

                                                      Example

Nested Depth First Search

procedure DFS(s)
    visited := visited ∪ {s}
    for each successor s' of s
        if s' ∉ visited then
            DFS(s')
            if s' is accepting then
                DFS2(s', s')
            end if
        end if
    end for
end procedure

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 := visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detect"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
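An added example, not from the slides: the DFS/DFS2 pair above in runnable form, extended to return the counterexample as a lasso, run on a Büchi automaton constructed to agree with the Example slide's three traces (S2 accepting; the transitions S0→S1, S1→S1, S1→S2, S2→S1, S2→S2 are assumed, since the figure is not reproduced), together with a direct acceptance check for ultimately periodic traces.

```python
# Constructed Büchi automaton chosen to agree with the Example slide: S2 is the
# only accepting state; the transition relation is assumed (figure not shown).
EXAMPLE = {
    "init": "S0",
    "succ": {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S1", "S2"]},
    "accepting": {"S2"},
}
# A second constructed automaton whose accepting state lies on no cycle.
NO_CYCLE = {
    "init": "S0",
    "succ": {"S0": ["S1"], "S1": ["S2"], "S2": []},
    "accepting": {"S2"},
}

def accepts(aut, prefix, loop):
    """Büchi acceptance of the ultimately periodic trace prefix·loop^ω: the
    trace must start in the initial state, follow the transition relation
    (including the edge that closes the loop), and the loop must contain an
    accepting state, which is then visited infinitely often."""
    path = list(prefix) + list(loop) + [loop[0]]
    if path[0] != aut["init"]:
        return False
    if any(b not in aut["succ"].get(a, []) for a, b in zip(path, path[1:])):
        return False
    return any(s in aut["accepting"] for s in loop)

def nested_dfs(aut):
    """The slide's DFS/DFS2 pair, returning the first accepting cycle found as
    a lasso (prefix, loop), or None when no accepting cycle is reachable,
    i.e. the automaton's language is empty."""
    visited, visited2, path = set(), set(), []

    def dfs2(s, seed, cycle):
        visited2.add(s)
        for t in aut["succ"].get(s, []):
            if t == seed:
                return True                  # "Cycle Detect": back at the seed
            if t not in visited2:
                cycle.append(t)
                if dfs2(t, seed, cycle):
                    return True
                cycle.pop()
        return False

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in aut["succ"].get(s, []):
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
                if t in aut["accepting"]:    # second search seeded at t
                    cycle = [t]
                    if dfs2(t, t, cycle):
                        return list(path), cycle
        path.pop()
        return None

    return dfs(aut["init"])

if __name__ == "__main__":
    print("sigma1 accepted:", accepts(EXAMPLE, ["S0", "S1"], ["S2"]))
    print("sigma2 accepted:", accepts(EXAMPLE, ["S0", "S1"], ["S2", "S1"]))
    print("sigma3 accepted:", accepts(EXAMPLE, ["S0", "S1", "S2"], ["S1"]))
    print("NDFS counterexample:", nested_dfs(EXAMPLE))
    print("NDFS on empty language:", nested_dfs(NO_CYCLE))
```

On EXAMPLE the search returns the lasso (S0 S1, S2 S1), which is σ2 of the Example slide; on NO_CYCLE it returns None because the accepting state cannot be revisited.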

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: can be done On-the-Fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);
    ncrit++;
ss:
    assert(ncrit == 1);    /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);
    ncrit++;
    assert(ncrit == 1);    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                                                      Partial Order Reduction

                                                      bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                                      bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                                      bull The ordering between independent transitions is largely meaningless

                                                      The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                      explosion problembull To see this consider n transitions that can be executed

                                                      concurrentlybull In this case there are n different orderings and 2n different states

                                                      (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                      sequences it is beneficial to consider only one with n + 1 states

                                                      Partial Order Reduction

                                                      bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                      bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                      bull Thus this reduction technique is best suited for asynchronous systems

                                                      bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                                      Partial Order Reduction (Cont)

                                                      bull The method consists of constructing a reduced state graph

                                                      bull The full state graph which may be too big to fit in memory is never constructed

                                                      bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                      bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                      Partial Order Reduction (Cont)

                                                      bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                      bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                      Compositional Reasoning

                                                      bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                      receiver bull Assume-Guarantee Paradigm

                                                      ndash Verify each sub-process separately by adding assumptions on sub-process

                                                      ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation

• Disadvantage
  – Loss of precision: false positives/negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the model reduced with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel:
        v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6;
    End

A Simple LTL property:

    (F (~v1))        v1 will eventually become False

Cone of Influence Reduction (the model reduced with respect to the cone of v1):

    Boolean v1, v2, v3;
    Repeat forever in parallel:
        v1 = v2;
        v2 = v1 & v3;
    End
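The following is an added example, not code from the slides or from any of the tools they describe. It takes the six-variable synchronous system above as next-state equations, computes the cone of influence of v1 from the "reads from" dependencies, builds the reduced model (every equation whose target lies in the cone, so v3 = v1 & v2 is retained along with v1 and v2), and checks F(~v1) explicitly on both models from every initial state. v6 is never assigned on the slide, so it is modelled as holding its value (an assumption). The cone of v4 is also computed to show a property for which the reduction buys nothing.

```python
from itertools import product

# Constructed from the slide: each entry is (variables read, update function).
# Assumption: v6 is never assigned on the slide, so it keeps its value.
FULL_MODEL = {
    "v1": (("v2",), lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
    "v6": (("v6",), lambda s: s["v6"]),
}


def cone_of_influence(model, targets):
    """Smallest set containing `targets` that is closed under 'reads from'."""
    cone, work = set(), list(targets)
    while work:
        v = work.pop()
        if v in cone:
            continue
        cone.add(v)
        work.extend(model[v][0])
    return cone


def reduce_model(model, targets):
    """Keep only the equations of the variables inside the cone of `targets`."""
    cone = cone_of_influence(model, targets)
    return {v: eq for v, eq in model.items() if v in cone}


def step(model, state):
    """One synchronous round: every variable is updated from the previous state."""
    return {v: update(state) for v, (_, update) in model.items()}


def check_eventually(model, pred):
    """Check F pred from every initial state of a deterministic synchronous model.

    Returns (holds, counterexample); the counterexample is the state sequence
    that loops without ever satisfying pred, or None when the property holds."""
    names = sorted(model)
    for values in product((False, True), repeat=len(names)):
        state = dict(zip(names, values))
        seen, trace = set(), []
        while True:
            key = tuple(state[n] for n in names)
            if key in seen:  # a state repeats: pred never became true on this path
                return False, trace
            seen.add(key)
            trace.append(dict(state))
            if pred(state):
                break
            state = step(model, state)
    return True, None


def verdicts():
    """Verdict on the full model and on the model reduced with respect to {v1}."""
    reduced = reduce_model(FULL_MODEL, ["v1"])
    not_v1 = lambda s: not s["v1"]
    full_holds, _ = check_eventually(FULL_MODEL, not_v1)
    reduced_holds, reduced_cex = check_eventually(reduced, not_v1)
    return {
        "cone": sorted(cone_of_influence(FULL_MODEL, ["v1"])),
        "full_states": 2 ** len(FULL_MODEL),
        "reduced_states": 2 ** len(reduced),
        "full_holds": full_holds,
        "reduced_holds": reduced_holds,
        "counterexample": reduced_cex,
    }


if __name__ == "__main__":
    print(verdicts())
```

Both models reject F(~v1) with the same witness: from v1 = v2 = v3 = True the system sits in a self-loop in which v1 never becomes False. The reduction shrinks the state space from 2^6 to 2^3 states without changing the verdict, exactly as the slide's equivalence states.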

Data Abstraction

Abstraction function h: S → S'  (figure: h maps the concrete states in S to abstract states in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x: int
        Odd  = {…, -3, -1, 1, 3, …}
        Even = {…, -2, 0, 2, 4, …}

    y: int
        Pos  = {1, 2, 3, …}
        Neg  = {…, -3, -2, -1}
        Zero = {0}
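As an added example (not from the slides), the code below builds the existential abstraction of a small constructed program with the component-wise abstraction h(x, y) = (sign(x), parity(y)) from the slide, then checks "x eventually stops being positive" on both the concrete and the abstract model. The program itself is an assumption: x counts down while positive and y toggles between 0 and 1. The abstract model admits a spurious Pos → Pos → … loop, which is the loss of precision the Abstraction slide warns about.

```python
# Constructed example: concrete program over (x, y), abstracted component-wise.
def sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


def parity(y):
    return "Even" if y % 2 == 0 else "Odd"


# Bounded concrete state space so that it is finite and enumerable (assumption).
CONCRETE_STATES = [(x, y) for x in range(-3, 4) for y in (0, 1)]


def concrete_step(state):
    """Assumed program: x counts down while positive, y toggles; one successor."""
    x, y = state
    return [(x - 1 if x > 0 else x, 1 - y)]


def abstraction(state):
    """Component-wise abstraction h(x, y) = (sign(x), parity(y))."""
    x, y = state
    return (sign(x), parity(y))


def existential_abstraction(states, step, h):
    """Abstract edge a -> b exists iff some concrete s in h^-1(a) steps into h^-1(b)."""
    abstract_states = {h(s) for s in states}
    edges = {(h(s), h(t)) for s in states for t in step(s)}
    return {a: sorted(b for (src, b) in edges if src == a) for a in abstract_states}


CONCRETE_SUCCESSORS = {s: concrete_step(s) for s in CONCRETE_STATES}
ABSTRACT_SUCCESSORS = existential_abstraction(CONCRETE_STATES, concrete_step, abstraction)


def can_stay_forever(initials, successors, pred):
    """Is there an infinite path from some initial state on which pred always holds?

    Only pred-states are explored; in a finite graph an infinite path must
    revisit a state, so the question is whether DFS finds a back edge."""
    colour = {}  # grey = on the DFS stack, black = fully explored

    def dfs(s):
        colour[s] = "grey"
        for t in successors.get(s, []):
            if not pred(t):
                continue
            if colour.get(t) == "grey":
                return True
            if t not in colour and dfs(t):
                return True
        colour[s] = "black"
        return False

    return any(pred(s) and s not in colour and dfs(s) for s in initials)


def concrete_pos(s):
    return s[0] > 0


def abstract_pos(a):
    return a[0] == "Pos"


def compare():
    """Property: no run keeps x positive forever (G F ~Pos in LTL terms)."""
    concrete_cex = can_stay_forever(CONCRETE_STATES, CONCRETE_SUCCESSORS, concrete_pos)
    abstract_cex = can_stay_forever(set(ABSTRACT_SUCCESSORS), ABSTRACT_SUCCESSORS, abstract_pos)
    return {"concrete_holds": not concrete_cex, "abstract_holds": not abstract_cex}


if __name__ == "__main__":
    print(ABSTRACT_SUCCESSORS)
    print(compare())
```

The concrete model has 14 states and the abstract one 6; the abstract edges (Pos, Even) → (Pos, Odd) and (Pos, Odd) → (Pos, Even) come from x = 3 and x = 2, and together they form a cycle that no concrete run can follow. A model checker on the abstract model therefore reports a counterexample that must be checked against the concrete model before it is believed.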

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* assumed: the local-state names are not declared on the slide */
    byte tok = 1;

    /* active [2] numbers the processes 0 and 1 in SPIN (_pid);
       the state graph on the next slide labels them 1 and 2 */
    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
                           if            /* non-deterministic choice of the next token holder */
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

State graph (12 states, from the figure):
    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):
    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
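To make the two graphs above concrete, here is an added example (not SPIN's own machinery) that explores the Promela model of the previous slide explicitly, once as is and once storing only a canonical representative of each symmetry class. The symmetry is the swap of the two processes together with renaming the token holder; the representative chosen is the orbit member with tok = 1, matching the reduced graph. One assumption: the processes are numbered 1 and 2 so that tok == _pid can succeed for both.

```python
# Constructed model of the slide's two-process token program.
# Assumption: processes are numbered 1 and 2 (the slide's graph uses these labels).
PIDS = (1, 2)
INITIAL = ("N", "N", 1)   # (local state of process 1, of process 2, tok)


def successors(state):
    """Interleaving semantics: exactly one process moves per step."""
    s1, s2, tok = state
    locals_ = [s1, s2]
    result = set()
    for idx, pid in enumerate(PIDS):
        nxt = list(locals_)
        if locals_[idx] == "N":                      # (state == N) -> state = T
            nxt[idx] = "T"
            result.add((nxt[0], nxt[1], tok))
        elif locals_[idx] == "T" and tok == pid:     # (state == T) && (tok == _pid) -> state = C
            nxt[idx] = "C"
            result.add((nxt[0], nxt[1], tok))
        elif locals_[idx] == "C":                    # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            nxt[idx] = "N"
            for new_tok in PIDS:
                result.add((nxt[0], nxt[1], new_tok))
    return result


def swap(state):
    """The symmetry: exchange the two processes and rename the token holder."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Representative of the orbit {state, swap(state)}: the member with tok = 1."""
    return min((state, swap(state)), key=lambda s: (s[2], s[0], s[1]))


def explore(initial, represent=lambda s: s):
    """Reachable states; `represent` maps every generated state to what is stored."""
    start = represent(initial)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = represent(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutual_exclusion(states):
    """A symmetric safety property: never both processes in the critical section."""
    return all(not (s[0] == "C" and s[1] == "C") for s in states)


def compare():
    full = explore(INITIAL)
    reduced = explore(INITIAL, canonical)
    return {
        "full_states": len(full),
        "reduced_states": len(reduced),
        "mutex_full": mutual_exclusion(full),
        "mutex_reduced": mutual_exclusion(reduced),
        "representatives_all_tok1": all(s[2] == 1 for s in reduced),
    }


if __name__ == "__main__":
    print(compare())
```

Exploring successors of a representative is sound because swap is an automorphism of the transition relation: the successors of swap(s) are exactly the swaps of the successors of s. Only properties that are themselves symmetric (like mutual exclusion here) may be checked on the reduced graph; a property that names one process, say "process 1 is never in C", is not preserved by the reduction.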


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                                      PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
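The wf(e)/sf(e) annotations only name the assumption; what they change is which runs count as counterexamples. The added example below (not PAT's checker) checks "event e eventually happens" on two small constructed labelled transition systems under no fairness, weak fairness and strong fairness. A counterexample is a reachable cycle that avoids e; under wf(e) the cycle must contain a state where e is disabled, under sf(e) e must be disabled in every state of the cycle. The two systems and their event names are assumptions.

```python
# Constructed LTSs (assumption): state -> list of (event, next state).

# A: the scheduler may run `other` forever, but `enter` stays enabled the whole time.
LTS_A = {
    "s0": [("other", "s0"), ("enter", "s1")],
    "s1": [("exit", "s0")],
}

# B: `enter` is enabled only in s0; the loop s0 -> s2 -> s0 disables it in s2.
LTS_B = {
    "s0": [("other", "s2"), ("enter", "s1")],
    "s2": [("back", "s0")],
    "s1": [("exit", "s0")],
}


def enabled(lts, s, e):
    return any(label == e for label, _ in lts.get(s, []))


def reachable_without(lts, init, e):
    """States reachable from init along paths on which e never fires."""
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for label, t in lts.get(s, []):
            if label != e and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def returns_to_itself(lts, s, e, allowed):
    """Can s reach itself via non-e transitions, passing only through `allowed` states?"""
    seen, stack = set(), [s]
    while stack:
        u = stack.pop()
        for label, t in lts.get(u, []):
            if label == e or t not in allowed:
                continue
            if t == s:
                return True
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return False


def eventually(lts, init, e, fairness=None):
    """Does every (fair) run from init eventually perform e?

    A violating run avoids e forever, i.e. it ends in a cycle of non-e moves.
    wf(e): e continuously enabled implies e fires, so the cycle needs a state
           where e is disabled.
    sf(e): e enabled infinitely often implies e fires, so e must be disabled
           in every state of the cycle."""
    reach = reachable_without(lts, init, e)
    disabled = {s for s in reach if not enabled(lts, s, e)}
    if fairness is None:
        starts, allowed = reach, reach
    elif fairness == "wf":
        starts, allowed = disabled, reach
    elif fairness == "sf":
        starts, allowed = disabled, disabled
    else:
        raise ValueError("fairness must be None, 'wf' or 'sf'")
    return not any(returns_to_itself(lts, s, e, allowed) for s in starts)


def verdict_table():
    """For each system: F enter under (no fairness, wf(enter), sf(enter))."""
    return {
        name: tuple(eventually(lts, "s0", "enter", f) for f in (None, "wf", "sf"))
        for name, lts in (("A", LTS_A), ("B", LTS_B))
    }


if __name__ == "__main__":
    print(verdict_table())
```

System A fails without fairness and passes under both wf and sf, because the only e-free cycle keeps enter enabled. System B still fails under wf(enter), since the loop through s2 disables enter part of the time, and passes only under sf(enter). This is the distinction the slide's non-starvation verdict depends on: a liveness property that is FALSE without an assumption may become provable once the right fairness is attached to the relevant event.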


Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                    SPIN
                         states     time       memory       states     time       memory
Migratory Protocol (2)   155040     108.63s    56.3 MB      435456     2.34s      42.8 MB
Stable Marriage (2)      710        0.84s      7.3 MB       568        <0.01s     1.5 MB
Stable Marriage (3)      1275       2.72s      10.4 MB      945        <0.01s     1.5 MB
Stable Marriage (5)      10351      31.56s     30.0 MB      8421       0.03s      2.1 MB
Best (7)                 15         0.06s      0.7 MB       2187       0.03s      1.5 MB
Best (20)                41         0.34s      5.7 MB       N/A¹
Worst (3)                15         0.04s      0.3 MB       15         <0.01s     1.5 MB
Worst (20)               2097150    0.36s      5.0 MB       2097150    15.03s     110.6 MB
Worst (100)              2.54E+30   14.34s     14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

       NuSMV                              SPIN
       states    time       memory        states    time       memory
  2    70        0.11s      1.1 MB        70        <0.01s     1.5 MB
  3    488       0.57s      4.6 MB        488       <0.01s     1.5 MB
  4    3576      6.77s      10.6 MB       3576      0.10s      2.3 MB
  8    N/A¹                               N/A¹

With partial order reduction (PO):

       NuSMV-ImProviso                    SPIN
       states    time       memory        states    time       memory
  2    48        0.10s      1.0 MB        48        0.02s      1.5 MB
  3    209       0.31s      3.0 MB        209       <0.01s     1.5 MB
  4    922       1.77s      10.4 MB       922       <0.01s     1.7 MB
  8    306903    3553.86s   381.8 MB      306903    11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful

• Generally explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD for some systems


Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry



                                                        bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                        bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                        Partial Order Reduction (Cont)

                                                        bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                        bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                        Compositional Reasoning

                                                        bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                        receiver bull Assume-Guarantee Paradigm

                                                        ndash Verify each sub-process separately by adding assumptions on sub-process

                                                        ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                        Abstraction

                                                        bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                        propertyndash Eg Infinite state Finite state approximation

                                                        bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                        bull Approachesndash Cone of influence reductionndash Data abstraction

                                                        Cone of Influence Reduction

                                                        bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                                        Cone of Influence Reduction

                                                        Boolean v1 v2 v3 v4 v5 v6

                                                        Repeat forever in parallel

                                                        v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                        End

                                                        (F (~ v1)) v1 will eventually become False

                                                        Boolean v1 v2 v3

                                                        Repeat forever in parallel

                                                        v1 = v2

                                                        v2 = v1 amp v3

                                                        End

                                                        A Simple System Model

                                                        A Simple LTL property

                                                        Cone of Influence Reduction

Data Abstraction

[Figure: abstraction function h: S → S' maps each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
    x: int → {Even, Odd}
        Even = {…, -2, 0, 2, 4, …}
        Odd  = {…, -3, -1, 1, 3, …}
    y: int → {Pos, Neg, Zero}
        Pos  = {1, 2, 3, …}
        Neg  = {…, -3, -2, -1}
        Zero = {0}
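Added example (not from the slides): the two abstraction functions above applied component-wise, with an existential abstraction of a small program assumed for this example (x := x + 1; y := y - 1) and a check of the property "y eventually becomes Zero". It shows the loss of precision that the Abstraction slide warns about: the abstract state Pos has a self-loop (witnessed by y = 3 → 2), so the abstract model reports an infinite path that never reaches Zero even though every concrete run from y > 0 does; the same abstract answer from Neg is a genuine counterexample. An abstract counterexample therefore has to be replayed on the concrete model before it is believed.

```python
# Abstraction functions, component-wise as on the slide: parity for x, sign for y.
def h_parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def h_sign(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")


def h(state):
    """h: S -> S' applied component-wise to a concrete state (x, y)."""
    x, y = state
    return (h_parity(x), h_sign(y))


def concrete_step(state):
    """One step of the (assumed) concrete program: x := x + 1; y := y - 1."""
    x, y = state
    return (x + 1, y - 1)


def abstract_relation(window=range(-4, 5)):
    """Existential abstraction of the step relation:
    (a, a') in R'  iff  some concrete (s, s') with h(s) = a, h(s') = a' steps.
    Enumerating x, y over `window` is enough here (assumption): the program moves
    each variable by exactly 1, so every abstract transition has a witness inside."""
    rel = set()
    for x in window:
        for y in window:
            s = (x, y)
            rel.add((h(s), h(concrete_step(s))))
    return rel


def abstract_successors(rel, a):
    return {b for (a0, b) in rel if a0 == a}


def abstract_counterexample_to_F(rel, start, goal):
    """True iff the abstract model has an infinite path from `start` that never
    visits a `goal` state, i.e. it refutes F(goal). In a finite graph such a
    path is a reachable cycle that avoids goal states (a lasso)."""
    if goal(start):
        return False
    colour = {}

    def dfs(a):
        colour[a] = "grey"
        for b in abstract_successors(rel, a):
            if goal(b):
                continue
            c = colour.get(b)
            if c == "grey" or (c is None and dfs(b)):
                return True
        colour[a] = "black"
        return False

    return dfs(start)


def concrete_steps_to(state, goal, bound=100):
    """Run the concrete program for up to `bound` steps; return the step index at
    which `goal` first holds, or None if it is not reached within the bound."""
    for k in range(bound + 1):
        if goal(state):
            return k
        state = concrete_step(state)
    return None


def y_is_zero_abstract(a):
    return a[1] == "Zero"


def y_is_zero(s):
    return s[1] == 0


if __name__ == "__main__":
    rel = abstract_relation()
    # Spurious: abstractly Pos -> Pos loops forever, concretely y counts down to 0.
    print(abstract_counterexample_to_F(rel, h((0, 3)), y_is_zero_abstract))
    print(concrete_steps_to((0, 3), y_is_zero))
    # Genuine: from a negative y the concrete run never reaches 0 either.
    print(abstract_counterexample_to_F(rel, h((0, -2)), y_is_zero_abstract))
    print(concrete_steps_to((0, -2), y_is_zero))
```

The abstract model has only six states and eight transitions, which is the whole point; the price is that Pos → Pos collapses "y = 100 → 99" and "y = 2 → 1" into one edge, and the cycle that edge creates has no concrete counterpart.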

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };      /* process states; this declaration is assumed, the slide omits it */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the two-process token model; Ni/Ti/Ci is the local state of process i and tok the token owner]

State graph (12 states):
    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states):
    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
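Added example (not from the slides or SPIN): the token model above written as a Python transition function, explored once in full and once storing only one representative per orbit of the process-swap automorphism. Assumptions of this example: processes are numbered 1 and 2 so that tok == pid matches the diagram (the Promela _pid values would be 0 and 1), and the representative of an orbit is the member in which process 1 holds the token, which is exactly the reduced graph drawn above.

```python
INIT = ("N", "N", 1)          # (local state of process 1, of process 2, token owner)


def successors(state):
    """Transitions of the two-process token model; process i+1 may enter C only when tok == i+1."""
    local, tok = list(state[:2]), state[2]
    out = set()
    for i in range(2):
        pid = i + 1
        nxt = list(local)
        if local[i] == "N":                       # N -> T: request
            nxt[i] = "T"
            out.add((nxt[0], nxt[1], tok))
        elif local[i] == "T" and tok == pid:      # T -> C: enter only with the token
            nxt[i] = "C"
            out.add((nxt[0], nxt[1], tok))
        elif local[i] == "C":                     # C -> N and hand the token to 1 or 2
            nxt[i] = "N"
            for new_tok in (1, 2):
                out.add((nxt[0], nxt[1], new_tok))
    return out


def swap(state):
    """The process-swap automorphism: rename process 1 <-> 2, token owner included."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative: the member of {s, swap(s)} in which process 1 holds the token."""
    return state if state[2] == 1 else swap(state)


def explore(init, rep=lambda s: s):
    """Reachable states, storing rep(s) for each state s (identity rep = no reduction)."""
    start = rep(init)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutual_exclusion_holds(states):
    """Safety check on a (possibly reduced) state set: never both processes in C."""
    return all(not (s[0] == "C" and s[1] == "C") for s in states)


if __name__ == "__main__":
    full, reduced = explore(INIT), explore(INIT, canonical)
    print(len(full), "states in the full graph,", len(reduced), "in the reduced one")
    print("mutual exclusion:", mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
```

Because mutual exclusion is itself invariant under the swap, checking it on the six representatives is as good as checking it on all twelve states; a property that named a particular process (for example "process 1 eventually enters C") would not be symmetric and could not be checked on this reduced graph.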

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with partial order reduction
  – Bounded model checking of process algebra

                                                        PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                            NuSMV-ImProviso                     SPIN
    Example                 states     time      memory         states     time      memory
    Migratory Protocol (2)  155040     108.63s   56.3 MB        435456     2.34s     42.8 MB
    Stable Marriage (2)     710        0.84s     7.3 MB         568        <0.01s    1.5 MB
    Stable Marriage (3)     1275       2.72s     10.4 MB        945        <0.01s    1.5 MB
    Stable Marriage (5)     10351      31.56s    30.0 MB        8421       0.03s     2.1 MB
    Best (7)                15         0.06s     0.7 MB         2187       0.03s     1.5 MB
    Best (20)               41         0.34s     5.7 MB         N/A (1)
    Worst (3)               15         0.04s     0.3 MB         15         <0.01s    1.5 MB
    Worst (20)              2097150    0.36s     5.0 MB         2097150    15.03s    110.6 MB
    Worst (100)             2.54E+30   14.34s    14.6 MB        N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best / Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

                NuSMV                              SPIN
    processes   states     time      memory       states     time      memory
    2           70         0.11s     1.1 MB       70         <0.01s    1.5 MB
    3           488        0.57s     4.6 MB       488        <0.01s    1.5 MB
    4           3576       6.77s     10.6 MB      3576       0.10s     2.3 MB
    8           N/A (1)                           N/A (1)

With partial order reduction (PO):

                NuSMV-ImProviso                    SPIN
    processes   states     time       memory      states     time      memory
    2           48         0.10s      1.0 MB      48         0.02s     1.5 MB
    3           209        0.31s      3.0 MB      209        <0.01s    1.5 MB
    4           922        1.77s      10.4 MB     922        <0.01s    1.7 MB
    8           306903     3553.86s   381.8 MB    306903     11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                        Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD-based checking for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

LTL Model Checking

• Given a model M and an LTL formula φ
  – Build the Büchi automaton B¬φ
  – Compute the product of M and B¬φ
    • Each state of M is labeled with propositions
    • Each state of B¬φ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬φ (M ∩ ¬φ)
  – If the product accepts any sequence
    • We have found a counterexample

Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least an accepting state
  – During depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again, we have a cycle (and a counterexample)

                                                          Example

                                                          Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detect"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
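Added example (not from the slides): the nested search in Python over a constructed product graph, returning the counterexample as a lasso (the prefix from the initial state to the seed plus the accepting cycle). `GRAPH`, `GRAPH_NO_CYCLE` and `ACCEPTING` are constructed inputs for this example. Unlike the pseudocode above, which seeds the second search after returning from each accepting successor, this version seeds it in post-order from every accepting state, so an accepting initial state is covered as well; the single shared `visited2` set is what keeps the whole search linear in the size of the graph.

```python
# Constructed product automaton (a Büchi automaton) as adjacency lists over int states.
# Accepting state 3 lies on the cycle 3 -> 4 -> 2 -> 3; state 5 has a self-loop but
# is not accepting, so that loop must not be reported.
GRAPH = {0: [1], 1: [2], 2: [3], 3: [4, 5], 4: [2], 5: [5]}
ACCEPTING = {3}
# Same graph with the edge 4 -> 2 redirected to 5: no accepting cycle remains.
GRAPH_NO_CYCLE = {0: [1], 1: [2], 2: [3], 3: [4, 5], 4: [5], 5: [5]}


def ndfs(graph, init, accepting):
    """Nested DFS. Returns (prefix, cycle) for an accepting lasso, else None:
    prefix is the path init .. seed, cycle is seed .. seed found by the nested search."""
    visited, visited2 = set(), set()
    found = {}

    def dfs2(s, seed, cycle):
        # Second search: look for a path back to the accepting seed.
        visited2.add(s)
        for t in graph.get(s, []):
            if t == seed:
                found["cycle"] = cycle + [t]
                return True
            if t not in visited2 and dfs2(t, seed, cycle + [t]):
                return True
        return False

    def dfs(s, prefix):
        # First search: plain DFS over the product graph.
        visited.add(s)
        for t in graph.get(s, []):
            if t not in visited and dfs(t, prefix + [t]):
                return True
        # Post-order seeding: every accepting state, the initial one included,
        # gets exactly one nested search once its own subtree is finished.
        if s in accepting and dfs2(s, s, [s]):
            found["prefix"] = prefix
            return True
        return False

    return (found["prefix"], found["cycle"]) if dfs(init, [init]) else None


if __name__ == "__main__":
    print(ndfs(GRAPH, 0, ACCEPTING))            # a lasso through accepting state 3
    print(ndfs(GRAPH_NO_CYCLE, 0, ACCEPTING))   # None: no accepting cycle
```

The recursion depth equals the longest simple path, which is fine for a graph this size; a production checker such as SPIN keeps an explicit stack and stores states in a hash table, but the order of the two searches and the post-order seeding are the same.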

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: checking can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
            flag[0] = 1;
    reach:  turn = 0;
    cs:     (flag[1 - 0] == 0 || turn == 1 - 0);
            ncrit++;
    ss:     assert(ncrit == 1);    /* critical section */
            ncrit--;
            flag[0] = 0;
            goto again
    }

    active proctype user1()
    {
    again:
            flag[1] = 1;
    reach:  turn = 1;
    cs:     (flag[1 - 1] == 0 || turn == 1 - 1);
            ncrit++;
            assert(ncrit == 1);    /* critical section */
            ncrit--;
            flag[1] = 0;
            goto again
    }
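Added example (not from the slides, and not SPIN): an explicit-state exploration of the model above in Python. Each process is encoded as a list of instructions with a wrapping program counter (the `goto again`), the global state is (pcs, flags, turn, ncrit), and every interleaving is explored breadth-first while `assert(ncrit == 1)` is checked as a state predicate. A constructed check-then-set lock (`NAIVE`, an assumption of this example rather than anything on the slide) is included so the same checker can show what a violation and its shortest trace look like.

```python
from collections import deque

# Per-process program as a list of instructions; the pc wraps around (goto again).
# The instruction names are this example's own encoding of the Promela statements.
PETERSON = [
    ("set_flag", 1),          # flag[i] = 1
    ("set_turn",),            # turn = i
    ("wait_peterson",),       # (flag[1 - i] == 0 || turn == 1 - i), blocks otherwise
    ("inc",),                 # ncrit++
    ("assert",),              # assert(ncrit == 1)   critical section
    ("dec",),                 # ncrit--
    ("set_flag", 0),          # flag[i] = 0
]
# Constructed check-then-set lock (assumption, not from the slide): test the other
# flag first, then raise your own. It is wrong, and the exploration finds out.
NAIVE = [
    ("wait_flag_clear",),     # (flag[1 - i] == 0)
    ("set_flag", 1),
    ("inc",),
    ("assert",),
    ("dec",),
    ("set_flag", 0),
]


def step(state, i, program):
    """Execute one instruction of process i, or return None if it is blocked."""
    pc, flag, turn, ncrit = state
    pc, flag = list(pc), list(flag)
    j = 1 - i
    op = program[pc[i]]
    if op[0] == "set_flag":
        flag[i] = op[1]
    elif op[0] == "set_turn":
        turn = i
    elif op[0] == "wait_peterson":
        if not (flag[j] == 0 or turn == j):
            return None
    elif op[0] == "wait_flag_clear":
        if flag[j] != 0:
            return None
    elif op[0] == "inc":
        ncrit += 1
    elif op[0] == "dec":
        ncrit -= 1
    # "assert" executes as a no-op here; the check is a state predicate (is_violation).
    pc[i] = (pc[i] + 1) % len(program)
    return (tuple(pc), tuple(flag), turn, ncrit)


def is_violation(state, program):
    """Some process is at its assert while ncrit != 1: the assertion would fail."""
    pc, _, _, ncrit = state
    return any(program[pc[i]][0] == "assert" and ncrit != 1 for i in range(2))


def check(program):
    """Breadth-first exploration of all interleavings from the initial state.
    Returns ("ok", number_of_states) or ("violation", shortest_trace)."""
    init = ((0, 0), (0, 0), 0, 0)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if is_violation(s, program):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return ("violation", trace[::-1])
        for i in range(2):
            t = step(s, i, program)
            if t is not None and t not in parent:
                parent[t] = s
                queue.append(t)
    return ("ok", len(parent))


if __name__ == "__main__":
    print(check(PETERSON))
    verdict, trace = check(NAIVE)
    print(verdict, "after", len(trace) - 1, "steps; final state:", trace[-1])
```

Breadth-first order is what makes the reported trace the shortest one, which is what you want to read when debugging a protocol; SPIN's depth-first search trades that for memory and for the nested search it needs for liveness properties.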

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states
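Added example (not from the slides): the n concurrent transitions of this slide in Python, explored once with every interleaving and once with a reduction that keeps a single representative order. Transition k sets bit k of an n-bit state (constructed for this example), so the transitions write disjoint variables and commute; `ample_first` plays the role of the ample-set choice and is valid here only because of that independence and because the property looks only at the final values.

```python
def enabled(state):
    """Transition k is enabled while bit k is still False; firing it sets the bit."""
    return [k for k, done in enumerate(state) if not done]


def fire(state, k):
    return state[:k] + (True,) + state[k + 1:]


def explore(n, ample):
    """Explore from the all-False state, expanding from each state only the
    transitions chosen by ample(state, enabled_list). Returns the state set."""
    init = (False,) * n
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for k in ample(s, enabled(s)):
            t = fire(s, k)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def ample_all(state, en):
    """No reduction: every enabled transition is explored (2^n states)."""
    return en


def ample_first(state, en):
    """Reduction: the transitions are pairwise independent (disjoint variables) and
    the property only looks at the final state, so one representative order
    suffices (n + 1 states along a single path)."""
    return en[:1]


def count_interleavings(n):
    """Number of distinct execution orders from the initial to the final state (n!)."""
    def paths(state):
        en = enabled(state)
        return 1 if not en else sum(paths(fire(state, k)) for k in en)
    return paths((False,) * n)


if __name__ == "__main__":
    for n in (3, 5):
        print(n, len(explore(n, ample_all)), len(explore(n, ample_first)),
              count_interleavings(n))
```

The reduced exploration still reaches the final state, so any property of the final values gets the same answer; a property that observed an intermediate state (for example "bit 2 is set before bit 0") would distinguish the interleavings and `ample_first` would no longer be a sound choice.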

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus, this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

                                                          Cone of Influence Reduction

                                                          Boolean v1 v2 v3 v4 v5 v6

                                                          Repeat forever in parallel

                                                          v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                          End

                                                          (F (~ v1)) v1 will eventually become False

                                                          Boolean v1 v2 v3

                                                          Repeat forever in parallel

                                                          v1 = v2

                                                          v2 = v1 amp v3

                                                          End

                                                          A Simple System Model

                                                          A Simple LTL property

                                                          Cone of Influence Reduction

                                                          Data Abstraction

                                                          h h hh h

                                                          Abstraction Function h S Srsquo

                                                          S

                                                          Srsquo

                                                          Data Abstraction Example

                                                          bull Abstraction proceeds component-wise where variables are components

                                                          xint Even

                                                          Oddhellip -3 -1 1 3 hellip

                                                          hellip -2 0 2 4 hellip

                                                          1 2 3 hellip

                                                          hellip -3 -2 -1

                                                          0

                                                          Pos

                                                          Neg

                                                          Zeroyint

                                                          Symmetry

                                                          bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                          equivalence class

                                                          bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                          bull Ideally both should be fully automatic

                                                          bull Challenges detecting amp exploiting symmetries

                                                          Model Written in SPIN

                                                          byte tok = 1

                                                          active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

Symmetry Reduction Example

[Figure: state graph vs. reduced state graph; only the node labels are recoverable]

State graph (12 states): N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2, T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2

Reduced state graph (6 states): N1 N2 tok=1, N1 T2 tok=1, T1 N2 tok=1, T1 T2 tok=1, C1 N2 tok=1, C1 T2 tok=1
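To see how the reduced graph on the slide arises, here is an added Python example (not code from the slides, SPIN or PAT) that explores the state graph of the two-process token model explicitly, then explores it again with symmetry reduction by storing one canonical representative per equivalence class. Assumptions not on the page: the process ids are 1 and 2, so that `tok == pid` matches the diagram; the symmetry exploited is the permutation that swaps the two processes, which also swaps the token value; and the representative of each orbit is its member with `tok == 1`, as in the slide's reduced graph.

```python
"""Explicit-state exploration of the two-process token model,
with and without symmetry reduction (added example, assumed pids 1 and 2)."""

from collections import deque

N, T, C = "N", "T", "C"       # local states of a user process
INIT = (N, N, 1)              # (state of process 1, state of process 2, tok)
PIDS = (1, 2)                 # assumed process ids (SPIN's _pid would be 0 and 1)


def _update(state, i, local, tok):
    """Copy of `state` with process i moved to `local` and the token set to `tok`."""
    s = list(state[:2])
    s[i] = local
    return (s[0], s[1], tok)


def successors(state):
    """All enabled transitions of the Promela `do` loop, for either process."""
    tok = state[2]
    out = []
    for i, pid in enumerate(PIDS):
        local = state[i]
        if local == N:                        # (state == N) -> state = T
            out.append(_update(state, i, T, tok))
        elif local == T and tok == pid:       # (state == T) && (tok == _pid) -> state = C
            out.append(_update(state, i, C, tok))
        elif local == C:                      # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            out.append(_update(state, i, N, 1))
            out.append(_update(state, i, N, 2))
    return out


def canonical(state):
    """Orbit representative under the process swap.

    Swapping the processes maps (s1, s2, tok) to (s2, s1, 3 - tok); every
    orbit has exactly one member with tok == 1, which we use as representative."""
    s1, s2, tok = state
    return state if tok == 1 else (s2, s1, 3 - tok)


def explore(use_symmetry=False):
    """Breadth-first search over the state graph.

    With use_symmetry=True each successor is canonicalised before it is
    stored, so only one state per equivalence class is ever expanded.
    Returns (states, edges) of the graph that was actually searched."""
    rep = canonical if use_symmetry else (lambda s: s)
    start = rep(INIT)
    seen, edges, todo = {start}, set(), deque([start])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            t = rep(t)
            edges.add((s, t))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen, edges


def mutual_exclusion_holds(states):
    """Safety check: no reachable state has both processes in C.

    The property is invariant under the swap, so checking it on the
    representatives is as good as checking it on every state."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)


if __name__ == "__main__":
    for use_symmetry in (False, True):
        states, edges = explore(use_symmetry)
        label = "reduced" if use_symmetry else "full"
        print(f"{label}: {len(states)} states, {len(edges)} edges, "
              f"mutual exclusion = {mutual_exclusion_holds(states)}")
```

Run as a script it reports 12 states and 22 edges for the full graph and 6 states and 10 edges for the reduced one, matching the node counts on the slide. The reduction is sound for mutual exclusion only because the property is itself symmetric; a property that names one process (for example, "process 1 eventually enters C") is not, and canonicalising would merge states the property distinguishes.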

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra

• Modeling:
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model checkers:
  – Explicit model checker
  – Bounded model checker

• Features:
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

(Decimal points were lost in extraction; they are restored here assuming two-decimal times and one-decimal memory figures, as the leading-zero entries such as 0.84s and 0.7 MB indicate.)

                          NuSMV-ImProviso                   SPIN
Example                   states     time       memory      states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB     435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB      568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB     945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB     8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB      2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB      N/A (1)
Worst (3)                 15         0.04s      0.3 MB      15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB      2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB     N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

(Decimal points restored under the same assumption as the previous table.)

Non-PO (without partial order reduction)

                NuSMV-ImProviso                   SPIN
N               states     time       memory      states     time       memory
2               70         0.11s      1.1 MB      70         <0.01s     1.5 MB
3               488        0.57s      4.6 MB      488        <0.01s     1.5 MB
4               3576       6.77s      10.6 MB     3576       0.10s      2.3 MB
8               N/A (1)                           N/A (1)

PO (with partial order reduction)

                NuSMV-ImProviso                   SPIN
N               states     time       memory      states     time       memory
2               48         0.10s      1.0 MB      48         0.02s      1.5 MB
3               209        0.31s      3.0 MB      209        <0.01s     1.5 MB
4               922        1.77s      10.4 MB     922        <0.01s     1.7 MB
8               306903     3553.86s   381.8 MB    306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking:
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques:
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied:
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique:
  – Explicit model checking
  – Benefits:
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques:
  • Abstraction
  • Compositional reasoning
  • Symmetry

                                                          • Model Checking and Related Techniques
                                                          • Outline
                                                          • Model Checking Introduction
                                                          • Model Checking
                                                          • Model of Concurrent Systems
                                                          • Model of Concurrent Systems (Cont)
                                                          • Temporal logics
                                                          • Temporal logics (2)
                                                          • CTL Examples
                                                          • Fixpoint Algorithms
                                                          • Model Checking Problem
                                                          • Symbolic Model Checking
                                                          • Symbolic Model Checking with BDDs
                                                          • Ordered Binary Decision Trees and Diagrams
                                                          • OBDD for Comparator Example
                                                          • Variable Ordering Problem
                                                          • Symbolic Model Checking Algorithm
                                                          • Symbolic Model Checking (cont)
                                                          • Symbolic Model Checking (cont) (2)
                                                          • Problems with BDDs
                                                          • Advantages of SAT Procedures
                                                          • Bounded Model Checking
                                                          • Main Advantages of SAT Approach
                                                          • NuSMV A New Symbolic Model Verifier
                                                          • NuSMV language by examples
                                                          • Explicit Model Checking
                                                          • Buumlchi Automata
                                                          • Example
                                                          • LTL and Buumlchi Automata
                                                          • LTL Model Checking
                                                          • Nested Depth First Search
                                                          • Example (2)
                                                          • Example (3)
                                                          • Nested Depth First Search (2)
                                                          • Nested Depth First Search (3)
                                                          • Explicit Model Checking (2)
                                                          • SPIN
                                                          • SPIN Example of Petersonrsquos Algorithm
                                                          • Outline (2)
                                                          • Partial Order Reduction
                                                          • The State Explosion Problem
                                                          • Partial Order Reduction (2)
                                                          • Partial Order Reduction (Cont)
                                                          • Partial Order Reduction (Cont) (2)
                                                          • Compositional Reasoning
                                                          • Abstraction
                                                          • Cone of Influence Reduction
                                                          • Cone of Influence Reduction (2)
                                                          • Data Abstraction
                                                          • Data Abstraction Example
                                                          • Symmetry
                                                          • Model Written in SPIN
                                                          • Symmetry Reduction Example
                                                          • Outline (3)
                                                          • PAT Process Analysis Toolkit
                                                          • PAT Workflow Diagram
                                                          • Fairness Assumptions
                                                          • Specifying Fairness
                                                          • Outline (4)
                                                          • Comparison NuSMV-ImProviso and SPIN
                                                          • Comparison Leader Election Protocol
                                                          • Comparison PAT SPIN and FDR
                                                          • Comparison Conclusion
                                                          • Outline (5)
                                                          • Conclusion
                                                          • Model Checking Distributed Algorithms
                                                          • Model Checking Distributed Algorithms (2)

                                                            LTL Model Checking

                                                            bull Given a model M and an LTL formula ndash Build the Buchi automaton Bnot

                                                            ndash Compute product of M and Bnotbull Each state of M is labeled with propositionsbull Each state of Bnot is labeled with propositionsbull Match states with the same labels

                                                            ndash The product accepts the traces of M that are also traces of Bnot (M not)

                                                            ndash If the product accepts any sequencebull We have found a counterexample

                                                            Nested Depth First Search

                                                            bull The product is a Buumlchi automatonbull How do we find accepted sequences

                                                            ndash Accepted sequences must contain a cyclebull In order to contain accepting states infinitely often

                                                            ndash We are interested only in cycles that contain at least an accepting state

                                                            ndash During depth first search start a second search when we are in an accepting states

                                                            bull If we can reach the same state again we have a cycle (and a counterexample)

                                                            Example

                                                            Example

                                                            Nested Depth First Searchprocedure DFS(s) visited = visited s for each successor srsquo of s if srsquo visited then DFS(srsquo) if srsquo is accepting then DFS2(srsquo srsquo) end if end if end forend procedure

                                                            Nested Depth First Searchprocedure DFS2(s seed) visited2 = visited2 s for each successor srsquo of s if srsquo = seed then return ldquoCycle Detectrdquo end if if srsquo visited2 then DFS2(srsquo seed) end if end forend procedure

                                                            Explicit Model Checking

                                                            bull Avoid to construct the entire state space of the modeled system can be done On-the-Fly

                                                            bull Some states are not generated in the productbull Counterexample can be found before

                                                            searching all statesbull Easy to optimizebull Better support for asynchronous composition

                                                            SPIN

                                                            bull Explicit State Model Checkerbull Process Algebra

                                                            ndash Asynchronous composition of independent processesndash Communication using channels and global variablesndash Non-deterministic choices and interleavings

                                                            bull Nested Depth First Searchbull Uses a hashing function to store each state using

                                                            only 2 bits (no guarantee of soundness)bull Partial Order Reduction

                                                            SPIN Example of Petersonrsquos Algorithm

                                                            bool turn flag[2]byte ncrit

                                                            active proctype user0()again

                                                            flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                                                            ncrit++ss assert(ncrit == 1) critical section

                                                            ncrit--

                                                            flag[0] = 0goto again

                                                            active proctype user1()again

                                                            flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                                                            ncrit++assert(ncrit == 1) critical section ncrit--

                                                            flag[1] = 0goto again

                                                            Outline

                                                            bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                            bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                            bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                            Partial Order Reduction

                                                            bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                                            bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                                            bull The ordering between independent transitions is largely meaningless

                                                            The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                            explosion problembull To see this consider n transitions that can be executed

                                                            concurrentlybull In this case there are n different orderings and 2n different states

                                                            (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                            sequences it is beneficial to consider only one with n + 1 states

                                                            Partial Order Reduction

                                                            bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                            bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                            bull Thus this reduction technique is best suited for asynchronous systems

                                                            bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                                            Partial Order Reduction (Cont)

                                                            bull The method consists of constructing a reduced state graph

                                                            bull The full state graph which may be too big to fit in memory is never constructed

                                                            bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                            bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                            Partial Order Reduction (Cont)

                                                            bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                            bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                            Compositional Reasoning

                                                            bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                            receiver bull Assume-Guarantee Paradigm

                                                            ndash Verify each sub-process separately by adding assumptions on sub-process

                                                            ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                            Abstraction

                                                            bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                            propertyndash Eg Infinite state Finite state approximation

                                                            bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                            bull Approachesndash Cone of influence reductionndash Data abstraction

                                                            Cone of Influence Reduction

                                                            bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                                            Cone of Influence Reduction

                                                            Boolean v1 v2 v3 v4 v5 v6

                                                            Repeat forever in parallel

                                                            v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                            End

                                                            (F (~ v1)) v1 will eventually become False

                                                            Boolean v1 v2 v3

                                                            Repeat forever in parallel

                                                            v1 = v2

                                                            v2 = v1 amp v3

                                                            End

                                                            A Simple System Model

                                                            A Simple LTL property

                                                            Cone of Influence Reduction

                                                            Data Abstraction

                                                            h h hh h

                                                            Abstraction Function h S Srsquo

                                                            S

                                                            Srsquo

                                                            Data Abstraction Example

                                                            bull Abstraction proceeds component-wise where variables are components

                                                            xint Even

                                                            Oddhellip -3 -1 1 3 hellip

                                                            hellip -2 0 2 4 hellip

                                                            1 2 3 hellip

                                                            hellip -3 -2 -1

                                                            0

                                                            Pos

                                                            Neg

                                                            Zeroyint

                                                            Symmetry

                                                            bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                            equivalence class

                                                            bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                            bull Ideally both should be fully automatic

                                                            bull Challenges detecting amp exploiting symmetries

                                                            Model Written in SPIN

                                                            byte tok = 1

                                                            active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                                                            Symmetry Reduction Example

                                                            N1 N2

                                                            tok=1N1 N2

                                                            tok=2

                                                            N1 T2

                                                            tok=1T1 N2

                                                            tok=2T1 N2

                                                            tok=1N1 T2

                                                            tok=2

                                                            T1 T2

                                                            tok=1T1 T2

                                                            tok=2C1 N2

                                                            tok=1N1 C2

                                                            tok=2

                                                            C1 T2

                                                            tok=1T1 C2

                                                            tok=2

                                                            N1 N2

                                                            tok=1

                                                            N1 T2

                                                            tok=1T1 N2

                                                            tok=1

                                                            T1 T2

                                                            tok=1C1 N2

                                                            tok=1

                                                            C1 T2

                                                            tok=1

                                                            State-graphReduced state-graph

                                                            Outline

                                                            bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                            bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                            bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                            PAT Process Analysis Toolkit

                                                            bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                                                            bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                                                            bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                                                            bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
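The symmetry reduction shown above and the non-starvation check that the fairness slides refer to, worked through as an added example (not from the slides, SPIN or PAT): the code builds the state graph of the two-process token-passing model from the symmetry slide, reduces it by the process-swap symmetry, and runs a nested depth-first search for a cycle on which user 1 waits forever. The Büchi automaton, the process ids 1 and 2 and all function names are assumptions made here.

```python
# Added example (not from the slides, SPIN or PAT): explicit-state exploration
# of the two-process token-passing model from the symmetry slide. Users cycle
# N -> T -> C -> N, only the token holder enters C, leaving C passes the token.

N, T, C = "N", "T", "C"
INIT = (N, N, 1)          # (state of user 1, state of user 2, token holder)

def successors(s):
    """Interleaving semantics: every enabled step of either user is a successor."""
    out = []
    for i in (0, 1):
        pid, st = i + 1, list(s[:2])
        if st[i] == N:                      # start trying
            st[i] = T
            out.append((st[0], st[1], s[2]))
        elif st[i] == T and s[2] == pid:    # guarded by tok == _pid
            st[i] = C
            out.append((st[0], st[1], s[2]))
        elif st[i] == C:                    # leave, hand the token to 1 or 2
            st[i] = N
            out.extend((st[0], st[1], tok) for tok in (1, 2))
    return out

def reachable(init, succ, canon=lambda s: s):
    """Reachable state graph as {state: sorted successors}. A non-trivial `canon`
    maps each state to its orbit representative, giving the reduced graph."""
    edges, stack = {}, [canon(init)]
    while stack:
        s = stack.pop()
        if s not in edges:
            edges[s] = sorted({canon(t) for t in succ(s)})
            stack.extend(edges[s])
    return edges

def swap(s):
    """Automorphism exchanging the two users (and therefore the token)."""
    return (s[1], s[0], 3 - s[2])

def canonical(s):
    """Orbit representative: the member in which user 1 holds the token."""
    return s if s[2] == 1 else swap(s)

def deadlock_free(edges):
    return all(edges[s] for s in edges)

def product_successors(ps):
    """Product with a two-state Büchi automaton for the negated non-starvation
    property 'eventually user 1 is trying and never enters C afterwards': q0
    (initial) guesses that moment, q1 (accepting) persists while user 1 is not
    in C. Automaton labels are read on the target model state."""
    s, q = ps
    out = []
    for t in successors(s):
        if q == 0:
            out.append((t, 0))
            if t[0] == T:
                out.append((t, 1))
        elif t[0] != C:
            out.append((t, 1))
    return out

def nested_dfs(init, succ, accepting):
    """Search for a reachable accepting cycle. The inner search starts from an
    accepting state only after all its successors are explored (post-order),
    which is what makes one shared visited2 set sound. Returns the cycle as a
    list that starts and ends at the seed, or None."""
    visited, visited2 = set(), set()

    def dfs2(s, seed, path):
        for t in succ(s):
            if t == seed:
                return path + [t]
            if t not in visited2:
                visited2.add(t)
                if found := dfs2(t, seed, path + [t]):
                    return found
        return None

    def dfs(s):
        visited.add(s)
        for t in succ(s):
            if t not in visited and (found := dfs(t)):
                return found
        return dfs2(s, s, [s]) if accepting(s) else None

    return dfs(init)

def starvation_witness():
    """A cycle on which user 1 stays in T forever; None means non-starvation holds."""
    return nested_dfs((INIT, 0), product_successors, lambda ps: ps[1] == 1)

if __name__ == "__main__":
    full = reachable(INIT, successors)
    reduced = reachable(INIT, successors, canonical)
    print(len(full), "states,", len(reduced), "after symmetry reduction")
    print("deadlock-free:", deadlock_free(full))
    for s, _ in starvation_witness():
        print(f"  {s[0]}1 {s[1]}2 tok={s[2]}")
```

The witness is the run in which user 2 keeps handing the token to itself; excluding such runs needs a fairness assumption on the token handover, the kind of constraint the wf(e)/sf(e) annotations express.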

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                     SPIN
                         states     time       memory        states     time      memory
Migratory Protocol (2)   155040     108.63s    56.3 MB       435456     2.34s     42.8 MB
Stable Marriage (2)      710        0.84s      7.3 MB        568        <0.01s    1.5 MB
Stable Marriage (3)      1275       2.72s      10.4 MB       945        <0.01s    1.5 MB
Stable Marriage (5)      10351      31.56s     30.0 MB       8421       0.03s     2.1 MB
Best (7)                 15         0.06s      0.7 MB        2187       0.03s     1.5 MB
Best (20)                41         0.34s      5.7 MB        NA¹
Worst (3)                15         0.04s      0.3 MB        15         <0.01s    1.5 MB
Worst (20)               2097150    0.36s      5.0 MB        2097150    15.03s    110.6 MB
Worst (100)              2.54E+30   14.34s     14.6 MB       NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO      NuSMV                               SPIN
            states     time       memory        states     time      memory
2           70         0.11s      1.1 MB        70         <0.01s    1.5 MB
3           488        0.57s      4.6 MB        488        <0.01s    1.5 MB
4           3576       6.77s      10.6 MB       3576       0.10s     2.3 MB
8           NA¹                                 NA¹

PO          NuSMV-ImProviso                     SPIN
            states     time       memory        states     time      memory
2           48         0.10s      1.0 MB        48         0.02s     1.5 MB
3           209        0.31s      3.0 MB        209        <0.01s    1.5 MB
4           922        1.77s      10.4 MB       922        <0.01s    1.7 MB
8           306903     3553.86s   381.8 MB      306903     11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry



                                                              Conclusion

                                                              bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                              bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                              Model Checking Distributed Algorithms

                                                              bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

                                                              Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

                                                              Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

                                                              ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

                                                              ndash Model Checking Transactional Memories

                                                              Model Checking Distributed Algorithms

                                                              bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

                                                              bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

                                                              for the fairness with POR)

                                                              bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

                                                              • Model Checking and Related Techniques
                                                              • Outline
                                                              • Model Checking Introduction
                                                              • Model Checking
                                                              • Model of Concurrent Systems
                                                              • Model of Concurrent Systems (Cont)
                                                              • Temporal logics
                                                              • Temporal logics (2)
                                                              • CTL Examples
                                                              • Fixpoint Algorithms
                                                              • Model Checking Problem
                                                              • Symbolic Model Checking
                                                              • Symbolic Model Checking with BDDs
                                                              • Ordered Binary Decision Trees and Diagrams
                                                              • OBDD for Comparator Example
                                                              • Variable Ordering Problem
                                                              • Symbolic Model Checking Algorithm
                                                              • Symbolic Model Checking (cont)
                                                              • Symbolic Model Checking (cont) (2)
                                                              • Problems with BDDs
                                                              • Advantages of SAT Procedures
                                                              • Bounded Model Checking
                                                              • Main Advantages of SAT Approach
                                                              • NuSMV A New Symbolic Model Verifier
                                                              • NuSMV language by examples
                                                              • Explicit Model Checking
• Büchi Automata
                                                              • Example
• LTL and Büchi Automata
                                                              • LTL Model Checking
                                                              • Nested Depth First Search
                                                              • Example (2)
                                                              • Example (3)
                                                              • Nested Depth First Search (2)
                                                              • Nested Depth First Search (3)
                                                              • Explicit Model Checking (2)
                                                              • SPIN
• SPIN: Example of Peterson's Algorithm
                                                              • Outline (2)
                                                              • Partial Order Reduction
                                                              • The State Explosion Problem
                                                              • Partial Order Reduction (2)
                                                              • Partial Order Reduction (Cont)
                                                              • Partial Order Reduction (Cont) (2)
                                                              • Compositional Reasoning
                                                              • Abstraction
                                                              • Cone of Influence Reduction
                                                              • Cone of Influence Reduction (2)
                                                              • Data Abstraction
                                                              • Data Abstraction Example
                                                              • Symmetry
                                                              • Model Written in SPIN
                                                              • Symmetry Reduction Example
                                                              • Outline (3)
                                                              • PAT Process Analysis Toolkit
                                                              • PAT Workflow Diagram
                                                              • Fairness Assumptions
                                                              • Specifying Fairness
                                                              • Outline (4)
                                                              • Comparison NuSMV-ImProviso and SPIN
                                                              • Comparison Leader Election Protocol
                                                              • Comparison PAT SPIN and FDR
                                                              • Comparison Conclusion
                                                              • Outline (5)
                                                              • Conclusion
                                                              • Model Checking Distributed Algorithms
                                                              • Model Checking Distributed Algorithms (2)

                                                                Example

                                                                Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
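The two procedures above in runnable form, as an added example written for this page (not code from the slides or from SPIN): the inner search is started when the outer search has finished an accepting state (post-order), which also covers an accepting initial state, and the result is returned as a lasso (prefix, cycle). The product graphs are constructed by hand.

```python
"""Nested depth-first search for an accepting cycle (added example).

The graph is a constructed Büchi product automaton given as an adjacency dict;
it is not the output of any tool.
"""
import sys
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, List[str]]
Lasso = Tuple[List[str], List[str]]   # (path to the seed, cycle starting at the seed)

sys.setrecursionlimit(10_000)          # the search is recursive, like the pseudocode


class _CycleFound(Exception):
    """Raised by the inner search to unwind with the counterexample."""

    def __init__(self, lasso: Lasso) -> None:
        super().__init__("accepting cycle")
        self.lasso = lasso


def nested_dfs(graph: Graph, init: str, accepting: Set[str]) -> Optional[Lasso]:
    """Return a lasso through an accepting state, or None if there is none.

    DFS explores the product; when it has finished an accepting state it starts
    DFS2, which looks for a path back to that seed.  Each search has its own
    visited set, so every state is handled at most twice.
    """
    visited: Set[str] = set()
    visited2: Set[str] = set()
    stack: List[str] = []    # current outer DFS path
    stack2: List[str] = []   # current inner DFS path, starting at the seed

    def dfs2(s: str, seed: str) -> None:
        visited2.add(s)
        stack2.append(s)
        for t in graph.get(s, []):
            if t == seed:                       # closed a cycle through the seed
                raise _CycleFound((stack[:-1], list(stack2)))
            if t not in visited2:
                dfs2(t, seed)
        stack2.pop()

    def dfs(s: str) -> None:
        visited.add(s)
        stack.append(s)
        for t in graph.get(s, []):
            if t not in visited:
                dfs(t)
        if s in accepting:                      # post-order: successors are done
            dfs2(s, s)
        stack.pop()

    try:
        dfs(init)
    except _CycleFound as found:
        return found.lasso
    return None


# Constructed product with an accepting cycle s2 -> s1 -> s2 (s2 accepting).
PRODUCT_WITH_CYCLE: Graph = {"s0": ["s1"], "s1": ["s2"], "s2": ["s1"]}
# Constructed product whose only cycle (s2 -> s2) contains no accepting state.
PRODUCT_WITHOUT_CYCLE: Graph = {"s0": ["s1"], "s1": ["s2"], "s2": ["s2"]}


if __name__ == "__main__":
    print(nested_dfs(PRODUCT_WITH_CYCLE, "s0", {"s2"}))      # (['s0', 's1'], ['s2', 's1'])
    print(nested_dfs(PRODUCT_WITHOUT_CYCLE, "s0", {"s1"}))   # None
```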

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before all states have been searched
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN: Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:  turn = 0;
    cs:     (flag[1 - 0] == 0 || turn == 1 - 0);
            ncrit++;
    ss:     assert(ncrit == 1);   /* critical section */
            ncrit--;
            flag[0] = 0;
            goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:  turn = 1;
    cs:     (flag[1 - 1] == 0 || turn == 1 - 1);
            ncrit++;
            assert(ncrit == 1);   /* critical section */
            ncrit--;
            flag[1] = 0;
            goto again
    }
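The same check done by hand, as an added example that is not part of the slides: every interleaving of the two processes is explored breadth-first and the assert is evaluated in each reachable state, so the first violation found is a shortest counterexample. A constructed "check the other flag, then set your own" variant without the turn variable is included to show what a violated assert looks like.

```python
"""Exhaustive explicit-state check of the Peterson model above (added example).

A state is (pc0, pc1, flag0, flag1, turn, ncrit).  Each process is interpreted
one statement at a time, as SPIN does with Promela, and every interleaving is
explored by breadth-first search.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[int, int, int, int, int, int]
Step = Callable[[State, int], Optional[State]]   # one statement of process i, None if blocked


def peterson_step(s: State, i: int) -> Optional[State]:
    """Execute the statement at process i's pc in Peterson's algorithm (6 locations)."""
    pcs, flag, turn, ncrit = [s[0], s[1]], [s[2], s[3]], s[4], s[5]
    pc, j = pcs[i], 1 - i
    if pc == 0:                                  # flag[i] = 1
        flag[i] = 1
    elif pc == 1:                                # turn = i
        turn = i
    elif pc == 2:                                # (flag[j] == 0 || turn == j): wait
        if not (flag[j] == 0 or turn == j):
            return None
    elif pc == 3:                                # ncrit++
        ncrit += 1
    elif pc == 4:                                # assert(ncrit == 1); ncrit--
        ncrit -= 1
    else:                                        # flag[i] = 0; goto again
        flag[i] = 0
    pcs[i] = (pc + 1) % 6
    return (pcs[0], pcs[1], flag[0], flag[1], turn, ncrit)


def flag_only_step(s: State, i: int) -> Optional[State]:
    """Constructed broken protocol: wait until flag[j] == 0, then set flag[i] (5 locations)."""
    pcs, flag, turn, ncrit = [s[0], s[1]], [s[2], s[3]], s[4], s[5]
    pc, j = pcs[i], 1 - i
    if pc == 0:                                  # (flag[j] == 0): wait
        if flag[j] != 0:
            return None
    elif pc == 1:                                # flag[i] = 1
        flag[i] = 1
    elif pc == 2:                                # ncrit++
        ncrit += 1
    elif pc == 3:                                # assert(ncrit == 1); ncrit--
        ncrit -= 1
    else:                                        # flag[i] = 0; goto again
        flag[i] = 0
    pcs[i] = (pc + 1) % 5
    return (pcs[0], pcs[1], flag[0], flag[1], turn, ncrit)


def check_mutex(step: Step, assert_pc: int) -> Tuple[int, Optional[List[State]]]:
    """Explore all interleavings from the initial state.

    Returns (number of states visited, counterexample trace or None).  The
    assert(ncrit == 1) is evaluated whenever a process sits at assert_pc.
    """
    init: State = (0, 0, 0, 0, 0, 0)
    parent: Dict[State, Optional[State]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if any(s[i] == assert_pc for i in (0, 1)) and s[5] != 1:
            trace: List[State] = []              # rebuild the shortest path to the violation
            cur: Optional[State] = s
            while cur is not None:
                trace.append(cur)
                cur = parent[cur]
            return len(parent), trace[::-1]
        for i in (0, 1):
            nxt = step(s, i)
            if nxt is not None and nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return len(parent), None


if __name__ == "__main__":
    n_states, trace = check_mutex(peterson_step, 4)
    print(f"Peterson: {n_states} states explored, violation found: {trace is not None}")
    n_states, trace = check_mutex(flag_only_step, 3)
    print(f"flag-only: trace of {len(trace)} states ends with ncrit = {trace[-1][5]}")
```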

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
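The n-transition argument and the reduced state graph above, worked through in Python as an added example (not code from the slides or from SPIN): n constructed processes each take one local step; exploring every interleaving reaches 2^n states, while expanding only one independent transition per state reaches n + 1. Independence is decided by a sufficient condition (disjoint variable sets), and a variant in which every step also writes a shared variable shows the reduction declining to apply.

```python
"""State explosion from interleaving, and a partial order reduction (added example).

Constructed system: n processes with one transition each.  No property is
specified and the system is acyclic, so the ample-set choice below needs no
visibility or cycle condition; real implementations must check both.
"""
from collections import deque
from typing import FrozenSet, List, Set, Tuple

State = Tuple[int, ...]      # program counter of each process (0 = not yet run, 1 = done)


class Transition:
    """A process's single step; the variables it touches decide independence."""

    def __init__(self, proc: int, touches: FrozenSet[str]) -> None:
        self.proc, self.touches = proc, touches

    def enabled(self, s: State) -> bool:
        return s[self.proc] == 0

    def fire(self, s: State) -> State:
        return s[: self.proc] + (1,) + s[self.proc + 1:]


def independent(a: Transition, b: Transition) -> bool:
    """Sufficient condition: transitions commute if they touch disjoint variables."""
    return not (a.touches & b.touches)


def ample(enabled: List[Transition], all_ts: List[Transition]) -> List[Transition]:
    """One enabled transition that is independent of every other process's
    transition, if there is one; otherwise all enabled transitions."""
    for t in enabled:
        if all(independent(t, u) for u in all_ts if u.proc != t.proc):
            return [t]
    return enabled


def explore(ts: List[Transition], reduce: bool) -> int:
    """Number of states reached from the all-zero state, with or without reduction."""
    init: State = tuple(0 for _ in ts)
    seen: Set[State] = {init}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        enabled = [t for t in ts if t.enabled(s)]
        for t in (ample(enabled, ts) if reduce else enabled):
            nxt = t.fire(s)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)


def local_system(n: int) -> List[Transition]:
    """n pairwise independent transitions: each touches only its own pc."""
    return [Transition(i, frozenset({f"pc{i}"})) for i in range(n)]


def shared_system(n: int) -> List[Transition]:
    """Like local_system, but every transition also writes a shared variable."""
    return [Transition(i, frozenset({f"pc{i}", "shared"})) for i in range(n)]


if __name__ == "__main__":
    for n in (3, 10):
        print(n, explore(local_system(n), False), explore(local_system(n), True))  # 2^n vs n + 1
    print(explore(shared_system(3), True))   # dependent transitions: no reduction, 8 states
```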

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes it runs with
  – Combine the assumed and guaranteed properties to show the correctness of the composition (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A Simple LTL property:

    F (~v1)        -- v1 will eventually become False

After Cone of Influence Reduction (only v1, v2, v3 can influence v1):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End
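The reduction above carried out in Python, as an added example (not the slides' own code): the dependency closure of {v1} is computed, the updates outside it are dropped, and F(~v1) is checked on both models by following the run from every initial assignment. The system is deterministic (v6 never changes), so each run is unique and eventually periodic, and the two models give the same verdict and matching counterexamples, as the theorem on the previous slide says.

```python
"""Cone of influence reduction applied to the Boolean system above (added example)."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

Assignment = Dict[str, bool]
Update = Tuple[Tuple[str, ...], Callable[..., bool]]    # (variables read, next-state function)

# The system from the slide; v6 has no update and keeps its value.
FULL_SYSTEM: Dict[str, Update] = {
    "v1": (("v2",), lambda v2: v2),
    "v2": (("v1", "v3"), lambda v1, v3: v1 and v3),
    "v3": (("v1", "v2"), lambda v1, v2: v1 and v2),
    "v4": (("v5", "v3"), lambda v5, v3: v5 and v3),
    "v5": (("v4", "v6"), lambda v4, v6: v4 and v6),
}
ALL_VARS: Tuple[str, ...] = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(system: Dict[str, Update], observed: Iterable[str]) -> FrozenSet[str]:
    """Smallest set containing `observed` and closed under 'is read by the update of'."""
    cone = set(observed)
    worklist = list(cone)
    while worklist:
        v = worklist.pop()
        for dep in system.get(v, ((), None))[0]:
            if dep not in cone:
                cone.add(dep)
                worklist.append(dep)
    return frozenset(cone)


def reduced_model(system: Dict[str, Update], cone: FrozenSet[str]) -> Dict[str, Update]:
    """Keep only the updates of cone variables; by construction they read cone variables only."""
    return {v: u for v, u in system.items() if v in cone}


def step(system: Dict[str, Update], state: Assignment) -> Assignment:
    """One synchronous step: every update reads the old state."""
    nxt = dict(state)
    for v, (deps, fn) in system.items():
        nxt[v] = fn(*(state[d] for d in deps))
    return nxt


def eventually_not_v1(system: Dict[str, Update], variables: Tuple[str, ...],
                      init: Assignment) -> bool:
    """F(~v1) on the unique run from init: True iff v1 becomes False before the run repeats."""
    seen = set()
    state = init
    while True:
        if not state["v1"]:
            return True
        key = tuple(state[v] for v in variables)
        if key in seen:                  # periodic run on which v1 stays True
            return False
        seen.add(key)
        state = step(system, state)


def check_all_initial(system: Dict[str, Update],
                      variables: Tuple[str, ...]) -> Tuple[bool, Optional[Assignment]]:
    """Does F(~v1) hold from every initial assignment?  Returns (verdict, first counterexample)."""
    for bits in product((False, True), repeat=len(variables)):
        init = dict(zip(variables, bits))
        if not eventually_not_v1(system, variables, init):
            return False, init
    return True, None


if __name__ == "__main__":
    cone = cone_of_influence(FULL_SYSTEM, ["v1"])
    print(sorted(cone))                                                      # ['v1', 'v2', 'v3']
    print(check_all_initial(FULL_SYSTEM, ALL_VARS))
    print(check_all_initial(reduced_model(FULL_SYSTEM, cone), tuple(sorted(cone))))
```

Both checks fail from the assignment where v1, v2 and v3 are all True, which is a fixpoint of the updates; the full model's counterexample projected onto the cone is the reduced model's counterexample.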

Data Abstraction

Abstraction function h: S → S' (figure: each concrete state in S is mapped by h to an abstract state in S')

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x: int                             y: int
      …, -3, -1, 1, 3, …  → Odd          1, 2, 3, …       → Pos
      …, -2, 0, 2, 4, …   → Even         …, -3, -2, -1    → Neg
                                         0                → Zero
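The two abstraction functions above applied to a constructed program, as an added example (not from the slides): the abstract transition relation is built existentially over a bounded window of concrete states, which over-approximates the program, and the abstract model reaches y = Neg although the concrete program started at (0, 0) never does. That spurious path is the loss of precision the Abstraction slide lists as a disadvantage.

```python
"""Component-wise data abstraction with existential abstraction (added example).

Constructed program: in parallel, x' = x + 1 and y' = y + x.  Everything here
(program, window, bound) is an assumption of the example.
"""
from collections import deque
from itertools import product
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

Concrete = Tuple[int, int]
Abstract = Tuple[str, str]


def h_x(x: int) -> str:                     # x: int  ->  {Even, Odd}
    return "Even" if x % 2 == 0 else "Odd"


def h_y(y: int) -> str:                     # y: int  ->  {Pos, Neg, Zero}
    return "Pos" if y > 0 else "Neg" if y < 0 else "Zero"


def h(c: Concrete) -> Abstract:
    """Abstraction proceeds component-wise."""
    return (h_x(c[0]), h_y(c[1]))


def concrete_step(c: Concrete) -> Concrete:
    x, y = c
    return (x + 1, y + x)


def abstract_relation(window: int) -> Dict[Abstract, Set[Abstract]]:
    """Existential abstraction: a -> b if some concrete state in [-window, window]^2
    maps to a and its successor maps to b."""
    rel: Dict[Abstract, Set[Abstract]] = {}
    for x, y in product(range(-window, window + 1), repeat=2):
        rel.setdefault(h((x, y)), set()).add(h(concrete_step((x, y))))
    return rel


def bfs_path(succ: Callable[[Any], List[Any]], init: Any, goal: Callable[[Any], bool],
             limit: int) -> Optional[List[Any]]:
    """Shortest path from init to a state satisfying goal, exploring at most limit states."""
    parent: Dict[Any, Any] = {init: None}
    queue = deque([init])
    while queue and len(parent) <= limit:
        s = queue.popleft()
        if goal(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def abstract_counterexample(window: int = 6) -> Optional[List[Abstract]]:
    """Abstract path from h((0, 0)) to a state with y abstracted to Neg, if any."""
    rel = abstract_relation(window)
    return bfs_path(lambda a: sorted(rel.get(a, ())), h((0, 0)), lambda a: a[1] == "Neg", 100)


def concrete_reaches_neg(bound: int = 50) -> bool:
    """Bounded concrete exploration from (0, 0): y only ever grows, so this stays False."""
    inside = lambda c: abs(c[0]) <= bound and abs(c[1]) <= bound
    path = bfs_path(lambda c: [n for n in [concrete_step(c)] if inside(n)], (0, 0),
                    lambda c: c[1] < 0, bound * bound)
    return path is not None


if __name__ == "__main__":
    print(abstract_counterexample())        # [('Even', 'Zero'), ('Odd', 'Neg')]: spurious
    print(concrete_reaches_neg())           # False
```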

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* the slide leaves these symbolic names undeclared */
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

State graph (12 states; Ni / Ti / Ci = process i in N / T / C; edges not recoverable from the transcript):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class, all with tok=1):

    N1 N2 tok=1
    N1 T2 tok=1    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
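The two graphs above recomputed in Python, as an added example (not code from the slides or from SPIN): the state space of the token model is explored once as-is and once storing only a canonical representative of each state, which reproduces the 12 and 6 states shown. Process ids are taken to be 1 and 2, matching the slide's labels and the token values.

```python
"""Symmetry reduction of the two-process token model above (added example).

A state is (state1, state2, tok).  Process i may enter C only when tok == i,
and on leaving C the token is set nondeterministically to 1 or 2, as in the
Promela do-loop.  Swapping the two processes (and renaming the token) is an
automorphism of the state graph, so one representative per orbit suffices.
"""
from collections import deque
from typing import Callable, List, Set, Tuple

State = Tuple[str, str, int]      # (local state of process 1, of process 2, tok)
PIDS = (1, 2)


def _with(locals_: List[str], idx: int, new: str, tok: int) -> State:
    updated = list(locals_)
    updated[idx] = new
    return (updated[0], updated[1], tok)


def successors(s: State) -> List[State]:
    """All transitions of the Promela do-loop, for each of the two processes."""
    locals_, tok = list(s[:2]), s[2]
    out: List[State] = []
    for pid in PIDS:
        idx = pid - 1
        st = locals_[idx]
        if st == "N":                                   # (state == N) -> state = T
            out.append(_with(locals_, idx, "T", tok))
        elif st == "T" and tok == pid:                  # (state == T) && (tok == _pid) -> state = C
            out.append(_with(locals_, idx, "C", tok))
        elif st == "C":                                 # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            out.append(_with(locals_, idx, "N", 1))
            out.append(_with(locals_, idx, "N", 2))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the processes and rename the token accordingly."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Representative of the orbit {s, swap(s)}: the member in which process 1 holds the token."""
    return s if s[2] == 1 else swap(s)


def reachable(init: State, rep: Callable[[State], State]) -> Set[State]:
    """Explore the graph, storing rep(state) for every state (rep = identity means no reduction)."""
    start = rep(init)
    seen: Set[State] = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def state_counts() -> Tuple[int, int]:
    """(states in the full graph, states in the reduced graph), starting from N1 N2 tok=1."""
    init: State = ("N", "N", 1)
    return len(reachable(init, lambda s: s)), len(reachable(init, canonical))


if __name__ == "__main__":
    print(state_counts())                                    # (12, 6)
    print(sorted(reachable(("N", "N", 1), canonical)))
```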

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

                                                                PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

Times in seconds, memory in MB; NA = not available.

                          NuSMV-ImProviso                    SPIN
                          states     time      memory        states     time      memory
  Migratory Protocol (2)  155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
  Stable Marriage (2)     710        0.84s     7.3 MB        568        <0.01s    1.5 MB
  Stable Marriage (3)     1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
  Stable Marriage (5)     10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
  Best (7)                15         0.06s     0.7 MB        2187       0.03s     1.5 MB
  Best (20)               41         0.34s     5.7 MB        NA
  Worst (3)               15         0.04s     0.3 MB        15         <0.01s    1.5 MB
  Worst (20)              2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
  Worst (100)             2.54E+30   14.34s    14.6 MB       NA

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best / Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO); times in seconds, memory in MB, NA = not available:

               NuSMV                            SPIN
  processes    states   time      memory        states   time      memory
  2            70       0.11s     1.1 MB        70       <0.01s    1.5 MB
  3            488      0.57s     4.6 MB        488      <0.01s    1.5 MB
  4            3576     6.77s     10.6 MB       3576     0.10s     2.3 MB
  8            NA                               NA

With partial order reduction (PO):

               NuSMV-ImProviso                  SPIN
  processes    states   time      memory        states   time      memory
  2            48       0.10s     1.0 MB        48       0.02s     1.5 MB
  3            209      0.31s     3.0 MB        209      <0.01s    1.5 MB
  4            922      1.77s     10.4 MB       922      <0.01s    1.7 MB
  8            306903   3553.86s  381.8 MB      306903   11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Example

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
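The two procedures above, carried through in Python as an added example (this is not code from the talk or from SPIN). The automaton it runs on is a constructed toy graph: its accepting cycle stands in for a cycle through an accepting state of the product of a system with the automaton of a negated LTL property, which is the counterexample an LTL model checker reports. The nested search is started in post-order, after the subtree of an accepting state has been fully explored; that ordering is what lets all inner searches share one visited2 set, and the initial state is checked separately since the pseudocode's loop only looks at successors.

```python
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
Lasso = Tuple[List[State], List[State]]   # (prefix to the cycle, the cycle itself)


def nested_dfs(initial: State,
               successors: Callable[[State], Iterable[State]],
               accepting: Callable[[State], bool]) -> Optional[Lasso]:
    """Nested DFS over a Büchi automaton.  Returns (prefix, cycle), a lasso
    through an accepting state, or None when no accepting cycle is reachable."""
    visited: Set[State] = set()    # states expanded by the outer search
    visited2: Set[State] = set()   # states expanded by the nested search
    stack: List[State] = []        # current outer DFS path

    def dfs2(s: State, seed: State, path: List[State]) -> Optional[List[State]]:
        # Nested search: look for a path from the accepting `seed` back to itself.
        visited2.add(s)
        for t in successors(s):
            if t == seed:
                return path + [t]
            if t not in visited2:
                cycle = dfs2(t, seed, path + [t])
                if cycle is not None:
                    return cycle
        return None

    def dfs(s: State) -> Optional[Lasso]:
        visited.add(s)
        stack.append(s)
        for t in successors(s):
            if t not in visited:
                found = dfs(t)
                if found is not None:
                    return found
                # Post-order: the nested search from t starts only after the
                # whole subtree below t has been explored.
                if accepting(t):
                    cycle = dfs2(t, t, [])
                    if cycle is not None:
                        return (stack + [t], cycle)
        stack.pop()
        return None

    result = dfs(initial)
    if result is None and accepting(initial):
        # The pseudocode only checks successors; the initial state may be accepting too.
        cycle = dfs2(initial, initial, [])
        if cycle is not None:
            result = ([initial], cycle)
    return result


# Constructed toy automaton (not from the talk): state 2 is accepting and lies
# on the cycle 1 -> 2 -> 1; states 3 and 4 form a cycle with no accepting state.
EDGES: Dict[int, List[int]] = {0: [1, 3], 1: [2], 2: [1], 3: [4], 4: [3]}
ACCEPTING: Set[int] = {2}


def find_accepting_cycle(edges: Dict[int, List[int]], accepting: Set[int],
                         initial: int = 0) -> Optional[Lasso]:
    """Run nested DFS on an explicit adjacency-list graph."""
    return nested_dfs(initial, lambda s: edges.get(s, []), lambda s: s in accepting)


if __name__ == "__main__":
    print(find_accepting_cycle(EDGES, ACCEPTING))   # ([0, 1, 2], [1, 2])
```

The returned lasso is the counterexample: the prefix leads from the initial state to the accepting state, and the cycle shows the accepting state is visited infinitely often. Making state 4 the accepting one instead yields the lasso through the other cycle, and a graph whose accepting states lie on no cycle yields None.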

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: it can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until true */
        ncrit++;
    ss:
        assert(ncrit == 1);   /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until true */
        ncrit++;
        assert(ncrit == 1);   /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }
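What SPIN does with the model above, reproduced in Python as an added example (not the talk's code and not SPIN itself): every Promela statement becomes one atomic step of one process, and a breadth-first search enumerates all interleavings and checks the assertion ncrit == 1 in every reachable state. Beside Peterson's algorithm it explores a constructed broken protocol in which each process checks the other's flag and only afterwards raises its own; the exhaustive search finds the check-then-act race and returns the interleaving that leads to two processes in the critical section. The state layout (pc0, pc1, flag0, flag1, turn, ncrit) and the step numbering are this example's own.

```python
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Global state: (pc0, pc1, flag0, flag1, turn, ncrit); pc = program counter.
State = Tuple[int, int, int, int, int, int]
INITIAL: State = (0, 0, 0, 0, 0, 0)


def peterson_step(state: State, i: int) -> Optional[State]:
    """Successor when process i executes its current statement of Peterson's
    algorithm (one statement per step, as in Promela), or None if blocked."""
    pc = [state[0], state[1]]
    flag = [state[2], state[3]]
    turn, ncrit = state[4], state[5]
    j = 1 - i
    p = pc[i]
    if p == 0:
        flag[i] = 1                        # flag[i] = 1
    elif p == 1:
        turn = i                           # turn = i
    elif p == 2:                           # (flag[j] == 0 || turn == j)
        if not (flag[j] == 0 or turn == j):
            return None                    # the wait statement blocks
    elif p == 3:
        ncrit += 1                         # enter the critical section
    elif p == 4:
        ncrit -= 1                         # leave the critical section
    elif p == 5:
        flag[i] = 0                        # flag[i] = 0; goto again
    pc[i] = (p + 1) % 6
    return (pc[0], pc[1], flag[0], flag[1], turn, ncrit)


def naive_step(state: State, i: int) -> Optional[State]:
    """Constructed broken protocol: check the other flag, then raise your own.
    The gap between check and update is a race that breaks mutual exclusion."""
    pc = [state[0], state[1]]
    flag = [state[2], state[3]]
    turn, ncrit = state[4], state[5]
    j = 1 - i
    p = pc[i]
    if p == 0:                             # wait until flag[j] == 0 ...
        if flag[j] != 0:
            return None
    elif p == 1:
        flag[i] = 1                        # ... and only then raise flag[i]
    elif p == 2:
        ncrit += 1
    elif p == 3:
        ncrit -= 1
    elif p == 4:
        flag[i] = 0
    pc[i] = (p + 1) % 5
    return (pc[0], pc[1], flag[0], flag[1], turn, ncrit)


def check_mutex(step: Callable[[State, int], Optional[State]],
                initial: State = INITIAL) -> Tuple[int, Optional[List[Tuple[int, State]]]]:
    """Exhaustive breadth-first exploration of all interleavings.
    Returns (reachable state count, counterexample); the counterexample is the
    list of (process, state) steps to the first state with ncrit > 1, or None
    when the assertion ncrit <= 1 holds in every reachable state."""
    parent: Dict[State, Optional[Tuple[State, int]]] = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if s[5] > 1:                       # two processes inside the critical section
            trace = []
            while parent[s] is not None:
                prev, i = parent[s]
                trace.append((i, s))
                s = prev
            return len(parent), trace[::-1]
        for i in (0, 1):
            t = step(s, i)
            if t is not None and t not in parent:
                parent[t] = (s, i)
                queue.append(t)
    return len(parent), None


if __name__ == "__main__":
    print(check_mutex(peterson_step)[1])   # None: mutual exclusion holds
    print(check_mutex(naive_step)[1])      # shortest interleaving reaching ncrit == 2
```

Because the search is breadth-first, the trace it returns for the broken protocol is a shortest violating interleaving, which is what makes it readable as a counterexample. The explorer checks one safety property; the nested DFS in the earlier example is what is needed for liveness properties such as "every waiting process eventually enters".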

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus, this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors
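The n! orderings versus n + 1 states argument from the state explosion slide, and the idea of expanding only one representative, as an added Python example (not from the talk). The system is constructed: n processes, each with one transition that writes its own private variable, so all transitions are pairwise independent. The explorer counts reachable states and interleavings once with full expansion and once with a simplified persistent-set rule (expand only one enabled transition when it commutes with every transition of the other processes). Real ample-set POR additionally needs the invisibility and cycle conditions; both hold trivially here because the property only concerns the final state and the graph is acyclic.

```python
from typing import Dict, FrozenSet, List, Tuple

# Constructed system: transition i belongs to process i and sets variable i.
Transition = Tuple[int, FrozenSet[int]]   # (process index, variables it touches)
Vector = Tuple[int, ...]                  # one bit per variable, 0 before the write


def make_system(n: int) -> List[Transition]:
    return [(i, frozenset({i})) for i in range(n)]


def enabled(state: Vector, system: List[Transition]) -> List[Transition]:
    """A transition is enabled until its variable has been written."""
    return [t for t in system if state[t[0]] == 0]


def fire(state: Vector, t: Transition) -> Vector:
    s = list(state)
    s[t[0]] = 1
    return tuple(s)


def independent_of_rest(t: Transition, system: List[Transition]) -> bool:
    """t commutes with every transition of every other process: disjoint variable sets."""
    return all(t[1].isdisjoint(u[1]) for u in system if u[0] != t[0])


def explore(system: List[Transition], reduce: bool = False) -> Tuple[int, int]:
    """Depth-first exploration with memoised path counting.
    Returns (number of states visited, number of interleavings from the initial
    state to the final state).  With reduce=True only one independent enabled
    transition is expanded per state (a simplified persistent set)."""
    init: Vector = tuple(0 for _ in system)
    paths: Dict[Vector, int] = {}   # memo: interleavings from a state to the end

    def count(state: Vector) -> int:
        en = enabled(state, system)
        if not en:
            return 1                 # final state: exactly one (empty) continuation
        if reduce:
            for t in en:
                if independent_of_rest(t, system):
                    en = [t]         # the representative ordering fires t first
                    break
        total = 0
        for t in en:
            nxt = fire(state, t)
            if nxt not in paths:
                paths[nxt] = count(nxt)
            total += paths[nxt]
        return total

    paths[init] = count(init)
    return len(paths), paths[init]


if __name__ == "__main__":
    print(explore(make_system(5)))               # (32, 120): 2^n states, n! orderings
    print(explore(make_system(5), reduce=True))  # (6, 1):    n + 1 states, 1 ordering
```

With n = 20 the full graph has over a million states while the reduced one has 21, which is the effect the Worst (20) rows of the later comparison tables show for a model of this shape.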

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A Simple LTL property:

    F(~v1)        (v1 will eventually become False)

Cone of Influence Reduction:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
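The reduction on the slide, computed mechanically, as an added Python example (not the talk's code). The system is stored as a map from each variable to its next-state expression; the cone of influence of the property's variables is the closure under "v is in the cone, so every variable read by v's update is in the cone too". For F(~v1) the closure is {v1, v2, v3}, and the reduced model keeps the updates of exactly those variables (including v3's own update, since v3 is in the cone). Because the reduced model reads no free input, its run from an initial valuation is deterministic, so F(~v1) can be decided by simulating until v1 is false or a state repeats. The expression syntax (conjunctions of variable names) is an assumption of this example.

```python
import re
from typing import Dict, Set

# The synchronous system from the slide: variable -> next-state expression.
# v6 is never assigned, so it is a free input of the full model.
SYSTEM: Dict[str, str] = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}


def variables_of(expr: str) -> Set[str]:
    """Variables read by an expression (names of the form v<digits>)."""
    return set(re.findall(r"\bv\d+\b", expr))


def cone_of_influence(system: Dict[str, str], prop_vars: Set[str]) -> Set[str]:
    """Smallest set C containing prop_vars such that whenever v in C has an
    update v = e, every variable read by e is in C as well."""
    cone = set(prop_vars)
    worklist = list(prop_vars)
    while worklist:
        v = worklist.pop()
        for d in variables_of(system.get(v, "")):   # unassigned inputs read nothing
            if d not in cone:
                cone.add(d)
                worklist.append(d)
    return cone


def reduce_model(system: Dict[str, str], prop_vars: Set[str]) -> Dict[str, str]:
    """The reduced model N: only the updates of variables inside the cone."""
    cone = cone_of_influence(system, prop_vars)
    return {v: e for v, e in system.items() if v in cone}


def step(model: Dict[str, str], valuation: Dict[str, bool]) -> Dict[str, bool]:
    """One synchronous step; every update reads the old valuation.
    Expressions in this example are conjunctions of variables."""
    return {v: all(valuation[d] for d in variables_of(e)) for v, e in model.items()}


def eventually_false(model: Dict[str, str], initial: Dict[str, bool], var: str) -> bool:
    """Decide F(~var) on the deterministic run of a closed model from `initial`:
    True if var becomes False before the run revisits a state."""
    seen = set()
    cur = initial
    while True:
        if not cur[var]:
            return True
        key = tuple(sorted(cur.items()))
        if key in seen:
            return False        # the run loops without ever making var False
        seen.add(key)
        cur = step(model, cur)


if __name__ == "__main__":
    reduced = reduce_model(SYSTEM, {"v1"})
    print(sorted(reduced))                                              # ['v1', 'v2', 'v3']
    print(eventually_false(reduced, {"v1": True, "v2": True, "v3": True}, "v1"))   # False
```

The all-true valuation is a fixed point of the reduced model, so from it v1 never becomes false and F(~v1) fails; the same verdict holds in the full model whatever v4, v5 and v6 do, which is the equivalence the previous slide states. A property mentioning v4 pulls in all six variables, so the reduction gains nothing there.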

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: component-wise abstraction of two integer variables]

    x: int  →  { Even, Odd }        … -2, 0, 2, 4, … ↦ Even;   … -3, -1, 1, 3, … ↦ Odd
    y: int  →  { Pos, Neg, Zero }   1, 2, 3, … ↦ Pos;   … -3, -2, -1 ↦ Neg;   0 ↦ Zero

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* non-critical, trying, critical */
    byte tok = 1;

    active [2] proctype user()
    {
        mtype state = N;
        do
        :: (state == N) -> state = T
        /* the two instances have _pid 0 and 1 while the token is 1 or 2,
           so the process holding the token is the one with tok == _pid + 1 */
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the two-process token model]

    State graph (12 states, written as <state of user 1, state of user 2, tok>):
        N1 N2 tok=1,  N1 N2 tok=2,  N1 T2 tok=1,  T1 N2 tok=2,  T1 N2 tok=1,  N1 T2 tok=2,
        T1 T2 tok=1,  T1 T2 tok=2,  C1 N2 tok=1,  N1 C2 tok=2,  C1 T2 tok=1,  T1 C2 tok=2

    Reduced state graph (6 states, one representative per equivalence class):
        N1 N2 tok=1,  N1 T2 tok=1,  T1 N2 tok=1,  T1 T2 tok=1,  C1 N2 tok=1,  C1 T2 tok=1
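The token model and its state graphs above, explored in Python as an added example (not the talk's code and not a SPIN feature). The symmetry is the permutation that swaps the two processes; because the token names a process, the swap also renames the token (tok=1 ↔ tok=2). Each orbit is represented by its lexicographically smallest member, which the search computes on the fly before storing or expanding a state; the slide picks the tok=1 member instead, and either choice yields one state per equivalence class, so the counts 12 and 6 match the figure.

```python
from collections import deque
from typing import Callable, List, Set, Tuple

N, T, C = "N", "T", "C"                   # non-critical, trying, critical
State = Tuple[str, str, int]              # (state of user 1, state of user 2, tok)
INIT: State = (N, N, 1)


def successors(state: State) -> List[State]:
    """Transitions of the SPIN model: a process in T enters C only while it
    holds the token; on leaving C it hands the token to user 1 or user 2."""
    s1, s2, tok = state
    procs = [s1, s2]
    out: List[State] = []
    for i in (0, 1):
        nxt = list(procs)
        if procs[i] == N:
            nxt[i] = T
            out.append((nxt[0], nxt[1], tok))
        elif procs[i] == T and tok == i + 1:
            nxt[i] = C
            out.append((nxt[0], nxt[1], tok))
        elif procs[i] == C:
            nxt[i] = N
            out.append((nxt[0], nxt[1], 1))
            out.append((nxt[0], nxt[1], 2))
    return out


def canonical(state: State) -> State:
    """Representative of the orbit of `state` under swapping the two
    processes; the swap renames the token as well (1 <-> 2)."""
    s1, s2, tok = state
    return min(state, (s2, s1, 3 - tok))


def reachable(init: State, rep: Callable[[State], State] = lambda s: s) -> Set[State]:
    """Breadth-first exploration.  With rep=canonical every state is replaced
    by its representative before it is stored or expanded, so the search
    visits the quotient (reduced) state graph."""
    start = rep(init)
    seen: Set[State] = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def mutual_exclusion(states: Set[State]) -> bool:
    """Safety check: no reachable state has both users in the critical section."""
    return all(not (s[0] == C and s[1] == C) for s in states)


if __name__ == "__main__":
    print(len(reachable(INIT)))              # 12 states in the full graph
    print(len(reachable(INIT, canonical)))   # 6 states in the reduced graph
```

Checking a symmetric property such as mutual exclusion on the six representatives is as good as checking it on all twelve states, because the property is invariant under the same permutation that defines the orbits.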

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                            NuSMV-ImProviso                  SPIN
                            states     time      memory      states     time      memory
    Migratory Protocol (2)  155040     108.63s   56.3 MB     435456     2.34s     42.8 MB
    Stable Marriage (2)     710        0.84s     7.3 MB      568        <0.01s    1.5 MB
    Stable Marriage (3)     1275       2.72s     10.4 MB     945        <0.01s    1.5 MB
    Stable Marriage (5)     10351      31.56s    30.0 MB     8421       0.03s     2.1 MB
    Best (7)                15         0.06s     0.7 MB      2187       0.03s     1.5 MB
    Best (20)               41         0.34s     5.7 MB      N/A (1)
    Worst (3)               15         0.04s     0.3 MB      15         <0.01s    1.5 MB
    Worst (20)              2097150    0.36s     5.0 MB      2097150    15.03s    110.6 MB
    Worst (100)             2.54E+30   14.34s    14.6 MB     N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO:

           NuSMV                            SPIN
      n    states    time      memory       states    time      memory
      2    70        0.11s     1.1 MB       70        <0.01s    1.5 MB
      3    488       0.57s     4.6 MB       488       <0.01s    1.5 MB
      4    3576      6.77s     10.6 MB      3576      0.10s     2.3 MB
      8    N/A (1)                          N/A (1)

PO:

           NuSMV-ImProviso                  SPIN
      n    states    time      memory       states    time      memory
      2    48        0.10s     1.0 MB       48        0.02s     1.5 MB
      3    209       0.31s     3.0 MB       209       <0.01s    1.5 MB
      4    922       1.77s     10.4 MB      922       <0.01s    1.7 MB
      8    306903    3553.86s  381.8 MB     306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

                                                                  Comparison Conclusion

                                                                  bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

                                                                  bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

                                                                  Outlinebull Model Checking Techniques

                                                                  ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                  bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                  bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                  Conclusion

                                                                  bull Three ways to do model checkingndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                  bull Various optimization techniquesndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                  Model Checking Distributed Algorithms

                                                                  bull Summary of Papers studiedndash Model Checking of Consensus Algorithms [T

                                                                  Tsuchiya and A Schiper SRDS 07] ndash MC of Distributed Dependable Protocols Semantic

                                                                  Property Preserving Abstractions [P Boker M Serafini A Pataricza and N Suri 07]

                                                                  ndash Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski DSN 07]

                                                                  ndash Model Checking Transactional Memories

                                                                  Model Checking Distributed Algorithms

                                                                  bull Most suitable MC techniquendash Explicit Model Checkingndash Benefits

                                                                  bull Better support for asynchronous communicationbull Better control of optimization techniquesbull Tools with better performance SPIN or PAT (better support

                                                                  for the fairness with POR)

                                                                  bull Possible optimization techniquesbull Abstractionbull Compositional Reasoningbull Symmetry

                                                                  • Model Checking and Related Techniques
                                                                  • Outline
                                                                  • Model Checking Introduction
                                                                  • Model Checking
                                                                  • Model of Concurrent Systems
                                                                  • Model of Concurrent Systems (Cont)
                                                                  • Temporal logics
                                                                  • Temporal logics (2)
                                                                  • CTL Examples
                                                                  • Fixpoint Algorithms
                                                                  • Model Checking Problem
                                                                  • Symbolic Model Checking
                                                                  • Symbolic Model Checking with BDDs
                                                                  • Ordered Binary Decision Trees and Diagrams
                                                                  • OBDD for Comparator Example
                                                                  • Variable Ordering Problem
                                                                  • Symbolic Model Checking Algorithm
                                                                  • Symbolic Model Checking (cont)
                                                                  • Symbolic Model Checking (cont) (2)
                                                                  • Problems with BDDs
                                                                  • Advantages of SAT Procedures
                                                                  • Bounded Model Checking
                                                                  • Main Advantages of SAT Approach
                                                                  • NuSMV A New Symbolic Model Verifier
                                                                  • NuSMV language by examples
                                                                  • Explicit Model Checking
• Büchi Automata
                                                                  • Example
• LTL and Büchi Automata
                                                                  • LTL Model Checking
                                                                  • Nested Depth First Search
                                                                  • Example (2)
                                                                  • Example (3)
                                                                  • Nested Depth First Search (2)
                                                                  • Nested Depth First Search (3)
                                                                  • Explicit Model Checking (2)
                                                                  • SPIN
• SPIN Example of Peterson's Algorithm
                                                                  • Outline (2)
                                                                  • Partial Order Reduction
                                                                  • The State Explosion Problem
                                                                  • Partial Order Reduction (2)
                                                                  • Partial Order Reduction (Cont)
                                                                  • Partial Order Reduction (Cont) (2)
                                                                  • Compositional Reasoning
                                                                  • Abstraction
                                                                  • Cone of Influence Reduction
                                                                  • Cone of Influence Reduction (2)
                                                                  • Data Abstraction
                                                                  • Data Abstraction Example
                                                                  • Symmetry
                                                                  • Model Written in SPIN
                                                                  • Symmetry Reduction Example
                                                                  • Outline (3)
                                                                  • PAT Process Analysis Toolkit
                                                                  • PAT Workflow Diagram
                                                                  • Fairness Assumptions
                                                                  • Specifying Fairness
                                                                  • Outline (4)
                                                                  • Comparison NuSMV-ImProviso and SPIN
                                                                  • Comparison Leader Election Protocol
                                                                  • Comparison PAT SPIN and FDR
                                                                  • Comparison Conclusion
                                                                  • Outline (5)
                                                                  • Conclusion
                                                                  • Model Checking Distributed Algorithms
                                                                  • Model Checking Distributed Algorithms (2)

Nested Depth First Search

    procedure DFS(s)
        visited = visited ∪ {s}
        for each successor s' of s
            if s' ∉ visited then
                DFS(s')
                if s' is accepting then
                    DFS2(s', s')
                end if
            end if
        end for
    end procedure

Nested Depth First Search

    procedure DFS2(s, seed)
        visited2 = visited2 ∪ {s}
        for each successor s' of s
            if s' = seed then
                return "Cycle Detected"
            end if
            if s' ∉ visited2 then
                DFS2(s', seed)
            end if
        end for
    end procedure
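As an added example that is not part of the slides, the two procedures above in Python, run over a small constructed Büchi automaton (the product of a model and a property automaton is itself a Büchi automaton, so the same search applies). The search returns the accepting cycle it finds together with the states the outer search actually generated, which makes the on-the-fly behaviour visible: the counterexample is reported before the whole graph has been explored. The graph, the state names and the function names are this example's own.

```python
# Added example (not from the slides): nested depth-first search over a
# constructed Büchi automaton. An accepting run exists iff an accepting
# state lies on a reachable cycle, which is what the inner search looks for.

from typing import Dict, List, Optional, Set, Tuple

# Constructed automaton: state -> successors. 'b' and 'e' are accepting.
GRAPH: Dict[str, List[str]] = {
    "a": ["b", "d"],
    "b": ["c"],
    "c": ["a"],      # a -> b -> c -> a is a cycle through accepting 'b'
    "d": ["e"],
    "e": ["f"],
    "f": [],         # 'e' is accepting but only leads to a dead end
}
ACCEPTING: Set[str] = {"b", "e"}


def nested_dfs(graph: Dict[str, List[str]], accepting: Set[str],
               start: str) -> Tuple[Optional[List[str]], Set[str]]:
    """Return (cycle, visited): cycle lists the states of an accepting cycle
    (seed first) or is None when no accepting cycle is reachable; visited is
    the set of states the outer search generated before stopping."""
    visited: Set[str] = set()    # outer search (DFS)
    visited2: Set[str] = set()   # inner search (DFS2), shared across all seeds
    path2: List[str] = []        # current inner path, reported as the counterexample

    def dfs2(s: str, seed: str) -> bool:
        visited2.add(s)
        path2.append(s)
        for t in graph[s]:
            if t == seed:                          # closed a cycle through the seed
                return True
            if t not in visited2 and dfs2(t, seed):
                return True
        path2.pop()
        return False

    def dfs(s: str) -> bool:
        visited.add(s)
        for t in graph[s]:
            if t not in visited:
                if dfs(t):
                    return True
                # Post-order: the inner search from t starts only after
                # everything reachable from t has been explored by DFS.
                if t in accepting and dfs2(t, t):
                    return True
        return False

    found = dfs(start)
    return (list(path2) if found else None), visited


if __name__ == "__main__":
    cycle, seen = nested_dfs(GRAPH, ACCEPTING, "a")
    print("accepting cycle:", cycle)          # ['b', 'c', 'a']
    print("states generated:", sorted(seen))  # 'd', 'e', 'f' were never needed
```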

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: the check can be done on-the-fly
  • Some states are never generated in the product
  • A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:  flag[0] = 1;
    reach:  turn = 0;
    cs:     (flag[1 - 0] == 0 || turn == 1 - 0);   /* wait until allowed in */
            ncrit++;
    ss:     assert(ncrit == 1);   /* critical section */
            ncrit--;
            flag[0] = 0;
            goto again
    }

    active proctype user1()
    {
    again:  flag[1] = 1;
    reach:  turn = 1;
    cs:     (flag[1 - 1] == 0 || turn == 1 - 1);   /* wait until allowed in */
            ncrit++;
            assert(ncrit == 1);   /* critical section */
            ncrit--;
            flag[1] = 0;
            goto again
    }

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• Partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. Infinite state → Finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A Simple LTL property:

    (F (~v1))    v1 will eventually become False

Cone of Influence Reduction (the reduced model):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
    End
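An added example, not from the slides, that computes the cone of influence for the model above and derives the reduced model in Python; it also generalizes the slide by answering the same question for any set of property variables. The dictionary encoding of the "Repeat forever in parallel" block and the helper names are this example's own.

```python
# Added example (not from the slides): cone-of-influence reduction for a
# synchronous model written as next-state assignments over Boolean variables.
# The model and property are the slide's; the dictionary encoding and the
# helper names are constructed for this example.

import re
from typing import Dict, Set

# "Repeat forever in parallel" block of the slide: variable -> next-value expression.
MODEL: Dict[str, str] = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
    # v6 is never assigned: it is a free input of the model
}

# Variables the LTL property F(~v1) refers to.
PROPERTY_VARS: Set[str] = {"v1"}

_VAR = re.compile(r"\bv\d+\b")


def reads(expr: str) -> Set[str]:
    """Variables read by a next-value expression."""
    return set(_VAR.findall(expr))


def all_variables(model: Dict[str, str]) -> Set[str]:
    """Assigned variables plus free inputs."""
    names = set(model)
    for expr in model.values():
        names |= reads(expr)
    return names


def cone_of_influence(model: Dict[str, str], vars_of_interest: Set[str]) -> Set[str]:
    """Least set C with V ⊆ C such that whenever x ∈ C, every variable read by
    x's next-value expression is also in C (transitive dependency closure)."""
    cone: Set[str] = set(vars_of_interest)
    worklist = list(vars_of_interest)
    while worklist:
        x = worklist.pop()
        for y in reads(model.get(x, "")):   # unassigned inputs read nothing
            if y not in cone:
                cone.add(y)
                worklist.append(y)
    return cone


def reduce_model(model: Dict[str, str], cone: Set[str]) -> Dict[str, str]:
    """The reduced model N keeps exactly the assignments of cone variables; the
    property's truth value is unchanged because no dropped variable can
    influence any variable the property refers to."""
    return {x: e for x, e in model.items() if x in cone}


def state_count(variables: Set[str]) -> int:
    """Size of the Boolean state space spanned by these variables."""
    return 2 ** len(variables)


if __name__ == "__main__":
    cone = cone_of_influence(MODEL, PROPERTY_VARS)
    print("cone of", sorted(PROPERTY_VARS), "=", sorted(cone))       # ['v1', 'v2', 'v3']
    print("reduced model:", reduce_model(MODEL, cone))
    print("states:", state_count(all_variables(MODEL)), "->", state_count(cone))  # 64 -> 8
```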

Data Abstraction

[Figure: abstraction function h: S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: x: int is abstracted to {Even, Odd}: ... -2, 0, 2, 4 ... ↦ Even; ... -3, -1, 1, 3 ... ↦ Odd.
 y: int is abstracted to {Neg, Zero, Pos}: ... -3, -2, -1 ↦ Neg; 0 ↦ Zero; 1, 2, 3 ... ↦ Pos]

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    /* N, T and C (non-critical, trying, critical) are not declared on the
       slide; an mtype declaration is added here so the model compiles */
    mtype = { N, T, C };
    byte tok = 1;

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        /* _pid is 0 or 1 while the token is 1 or 2 (as in the state graph
           below), so the guard compares tok with _pid + 1 */
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

[Figure: full state graph of the two-process token model (12 states): N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2, T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2.
 Reduced state graph (6 states, one representative per symmetric pair, all with tok=1): N1 N2, N1 T2, T1 N2, T1 T2, C1 N2, C1 T2]
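An added example, not from the slides, that builds the state graph of the token model above and its symmetry-reduced quotient in Python, reproducing the 12-state and 6-state counts of the figure. Processes are numbered 1 and 2 as in the figure; the tuple encoding of a state, the choice of representative (the member of each symmetric pair holding tok=1) and the helper names are this example's own.

```python
# Added example (not from the slides): symmetry reduction of the two-process
# token model from the SPIN slide. A global state is (state of process 1,
# state of process 2, tok); swapping the two processes is an automorphism of
# the state graph, so one representative per orbit suffices.

from typing import Callable, List, Set, Tuple

State = Tuple[str, str, int]


def successors(s: State) -> List[State]:
    """Interleaving semantics of the Promela model: one process moves per step."""
    p1, p2, tok = s
    procs = [p1, p2]
    out: List[State] = []
    for i in (0, 1):                          # process i+1 takes one step
        st = procs[i]
        moves: List[Tuple[str, int]] = []     # (new local state, new tok)
        if st == "N":
            moves.append(("T", tok))
        elif st == "T" and tok == i + 1:      # critical section needs the token
            moves.append(("C", tok))
        elif st == "C":                       # leave; hand the token to 1 or 2
            moves += [("N", 1), ("N", 2)]
        for new_st, new_tok in moves:
            q = procs[:]
            q[i] = new_st
            out.append((q[0], q[1], new_tok))
    return out


def swap(s: State) -> State:
    """The symmetry: exchange the two processes, so the token owner flips too."""
    return (s[1], s[0], 3 - s[2])


def representative(s: State) -> State:
    """Orbit representative: the member of {s, swap(s)} that holds tok == 1
    (exactly one of them does), matching the reduced graph in the figure."""
    return s if s[2] == 1 else swap(s)


def reachable(init: State,
              canon: Callable[[State], State] = lambda s: s) -> Set[State]:
    """Explore the state graph; canon() maps every generated state to the
    representative that is stored and expanded (identity = no reduction)."""
    start = canon(init)
    seen: Set[State] = {start}
    work = [start]
    while work:
        s = work.pop()
        for t in successors(s):
            r = canon(t)
            if r not in seen:
                seen.add(r)
                work.append(r)
    return seen


INIT: State = ("N", "N", 1)


if __name__ == "__main__":
    print("full state graph:", len(reachable(INIT)), "states")                   # 12
    print("reduced state graph:", len(reachable(INIT, representative)), "states")  # 6
```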


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

                                                                    PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
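An added example, not from the slides, of what wf(e) and sf(e) require of a concrete run. It works on a lasso-shaped run (a finite prefix followed by a loop repeated forever), which is the shape in which a model checker reports a counterexample; the runs, the event names and the (events enabled, event taken) encoding are constructed for this example and are not PAT's syntax.

```python
# Added example (not from the slides): weak and strong fairness of an event
# evaluated on a lasso-shaped run. Each step records the events enabled in a
# state and the event taken to leave it; the loop part repeats forever.

from typing import List, Set, Tuple

Step = Tuple[Set[str], str]   # (events enabled in this state, event taken next)


def loop_steps(run: List[Step], loop_start: int) -> List[Step]:
    """The steps that repeat forever: positions loop_start .. end of the run."""
    return run[loop_start:]


def weakly_fair(run: List[Step], loop_start: int, e: str) -> bool:
    """wf(e): if e is enabled continuously from some point on (i.e. in every
    state of the loop), then e must be taken infinitely often (in the loop)."""
    loop = loop_steps(run, loop_start)
    always_enabled = all(e in enabled for enabled, _ in loop)
    taken = any(taken == e for _, taken in loop)
    return taken or not always_enabled


def strongly_fair(run: List[Step], loop_start: int, e: str) -> bool:
    """sf(e): if e is enabled infinitely often (in some state of the loop),
    then e must be taken infinitely often (in the loop). Stronger than wf(e)."""
    loop = loop_steps(run, loop_start)
    enabled_infinitely_often = any(e in enabled for enabled, _ in loop)
    taken = any(taken == e for _, taken in loop)
    return taken or not enabled_infinitely_often


# Constructed run 1: process 1 cycles forever while process 2's request "req2"
# is enabled the whole time but never scheduled. The loop starts at index 1.
# Such a run is the reason non-starvation is FALSE without a fairness assumption.
STARVATION: List[Step] = [
    ({"req1", "req2"}, "req1"),       # prefix
    ({"enter1", "req2"}, "enter1"),   # loop begins here
    ({"exit1", "req2"}, "exit1"),
    ({"req1", "req2"}, "req1"),
]

# Constructed run 2: "e" is enabled only intermittently in the loop and never
# taken; this satisfies wf(e) but violates sf(e).
INTERMITTENT: List[Step] = [
    ({"a", "e"}, "a"),   # loop starts at index 0; e enabled here ...
    ({"b"}, "b"),        # ... but not here, so it is not enabled continuously
]


if __name__ == "__main__":
    print("wf(req2) on STARVATION:", weakly_fair(STARVATION, 1, "req2"))     # False
    print("sf(req2) on STARVATION:", strongly_fair(STARVATION, 1, "req2"))   # False
    print("wf(e) on INTERMITTENT:", weakly_fair(INTERMITTENT, 0, "e"))       # True
    print("sf(e) on INTERMITTENT:", strongly_fair(INTERMITTENT, 0, "e"))     # False
```

A run that violates wf(e) or sf(e) is discarded when the corresponding fairness assumption is made, which is how a property such as non-starvation can become TRUE under fairness.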


Comparison: NuSMV-ImProviso and SPIN

                           NuSMV-ImProviso                    SPIN
                           states    time       memory        states    time      memory
    Migratory Protocol (2) 155040    108.63s    56.3 MB       435456    2.34s     42.8 MB
    Stable Marriage (2)    710       0.84s      7.3 MB        568       <0.01s    1.5 MB
    Stable Marriage (3)    1275      2.72s      10.4 MB       945       <0.01s    1.5 MB
    Stable Marriage (5)    10351     31.56s     30.0 MB       8421      0.03s     2.1 MB
    Best (7)               15        0.06s      0.7 MB        2187      0.03s     1.5 MB
    Best (20)              41        0.34s      5.7 MB        N/A¹
    Worst (3)              15        0.04s      0.3 MB        15        <0.01s    1.5 MB
    Worst (20)             2097150   0.36s      5.0 MB        2097150   15.03s    110.6 MB
    Worst (100)            2.54E+30  14.34s     14.6 MB       N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

    Non-PO      NuSMV                              SPIN
    n           states    time       memory        states    time      memory
    2           70        0.11s      1.1 MB        70        <0.01s    1.5 MB
    3           488       0.57s      4.6 MB        488       <0.01s    1.5 MB
    4           3576      6.77s      10.6 MB       3576      0.10s     2.3 MB
    8           N/A¹                               N/A¹

    PO          NuSMV-ImProviso                    SPIN
    n           states    time       memory        states    time      memory
    2           48        0.10s      1.0 MB        48        0.02s     1.5 MB
    3           209       0.31s      3.0 MB        209       <0.01s    1.5 MB
    4           922       1.77s      10.4 MB       922       <0.01s    1.7 MB
    8           306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until...

                                                                    Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories


                                                                    • Model Checking and Related Techniques
                                                                    • Outline
                                                                    • Model Checking Introduction
                                                                    • Model Checking
                                                                    • Model of Concurrent Systems
                                                                    • Model of Concurrent Systems (Cont)
                                                                    • Temporal logics
                                                                    • Temporal logics (2)
                                                                    • CTL Examples
                                                                    • Fixpoint Algorithms
                                                                    • Model Checking Problem
                                                                    • Symbolic Model Checking
                                                                    • Symbolic Model Checking with BDDs
                                                                    • Ordered Binary Decision Trees and Diagrams
                                                                    • OBDD for Comparator Example
                                                                    • Variable Ordering Problem
                                                                    • Symbolic Model Checking Algorithm
                                                                    • Symbolic Model Checking (cont)
                                                                    • Symbolic Model Checking (cont) (2)
                                                                    • Problems with BDDs
                                                                    • Advantages of SAT Procedures
                                                                    • Bounded Model Checking
                                                                    • Main Advantages of SAT Approach
                                                                    • NuSMV A New Symbolic Model Verifier
                                                                    • NuSMV language by examples
                                                                    • Explicit Model Checking
                                                                    • Buumlchi Automata
                                                                    • Example
                                                                    • LTL and Buumlchi Automata
                                                                    • LTL Model Checking
                                                                    • Nested Depth First Search
                                                                    • Example (2)
                                                                    • Example (3)
                                                                    • Nested Depth First Search (2)
                                                                    • Nested Depth First Search (3)
                                                                    • Explicit Model Checking (2)
                                                                    • SPIN
                                                                    • SPIN Example of Peterson's Algorithm
                                                                    • Outline (2)
                                                                    • Partial Order Reduction
                                                                    • The State Explosion Problem
                                                                    • Partial Order Reduction (2)
                                                                    • Partial Order Reduction (Cont)
                                                                    • Partial Order Reduction (Cont) (2)
                                                                    • Compositional Reasoning
                                                                    • Abstraction
                                                                    • Cone of Influence Reduction
                                                                    • Cone of Influence Reduction (2)
                                                                    • Data Abstraction
                                                                    • Data Abstraction Example
                                                                    • Symmetry
                                                                    • Model Written in SPIN
                                                                    • Symmetry Reduction Example
                                                                    • Outline (3)
                                                                    • PAT Process Analysis Toolkit
                                                                    • PAT Workflow Diagram
                                                                    • Fairness Assumptions
                                                                    • Specifying Fairness
                                                                    • Outline (4)
                                                                    • Comparison NuSMV-ImProviso and SPIN
                                                                    • Comparison Leader Election Protocol
                                                                    • Comparison PAT SPIN and FDR
                                                                    • Comparison Conclusion
                                                                    • Outline (5)
                                                                    • Conclusion
                                                                    • Model Checking Distributed Algorithms
                                                                    • Model Checking Distributed Algorithms (2)

Nested Depth First Search

procedure DFS2(s, seed)
    visited2 = visited2 ∪ {s}
    for each successor s' of s
        if s' = seed then
            return "Cycle Detect"
        end if
        if s' ∉ visited2 then
            DFS2(s', seed)
        end if
    end for
end procedure
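As an added example (not from the slides), the two-phase search in Python: dfs1 explores the product graph and, in post-order, starts the DFS2 above from each accepting seed, so the returned lasso is the counterexample an LTL model checker would report. The product graph and accepting set are constructed for illustration.

```python
"""Nested depth-first search for an accepting cycle (added example)."""

from typing import Dict, List, Optional, Set

Graph = Dict[int, List[int]]   # state -> successor states of the product

# Constructed product of a system and a Büchi automaton for the negated
# property; not taken from the slides.  State 2 is accepting and lies on the
# cycle 2 -> 3 -> 2, so the property has a counterexample (a lasso).
PRODUCT: Graph = {0: [1], 1: [2], 2: [3], 3: [2, 4], 4: []}
ACCEPTING: Set[int] = {2}


def nested_dfs(graph: Graph, init: int, accepting: Set[int]) -> Optional[List[int]]:
    """Return a lasso init ... seed ... seed through an accepting state, or None.

    DFS1 visits states in post-order; when it finishes an accepting state it
    runs the slide's DFS2 from that seed, which reports a cycle as soon as it
    reaches the seed again.  visited2 is shared between all DFS2 runs, which
    is what keeps the whole search linear in the size of the product.
    """
    visited1: Set[int] = set()
    visited2: Set[int] = set()
    prefix: List[int] = []           # DFS1 stack: the path from init to the seed
    lasso: List[List[int]] = []      # filled in by dfs2 on success

    def dfs2(s: int, seed: int, cycle: List[int]) -> bool:
        visited2.add(s)
        for succ in graph.get(s, []):
            if succ == seed:
                lasso.append(prefix + cycle + [succ])
                return True
            if succ not in visited2 and dfs2(succ, seed, cycle + [succ]):
                return True
        return False

    def dfs1(s: int) -> bool:
        visited1.add(s)
        prefix.append(s)
        for succ in graph.get(s, []):
            if succ not in visited1 and dfs1(succ):
                return True
        # Post-order: only now start the second search from an accepting seed.
        if s in accepting and dfs2(s, s, []):
            return True
        prefix.pop()
        return False

    dfs1(init)
    return lasso[0] if lasso else None


if __name__ == "__main__":
    print(nested_dfs(PRODUCT, 0, ACCEPTING))   # [0, 1, 2, 3, 2]
```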

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system: it can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);
    ncrit++;
ss:
    assert(ncrit == 1);    /* critical section */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);
    ncrit++;
    assert(ncrit == 1);    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}
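An added example, not from the slides or from SPIN: an exhaustive interleaving check of the two processes above in Python, together with a constructed NAIVE variant (look at the other flag first, then set your own) that shows how the same search produces a counterexample trace when mutual exclusion fails. The step-per-statement granularity mirrors the Promela statements; everything else is an assumption of this example.

```python
"""Exhaustive interleaving check of the slide's Peterson model (added example)."""

from collections import deque
from typing import Dict, List, Optional, Tuple

# Global state = (pc of user0, pc of user1, flag[0], flag[1], turn, ncrit).
State = Tuple[int, int, int, int, int, int]

# Each Promela statement of the slide's user0/user1 is one atomic step; the
# list index is the program counter and "goto again" wraps around to 0.
PETERSON: List[str] = [
    "flag[i] = 1", "turn = i", "(flag[1-i] == 0 || turn == 1-i)",
    "ncrit++", "assert(ncrit == 1)", "ncrit--", "flag[i] = 0",
]
# Constructed flawed variant (not on the slide): look at the other flag first
# and set our own afterwards.  This check-then-act race is exactly what the
# turn variable in Peterson's algorithm removes.
NAIVE: List[str] = [
    "(flag[1-i] == 0)", "flag[i] = 1", "skip",
    "ncrit++", "assert(ncrit == 1)", "ncrit--", "flag[i] = 0",
]
ASSERT_PC = 4   # index of assert(ncrit == 1) in both programs


def step(prog: List[str], s: State, i: int) -> Optional[State]:
    """Execute process i's current statement; None if it is blocked."""
    pc, flag = [s[0], s[1]], [s[2], s[3]]
    turn, ncrit = s[4], s[5]
    other = 1 - i
    stmt = prog[pc[i]]
    if stmt == "flag[i] = 1":
        flag[i] = 1
    elif stmt == "turn = i":
        turn = i
    elif stmt == "(flag[1-i] == 0 || turn == 1-i)":
        if not (flag[other] == 0 or turn == other):
            return None               # a false condition statement blocks
    elif stmt == "(flag[1-i] == 0)":
        if flag[other] != 0:
            return None
    elif stmt == "ncrit++":
        ncrit += 1
    elif stmt == "ncrit--":
        ncrit -= 1
    elif stmt == "flag[i] = 0":
        flag[i] = 0
    # "assert(ncrit == 1)" and "skip" do not change any variable
    pc[i] = (pc[i] + 1) % len(prog)
    return (pc[0], pc[1], flag[0], flag[1], turn, ncrit)


def trace(parent: Dict[State, Optional[Tuple[State, int]]], s: State,
          prog: List[str]) -> List[str]:
    """Replay the BFS parent links into a readable counterexample."""
    steps = []
    while parent[s] is not None:
        prev, i = parent[s]
        steps.append(f"user{i}: {prog[prev[i]]}")
        s = prev
    return steps[::-1]


def check(prog: List[str]) -> Dict[str, object]:
    """Breadth-first search over every interleaving of the two processes.

    Returns the number of states generated and, if some process is about to
    execute assert(ncrit == 1) while ncrit != 1, the shortest trace to it.
    """
    init: State = (0, 0, 0, 0, 0, 0)
    parent: Dict[State, Optional[Tuple[State, int]]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for i in (0, 1):
            if s[i] == ASSERT_PC and s[5] != 1:
                return {"states": len(parent), "violation": trace(parent, s, prog)}
        for i in (0, 1):
            t = step(prog, s, i)
            if t is not None and t not in parent:
                parent[t] = (s, i)
                queue.append(t)
    return {"states": len(parent), "violation": None}


if __name__ == "__main__":
    print(check(PETERSON))   # 'violation': None
    print(check(NAIVE))      # an 8-step interleaving with both processes in the critical section
```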

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states
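An added example (not from the slides) of the counts above: n independent transitions explored with every interleaving versus a single representative ordering. The system (one private flag per process) and the one-transition ample set are constructed for illustration.

```python
"""State explosion from interleaving, with and without partial order reduction
(added example, not from the slides)."""

from typing import Callable, FrozenSet, Iterable, Set, Tuple

# Constructed system: n processes, each with a single transition that sets its
# own private flag.  The transitions touch disjoint variables, so any two of
# them commute: executing them in either order reaches the same state.
# A global state is the set of processes whose transition has already fired.
State = FrozenSet[int]
Ample = Callable[[State, int], Iterable[int]]


def enabled(s: State, n: int) -> Iterable[int]:
    return (p for p in range(n) if p not in s)


def fire(s: State, p: int) -> State:
    return s | {p}


def explore(n: int, ample: Ample) -> Tuple[int, int]:
    """DFS of the state graph, following only the transitions `ample` selects.
    Returns (states generated, transitions generated)."""
    init: State = frozenset()
    seen: Set[State] = {init}
    stack = [init]
    edges = 0
    while stack:
        s = stack.pop()
        for p in ample(s, n):
            edges += 1
            t = fire(s, p)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen), edges


def full(s: State, n: int) -> Iterable[int]:
    """No reduction: every enabled transition, i.e. every interleaving."""
    return enabled(s, n)


def reduced(s: State, n: int) -> Iterable[int]:
    """Ample set of a single transition.  This is a sound choice here because
    every transition is independent of all others and invisible to a property
    that does not mention their order, so one representative ordering stands
    for all n! interleavings (the 'model checking using representatives' view)."""
    first = next(iter(enabled(s, n)), None)
    return [] if first is None else [first]


def count_interleavings(n: int) -> int:
    """Number of complete orderings in the full graph, counted as paths from
    the initial to the final state by memoised DP; it equals n!."""
    memo = {}

    def paths(s: State) -> int:
        if len(s) == n:
            return 1
        if s not in memo:
            memo[s] = sum(paths(fire(s, p)) for p in enabled(s, n))
        return memo[s]

    return paths(frozenset())


if __name__ == "__main__":
    for n in (3, 4, 10):
        # orderings, (states, edges) without reduction, (states, edges) with it
        print(n, count_interleavings(n), explore(n, full), explore(n, reduced))
```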

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions, which result in the same state whichever order they are executed in
• Thus, this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification for such a system can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. Infinite state → Finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A Simple LTL property:

    (F (~ v1))        v1 will eventually become False

Cone of Influence Reduction (reduced model):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
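An added example, not from the slides: computing the cone of influence of the model above and checking F(~v1) on both the full model and the reduced one, which is the equivalence the previous slide states. The example keeps the assignment of every variable in the cone (v3 included); the synchronous-update reading of "repeat forever in parallel", the treatment of the unassigned v6 as a free input, and the unconstrained initial states are assumptions of this example.

```python
"""Cone of influence reduction on the slide's model (added example)."""

from itertools import product
from typing import Dict, Iterable, List, Set, Tuple

# The slide's model: each assigned variable's next value is the AND of the
# variables on its right-hand side (v1 = v2 is a one-operand AND).  v6 is read
# but never assigned, so it is a free input that may change at every step.
MODEL: Dict[str, List[str]] = {
    "v1": ["v2"],
    "v2": ["v1", "v3"],
    "v3": ["v1", "v2"],
    "v4": ["v5", "v3"],
    "v5": ["v4", "v6"],
}

State = Tuple[Tuple[str, bool], ...]   # sorted (variable, value) pairs


def cone_of_influence(model: Dict[str, List[str]], vars_of_interest: Set[str]) -> Set[str]:
    """Least set C containing V such that whenever x is in C, every variable
    that x's assignment reads is in C too (a transitive-closure fixpoint)."""
    cone = set(vars_of_interest)
    work = list(vars_of_interest)
    while work:
        x = work.pop()
        for dep in model.get(x, []):      # free inputs read nothing
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(model: Dict[str, List[str]], cone: Set[str]) -> Dict[str, List[str]]:
    """Keep the assignment of every variable in the cone and drop the rest."""
    return {x: deps for x, deps in model.items() if x in cone}


def variables(model: Dict[str, List[str]]) -> List[str]:
    names = set(model)
    for deps in model.values():
        names.update(deps)
    return sorted(names)


def successors(model: Dict[str, List[str]], s: State) -> Iterable[State]:
    """'Repeat forever in parallel': all assigned variables update at once;
    each free input independently takes either value."""
    cur = dict(s)
    inputs = [v for v in variables(model) if v not in model]
    for choice in product([False, True], repeat=len(inputs)):
        nxt = {x: all(cur[d] for d in deps) for x, deps in model.items()}
        nxt.update(zip(inputs, choice))
        yield tuple(sorted(nxt.items()))


def eventually_false(model: Dict[str, List[str]], var: str) -> bool:
    """Check F(~var) over every path from every initial state.  It fails iff
    some execution keeps var True forever, i.e. the subgraph of var=True
    states contains a cycle; that cycle is found with a colouring DFS."""
    names = variables(model)
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[State, int] = {}

    def on_cycle(s: State) -> bool:
        colour[s] = GREY
        for t in successors(model, s):
            if not dict(t)[var]:
                continue              # leaves the var=True subgraph
            c = colour.get(t, WHITE)
            if c == GREY or (c == WHITE and on_cycle(t)):
                return True
        colour[s] = BLACK
        return False

    for vals in product([False, True], repeat=len(names)):
        s: State = tuple(zip(names, vals))
        if dict(s)[var] and colour.get(s, WHITE) == WHITE and on_cycle(s):
            return False
    return True


if __name__ == "__main__":
    cone = cone_of_influence(MODEL, {"v1"})
    small = reduce_model(MODEL, cone)
    print(cone, small)
    # Both models give the same verdict for F(~v1), as the theorem promises.
    print(eventually_false(MODEL, "v1"), eventually_false(small, "v1"))   # False False
```

Both verdicts are False because the all-true state maps to itself, so v1 can stay true forever; the reduced model finds the same counterexample with three variables instead of six.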

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: x : int is abstracted to {Even, Odd}: …, -3, -1, 1, 3, … ↦ Odd and …, -2, 0, 2, 4, … ↦ Even; y : int is abstracted to {Pos, Neg, Zero}: 1, 2, 3, … ↦ Pos; …, -3, -2, -1 ↦ Neg; 0 ↦ Zero]

Symmetry

• Symmetry partitions the state-space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

#define N 0    /* non-critical; the three state constants are assumed, they are not shown on the slide */
#define T 1    /* trying */
#define C 2    /* critical */

byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; token values 1 and 2 name the processes as in the state graph */
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
}

Symmetry Reduction Example

[Figure: state graph and reduced state graph of the two-process token model; each node is labelled with the local state of process 1 and process 2 (N, T or C) and the token holder]

State graph (12 states):
    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states):
    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1
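An added example (not from the slides) that builds the state graph above from the Promela model and applies the process-swap symmetry as a canonicalisation during the search, so the reduced graph is exactly the six tok=1 states. It assumes process ids 1 and 2 with the guard tok == pid, as the graph is labelled.

```python
"""Symmetry reduction on the slide's two-process token model (added example)."""

from collections import deque
from typing import Callable, Iterable, Set, Tuple

N, T, C = "N", "T", "C"                  # non-critical, trying, critical
# Global state = (local state of process 1, local state of process 2, tok).
# Assumption: processes are numbered 1 and 2 as in the slide's state graph, so
# the guard reads tok == pid (SPIN's _pid would be 0 and 1).
State = Tuple[str, str, int]
INIT: State = (N, N, 1)


def successors(s: State) -> Iterable[State]:
    """One step of either process, following the do-loop of the Promela model."""
    tok = s[2]
    for pid in (1, 2):
        idx = pid - 1
        local = [s[0], s[1]]
        if local[idx] == N:
            local[idx] = T
            yield (local[0], local[1], tok)
        elif local[idx] == T and tok == pid:
            local[idx] = C
            yield (local[0], local[1], tok)
        elif local[idx] == C:
            local[idx] = N
            for new_tok in (1, 2):           # the non-deterministic if ... fi
                yield (local[0], local[1], new_tok)


def swap(s: State) -> State:
    """The symmetry: exchange the two processes and renumber the token."""
    return (s[1], s[0], 3 - s[2])


def canonical(s: State) -> State:
    """Orbit representative: the member of {s, swap(s)} in which process 1
    holds the token, which is how the slide draws the reduced graph."""
    return s if s[2] == 1 else swap(s)


def explore(rep: Callable[[State], State]) -> Set[State]:
    """BFS that stores rep(t) instead of t, so one state stands for its orbit.
    This is sound because swap is an automorphism of the transition relation."""
    start = rep(INIT)
    seen: Set[State] = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            r = rep(t)
            if r not in seen:
                seen.add(r)
                queue.append(r)
    return seen


def full_state_graph() -> Set[State]:
    return explore(lambda s: s)          # identity: no reduction


def reduced_state_graph() -> Set[State]:
    return explore(canonical)


def mutual_exclusion(states: Iterable[State]) -> bool:
    """Safety property preserved by the reduction: never both in C."""
    return not any(s[0] == C and s[1] == C for s in states)


if __name__ == "__main__":
    print(len(full_state_graph()), len(reduced_state_graph()))   # 12 6
```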

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles Fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

                                                                      PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                   SPIN
                          states     time       memory      states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB     435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB      568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB     945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB     8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB      2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB      NA¹
Worst (3)                 15         0.04s      0.3 MB      15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB      2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB     NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO                    NuSMV                             SPIN
n                         states     time       memory      states     time       memory
2                         70         0.11s      1.1 MB      70         <0.01s     1.5 MB
3                         488        0.57s      4.6 MB      488        <0.01s     1.5 MB
4                         3576       6.77s      10.6 MB     3576       0.10s      2.3 MB
8                         NA¹                               NA¹

PO                        NuSMV-ImProviso                   SPIN
n                         states     time       memory      states     time       memory
2                         48         0.10s      1.0 MB      48         0.02s      1.5 MB
3                         209        0.31s      3.0 MB      209        <0.01s     1.5 MB
4                         922        1.77s      10.4 MB     922        <0.01s     1.7 MB
8                         306903     3553.86s   381.8 MB    306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                      Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                      • Model Checking and Related Techniques
                                                                      • Outline
                                                                      • Model Checking Introduction
                                                                      • Model Checking
                                                                      • Model of Concurrent Systems
                                                                      • Model of Concurrent Systems (Cont)
                                                                      • Temporal logics
                                                                      • Temporal logics (2)
                                                                      • CTL Examples
                                                                      • Fixpoint Algorithms
                                                                      • Model Checking Problem
                                                                      • Symbolic Model Checking
                                                                      • Symbolic Model Checking with BDDs
                                                                      • Ordered Binary Decision Trees and Diagrams
                                                                      • OBDD for Comparator Example
                                                                      • Variable Ordering Problem
                                                                      • Symbolic Model Checking Algorithm
                                                                      • Symbolic Model Checking (cont)
                                                                      • Symbolic Model Checking (cont) (2)
                                                                      • Problems with BDDs
                                                                      • Advantages of SAT Procedures
                                                                      • Bounded Model Checking
                                                                      • Main Advantages of SAT Approach
                                                                      • NuSMV A New Symbolic Model Verifier
                                                                      • NuSMV language by examples
                                                                      • Explicit Model Checking
                                                                      • Buumlchi Automata
                                                                      • Example
                                                                      • LTL and Buumlchi Automata
                                                                      • LTL Model Checking
                                                                      • Nested Depth First Search
                                                                      • Example (2)
                                                                      • Example (3)
                                                                      • Nested Depth First Search (2)
                                                                      • Nested Depth First Search (3)
                                                                      • Explicit Model Checking (2)
                                                                      • SPIN
                                                                      • SPIN Example of Petersonrsquos Algorithm
                                                                      • Outline (2)
                                                                      • Partial Order Reduction
                                                                      • The State Explosion Problem
                                                                      • Partial Order Reduction (2)
                                                                      • Partial Order Reduction (Cont)
                                                                      • Partial Order Reduction (Cont) (2)
                                                                      • Compositional Reasoning
                                                                      • Abstraction
                                                                      • Cone of Influence Reduction
                                                                      • Cone of Influence Reduction (2)
                                                                      • Data Abstraction
                                                                      • Data Abstraction Example
                                                                      • Symmetry
                                                                      • Model Written in SPIN
                                                                      • Symmetry Reduction Example
                                                                      • Outline (3)
                                                                      • PAT Process Analysis Toolkit
                                                                      • PAT Workflow Diagram
                                                                      • Fairness Assumptions
                                                                      • Specifying Fairness
                                                                      • Outline (4)
                                                                      • Comparison NuSMV-ImProviso and SPIN
                                                                      • Comparison Leader Election Protocol
                                                                      • Comparison PAT SPIN and FDR
                                                                      • Comparison Conclusion
                                                                      • Outline (5)
                                                                      • Conclusion
                                                                      • Model Checking Distributed Algorithms
                                                                      • Model Checking Distributed Algorithms (2)

Explicit Model Checking

• Avoids constructing the entire state space of the modeled system; the exploration can be done on-the-fly
• Some states are not generated in the product
• A counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition

SPIN

• Explicit state model checker
• Process algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested depth first search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial order reduction

SPIN Example of Peterson's Algorithm

    bool turn, flag[2];
    byte ncrit;

    active proctype user0()
    {
    again:
        flag[0] = 1;
    reach:
        turn = 0;
    cs:
        (flag[1 - 0] == 0 || turn == 1 - 0);   /* blocks until the guard holds */
        ncrit++;
    ss:
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[0] = 0;
        goto again
    }

    active proctype user1()
    {
    again:
        flag[1] = 1;
    reach:
        turn = 1;
    cs:
        (flag[1 - 1] == 0 || turn == 1 - 1);   /* blocks until the guard holds */
        ncrit++;
        assert(ncrit == 1);                     /* critical section */
        ncrit--;
        flag[1] = 0;
        goto again
    }
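The on-the-fly point made on the Explicit Model Checking slide, applied to the Peterson model above, as an added example in Python (not code from the slides or from SPIN). The two Promela processes are encoded as a small transition function and every interleaving is explored breadth-first; the `assert(ncrit == 1)` is checked in each state as it is generated, so a violation is reported before the whole state space has been searched. The program-counter names, `step` and `explore` are my own; `turn_first` is a constructed variant with the two writes swapped, included only to show what a counterexample looks like.

```python
"""Explicit-state reachability check of the Peterson model (added example)."""
from collections import deque

# Program-counter values of one process, mirroring the Promela statements:
# again: flag[i] = 1, reach: turn = i, cs: wait on the guard, then ncrit++,
# ss: assert(ncrit == 1), ncrit--, flag[i] = 0, goto again
AGAIN, REACH, CS, INCR, ASSERT, DECR, RESET = range(7)
INITIAL = ((AGAIN, AGAIN), (0, 0), 0, 0)   # (pcs, flag, turn, ncrit)


def step(state, pid, turn_first=False):
    """Successor when process `pid` executes its next statement, or None if
    it is blocked at the `cs` guard."""
    pcs, flag, turn, ncrit = state
    pcs, flag = list(pcs), list(flag)
    pc, other = pcs[pid], 1 - pid
    if pc == AGAIN:
        if turn_first:
            turn = pid            # constructed bug: turn written before flag
        else:
            flag[pid] = 1
        pcs[pid] = REACH
    elif pc == REACH:
        if turn_first:
            flag[pid] = 1
        else:
            turn = pid
        pcs[pid] = CS
    elif pc == CS:
        if not (flag[other] == 0 or turn == other):
            return None           # guard false: the process waits
        pcs[pid] = INCR
    elif pc == INCR:
        ncrit += 1
        pcs[pid] = ASSERT
    elif pc == ASSERT:
        pcs[pid] = DECR           # the assertion itself is checked in explore()
    elif pc == DECR:
        ncrit -= 1
        pcs[pid] = RESET
    elif pc == RESET:
        flag[pid] = 0
        pcs[pid] = AGAIN          # goto again
    return (tuple(pcs), tuple(flag), turn, ncrit)


def explore(turn_first=False, check=True):
    """Breadth-first search from INITIAL. Returns (ok, states_seen, trace):
    ok is False and trace is the counterexample path as soon as a state has
    a process at the assert with ncrit != 1; with check=False the whole
    state space is enumerated instead."""
    seen = {INITIAL}
    queue = deque([(INITIAL, [INITIAL])])
    while queue:
        state, trace = queue.popleft()
        pcs, _, _, ncrit = state
        if check and ASSERT in pcs and ncrit != 1:
            return False, len(seen), trace
        for pid in (0, 1):
            nxt = step(state, pid, turn_first)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [nxt]))
    return True, len(seen), None


if __name__ == "__main__":
    ok, n, _ = explore()
    print("Peterson: mutual exclusion holds:", ok, "over", n, "states")
    ok, n, trace = explore(turn_first=True)
    print("turn-before-flag variant: holds:", ok, "; violation reported after",
          n, "states, trace length", len(trace))
```

For the correct model the search exhausts the state space and reports success; for the swapped-write variant the search stops at the first state in which both processes sit inside the critical section, having generated fewer states than the full enumeration would, which is the "counterexample before searching all states" property of explicit-state checkers.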

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions, which result in the same state
• Thus this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
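The n! orderings / 2^n states count from the State Explosion slide and the commutativity argument of the last three slides, carried out in a small interleaving explorer with a persistent-set style reduction. This is an added Python example, not the slides' or SPIN's algorithm: processes are straight-line lists of transitions that declare the variables they read and write, two transitions commute when neither writes a variable the other touches, and where a process's next transition commutes with everything the other processes may still do, only that process is expanded. The `transition`, `explore`, `local_writers` and `shared_counter` names and both toy models are constructed.

```python
"""Interleaving explorer with a simple partial order reduction (added example)."""


def transition(name, reads, writes, fn):
    """fn maps a variable environment (dict) to the updated environment."""
    return (name, frozenset(reads), frozenset(writes), fn)


def independent(a, b):
    """Two transitions commute if neither writes a variable the other reads
    or writes; executing them in either order yields the same state."""
    _, ra, wa, _ = a
    _, rb, wb, _ = b
    return not (wa & (rb | wb)) and not (wb & (ra | wa))


def explore(procs, init, reduce=False):
    """Return the set of reachable states; a state is (program counters,
    sorted variable valuation). With reduce=True a process whose next
    transition is independent of all remaining transitions of the other
    processes is expanded alone (a singleton persistent set)."""
    start = (tuple(0 for _ in procs), tuple(sorted(init.items())))
    seen, stack = {start}, [start]
    while stack:
        pcs, valuation = stack.pop()
        enabled = [p for p, pc in enumerate(pcs) if pc < len(procs[p])]
        expand = enabled
        if reduce:
            for p in enabled:
                t = procs[p][pcs[p]]
                others = [u for q in enabled if q != p for u in procs[q][pcs[q]:]]
                if all(independent(t, u) for u in others):
                    expand = [p]          # the other orderings add nothing
                    break
        for p in expand:
            fn = procs[p][pcs[p]][3]
            new_pcs = pcs[:p] + (pcs[p] + 1,) + pcs[p + 1:]
            nxt = (new_pcs, tuple(sorted(fn(dict(valuation)).items())))
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def terminal_valuations(procs, states):
    """Valuations of the states in which every process has finished."""
    return {v for pcs, v in states
            if all(pc == len(procs[p]) for p, pc in enumerate(pcs))}


def local_writers(n):
    """n processes, each doing one private write x_i = 1 (constructed)."""
    def setter(i):
        return lambda env: {**env, f"x{i}": 1}
    procs = [[transition(f"set_x{i}", [], [f"x{i}"], setter(i))] for i in range(n)]
    return procs, {f"x{i}": 0 for i in range(n)}


def shared_counter():
    """Two processes racing on one variable (constructed): nothing commutes,
    so the reduction must keep every interleaving."""
    procs = [[transition("inc", ["x"], ["x"], lambda e: {**e, "x": e["x"] + 1})],
             [transition("dbl", ["x"], ["x"], lambda e: {**e, "x": e["x"] * 2})]]
    return procs, {"x": 1}


if __name__ == "__main__":
    procs, init = local_writers(4)
    print("4 independent transitions: full", len(explore(procs, init)),
          "states, reduced", len(explore(procs, init, reduce=True)))
```

With four independent local writes the full graph has 2^4 = 16 states and the reduced one 4 + 1 = 5, while the set of final valuations is identical; for the two transitions on a shared variable the reduction leaves the 5-state graph untouched, because `inc` and `dbl` do not commute and both final values (3 and 4) must be preserved.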

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold of the individual sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee paradigm
  – Verify each sub-process separately, adding assumptions about the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| of the sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    F (~v1)        v1 will eventually become False

After cone of influence reduction (only the variables that v1 depends on, directly or transitively, are kept):

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
    End
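The reduction on the two slides above, computed rather than done by hand, as an added Python example (not from the slides). The dependency lists are read off the update equations, the cone of influence of {v1} is the closure under "is read by the update of", and the <f, M> iff <f, N> claim is checked for f = F(~v1) over every initial valuation: since the model is deterministic, F(~v1) is decided by following the single synchronous run until it repeats a state. `MODEL` is my encoding of the slide's system; v6 has no update equation on the slide and is assumed here to keep its initial value.

```python
"""Cone-of-influence reduction of a synchronous Boolean system (added example)."""
from itertools import product

# variable -> (variables its update reads, update function on the old state)
MODEL = {
    "v1": (["v2"],       lambda s: s["v2"]),
    "v2": (["v1", "v3"], lambda s: s["v1"] and s["v3"]),
    "v3": (["v1", "v2"], lambda s: s["v1"] and s["v2"]),
    "v4": (["v5", "v3"], lambda s: s["v5"] and s["v3"]),
    "v5": (["v4", "v6"], lambda s: s["v4"] and s["v6"]),
    "v6": (["v6"],       lambda s: s["v6"]),   # assumption: v6 is constant
}


def cone_of_influence(model, vars_of_interest):
    """Least set containing vars_of_interest and closed under the
    'read by the update of' relation."""
    cone, work = set(vars_of_interest), list(vars_of_interest)
    while work:
        for dep in model[work.pop()][0]:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(model, cone):
    """The reduced model N: only the equations of variables in the cone."""
    return {v: eq for v, eq in model.items() if v in cone}


def step(model, state):
    """Synchronous update: every variable reads the old state."""
    return {v: bool(fn(state)) for v, (_, fn) in model.items()}


def eventually_false(model, init, var):
    """Decide F(~var) on the run from init (the model is deterministic, so
    the run is unique and F(~var) fails iff it loops without var falling)."""
    state, seen = dict(init), set()
    while True:
        key = tuple(sorted(state.items()))
        if key in seen:
            return False
        if not state[var]:
            return True
        seen.add(key)
        state = step(model, state)


def verdicts_agree(model=MODEL, var="v1"):
    """<f, M> iff <f, N> for f = F(~var), checked for every initial state."""
    small = reduce_model(model, cone_of_influence(model, [var]))
    for bits in product([False, True], repeat=len(model)):
        init = dict(zip(model, bits))
        projected = {v: init[v] for v in small}
        if eventually_false(model, init, var) != eventually_false(small, projected, var):
            return False
    return True


if __name__ == "__main__":
    cone = cone_of_influence(MODEL, ["v1"])
    print("cone of influence of v1:", sorted(cone))
    print("reduced model keeps:", sorted(reduce_model(MODEL, cone)))
    print("verdicts agree on all 64 initial states:", verdicts_agree())
```

Note that the cone of {v4} is the whole system, because v4 reads v5, which reads v6, and v3 pulls in v1 and v2; the reduction pays off only for properties over variables with few transitive dependencies.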

Data Abstraction

[Figure: the abstraction function h : S → S' maps each concrete state in S to an abstract state in S'; several concrete states share one abstract image]

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

[Figure: two component abstractions]

    x : int  →  { Even, Odd }        Even = { …, -2, 0, 2, 4, … }    Odd = { …, -3, -1, 1, 3, … }
    y : int  →  { Neg, Zero, Pos }   Neg = { …, -3, -2, -1 }    Zero = { 0 }    Pos = { 1, 2, 3, … }
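The two component abstractions pictured above, applied to a concrete model, as an added Python example (not from the slides). `h` maps x to its parity and y to its sign exactly as in the figure; the abstract transition relation is the existential abstraction of a constructed concrete step (x, y) → (x + 1, y − 1) on a bounded range, and the example exhibits the loss of precision the Abstraction slide lists as a disadvantage: the abstract model admits a run in which y stays positive forever, which no concrete run has, so a property that holds concretely gets a spurious counterexample. The bounds, the step, and the names `can_avoid_forever` and `spurious_counterexample` are my own.

```python
"""Component-wise data abstraction and a spurious counterexample (added example)."""

RANGE = range(-3, 4)          # constructed bounds for x and y


def h(state):
    """Abstraction function h : S -> S', applied component-wise."""
    x, y = state
    parity = "Even" if x % 2 == 0 else "Odd"
    sign = "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")
    return (parity, sign)


def concrete_successors(state):
    """Constructed concrete step: x counts up, y counts down, until a bound."""
    x, y = state
    return [(x + 1, y - 1)] if x < RANGE[-1] and y > RANGE[0] else []


def concrete_transitions():
    return {((x, y), s2) for x in RANGE for y in RANGE
            for s2 in concrete_successors((x, y))}


def abstract_transitions():
    """Existential abstraction: (h(s), h(s')) for every concrete s -> s'."""
    return {(h(s), h(s2)) for s, s2 in concrete_transitions()}


def can_avoid_forever(transitions, start, bad):
    """True if the graph has an infinite path from start that never visits a
    'bad' state, i.e. a counterexample to F bad. On a finite graph that is
    a cycle reachable through non-bad states only (DFS with a path set)."""
    succ = {}
    for a, b in transitions:
        succ.setdefault(a, []).append(b)
    if bad(start):
        return False
    on_path, done = set(), set()

    def dfs(u):
        on_path.add(u)
        for v in succ.get(u, []):
            if bad(v) or v in done:
                continue
            if v in on_path or dfs(v):
                return True
        on_path.discard(u)
        done.add(u)
        return False

    return dfs(start)


def spurious_counterexample():
    """Property F (y == Zero) from (-3, 3): returns (holds concretely,
    holds abstractly). The abstraction loses the fact that y decreases."""
    concrete_ok = not can_avoid_forever(concrete_transitions(), (-3, 3),
                                        lambda s: s[1] == 0)
    abstract_ok = not can_avoid_forever(abstract_transitions(), h((-3, 3)),
                                        lambda a: a[1] == "Zero")
    return concrete_ok, abstract_ok


if __name__ == "__main__":
    print("h(2, -1) =", h((2, -1)))
    print("(concrete holds, abstract holds) =", spurious_counterexample())
```

Every concrete transition has an abstract image, so the abstraction is sound for universal properties: what holds of the abstract model holds of the concrete one. The converse fails, as the (Odd, Pos) → (Even, Pos) → (Odd, Pos) cycle shows; that is the "false negative" of the slide, and it is what refinement loops exist to remove.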

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    byte tok = 1;

    /* N, T, C: not trying, trying, critical. The slide does not show
       their definitions; the constants below are assumed. */
    #define N 0
    #define T 1
    #define C 2

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph (left) and reduced state graph (right); a state is written as the states of process 1 and process 2 plus the token holder; the edges of the figure are not preserved in this transcript]

State-graph (12 states):

    N1 N2, tok=1    N1 N2, tok=2
    N1 T2, tok=1    T1 N2, tok=2
    T1 N2, tok=1    N1 T2, tok=2
    T1 T2, tok=1    T1 T2, tok=2
    C1 N2, tok=1    N1 C2, tok=2
    C1 T2, tok=1    T1 C2, tok=2

Reduced state-graph (6 states, one representative per equivalence class):

    N1 N2, tok=1
    N1 T2, tok=1    T1 N2, tok=1
    T1 T2, tok=1
    C1 N2, tok=1
    C1 T2, tok=1
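The token model above explored with and without symmetry reduction, as an added Python example (not code from the slides or from SPIN) that reproduces the 12-state and 6-state graphs of the figure. The figure numbers the processes 1 and 2, so the token test is taken here as `tok == pid` with pid in {1, 2}, and leaving the critical section together with the token choice is treated as one step; both are assumptions made to match the pictured graph. Swapping the two processes together with the token value is an automorphism of the model, so one representative per orbit (the state with tok == 1) suffices. The names `successors`, `canonical` and `explore` are my own.

```python
"""Symmetry reduction of the two-process token model (added example)."""

N, T, C = "N", "T", "C"      # not trying, trying, critical


def _update(s, i, value, tok):
    s = list(s)
    s[i] = value
    return (s[0], s[1], tok)


def successors(state):
    """state = (state of process 1, state of process 2, tok); one Promela
    option of one process per step."""
    s, tok = list(state[:2]), state[2]
    out = []
    for i in (0, 1):
        pid = i + 1                        # assumption: processes are 1 and 2
        if s[i] == N:                      # (state == N) -> state = T
            out.append(_update(s, i, T, tok))
        elif s[i] == T and tok == pid:     # (state == T) && (tok == pid) -> state = C
            out.append(_update(s, i, C, tok))
        elif s[i] == C:                    # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            for new_tok in (1, 2):
                out.append(_update(s, i, N, new_tok))
    return out


def canonical(state):
    """Orbit representative under the process/token swap: the copy with
    tok == 1. Swapping process roles and the token value preserves the
    transition relation, so states in one orbit satisfy the same
    symmetric properties."""
    s1, s2, tok = state
    return state if tok == 1 else (s2, s1, 1)


def explore(initial=(N, N, 1), canon=lambda s: s):
    """Reachable states; pass canon=canonical to search one state per
    equivalence class, as the Symmetry slide describes."""
    start = canon(initial)
    seen, stack = {start}, [start]
    while stack:
        for nxt in successors(stack.pop()):
            rep = canon(nxt)
            if rep not in seen:
                seen.add(rep)
                stack.append(rep)
    return seen


if __name__ == "__main__":
    print("full state graph:", len(explore()), "states")
    print("reduced state graph:", len(explore(canon=canonical)), "states")
```

The reduced search stores only the representative of each class and canonicalizes every successor before the visited-set lookup; that canonicalization step is the "efficient exploitation" the slide refers to, and for larger symmetry groups computing a cheap canonical form is the hard part.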

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

                                                                        PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states     time      memory      states     time      memory
    Migratory Protocol (2) 155040     108.63s   56.3 MB     435456     2.34s     42.8 MB
    Stable Marriage (2)    710        0.84s     7.3 MB      568        <0.01s    1.5 MB
    Stable Marriage (3)    1275       2.72s     10.4 MB     945        <0.01s    1.5 MB
    Stable Marriage (5)    10351      31.56s    30.0 MB     8421       0.03s     2.1 MB
    Best (7)               15         0.06s     0.7 MB      2187       0.03s     1.5 MB
    Best (20)              41         0.34s     5.7 MB      N/A¹
    Worst (3)              15         0.04s     0.3 MB      15         <0.01s    1.5 MB
    Worst (20)             2097150    0.36s     5.0 MB      2097150    15.03s    110.6 MB
    Worst (100)            2.54E+30   14.34s    14.6 MB     N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

         NuSMV                            SPIN
         states     time      memory      states     time      memory
    2    70         0.11s     1.1 MB      70         <0.01s    1.5 MB
    3    488        0.57s     4.6 MB      488        <0.01s    1.5 MB
    4    3576       6.77s     10.6 MB     3576       0.10s     2.3 MB
    8    N/A¹                             N/A¹

With partial order reduction (PO):

         NuSMV-ImProviso                  SPIN
         states     time      memory      states     time      memory
    2    48         0.10s     1.0 MB      48         0.02s     1.5 MB
    3    209        0.31s     3.0 MB      209        <0.01s    1.5 MB
    4    922        1.77s     10.4 MB     922        <0.01s    1.7 MB
    8    306903     3553.86s  381.8 MB    306903     11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                        Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                        • Model Checking and Related Techniques
                                                                        • Outline
                                                                        • Model Checking Introduction
                                                                        • Model Checking
                                                                        • Model of Concurrent Systems
                                                                        • Model of Concurrent Systems (Cont)
                                                                        • Temporal logics
                                                                        • Temporal logics (2)
                                                                        • CTL Examples
                                                                        • Fixpoint Algorithms
                                                                        • Model Checking Problem
                                                                        • Symbolic Model Checking
                                                                        • Symbolic Model Checking with BDDs
                                                                        • Ordered Binary Decision Trees and Diagrams
                                                                        • OBDD for Comparator Example
                                                                        • Variable Ordering Problem
                                                                        • Symbolic Model Checking Algorithm
                                                                        • Symbolic Model Checking (cont)
                                                                        • Symbolic Model Checking (cont) (2)
                                                                        • Problems with BDDs
                                                                        • Advantages of SAT Procedures
                                                                        • Bounded Model Checking
                                                                        • Main Advantages of SAT Approach
                                                                        • NuSMV A New Symbolic Model Verifier
                                                                        • NuSMV language by examples
                                                                        • Explicit Model Checking
                                                                        • Buumlchi Automata
                                                                        • Example
                                                                        • LTL and Buumlchi Automata
                                                                        • LTL Model Checking
                                                                        • Nested Depth First Search
                                                                        • Example (2)
                                                                        • Example (3)
                                                                        • Nested Depth First Search (2)
                                                                        • Nested Depth First Search (3)
                                                                        • Explicit Model Checking (2)
                                                                        • SPIN
                                                                        • SPIN Example of Petersonrsquos Algorithm
                                                                        • Outline (2)
                                                                        • Partial Order Reduction
                                                                        • The State Explosion Problem
                                                                        • Partial Order Reduction (2)
                                                                        • Partial Order Reduction (Cont)
                                                                        • Partial Order Reduction (Cont) (2)
                                                                        • Compositional Reasoning
                                                                        • Abstraction
                                                                        • Cone of Influence Reduction
                                                                        • Cone of Influence Reduction (2)
                                                                        • Data Abstraction
                                                                        • Data Abstraction Example
                                                                        • Symmetry
                                                                        • Model Written in SPIN
                                                                        • Symmetry Reduction Example
                                                                        • Outline (3)
                                                                        • PAT Process Analysis Toolkit
                                                                        • PAT Workflow Diagram
                                                                        • Fairness Assumptions
                                                                        • Specifying Fairness
                                                                        • Outline (4)
                                                                        • Comparison NuSMV-ImProviso and SPIN
                                                                        • Comparison Leader Election Protocol
                                                                        • Comparison PAT SPIN and FDR
                                                                        • Comparison Conclusion
                                                                        • Outline (5)
                                                                        • Conclusion
                                                                        • Model Checking Distributed Algorithms
                                                                        • Model Checking Distributed Algorithms (2)

SPIN

• Explicit State Model Checker
• Process Algebra
  – Asynchronous composition of independent processes
  – Communication using channels and global variables
  – Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction

SPIN Example of Peterson's Algorithm

bool turn, flag[2];
byte ncrit;          /* number of processes currently in the critical section */

active proctype user0()
{
again:
    flag[0] = 1;
reach:
    turn = 0;
cs:
    (flag[1 - 0] == 0 || turn == 1 - 0);   /* block until the other side is out or it is our turn */
    ncrit++;
ss:
    assert(ncrit == 1);                    /* critical section: never more than one process here */
    ncrit--;
    flag[0] = 0;
    goto again
}

active proctype user1()
{
again:
    flag[1] = 1;
reach:
    turn = 1;
cs:
    (flag[1 - 1] == 0 || turn == 1 - 1);
    ncrit++;
    assert(ncrit == 1);                    /* critical section */
    ncrit--;
    flag[1] = 0;
    goto again
}


Partial Order Reduction

• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
• The ordering between independent transitions is largely meaningless

The State Explosion Problem

• Allowing all possible orderings is a potential cause of the state explosion problem
• To see this, consider n transitions that can be executed concurrently
• In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
• If the specification does not distinguish between these sequences, it is beneficial to consider only one, with n + 1 states

Partial Order Reduction

• The partial order reduction is aimed at reducing the size of the state space that needs to be searched
• It exploits the commutativity of concurrently executed transitions which result in the same state
• Thus, this reduction technique is best suited for asynchronous systems
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors
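The counting argument of the state explosion slide, as an added example that is not part of the original deck: n pairwise independent transitions are explored once with full interleaving and once with a single representative ordering, and the state and ordering counts are compared with 2^n / n! and n + 1 / 1. The model (one local bit per transition) is constructed here for illustration.

```python
"""Added example: full interleaving versus one representative ordering for n
independent transitions.  Each transition only sets its own bit, so any two of
them commute; a specification that ignores their order cannot tell the reduced
graph from the full one."""
from math import factorial


def fire(state, i):
    """Transition i sets bit i and touches nothing else."""
    s = list(state)
    s[i] = True
    return tuple(s)


def enabled(state):
    """Transitions that have not fired yet."""
    return [i for i, done in enumerate(state) if not done]


def count_orderings(state, choose):
    """Number of maximal execution sequences from `state` under policy `choose`."""
    en = enabled(state)
    if not en:
        return 1
    return sum(count_orderings(fire(state, i), choose) for i in choose(state, en))


def explore(n, choose):
    """DFS over the model; `choose(state, enabled)` picks the transitions expanded
    in each state.  Returns (number of states, number of complete orderings)."""
    start = tuple([False] * n)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for i in choose(s, enabled(s)):
            t = fire(s, i)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen), count_orderings(start, choose)


def full_interleaving(state, en):
    """Expand every enabled transition: the unreduced state graph."""
    return en


def single_representative(state, en):
    """Expand one enabled transition only.  Sound here because all transitions are
    mutually independent and invisible to an order-insensitive specification."""
    return en[:1]


def compare(n):
    """Counts for both explorations next to the values claimed on the slide."""
    return {
        "full": explore(n, full_interleaving),
        "reduced": explore(n, single_representative),
        "expected_full": (2 ** n, factorial(n)),
        "expected_reduced": (n + 1, 1),
    }


if __name__ == "__main__":
    for n in (3, 5, 8):
        print(n, compare(n))
```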

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately by adding assumptions on the sub-process
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction (example)

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6
  End

A simple LTL property: F(~v1), i.e. v1 will eventually become False.

After cone of influence reduction with respect to the variables of the property:

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
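The reduction on the slide's six-variable system, as an added example that is not part of the original deck: the cone of {v1} is computed as a fixpoint over the variables each equation reads, the reduced model keeps only those equations, and F(~v1) is evaluated on both models from every initial state to confirm the verdicts agree. The system is written here as a dictionary of next-state equations; v6 has no equation on the slide, so it is assumed to keep its value.

```python
"""Added example: cone-of-influence reduction on the slide's synchronous system.
The update functions below are a transcription of the slide's equations; v6 is
assumed to be a free input that holds its value (the slide gives it no equation)."""
from itertools import product

# var -> (variables read by its equation, next-state function of the old state)
FULL_MODEL = {
    "v1": (("v2",),       lambda s: s["v2"]),
    "v2": (("v1", "v3"),  lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"),  lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"),  lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"),  lambda s: s["v4"] and s["v6"]),
    "v6": (("v6",),       lambda s: s["v6"]),   # assumed: no equation on the slide
}


def cone_of_influence(model, observed):
    """Least fixpoint: start from the variables the property mentions and add every
    variable read by an equation already in the cone."""
    cone = set(observed)
    changed = True
    while changed:
        changed = False
        for v in list(cone):
            for dep in model[v][0]:
                if dep not in cone:
                    cone.add(dep)
                    changed = True
    return frozenset(cone)


def reduce_model(model, cone):
    """The reduced model N: the same equations, restricted to the cone."""
    return {v: eq for v, eq in model.items() if v in cone}


def step(model, state):
    """One synchronous step: every equation reads the old state, all write at once."""
    return {v: bool(upd(state)) for v, (_, upd) in model.items()}


def eventually_not(model, state, var):
    """F(~var) on the single run from `state`.  The system is deterministic, so the
    run is a lasso and the check terminates once a state repeats."""
    seen = set()
    while True:
        if not state[var]:
            return True
        key = tuple(sorted(state.items()))
        if key in seen:
            return False        # looped without ever making var false
        seen.add(key)
        state = step(model, state)


def all_initial_states(variables):
    """Every Boolean assignment to the given variables."""
    for bits in product((False, True), repeat=len(variables)):
        yield dict(zip(variables, bits))


def verdicts_agree(full_model, observed, var):
    """Check F(~var) on M and on N from every initial state of M.
    Returns (cone, number of initial states checked, whether all verdicts agreed)."""
    cone = cone_of_influence(full_model, observed)
    reduced = reduce_model(full_model, cone)
    checked, agree = 0, True
    for s in all_initial_states(sorted(full_model)):
        projected = {v: s[v] for v in cone}
        agree &= eventually_not(full_model, s, var) == eventually_not(reduced, projected, var)
        checked += 1
    return cone, checked, agree


if __name__ == "__main__":
    cone, n, ok = verdicts_agree(FULL_MODEL, {"v1"}, "v1")
    print(sorted(cone), n, ok)
```

Note that the property is not valid: from the initial state where v1, v2 and v3 are all true the reduced model stays there forever, and the full model gives the same counterexample.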

Data Abstraction

Abstraction function h: S → S'. The figure on the slide shows several concrete states of S being mapped by h onto a single abstract state of S'.

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  – x: int → {Even, Odd}: … -3, -1, 1, 3 … ↦ Odd; … -2, 0, 2, 4 … ↦ Even
  – y: int → {Neg, Zero, Pos}: … -3, -2, -1 ↦ Neg; 0 ↦ Zero; 1, 2, 3 … ↦ Pos

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

#define N 0   /* local states; the definitions are not shown on the slide */
#define T 1
#define C 2

byte tok = 1;

active [2] proctype user()
{
    byte state = N;
    do
    :: (state == N) -> state = T                        /* request entry */
    :: (state == T) && (tok == _pid + 1) -> state = C   /* enter only while holding the token;
                                                           _pid is 0-based in SPIN, tok is 1 or 2 */
    :: (state == C) -> state = N;                       /* leave, then pass the token on */
       if
       :: tok = 1
       :: tok = 2
       fi
    od
}

Symmetry Reduction Example

State graph (12 reachable states, tok ∈ {1, 2}):

  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (one representative per equivalence class, tok=1):

  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1

Each state in the right-hand column of the full graph is the mirror image of the state on its left: the two processes are swapped and the token renamed.
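The token model and its two state graphs, as an added example that is not part of the original deck: a small explicit-state explorer for the two-process model of the "Model Written in SPIN" slide, run once without and once with symmetry reduction. The symmetry is the swap of the two processes together with renaming the token, and the representative of each class is the member holding tok == 1, so the reduced search should find exactly the six states of the reduced graph.

```python
"""Added example: explicit-state exploration of the two-process token model with
and without symmetry reduction.  A state is (state of process 1, state of
process 2, tok); the transitions follow the Promela do-loop of the slide."""

N, T, C = "N", "T", "C"
PIDS = (1, 2)
INITIAL = (N, N, 1)


def successors(state):
    """Interleaving semantics: exactly one process moves per step."""
    locals_, tok = list(state[:2]), state[2]
    out = []
    for idx, pid in enumerate(PIDS):
        st = locals_[idx]
        if st == N:                       # request entry
            nxt = locals_.copy(); nxt[idx] = T
            out.append((*nxt, tok))
        elif st == T and tok == pid:      # enter only while holding the token
            nxt = locals_.copy(); nxt[idx] = C
            out.append((*nxt, tok))
        elif st == C:                     # leave and pass the token non-deterministically
            nxt = locals_.copy(); nxt[idx] = N
            for new_tok in PIDS:
                out.append((*nxt, new_tok))
    return out


def swap(state):
    """The symmetry: exchange the two processes and rename the token (1 <-> 2)."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative: the member of {state, swap(state)} holding tok == 1."""
    return state if state[2] == 1 else swap(state)


def explore(rep=lambda s: s):
    """DFS over reachable states; `rep` maps every state to the representative that
    is stored and expanded (identity: full graph, `canonical`: reduced graph).
    Returns (set of stored states, number of transitions examined)."""
    start = rep(INITIAL)
    seen, stack = {start}, [start]
    edges = 0
    while stack:
        s = stack.pop()
        for t in successors(s):
            edges += 1
            t = rep(t)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen, edges


def mutual_exclusion_holds(states):
    """Safety check on whichever graph was explored: never both processes in C."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)


if __name__ == "__main__":
    full, _ = explore()
    reduced, _ = explore(canonical)
    print(len(full), len(reduced))       # 12 6, as on the slide
    print(sorted(reduced))
```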


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended Process Algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle Fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

                                                                          PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                     SPIN
                         states     time      memory         states     time      memory
Migratory Protocol (2)   155040     108.63s   56.3 MB        435456     2.34s     42.8 MB
Stable Marriage (2)      710        0.84s     7.3 MB         568        <0.01s    1.5 MB
Stable Marriage (3)      1275       2.72s     10.4 MB        945        <0.01s    1.5 MB
Stable Marriage (5)      10351      31.56s    30.0 MB        8421       0.03s     2.1 MB
Best (7)                 15         0.06s     0.7 MB         2187       0.03s     1.5 MB
Best (20)                41         0.34s     5.7 MB         N/A (1)
Worst (3)                15         0.04s     0.3 MB         15         <0.01s    1.5 MB
Worst (20)               2097150    0.36s     5.0 MB         2097150    15.03s    110.6 MB
Worst (100)              2.54E+30   14.34s    14.6 MB        N/A (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO):

       NuSMV                               SPIN
  n    states    time      memory          states    time      memory
  2    70        0.11s     1.1 MB          70        <0.01s    1.5 MB
  3    488       0.57s     4.6 MB          488       <0.01s    1.5 MB
  4    3576      6.77s     10.6 MB         3576      0.10s     2.3 MB
  8    N/A (1)                             N/A (1)

With partial order reduction (PO):

       NuSMV-ImProviso                     SPIN
  n    states    time      memory          states    time      memory
  2    48        0.10s     1.0 MB          48        0.02s     1.5 MB
  3    209       0.31s     3.0 MB          209       <0.01s    1.5 MB
  4    922       1.77s     10.4 MB         922       <0.01s    1.7 MB
  8    306903    3553.86s  381.8 MB        306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                          Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems


Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


                                                                            SPIN Example of Petersonrsquos Algorithm

                                                                            bool turn flag[2]byte ncrit

                                                                            active proctype user0()again

                                                                            flag[0] = 1reach turn = 0cs (flag[1 - 0] == 0 || turn == 1 - 0)

                                                                            ncrit++ss assert(ncrit == 1) critical section

                                                                            ncrit--

                                                                            flag[0] = 0goto again

                                                                            active proctype user1()again

                                                                            flag[1] = 1reach turn = 1cs (flag[1 - 1] == 0 || turn == 1 - 1)

                                                                            ncrit++assert(ncrit == 1) critical section ncrit--

                                                                            flag[1] = 0goto again

Outline

  • Model Checking Techniques
    – Introduction to MC
    – Symbolic Model Checking
    – Bounded Model Checking
    – Explicit Model Checking
  • Tackle the State Space Explosion
    – Partial Order Reduction
    – Compositional Reasoning
    – Abstraction
    – Symmetry
  • PAT: Process Analysis Toolkit
  • Performance Comparison
  • Conclusion

Partial Order Reduction

  • The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily
  • To avoid discriminating against any particular ordering, the events are interleaved in all possible ways
  • The ordering between independent transitions is largely meaningless

The State Explosion Problem

  • Allowing all possible orderings is a potential cause of the state explosion problem
  • To see this, consider n transitions that can be executed concurrently
  • In this case there are n! different orderings and 2^n different states (one for each subset of the transitions)
  • If the specification does not distinguish between these sequences, it is beneficial to consider only one of them, with n + 1 states
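The counting argument above, as an added Python example written for this page (not the presenter's code): n constructed processes each fire one transition that only writes its own bit, so every pair of transitions is independent. Exploring all interleavings reaches 2^n states along n! complete orderings; exploring only one representative enabled transition per state, which is sound here because the transitions are independent and the property does not observe them, visits n + 1 states and still satisfies the same end-state property. The model, the "lowest-numbered transition" representative rule and the property check are assumptions of this example.

```python
from math import factorial

# Constructed toy model (not from the slides): n processes, each owning one bit
# that its single transition flips from 0 to 1. A global state is a tuple of
# bits; the transitions write disjoint variables, so they are pairwise independent.

def successors(state):
    """Full interleaving semantics: fire any transition that has not fired yet."""
    return [state[:i] + (1,) + state[i + 1:] for i, bit in enumerate(state) if bit == 0]

def representative_successor(state):
    """Reduced semantics: when every enabled transition is independent of every
    other one (and invisible to the property), exploring a single one of them is
    a sound representative of all interleavings. Here we take the lowest-numbered."""
    return successors(state)[:1]

def explore(initial, next_states):
    """Depth-first reachability over the graph defined by next_states."""
    seen, stack = {initial}, [initial]
    while stack:
        s = stack.pop()
        for t in next_states(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def full_state_count(n):
    """Reachable states under full interleaving: one per subset of fired transitions, 2**n."""
    return len(explore((0,) * n, successors))

def reduced_state_count(n):
    """Reachable states when only one interleaving is explored: n + 1."""
    return len(explore((0,) * n, representative_successor))

def count_orderings(n):
    """Complete executions of the full graph, counted by DFS; equals n!."""
    def paths_from(state):
        nxt = successors(state)
        return 1 if not nxt else sum(paths_from(t) for t in nxt)
    return paths_from((0,) * n)

def all_transitions_eventually_fire(states, next_states):
    """Property that does not distinguish orderings: every terminal state has
    all bits set. It holds on the full graph and on the reduced one alike."""
    return all(all(s) for s in states if not next_states(s))

if __name__ == "__main__":
    for n in (3, 5, 7):
        print(n, full_state_count(n), reduced_state_count(n),
              count_orderings(n), factorial(n))
```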

Partial Order Reduction

  • The partial order reduction is aimed at reducing the size of the state space that needs to be searched
  • It exploits the commutativity of concurrently executed transitions which result in the same state
  • Thus this reduction technique is best suited for asynchronous systems
  • (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont)

  • The method consists of constructing a reduced state graph
  • The full state graph, which may be too big to fit in memory, is never constructed
  • The behaviors of the reduced graph are a subset of the behaviors of the full state graph
  • The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont)

  • The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
  • However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors

Compositional Reasoning

  • Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the individual sub-processes
    – Communication protocol: a sender, a network and a receiver
  • Assume-Guarantee Paradigm
    – Verify each sub-process separately, adding assumptions about the sub-processes it interacts with
    – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| sub-processes)

Abstraction

  • Eliminate details irrelevant to the property
  • Obtain simple finite models sufficient to verify the property
    – E.g. infinite state → finite state approximation
  • Disadvantage
    – Loss of precision: false positives/negatives
  • Approaches
    – Cone of influence reduction
    – Data abstraction

Cone of Influence Reduction

  • If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the model reduced with respect to C

Cone of Influence Reduction

  A Simple System Model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
      v1 = v2
      v2 = v1 & v3
      v3 = v1 & v2
      v4 = v5 & v3
      v5 = v4 & v6
    End

  A Simple LTL property:

    F (~v1)        -- v1 will eventually become False

  Cone of Influence Reduction (the cone of {v1} is {v1, v2, v3}):

    Boolean v1, v2, v3
    Repeat forever in parallel
      v1 = v2
      v2 = v1 & v3
      v3 = v1 & v2
    End
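Computing the cone for the system above, as an added Python example written for this page (not the presenter's code): the system is encoded as a map from each assigned variable to the text of its update expression, v6 has no assignment and is treated as a free input, and the cone is the transitive closure of "is read by the update of". For F(~v1) the cone is {v1, v2, v3} and the reduced model keeps exactly the updates of those variables; asking about v4 instead pulls in every variable, so there the reduction gains nothing. The encoding, the variable-name pattern and the rendering helper are assumptions of this example.

```python
import re

# Constructed encoding of the slide's system: each assigned variable maps to
# the text of its next-state expression. v6 is declared but never assigned,
# so it behaves as a free Boolean input.
DECLARED = ["v1", "v2", "v3", "v4", "v5", "v6"]
SYSTEM = {
    "v1": "v2",
    "v2": "v1 & v3",
    "v3": "v1 & v2",
    "v4": "v5 & v3",
    "v5": "v4 & v6",
}

def reads(expr):
    """Variables referenced by an update expression (names of the form v<digits>)."""
    return set(re.findall(r"\bv\d+\b", expr))

def cone_of_influence(system, variables):
    """Smallest set containing `variables` that is closed under 'the update of a
    variable in the set reads ...'. The formula's variables depend, step by step,
    only on variables inside this set, so everything outside it can be dropped."""
    cone, work = set(variables), list(variables)
    while work:
        v = work.pop()
        for dep in reads(system.get(v, "")):   # unassigned inputs read nothing
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone

def reduce_model(system, declared, formula_vars):
    """Reduced model N: only the declarations and updates of cone variables."""
    cone = cone_of_influence(system, formula_vars)
    return ([v for v in declared if v in cone],
            {v: e for v, e in system.items() if v in cone})

def render(declared, system):
    """Print a model in the slide's pseudo-language for side-by-side comparison."""
    lines = ["Boolean " + " ".join(declared), "Repeat forever in parallel"]
    lines += [f"  {v} = {e}" for v, e in system.items()]
    lines.append("End")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(DECLARED, SYSTEM))
    print()
    print(render(*reduce_model(SYSTEM, DECLARED, {"v1"})))   # property F(~v1)
    print(sorted(cone_of_influence(SYSTEM, {"v4"})))         # every variable
```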

Data Abstraction

  Abstraction function h: S → S'
  (figure: concrete states in S are mapped by h onto abstract states in S')

Data Abstraction Example

  • Abstraction proceeds component-wise, where variables are components

    x: int  →  {Even, Odd}
      Even: … -2, 0, 2, 4 …
      Odd:  … -3, -1, 1, 3 …

    y: int  →  {Neg, Zero, Pos}
      Neg:  … -3, -2, -1
      Zero: 0
      Pos:  1, 2, 3 …

Symmetry

  • Symmetry partitions the state space into equivalence classes
  • Knowledge of symmetry: search only 1 state per equivalence class
  • Need techniques for
    – Symmetry detection
    – Efficient exploitation of symmetry
  • Ideally both should be fully automatic
  • Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };   /* local states: non-critical, trying, critical */
  byte tok = 1;

  active [2] proctype user()
  {
      mtype state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid + 1) -> state = C   /* the state graph numbers the processes 1 and 2; _pid is 0 or 1 */
      :: (state == C) -> state = N;
         if                                                /* hand the token to either process */
         :: tok = 1
         :: tok = 2
         fi
      od
  }

Symmetry Reduction Example

  State graph (figure; 12 states, listed with their symmetric counterparts):
    N1 N2 (tok=1)    N1 N2 (tok=2)
    N1 T2 (tok=1)    T1 N2 (tok=2)
    T1 N2 (tok=1)    N1 T2 (tok=2)
    T1 T2 (tok=1)    T1 T2 (tok=2)
    C1 N2 (tok=1)    N1 C2 (tok=2)
    C1 T2 (tok=1)    T1 C2 (tok=2)

  Reduced state graph (figure; 6 states, one representative per equivalence class):
    N1 N2 (tok=1)
    N1 T2 (tok=1)
    T1 N2 (tok=1)
    T1 T2 (tok=1)
    C1 N2 (tok=1)
    C1 T2 (tok=1)
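The two-process token model and its reduced graph, as an added Python example written for this page (not the slide's Promela or any PAT/SPIN output): a state is (tok, local state of process 1, local state of process 2), the token is compared with the 1-based process number as in the diagram, and leaving the critical section is folded into a single C → N step that hands the token to either process. Full exploration reaches the 12 states of the left graph; canonicalising each state to the least member of its orbit under swapping the two processes (and renaming the token holder accordingly) reaches the 6 representatives of the right graph, all with tok = 1. Mutual exclusion is checked on both graphs to show the reduced search preserves the property. The tuple encoding, the folding of the release step and the canonical-form rule are assumptions of this example.

```python
from itertools import permutations

# Constructed Python rendering of the slide's two-process token model (not the
# slide's Promela). A state is (tok, s1, s2): the token holder and the local
# state of processes 1 and 2. Releasing the critical section is folded into one
# C -> N step that hands the token to either process, matching the picture.
N, T, C = "N", "T", "C"
INITIAL = (1, N, N)

def move(state, i, new_local, new_tok=None):
    s = list(state)
    s[i] = new_local          # slot i is process i, because slot 0 holds tok
    if new_tok is not None:
        s[0] = new_tok
    return tuple(s)

def successors(state):
    tok = state[0]
    out = []
    for i, local in enumerate(state[1:], start=1):
        if local == N:                        # request entry
            out.append(move(state, i, T))
        elif local == T and tok == i:         # enter only while holding the token
            out.append(move(state, i, C))
        elif local == C:                      # leave and pass the token on
            out.extend(move(state, i, N, new_tok) for new_tok in (1, 2))
    return out

def canonical(state):
    """Least image of `state` under all renamings of process identities.
    A renaming pi moves process i's local state to slot pi(i) and renames the
    token holder the same way; the images of a state form its equivalence class."""
    tok, locals_ = state[0], state[1:]
    n = len(locals_)
    images = []
    for pi in permutations(range(n)):
        renamed = [None] * n
        for i, local in enumerate(locals_):
            renamed[pi[i]] = local
        images.append((pi[tok - 1] + 1, *renamed))
    return min(images)

def explore(initial, represent=lambda s: s):
    """Reachability; with represent=canonical only one state per class is kept."""
    start = represent(initial)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in map(represent, successors(s)):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def mutual_exclusion_holds(states):
    """Safety property: never both processes in C at once."""
    return all(s[1:].count(C) <= 1 for s in states)

if __name__ == "__main__":
    full, reduced = explore(INITIAL), explore(INITIAL, canonical)
    print(len(full), len(reduced))                                   # 12 6
    print(mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
    print(sorted(reduced))
```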

Outline

  • Model Checking Techniques
    – Introduction to MC
    – Symbolic Model Checking
    – Bounded Model Checking
    – Explicit Model Checking
  • Tackle the State Space Explosion
    – Partial Order Reduction
    – Compositional Reasoning
    – Abstraction
    – Symmetry
  • PAT: Process Analysis Toolkit
  • Performance Comparison
  • Conclusion

PAT: Process Analysis Toolkit

  • An interactive system to support composing, simulating and reasoning about extended process algebra
  • Modeling
    – Extended CSP (Communicating Sequential Processes)
    – LTL
  • Model Checkers
    – Explicit Model Checker
    – Bounded Model Checker
  • Features
    – Handles fairness together with partial order reduction
    – Bounded model checking of process algebra

                                                                            PAT Workflow Diagram

Fairness Assumptions

  • Fairness properties state that if something is possible sufficiently often, then it must eventually happen
  • deadlock-freeness: FALSE
  • non-starvation: FALSE

Specifying Fairness

  • Let e be an event/action
  • A weak fair event is written as wf(e)
  • A strong fair event is written as sf(e)

Outline

  • Model Checking Techniques
    – Introduction to MC
    – Symbolic Model Checking
    – Bounded Model Checking
    – Explicit Model Checking
  • Tackle the State Space Explosion
    – Partial Order Reduction
    – Compositional Reasoning
    – Abstraction
    – Symmetry
  • PAT: Process Analysis Toolkit
  • Performance Comparison
  • Conclusion

Comparison: NuSMV-ImProviso and SPIN

                           NuSMV-ImProviso                      SPIN
                           states     time       memory         states     time       memory
  Migratory Protocol (2)   155040     108.63s    56.3 MB        435456     2.34s      42.8 MB
  Stable Marriage (2)      710        0.84s      7.3 MB         568        <0.01s     1.5 MB
  Stable Marriage (3)      1275       2.72s      10.4 MB        945        <0.01s     1.5 MB
  Stable Marriage (5)      10351      31.56s     30.0 MB        8421       0.03s      2.1 MB
  Best (7)                 15         0.06s      0.7 MB         2187       0.03s      1.5 MB
  Best (20)                41         0.34s      5.7 MB         N/A
  Worst (3)                15         0.04s      0.3 MB         15         <0.01s     1.5 MB
  Worst (20)               2097150    0.36s      5.0 MB         2097150    15.03s     110.6 MB
  Worst (100)              2.54E+30   14.34s     14.6 MB        N/A

  • SPIN is faster if it can handle the example
  • NuSMV-ImProviso can handle more examples
  • NuSMV-ImProviso matches SPIN on Best / Worst

Comparison: Leader Election Protocol

  Without partial order reduction (Non-PO):

                NuSMV                              SPIN
     n          states     time        memory      states     time       memory
     2          70         0.11s       1.1 MB      70         <0.01s     1.5 MB
     3          488        0.57s       4.6 MB      488        <0.01s     1.5 MB
     4          3576       6.77s       10.6 MB     3576       0.10s      2.3 MB
     8          N/A                                N/A

  With partial order reduction (PO):

                NuSMV-ImProviso                    SPIN
     n          states     time        memory      states     time       memory
     2          48         0.10s       1.0 MB      48         0.02s      1.5 MB
     3          209        0.31s       3.0 MB      209        <0.01s     1.5 MB
     4          922        1.77s       10.4 MB     922        <0.01s     1.7 MB
     8          306903     3553.86s    381.8 MB    306903     11.82s     232.8 MB

  • Models of the same size in SMV and Promela
  • Same reduction
  • SPIN faster until…

                                                                            Comparison PAT SPIN and FDR

Comparison Conclusion

  • Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful
  • Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems

Outline

  • Model Checking Techniques
    – Introduction to MC
    – Symbolic Model Checking
    – Bounded Model Checking
    – Explicit Model Checking
  • Tackle the State Space Explosion
    – Partial Order Reduction
    – Equivalences and Pre-orders between Structures
    – Compositional Reasoning
    – Abstraction
    – Symmetry
  • PAT: Process Analysis Toolkit
  • Performance Comparison
  • Conclusion

Conclusion

  • Three ways to do model checking
    – Symbolic Model Checking
    – Bounded Model Checking
    – Explicit Model Checking
  • Various optimization techniques
    – Partial Order Reduction
    – Compositional Reasoning
    – Abstraction
    – Symmetry

Model Checking Distributed Algorithms

  • Summary of papers studied
    – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
    – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
    – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
    – Model Checking Transactional Memories

Model Checking Distributed Algorithms

  • Most suitable MC technique
    – Explicit Model Checking
    – Benefits
      • Better support for asynchronous communication
      • Better control of optimization techniques
      • Tools with better performance: SPIN or PAT (better support for fairness with POR)
  • Possible optimization techniques
    • Abstraction
    • Compositional Reasoning
    • Symmetry


                                                                              Outline

                                                                              bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                              bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                              bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                              Partial Order Reduction

                                                                              bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                                                              bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                                                              bull The ordering between independent transitions is largely meaningless

                                                                              The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                                              explosion problembull To see this consider n transitions that can be executed

                                                                              concurrentlybull In this case there are n different orderings and 2n different states

                                                                              (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                                              sequences it is beneficial to consider only one with n + 1 states

                                                                              Partial Order Reduction

                                                                              bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                                              bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                                              bull Thus this reduction technique is best suited for asynchronous systems

                                                                              bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

Partial Order Reduction (Cont.)

• The method consists of constructing a reduced state graph
• The full state graph, which may be too big to fit in memory, is never constructed
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph
• The justification of the reduction method shows that the behaviors that are not present do not add any information

Partial Order Reduction (Cont.)

• The name "partial order reduction" comes from early versions of the algorithms that were based on the partial order model of program execution
• However, the method can be described better as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors
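The counting argument of the State Explosion slide, carried out on a reduced and an unreduced search. This is an added example and not code from the slides; the transitions (each one sets its own flag) and the single-representative selection rule are constructed for illustration.

```python
"""Partial order reduction on n independent transitions (added example,
not from the slides). Transition i is enabled while flag i is clear and
sets it, so any two transitions commute. Exploring every interleaving
reaches 2^n states (one per subset of fired transitions) along n!
complete orderings; exploring one representative ordering reaches n + 1.
The reduced search takes, in each state, a single enabled transition that
commutes with every other enabled transition of that state (checked
explicitly). This is the simplest form of an ample set; the cycle
condition of the general method is not needed because this graph is acyclic.
"""
from math import factorial


def transitions(n):
    """List of (guard, effect) pairs: guard(s) -> bool, effect(s) -> s'."""
    return [(lambda s, i=i: not s[i],
             lambda s, i=i: s[:i] + (True,) + s[i + 1:]) for i in range(n)]


def enabled(trans, s):
    return [i for i, (guard, _) in enumerate(trans) if guard(s)]


def independent(trans, s, a, b):
    """a and b commute at s: neither disables the other, and firing them
    in either order yields the same state (the 'diamond' check)."""
    ga, fa = trans[a]
    gb, fb = trans[b]
    return gb(fa(s)) and ga(fb(s)) and fb(fa(s)) == fa(fb(s))


def ample(trans, s):
    """Transitions to explore from s: one transition that is independent
    of all other enabled ones, if such a transition exists, else all."""
    en = enabled(trans, s)
    for a in en:
        if all(independent(trans, s, a, b) for b in en if b != a):
            return [a]
    return en


def explore(n, reduced):
    """Depth-first search; returns the set of reachable states."""
    trans = transitions(n)
    init = (False,) * n
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for i in (ample(trans, s) if reduced else enabled(trans, s)):
            t = trans[i][1](s)
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def count_orderings(n):
    """Number of complete interleavings (maximal paths) in the full graph."""
    trans = transitions(n)

    def paths(s):
        en = enabled(trans, s)
        return 1 if not en else sum(paths(trans[i][1](s)) for i in en)

    return paths((False,) * n)


if __name__ == "__main__":
    n = 4
    print("orderings:", count_orderings(n), "= n! =", factorial(n))
    print("states, full search:", len(explore(n, False)), "= 2^n")
    print("states, reduced search:", len(explore(n, True)), "= n + 1")
```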

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specifications for such systems can be decomposed into properties that hold in the sub-processes
  – Communication protocol: a sender, a network and a receiver
• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the sub-processes it interacts with
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation
• Disadvantage
  – Loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C

Cone of Influence Reduction

A Simple System Model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2; v2 = v1 & v3; v3 = v1 & v2; v4 = v5 & v3; v5 = v4 & v6
  End

A Simple LTL property:

  (F (~v1))      -- v1 will eventually become False

Cone of Influence Reduction (the cone of influence of {v1} is {v1, v2, v3}: v1 reads v2, v2 reads v1 and v3, v3 reads v1 and v2; the assignments to v4 and v5 are dropped):

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2; v2 = v1 & v3; v3 = v1 & v2
  End
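The reduction on this slide, computed rather than done by hand: the cone of influence of {v1} is derived from the read-sets of the next-state functions, the reduced model is built from it, and F(~v1) is checked on both models. This is an added example, not code from the slides; it assumes synchronous parallel updates, an arbitrary initial valuation, and that the unassigned v6 keeps its value.

```python
"""Cone of influence reduction for the six-variable system on the slide,
plus a check of the LTL property F(~v1) on the full and the reduced model
(added example, not from the slides).

Assumptions: all variables update synchronously ("in parallel"), every
initial valuation is allowed, and a variable with no assignment (v6)
keeps its value. Since each state has exactly one successor, a path is a
lasso, and F(~v1) holds from a state iff v1 becomes False before the path
repeats a state.
"""
from itertools import product

# The slide's model: variable -> (variables its next-state function reads, function).
FULL_MODEL = {
    "v1": (("v2",), lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
    "v6": ((), lambda s: s["v6"]),   # never assigned on the slide: stays constant
}


def cone_of_influence(model, variables):
    """Smallest set C containing `variables` and closed under
    'the next-state function of v in C reads u' -> u in C."""
    cone, work = set(), list(variables)
    while work:
        v = work.pop()
        if v not in cone:
            cone.add(v)
            work.extend(model[v][0])
    return frozenset(cone)


def reduce_model(model, cone):
    """Keep only the assignments to variables inside the cone."""
    return {v: model[v] for v in model if v in cone}


def step(model, state):
    """One synchronous parallel update of every variable of the model."""
    return {v: model[v][1](state) for v in model}


def eventually_not_v1(model, init):
    """Does F(~v1) hold on the unique path starting at `init`?"""
    seen, s = set(), dict(init)
    while True:
        if not s["v1"]:
            return True
        key = tuple(sorted(s.items()))
        if key in seen:
            return False      # looped back with v1 still True on every state
        seen.add(key)
        s = step(model, s)


def violating_initial_states(model):
    """Initial valuations from which F(~v1) fails."""
    names = sorted(model)
    return [dict(zip(names, values))
            for values in product((False, True), repeat=len(names))
            if not eventually_not_v1(model, dict(zip(names, values)))]


def satisfies(model):
    """M |= F(~v1): the property holds from every initial state."""
    return not violating_initial_states(model)


if __name__ == "__main__":
    cone = cone_of_influence(FULL_MODEL, {"v1"})
    reduced = reduce_model(FULL_MODEL, cone)
    print("cone of influence of {v1}:", sorted(cone))
    print("full model satisfies F(~v1):", satisfies(FULL_MODEL))
    print("reduced model satisfies F(~v1):", satisfies(reduced))
    print("violations (reduced):", violating_initial_states(reduced))
```

Both models give the same verdict, as the theorem on the previous slide requires: F(~v1) fails exactly when v1, v2 and v3 all start True, and the values of v4, v5 and v6 never matter.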

Data Abstraction

(Figure: the abstraction function h: S → S' maps each concrete state in S to an abstract state in S'; several concrete states share one abstract state)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

(Figure)
  x: int → {Even, Odd}
    … -3, -1, 1, 3 …   ↦ Odd
    … -2, 0, 2, 4 …    ↦ Even
  y: int → {Pos, Neg, Zero}
    1, 2, 3 …          ↦ Pos
    … -3, -2, -1       ↦ Neg
    0                  ↦ Zero
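The two abstraction functions of this slide applied to a small program, to show the existential abstraction and the loss of precision mentioned on the Abstraction slide. This is an added example, not code from the slides; the concrete program (a loop that decrements y by 2 and increments x) is constructed for illustration.

```python
"""Data abstraction with the slide's component-wise abstraction functions
h_x: int -> {Even, Odd} and h_y: int -> {Pos, Neg, Zero} (added example,
not from the slides). The concrete program is a constructed one: from
x = 0, y = 4 it repeats 'while y > 0: y := y - 2; x := x + 1'.
The abstract model is the existential abstraction: a -> a' exists iff some
concrete state mapped to a steps to a state mapped to a'. Checking
'y never becomes negative' on it shows the loss of precision: the abstract
model reports a violation (a spurious counterexample) although the concrete
program is safe, while the parity component of x is abstracted exactly.
"""
from itertools import product


def h_x(x):
    return "Even" if x % 2 == 0 else "Odd"


def h_y(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")


def h(state):
    """Component-wise abstraction of a concrete state (x, y)."""
    return (h_x(state[0]), h_y(state[1]))


def concrete_step(state):
    """Concrete successors; none once the loop guard y > 0 fails."""
    x, y = state
    return [(x + 1, y - 2)] if y > 0 else []


def reachable(init, succ):
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def abstract_transitions(window=range(-8, 9)):
    """Existential abstraction of concrete_step, computed over a finite
    window of integers. For these transformers the window is exact: the
    three cases of y - 2 (y = 1, y = 2, y >= 3) and both parities of x
    all occur inside it, so no abstract transition is missed."""
    rel = set()
    for x, y in product(window, repeat=2):
        for t in concrete_step((x, y)):
            rel.add((h((x, y)), h(t)))
    return rel


def abstract_succ(rel):
    return lambda a: sorted(b for (p, b) in rel if p == a)


def concrete_safe(init=(0, 4)):
    """Concrete check of 'y never becomes negative'."""
    return all(y >= 0 for (_, y) in reachable(init, concrete_step))


def abstract_safe(init=(0, 4)):
    """The same property on the abstract model (an over-approximation)."""
    succ = abstract_succ(abstract_transitions())
    return all(ay != "Neg" for (_, ay) in reachable(h(init), succ))


def parity_exact(rel):
    """x := x + 1 flips parity, and every abstract transition keeps that."""
    return all(px != qx for ((px, _), (qx, _)) in rel)


if __name__ == "__main__":
    print("concrete model safe:", concrete_safe())
    print("abstract model safe:", abstract_safe())
    print("parity component exact:", parity_exact(abstract_transitions()))
```

Pos maps y = 1, 2, 3, ... to one abstract value, so the abstract transition Pos → Neg (the concrete step from y = 1) is present even though the concrete run from y = 4 only ever visits y = 4, 2, 0.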

Symmetry

• Symmetry partitions the state space into equivalence classes
• With knowledge of the symmetry, search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };        /* added: the slide leaves the three user states undeclared */
  byte tok = 1;

  active [2] proctype user() {
    mtype state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based for active processes;
                                                           the state graph numbers the users 1 and 2 */
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
  }

Symmetry Reduction Example

(Figure: state graph and reduced state graph; each node shows the state of user 1, the state of user 2 and the token holder)

State graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class, with tok=1):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
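The state graph and the reduced state graph of this slide, generated by explicit-state exploration of the two-user token model. This is an added example, not the slides' or SPIN's code; as in the slide's graph, leaving C and choosing the next token holder are treated as a single step.

```python
"""Explicit-state exploration of the two-user token model from the
'Model Written in SPIN' slide, with and without symmetry reduction
(added example, not from the slides).

A state is (state of user 1, state of user 2, tok). Following the slide's
state graph, leaving C and choosing the next token holder are one step.
The symmetry is the permutation that swaps the two users together with the
two token values; the representative of each orbit is the state in which
user 1 holds the token (tok == 1), so the reduced graph keeps one state
per orbit.
"""
N, T, C = "N", "T", "C"


def _with(states, i, new, tok):
    st = list(states)
    st[i] = new
    return (st[0], st[1], tok)


def successors(s):
    """Enabled transitions of the Promela model, tried for each user."""
    states, tok = s[:2], s[2]
    out = []
    for pid in (1, 2):
        i = pid - 1
        if states[i] == N:                        # N -> T, always enabled
            out.append(_with(states, i, T, tok))
        elif states[i] == T and tok == pid:       # T -> C only when holding the token
            out.append(_with(states, i, C, tok))
        elif states[i] == C:                      # C -> N and hand the token to 1 or 2
            out.append(_with(states, i, N, 1))
            out.append(_with(states, i, N, 2))
    return out


def swap(s):
    """The symmetry: exchange the two users and the two token values."""
    return (s[1], s[0], 3 - s[2])


def canonical(s):
    """Orbit representative: the state whose token holder is user 1."""
    return s if s[2] == 1 else swap(s)


def explore(reduce):
    """Return (states, edges) of the full or the symmetry-reduced graph."""
    init = (N, N, 1)
    rep = canonical if reduce else (lambda s: s)
    seen, edges, stack = {init}, set(), [init]
    while stack:
        s = stack.pop()
        for t in successors(s):
            t = rep(t)
            edges.add((s, t))
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen, edges


def mutual_exclusion(states):
    """Safety property: the two users are never in C at the same time."""
    return all(not (a == C and b == C) for (a, b, _) in states)


if __name__ == "__main__":
    full, _ = explore(reduce=False)
    reduced, _ = explore(reduce=True)
    print(len(full), "states in the full graph,", len(reduced), "after reduction")
    print("mutual exclusion holds:", mutual_exclusion(full), mutual_exclusion(reduced))
```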

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
Example                   states     time      memory        states     time      memory
Migratory Protocol (2)    155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
Stable Marriage (2)       710        0.84s     7.3 MB        568        <0.01s    1.5 MB
Stable Marriage (3)       1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
Stable Marriage (5)       10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
Best (7)                  15         0.06s     0.7 MB        2187       0.03s     1.5 MB
Best (20)                 41         0.34s     5.7 MB        N/A¹
Worst (3)                 15         0.04s     0.3 MB        15         <0.01s    1.5 MB
Worst (20)                2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
Worst (100)               2.54E+30   14.34s    14.6 MB       N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO)

       NuSMV                              SPIN
n      states     time       memory       states     time       memory
2      70         0.11s      1.1 MB       70         <0.01s     1.5 MB
3      488        0.57s      4.6 MB       488        <0.01s     1.5 MB
4      3576       6.77s      10.6 MB      3576       0.10s      2.3 MB
8      N/A¹                               N/A¹

With partial order reduction (PO)

       NuSMV-ImProviso                    SPIN
n      states     time       memory       states     time       memory
2      48         0.10s      1.0 MB       48         0.02s      1.5 MB
3      209        0.31s      3.0 MB       209        <0.01s     1.5 MB
4      922        1.77s      10.4 MB      922        <0.01s     1.7 MB
8      306903     3553.86s   381.8 MB     306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                              • Model Checking and Related Techniques
                                                                              • Outline
                                                                              • Model Checking Introduction
                                                                              • Model Checking
                                                                              • Model of Concurrent Systems
                                                                              • Model of Concurrent Systems (Cont)
                                                                              • Temporal logics
                                                                              • Temporal logics (2)
                                                                              • CTL Examples
                                                                              • Fixpoint Algorithms
                                                                              • Model Checking Problem
                                                                              • Symbolic Model Checking
                                                                              • Symbolic Model Checking with BDDs
                                                                              • Ordered Binary Decision Trees and Diagrams
                                                                              • OBDD for Comparator Example
                                                                              • Variable Ordering Problem
                                                                              • Symbolic Model Checking Algorithm
                                                                              • Symbolic Model Checking (cont)
                                                                              • Symbolic Model Checking (cont) (2)
                                                                              • Problems with BDDs
                                                                              • Advantages of SAT Procedures
                                                                              • Bounded Model Checking
                                                                              • Main Advantages of SAT Approach
                                                                              • NuSMV A New Symbolic Model Verifier
                                                                              • NuSMV language by examples
                                                                              • Explicit Model Checking
                                                                              • Buumlchi Automata
                                                                              • Example
                                                                              • LTL and Buumlchi Automata
                                                                              • LTL Model Checking
                                                                              • Nested Depth First Search
                                                                              • Example (2)
                                                                              • Example (3)
                                                                              • Nested Depth First Search (2)
                                                                              • Nested Depth First Search (3)
                                                                              • Explicit Model Checking (2)
                                                                              • SPIN
                                                                              • SPIN Example of Petersonrsquos Algorithm
                                                                              • Outline (2)
                                                                              • Partial Order Reduction
                                                                              • The State Explosion Problem
                                                                              • Partial Order Reduction (2)
                                                                              • Partial Order Reduction (Cont)
                                                                              • Partial Order Reduction (Cont) (2)
                                                                              • Compositional Reasoning
                                                                              • Abstraction
                                                                              • Cone of Influence Reduction
                                                                              • Cone of Influence Reduction (2)
                                                                              • Data Abstraction
                                                                              • Data Abstraction Example
                                                                              • Symmetry
                                                                              • Model Written in SPIN
                                                                              • Symmetry Reduction Example
                                                                              • Outline (3)
                                                                              • PAT Process Analysis Toolkit
                                                                              • PAT Workflow Diagram
                                                                              • Fairness Assumptions
                                                                              • Specifying Fairness
                                                                              • Outline (4)
                                                                              • Comparison NuSMV-ImProviso and SPIN
                                                                              • Comparison Leader Election Protocol
                                                                              • Comparison PAT SPIN and FDR
                                                                              • Comparison Conclusion
                                                                              • Outline (5)
                                                                              • Conclusion
                                                                              • Model Checking Distributed Algorithms
                                                                              • Model Checking Distributed Algorithms (2)

                                                                                Partial Order Reduction

                                                                                bull The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily

                                                                                bull To avoid discriminating against any particular ordering the events are interleaved in all possible ways

                                                                                bull The ordering between independent transitions is largely meaningless

                                                                                The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                                                explosion problembull To see this consider n transitions that can be executed

                                                                                concurrentlybull In this case there are n different orderings and 2n different states

                                                                                (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                                                sequences it is beneficial to consider only one with n + 1 states

                                                                                Partial Order Reduction

                                                                                bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                                                bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                                                bull Thus this reduction technique is best suited for asynchronous systems

                                                                                bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                                                                Partial Order Reduction (Cont)

                                                                                bull The method consists of constructing a reduced state graph

                                                                                bull The full state graph which may be too big to fit in memory is never constructed

                                                                                bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                                                bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                                                Partial Order Reduction (Cont)

                                                                                bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                                                bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                                                Compositional Reasoning

                                                                                bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                                                receiver bull Assume-Guarantee Paradigm

                                                                                ndash Verify each sub-process separately by adding assumptions on sub-process

                                                                                ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                                                Abstraction

                                                                                bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                                                propertyndash Eg Infinite state Finite state approximation

                                                                                bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                                                bull Approachesndash Cone of influence reductionndash Data abstraction

                                                                                Cone of Influence Reduction

                                                                                bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

Cone of Influence Reduction

A simple system model:

  Boolean v1, v2, v3, v4, v5, v6;
  Repeat forever in parallel
    v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;  v4 = v5 & v3;  v5 = v4 & v6;
  End

A simple LTL property:

  F (~v1)        v1 will eventually become False

The property refers only to v1. Following the assignments backwards, v1 reads v2, v2 reads v1 and v3, and v3 reads v1 and v2, so the cone of influence of {v1} is {v1, v2, v3}; v4, v5 and v6 never influence v1 and are dropped. Reduced model with respect to the cone of influence:

  Boolean v1, v2, v3;
  Repeat forever in parallel
    v1 = v2;  v2 = v1 & v3;  v3 = v1 & v2;
  End
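As an added example (not code from the slides), the following Python encodes the program above, computes the cone of influence of the property's variables as a fixpoint, builds the reduced model N, and checks F(~v1) on both M and N to show that the verdicts agree. Reading "Repeat forever in parallel" as one synchronous step and treating the never-assigned v6 as an input that keeps its initial value are assumptions of this example.

```python
"""Cone of influence reduction for the slide's synchronous Boolean program.

Added example (not code from the slides): the program is encoded as a table
of assignments, the cone of influence is computed as a fixpoint, and F(~v1)
is checked on the full model M and on the reduced model N.
"""
from itertools import product

# variable -> (variables its right-hand side reads, update function over them)
# "Repeat forever in parallel" is read as a synchronous step: every right-hand
# side is evaluated in the current state before any variable is updated.
ASSIGNMENTS = {
    "v1": (("v2",), lambda v2: v2),
    "v2": (("v1", "v3"), lambda v1, v3: v1 and v3),
    "v3": (("v1", "v2"), lambda v1, v2: v1 and v2),
    "v4": (("v5", "v3"), lambda v5, v3: v5 and v3),
    "v5": (("v4", "v6"), lambda v4, v6: v4 and v6),
}
# v6 is declared but never assigned: it is treated as an input that keeps its
# initial value (an assumption of this example).
ALL_VARS = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(assignments, of_vars):
    """Smallest set containing of_vars and closed under 'is read by an assignment to'."""
    cone = set(of_vars)
    frontier = list(of_vars)
    while frontier:
        var = frontier.pop()
        deps, _ = assignments.get(var, ((), None))
        for dep in deps:
            if dep not in cone:
                cone.add(dep)
                frontier.append(dep)
    return cone


def reduce_model(assignments, variables, cone):
    """Keep only the variables and assignments inside the cone."""
    kept_vars = tuple(v for v in variables if v in cone)
    kept_assignments = {v: a for v, a in assignments.items() if v in cone}
    return kept_vars, kept_assignments


def step(state, assignments):
    """One synchronous step; unassigned variables keep their value."""
    nxt = dict(state)
    for var, (deps, fn) in assignments.items():
        nxt[var] = fn(*(state[d] for d in deps))
    return nxt


def check_eventually_false(variables, assignments, var="v1"):
    """Decide F(~var) over every initial valuation of the model's variables.

    The step function is deterministic, so each initial state has exactly one
    run; if that run revisits a state before var becomes False, var stays True
    forever and the initial state is a counterexample.
    Returns (verdict, counterexample initial state or None).
    """
    for bits in product((False, True), repeat=len(variables)):
        initial = dict(zip(variables, bits))
        state, seen = initial, set()
        while state[var]:
            key = tuple(state[v] for v in variables)
            if key in seen:
                return False, initial
            seen.add(key)
            state = step(state, assignments)
    return True, None


def compare_full_and_reduced(prop_vars=("v1",)):
    """Check the property on M and on N (reduced w.r.t. the cone of prop_vars)."""
    cone = cone_of_influence(ASSIGNMENTS, prop_vars)
    red_vars, red_assignments = reduce_model(ASSIGNMENTS, ALL_VARS, cone)
    full = check_eventually_false(ALL_VARS, ASSIGNMENTS)
    reduced = check_eventually_false(red_vars, red_assignments)
    return {
        "cone": cone,
        "full_initial_states": 2 ** len(ALL_VARS),
        "reduced_initial_states": 2 ** len(red_vars),
        "full_verdict": full[0],
        "reduced_verdict": reduced[0],
        "full_counterexample": full[1],
        "reduced_counterexample": reduced[1],
    }


if __name__ == "__main__":
    r = compare_full_and_reduced()
    print("cone of influence of v1:", sorted(r["cone"]))
    print("initial states: M =", r["full_initial_states"], " N =", r["reduced_initial_states"])
    print("M |= F(~v1):", r["full_verdict"], r["full_counterexample"])
    print("N |= F(~v1):", r["reduced_verdict"], r["reduced_counterexample"])
```

Both models reject the property for the same reason: from v1 = v2 = v3 = True the synchronous step maps the state to itself, so v1 never becomes False.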

Data Abstraction

[Figure: abstraction function h: S → S', mapping several concrete states of S onto one abstract state of S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components
  – x: int is abstracted to {Even, Odd}: {..., -2, 0, 2, 4, ...} → Even; {..., -3, -1, 1, 3, ...} → Odd
  – y: int is abstracted to {Neg, Zero, Pos}: {..., -3, -2, -1} → Neg; {0} → Zero; {1, 2, 3, ...} → Pos
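Added example, not from the slides: a Python sketch of component-wise data abstraction with the two abstract domains above, applied to a constructed concrete system (x := x + 1; y := y + 1 is an assumption of the example). It shows a property that transfers from the abstract model to the concrete one, and a spurious counterexample caused by the loss of precision the slide warns about.

```python
"""Data abstraction with a component-wise abstraction function h: S -> S'.

Added example, not code from the slides. The abstract transition relation is
the existential abstraction of the concrete one: it over-approximates, so a
property proved on it holds concretely, while a counterexample found on it
may be spurious.
"""
from itertools import product


def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(y):
    return "Neg" if y < 0 else "Zero" if y == 0 else "Pos"


def h(state):
    """Component-wise abstraction: each variable is abstracted on its own."""
    x, y = state
    return (parity(x), sign(y))


def concrete_step(state):
    """Constructed concrete transition (an assumption): x := x + 1; y := y + 1."""
    x, y = state
    return (x + 1, y + 1)


def abstract_transitions(window=range(-4, 5)):
    """Existential abstraction: a -> a' iff some concrete s with h(s) = a has h(step(s)) = a'.

    The concrete state space is infinite, so the relation is built from a finite
    window of values that is wide enough to contain a representative of every
    abstract state and every abstract transition of this system.
    """
    rel = {}
    for s in product(window, repeat=2):
        rel.setdefault(h(s), set()).add(h(concrete_step(s)))
    return rel


def holds_always_next(rel, pre, post):
    """G(pre -> X post) on the abstract model: every successor of every pre-state
    satisfies post. Since the abstraction over-approximates, True here implies
    the property holds on the concrete system."""
    return all(post(t) for a, succ in rel.items() if pre(a) for t in succ)


def has_cycle_within(rel, pred):
    """Is there a cycle of the abstract graph that stays inside pred-states?

    Such a cycle is an infinite abstract path refuting F(not pred). It is a real
    counterexample only if some concrete run follows it; otherwise it is
    spurious, a false alarm produced by the loss of precision.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def dfs(a):
        colour[a] = GREY
        for t in rel.get(a, ()):
            if not pred(t):
                continue
            c = colour.get(t, WHITE)
            if c == GREY or (c == WHITE and dfs(t)):
                return True
        colour[a] = BLACK
        return False

    return any(colour.get(a, WHITE) == WHITE and dfs(a) for a in rel if pred(a))


def concrete_steps_until_nonneg(state, limit=1000):
    """Simulate the concrete system: steps until y >= 0 (None if not reached within limit)."""
    for n in range(limit):
        if state[1] >= 0:
            return n
        state = concrete_step(state)
    return None


if __name__ == "__main__":
    rel = abstract_transitions()
    print("abstract states:", len(rel))
    # Sound: proved on the abstraction, hence true of the concrete system.
    print("G(Even -> X Odd):",
          holds_always_next(rel, lambda a: a[0] == "Even", lambda a: a[0] == "Odd"))
    # Spurious: the abstraction admits staying Neg forever; concretely y grows past 0.
    print("abstract cycle inside Neg:", has_cycle_within(rel, lambda a: a[1] == "Neg"))
    print("concrete steps from (0, -3) until y >= 0:", concrete_steps_until_nonneg((0, -3)))
```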

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };
  byte tok = 1;

  active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1; token values 1 and 2 name user 1 and user 2 */
    :: (state == C) -> state = N;
       if
       :: tok = 1
       :: tok = 2
       fi
    od
  }

Symmetry Reduction Example

[Figure: state graph and reduced state graph; a state is written as (state of user 1, state of user 2, tok). Each row pairs a state with its image under exchanging the two users and the token.]

State graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
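The two graphs above, reproduced by an added Python example (not code from the slides or from SPIN): the Promela model is re-encoded as a successor function, the state graph is explored explicitly, and then explored again storing one representative per equivalence class of the symmetry that swaps the two users and relabels the token. Choosing the tok=1 member of each class as representative is a convention taken from the slide's reduced graph.

```python
"""Symmetry reduction on the two-user token model of the SPIN slide.

Added example, not code from the slides or from SPIN: explicit-state search
of the full graph and of the quotient graph under the user-swapping symmetry.
"""
N, T, C = "N", "T", "C"
INITIAL = (N, N, 1)  # (state of user 1, state of user 2, tok), as in the slide's graph


def successors(state):
    """One interleaving step by either user, following the do-loop options of the model.

    User i (1-based, matching the token values 1 and 2) may leave N for T,
    enter C from T when it holds the token, or leave C for N and hand the
    token to either user ("if :: tok = 1 :: tok = 2 fi").
    """
    s1, s2, tok = state
    users = [s1, s2]
    out = set()
    for i, cur in enumerate(users):
        pid = i + 1
        if cur == N:
            nxt = users[:]
            nxt[i] = T
            out.add((nxt[0], nxt[1], tok))
        elif cur == T and tok == pid:
            nxt = users[:]
            nxt[i] = C
            out.add((nxt[0], nxt[1], tok))
        elif cur == C:
            for new_tok in (1, 2):
                nxt = users[:]
                nxt[i] = N
                out.add((nxt[0], nxt[1], new_tok))
    return out


def swap(state):
    """The symmetry: exchange the two users and rename the token accordingly."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Representative of the orbit {state, swap(state)}: the member with tok = 1."""
    return state if state[2] == 1 else swap(state)


def explore(start, rep=lambda s: s):
    """Explicit-state reachability. With rep=canonical only one state per
    equivalence class is stored and expanded, which is the symmetry reduction."""
    seen = {rep(start)}
    stack = [rep(start)]
    while stack:
        s = stack.pop()
        for t in successors(s):
            r = rep(t)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def is_automorphism(states):
    """Soundness check: swap must commute with the transition relation."""
    return all({swap(t) for t in successors(s)} == successors(swap(s)) for s in states)


if __name__ == "__main__":
    full = explore(INITIAL)
    reduced = explore(INITIAL, canonical)
    print("state graph:", len(full), "states; reduced state graph:", len(reduced), "states")
    print("swap is an automorphism of the reachable graph:", is_automorphism(full))
    for s in sorted(reduced):
        print("  %s1 %s2 tok=%d" % s)
```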


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

                                                                                PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)


Comparison: NuSMV-ImProviso and SPIN

                                  NuSMV-ImProviso                        SPIN
                          states      time     memory      states      time     memory
  Migratory Protocol (2)  155040  108.63 s    56.3 MB      435456    2.34 s    42.8 MB
  Stable Marriage (2)        710    0.84 s     7.3 MB         568   <0.01 s     1.5 MB
  Stable Marriage (3)       1275    2.72 s    10.4 MB         945   <0.01 s     1.5 MB
  Stable Marriage (5)      10351   31.56 s    30.0 MB        8421    0.03 s     2.1 MB
  Best (7)                    15    0.06 s     0.7 MB        2187    0.03 s     1.5 MB
  Best (20)                   41    0.34 s     5.7 MB         N/A
  Worst (3)                   15    0.04 s     0.3 MB          15   <0.01 s     1.5 MB
  Worst (20)             2097150    0.36 s     5.0 MB     2097150   15.03 s   110.6 MB
  Worst (100)           2.54E+30   14.34 s    14.6 MB         N/A

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

                    NuSMV                              SPIN
   n     states      time     memory     states      time     memory
   2         70    0.11 s     1.1 MB         70   <0.01 s     1.5 MB
   3        488    0.57 s     4.6 MB        488   <0.01 s     1.5 MB
   4       3576    6.77 s    10.6 MB       3576    0.10 s     2.3 MB
   8        N/A                              N/A

PO (with partial order reduction)

                    NuSMV-ImProviso                    SPIN
   n     states      time     memory     states      time     memory
   2         48    0.10 s     1.0 MB         48    0.02 s     1.5 MB
   3        209    0.31 s     3.0 MB        209   <0.01 s     1.5 MB
   4        922    1.77 s    10.4 MB        922   <0.01 s     1.7 MB
   8     306903 3553.86 s   381.8 MB     306903   11.82 s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems.


Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry

                                                                                • Model Checking and Related Techniques
                                                                                • Outline
                                                                                • Model Checking Introduction
                                                                                • Model Checking
                                                                                • Model of Concurrent Systems
                                                                                • Model of Concurrent Systems (Cont)
                                                                                • Temporal logics
                                                                                • Temporal logics (2)
                                                                                • CTL Examples
                                                                                • Fixpoint Algorithms
                                                                                • Model Checking Problem
                                                                                • Symbolic Model Checking
                                                                                • Symbolic Model Checking with BDDs
                                                                                • Ordered Binary Decision Trees and Diagrams
                                                                                • OBDD for Comparator Example
                                                                                • Variable Ordering Problem
                                                                                • Symbolic Model Checking Algorithm
                                                                                • Symbolic Model Checking (cont)
                                                                                • Symbolic Model Checking (cont) (2)
                                                                                • Problems with BDDs
                                                                                • Advantages of SAT Procedures
                                                                                • Bounded Model Checking
                                                                                • Main Advantages of SAT Approach
                                                                                • NuSMV A New Symbolic Model Verifier
                                                                                • NuSMV language by examples
                                                                                • Explicit Model Checking
                                                                                • Buumlchi Automata
                                                                                • Example
                                                                                • LTL and Buumlchi Automata
                                                                                • LTL Model Checking
                                                                                • Nested Depth First Search
                                                                                • Example (2)
                                                                                • Example (3)
                                                                                • Nested Depth First Search (2)
                                                                                • Nested Depth First Search (3)
                                                                                • Explicit Model Checking (2)
                                                                                • SPIN
                                                                                • SPIN Example of Petersonrsquos Algorithm
                                                                                • Outline (2)
                                                                                • Partial Order Reduction
                                                                                • The State Explosion Problem
                                                                                • Partial Order Reduction (2)
                                                                                • Partial Order Reduction (Cont)
                                                                                • Partial Order Reduction (Cont) (2)
                                                                                • Compositional Reasoning
                                                                                • Abstraction
                                                                                • Cone of Influence Reduction
                                                                                • Cone of Influence Reduction (2)
                                                                                • Data Abstraction
                                                                                • Data Abstraction Example
                                                                                • Symmetry
                                                                                • Model Written in SPIN
                                                                                • Symmetry Reduction Example
                                                                                • Outline (3)
                                                                                • PAT Process Analysis Toolkit
                                                                                • PAT Workflow Diagram
                                                                                • Fairness Assumptions
                                                                                • Specifying Fairness
                                                                                • Outline (4)
                                                                                • Comparison NuSMV-ImProviso and SPIN
                                                                                • Comparison Leader Election Protocol
                                                                                • Comparison PAT SPIN and FDR
                                                                                • Comparison Conclusion
                                                                                • Outline (5)
                                                                                • Conclusion
                                                                                • Model Checking Distributed Algorithms
                                                                                • Model Checking Distributed Algorithms (2)

                                                                                  The State Explosion Problembull Allowing all possible orderings is a potential cause of the state

                                                                                  explosion problembull To see this consider n transitions that can be executed

                                                                                  concurrentlybull In this case there are n different orderings and 2n different states

                                                                                  (one for each subset of the transitions)bull If the specification does not distinguish between these

                                                                                  sequences it is beneficial to consider only one with n + 1 states

                                                                                  Partial Order Reduction

                                                                                  bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                                                  bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                                                  bull Thus this reduction technique is best suited for asynchronous systems

                                                                                  bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                                                                  Partial Order Reduction (Cont)

                                                                                  bull The method consists of constructing a reduced state graph

                                                                                  bull The full state graph which may be too big to fit in memory is never constructed

                                                                                  bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                                                  bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                                                  Partial Order Reduction (Cont)

                                                                                  bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                                                  bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                                                  Compositional Reasoning

                                                                                  bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                                                  receiver bull Assume-Guarantee Paradigm

                                                                                  ndash Verify each sub-process separately by adding assumptions on sub-process

                                                                                  ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                                                  Abstraction

                                                                                  bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                                                  propertyndash Eg Infinite state Finite state approximation

                                                                                  bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                                                  bull Approachesndash Cone of influence reductionndash Data abstraction

                                                                                  Cone of Influence Reduction

                                                                                  bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                                                                  Cone of Influence Reduction

                                                                                  Boolean v1 v2 v3 v4 v5 v6

                                                                                  Repeat forever in parallel

                                                                                  v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                                                  End

                                                                                  (F (~ v1)) v1 will eventually become False

                                                                                  Boolean v1 v2 v3

                                                                                  Repeat forever in parallel

                                                                                  v1 = v2

                                                                                  v2 = v1 amp v3

                                                                                  End

                                                                                  A Simple System Model

                                                                                  A Simple LTL property

                                                                                  Cone of Influence Reduction

                                                                                  Data Abstraction

                                                                                  h h hh h

                                                                                  Abstraction Function h S Srsquo

                                                                                  S

                                                                                  Srsquo

                                                                                  Data Abstraction Example

                                                                                  bull Abstraction proceeds component-wise where variables are components

                                                                                  xint Even

                                                                                  Oddhellip -3 -1 1 3 hellip

                                                                                  hellip -2 0 2 4 hellip

                                                                                  1 2 3 hellip

                                                                                  hellip -3 -2 -1

                                                                                  0

                                                                                  Pos

                                                                                  Neg

                                                                                  Zeroyint

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };   /* local process states: Non-critical, Trying, Critical */
  byte tok = 1;          /* the token: 1 or 2, naming the process allowed into C */

  active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    :: (state == T) && (tok == _pid + 1) -> state = C  /* _pid is 0 or 1, tok is 1 or 2 (as in the state graph) */
    :: (state == C) -> state = N;
       if                 /* release: hand the token to process 1 or 2 */
       :: tok = 1
       :: tok = 2
       fi
    od
  }

Symmetry Reduction Example

[Figure: full state graph vs. reduced state graph. A state is written as (local state of process 1, local state of process 2, tok).]

Full state graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class; exchanging the two processes together with the token value maps the right column onto the left):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1
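Explicit-state exploration of the token model above, with and without symmetry reduction, as an added Python example (not from the slides and not SPIN's own code). It re-encodes the Promela model, uses the process/token swap as the symmetry, and reproduces the 12-state full graph and the 6-state reduced graph of the figure.

```python
"""Explicit-state exploration of the two-process token model from the
Symmetry Reduction Example, with and without symmetry reduction.

Added example, not part of the original slides.  The Promela model is
re-encoded in Python: a global state is (state of process 1, state of
process 2, tok); process i may enter C only while tok == i, and on leaving
C it hands the token to process 1 or 2 nondeterministically.
"""
from collections import deque

N, T, C = "N", "T", "C"


def successors(state):
    """All successor states of one global state (interleaving semantics)."""
    s1, s2, tok = state
    local = {1: s1, 2: s2}
    result = []
    for pid in (1, 2):
        cur = local[pid]
        if cur == N:
            nxt = [(T, tok)]
        elif cur == T:
            nxt = [(C, tok)] if tok == pid else []   # blocked until it holds the token
        else:  # cur == C: back to N and pass the token to process 1 or 2
            nxt = [(N, 1), (N, 2)]
        for new_local, new_tok in nxt:
            new = dict(local)
            new[pid] = new_local
            result.append((new[1], new[2], new_tok))
    return result


def swap(state):
    """The symmetry of the model: exchange the two processes and the token value."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Representative of the class {state, swap(state)}: the member with tok == 1."""
    return state if state[2] == 1 else swap(state)


def explore(initial, represent=lambda s: s):
    """Breadth-first reachability; `represent` maps every new state to the
    representative of its equivalence class (identity = no reduction)."""
    start = represent(initial)
    seen = {start}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for succ in successors(state):
            rep = represent(succ)
            if rep not in seen:
                seen.add(rep)
                queue.append(rep)
    return seen


def mutual_exclusion(states):
    """Safety property: the two processes are never both in the critical section."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)


INITIAL = (N, N, 1)
FULL = explore(INITIAL)                 # 12 states, as in the full state graph
REDUCED = explore(INITIAL, canonical)   # 6 states, as in the reduced state graph

if __name__ == "__main__":
    print(len(FULL), "states in the full state graph")
    print(len(REDUCED), "states in the reduced state graph")
    print("mutual exclusion holds:", mutual_exclusion(FULL) and mutual_exclusion(REDUCED))
```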

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system that supports composing, simulating and reasoning about extended process algebras
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

PAT Workflow Diagram

[Figure: PAT workflow diagram]

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states    time       memory      states    time      memory
Migratory Protocol (2)    155040    108.63s    56.3 MB     435456    2.34s     42.8 MB
Stable Marriage (2)       710       0.84s      7.3 MB      568       <0.01s    1.5 MB
Stable Marriage (3)       1275      2.72s      10.4 MB     945       <0.01s    1.5 MB
Stable Marriage (5)       10351     31.56s     30.0 MB     8421      0.03s     2.1 MB
Best (7)                  15        0.06s      0.7 MB      2187      0.03s     1.5 MB
Best (20)                 41        0.34s      5.7 MB      NA¹
Worst (3)                 15        0.04s      0.3 MB      15        <0.01s    1.5 MB
Worst (20)                2097150   0.36s      5.0 MB      2097150   15.03s    110.6 MB
Worst (100)               2.54E+30  14.34s     14.6 MB     NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)
      NuSMV                             SPIN
      states    time       memory       states    time      memory
2     70        0.11s      1.1 MB       70        <0.01s    1.5 MB
3     488       0.57s      4.6 MB       488       <0.01s    1.5 MB
4     3576      6.77s      10.6 MB      3576      0.10s     2.3 MB
8     NA¹                               NA¹

PO (with partial order reduction)
      NuSMV-ImProviso                   SPIN
      states    time       memory       states    time      memory
2     48        0.10s      1.0 MB       48        0.02s     1.5 MB
3     209       0.31s      3.0 MB       209       <0.01s    1.5 MB
4     922       1.77s      10.4 MB      922       <0.01s    1.7 MB
8     306903    3553.86s   381.8 MB     306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


                                                                                    Partial Order Reduction

                                                                                    bull The partial order reduction is aimed at reducing the size of the state space that needs to be searched

                                                                                    bull It exploits the commutativity of concurrently executed transitions which result in the same state

                                                                                    bull Thus this reduction technique is best suited for asynchronous systems

                                                                                    bull (In synchronous systems concurrent transitions are executed simultaneously rather than being interleaved)

                                                                                    Partial Order Reduction (Cont)

                                                                                    bull The method consists of constructing a reduced state graph

                                                                                    bull The full state graph which may be too big to fit in memory is never constructed

                                                                                    bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                                                    bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                                                    Partial Order Reduction (Cont)

                                                                                    bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                                                    bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                                                    Compositional Reasoning

                                                                                    bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                                                    receiver bull Assume-Guarantee Paradigm

                                                                                    ndash Verify each sub-process separately by adding assumptions on sub-process

                                                                                    ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                                                    Abstraction

                                                                                    bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                                                    propertyndash Eg Infinite state Finite state approximation

                                                                                    bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                                                    bull Approachesndash Cone of influence reductionndash Data abstraction

                                                                                    Cone of Influence Reduction

                                                                                    bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                                                                    Cone of Influence Reduction

                                                                                    Boolean v1 v2 v3 v4 v5 v6

                                                                                    Repeat forever in parallel

                                                                                    v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                                                    End

                                                                                    (F (~ v1)) v1 will eventually become False

                                                                                    Boolean v1 v2 v3

                                                                                    Repeat forever in parallel

                                                                                    v1 = v2

                                                                                    v2 = v1 amp v3

                                                                                    End

                                                                                    A Simple System Model

                                                                                    A Simple LTL property

                                                                                    Cone of Influence Reduction

                                                                                    Data Abstraction

                                                                                    h h hh h

                                                                                    Abstraction Function h S Srsquo

                                                                                    S

                                                                                    Srsquo

                                                                                    Data Abstraction Example

                                                                                    bull Abstraction proceeds component-wise where variables are components

                                                                                    xint Even

                                                                                    Oddhellip -3 -1 1 3 hellip

                                                                                    hellip -2 0 2 4 hellip

                                                                                    1 2 3 hellip

                                                                                    hellip -3 -2 -1

                                                                                    0

                                                                                    Pos

                                                                                    Neg

                                                                                    Zeroyint

                                                                                    Symmetry

                                                                                    bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                                                    equivalence class

                                                                                    bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                                                    bull Ideally both should be fully automatic

                                                                                    bull Challenges detecting amp exploiting symmetries

                                                                                    Model Written in SPIN

                                                                                    byte tok = 1

                                                                                    active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                                                                                    Symmetry Reduction Example

                                                                                    N1 N2

                                                                                    tok=1N1 N2

                                                                                    tok=2

                                                                                    N1 T2

                                                                                    tok=1T1 N2

                                                                                    tok=2T1 N2

                                                                                    tok=1N1 T2

                                                                                    tok=2

                                                                                    T1 T2

                                                                                    tok=1T1 T2

                                                                                    tok=2C1 N2

                                                                                    tok=1N1 C2

                                                                                    tok=2

                                                                                    C1 T2

                                                                                    tok=1T1 C2

                                                                                    tok=2

                                                                                    N1 N2

                                                                                    tok=1

                                                                                    N1 T2

                                                                                    tok=1T1 N2

                                                                                    tok=1

                                                                                    T1 T2

                                                                                    tok=1C1 N2

                                                                                    tok=1

                                                                                    C1 T2

                                                                                    tok=1

                                                                                    State-graphReduced state-graph

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with partial order reduction
  – Bounded model checking of process algebra

                                                                                    PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e): if e is enabled continuously from some point on, it is executed infinitely often
• A strong fair event is written as sf(e): if e is enabled infinitely often, it is executed infinitely often
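The following Python program is an added example, not part of the slides or of PAT. It builds the two-user token model from the symmetry-reduction slides (each user cycles N → T → C and may enter C only while holding the token), explores it once in full and once modulo the user-swapping symmetry, and then checks non-starvation of user 1, G(T1 → F C1), with no fairness, with a weak fair event and with a strong fair event, using the meaning of wf(e) and sf(e) given above. The event names (req1, enter2, exit2_to1, …), the choice of the tok=1 copy as orbit representative, and the SCC-based fair-cycle search are assumptions of this example, not PAT's implementation.

```python
"""Added example, not from the slides or from PAT: the two-user token model of
the symmetry-reduction slides, explored with and without symmetry reduction and
checked for non-starvation under PAT-style fair events.  A state is (state of
user 1, state of user 2, token holder); event names are constructed here."""

N, T, C = "N", "T", "C"                   # non-critical, trying, critical
INIT = (N, N, 1)

def transitions(state):
    """Enabled (event, successor) pairs of a state, mirroring the Promela loop."""
    out = []
    for i in (0, 1):
        pid = i + 1
        if state[i] == N:                           # request the critical section
            out.append((f"req{pid}", state[:i] + (T,) + state[i + 1:]))
        elif state[i] == T and state[2] == pid:     # enter only while holding the token
            out.append((f"enter{pid}", state[:i] + (C,) + state[i + 1:]))
        elif state[i] == C:                         # leave; hand the token to user 1 or 2
            for to in (1, 2):
                nxt = state[:i] + (N,) + state[i + 1:]
                out.append((f"exit{pid}_to{to}", nxt[:2] + (to,)))
    return out

def swap(state):
    """Orbit representative under the user-1/user-2 symmetry: the copy in which
    user 1 holds the token (the reduced graph on the slide keeps only tok=1)."""
    s1, s2, tok = state
    return (s2, s1, 1) if tok == 2 else state

def explore(canon=lambda s: s):
    """Reachable graph {state: [(event, successor)]}, with every successor mapped
    through `canon`; explore(swap) therefore builds the reduced state graph."""
    start = canon(INIT)
    seen, todo, edges = {start}, [start], {}
    while todo:
        s = todo.pop()
        edges[s] = [(e, canon(t)) for e, t in transitions(s)]
        for _, t in edges[s]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return edges

def sccs(nodes, edges):
    """Tarjan's SCC algorithm on the subgraph induced by `nodes`."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for _, w in edges[v]:
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                      # v is the root of a component
            comp = set()
            while v not in comp:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
            out.append(comp)
    for v in nodes:
        if v not in index:
            visit(v)
    return out

def fair_cycle(nodes, edges, weak=(), strong=()):
    """An SCC of the subgraph induced by `nodes` that admits a fair infinite run,
    or None.  wf(e): once e is enabled without interruption it is taken infinitely
    often; sf(e): if e is enabled infinitely often it is taken infinitely often."""
    for comp in sccs(nodes, edges):
        taken = {e for v in comp for e, w in edges[v] if w in comp}
        if not taken:                               # no cycle inside this component
            continue
        enabled = {v: {e for e, _ in edges[v]} for v in comp}   # judged in the full model
        always = set.intersection(*enabled.values())
        if any(e in always and e not in taken for e in weak):
            continue                                # every run in comp violates wf(e)
        # A strongly fair run visits states enabling an untaken sf event only
        # finitely often, so its infinite suffix lies in comp minus those states.
        bad = {v for v in comp if any(e in enabled[v] and e not in taken for e in strong)}
        found = comp if not bad else fair_cycle(comp - bad, edges, weak, strong)
        if found:
            return found
    return None

def non_starvation(weak=(), strong=()):
    """Does G(T1 -> F C1) hold?  A counterexample is a fair cycle through states
    in which user 1 is trying, since it can leave T only by entering C."""
    edges = explore()
    return fair_cycle({s for s in edges if s[0] == T}, edges, weak, strong) is None

if __name__ == "__main__":
    print("full graph:", len(explore()), "states; reduced:", len(explore(swap)))
    for f in ({}, {"weak": ("exit2_to1",)}, {"strong": ("exit2_to1",)}):
        print(f or "no fairness", "-> non-starvation:", non_starvation(**f))
```

Run as a script it reports 12 states for the full graph and 6 for the reduced one, matching the two state graphs on the slide, and then shows the point of the fairness slides: without fairness user 1 can starve (user 2 keeps re-entering and always hands the token to itself); wf(exit2_to1) does not rule that run out, because the event is enabled only while user 2 is in C, never continuously; sf(exit2_to1) does. Annotating the starving user's own enter1 event changes nothing, because it is never enabled on the run, which is why the fairness assumption has to be placed on the event the environment must eventually perform.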

Comparison: NuSMV-ImProviso and SPIN

                         NuSMV-ImProviso                    SPIN
Example                  states      time       memory      states      time       memory
Migratory Protocol (2)   155040      108.63s    56.3 MB     435456      2.34s      42.8 MB
Stable Marriage (2)      710         0.84s      7.3 MB      568         <0.01s     1.5 MB
Stable Marriage (3)      1275        2.72s      10.4 MB     945         <0.01s     1.5 MB
Stable Marriage (5)      10351       31.56s     30.0 MB     8421        0.03s      2.1 MB
Best (7)                 15          0.06s      0.7 MB      2187        0.03s      1.5 MB
Best (20)                41          0.34s      5.7 MB      NA¹
Worst (3)                15          0.04s      0.3 MB      15          <0.01s     1.5 MB
Worst (20)               2097150     0.36s      5.0 MB      2097150     15.03s     110.6 MB
Worst (100)              2.54E+30    14.34s     14.6 MB     NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

       NuSMV                              SPIN
N      states    time       memory        states    time       memory
2      70        0.11s      1.1 MB        70        <0.01s     1.5 MB
3      488       0.57s      4.6 MB        488       <0.01s     1.5 MB
4      3576      6.77s      10.6 MB       3576      0.10s      2.3 MB
8      NA¹                                NA¹

PO (with partial order reduction)

       NuSMV-ImProviso                    SPIN
N      states    time       memory        states    time       memory
2      48        0.10s      1.0 MB        48        0.02s      1.5 MB
3      209       0.31s      3.0 MB        209       <0.01s     1.5 MB
4      922       1.77s      10.4 MB       922       <0.01s     1.7 MB
8      306903    3553.86s   381.8 MB      306903    11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and scales up to larger state spaces; the partial order reduction in SPIN is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                                      Partial Order Reduction (Cont)

                                                                                      bull The method consists of constructing a reduced state graph

                                                                                      bull The full state graph which may be too big to fit in memory is never constructed

                                                                                      bull The behaviors of the reduced graph are a subset of the behaviors of the full state graph

                                                                                      bull The justification of the reduction method shows that the behaviors that are not present do not add any information

                                                                                      Partial Order Reduction (Cont)

                                                                                      bull The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution

                                                                                      bull However the method can be described better as model checking using representatives since the verification is performed using representatives from the equivalence classes of behaviors

                                                                                      Compositional Reasoning

                                                                                      bull Big systems are composed by sub-processes running in parallel The specifications for such systems can be decomposed into properties hold in the sub processesndash Communication protocol a sender a network and a

                                                                                      receiver bull Assume-Guarantee Paradigm

                                                                                      ndash Verify each sub-process separately by adding assumptions on sub-process

                                                                                      ndash Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

                                                                                      Abstraction

                                                                                      bull Eliminate details irrelevant to the propertybull Obtain simple finite models sufficient to verify the

                                                                                      propertyndash Eg Infinite state Finite state approximation

                                                                                      bull Disadvantage ndash Loss of Precision False positivesnegatives

                                                                                      bull Approachesndash Cone of influence reductionndash Data abstraction

                                                                                      Cone of Influence Reduction

                                                                                      bull If f is an LTL formula that refers only to the variables in V and C is the cone of influence of V then ltf Mgt is satisfied if and only if ltf Ngt is satisfied where N is the reduced model with respect to C

                                                                                      Cone of Influence Reduction

                                                                                      Boolean v1 v2 v3 v4 v5 v6

                                                                                      Repeat forever in parallel

                                                                                      v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                                                      End

                                                                                      (F (~ v1)) v1 will eventually become False

                                                                                      Boolean v1 v2 v3

                                                                                      Repeat forever in parallel

                                                                                      v1 = v2

                                                                                      v2 = v1 amp v3

                                                                                      End

                                                                                      A Simple System Model

                                                                                      A Simple LTL property

                                                                                      Cone of Influence Reduction

                                                                                      Data Abstraction

                                                                                      h h hh h

                                                                                      Abstraction Function h S Srsquo

                                                                                      S

                                                                                      Srsquo

                                                                                      Data Abstraction Example

                                                                                      bull Abstraction proceeds component-wise where variables are components

                                                                                      xint Even

                                                                                      Oddhellip -3 -1 1 3 hellip

                                                                                      hellip -2 0 2 4 hellip

                                                                                      1 2 3 hellip

                                                                                      hellip -3 -2 -1

                                                                                      0

                                                                                      Pos

                                                                                      Neg

                                                                                      Zeroyint

                                                                                      Symmetry

                                                                                      bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                                                      equivalence class

                                                                                      bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                                                      bull Ideally both should be fully automatic

                                                                                      bull Challenges detecting amp exploiting symmetries

                                                                                      Model Written in SPIN

                                                                                      byte tok = 1

                                                                                      active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                                                                                      Symmetry Reduction Example

                                                                                      N1 N2

                                                                                      tok=1N1 N2

                                                                                      tok=2

                                                                                      N1 T2

                                                                                      tok=1T1 N2

                                                                                      tok=2T1 N2

                                                                                      tok=1N1 T2

                                                                                      tok=2

                                                                                      T1 T2

                                                                                      tok=1T1 T2

                                                                                      tok=2C1 N2

                                                                                      tok=1N1 C2

                                                                                      tok=2

                                                                                      C1 T2

                                                                                      tok=1T1 C2

                                                                                      tok=2

                                                                                      N1 N2

                                                                                      tok=1

                                                                                      N1 T2

                                                                                      tok=1T1 N2

                                                                                      tok=1

                                                                                      T1 T2

                                                                                      tok=1C1 N2

                                                                                      tok=1

                                                                                      C1 T2

                                                                                      tok=1

                                                                                      State-graphReduced state-graph

                                                                                      Outline

                                                                                      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                      PAT Process Analysis Toolkit

                                                                                      bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                                                                                      bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                                                                                      bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                                                                                      bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

                                                                                      PAT Workflow Diagram

                                                                                      Fairness Assumptions

                                                                                      bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                      bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                      Specifying Fairness

                                                                                      bull Let e be an eventaction

                                                                                      bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                                                                                      Outline

                                                                                      bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                      bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                      bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
  Example                 states      time       memory    states     time       memory
  Migratory Protocol (2)  155040      108.63s    56.3 MB   435456     2.34s      42.8 MB
  Stable Marriage (2)     710         0.84s      7.3 MB    568        <0.01s     1.5 MB
  Stable Marriage (3)     1275        2.72s      10.4 MB   945        <0.01s     1.5 MB
  Stable Marriage (5)     10351       31.56s     30.0 MB   8421       0.03s      2.1 MB
  Best (7)                15          0.06s      0.7 MB    2187       0.03s      1.5 MB
  Best (20)               41          0.34s      5.7 MB    NA¹
  Worst (3)               15          0.04s      0.3 MB    15         <0.01s     1.5 MB
  Worst (20)              2097150     0.36s      5.0 MB    2097150    15.03s     110.6 MB
  Worst (100)             2.54E+30    14.34s     14.6 MB   NA¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best and Worst.

Comparison: Leader Election Protocol

  Non-PO                  NuSMV                            SPIN
  Size                    states      time       memory    states     time       memory
  2                       70          0.11s      1.1 MB    70         <0.01s     1.5 MB
  3                       488         0.57s      4.6 MB    488        <0.01s     1.5 MB
  4                       3576        6.77s      10.6 MB   3576       0.10s      2.3 MB
  8                       NA¹                              NA¹

  PO                      NuSMV-ImProviso                  SPIN
  Size                    states      time       memory    states     time       memory
  2                       48          0.10s      1.0 MB    48         0.02s      1.5 MB
  3                       209         0.31s      3.0 MB    209        <0.01s     1.5 MB
  4                       922         1.77s      10.4 MB   922        <0.01s     1.7 MB
  8                       306903      3553.86s   381.8 MB  306903     11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry


Partial Order Reduction (Cont)

• The name "partial order reduction" comes from early versions of the algorithms, which were based on the partial order model of program execution.

• However, the method is better described as "model checking using representatives", since the verification is performed using representatives from the equivalence classes of behaviors.

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the sub-processes.
  – Communication protocol: a sender, a network and a receiver.

• Assume-Guarantee Paradigm
  – Verify each sub-process separately, under assumptions about the other sub-processes.
  – Combine the assumed and guaranteed properties to show the correctness of the parallel composition (|| sub-processes).

Abstraction

• Eliminate details irrelevant to the property.
• Obtain simple finite models sufficient to verify the property.
  – E.g. infinite state → finite state approximation.

• Disadvantage
  – Loss of precision: false positives/negatives.

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A Simple System Model

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL property

  (F (~v1)): v1 will eventually become False

Cone of Influence Reduction (reduced model)

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
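To make the definition concrete, here is an added Python example (my own code, not from the slides) that computes the cone of influence of v1 for the simple system model above by closing {v1} under the "reads" relation of the assignments, builds the reduced model N from every assignment whose target lies in the cone, and decides F(~v1) on both M and N by enumerating all initial states. It assumes that the parallel assignments are synchronous (all variables update at once) and that v6, which is declared but never assigned, keeps its value.

```python
from itertools import product

# Constructed from the slide's "simple system model": each variable maps to
# (the variables its next-state value reads, the next-state function).
# Assumption: "repeat forever in parallel" is a synchronous update of all
# variables, and v6 (declared, never assigned) holds its value.
ASSIGNMENTS = {
    "v1": (("v2",),      lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
    "v6": ((),           lambda s: s["v6"]),
}


def cone_of_influence(assignments, V):
    """Smallest set C containing V that is closed under 'reads': if v is in C,
    every variable read by v's assignment is in C too."""
    cone = set(V)
    worklist = list(V)
    while worklist:
        v = worklist.pop()
        for dep in assignments[v][0]:
            if dep not in cone:
                cone.add(dep)
                worklist.append(dep)
    return cone


def reduce_model(assignments, cone):
    """Reduced model N: keep only the assignments whose target lies in the cone.
    Everything they read is in the cone as well, so N is self-contained."""
    return {v: assignments[v] for v in cone}


def check_eventually_false(assignments, var):
    """Decide F(~var) over all initial states of a synchronous model. Each state
    has exactly one successor, so a run either reaches a state with var False
    or closes a cycle without doing so (a counterexample).
    Returns (holds, counterexample_initial_state)."""
    names = sorted(assignments)
    for values in product([False, True], repeat=len(names)):
        initial = dict(zip(names, values))
        state, seen = initial, set()
        while tuple(state[n] for n in names) not in seen:
            if not state[var]:
                break                     # ~var reached: this run satisfies F(~var)
            seen.add(tuple(state[n] for n in names))
            state = {n: assignments[n][1](state) for n in names}
        else:
            return False, initial         # cycle closed with var True throughout
    return True, None


if __name__ == "__main__":
    cone = cone_of_influence(ASSIGNMENTS, {"v1"})
    print("cone of influence of v1:", sorted(cone))
    print("M |= F(~v1):", check_eventually_false(ASSIGNMENTS, "v1"))
    print("N |= F(~v1):", check_eventually_false(reduce_model(ASSIGNMENTS, cone), "v1"))
```

Both models reject F(~v1) with the same counterexample once it is projected onto the cone (v1 = v2 = v3 = True is a fixed point of the update), which is exactly what the equivalence above predicts: the verdict is unchanged, while N has 8 initial states to enumerate instead of 64. Asking for the cone of v4 instead pulls in all six variables, so the reduction buys nothing for properties about v4.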

Data Abstraction

  Abstraction function h: S → S'

  (Figure: concrete states in S are mapped by h onto abstract states in S'; several concrete states share one abstract state.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

  x: int
    … -3, -1, 1, 3 …   → Odd
    … -2, 0, 2, 4 …    → Even

  y: int
    … -3, -2, -1       → Neg
    0                  → Zero
    1, 2, 3 …          → Pos
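As an added example (my own code, not from the slides), the following Python applies the two component abstractions above to a constructed concrete program and builds the abstract transition relation by existential abstraction: abstract state a steps to b whenever some concrete state in h⁻¹(a) steps into h⁻¹(b). The concrete program (x := x + 1; y := y − 1 on every step) and the finite window of integers used to enumerate it are assumptions. It then shows the loss of precision the Abstraction slide warns about: the abstract model admits a run that stays in Pos forever, although concretely y reaches 0.

```python
from itertools import product


def h_x(x):
    """Parity abstraction for x: {..., -2, 0, 2, 4, ...} -> Even, {..., -3, -1, 1, 3, ...} -> Odd."""
    return "Even" if x % 2 == 0 else "Odd"


def h_y(y):
    """Sign abstraction for y: {..., -3, -2, -1} -> Neg, {0} -> Zero, {1, 2, 3, ...} -> Pos."""
    return "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")


def h(state):
    """Abstraction function h: S -> S', applied component-wise to (x, y)."""
    x, y = state
    return (h_x(x), h_y(y))


def concrete_step(state):
    """Constructed concrete program (an assumption, not on the slide):
    one step performs x := x + 1 and y := y - 1."""
    x, y = state
    return (x + 1, y - 1)


def abstract_transitions(window=range(-4, 5)):
    """Existential abstraction: abstract state a steps to b whenever some
    concrete s with h(s) = a steps to s' with h(s') = b. S is infinite, so a
    finite window of ints is enumerated; for this program the window already
    covers every abstract combination, so the relation is complete (assumption)."""
    rel = set()
    for x, y in product(window, repeat=2):
        s = (x, y)
        rel.add((h(s), h(concrete_step(s))))
    return rel


def abstract_successors(rel, a):
    return {b for src, b in rel if src == a}


def can_stay_in_forever(rel, pred):
    """True if the abstract model has a cycle through states satisfying pred,
    i.e. it admits an abstract run that never leaves pred. Such a run may be
    spurious: the abstraction has lost the information needed to rule it out."""
    nodes = {a for a, _ in rel} | {b for _, b in rel}
    keep = {n for n in nodes if pred(n)}
    colour = {}                   # absent: unvisited, 1: on the DFS stack, 2: finished

    def dfs(n):
        colour[n] = 1
        for m in abstract_successors(rel, n):
            if m not in keep:
                continue
            if colour.get(m) == 1 or (m not in colour and dfs(m)):
                return True
        colour[n] = 2
        return False

    return any(n not in colour and dfs(n) for n in keep)


if __name__ == "__main__":
    rel = abstract_transitions()
    for a, b in sorted(rel):
        print(a, "->", b)
    # Concretely y := y - 1 reaches 0 from every y > 0, but abstractly Pos -> Pos
    # loops forever: a spurious counterexample caused by loss of precision.
    print("abstract run can stay in Pos forever:", can_stay_in_forever(rel, lambda a: a[1] == "Pos"))
    # Parity is tracked exactly: every successor of an Even state is Odd and vice versa.
    print("abstract run can stay Even forever:", can_stay_in_forever(rel, lambda a: a[0] == "Even"))
```

The parity component is abstracted exactly (the abstract model can prove that x alternates between Even and Odd), whereas the sign component is not: from Pos the abstract model can reach either Pos or Zero, so a property such as "y eventually becomes zero" produces a counterexample in the abstract model that has no concrete counterpart. That is the false negative of the Abstraction slide, and the usual remedy is to refine h (for instance by splitting Pos) until the spurious run disappears.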

Symmetry

• Symmetry partitions the state-space into equivalence classes.
• With knowledge of the symmetry, search only 1 state per equivalence class.

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally, both should be fully automatic.

• Challenges: detecting & exploiting symmetries.

Model Written in SPIN

  /* N, T and C are used on the slide without definitions; these #defines
     make the model compile as written. */
  #define N 0        /* non-critical */
  #define T 1        /* trying */
  #define C 2        /* critical */

  byte tok = 1;

  active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    /* _pid is 0 or 1 while the token is 1 or 2, so a process holds
       the token when tok == _pid + 1 */
    :: (state == T) && (tok == _pid + 1) -> state = C
    :: (state == C) -> state = N;
                       if
                       :: tok = 1
                       :: tok = 2
                       fi
    od
  }

Symmetry Reduction Example

State graph (12 states; each entry gives the local states of the two processes and the token holder):

  N1 N2, tok=1        N1 N2, tok=2
  N1 T2, tok=1        T1 N2, tok=2
  T1 N2, tok=1        N1 T2, tok=2
  T1 T2, tok=1        T1 T2, tok=2
  C1 N2, tok=1        N1 C2, tok=2
  C1 T2, tok=1        T1 C2, tok=2

Reduced state graph (6 states; one representative per equivalence class, chosen with tok=1):

  N1 N2, tok=1
  N1 T2, tok=1
  T1 N2, tok=1
  T1 T2, tok=1
  C1 N2, tok=1
  C1 T2, tok=1
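The reduction can be reproduced with an explicit-state search. The Python below is an added example (my own code, not the slide's) that explores the state graph of the two-process token model from the SPIN slide twice: once as is, and once replacing every state by the representative of its orbit under the symmetry that swaps the two processes (and therefore renames the token holder 1 ↔ 2). The representative with tok=1 is chosen to match how the slide draws the reduced graph; the encoding of states as (state of process 1, state of process 2, token) is mine.

```python
from collections import deque

# A state is (local state of process 1, local state of process 2, token holder);
# local states are 'N' (non-critical), 'T' (trying), 'C' (critical).
INITIAL = ("N", "N", 1)


def _with(s, i, new_local, tok):
    """Copy of state s with process i's local state and the token replaced."""
    locals_ = list(s[:2])
    locals_[i] = new_local
    return (locals_[0], locals_[1], tok)


def successors(s):
    """All successor states: each process may take one of its three guarded
    steps; leaving C releases the token to either process (the if..fi)."""
    tok = s[2]
    out = []
    for i in (0, 1):
        pid = i + 1                         # processes are numbered 1 and 2 like the token
        st = s[i]
        if st == "N":
            out.append(_with(s, i, "T", tok))
        elif st == "T" and tok == pid:
            out.append(_with(s, i, "C", tok))
        elif st == "C":
            out.append(_with(s, i, "N", 1))
            out.append(_with(s, i, "N", 2))
    return out


def swap(s):
    """The symmetry: exchange the two process identities, which also renames
    the token holder 1 <-> 2. It maps transitions to transitions."""
    return (s[1], s[0], 3 - s[2])


def representative(s):
    """Canonical element of the orbit {s, swap(s)}: the one where process 1
    holds the token, as in the slide's reduced graph."""
    return s if s[2] == 1 else swap(s)


def explore(initial, canon=lambda s: s):
    """BFS over the state graph. With canon=representative every generated
    state is replaced by its orbit representative, so each equivalence class
    is stored and expanded only once."""
    start = canon(initial)
    seen, queue, edges = {start}, deque([start]), set()
    while queue:
        s = queue.popleft()
        for t in successors(s):
            t = canon(t)
            edges.add((s, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges


if __name__ == "__main__":
    full_states, _ = explore(INITIAL)
    reduced_states, _ = explore(INITIAL, representative)
    print("full state graph:", len(full_states), "states")
    print("reduced state graph:", len(reduced_states), "states")
    for s in sorted(reduced_states):
        print("  %s1 %s2, tok=%d" % s)
```

The search finds the 12 states of the full graph and the 6 representatives of the reduced one listed above; properties invariant under the swap, such as mutual exclusion (no state has both processes in C), can be checked on the reduced graph alone. The check that swap maps every edge to an edge is what justifies calling the permutation a symmetry; in a real tool that is the "symmetry detection" step the previous slide mentions, and here it is verified by brute force over the explored edges.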

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra.

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

                                                                                        Fairness Assumptions

                                                                                        bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                        bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                        Specifying Fairness

                                                                                        bull Let e be an eventaction

                                                                                        bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                                                                                        Outline

                                                                                        bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                        Comparison NuSMV-ImProviso and SPIN

                                                                                        states time memory states time memory

                                                                                        Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

                                                                                        Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

                                                                                        Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

                                                                                        Worst (100) 254E+30 1434s 146 MB

                                                                                        NuSMV-ImProviso SPIN

                                                                                        NA1

                                                                                        NA1

                                                                                        bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

                                                                                        Comparison Leader Election Protocol

                                                                                        states time memory states time memory

                                                                                        2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

                                                                                        8

                                                                                        states time memory states time memory

                                                                                        2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

                                                                                        SPIN

                                                                                        NA1

                                                                                        Non-PO

                                                                                        PONuSMV-ImProviso

                                                                                        NuSMV

                                                                                        NA1

                                                                                        SPIN

                                                                                        bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

                                                                                        Comparison PAT SPIN and FDR

                                                                                        Comparison Conclusion

                                                                                        bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

                                                                                        bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

                                                                                        Outlinebull Model Checking Techniques

                                                                                        ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                        bull Tackle the State Space Explosionndash Partial Order Reductionndash Equivalences and Pre-orders between Structuresndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                        bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits:
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

• Model Checking and Related Techniques
• Outline
• Model Checking Introduction
• Model Checking
• Model of Concurrent Systems
• Model of Concurrent Systems (Cont)
• Temporal logics
• Temporal logics (2)
• CTL Examples
• Fixpoint Algorithms
• Model Checking Problem
• Symbolic Model Checking
• Symbolic Model Checking with BDDs
• Ordered Binary Decision Trees and Diagrams
• OBDD for Comparator Example
• Variable Ordering Problem
• Symbolic Model Checking Algorithm
• Symbolic Model Checking (cont)
• Symbolic Model Checking (cont) (2)
• Problems with BDDs
• Advantages of SAT Procedures
• Bounded Model Checking
• Main Advantages of SAT Approach
• NuSMV: A New Symbolic Model Verifier
• NuSMV language by examples
• Explicit Model Checking
• Büchi Automata
• Example
• LTL and Büchi Automata
• LTL Model Checking
• Nested Depth First Search
• Example (2)
• Example (3)
• Nested Depth First Search (2)
• Nested Depth First Search (3)
• Explicit Model Checking (2)
• SPIN
• SPIN: Example of Peterson's Algorithm
• Outline (2)
• Partial Order Reduction
• The State Explosion Problem
• Partial Order Reduction (2)
• Partial Order Reduction (Cont)
• Partial Order Reduction (Cont) (2)
• Compositional Reasoning
• Abstraction
• Cone of Influence Reduction
• Cone of Influence Reduction (2)
• Data Abstraction
• Data Abstraction Example
• Symmetry
• Model Written in SPIN
• Symmetry Reduction Example
• Outline (3)
• PAT: Process Analysis Toolkit
• PAT Workflow Diagram
• Fairness Assumptions
• Specifying Fairness
• Outline (4)
• Comparison: NuSMV-ImProviso and SPIN
• Comparison: Leader Election Protocol
• Comparison: PAT, SPIN and FDR
• Comparison: Conclusion
• Outline (5)
• Conclusion
• Model Checking Distributed Algorithms
• Model Checking Distributed Algorithms (2)

Compositional Reasoning

• Big systems are composed of sub-processes running in parallel. The specification of such a system can be decomposed into properties that hold in the individual sub-processes.
  – Communication protocol: a sender, a network and a receiver

• Assume-Guarantee Paradigm
  – Verify each sub-process separately, adding assumptions about the behaviour of the other sub-processes
  – Combine the assumed and guaranteed properties to show the correctness of (|| sub-processes)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite state approximation

• Disadvantage
  – Loss of precision: false positives/negatives

• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V (the set of variables whose values can affect the variables in V, i.e. the closure of V under the "is read by the assignment of" dependency), then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
        v4 = v5 & v3;
        v5 = v4 & v6;
    End

A simple LTL property:

    F (~v1)        -- v1 will eventually become False

Reduced model with respect to the cone of influence of {v1}, which is {v1, v2, v3} (v3 is in the cone, so its assignment is kept):

    Boolean v1, v2, v3;
    Repeat forever in parallel
        v1 = v2;
        v2 = v1 & v3;
        v3 = v1 & v2;
    End
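An added example (not code from the slides) that computes the cone of influence of {v1} for the model above, builds the reduced model from it, and checks F(~v1) on both the full and the reduced model. It assumes the synchronous, deterministic semantics of "repeat forever in parallel" and that the never-assigned v6 keeps its value.

```python
"""Cone-of-influence reduction for the synchronous Boolean system on the
slide, plus an explicit-state check of F(~v1) on the full and reduced
models. Added example; not code from the slides."""
from itertools import product

# Constructed from the slide: each variable maps to the variables its
# next-state assignment reads (all assignments are conjunctions).
# v6 is declared but never assigned; it is treated as keeping its value.
ASSIGN = {
    "v1": ("v2",),
    "v2": ("v1", "v3"),
    "v3": ("v1", "v2"),
    "v4": ("v5", "v3"),
    "v5": ("v4", "v6"),
}
ALL_VARS = ["v1", "v2", "v3", "v4", "v5", "v6"]


def cone_of_influence(targets, assign=ASSIGN):
    """Closure of `targets` under 'reads': every variable whose value can
    reach a target variable through a chain of assignments."""
    cone, work = set(targets), list(targets)
    while work:
        v = work.pop()
        for dep in assign.get(v, ()):
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_model(targets):
    """Reduced model N: keep only the variables in the cone and their
    assignments; everything outside the cone is dropped."""
    cone = cone_of_influence(targets)
    variables = [v for v in ALL_VARS if v in cone]
    assign = {v: ASSIGN[v] for v in variables if v in ASSIGN}
    return variables, assign


def step(state, assign):
    """One synchronous round: all assignments read the old state."""
    nxt = dict(state)
    for v, reads in assign.items():
        nxt[v] = all(state[r] for r in reads)
    return nxt


def eventually_not(var, variables, assign):
    """Check F(~var) over all initial states. Steps are deterministic, so
    each initial state yields a single path that ends in a cycle; walking
    until a state repeats is enough. Returns (holds, counterexample_init)."""
    for bits in product([False, True], repeat=len(variables)):
        init = dict(zip(variables, bits))
        state, seen = init, set()
        while True:
            key = tuple(state[v] for v in variables)
            if key in seen:
                return False, init      # cycle closed with var always True
            if not state[var]:
                break                   # ~var reached on this path
            seen.add(key)
            state = step(state, assign)
    return True, None


if __name__ == "__main__":
    vs, asg = reduce_model({"v1"})
    print("cone of {v1}:", sorted(cone_of_influence({"v1"})))
    print("full model:", eventually_not("v1", ALL_VARS, ASSIGN))
    print("reduced model:", eventually_not("v1", vs, asg))
```

Both models report the same verdict, as the reduction theorem promises: F(~v1) fails, and the counterexample (v1 = v2 = v3 = True, which is a fixpoint of the assignments) is the same once projected onto the cone.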

Data Abstraction

[Figure: abstraction function h : S → S', mapping each concrete state in S to an abstract state in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

    x : int  →  {Neg, Zero, Pos}
        … -3 -2 -1   →  Neg
        0            →  Zero
        1 2 3 …      →  Pos

    y : int  →  {Even, Odd}
        … -2 0 2 4 …   →  Even
        … -3 -1 1 3 …  →  Odd
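An added example (not code from the slides) of the component-wise abstraction above, with the sign map for x and the parity map for y. It applies them to a small concrete program I constructed for illustration, x := x + 1; y := y + 2, builds the abstract transition relation existentially, and shows both a property the abstraction preserves and the loss of precision (a spurious counterexample) named under Abstraction.

```python
"""Component-wise data abstraction: x:int -> {Neg, Zero, Pos},
y:int -> {Even, Odd}. Added example; not code from the slides."""
from collections import defaultdict


def sign(x):
    return "Neg" if x < 0 else "Zero" if x == 0 else "Pos"


def parity(y):
    return "Even" if y % 2 == 0 else "Odd"


def h(state):
    """Abstraction function h: S -> S', applied component by component."""
    x, y = state
    return (sign(x), parity(y))


def concrete_step(state):
    """Constructed concrete program (hypothetical): x := x + 1; y := y + 2."""
    x, y = state
    return (x + 1, y + 2)


def abstract_relation(bound):
    """Existential abstraction: abstract edge a -> b exists iff some concrete
    s with h(s) = a steps to some t with h(t) = b. Assumption: sampling the
    window [-bound, bound]^2 reaches every abstract class of this program,
    which holds here for any bound >= 1."""
    rel = defaultdict(set)
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            s = (x, y)
            rel[h(s)].add(h(concrete_step(s)))
    return rel


def abstract_can_avoid_forever(rel, start, avoid_sign):
    """Is there an infinite abstract path from `start` whose x-component is
    never `avoid_sign`? That is a counterexample to F(x is avoid_sign) in
    the abstract model; it exists iff a cycle is reachable from `start`
    inside the sub-graph that avoids that sign."""
    on_stack, done = set(), set()

    def dfs(a):
        if a[0] == avoid_sign:
            return False
        if a in on_stack:
            return True              # closed a cycle without the avoided sign
        if a in done:
            return False
        on_stack.add(a)
        found = any(dfs(b) for b in rel[a])
        on_stack.remove(a)
        done.add(a)
        return found

    return dfs(start)


def concrete_steps_to_zero(x, y=0, limit=10_000):
    """Ground truth on the concrete program: steps until x == 0."""
    s = (x, y)
    for n in range(limit):
        if s[0] == 0:
            return n
        s = concrete_step(s)
    return None


def parity_preserved(rel):
    """Checks in the abstract model that the y-parity never changes; since
    the abstraction over-approximates, this also holds concretely."""
    return all(b[1] == a[1] for a in list(rel) for b in rel[a])
```

The abstract self-loop Neg -> Neg (from -3 -> -2) lets the abstract model stay negative forever, so "x eventually reaches Zero" is reported violated even though every concrete run from a negative x reaches 0; that is the false negative the slides warn about, while the parity invariant is established soundly.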

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* added: symbolic names for the local states, which the slide omits */
    byte tok = 1;

    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C
        :: (state == C) -> state = N;
           if
           :: tok = 1
           :: tok = 2
           fi
        od
    }

Symmetry Reduction Example

State graph (the 12 reachable states; each entry gives the local state of user 1 and user 2 and the token owner):

    N1 N2 tok=1    N1 N2 tok=2
    N1 T2 tok=1    T1 N2 tok=2
    T1 N2 tok=1    N1 T2 tok=2
    T1 T2 tok=1    T1 T2 tok=2
    C1 N2 tok=1    N1 C2 tok=2
    C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (one representative per equivalence class under swapping the two users; the states in each row above are swaps of each other):

    N1 N2 tok=1
    N1 T2 tok=1
    T1 N2 tok=1
    T1 T2 tok=1
    C1 N2 tok=1
    C1 T2 tok=1

[Figure: state graph and reduced state graph]

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness together with Partial Order Reduction
  – Bounded Model Checking of process algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action

• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
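An added example (not SPIN's or PAT's code) serving both the Symmetry Reduction Example and this Specifying Fairness slide: it explores the two-user token model from the Model Written in SPIN slide, reduces it under the user-swapping symmetry, and evaluates wf(e) and sf(e) on constructed loops. The event names request/enter/leave are my labels for the three do-branches, and the loops STARVE_2 and STARVE_2_FAIR are constructed for illustration.

```python
"""The two-process token model from the SPIN slide, explored explicitly:
full state graph, symmetry-reduced (quotient) graph, and wf/sf checks on
candidate counterexample loops. Added example; not SPIN/PAT code."""
from collections import deque

N, T, C = "N", "T", "C"      # local states: non-critical, trying, critical
INIT = (N, N, 1)             # (state of user 1, state of user 2, tok)


def _set(st, i, value):
    nxt = list(st)
    nxt[i] = value
    return nxt


def successors(s):
    """Interleaving semantics of the Promela 'do' loop: every enabled branch
    of either process. Returns (event, next_state) pairs; events are
    (pid, kind) so fairness assumptions can name them."""
    st, tok, out = list(s[:2]), s[2], []
    for pid in (1, 2):
        i = pid - 1
        if st[i] == N:                       # (state == N) -> state = T
            out.append(((pid, "request"), (*_set(st, i, T), tok)))
        elif st[i] == T and tok == pid:      # (state == T) && (tok == _pid)
            out.append(((pid, "enter"), (*_set(st, i, C), tok)))
        elif st[i] == C:                     # state = N, then the nondeterministic 'if'
            for new_tok in (1, 2):
                out.append(((pid, "leave"), (*_set(st, i, N), new_tok)))
    return out


def enabled(s):
    return {ev for ev, _ in successors(s)}


def swap(s):
    """The symmetry: exchange the two process identities, token included."""
    return (s[1], s[0], 3 - s[2])


def canonical(s):
    """Orbit representative: the member in which user 1 holds the token.
    These representatives are exactly the slide's reduced state graph."""
    return s if s[2] == 1 else swap(s)


def explore(rep=lambda s: s):
    """BFS over reachable states; `rep` maps each state to its representative
    (identity gives the full graph, `canonical` the quotient graph)."""
    start = rep(INIT)
    seen, edges, queue = {start}, set(), deque([start])
    while queue:
        s = queue.popleft()
        for ev, t in successors(s):
            t = rep(t)
            edges.add((s, ev, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges


def mutual_exclusion(states):
    return all(not (s[0] == C and s[1] == C) for s in states)


def is_cycle(states, events):
    """True if events[i] takes states[i] to states[i+1], wrapping around."""
    n = len(states)
    return all((events[i], states[(i + 1) % n]) in successors(states[i])
               for i in range(n))


def weakly_fair(states, events, ev):
    """wf(ev): if ev is enabled in every state of the loop, it occurs in it."""
    return ev in events or not all(ev in enabled(s) for s in states)


def strongly_fair(states, events, ev):
    """sf(ev): if ev is enabled in some state of the loop, it occurs in it."""
    return ev in events or not any(ev in enabled(s) for s in states)


# Constructed loop in which user 2 never enters C: a counterexample to
# non-starvation of user 2 unless a fairness assumption rules it out.
STARVE_2 = ([(N, N, 1), (T, N, 1), (C, N, 1)],
            [(1, "request"), (1, "enter"), (1, "leave")])

# Constructed loop that survives even sf on user 2's events: user 2 is trying,
# but the 'if' keeps handing tok back to user 1, so its 'enter' is never
# enabled. Event fairness does not constrain that data choice.
STARVE_2_FAIR = ([(N, T, 1), (T, T, 1), (C, T, 1)],
                 [(1, "request"), (1, "enter"), (1, "leave")])
```

Without fairness both loops are counterexamples to non-starvation, matching the slide's "non-starvation: FALSE"; wf((2, "request")) discards STARVE_2 but not STARVE_2_FAIR.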

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

Example                 | NuSMV-ImProviso               | SPIN
                        | states    time     memory     | states    time     memory
Migratory Protocol (2)  | 155040    10863s   563 MB     | 435456    234s     428 MB
Stable Marriage (2)     | 710       084s     73 MB      | 568       <001s    15 MB
Stable Marriage (3)     | 1275      272s     104 MB     | 945       <001s    15 MB
Stable Marriage (5)     | 10351     3156s    300 MB     | 8421      003s     21 MB
Best (7)                | 15        006s     07 MB      | 2187      003s     15 MB
Best (20)               | 41        034s     57 MB      | NA (1)
Worst (3)               | 15        004s     03 MB      | 15        <001s    15 MB
Worst (20)              | 2097150   036s     50 MB      | 2097150   1503s    1106 MB
Worst (100)             | 254E+30   1434s    146 MB     | NA (1)

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction): NuSMV and SPIN

    | NuSMV                        | SPIN
    | states    time      memory   | states    time     memory
2   | 70        011s      11 MB    | 70        <001s    15 MB
3   | 488       057s      46 MB    | 488       <001s    15 MB
4   | 3576      677s      106 MB   | 3576      010s     23 MB
8   | NA (1)                       | NA (1)

PO (with partial order reduction): NuSMV-ImProviso and SPIN

    | NuSMV-ImProviso              | SPIN
    | states    time      memory   | states    time     memory
2   | 48        010s      10 MB    | 48        002s     15 MB
3   | 209       031s      30 MB    | 209       <001s    15 MB
4   | 922       177s      104 MB   | 922       <001s    17 MB
8   | 306903    355386s   3818 MB  | 306903    1182s    2328 MB

                                                                                          • Outline (2)
                                                                                          • Partial Order Reduction
                                                                                          • The State Explosion Problem
                                                                                          • Partial Order Reduction (2)
                                                                                          • Partial Order Reduction (Cont)
                                                                                          • Partial Order Reduction (Cont) (2)
                                                                                          • Compositional Reasoning
                                                                                          • Abstraction
                                                                                          • Cone of Influence Reduction
                                                                                          • Cone of Influence Reduction (2)
                                                                                          • Data Abstraction
                                                                                          • Data Abstraction Example
                                                                                          • Symmetry
                                                                                          • Model Written in SPIN
                                                                                          • Symmetry Reduction Example
                                                                                          • Outline (3)
                                                                                          • PAT Process Analysis Toolkit
                                                                                          • PAT Workflow Diagram
                                                                                          • Fairness Assumptions
                                                                                          • Specifying Fairness
                                                                                          • Outline (4)
                                                                                          • Comparison NuSMV-ImProviso and SPIN
                                                                                          • Comparison Leader Election Protocol
                                                                                          • Comparison PAT SPIN and FDR
                                                                                          • Comparison Conclusion
                                                                                          • Outline (5)
                                                                                          • Conclusion
                                                                                          • Model Checking Distributed Algorithms
                                                                                          • Model Checking Distributed Algorithms (2)

Abstraction

• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
  – E.g. infinite state → finite-state approximation
• Disadvantage – loss of precision: false positives/negatives
• Approaches
  – Cone of influence reduction
  – Data abstraction

Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then ⟨f, M⟩ is satisfied if and only if ⟨f, N⟩ is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A Simple System Model:

  Boolean v1, v2, v3, v4, v5, v6
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
    v3 = v1 & v2
    v4 = v5 & v3
    v5 = v4 & v6
  End

A Simple LTL property:

  (F (~v1))    – v1 will eventually become False

Cone of Influence Reduction (the reduced model):

  Boolean v1, v2, v3
  Repeat forever in parallel
    v1 = v2
    v2 = v1 & v3
  End
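The reduction on the slide, carried out in code. This is an added Python example, not code from the slides or from any of the tools they discuss: it encodes the six-variable system above as a dependency graph plus update rules, computes the cone of influence of {v1} as a backward closure (which is {v1, v2, v3}: v2 reads v3, so v3 and its rule v3 = v1 & v2 belong to the cone as well), builds the reduced model N by dropping every rule outside the cone, and then checks the slide's claim that F(~v1) gets the same verdict in M and in N, for every one of the 64 initial valuations. The synchronous "all rules fire on the old state" semantics for "Repeat forever in parallel" and the treatment of the unassigned v6 as a variable that keeps its value are assumptions.

```python
from itertools import product

# The slide's system: every assigned variable is updated in parallel at each
# step ("Repeat forever in parallel"), reading the previous values. Each entry
# is target -> (variables its rule reads, the rule). v6 has no rule and keeps
# its value (assumption).
FULL_MODEL = {
    "v1": (("v2",),      lambda s: s["v2"]),
    "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
    "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
    "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
    "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
}
ALL_VARS = ("v1", "v2", "v3", "v4", "v5", "v6")


def cone_of_influence(model, targets):
    """Least set that contains `targets` and is closed under 'is read by the
    update rule of': a backward closure over the dependency graph."""
    cone = set(targets)
    work = list(targets)
    while work:
        v = work.pop()
        reads, _ = model.get(v, ((), None))   # unassigned variables read nothing
        for w in reads:
            if w not in cone:
                cone.add(w)
                work.append(w)
    return cone


def reduce_model(model, cone):
    """The reduced model N: keep only the rules whose target is in the cone.
    By closure, those rules read cone variables only."""
    return {v: rule for v, rule in model.items() if v in cone}


def step(model, state):
    """One synchronous step: all rules fire on the old state."""
    new = dict(state)
    for v, (_, rule) in model.items():
        new[v] = rule(state)
    return new


def eventually_not_v1(model, init):
    """F(~v1) on the single run from `init`. The run is deterministic over a
    finite state space, hence eventually periodic, so stepping until a state
    repeats visits every state the run will ever see."""
    state, seen = dict(init), set()
    key = tuple(sorted(state.items()))
    while key not in seen:
        if not state["v1"]:
            return True
        seen.add(key)
        state = step(model, state)
        key = tuple(sorted(state.items()))
    return False


def verdicts_agree(model=FULL_MODEL, targets=("v1",)):
    """The slide's equivalence, checked exhaustively for this system: for every
    initial valuation, F(~v1) has the same truth value in M and in N (N is
    started on the cone's projection of the same valuation)."""
    cone = cone_of_influence(model, targets)
    reduced = reduce_model(model, cone)
    for values in product((False, True), repeat=len(ALL_VARS)):
        full_init = dict(zip(ALL_VARS, values))
        cone_init = {v: full_init[v] for v in cone}
        if eventually_not_v1(model, full_init) != eventually_not_v1(reduced, cone_init):
            return False
    return True


if __name__ == "__main__":
    cone = cone_of_influence(FULL_MODEL, ("v1",))
    print("cone of influence of v1:", sorted(cone))        # ['v1', 'v2', 'v3']
    print("rules kept in N:", sorted(reduce_model(FULL_MODEL, cone)))
    print("same verdict for F(~v1) in M and N:", verdicts_agree())
```

Note that the cone of {v4} is the whole variable set (v4 reads v5, v5 reads v6 and v4, and v4 also reads v3, which drags in v1 and v2), so the reduction buys nothing for a property about v4; the technique pays off exactly when the property's variables sit in a small, closed corner of the dependency graph.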

Data Abstraction

Abstraction function h: S → S'

(Figure: concrete states in S are mapped by h onto abstract states in S'; several concrete states share one abstract image.)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x: int → { Even, Odd }
  … -2, 0, 2, 4 …   ↦ Even
  … -3, -1, 1, 3 …  ↦ Odd

y: int → { Neg, Zero, Pos }
  … -3, -2, -1      ↦ Neg
  0                 ↦ Zero
  1, 2, 3 …         ↦ Pos
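The component-wise abstraction above, together with the "loss of precision" caveat from the Abstraction slide, as an added Python example (not code from the slides). The abstraction function h is the slide's: x goes to its parity, y to its sign. The concrete system it is applied to is constructed for this example: x is a counter that wraps in [-4, 4] and y counts down to 0 and then stays there. The abstract transition relation is built existentially (a → b whenever some concrete s → t has h(s) = a and h(t) = b), which is the standard over-approximation. The property "y eventually reaches Zero" (AF y = Zero) holds concretely from (0, 3), but the abstract model admits a loop Pos → Pos → … that never reaches Zero, so the abstract check fails on a counterexample that has no concrete counterpart: a false negative of exactly the kind the slide warns about.

```python
# Constructed concrete system (not from the slides): x wraps around in
# [-4, 4], y decrements while positive and then stays put.
X_RANGE = range(-4, 5)
Y_RANGE = range(-3, 4)
CONCRETE_INIT = (0, 3)


def concrete_next(s):
    """Successor set of a concrete state (x, y); the system is deterministic."""
    x, y = s
    nx = x + 1 if x < 4 else -4
    ny = y - 1 if y > 0 else y
    return {(nx, ny)}


def h(s):
    """The slide's component-wise abstraction: x -> parity, y -> sign."""
    x, y = s
    parity = "Even" if x % 2 == 0 else "Odd"
    sign = "Neg" if y < 0 else ("Zero" if y == 0 else "Pos")
    return (parity, sign)


def abstract_relation():
    """Existential abstraction: a -> b iff some concrete s -> t has
    h(s) = a and h(t) = b. Every concrete behaviour is preserved; extra
    abstract behaviours may appear."""
    rel = {}
    for x in X_RANGE:
        for y in Y_RANGE:
            s = (x, y)
            for t in concrete_next(s):
                rel.setdefault(h(s), set()).add(h(t))
    return rel


def holds_af(initial, succ, goal):
    """AF goal: every path from `initial` reaches a goal state. Equivalent to:
    the graph restricted to non-goal states has no cycle reachable from
    `initial`, which a colouring DFS detects (grey = on the current path)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def dfs(s):
        if goal(s):
            return True
        c = colour.get(s, WHITE)
        if c == GREY:
            return False          # closed a cycle of non-goal states
        if c == BLACK:
            return True
        colour[s] = GREY
        if not all(dfs(t) for t in succ(s)):
            return False
        colour[s] = BLACK
        return True

    return dfs(initial)


def concrete_verdict():
    """AF (y = 0) on the concrete system from CONCRETE_INIT."""
    return holds_af(CONCRETE_INIT, concrete_next, lambda s: s[1] == 0)


def abstract_verdict():
    """AF (y = Zero) on the abstract system from h(CONCRETE_INIT)."""
    rel = abstract_relation()
    return holds_af(h(CONCRETE_INIT), lambda a: rel.get(a, set()),
                    lambda a: a[1] == "Zero")


if __name__ == "__main__":
    print("concrete: AF y=0   ->", concrete_verdict())    # True
    print("abstract: AF y=Zero ->", abstract_verdict())   # False (spurious counterexample)
```

The abstract self-loop on (Even, Pos) comes from concrete transitions such as (4, 2) → (-4, 1), where both x values are even and both y values positive; the abstraction cannot see that y strictly decreases, which is what the concrete proof relies on. Refining h (for instance, keeping y's value once it is small) is the usual way to eliminate such a spurious counterexample.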

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

  mtype = { N, T, C };   /* local states: idle, trying, critical */
  byte tok = 1;          /* the token: which process may enter C */

  active [2] proctype user() {
    byte state = N;
    do
    :: (state == N) -> state = T
    /* Spin numbers the two active processes 0 and 1; the slide's state graph
       numbers them 1 and 2, so the token is compared against _pid + 1 */
    :: (state == T) && (tok == _pid + 1) -> state = C
    :: (state == C) -> state = N;
       if             /* hand the token to either process, nondeterministically */
       :: tok = 1
       :: tok = 2
       fi
    od
  }

Symmetry Reduction Example

State graph (12 states reachable from N1 N2, tok=1; each row is a pair of states mapped onto each other by swapping the two processes):

  (N1 N2, tok=1)   (N1 N2, tok=2)
  (N1 T2, tok=1)   (T1 N2, tok=2)
  (T1 N2, tok=1)   (N1 T2, tok=2)
  (T1 T2, tok=1)   (T1 T2, tok=2)
  (C1 N2, tok=1)   (N1 C2, tok=2)
  (C1 T2, tok=1)   (T1 C2, tok=2)

Reduced state graph (one representative per equivalence class, 6 states):

  (N1 N2, tok=1)
  (N1 T2, tok=1)
  (T1 N2, tok=1)
  (T1 T2, tok=1)
  (C1 N2, tok=1)
  (C1 T2, tok=1)
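The two-process token model from the SPIN slide, explored explicitly with and without symmetry reduction, as an added Python example (not code from the slides, nor from SPIN or its symmetry-reduction extensions). The successor function mirrors the three guarded options of the Promela do-loop; the canonicalisation function applies every permutation of process identities to the local states and to the token and keeps the smallest candidate under (tok, locals), so the representative always holds the token in process 1, just like the reduced graph on the slide. Two assumptions: the release `state = N; if :: tok = 1 :: tok = 2 fi` is treated as a single step (the slide's graph has no intermediate state), and processes are numbered 1 and 2 as on the slide. Exploring the full graph yields the slide's 12 states, the reduced graph its 6, and mutual exclusion (never two processes in C) can be checked on either.

```python
from itertools import permutations

N, T, C = "N", "T", "C"       # local states: idle, trying, critical
NPROC = 2                     # `active [2] proctype user()`
INITIAL = ((N, N), 1)         # both idle, token with process 1 (`byte tok = 1`)


def _with(locals_, i, value):
    """Copy of the tuple of local states with position i replaced."""
    return locals_[:i] + (value,) + locals_[i + 1:]


def successors(state):
    """Interleaving successors of (local states, tok): one guarded option of one
    process per step. Release of the critical section plus the token hand-off is
    one step here (assumption matching the slide's graph)."""
    locals_, tok = state
    out = set()
    for i, s in enumerate(locals_):
        pid = i + 1                              # processes numbered 1..NPROC
        if s == N:
            out.add((_with(locals_, i, T), tok))
        elif s == T and tok == pid:
            out.add((_with(locals_, i, C), tok))
        elif s == C:
            for new_tok in range(1, NPROC + 1):
                out.add((_with(locals_, i, N), new_tok))
    return out


def canonical(state):
    """Representative of a state's symmetry class: apply every permutation of
    process identities to the local states and to the token, keep the smallest
    candidate under (tok, locals). The representative therefore has tok = 1."""
    locals_, tok = state
    best = None
    for perm in permutations(range(NPROC)):      # perm[old] = new position
        new_locals = [None] * NPROC
        for old, new in enumerate(perm):
            new_locals[new] = locals_[old]
        new_tok = perm[tok - 1] + 1
        cand = (new_tok, tuple(new_locals))
        if best is None or cand < best:
            best = cand
    return (best[1], best[0])


def explore(canon=lambda s: s):
    """Reachable states from INITIAL by DFS; with `canon`, every discovered
    state is replaced by its representative, so one state per class is stored."""
    start = canon(INITIAL)
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for t in successors(s):
            r = canon(t)
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def mutual_exclusion(states):
    """Safety check: no state has more than one process in C."""
    return all(s[0].count(C) <= 1 for s in states)


if __name__ == "__main__":
    full, reduced = explore(), explore(canonical)
    print(len(full), "states without reduction")        # 12
    print(len(reduced), "states with symmetry reduction")  # 6
    print("mutual exclusion holds:", mutual_exclusion(full))
```

Checking a symmetric property such as mutual exclusion on the reduced graph is sound because the property is invariant under the same process permutation that canonicalisation applies; a property that names one specific process (for instance, "process 2 eventually enters C") is not invariant and must not be checked on the tok = 1 representatives alone.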

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                                                                            PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states    time      memory       states    time      memory
  Migratory Protocol (2)  155040    108.63s   56.3 MB      435456    2.34s     42.8 MB
  Stable Marriage (2)     710       0.84s     7.3 MB       568       <0.01s    1.5 MB
  Stable Marriage (3)     1275      2.72s     10.4 MB      945       <0.01s    1.5 MB
  Stable Marriage (5)     10351     31.56s    30.0 MB      8421      0.03s     2.1 MB
  Best (7)                15        0.06s     0.7 MB       2187      0.03s     1.5 MB
  Best (20)               41        0.34s     5.7 MB       N/A¹
  Worst (3)               15        0.04s     0.3 MB       15        <0.01s    1.5 MB
  Worst (20)              2097150   0.36s     5.0 MB       2097150   15.03s    110.6 MB
  Worst (100)             2.54E+30  14.34s    14.6 MB      N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO (no partial order reduction)

       NuSMV                          SPIN
  N    states   time     memory       states   time     memory
  2    70       0.11s    1.1 MB       70       <0.01s   1.5 MB
  3    488      0.57s    4.6 MB       488      <0.01s   1.5 MB
  4    3576     6.77s    10.6 MB      3576     0.10s    2.3 MB
  8    N/A¹                           N/A¹

PO (with partial order reduction)

       NuSMV-ImProviso                SPIN
  N    states   time       memory     states   time     memory
  2    48       0.10s      1.0 MB     48       0.02s    1.5 MB
  3    209      0.31s      3.0 MB     209      <0.01s   1.5 MB
  4    922      1.77s      10.4 MB    922      <0.01s   1.7 MB
  8    306903   3553.86s   381.8 MB   306903   11.82s   232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                                            Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and scales to larger state spaces; the partial order reduction in Spin is very helpful
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD-based checking for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


Cone of Influence Reduction

• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Cone of Influence Reduction

A simple system model:

    Boolean v1, v2, v3, v4, v5, v6
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
        v3 = v1 & v2
        v4 = v5 & v3
        v5 = v4 & v6
    End

A simple LTL property:

    F (~v1)    (v1 will eventually become False)

Cone of influence reduction with respect to {v1} keeps only the variables that v1 can depend on:

    Boolean v1, v2, v3
    Repeat forever in parallel
        v1 = v2
        v2 = v1 & v3
    End
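As an added example (not part of the slides), the following Python computes the cone of influence of {v1} for the system model above as the transitive closure of the assignment dependencies, builds the reduced model, and checks F(~v1) on both models by searching for a lasso along which v1 stays true. The dependency closure also retains v3's assignment, since v2 reads v3 and v3 reads v1 and v2; the model encoding, the treatment of the unassigned v6 as a free input, and the property checker are assumptions of this example.

```python
from itertools import product

def example_model():
    """Constructed from the slide's 'simple system model': for each assigned variable,
    (variables its next-state assignment reads, update function). v6 has no
    assignment, so it is a free input that may take any value at every step."""
    return {
        "v1": (("v2",),      lambda s: s["v2"]),
        "v2": (("v1", "v3"), lambda s: s["v1"] and s["v3"]),
        "v3": (("v1", "v2"), lambda s: s["v1"] and s["v2"]),
        "v4": (("v5", "v3"), lambda s: s["v5"] and s["v3"]),
        "v5": (("v4", "v6"), lambda s: s["v4"] and s["v6"]),
    }

def all_variables(model):
    """Every variable that is assigned or read anywhere in the model."""
    names = set(model)
    for deps, _ in model.values():
        names.update(deps)
    return names

def cone_of_influence(model, vars_of_interest):
    """Smallest set C containing vars_of_interest such that, whenever v is in C,
    every variable read by v's assignment is in C too (transitive closure of the
    dependency relation)."""
    cone = set(vars_of_interest)
    work = list(cone)
    while work:
        v = work.pop()
        deps = model[v][0] if v in model else ()   # free input: reads nothing
        for w in deps:
            if w not in cone:
                cone.add(w)
                work.append(w)
    return cone

def reduce_model(model, cone):
    """Reduced model N: keep only the assignments of variables inside the cone."""
    return {v: model[v] for v in model if v in cone}

def successors(model, variables, state):
    """One synchronous step: assigned variables follow their update functions, free
    inputs (names in `variables` without an assignment) branch over both values."""
    free = sorted(v for v in variables if v not in model)
    base = {v: update(state) for v, (_, update) in model.items()}
    for values in product((False, True), repeat=len(free)):
        nxt = dict(base)
        nxt.update(zip(free, values))
        yield nxt

def eventually_not(model, variables, var, init):
    """Check the LTL property F(~var) on every path from init. On a finite graph the
    only way to violate it is an infinite path along which var stays true, i.e. a
    reachable cycle inside the region of states where var is true. A DFS that tracks
    the states on its stack finds such a lasso; returns (holds, lasso_or_None)."""
    if not init[var]:
        return True, None
    key = lambda s: tuple(sorted(s.items()))
    on_stack, finished = set(), set()

    def dfs(state, path):
        on_stack.add(key(state))
        path.append(state)
        for nxt in successors(model, variables, state):
            if not nxt[var]:
                continue                  # var became false: this branch is fine
            k = key(nxt)
            if k in on_stack:
                return path + [nxt]       # back edge: var can stay true forever
            if k not in finished:
                lasso = dfs(nxt, path)
                if lasso:
                    return lasso
        on_stack.discard(key(state))
        finished.add(key(state))
        path.pop()
        return None

    lasso = dfs(init, [])
    return lasso is None, lasso

def verdicts_agree(model, var):
    """The slide's claim, checked exhaustively for f = F(~var): M satisfies f from an
    initial state iff the reduced model N satisfies f from the projected state."""
    full_vars = all_variables(model)
    cone = cone_of_influence(model, {var})
    reduced = reduce_model(model, cone)
    for values in product((False, True), repeat=len(full_vars)):
        init = dict(zip(sorted(full_vars), values))
        verdict_m, _ = eventually_not(model, full_vars, var, init)
        verdict_n, _ = eventually_not(reduced, cone, var, {v: init[v] for v in cone})
        if verdict_m != verdict_n:
            return False
    return True

if __name__ == "__main__":
    m = example_model()
    cone = cone_of_influence(m, {"v1"})
    n = reduce_model(m, cone)
    print("cone of influence of {v1}:", sorted(cone))
    print("reduced model keeps assignments of:", sorted(n))
    holds, lasso = eventually_not(n, cone, "v1", {"v1": True, "v2": True, "v3": True})
    print("F(~v1) from v1=v2=v3=True:", holds, lasso)
    print("M and N agree on F(~v1) for every initial state:", verdicts_agree(m, "v1"))
```

Note that F(~v1) fails from the initial state where v1, v2 and v3 are all true (the system then stays there forever), and the reduced model reports exactly the same verdict as the full one.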

Data Abstraction

Abstraction function h : S → S'

[Figure: arrows labelled h map concrete states in S to abstract states in S']

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components

x : int → {Even, Odd}
    Odd  = {…, -3, -1, 1, 3, …}
    Even = {…, -2, 0, 2, 4, …}

y : int → {Pos, Neg, Zero}
    Pos  = {1, 2, 3, …}
    Neg  = {…, -3, -2, -1}
    Zero = {0}
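An added example, not from the slides: the parity/sign abstraction above applied to a small constructed concrete program (the program and its bound are assumptions of this example), computing the existential abstraction of the transition relation and a reachability set on the abstract model.

```python
def h_parity(x):
    """Abstract x : int by parity, as on the slide."""
    return "Even" if x % 2 == 0 else "Odd"

def h_sign(y):
    """Abstract y : int by sign, as on the slide."""
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")

def h(state):
    """Component-wise abstraction function h : S -> S' applied to a state (x, y)."""
    x, y = state
    return (h_parity(x), h_sign(y))

# Constructed concrete program (an assumption, not from the slide): each step flips
# the sign of x and adds x to y; values are clamped to [-BOUND, BOUND] so S is finite.
BOUND = 4

def clamp(n):
    return max(-BOUND, min(BOUND, n))

def concrete_step(state):
    x, y = state
    return (clamp(-x), clamp(y + x))

def concrete_states():
    return [(x, y) for x in range(-BOUND, BOUND + 1) for y in range(-BOUND, BOUND + 1)]

def existential_abstraction(states, step, h):
    """Abstract transition relation R': a -> b is in R' iff some concrete state s with
    h(s) = a steps to a t with h(t) = b. Every concrete behaviour survives in the
    abstract model, which is why a property proven on S' carries over to S; the price
    is nondeterminism that the concrete program did not have."""
    rel = {}
    for s in states:
        rel.setdefault(h(s), set()).add(h(step(s)))
    return rel

def simulates(states, step, h, rel):
    """Soundness check: every concrete transition has an abstract counterpart."""
    return all(h(step(s)) in rel.get(h(s), set()) for s in states)

def abstract_reachable(rel, start):
    """Abstract states reachable from start; a safety property that holds on this set
    holds for every concrete state that abstracts to start."""
    seen, work = {start}, [start]
    while work:
        a = work.pop()
        for b in rel.get(a, ()):
            if b not in seen:
                seen.add(b)
                work.append(b)
    return seen

if __name__ == "__main__":
    states = concrete_states()
    rel = existential_abstraction(states, concrete_step, h)
    print("abstract successors of (Odd, Pos):", sorted(rel[("Odd", "Pos")]))
    print("abstraction simulates the concrete program:", simulates(states, concrete_step, h, rel))
    print("reachable from (Even, Zero):", sorted(abstract_reachable(rel, ("Even", "Zero"))))
```

From (Odd, Pos) the abstract model can move to any sign of y, because the concrete magnitude of x is lost; from (Even, Zero) no Odd state is reachable, a fact the abstract model proves for all concrete states with even x.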

Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only 1 state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };    /* local states: non-critical, trying, critical */
    byte tok = 1;           /* token names the process allowed to enter: 1 or 2 */

    active [2] proctype user() {
        mtype state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0-based, tok is 1-based */
        :: (state == C) -> state = N;
                           if
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph vs. reduced state graph. Each node is labelled with the local state of user 1 and user 2 (N, T or C) and the token value.]

State graph (12 states): N1 N2 tok=1, N1 N2 tok=2, N1 T2 tok=1, T1 N2 tok=2, T1 N2 tok=1, N1 T2 tok=2, T1 T2 tok=1, T1 T2 tok=2, C1 N2 tok=1, N1 C2 tok=2, C1 T2 tok=1, T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class): N1 N2 tok=1, N1 T2 tok=1, T1 N2 tok=1, T1 T2 tok=1, C1 N2 tok=1, C1 T2 tok=1
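An added example, not from the slides: a Python re-encoding of the Promela model that explores its state graph with and without symmetry reduction, reproducing the 12-state graph and the 6-state reduced graph above. Processes are numbered 1 and 2 as on the slide; the canonicalisation rule (among the images of a state under all process permutations, pick the one with the smallest token value) is an assumption of this example.

```python
from itertools import permutations

N, T, C = "N", "T", "C"     # local states of a user: non-critical, trying, critical
PROCS = (1, 2)              # process ids as numbered on the slide (tok is 1 or 2)

def initial():
    """(state of user 1, state of user 2, tok), matching 'N1 N2 tok=1'."""
    return (N, N, 1)

def successors(state):
    """Interleaving semantics of the Promela model: one process fires one guarded
    option per step; leaving C hands the token to process 1 or 2 nondeterministically."""
    s1, s2, tok = state
    local = {1: s1, 2: s2}
    out = set()
    for p in PROCS:
        if local[p] == N:
            moves = [(T, tok)]
        elif local[p] == T and tok == p:
            moves = [(C, tok)]
        elif local[p] == C:
            moves = [(N, 1), (N, 2)]
        else:
            moves = []                     # T without the token: blocked
        for new_local, new_tok in moves:
            renamed = dict(local)
            renamed[p] = new_local
            out.add((renamed[1], renamed[2], new_tok))
    return out

def permute(state, perm):
    """Apply a process permutation (dict old id -> new id) to a state. Both the vector
    of local states and the token value (which names a process) must be renamed."""
    s1, s2, tok = state
    local = {1: s1, 2: s2}
    renamed = {perm[p]: local[p] for p in PROCS}
    return (renamed[1], renamed[2], perm[tok])

def canonical(state):
    """Representative of a state's symmetry equivalence class: among all images under
    process permutations, the one with the smallest token value (then local states).
    With two processes this picks exactly the tok=1 nodes of the reduced graph."""
    images = [permute(state, dict(zip(PROCS, order))) for order in permutations(PROCS)]
    return min(images, key=lambda s: (s[2], s[0], s[1]))

def explore(use_symmetry=False):
    """Explicit-state reachability. With use_symmetry=True every state is canonicalised
    before it is stored or expanded, so only one state per equivalence class is searched."""
    rep = canonical if use_symmetry else (lambda s: s)
    start = rep(initial())
    seen, work = {start}, [start]
    while work:
        s = work.pop()
        for t in successors(s):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def mutual_exclusion_holds(states):
    """Safety check: no reachable state has both users in C."""
    return all(not (s1 == C and s2 == C) for s1, s2, _ in states)

if __name__ == "__main__":
    full, reduced = explore(), explore(use_symmetry=True)
    print("state graph:", len(full), "states; reduced state graph:", len(reduced), "states")
    print("mutual exclusion holds:", mutual_exclusion_holds(full), mutual_exclusion_holds(reduced))
```

Because the permutation also renames the token, T1 N2 tok=1 and N1 T2 tok=2 fall into the same class, while T1 N2 tok=1 and N1 T2 tok=1 do not; that is why both of the latter survive in the reduced graph.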

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handles fairness with partial order reduction
  – Bounded model checking of process algebra

                                                                                              PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
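An added example, not from the slides: how wf(e) and sf(e) are decided on a lasso-shaped run (a finite prefix followed by a cycle repeated forever), and how a starvation counterexample found without fairness, the "non-starvation: FALSE" result above, may or may not survive once a fairness assumption is added. The runs and event names are constructed for illustration.

```python
def position(enabled, taken):
    """One position of a run: the events enabled in that state and the one taken."""
    return {"enabled": frozenset(enabled), "taken": taken}

# Constructed cycles (the prefix is irrelevant for fairness, only the part repeated
# forever counts). Assumed scenario: user 1 keeps taking the critical section while
# user 2's "enter2" never fires, i.e. user 2 starves.
CYCLE_ALWAYS_ENABLED = [              # enter2 enabled in every state of the cycle
    position({"enter1", "enter2"}, "enter1"),
    position({"leave1", "enter2"}, "leave1"),
]
CYCLE_SOMETIMES_ENABLED = [           # enter2 enabled only while user 1 is outside
    position({"enter1", "enter2"}, "enter1"),
    position({"leave1"}, "leave1"),
]

def satisfies_wf(cycle, e):
    """wf(e): if e is continuously enabled from some point on, it is taken infinitely
    often. On a lasso: enabled in every cycle state implies taken somewhere in it."""
    always_enabled = all(pos["enabled"].__contains__(e) for pos in cycle)
    taken = any(pos["taken"] == e for pos in cycle)
    return taken or not always_enabled

def satisfies_sf(cycle, e):
    """sf(e): if e is enabled infinitely often, it is taken infinitely often.
    On a lasso: enabled in some cycle state implies taken somewhere in it."""
    sometimes_enabled = any(e in pos["enabled"] for pos in cycle)
    taken = any(pos["taken"] == e for pos in cycle)
    return taken or not sometimes_enabled

def counterexample_survives(cycle, assumptions):
    """A lasso the model checker found refutes the property only if it also respects
    every fairness assumption; unfair lassos are pruned from the search.
    assumptions: list of ("wf" | "sf", event)."""
    checks = {"wf": satisfies_wf, "sf": satisfies_sf}
    return all(checks[kind](cycle, e) for kind, e in assumptions)

if __name__ == "__main__":
    for name, cycle in [("always enabled", CYCLE_ALWAYS_ENABLED),
                        ("sometimes enabled", CYCLE_SOMETIMES_ENABLED)]:
        print(name,
              "| no fairness:", counterexample_survives(cycle, []),
              "| wf(enter2):", counterexample_survives(cycle, [("wf", "enter2")]),
              "| sf(enter2):", counterexample_survives(cycle, [("sf", "enter2")]))
```

The second cycle is where the two notions differ: weak fairness accepts it (enter2 is not continuously enabled), so the starvation counterexample stands under wf(enter2), but strong fairness rejects it.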

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                            NuSMV-ImProviso                   SPIN
                            states     time      memory       states     time      memory
Migratory Protocol (2)      155040     10863s    563 MB       435456     234s      428 MB
Stable Marriage (2)         710        084s      73 MB        568        <001s     15 MB
Stable Marriage (3)         1275       272s      104 MB       945        <001s     15 MB
Stable Marriage (5)         10351      3156s     300 MB       8421       003s      21 MB
Best (7)                    15         006s      07 MB        2187       003s      15 MB
Best (20)                   41         034s      57 MB        NA¹
Worst (3)                   15         004s      03 MB        15         <001s     15 MB
Worst (20)                  2097150    036s      50 MB        2097150    1503s     1106 MB
Worst (100)                 254E+30    1434s     146 MB       NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Non-PO                      NuSMV                             SPIN
                            states     time      memory       states     time      memory
2                           70         011s      11 MB        70         <001s     15 MB
3                           488        057s      46 MB        488        <001s     15 MB
4                           3576       677s      106 MB       3576       010s      23 MB
8                           NA¹                               NA¹

PO                          NuSMV-ImProviso                   SPIN
                            states     time      memory       states     time      memory
2                           48         010s      10 MB        48         002s      15 MB
3                           209        031s      30 MB        209        <001s     15 MB
4                           922        177s      104 MB       922        <001s     17 MB
8                           306903     355386s   3818 MB      306903     1182s     2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                                              Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

                                                                                              • Model Checking and Related Techniques
                                                                                              • Outline
                                                                                              • Model Checking Introduction
                                                                                              • Model Checking
                                                                                              • Model of Concurrent Systems
                                                                                              • Model of Concurrent Systems (Cont)
                                                                                              • Temporal logics
                                                                                              • Temporal logics (2)
                                                                                              • CTL Examples
                                                                                              • Fixpoint Algorithms
                                                                                              • Model Checking Problem
                                                                                              • Symbolic Model Checking
                                                                                              • Symbolic Model Checking with BDDs
                                                                                              • Ordered Binary Decision Trees and Diagrams
                                                                                              • OBDD for Comparator Example
                                                                                              • Variable Ordering Problem
                                                                                              • Symbolic Model Checking Algorithm
                                                                                              • Symbolic Model Checking (cont)
                                                                                              • Symbolic Model Checking (cont) (2)
                                                                                              • Problems with BDDs
                                                                                              • Advantages of SAT Procedures
                                                                                              • Bounded Model Checking
                                                                                              • Main Advantages of SAT Approach
                                                                                              • NuSMV A New Symbolic Model Verifier
                                                                                              • NuSMV language by examples
                                                                                              • Explicit Model Checking
                                                                                              • Buumlchi Automata
                                                                                              • Example
                                                                                              • LTL and Buumlchi Automata
                                                                                              • LTL Model Checking
                                                                                              • Nested Depth First Search
                                                                                              • Example (2)
                                                                                              • Example (3)
                                                                                              • Nested Depth First Search (2)
                                                                                              • Nested Depth First Search (3)
                                                                                              • Explicit Model Checking (2)
                                                                                              • SPIN
                                                                                              • SPIN Example of Petersonrsquos Algorithm
                                                                                              • Outline (2)
                                                                                              • Partial Order Reduction
                                                                                              • The State Explosion Problem
                                                                                              • Partial Order Reduction (2)
                                                                                              • Partial Order Reduction (Cont)
                                                                                              • Partial Order Reduction (Cont) (2)
                                                                                              • Compositional Reasoning
                                                                                              • Abstraction
                                                                                              • Cone of Influence Reduction
                                                                                              • Cone of Influence Reduction (2)
                                                                                              • Data Abstraction
                                                                                              • Data Abstraction Example
                                                                                              • Symmetry
                                                                                              • Model Written in SPIN
                                                                                              • Symmetry Reduction Example
                                                                                              • Outline (3)
                                                                                              • PAT Process Analysis Toolkit
                                                                                              • PAT Workflow Diagram
                                                                                              • Fairness Assumptions
                                                                                              • Specifying Fairness
                                                                                              • Outline (4)
                                                                                              • Comparison NuSMV-ImProviso and SPIN
                                                                                              • Comparison Leader Election Protocol
                                                                                              • Comparison PAT SPIN and FDR
                                                                                              • Comparison Conclusion
                                                                                              • Outline (5)
                                                                                              • Conclusion
                                                                                              • Model Checking Distributed Algorithms
                                                                                              • Model Checking Distributed Algorithms (2)

                                                                                                Cone of Influence Reduction

                                                                                                Boolean v1 v2 v3 v4 v5 v6

                                                                                                Repeat forever in parallel

                                                                                                v1 = v2 v2 = v1 amp v3 v3 = v1 amp v2 v4 = v5 amp v3 v5 = v4 amp v6

                                                                                                End

                                                                                                (F (~ v1)) v1 will eventually become False

                                                                                                Boolean v1 v2 v3

                                                                                                Repeat forever in parallel

                                                                                                v1 = v2

                                                                                                v2 = v1 amp v3

                                                                                                End

                                                                                                A Simple System Model

                                                                                                A Simple LTL property

                                                                                                Cone of Influence Reduction

                                                                                                Data Abstraction

                                                                                                h h hh h

                                                                                                Abstraction Function h S Srsquo

                                                                                                S

                                                                                                Srsquo

                                                                                                Data Abstraction Example

                                                                                                bull Abstraction proceeds component-wise where variables are components

                                                                                                xint Even

                                                                                                Oddhellip -3 -1 1 3 hellip

                                                                                                hellip -2 0 2 4 hellip

                                                                                                1 2 3 hellip

                                                                                                hellip -3 -2 -1

                                                                                                0

                                                                                                Pos

                                                                                                Neg

                                                                                                Zeroyint

                                                                                                Symmetry

                                                                                                bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                                                                equivalence class

                                                                                                bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                                                                bull Ideally both should be fully automatic

                                                                                                bull Challenges detecting amp exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* local states: non-critical, trying, critical (declaration omitted on the slide) */
    byte tok = 1;          /* which user holds the token */

    active [2] proctype user() {
        byte state = N;
        do
        :: (state == N) -> state = T
        :: (state == T) && (tok == _pid) -> state = C   /* only the token holder enters */
        :: (state == C) -> state = N;
                           if                           /* hand the token on nondeterministically */
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Note that with `active [2]` and no other process created before these two, SPIN numbers them _pid 0 and 1, while tok only ever takes the values 1 and 2, so the guard tok == _pid can never hold for the first user. The figure that follows numbers the users 1 and 2; check the process instantiation order of your model (or compare tok against _pid + 1) before trusting a verification result from this text.

Symmetry Reduction Example

[Figure: state graph (left) and reduced state graph (right) of the two-user model, states written as (state of user 1, state of user 2, tok). Full graph, 12 states: (N1,N2,tok=1), (N1,N2,tok=2), (N1,T2,tok=1), (T1,N2,tok=2), (T1,N2,tok=1), (N1,T2,tok=2), (T1,T2,tok=1), (T1,T2,tok=2), (C1,N2,tok=1), (N1,C2,tok=2), (C1,T2,tok=1), (T1,C2,tok=2). Swapping the two users, and with them the token values 1 and 2, maps every state onto another reachable state, so one representative per pair suffices. Reduced graph, 6 states, all with tok=1: (N1,N2), (N1,T2), (T1,N2), (T1,T2), (C1,N2), (C1,T2).]


PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about an extended process algebra
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model checkers
  – Explicit model checker
  – Bounded model checker
• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                                                                                PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e): if e is continuously enabled from some point on, it must be taken infinitely often
• A strong fair event is written as sf(e): if e is enabled infinitely often, it must be taken infinitely often
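The token model and the reduced state graph shown under Symmetry Reduction Example, together with the wf/sf distinction just defined, carried through in one small explicit-state checker, as an added example that is not from the deck and not code from SPIN or PAT. The model follows the Promela above, with processes numbered 1..n so that the token values match the figure; the event names (p1.request, p1.enter, p1.release_to_2, ...) and the function names are this example's own. explore builds the full state graph or, with reduce=True, its quotient under process permutation; fair_starvation is the standard fair-SCC search, and it shows why a non-starvation verdict depends on the assumption: the run in which user 1 keeps the token forever is weakly fair, because the hand-off event is only enabled while user 1 is critical, but it is not strongly fair.

```python
from itertools import permutations

N, T, C = "N", "T", "C"   # non-critical, trying, critical, as in the Promela model

def successors(s):
    """Labelled transitions of the token mutex. s = (local states, token holder);
    processes are numbered 1..n so that the token values match the figure."""
    loc, tok = s
    n = len(loc)
    for i in range(n):
        before, after = loc[:i], loc[i + 1:]
        if loc[i] == N:
            yield f"p{i + 1}.request", (before + (T,) + after, tok)
        elif loc[i] == T and tok == i + 1:          # only the token holder may enter
            yield f"p{i + 1}.enter", (before + (C,) + after, tok)
        elif loc[i] == C:                           # leave, hand the token to anyone
            for t in range(1, n + 1):
                yield f"p{i + 1}.release_to_{t}", (before + (N,) + after, t)

def canonical(s):
    """Orbit representative under process permutation: permute the local states,
    renumber the token holder accordingly, keep the least (tok, locals) image."""
    loc, tok = s
    n = len(loc)
    best = None
    for pi in permutations(range(n)):
        image = [None] * n
        for i in range(n):
            image[pi[i]] = loc[i]
        cand = (tuple(image), pi[tok - 1] + 1)
        if best is None or (cand[1], cand[0]) < (best[1], best[0]):
            best = cand
    return best

def explore(n, reduce=False):
    """Explicit-state search from (N, ..., N, tok=1); returns {state: [(event, next)]}.
    With reduce=True every state is replaced by its representative, so the result
    is the quotient (reduced) state graph of the figure."""
    rep = canonical if reduce else (lambda s: s)
    init = rep(((N,) * n, 1))
    graph, stack = {}, [init]
    while stack:
        s = stack.pop()
        if s in graph:
            continue
        graph[s] = [(e, rep(t)) for e, t in successors(s)]
        stack.extend(t for _, t in graph[s])
    return graph

def mutual_exclusion(graph):
    """Safety: never two processes in C. Symmetric, so it may be checked on the quotient."""
    return all(loc.count(C) <= 1 for loc, _ in graph)

def reach(graph, inside, start, reverse=False):
    """States of `inside` reachable from start, backwards along the edges if reverse."""
    succ = {u: {t for _, t in graph[u] if t in inside} for u in inside}
    if reverse:
        pred = {u: set() for u in inside}
        for u, ts in succ.items():
            for t in ts:
                pred[t].add(u)
        succ = pred
    seen, stack = {start}, [start]
    while stack:
        for t in succ[stack.pop()] - seen:
            seen.add(t)
            stack.append(t)
    return seen

def fair_starvation(graph, victim, fairness):
    """Search for an infinite run on which process `victim` waits in T forever while
    every assumption in `fairness` (event -> "wf" | "sf") holds:
      wf(e): e continuously enabled implies e taken infinitely often,
      sf(e): e enabled infinitely often implies e taken infinitely often.
    Returns the states of such a run (a starvation counterexample) or None.
    Run it on the full graph: process-indexed events are not symmetric."""
    enabled = {s: {e for e, _ in graph[s]} for s in graph}
    cand = {s for s in graph if s[0][victim - 1] == T}
    while cand:
        s = next(iter(cand))
        scc = reach(graph, cand, s) & reach(graph, cand, s, reverse=True)
        taken = {e for u in scc for e, t in graph[u] if t in scc}
        if not taken:                      # no cycle through s: drop the trivial SCC
            cand -= scc
            continue
        drop = set()
        for e, kind in fairness.items():
            if e in taken:
                continue
            where = {u for u in scc if e in enabled[u]}
            if kind == "wf" and where == scc:
                drop |= scc                # always enabled, never taken: unfair run
            elif kind == "sf" and where:
                drop |= where              # a fair run must avoid these states
        if not drop:
            return scc
        cand -= drop
    return None
```

On two users, explore(2) has the 12 states of the figure and explore(2, reduce=True) the 6 representatives with tok=1; mutual exclusion holds on both. fair_starvation(full, 2, {}) and fair_starvation(full, 2, {"p1.release_to_2": "wf"}) both return the cycle in which user 2 waits in T while user 1 cycles N, T, C and keeps the token, whereas fair_starvation(full, 2, {"p1.release_to_2": "sf"}) returns None: the hand-off is enabled infinitely often on that cycle, so strong fairness rules it out, while weak fairness does not because the event is disabled whenever user 1 is not critical. Process-indexed fairness assumptions are not invariant under the symmetry, which is why that check runs on the full graph and only the symmetric safety property is checked on the quotient.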


Comparison: NuSMV-ImProviso and SPIN

(Times in seconds, memory in MB. The decimal points were lost in extraction and are restored here assuming two-decimal seconds and one-decimal MB, as the table's "<0.01s" entries indicate.)

                         NuSMV-ImProviso                    SPIN
                         states     time      memory        states     time      memory
  Migratory Protocol (2) 155040     108.63s   56.3 MB       435456     2.34s     42.8 MB
  Stable Marriage (2)    710        0.84s     7.3 MB        568        <0.01s    1.5 MB
  Stable Marriage (3)    1275       2.72s     10.4 MB       945        <0.01s    1.5 MB
  Stable Marriage (5)    10351      31.56s    30.0 MB       8421       0.03s     2.1 MB
  Best (7)               15         0.06s     0.7 MB        2187       0.03s     1.5 MB
  Best (20)              41         0.34s     5.7 MB        NA¹
  Worst (3)              15         0.04s     0.3 MB        15         <0.01s    1.5 MB
  Worst (20)             2097150    0.36s     5.0 MB        2097150    15.03s    110.6 MB
  Worst (100)            2.54E+30   14.34s    14.6 MB       NA¹

• SPIN is faster whenever it can handle the example
• NuSMV-ImProviso can handle more of the examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

(N = number of processes; times in seconds, memory in MB, decimal points restored as in the previous table.)

Without partial order reduction (Non-PO): NuSMV vs SPIN

   N   NuSMV                              SPIN
       states    time      memory         states    time      memory
   2   70        0.11s     1.1 MB         70        <0.01s    1.5 MB
   3   488       0.57s     4.6 MB         488       <0.01s    1.5 MB
   4   3576      6.77s     10.6 MB        3576      0.10s     2.3 MB
   8   NA¹                                NA¹

With partial order reduction (PO): NuSMV-ImProviso vs SPIN

   N   NuSMV-ImProviso                    SPIN
       states    time       memory        states    time      memory
   2   48        0.10s      1.0 MB        48        0.02s     1.5 MB
   3   209       0.31s      3.0 MB        209       <0.01s    1.5 MB
   4   922       1.77s      10.4 MB       922       <0.01s    1.7 MB
   8   306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN helps a great deal
• Generally explicit model checking and BMC complement BDD-based model checking, and BMC can also outperform BDDs on some systems


Conclusion

• Three ways to do model checking
  – Symbolic model checking
  – Bounded model checking
  – Explicit model checking
• Various optimization techniques
  – Partial order reduction
  – Compositional reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms (cont.)

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of the optimization techniques
    • Tools with better performance: SPIN, or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional reasoning
  – Symmetry

                                                                                                • Model Checking and Related Techniques
                                                                                                • Outline
                                                                                                • Model Checking Introduction
                                                                                                • Model Checking
                                                                                                • Model of Concurrent Systems
                                                                                                • Model of Concurrent Systems (Cont)
                                                                                                • Temporal logics
                                                                                                • Temporal logics (2)
                                                                                                • CTL Examples
                                                                                                • Fixpoint Algorithms
                                                                                                • Model Checking Problem
                                                                                                • Symbolic Model Checking
                                                                                                • Symbolic Model Checking with BDDs
                                                                                                • Ordered Binary Decision Trees and Diagrams
                                                                                                • OBDD for Comparator Example
                                                                                                • Variable Ordering Problem
                                                                                                • Symbolic Model Checking Algorithm
                                                                                                • Symbolic Model Checking (cont)
                                                                                                • Symbolic Model Checking (cont) (2)
                                                                                                • Problems with BDDs
                                                                                                • Advantages of SAT Procedures
                                                                                                • Bounded Model Checking
                                                                                                • Main Advantages of SAT Approach
                                                                                                • NuSMV A New Symbolic Model Verifier
                                                                                                • NuSMV language by examples
                                                                                                • Explicit Model Checking
                                                                                                • Buumlchi Automata
                                                                                                • Example
                                                                                                • LTL and Buumlchi Automata
                                                                                                • LTL Model Checking
                                                                                                • Nested Depth First Search
                                                                                                • Example (2)
                                                                                                • Example (3)
                                                                                                • Nested Depth First Search (2)
                                                                                                • Nested Depth First Search (3)
                                                                                                • Explicit Model Checking (2)
                                                                                                • SPIN
                                                                                                • SPIN Example of Petersonrsquos Algorithm
                                                                                                • Outline (2)
                                                                                                • Partial Order Reduction
                                                                                                • The State Explosion Problem
                                                                                                • Partial Order Reduction (2)
                                                                                                • Partial Order Reduction (Cont)
                                                                                                • Partial Order Reduction (Cont) (2)
                                                                                                • Compositional Reasoning
                                                                                                • Abstraction
                                                                                                • Cone of Influence Reduction
                                                                                                • Cone of Influence Reduction (2)
                                                                                                • Data Abstraction
                                                                                                • Data Abstraction Example
                                                                                                • Symmetry
                                                                                                • Model Written in SPIN
                                                                                                • Symmetry Reduction Example
                                                                                                • Outline (3)
                                                                                                • PAT Process Analysis Toolkit
                                                                                                • PAT Workflow Diagram
                                                                                                • Fairness Assumptions
                                                                                                • Specifying Fairness
                                                                                                • Outline (4)
                                                                                                • Comparison NuSMV-ImProviso and SPIN
                                                                                                • Comparison Leader Election Protocol
                                                                                                • Comparison PAT SPIN and FDR
                                                                                                • Comparison Conclusion
                                                                                                • Outline (5)
                                                                                                • Conclusion
                                                                                                • Model Checking Distributed Algorithms
                                                                                                • Model Checking Distributed Algorithms (2)

                                                                                                  Data Abstraction

                                                                                                  h h hh h

                                                                                                  Abstraction Function h S Srsquo

                                                                                                  S

                                                                                                  Srsquo

                                                                                                  Data Abstraction Example

                                                                                                  bull Abstraction proceeds component-wise where variables are components

                                                                                                  xint Even

                                                                                                  Oddhellip -3 -1 1 3 hellip

                                                                                                  hellip -2 0 2 4 hellip

                                                                                                  1 2 3 hellip

                                                                                                  hellip -3 -2 -1

                                                                                                  0

                                                                                                  Pos

                                                                                                  Neg

                                                                                                  Zeroyint

                                                                                                  Symmetry

                                                                                                  bull Symmetry partitions state-space into equivalence classesbull Knowledge of symmetry search only 1 state per

                                                                                                  equivalence class

                                                                                                  bull Need techniques forndash Symmetry detectionndash Efficient exploitation of symmetry

                                                                                                  bull Ideally both should be fully automatic

                                                                                                  bull Challenges detecting amp exploiting symmetries

                                                                                                  Model Written in SPIN

                                                                                                  byte tok = 1

                                                                                                  active [2] proctype user() byte state = N do (state == N) -gt state = T (state == T) ampamp (tok == _pid) -gt state = C (state == C) -gt state = N if tok = 1 tok = 2 fi od

                                                                                                  Symmetry Reduction Example

                                                                                                  N1 N2

                                                                                                  tok=1N1 N2

                                                                                                  tok=2

                                                                                                  N1 T2

                                                                                                  tok=1T1 N2

                                                                                                  tok=2T1 N2

                                                                                                  tok=1N1 T2

                                                                                                  tok=2

                                                                                                  T1 T2

                                                                                                  tok=1T1 T2

                                                                                                  tok=2C1 N2

                                                                                                  tok=1N1 C2

                                                                                                  tok=2

                                                                                                  C1 T2

                                                                                                  tok=1T1 C2

                                                                                                  tok=2

                                                                                                  N1 N2

                                                                                                  tok=1

                                                                                                  N1 T2

                                                                                                  tok=1T1 N2

                                                                                                  tok=1

                                                                                                  T1 T2

                                                                                                  tok=1C1 N2

                                                                                                  tok=1

                                                                                                  C1 T2

                                                                                                  tok=1

                                                                                                  State-graphReduced state-graph

                                                                                                  Outline

                                                                                                  bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                                  bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                                  bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                                  PAT Process Analysis Toolkit

                                                                                                  bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                                                                                                  bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                                                                                                  bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                                                                                                  bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

                                                                                                  PAT Workflow Diagram

                                                                                                  Fairness Assumptions

                                                                                                  bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                                  bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                                  Specifying Fairness

                                                                                                  bull Let e be an eventaction

                                                                                                  bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states    time       memory        states    time      memory
Migratory Protocol (2)    155040    108.63s    56.3 MB       435456    2.34s     42.8 MB
Stable Marriage (2)       710       0.84s      7.3 MB        568       <0.01s    1.5 MB
Stable Marriage (3)       1275      2.72s      10.4 MB       945       <0.01s    1.5 MB
Stable Marriage (5)       10351     31.56s     30.0 MB       8421      0.03s     2.1 MB
Best (7)                  15        0.06s      0.7 MB        2187      0.03s     1.5 MB
Best (20)                 41        0.34s      5.7 MB        N/A¹
Worst (3)                 15        0.04s      0.3 MB        15        <0.01s    1.5 MB
Worst (20)                2097150   0.36s      5.0 MB        2097150   15.03s    110.6 MB
Worst (100)               2.54E+30  14.34s     14.6 MB       N/A¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best and Worst.

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

        NuSMV                              SPIN
        states    time       memory        states    time      memory
2       70        0.11s      1.1 MB        70        <0.01s    1.5 MB
3       488       0.57s      4.6 MB        488       <0.01s    1.5 MB
4       3576      6.77s      10.6 MB       3576      0.10s     2.3 MB
8       N/A¹                               N/A¹

PO (with partial order reduction)

        NuSMV-ImProviso                    SPIN
        states    time       memory        states    time      memory
2       48        0.10s      1.0 MB        48        0.02s     1.5 MB
3       209       0.31s      3.0 MB        209       <0.01s    1.5 MB
4       922       1.77s      10.4 MB       922       <0.01s    1.7 MB
8       306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, Spin is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in Spin is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

                                                                                                  • Model Checking and Related Techniques
                                                                                                  • Outline
                                                                                                  • Model Checking Introduction
                                                                                                  • Model Checking
                                                                                                  • Model of Concurrent Systems
                                                                                                  • Model of Concurrent Systems (Cont)
                                                                                                  • Temporal logics
                                                                                                  • Temporal logics (2)
                                                                                                  • CTL Examples
                                                                                                  • Fixpoint Algorithms
                                                                                                  • Model Checking Problem
                                                                                                  • Symbolic Model Checking
                                                                                                  • Symbolic Model Checking with BDDs
                                                                                                  • Ordered Binary Decision Trees and Diagrams
                                                                                                  • OBDD for Comparator Example
                                                                                                  • Variable Ordering Problem
                                                                                                  • Symbolic Model Checking Algorithm
                                                                                                  • Symbolic Model Checking (cont)
                                                                                                  • Symbolic Model Checking (cont) (2)
                                                                                                  • Problems with BDDs
                                                                                                  • Advantages of SAT Procedures
                                                                                                  • Bounded Model Checking
                                                                                                  • Main Advantages of SAT Approach
                                                                                                  • NuSMV A New Symbolic Model Verifier
                                                                                                  • NuSMV language by examples
                                                                                                  • Explicit Model Checking
• Büchi Automata
                                                                                                  • Example
• LTL and Büchi Automata
                                                                                                  • LTL Model Checking
                                                                                                  • Nested Depth First Search
                                                                                                  • Example (2)
                                                                                                  • Example (3)
                                                                                                  • Nested Depth First Search (2)
                                                                                                  • Nested Depth First Search (3)
                                                                                                  • Explicit Model Checking (2)
                                                                                                  • SPIN
• SPIN Example of Peterson's Algorithm
                                                                                                  • Outline (2)
                                                                                                  • Partial Order Reduction
                                                                                                  • The State Explosion Problem
                                                                                                  • Partial Order Reduction (2)
                                                                                                  • Partial Order Reduction (Cont)
                                                                                                  • Partial Order Reduction (Cont) (2)
                                                                                                  • Compositional Reasoning
                                                                                                  • Abstraction
                                                                                                  • Cone of Influence Reduction
                                                                                                  • Cone of Influence Reduction (2)
                                                                                                  • Data Abstraction
                                                                                                  • Data Abstraction Example
                                                                                                  • Symmetry
                                                                                                  • Model Written in SPIN
                                                                                                  • Symmetry Reduction Example
                                                                                                  • Outline (3)
                                                                                                  • PAT Process Analysis Toolkit
                                                                                                  • PAT Workflow Diagram
                                                                                                  • Fairness Assumptions
                                                                                                  • Specifying Fairness
                                                                                                  • Outline (4)
                                                                                                  • Comparison NuSMV-ImProviso and SPIN
                                                                                                  • Comparison Leader Election Protocol
                                                                                                  • Comparison PAT SPIN and FDR
                                                                                                  • Comparison Conclusion
                                                                                                  • Outline (5)
                                                                                                  • Conclusion
                                                                                                  • Model Checking Distributed Algorithms
                                                                                                  • Model Checking Distributed Algorithms (2)

Data Abstraction Example

• Abstraction proceeds component-wise, where variables are components.

[Figure: x: Int → {Even, Odd}, with Even = {…, -2, 0, 2, 4, …} and Odd = {…, -3, -1, 1, 3, …}; y: Int → {Neg, Zero, Pos}, with Neg = {…, -3, -2, -1}, Zero = {0} and Pos = {1, 2, 3, …}]
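As an added example that is not part of the slides, the following Python program carries the component-wise abstraction of the figure through for a small constructed program over two integers x and y: x is abstracted to its parity (Even/Odd) and y to its sign (Neg/Zero/Pos), and the abstract transition relation is built existentially from the concrete one. The program, the bounded window of concrete states and every function name are assumptions of this example.

```python
"""Added example (not from the slides): component-wise data abstraction of a small
constructed program, with the abstract transition relation built existentially."""

from itertools import product


def concrete_successor(state):
    """Constructed concrete program over (x, y): x counts up, y moves one step towards 0."""
    x, y = state
    return (x + 1, y - 1 if y > 0 else y + 1 if y < 0 else 0)


# Abstraction maps of the slide, applied per variable (component-wise).
def parity(x):
    return "Even" if x % 2 == 0 else "Odd"


def sign(y):
    return "Zero" if y == 0 else ("Pos" if y > 0 else "Neg")


def h(state):
    x, y = state
    return (parity(x), sign(y))


def abstract_transitions(window):
    """Existential abstraction: an abstract edge exists iff some concrete state in
    `window` has a successor with those abstract values. The result over-approximates
    the concrete behaviour, so a safety property proved on it also holds concretely.
    A finite window suffices here because the concrete step depends on x only through
    its parity and on y only through its sign and whether |y| == 1; in general the
    relation has to be computed symbolically."""
    return {(h(s), h(concrete_successor(s))) for s in window}


def abstract_reachable(edges, start):
    seen, todo = {start}, [start]
    while todo:
        a = todo.pop()
        for src, dst in edges:
            if src == a and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def violates_invariant(edges, start, forbidden):
    """Does any abstract state reachable from `start` satisfy `forbidden`?"""
    return any(forbidden(a) for a in abstract_reachable(edges, start))


WINDOW = list(product(range(-4, 5), range(-4, 5)))  # constructed bounded concrete states
EDGES = abstract_transitions(WINDOW)


def sign_never_flips():
    """Safety property checked on the abstract model: y never jumps across zero."""
    return not any({a[1], b[1]} == {"Pos", "Neg"} for a, b in EDGES)


def spurious_liveness_loop():
    """Liveness is not preserved: the abstract graph cycles through Pos states
    (y = 3 and y = 2 both abstract to Pos) although every concrete run reaches Zero."""
    return ((("Even", "Pos"), ("Odd", "Pos")) in EDGES
            and (("Odd", "Pos"), ("Even", "Pos")) in EDGES)
```

The abstract graph proves the safety property that the sign of y never jumps from Pos to Neg, and that result carries over to the concrete program because existential abstraction only adds behaviour. It also shows the price: the abstract cycle between (Even, Pos) and (Odd, Pos) has no concrete counterpart, so the liveness property that y eventually reaches Zero would yield a spurious counterexample and require refinement.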

Symmetry

• Symmetry partitions the state space into equivalence classes.
• With knowledge of the symmetry, search only one state per equivalence class.

• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry

• Ideally both should be fully automatic.

• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    mtype = { N, T, C };   /* non-critical, trying, critical; declaration added, the slide leaves N, T, C undefined */
    byte tok = 1;

    active [2] proctype user() {
      mtype state = N;
      do
      :: (state == N) -> state = T
      :: (state == T) && (tok == _pid) -> state = C   /* SPIN numbers the two active processes 0 and 1, while tok takes the values 1 and 2 used on the next slide */
      :: (state == C) -> state = N;
         if
         :: tok = 1
         :: tok = 2
         fi
      od
    }

Symmetry Reduction Example

[Figure: state-graph and reduced state-graph of the model above; the states are listed below]

State-graph (12 states): N1 N2 tok=1; N1 N2 tok=2; N1 T2 tok=1; T1 N2 tok=2; T1 N2 tok=1; N1 T2 tok=2; T1 T2 tok=1; T1 T2 tok=2; C1 N2 tok=1; N1 C2 tok=2; C1 T2 tok=1; T1 C2 tok=2

Reduced state-graph (6 states): N1 N2 tok=1; N1 T2 tok=1; T1 N2 tok=1; T1 T2 tok=1; C1 N2 tok=1; C1 T2 tok=1
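The fairness slides above (wf(e), sf(e) and the non-starvation result) and this symmetry example can both be exercised on one small model. The following Python program is an added example, not code from the slides, from SPIN or from PAT: it encodes the two-process token mutex of the Promela slide as a constructed transition system (the event names req, enter and exit_to are mine, and each exit choice is treated as its own event), explores it once as-is and once modulo the swap of the two processes, and then checks non-starvation of a process with no fairness, with weak fairness on every event, and with strong fairness on every event, using the usual refinement of strongly connected subgraphs.

```python
"""Added example (not from the slides, SPIN or PAT): explicit-state exploration of the
two-process token mutex from the Promela slide, with symmetry reduction and a
non-starvation check under no, weak and strong fairness on all events."""

N, T, C = "N", "T", "C"  # local states of the slide: non-critical, trying, critical
INIT = (N, N, 1)         # (state of process 1, state of process 2, token holder)


def step(s, i, v, tok=None):
    """Copy of s with process i in local state v and, optionally, a new token holder."""
    n = list(s)
    n[i] = v
    return tuple(n[:2] + [s[2] if tok is None else tok])


def successors(s):
    """Yield (event, next_state); event names are constructed, one per exit choice so that wf(e)/sf(e) can name it."""
    for i, pid in ((0, 1), (1, 2)):
        if s[i] == N:
            yield f"req{pid}", step(s, i, T)
        elif s[i] == T and s[2] == pid:      # only the token holder may enter C
            yield f"enter{pid}", step(s, i, C)
        elif s[i] == C:
            for give in (1, 2):              # the `if :: tok = 1 :: tok = 2 fi` choice
                yield f"exit{pid}_to{give}", step(s, i, N, give)


def swap_canon(s):
    """Orbit representative under swapping the two processes (the token value swaps too): process 1 holds the token, as on the slide."""
    return s if s[2] == 1 else (s[1], s[0], 1)


def explore(canon=lambda s: s):
    """Reachable states: the identity gives the full state graph, swap_canon the
    symmetry-reduced graph with one state per equivalence class."""
    seen, todo = {canon(INIT)}, [canon(INIT)]
    while todo:
        for _, t in successors(todo.pop()):
            t = canon(t)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def enabled(s):
    return {e for e, _ in successors(s)}


def nontrivial_sccs(nodes):
    """Strongly connected subsets of `nodes` that contain at least one transition."""
    reach = {}
    for u in nodes:
        seen, todo = set(), [u]
        while todo:
            for _, t in successors(todo.pop()):
                if t in nodes and t not in seen:
                    seen.add(t)
                    todo.append(t)
        reach[u] = seen
    done, out = set(), []
    for u in nodes:
        comp = {v for v in reach[u] if u in reach[v]}  # contains u iff u lies on a cycle
        if u in comp and u not in done:
            out.append(frozenset(comp))
            done |= comp
    return out


def fair_loop_exists(X, fairness, witness):
    """Is there a strongly connected subset of X that is fair and contains a witness
    state? fairness is None, "weak" (wf on every event) or "strong" (sf on every event)."""
    stack = [X]
    while stack:
        Y = stack.pop()
        if not any(witness(s) for s in Y):
            continue
        taken = {e for s in Y for e, t in successors(s) if t in Y}
        if fairness == "weak":
            # wf(e): an event enabled in every loop state must be taken on the loop; no subset can repair that
            if set.intersection(*(enabled(s) for s in Y)) - taken:
                continue
        elif fairness == "strong":
            # sf(e): an event enabled anywhere on the loop must be taken on it; a fair sub-loop avoids its states
            bad = set.union(*(enabled(s) for s in Y)) - taken
            if bad:
                stack.extend(nontrivial_sccs({s for s in Y if not (enabled(s) & bad)}))
                continue
        return True
    return False


def non_starvation(pid, fairness=None):
    """True iff on every fair run process `pid`, once trying, eventually enters C. A counterexample
    is a fair loop in the C_pid-free region containing a trying state (exact here: T is left only via C)."""
    i = pid - 1
    region = {s for s in explore() if s[i] != C}
    return not any(fair_loop_exists(X, fairness, lambda s: s[i] == T)
                   for X in nontrivial_sccs(region))
```

With the identity canonicalisation explore() returns the 12 states of the state-graph above; with swap_canon it returns the 6 states of the reduced state-graph. Non-starvation of process 1 is FALSE with no fairness and still FALSE under weak fairness (process 2 can cycle through N, T, C and always hand the token back to itself, and no event of process 1 is continuously enabled on that loop), but TRUE under strong fairness, which is why the PAT slides distinguish wf(e) from sf(e). For an arbitration or locking protocol this is the practical point: a liveness guarantee is only as strong as the fairness assumption under which it was verified.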

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

                                                                                                    PAT Process Analysis Toolkit

                                                                                                    bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                                                                                                    bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                                                                                                    bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                                                                                                    bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

                                                                                                    PAT Workflow Diagram

                                                                                                    Fairness Assumptions

                                                                                                    bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                                    bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                                    Specifying Fairness

                                                                                                    bull Let e be an eventaction

                                                                                                    bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                                                                                                    Outline

                                                                                                    bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                                    bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                                    bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                                    Comparison NuSMV-ImProviso and SPIN

                                                                                                    states time memory states time memory

                                                                                                    Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

                                                                                                    Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

                                                                                                    Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

                                                                                                    Worst (100) 254E+30 1434s 146 MB

                                                                                                    NuSMV-ImProviso SPIN

                                                                                                    NA1

                                                                                                    NA1

                                                                                                    bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

                                                                                                    Comparison Leader Election Protocol

                                                                                                    states time memory states time memory

                                                                                                    2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

                                                                                                    8

                                                                                                    states time memory states time memory

                                                                                                    2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

                                                                                                    SPIN

                                                                                                    NA1

                                                                                                    Non-PO

                                                                                                    PONuSMV-ImProviso

                                                                                                    NuSMV

                                                                                                    NA1

                                                                                                    SPIN

                                                                                                    bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

                                                                                                    Comparison PAT SPIN and FDR

                                                                                                    Comparison Conclusion

                                                                                                    bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

                                                                                                    bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

                                                                                                    Outlinebull Model Checking Techniques

                                                                                                    ndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry


Symmetry

• Symmetry partitions the state space into equivalence classes
• Knowledge of symmetry: search only one state per equivalence class
• Need techniques for
  – Symmetry detection
  – Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries

Model Written in SPIN

    /* Two symmetric processes competing for one token.
       Process states: N = non-critical, T = trying, C = critical.
       The #defines are assumed; the slide uses N, T, C as bare names. */
    #define N 0
    #define T 1
    #define C 2

    byte tok = 1;                       /* which process may enter C */

    active [2] proctype user()
    {
        byte state = N;
        do
        :: (state == N) -> state = T
        /* SPIN numbers the two active processes 0 and 1, while the slide's
           state graph numbers them 1 and 2 and lets both enter C; the
           comparison therefore uses _pid + 1 to match the graph. */
        :: (state == T) && (tok == _pid + 1) -> state = C
        :: (state == C) -> state = N;
                           if          /* nondeterministically pass the token on */
                           :: tok = 1
                           :: tok = 2
                           fi
        od
    }

Symmetry Reduction Example

[Figure: state graph (left) and reduced state graph (right) of the model above. Each node shows the state of process 1, the state of process 2 and the token holder.]

State graph (12 reachable states):
  N1 N2 tok=1    N1 N2 tok=2
  T1 N2 tok=1    T1 N2 tok=2    N1 T2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per equivalence class; the figure keeps the tok=1 member of each class):
  N1 N2 tok=1
  N1 T2 tok=1    T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness with Partial Order Reduction
  – Bounded Model Checking of process algebra

                                                                                                      PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• Results shown on the slide:
  – deadlock-freeness: FALSE
  – non-starvation: FALSE

Specifying Fairness

• Let e be an event/action
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
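The symmetry-reduced search from the "Symmetry" and "Symmetry Reduction Example" slides, and the wf(e)/sf(e) assumptions just defined, worked through on the two-process token model above. This is an added example in Python, not code from the slides, from SPIN or from PAT: the move labels ('try', 'enter', 'exit'), the function names and the event hand_over are names chosen here, and the cycle search is a plain depth-first search rather than the nested DFS the slides discuss.

```python
"""Explicit-state exploration of the two-process token model, with symmetry
reduction and lasso-style checks of wf(e) / sf(e).  Added example, not part
of the slides, SPIN or PAT."""
from collections import deque

N, T, C = "N", "T", "C"          # non-critical, trying, critical
INIT = (N, N, 1)                 # (state of proc 1, state of proc 2, tok)


def successors(state):
    """Enabled moves of the Promela model as (label, next_state) pairs.
    Labels are hypothetical names: ('try', p), ('enter', p), ('exit', p, new_tok)."""
    s1, s2, tok = state
    procs = [s1, s2]
    out = []
    for p in (1, 2):
        i = p - 1
        nxt = procs.copy()
        if procs[i] == N:                      # (state == N) -> state = T
            nxt[i] = T
            out.append((("try", p), (nxt[0], nxt[1], tok)))
        elif procs[i] == T and tok == p:       # (state == T) && (tok == id) -> state = C
            nxt[i] = C
            out.append((("enter", p), (nxt[0], nxt[1], tok)))
        elif procs[i] == C:                    # (state == C) -> state = N; if :: tok = 1 :: tok = 2 fi
            nxt[i] = N
            for new_tok in (1, 2):
                out.append((("exit", p, new_tok), (nxt[0], nxt[1], new_tok)))
    return out


def swap(state):
    """The symmetry of the model: exchange the two processes and the token value."""
    s1, s2, tok = state
    return (s2, s1, 3 - tok)


def canonical(state):
    """Orbit representative: the member with tok == 1, as in the slide's reduced graph."""
    return state if state[2] == 1 else swap(state)


def explore(reduce=False):
    """Breadth-first exploration; returns {state: [(label, successor), ...]}.
    With reduce=True each state is replaced by its representative, so only one
    state per equivalence class is stored and expanded."""
    rep = canonical if reduce else (lambda s: s)
    graph, todo = {}, deque([rep(INIT)])
    while todo:
        s = todo.popleft()
        if s in graph:
            continue
        graph[s] = [(lbl, rep(t)) for lbl, t in successors(s)]
        todo.extend(t for _, t in graph[s])
    return graph


def mutual_exclusion(graph):
    """Safety check: no reachable state has both processes in C."""
    return not any(s[0] == C and s[1] == C for s in graph)


def find_cycle(graph, ok):
    """DFS for a cycle all of whose states satisfy ok(state).  Returns the
    edges [(state, label, next_state), ...] around the cycle, or None."""
    def dfs(s, path, on_path):
        for lbl, t in graph[s]:
            if not ok(t):
                continue
            if t in on_path:                   # closed a cycle that starts at t
                return path[on_path[t]:] + [(s, lbl, t)]
            on_path[t] = len(path) + 1         # index of the edge that will leave t
            found = dfs(t, path + [(s, lbl, t)], on_path)
            if found:
                return found
            del on_path[t]
        return None
    for start in graph:
        if ok(start):
            cycle = dfs(start, [], {start: 0})
            if cycle:
                return cycle
    return None


def starvation_cycle(graph, p):
    """A lasso along which process p is never in C: the counterexample behind
    'non-starvation: FALSE'.  Use the unreduced graph, because a representative
    may have the two processes swapped."""
    return find_cycle(graph, lambda s: s[p - 1] != C)


def enabled(state, is_e):
    return any(is_e(lbl) for lbl, _ in successors(state))


def taken(cycle, is_e):
    return any(is_e(lbl) for _, lbl, _ in cycle)


def violates_wf(cycle, is_e):
    """wf(e) excludes the lasso only if e is enabled in every cycle state yet never taken."""
    return all(enabled(s, is_e) for s, _, _ in cycle) and not taken(cycle, is_e)


def violates_sf(cycle, is_e):
    """sf(e) excludes the lasso if e is enabled in some cycle state (hence
    infinitely often along the lasso) yet never taken."""
    return any(enabled(s, is_e) for s, _, _ in cycle) and not taken(cycle, is_e)


def hand_over(lbl):
    """Event e: process 1 leaves C and passes the token to process 2 (name chosen here)."""
    return lbl == ("exit", 1, 2)


if __name__ == "__main__":
    full, reduced = explore(), explore(reduce=True)
    print(len(full), "states,", len(reduced), "after symmetry reduction")
    cyc = starvation_cycle(full, 2)
    print("process 2 starves along", [s for s, _, _ in cyc])
    print("excluded by wf(hand_over):", violates_wf(cyc, hand_over))
    print("excluded by sf(hand_over):", violates_sf(cyc, hand_over))
```

The unreduced search visits the 12 states of the slide's state graph and the reduced one the 6 representatives with tok=1, while mutual exclusion holds in both. The starvation lasso keeps process 2 in T while process 1 cycles through N, T and C with tok=1; the hand-over event is enabled only in the C1 state of that cycle, so wf(hand_over) admits the lasso and sf(hand_over) rules it out, which is the practical difference between the two annotations.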

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                   SPIN
                          states     time      memory       states     time      memory
Migratory Protocol (2)    155040     10863s    563 MB       435456     234s      428 MB
Stable Marriage (2)       710        084s      73 MB        568        <001s     15 MB
Stable Marriage (3)       1275       272s      104 MB       945        <001s     15 MB
Stable Marriage (5)       10351      3156s     300 MB       8421       003s      21 MB
Best (7)                  15         006s      07 MB        2187       003s      15 MB
Best (20)                 41         034s      57 MB        NA1
Worst (3)                 15         004s      03 MB        15         <001s     15 MB
Worst (20)                2097150    036s      50 MB        2097150    1503s     1106 MB
Worst (100)               254E+30    1434s     146 MB       NA1

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO                    NuSMV                             SPIN
                          states     time      memory       states     time      memory
2                         70         011s      11 MB        70         <001s     15 MB
3                         488        057s      46 MB        488        <001s     15 MB
4                         3576       677s      106 MB       3576       010s      23 MB
8                         NA1                               NA1

PO                        NuSMV-ImProviso                   SPIN
                          states     time      memory       states     time      memory
2                         48         010s      10 MB        48         002s      15 MB
3                         209        031s      30 MB        209        <001s     15 MB
4                         922        177s      104 MB       922        <001s     17 MB
8                         306903     355386s   3818 MB      306903     1182s     2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

                                                                                                      Comparison PAT SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDDs for some systems.



Model Written in SPIN

mtype = { N, T, C };   /* added: user states (non-critical, trying, critical); the slide leaves them undeclared */
byte tok = 1;

active [2] proctype user()
{
  byte state = N;
  do
  :: (state == N) -> state = T
  :: (state == T) && (tok == _pid + 1) -> state = C   /* _pid is 0 or 1 in SPIN; +1 matches the token values 1 and 2 used in the state graph */
  :: (state == C) -> state = N;
     if
     :: tok = 1
     :: tok = 2
     fi
  od
}

Symmetry Reduction Example

[Figure: state graph of the two-user token model (left) and its symmetry-reduced state graph (right); each node is labelled with the state of user 1, the state of user 2 and the token holder.]

State graph (12 states):
  N1 N2 tok=1    N1 N2 tok=2
  N1 T2 tok=1    T1 N2 tok=2
  T1 N2 tok=1    N1 T2 tok=2
  T1 T2 tok=1    T1 T2 tok=2
  C1 N2 tok=1    N1 C2 tok=2
  C1 T2 tok=1    T1 C2 tok=2

Reduced state graph (6 states, one representative per symmetric pair):
  N1 N2 tok=1
  N1 T2 tok=1
  T1 N2 tok=1
  T1 T2 tok=1
  C1 N2 tok=1
  C1 T2 tok=1

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras
• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL
• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker
• Features
  – Handle fairness with Partial Order Reduction
  – Bounded Model Checking of Process Algebra

PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.
• A weakly fair event is written as wf(e).
• A strongly fair event is written as sf(e).
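The token-passing model on the "Model Written in SPIN" slide, the symmetry reduction of its state graph and the wf(e)/sf(e) constraints above can all be exercised with a few lines of explicit-state exploration. The following Python is an added example, not code from the slides, SPIN or PAT: it re-encodes the Promela model by hand as a successor function (the event names p1.try, p1.enter, p2.exit1 and so on are this example's own labels), explores the state space with and without symmetry reduction, and checks mutual exclusion, deadlock freedom and non-starvation of user 1 under a chosen set of weak and strong fairness constraints using the usual SCC-based fair-cycle test.

```python
"""Explicit-state exploration of the two-user token model with symmetry reduction
and an SCC-based fair-cycle check. Added example, written by hand from the
Promela on the slide; the event names (p1.enter, p2.exit1, ...) are its own."""

N, T, C = "N", "T", "C"  # user states: non-critical, trying, critical

def successors(state):
    """Enabled (event, next_state) pairs for state = (user1, user2, tok);
    one case per guarded alternative of the Promela do-loop."""
    out = []
    for i in (0, 1):  # user index; the token takes the values 1 and 2
        st, tok = list(state[:2]), state[2]
        if st[i] == N:
            st[i] = T
            out.append((f"p{i+1}.try", (st[0], st[1], tok)))
        elif st[i] == T and tok == i + 1:
            st[i] = C
            out.append((f"p{i+1}.enter", (st[0], st[1], tok)))
        elif st[i] == C:  # leave and hand the token on: if :: tok = 1 :: tok = 2 fi
            st[i] = N
            for new in (1, 2):
                out.append((f"p{i+1}.exit{new}", (st[0], st[1], new)))
    return out

def swap(state):
    """The model's symmetry: exchange the two users and rename the token."""
    return (state[1], state[0], 3 - state[2])

def canonical(state):
    """Orbit representative: of {state, swap(state)} keep the one with tok = 1."""
    return state if state[2] == 1 else swap(state)

def explore(init, canon=lambda s: s):
    """Reachable graph {state: [(event, successor)]}; canon=canonical replaces
    every successor by its representative, i.e. symmetry reduction."""
    init = canon(init)
    seen, stack, edges = {init}, [init], {}
    while stack:
        s = stack.pop()
        edges[s] = [(e, canon(t)) for e, t in successors(s)]
        for _, t in edges[s]:
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return edges

def reach(s, states, edges):
    """States reachable from s by one or more edges without leaving `states`."""
    seen, stack = set(), [s]
    while stack:
        for _, v in edges[stack.pop()]:
            if v in states and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def cyclic_sccs(states, edges):
    """Strongly connected components of the subgraph `states` that contain a cycle."""
    done, out = set(), []
    for s in states:
        if s in done:
            continue
        fwd = reach(s, states, edges)
        comp = {s} | {t for t in fwd if s in reach(t, states, edges)}
        done |= comp
        if s in fwd:  # s reaches itself, so the component holds a cycle
            out.append(comp)
    return out

def fair_cycle(states, edges, weak, strong):
    """An SCC in `states` holding a cycle that is fair for every wf(e) in `weak`
    (e taken, or disabled somewhere on it) and every sf(e) in `strong` (e taken,
    or never enabled on it); None when no such cycle exists."""
    for scc in cyclic_sccs(states, edges):
        taken = {e for s in scc for e, t in edges[s] if t in scc}
        enabled = {s: {e for e, _ in edges[s]} for s in scc}
        if any(e not in taken and all(e in enabled[s] for s in scc) for e in weak):
            continue  # continuously enabled yet never taken: violates wf(e)
        bad = {s for s in scc for e in strong if e not in taken and e in enabled[s]}
        if bad:  # sf(e) rules out looping through these states without ever taking e
            found = fair_cycle(scc - bad, edges, weak, strong)
            if found:
                return found
            continue
        return scc
    return None

def mutual_exclusion(edges):
    return not any(s[0] == C and s[1] == C for s in edges)

def deadlock_free(edges):
    return all(edges[s] for s in edges)

def starvation_scc(edges, weak=(), strong=()):
    """Fair cycle on which user 1 stays in T forever (a non-starvation
    counterexample under the given constraints); None means the property holds."""
    return fair_cycle({s for s in edges if s[0] == T}, edges, set(weak), set(strong))

if __name__ == "__main__":
    full, reduced = explore((N, N, 1)), explore((N, N, 1), canonical)
    print(len(full), "states,", len(reduced), "after symmetry reduction;",
          "mutex:", mutual_exclusion(full), "deadlock-free:", deadlock_free(full))
    for w, s in [((), ()), ((), ("p1.enter",)), (("p2.exit1",), ()), ((), ("p2.exit1",))]:
        print(f"wf={w} sf={s}: non-starvation", "FALSE" if starvation_scc(full, w, s) else "TRUE")
```

Running it reproduces the two slides: 12 reachable states, 6 after canonicalising each state to the member of its orbit that holds tok=1, and mutual exclusion holds. Non-starvation of user 1 is FALSE without fairness, because user 2 can loop forever choosing tok = 2; neither wf(p1.enter) nor sf(p1.enter) removes that counterexample, since p1.enter is never enabled on the cycle, and wf(p2.exit1) does not remove it either, since the hand-off is enabled only in one of the cycle's states. Only sf(p2.exit1), strong fairness on the token hand-off itself, makes the property TRUE, which is the difference between weak and strong fairness that the slide's notation is there to express.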

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                    SPIN
                          states      time      memory       states     time      memory
Migratory Protocol (2)    155040      108.63s   56.3 MB      435456     2.34s     42.8 MB
Stable Marriage (2)       710         0.84s     7.3 MB       568        <0.01s    1.5 MB
Stable Marriage (3)       1275        2.72s     10.4 MB      945        <0.01s    1.5 MB
Stable Marriage (5)       10351       31.56s    30.0 MB      8421       0.03s     2.1 MB
Best (7)                  15          0.06s     0.7 MB       2187       0.03s     1.5 MB
Best (20)                 41          0.34s     5.7 MB       NA¹
Worst (3)                 15          0.04s     0.3 MB       15         <0.01s    1.5 MB
Worst (20)                2097150     0.36s     5.0 MB       2097150    15.03s    110.6 MB
Worst (100)               2.54E+30    14.34s    14.6 MB      NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Non-PO       NuSMV                              SPIN
             states    time        memory       states    time      memory
2            70        0.11s       1.1 MB       70        <0.01s    1.5 MB
3            488       0.57s       4.6 MB       488       <0.01s    1.5 MB
4            3576      6.77s       10.6 MB      3576      0.10s     2.3 MB
8            NA¹                                NA¹

PO           NuSMV-ImProviso                    SPIN
             states    time        memory       states    time      memory
2            48        0.10s       1.0 MB       48        0.02s     1.5 MB
3            209       0.31s       3.0 MB       209       <0.01s    1.5 MB
4            922       1.77s       10.4 MB      922       <0.01s    1.7 MB
8            306903    3553.86s    381.8 MB     306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces; the partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

                                                                                                        • Model Checking and Related Techniques
                                                                                                        • Outline
                                                                                                        • Model Checking Introduction
                                                                                                        • Model Checking
                                                                                                        • Model of Concurrent Systems
                                                                                                        • Model of Concurrent Systems (Cont)
                                                                                                        • Temporal logics
                                                                                                        • Temporal logics (2)
                                                                                                        • CTL Examples
                                                                                                        • Fixpoint Algorithms
                                                                                                        • Model Checking Problem
                                                                                                        • Symbolic Model Checking
                                                                                                        • Symbolic Model Checking with BDDs
                                                                                                        • Ordered Binary Decision Trees and Diagrams
                                                                                                        • OBDD for Comparator Example
                                                                                                        • Variable Ordering Problem
                                                                                                        • Symbolic Model Checking Algorithm
                                                                                                        • Symbolic Model Checking (cont)
                                                                                                        • Symbolic Model Checking (cont) (2)
                                                                                                        • Problems with BDDs
                                                                                                        • Advantages of SAT Procedures
                                                                                                        • Bounded Model Checking
                                                                                                        • Main Advantages of SAT Approach
                                                                                                        • NuSMV A New Symbolic Model Verifier
                                                                                                        • NuSMV language by examples
                                                                                                        • Explicit Model Checking
                                                                                                        • Buumlchi Automata
                                                                                                        • Example
                                                                                                        • LTL and Buumlchi Automata
                                                                                                        • LTL Model Checking
                                                                                                        • Nested Depth First Search
                                                                                                        • Example (2)
                                                                                                        • Example (3)
                                                                                                        • Nested Depth First Search (2)
                                                                                                        • Nested Depth First Search (3)
                                                                                                        • Explicit Model Checking (2)
                                                                                                        • SPIN
                                                                                                        • SPIN Example of Petersonrsquos Algorithm
                                                                                                        • Outline (2)
                                                                                                        • Partial Order Reduction
                                                                                                        • The State Explosion Problem
                                                                                                        • Partial Order Reduction (2)
                                                                                                        • Partial Order Reduction (Cont)
                                                                                                        • Partial Order Reduction (Cont) (2)
                                                                                                        • Compositional Reasoning
                                                                                                        • Abstraction
                                                                                                        • Cone of Influence Reduction
                                                                                                        • Cone of Influence Reduction (2)
                                                                                                        • Data Abstraction
                                                                                                        • Data Abstraction Example
                                                                                                        • Symmetry
                                                                                                        • Model Written in SPIN
                                                                                                        • Symmetry Reduction Example
                                                                                                        • Outline (3)
                                                                                                        • PAT Process Analysis Toolkit
                                                                                                        • PAT Workflow Diagram
                                                                                                        • Fairness Assumptions
                                                                                                        • Specifying Fairness
                                                                                                        • Outline (4)
                                                                                                        • Comparison NuSMV-ImProviso and SPIN
                                                                                                        • Comparison Leader Election Protocol
                                                                                                        • Comparison PAT SPIN and FDR
                                                                                                        • Comparison Conclusion
                                                                                                        • Outline (5)
                                                                                                        • Conclusion
                                                                                                        • Model Checking Distributed Algorithms
                                                                                                        • Model Checking Distributed Algorithms (2)

                                                                                                          Symmetry Reduction Example

                                                                                                          N1 N2

                                                                                                          tok=1N1 N2

                                                                                                          tok=2

                                                                                                          N1 T2

                                                                                                          tok=1T1 N2

                                                                                                          tok=2T1 N2

                                                                                                          tok=1N1 T2

                                                                                                          tok=2

                                                                                                          T1 T2

                                                                                                          tok=1T1 T2

                                                                                                          tok=2C1 N2

                                                                                                          tok=1N1 C2

                                                                                                          tok=2

                                                                                                          C1 T2

                                                                                                          tok=1T1 C2

                                                                                                          tok=2

                                                                                                          N1 N2

                                                                                                          tok=1

                                                                                                          N1 T2

                                                                                                          tok=1T1 N2

                                                                                                          tok=1

                                                                                                          T1 T2

                                                                                                          tok=1C1 N2

                                                                                                          tok=1

                                                                                                          C1 T2

                                                                                                          tok=1

                                                                                                          State-graphReduced state-graph

                                                                                                          Outline

                                                                                                          bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                                          bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                                          bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                                          PAT Process Analysis Toolkit

                                                                                                          bull A interactive system to support composing simulating and reasoning of extended Process Algebra

                                                                                                          bull Modelingndash Extended CSP (Communicating Sequential Processes)ndash LTL

                                                                                                          bull Model Checkersndash Explicit Model Checkerndash Bounded Model Checker

                                                                                                          bull Featuresndash Handle Fairness with Partial Order Reductionndash Bounded Model Checking Process Algebra

                                                                                                          PAT Workflow Diagram

                                                                                                          Fairness Assumptions

                                                                                                          bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                                          bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                                          Specifying Fairness

                                                                                                          bull Let e be an eventaction

                                                                                                          bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                                                                                                          Outline

                                                                                                          bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                                          bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                                          bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

Comparison: NuSMV-ImProviso and SPIN

Example                | NuSMV-ImProviso                | SPIN
                       | states   | time    | memory    | states   | time    | memory
Migratory Protocol (2) | 155040   | 10863s  | 563 MB    | 435456   | 234s    | 428 MB
Stable Marriage (2)    | 710      | 084s    | 73 MB     | 568      | <001s   | 15 MB
Stable Marriage (3)    | 1275     | 272s    | 104 MB    | 945      | <001s   | 15 MB
Stable Marriage (5)    | 10351    | 3156s   | 300 MB    | 8421     | 003s    | 21 MB
Best (7)               | 15       | 006s    | 07 MB     | 2187     | 003s    | 15 MB
Best (20)              | 41       | 034s    | 57 MB     | NA¹
Worst (3)              | 15       | 004s    | 03 MB     | 15       | <001s   | 15 MB
Worst (20)             | 2097150  | 036s    | 50 MB     | 2097150  | 1503s   | 1106 MB
Worst (100)            | 254E+30  | 1434s   | 146 MB    | NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best/Worst

Comparison: Leader Election Protocol

Non-PO (no partial order reduction):

Size | NuSMV                          | SPIN
     | states   | time    | memory    | states   | time    | memory
2    | 70       | 011s    | 11 MB     | 70       | <001s   | 15 MB
3    | 488      | 057s    | 46 MB     | 488      | <001s   | 15 MB
4    | 3576     | 677s    | 106 MB    | 3576     | 010s    | 23 MB
8    | NA¹                            | NA¹

PO (with partial order reduction):

Size | NuSMV-ImProviso                | SPIN
     | states   | time    | memory    | states   | time    | memory
2    | 48       | 010s    | 10 MB     | 48       | 002s    | 15 MB
3    | 209      | 031s    | 30 MB     | 209      | <001s   | 15 MB
4    | 922      | 177s    | 104 MB    | 922      | <001s   | 17 MB
8    | 306903   | 355386s | 3818 MB   | 306903   | 1182s   | 2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking. BMC can also outperform BDD-based checking for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                                                            • Partial Order Reduction (Cont) (2)
                                                                                                            • Compositional Reasoning
                                                                                                            • Abstraction
                                                                                                            • Cone of Influence Reduction
                                                                                                            • Cone of Influence Reduction (2)
                                                                                                            • Data Abstraction
                                                                                                            • Data Abstraction Example
                                                                                                            • Symmetry
                                                                                                            • Model Written in SPIN
                                                                                                            • Symmetry Reduction Example
                                                                                                            • Outline (3)
                                                                                                            • PAT Process Analysis Toolkit
                                                                                                            • PAT Workflow Diagram
                                                                                                            • Fairness Assumptions
                                                                                                            • Specifying Fairness
                                                                                                            • Outline (4)
                                                                                                            • Comparison NuSMV-ImProviso and SPIN
                                                                                                            • Comparison Leader Election Protocol
                                                                                                            • Comparison PAT SPIN and FDR
                                                                                                            • Comparison Conclusion
                                                                                                            • Outline (5)
                                                                                                            • Conclusion
                                                                                                            • Model Checking Distributed Algorithms
                                                                                                            • Model Checking Distributed Algorithms (2)

PAT: Process Analysis Toolkit

• An interactive system to support composing, simulating and reasoning about extended process algebras

• Modeling
  – Extended CSP (Communicating Sequential Processes)
  – LTL

• Model Checkers
  – Explicit Model Checker
  – Bounded Model Checker

• Features
  – Handles fairness together with partial order reduction
  – Bounded model checking of process algebra

                                                                                                              PAT Workflow Diagram

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen

• Example results for the slide's model:
  – deadlock-freeness: FALSE
  – non-starvation: FALSE

Specifying Fairness

• Let e be an event (action)

• A weak fair event is written as wf(e)
  – if e is continuously enabled from some point on, it is engaged infinitely often

• A strong fair event is written as sf(e)
  – if e is enabled infinitely often, it is engaged infinitely often
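The difference between wf(e) and sf(e) is easiest to see on a liveness check. The following is an added example, not code from the slides or from PAT: it decides "eventually e" on a small labelled transition system under no fairness, under weak fairness on e, and under strong fairness on e. The three models and the state and event names are constructed for illustration, and fairness is assumed only on the single event being checked (other events are unconstrained). A counterexample is reported as the loop of a fair lasso that never takes e.

```python
# Added example (not from the slides): checking LTL "F e" on a small
# labelled transition system under no fairness, wf(e) and sf(e).
# The models, state names and event names below are constructed.
from collections import deque

# A model maps each state to its outgoing (event, next_state) transitions.
# Model A: e is continuously enabled in s0, but the b self-loop can starve it.
MODEL_A = {"s0": [("b", "s0"), ("e", "s1")], "s1": [("c", "s1")]}
# Model B: e is enabled only in s0; the a/b loop passes through s1 where e is
# disabled, so e is enabled infinitely often but never continuously.
MODEL_B = {"s0": [("a", "s1"), ("e", "s2")], "s1": [("b", "s0")], "s2": [("c", "s2")]}
# Model C: after the a-step, e is never enabled again.
MODEL_C = {"s0": [("a", "s1"), ("e", "s2")], "s1": [("b", "s1")]}


def _cycle_through(start, succ, allowed):
    """BFS inside `allowed` for a path start -> ... -> start.  Returns the
    cycle as a state list (start repeated at the end) or None."""
    parent = {}
    queue = deque()
    for t in succ.get(start, []):
        if t in allowed and t not in parent:
            parent[t] = start
            queue.append(t)
    while queue:
        u = queue.popleft()
        if u == start:
            path = [start]
            v = parent[start]
            while v != start:
                path.append(v)
                v = parent[v]
            path.append(start)
            path.reverse()
            return path
        for t in succ.get(u, []):
            if t in allowed and t not in parent:
                parent[t] = u
                queue.append(t)
    return None


def check_eventually(model, init, event, fairness=None):
    """Decide 'F event' from `init` under fairness None, 'wf' or 'sf' on `event`.

    Returns None when the property holds; otherwise a cycle of states that is
    reachable from `init` without taking `event` and forms the loop of a fair
    infinite run on which `event` never happens."""
    def enabled(s):
        return any(ev == event for ev, _ in model.get(s, []))

    # A run that takes `event` satisfies F event, so every counterexample
    # lives in the graph with the `event` transitions removed.
    succ = {s: [t for ev, t in trans if ev != event] for s, trans in model.items()}
    reach, stack = {init}, [init]
    while stack:
        u = stack.pop()
        for t in succ.get(u, []):
            if t not in reach:
                reach.add(t)
                stack.append(t)

    if fairness is None:
        allowed, starts = reach, reach          # any loop avoiding `event` will do
    elif fairness == "wf":
        # wf: a run keeping `event` continuously enabled must engage it, so the
        # loop must contain at least one state where `event` is disabled.
        allowed = reach
        starts = {s for s in reach if not enabled(s)}
    elif fairness == "sf":
        # sf: enabled infinitely often implies engaged, so no state on the
        # loop may enable `event` at all.
        allowed = {s for s in reach if not enabled(s)}
        starts = allowed
    else:
        raise ValueError("fairness must be None, 'wf' or 'sf'")

    for s in sorted(starts):
        cycle = _cycle_through(s, succ, allowed)
        if cycle is not None:
            return cycle
    return None


if __name__ == "__main__":
    for name, model in (("A", MODEL_A), ("B", MODEL_B), ("C", MODEL_C)):
        for fair in (None, "wf", "sf"):
            cex = check_eventually(model, "s0", "e", fair)
            verdict = "holds" if cex is None else f"fails, fair loop {cex}"
            print(f"model {name}, fairness {fair!s:>4}: F e {verdict}")
```

Model A fails only without fairness, Model B fails without fairness and under wf(e) but holds under sf(e), and Model C fails under all three, which is exactly the ordering of strength the two annotations express: every sf-fair run is wf-fair, so a property that holds under wf(e) also holds under sf(e), never the reverse.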

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                        NuSMV-ImProviso                    SPIN
                        states     time       memory       states     time      memory
Migratory Protocol (2)  155040     108.63s    56.3 MB      435456     2.34s     42.8 MB
Stable Marriage (2)     710        0.84s      7.3 MB       568        <0.01s    1.5 MB
Stable Marriage (3)     1275       2.72s      10.4 MB      945        <0.01s    1.5 MB
Stable Marriage (5)     10351      31.56s     30.0 MB      8421       0.03s     2.1 MB
Best (7)                15         0.06s      0.7 MB       2187       0.03s     1.5 MB
Best (20)               41         0.34s      5.7 MB       NA¹
Worst (3)               15         0.04s      0.3 MB       15         <0.01s    1.5 MB
Worst (20)              2097150    0.36s      5.0 MB       2097150    15.03s    110.6 MB
Worst (100)             2.54E+30   14.34s     14.6 MB      NA¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

      NuSMV                              SPIN
n     states    time       memory        states    time      memory
2     70        0.11s      1.1 MB        70        <0.01s    1.5 MB
3     488       0.57s      4.6 MB        488       <0.01s    1.5 MB
4     3576      6.77s      10.6 MB       3576      0.10s     2.3 MB
8     NA¹                                NA¹

PO (with partial order reduction)

      NuSMV-ImProviso                    SPIN
n     states    time       memory        states    time      memory
2     48        0.10s      1.0 MB        48        0.02s     1.5 MB
3     209       0.31s      3.0 MB        209       <0.01s    1.5 MB
4     922       1.77s      10.4 MB       922       <0.01s    1.7 MB
8     306903    3553.86s   381.8 MB      306903    11.82s    232.8 MB

• Models of the same size in SMV and Promela
• Same reduction (identical reduced state counts in both tools)
• SPIN faster until…

                                                                                                              Comparison PAT SPIN and FDR

Comparison Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful

• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms (2)

• Most suitable MC technique: explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                                                              • Model Checking and Related Techniques
                                                                                                              • Outline
                                                                                                              • Model Checking Introduction
                                                                                                              • Model Checking
                                                                                                              • Model of Concurrent Systems
                                                                                                              • Model of Concurrent Systems (Cont)
                                                                                                              • Temporal logics
                                                                                                              • Temporal logics (2)
                                                                                                              • CTL Examples
                                                                                                              • Fixpoint Algorithms
                                                                                                              • Model Checking Problem
                                                                                                              • Symbolic Model Checking
                                                                                                              • Symbolic Model Checking with BDDs
                                                                                                              • Ordered Binary Decision Trees and Diagrams
                                                                                                              • OBDD for Comparator Example
                                                                                                              • Variable Ordering Problem
                                                                                                              • Symbolic Model Checking Algorithm
                                                                                                              • Symbolic Model Checking (cont)
                                                                                                              • Symbolic Model Checking (cont) (2)
                                                                                                              • Problems with BDDs
                                                                                                              • Advantages of SAT Procedures
                                                                                                              • Bounded Model Checking
                                                                                                              • Main Advantages of SAT Approach
                                                                                                              • NuSMV A New Symbolic Model Verifier
                                                                                                              • NuSMV language by examples
                                                                                                              • Explicit Model Checking
                                                                                                              • Buumlchi Automata
                                                                                                              • Example
                                                                                                              • LTL and Buumlchi Automata
                                                                                                              • LTL Model Checking
                                                                                                              • Nested Depth First Search
                                                                                                              • Example (2)
                                                                                                              • Example (3)
                                                                                                              • Nested Depth First Search (2)
                                                                                                              • Nested Depth First Search (3)
                                                                                                              • Explicit Model Checking (2)
                                                                                                              • SPIN
                                                                                                              • SPIN Example of Petersonrsquos Algorithm
                                                                                                              • Outline (2)
                                                                                                              • Partial Order Reduction
                                                                                                              • The State Explosion Problem
                                                                                                              • Partial Order Reduction (2)
                                                                                                              • Partial Order Reduction (Cont)
                                                                                                              • Partial Order Reduction (Cont) (2)
                                                                                                              • Compositional Reasoning
                                                                                                              • Abstraction
                                                                                                              • Cone of Influence Reduction
                                                                                                              • Cone of Influence Reduction (2)
                                                                                                              • Data Abstraction
                                                                                                              • Data Abstraction Example
                                                                                                              • Symmetry
                                                                                                              • Model Written in SPIN
                                                                                                              • Symmetry Reduction Example
                                                                                                              • Outline (3)
                                                                                                              • PAT Process Analysis Toolkit
                                                                                                              • PAT Workflow Diagram
                                                                                                              • Fairness Assumptions
                                                                                                              • Specifying Fairness
                                                                                                              • Outline (4)
                                                                                                              • Comparison NuSMV-ImProviso and SPIN
                                                                                                              • Comparison Leader Election Protocol
                                                                                                              • Comparison PAT SPIN and FDR
                                                                                                              • Comparison Conclusion
                                                                                                              • Outline (5)
                                                                                                              • Conclusion
                                                                                                              • Model Checking Distributed Algorithms
                                                                                                              • Model Checking Distributed Algorithms (2)

                                                                                                                PAT Workflow Diagram

                                                                                                                Fairness Assumptions

                                                                                                                bull Fairness properties state that if something is possible sufficiently often then it must eventually happen

                                                                                                                bull deadlock-freeness FALSEbull non-starvation FALSE

                                                                                                                Specifying Fairness

                                                                                                                bull Let e be an eventaction

                                                                                                                bull A weak fair event is written as wf(e)bull A strong fair event is written as sf(e)

                                                                                                                Outline

                                                                                                                bull Model Checking Techniquesndash Introduction to MCndash Symbolic Model Checkingndash Bounded Model Checkingndash Explicit Model Checking

                                                                                                                bull Tackle the State Space Explosionndash Partial Order Reductionndash Compositional Reasoningndash Abstractionndash Symmetry

                                                                                                                bull PAT Process Analysis Toolkitbull Performance Comparisonbull Conclusion

                                                                                                                Comparison NuSMV-ImProviso and SPIN

                                                                                                                states time memory states time memory

                                                                                                                Migratory Protocol (2) 155040 10863s 563 MB 435456 234s 428 MBStable Marriage (2) 710 084s 73 MB 568 lt001s 15 MBStable Marriage (3) 1275 272s 104 MB 945 lt001s 15 MBStable Marriage (5) 10351 3156s 300 MB 8421 003s 21 MBBest (7) 15 006s 07 MB 2187 003s 15 MB

                                                                                                                Best (20) 41 034s 57 MBWorst (3) 15 004s 03 MB 15 lt001s 15 MB

                                                                                                                Worst (20) 2097150 036s 50 MB 2097150 1503s 1106 MB

                                                                                                                Worst (100) 254E+30 1434s 146 MB

                                                                                                                NuSMV-ImProviso SPIN

                                                                                                                NA1

                                                                                                                NA1

                                                                                                                bull SPIN faster if it can handle examplebull NuSMV-ImProviso can handle more examplesbull NuSMV-ImProviso matches SPIN on Best Worst

                                                                                                                Comparison Leader Election Protocol

                                                                                                                states time memory states time memory

                                                                                                                2 70 011s 11 MB 70 lt001s 15 MB3 488 057s 46 MB 488 lt001s 15 MB4 3576 677s 106 MB 3576 010s 23 MB

                                                                                                                8

                                                                                                                states time memory states time memory

                                                                                                                2 48 010s 10 MB 48 002s 15 MB3 209 031s 30 MB 209 lt001s 15 MB4 922 177s 104 MB 922 lt001s 17 MB8 306903 355386s 3818 MB 306903 1182s 2328 MB

                                                                                                                SPIN

                                                                                                                NA1

                                                                                                                Non-PO

                                                                                                                PONuSMV-ImProviso

                                                                                                                NuSMV

                                                                                                                NA1

                                                                                                                SPIN

                                                                                                                bull Models of same size in SMV and Promelabull Same reductionbull SPIN faster untilhellip

                                                                                                                Comparison PAT SPIN and FDR

                                                                                                                Comparison Conclusion

                                                                                                                bull Generally Spin is faster tha NuSMV and can scale up to larger states The partial order reduction in Spin is very helpful

                                                                                                                bull Generally explicit model checking and BMC complements BDD-based model checking BMC can also outperform BDD for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry

                                                                                                                • Model Checking and Related Techniques
                                                                                                                • Outline
                                                                                                                • Model Checking Introduction
                                                                                                                • Model Checking
                                                                                                                • Model of Concurrent Systems
                                                                                                                • Model of Concurrent Systems (Cont)
                                                                                                                • Temporal logics
                                                                                                                • Temporal logics (2)
                                                                                                                • CTL Examples
                                                                                                                • Fixpoint Algorithms
                                                                                                                • Model Checking Problem
                                                                                                                • Symbolic Model Checking
                                                                                                                • Symbolic Model Checking with BDDs
                                                                                                                • Ordered Binary Decision Trees and Diagrams
                                                                                                                • OBDD for Comparator Example
                                                                                                                • Variable Ordering Problem
                                                                                                                • Symbolic Model Checking Algorithm
                                                                                                                • Symbolic Model Checking (cont)
                                                                                                                • Symbolic Model Checking (cont) (2)
                                                                                                                • Problems with BDDs
                                                                                                                • Advantages of SAT Procedures
                                                                                                                • Bounded Model Checking
                                                                                                                • Main Advantages of SAT Approach
                                                                                                                • NuSMV A New Symbolic Model Verifier
                                                                                                                • NuSMV language by examples
                                                                                                                • Explicit Model Checking
• Büchi Automata
                                                                                                                • Example
• LTL and Büchi Automata
                                                                                                                • LTL Model Checking
                                                                                                                • Nested Depth First Search
                                                                                                                • Example (2)
                                                                                                                • Example (3)
                                                                                                                • Nested Depth First Search (2)
                                                                                                                • Nested Depth First Search (3)
                                                                                                                • Explicit Model Checking (2)
                                                                                                                • SPIN
• SPIN Example of Peterson's Algorithm
                                                                                                                • Outline (2)
                                                                                                                • Partial Order Reduction
                                                                                                                • The State Explosion Problem
                                                                                                                • Partial Order Reduction (2)
                                                                                                                • Partial Order Reduction (Cont)
                                                                                                                • Partial Order Reduction (Cont) (2)
                                                                                                                • Compositional Reasoning
                                                                                                                • Abstraction
                                                                                                                • Cone of Influence Reduction
                                                                                                                • Cone of Influence Reduction (2)
                                                                                                                • Data Abstraction
                                                                                                                • Data Abstraction Example
                                                                                                                • Symmetry
                                                                                                                • Model Written in SPIN
                                                                                                                • Symmetry Reduction Example
                                                                                                                • Outline (3)
                                                                                                                • PAT Process Analysis Toolkit
                                                                                                                • PAT Workflow Diagram
                                                                                                                • Fairness Assumptions
                                                                                                                • Specifying Fairness
                                                                                                                • Outline (4)
                                                                                                                • Comparison NuSMV-ImProviso and SPIN
                                                                                                                • Comparison Leader Election Protocol
                                                                                                                • Comparison PAT SPIN and FDR
                                                                                                                • Comparison Conclusion
                                                                                                                • Outline (5)
                                                                                                                • Conclusion
                                                                                                                • Model Checking Distributed Algorithms
                                                                                                                • Model Checking Distributed Algorithms (2)

Fairness Assumptions

• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.

• deadlock-freeness: FALSE
• non-starvation: FALSE

Specifying Fairness

• Let e be an event/action.

• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).
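As an added example (not from the slides, and not PAT's own algorithm), the wf(e)/sf(e) distinction worked through on a constructed two-process mutual-exclusion model: non-starvation of process B fails with no fairness assumption, still fails when B's events are only weakly fair (B.enter is disabled whenever A holds the critical section, so a run that starves B is weakly fair), and holds once B.enter is strongly fair. The state names, event names and the SCC-based fair-cycle check are all my own construction.

```python
# Added example (not from the slides): checking a liveness property under
# wf(e) / sf(e) on an explicit state graph. Constructed model: processes A and
# B share one critical section; property: "B eventually enters its critical
# section" (non-starvation of B).

INIT = ("idle", "idle")  # (program counter of A, program counter of B)

def step(pc, other):
    """Local moves of one process: idle -> want -> cs -> idle. Entering the
    critical section is allowed only while the other process is outside it."""
    if pc == "idle":
        return [("request", "want")]
    if pc == "want" and other != "cs":
        return [("enter", "cs")]
    if pc == "cs":
        return [("leave", "idle")]
    return []                        # waiting: no local move enabled

def transitions(state):
    """Enabled (event, successor) pairs of the toy model at `state`."""
    a, b = state
    return ([("A." + ev, (pc, b)) for ev, pc in step(a, b)]
            + [("B." + ev, (a, pc)) for ev, pc in step(b, a)])

def enabled(event, state):
    return any(e == event for e, _ in transitions(state))

def reach(src, allowed=None):
    """States reachable from src moving only through `allowed` (None = any)."""
    seen, stack = {src}, [src]
    while stack:
        for _, t in transitions(stack.pop()):
            if (allowed is None or t in allowed) and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def sccs(nodes):
    """SCCs of the subgraph induced by `nodes` (quadratic, fine for a toy)."""
    remaining, comps = set(nodes), []
    while remaining:
        s = next(iter(remaining))
        comp = {t for t in reach(s, remaining) if s in reach(t, remaining)}
        comps.append(comp)
        remaining -= comp
    return comps

def fair_cycle(nodes, weak, strong):
    """An SCC inside `nodes` holding a cycle that satisfies every wf(e) in
    `weak` and sf(e) in `strong`, or None if no such cycle exists."""
    for comp in sccs(nodes):
        taken = {e for s in comp for e, t in transitions(s) if t in comp}
        if not taken:                    # lone state, no self-loop: no cycle
            continue
        # wf(e): a cycle keeping e enabled at every state must take e
        if any(e not in taken and all(enabled(e, s) for s in comp) for e in weak):
            continue
        # sf(e): a cycle enabling e at some state must take e; cycles avoiding
        # those states may still be fair, so shrink the SCC and look again
        pending = [e for e in strong
                   if e not in taken and any(enabled(e, s) for s in comp)]
        if not pending:
            return comp
        shrunk = {s for s in comp if not any(enabled(e, s) for e in pending)}
        found = fair_cycle(shrunk, weak, strong)
        if found:
            return found
    return None

def eventually(init, goal, weak=(), strong=()):
    """True iff every fair run from init reaches a goal state. A counterexample
    is a fair cycle of non-goal states reached through non-goal states only."""
    if goal(init):
        return True
    bad = reach(init, {s for s in reach(init) if not goal(s)})
    return fair_cycle(bad, set(weak), set(strong)) is None

def deadlock_free(init):
    """True iff every reachable state has at least one enabled event."""
    return all(transitions(s) for s in reach(init))

def b_in_cs(state):
    return state[1] == "cs"

def scenarios():
    """Non-starvation of B under increasingly strong fairness assumptions."""
    return {
        "no fairness": eventually(INIT, b_in_cs),
        "wf(B.request), wf(B.enter)": eventually(
            INIT, b_in_cs, weak=["B.request", "B.enter"]),
        "wf(B.request), sf(B.enter)": eventually(
            INIT, b_in_cs, weak=["B.request"], strong=["B.enter"]),
    }

if __name__ == "__main__":
    print("deadlock-freeness:", deadlock_free(INIT))
    for name, ok in scenarios().items():
        print(f"non-starvation(B) under {name}: {ok}")
```

The starving run is A looping request/enter/leave while B sits in "want"; B.enter is disabled at (cs, want), which is exactly why weak fairness does not exclude it and strong fairness does.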

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                  SPIN
                          states    time      memory       states    time      memory
Migratory Protocol (2)    155040    108.63s   56.3 MB      435456    2.34s     42.8 MB
Stable Marriage (2)       710       0.84s     7.3 MB       568       <0.01s    1.5 MB
Stable Marriage (3)       1275      2.72s     10.4 MB      945       <0.01s    1.5 MB
Stable Marriage (5)       10351     31.56s    30.0 MB      8421      0.03s     2.1 MB
Best (7)                  15        0.06s     0.7 MB       2187      0.03s     1.5 MB
Best (20)                 41        0.34s     5.7 MB       NA
Worst (3)                 15        0.04s     0.3 MB       15        <0.01s    1.5 MB
Worst (20)                2097150   0.36s     5.0 MB       2097150   15.03s    110.6 MB
Worst (100)               2.54E+30  14.34s    14.6 MB      NA

NA = not available.

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO                    NuSMV                             SPIN
N                         states    time      memory        states    time      memory
2                         70        0.11s     1.1 MB        70        <0.01s    1.5 MB
3                         488       0.57s     4.6 MB        488       <0.01s    1.5 MB
4                         3576      6.77s     10.6 MB       3576      0.10s     2.3 MB
8                         NA                                NA

PO                        NuSMV-ImProviso                   SPIN
N                         states    time      memory        states    time      memory
2                         48        0.10s     1.0 MB        48        0.02s     1.5 MB
3                         209       0.31s     3.0 MB        209       <0.01s    1.5 MB
4                         922       1.77s     10.4 MB       922       <0.01s    1.7 MB
8                         306903    3553.86s  381.8 MB      306903    11.82s    232.8 MB

NA = not available.

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…


Specifying Fairness

• Let e be an event/action.
• A weak fair event is written as wf(e).
• A strong fair event is written as sf(e).
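
What wf(e) and sf(e) buy you in a checker such as PAT is that lasso-shaped counterexamples whose repeating cycle is unfair for e are discarded, so a liveness property is not refuted by a run in which the scheduler simply never picks a process. The following added example (my own code, not PAT's, and not using PAT's CSP# syntax) reproduces that filter on a constructed two-process mutual-exclusion model: each process goes idle -> trying -> critical -> idle, and the property checked is "process 1 enters its critical section infinitely often". On a cycle, wf(e) is violated when e is enabled at every state of the cycle but never taken on it, and sf(e) when e is enabled at some state of the cycle but never taken. The event names try1, enter1 and the tuple encoding of the fairness constraints are this example's own conventions.

```python
"""Fairness-filtered search for lasso counterexamples to a liveness property.

Added illustration; this is not PAT's code. PAT's wf(e) / sf(e) annotations make
the checker discard counterexample cycles that are unfair for e. The model below
(two processes: idle -> trying -> critical -> idle, at most one in the critical
section) and the property "process 1 enters its critical section infinitely
often" are constructed for this example.
"""

IDLE, TRY, CS = "I", "T", "C"


def successors(state):
    """Enabled (event, next_state) pairs of the constructed two-process model."""
    out = []
    for i in (0, 1):
        other = 1 - i
        nxt = list(state)
        if state[i] == IDLE:
            nxt[i] = TRY
            out.append((f"try{i + 1}", tuple(nxt)))
        elif state[i] == TRY and state[other] != CS:   # mutual exclusion
            nxt[i] = CS
            out.append((f"enter{i + 1}", tuple(nxt)))
        elif state[i] == CS:
            nxt[i] = IDLE
            out.append((f"exit{i + 1}", tuple(nxt)))
    return out


def enabled(state):
    return {ev for ev, _ in successors(state)}


def reachable(init):
    seen, stack = {init}, [init]
    while stack:
        for _, t in successors(stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def simple_cycles(states):
    """Every simple cycle whose states all lie in `states`, as a list of
    (state, event) edges. Rotations of the same cycle are reported once."""
    found = {}

    def dfs(start, cur, path, on_path):
        for ev, nxt in successors(cur):
            if nxt not in states:
                continue
            if nxt == start:
                cyc = path + [(cur, ev)]
                k = min(range(len(cyc)), key=lambda j: cyc[j][0])
                found[tuple(cyc[k:] + cyc[:k])] = cyc[k:] + cyc[:k]
            elif nxt not in on_path:
                dfs(start, nxt, path + [(cur, ev)], on_path | {nxt})

    for s in states:
        dfs(s, s, [], {s})
    return list(found.values())


def is_fair(cycle, fairness):
    """fairness is a set of ('wf', e) / ('sf', e) pairs. On a cycle (the part
    of a lasso that repeats forever):
      wf(e): e enabled at every cycle state => e must occur on the cycle
      sf(e): e enabled at some cycle state  => e must occur on the cycle"""
    taken = {ev for _, ev in cycle}
    for kind, e in fairness:
        if e in taken:
            continue
        en = [e in enabled(s) for s, _ in cycle]
        if (kind == "wf" and all(en)) or (kind == "sf" and any(en)):
            return False
    return True


def fair_counterexamples(init, holds, fairness=frozenset()):
    """Fair lassos violating 'always eventually holds': a reachable cycle on
    which `holds` is false everywhere, kept only if it satisfies `fairness`."""
    bad = {s for s in reachable(init) if not holds(s)}
    return [c for c in simple_cycles(bad) if is_fair(c, fairness)]


def p1_in_cs(state):
    return state[0] == CS


if __name__ == "__main__":
    init = (IDLE, IDLE)
    cases = [
        ("no fairness", set()),
        ("wf(try1), wf(enter1)", {("wf", "try1"), ("wf", "enter1")}),
        ("wf(try1), sf(enter1)", {("wf", "try1"), ("sf", "enter1")}),
    ]
    for name, fa in cases:
        cexs = fair_counterexamples(init, p1_in_cs, fa)
        print(f"{name}: {len(cexs)} fair counterexample cycle(s)")
        for c in cexs:
            print("   ", " -> ".join(f"({s[0]},{s[1]}) --{ev}--" for s, ev in c))
```

Without fairness there are two counterexample cycles: process 1 stays idle forever, and process 1 waits in its trying state forever while process 2 cycles through its critical section. Weak fairness removes only the first (try1 is enabled at every state of that cycle); the starvation cycle survives because enter1 is disabled whenever process 2 is in its critical section, so it is not continuously enabled. Strong fairness on enter1 removes it too, and the liveness property holds. This is the distinction a checker has to implement when fairness is combined with the nested DFS and partial order reduction discussed earlier in the deck.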

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                      SPIN
Model                     states     time       memory         states     time       memory
Migratory Protocol (2)    155040     108.63s    56.3 MB        435456     2.34s      42.8 MB
Stable Marriage (2)       710        0.84s      7.3 MB         568        <0.01s     1.5 MB
Stable Marriage (3)       1275       2.72s      10.4 MB        945        <0.01s     1.5 MB
Stable Marriage (5)       10351      31.56s     30.0 MB        8421       0.03s      2.1 MB
Best (7)                  15         0.06s      0.7 MB         2187       0.03s      1.5 MB
Best (20)                 41         0.34s      5.7 MB         NA¹
Worst (3)                 15         0.04s      0.3 MB         15         <0.01s     1.5 MB
Worst (20)                2097150    0.36s      5.0 MB         2097150    15.03s     110.6 MB
Worst (100)               2.54E+30   14.34s     14.6 MB        NA¹

• SPIN is faster if it can handle the example.
• NuSMV-ImProviso can handle more examples.
• NuSMV-ImProviso matches SPIN on Best/Worst.

Comparison: Leader Election Protocol

Without partial order reduction (Non-PO)

       NuSMV                             SPIN
N      states    time       memory       states    time       memory
2      70        0.11s      1.1 MB       70        <0.01s     1.5 MB
3      488       0.57s      4.6 MB       488       <0.01s     1.5 MB
4      3576      6.77s      10.6 MB      3576      0.10s      2.3 MB
8      NA¹                               NA¹

With partial order reduction (PO)

       NuSMV-ImProviso                   SPIN
N      states    time       memory       states    time       memory
2      48        0.10s      1.0 MB       48        0.02s      1.5 MB
3      209       0.31s      3.0 MB       209       <0.01s     1.5 MB
4      922       1.77s      10.4 MB      922       <0.01s     1.7 MB
8      306903    3553.86s   381.8 MB     306903    11.82s     232.8 MB

• Models of the same size in SMV and Promela.
• Same reduction.
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally, SPIN is faster than NuSMV and scales to larger state spaces. The partial order reduction in SPIN is very helpful.
• Generally, explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems.

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking
• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS '07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, '07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN '07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
• Possible optimization techniques
  – Abstraction
  – Compositional Reasoning
  – Symmetry

                                                                                                                    • Model Checking and Related Techniques
                                                                                                                    • Outline
                                                                                                                    • Model Checking Introduction
                                                                                                                    • Model Checking
                                                                                                                    • Model of Concurrent Systems
                                                                                                                    • Model of Concurrent Systems (Cont)
                                                                                                                    • Temporal logics
                                                                                                                    • Temporal logics (2)
                                                                                                                    • CTL Examples
                                                                                                                    • Fixpoint Algorithms
                                                                                                                    • Model Checking Problem
                                                                                                                    • Symbolic Model Checking
                                                                                                                    • Symbolic Model Checking with BDDs
                                                                                                                    • Ordered Binary Decision Trees and Diagrams
                                                                                                                    • OBDD for Comparator Example
                                                                                                                    • Variable Ordering Problem
                                                                                                                    • Symbolic Model Checking Algorithm
                                                                                                                    • Symbolic Model Checking (cont)
                                                                                                                    • Symbolic Model Checking (cont) (2)
                                                                                                                    • Problems with BDDs
                                                                                                                    • Advantages of SAT Procedures
                                                                                                                    • Bounded Model Checking
                                                                                                                    • Main Advantages of SAT Approach
                                                                                                                    • NuSMV A New Symbolic Model Verifier
                                                                                                                    • NuSMV language by examples
                                                                                                                    • Explicit Model Checking
• Büchi Automata
                                                                                                                    • Example
• LTL and Büchi Automata
                                                                                                                    • LTL Model Checking
                                                                                                                    • Nested Depth First Search
                                                                                                                    • Example (2)
                                                                                                                    • Example (3)
                                                                                                                    • Nested Depth First Search (2)
                                                                                                                    • Nested Depth First Search (3)
                                                                                                                    • Explicit Model Checking (2)
                                                                                                                    • SPIN
• SPIN Example of Peterson's Algorithm
                                                                                                                    • Outline (2)
                                                                                                                    • Partial Order Reduction
                                                                                                                    • The State Explosion Problem
                                                                                                                    • Partial Order Reduction (2)
                                                                                                                    • Partial Order Reduction (Cont)
                                                                                                                    • Partial Order Reduction (Cont) (2)
                                                                                                                    • Compositional Reasoning
                                                                                                                    • Abstraction
                                                                                                                    • Cone of Influence Reduction
                                                                                                                    • Cone of Influence Reduction (2)
                                                                                                                    • Data Abstraction
                                                                                                                    • Data Abstraction Example
                                                                                                                    • Symmetry
                                                                                                                    • Model Written in SPIN
                                                                                                                    • Symmetry Reduction Example
                                                                                                                    • Outline (3)
                                                                                                                    • PAT Process Analysis Toolkit
                                                                                                                    • PAT Workflow Diagram
                                                                                                                    • Fairness Assumptions
                                                                                                                    • Specifying Fairness
                                                                                                                    • Outline (4)
                                                                                                                    • Comparison NuSMV-ImProviso and SPIN
                                                                                                                    • Comparison Leader Election Protocol
                                                                                                                    • Comparison PAT SPIN and FDR
                                                                                                                    • Comparison Conclusion
                                                                                                                    • Outline (5)
                                                                                                                    • Conclusion
                                                                                                                    • Model Checking Distributed Algorithms
                                                                                                                    • Model Checking Distributed Algorithms (2)


                                                                                                                      • Model Checking and Related Techniques
                                                                                                                      • Outline
                                                                                                                      • Model Checking Introduction
                                                                                                                      • Model Checking
                                                                                                                      • Model of Concurrent Systems
                                                                                                                      • Model of Concurrent Systems (Cont)
                                                                                                                      • Temporal logics
                                                                                                                      • Temporal logics (2)
                                                                                                                      • CTL Examples
                                                                                                                      • Fixpoint Algorithms
                                                                                                                      • Model Checking Problem
                                                                                                                      • Symbolic Model Checking
                                                                                                                      • Symbolic Model Checking with BDDs
                                                                                                                      • Ordered Binary Decision Trees and Diagrams
                                                                                                                      • OBDD for Comparator Example
                                                                                                                      • Variable Ordering Problem
                                                                                                                      • Symbolic Model Checking Algorithm
                                                                                                                      • Symbolic Model Checking (cont)
                                                                                                                      • Symbolic Model Checking (cont) (2)
                                                                                                                      • Problems with BDDs
                                                                                                                      • Advantages of SAT Procedures
                                                                                                                      • Bounded Model Checking
                                                                                                                      • Main Advantages of SAT Approach
                                                                                                                      • NuSMV A New Symbolic Model Verifier
                                                                                                                      • NuSMV language by examples
                                                                                                                      • Explicit Model Checking
• Büchi Automata
                                                                                                                      • Example
• LTL and Büchi Automata
                                                                                                                      • LTL Model Checking
                                                                                                                      • Nested Depth First Search
                                                                                                                      • Example (2)
                                                                                                                      • Example (3)
                                                                                                                      • Nested Depth First Search (2)
                                                                                                                      • Nested Depth First Search (3)
                                                                                                                      • Explicit Model Checking (2)
                                                                                                                      • SPIN
• SPIN: Example of Peterson's Algorithm
                                                                                                                      • Outline (2)
                                                                                                                      • Partial Order Reduction
                                                                                                                      • The State Explosion Problem
                                                                                                                      • Partial Order Reduction (2)
                                                                                                                      • Partial Order Reduction (Cont)
                                                                                                                      • Partial Order Reduction (Cont) (2)
                                                                                                                      • Compositional Reasoning
                                                                                                                      • Abstraction
                                                                                                                      • Cone of Influence Reduction
                                                                                                                      • Cone of Influence Reduction (2)
                                                                                                                      • Data Abstraction
                                                                                                                      • Data Abstraction Example
                                                                                                                      • Symmetry
                                                                                                                      • Model Written in SPIN
                                                                                                                      • Symmetry Reduction Example
                                                                                                                      • Outline (3)
                                                                                                                      • PAT Process Analysis Toolkit
                                                                                                                      • PAT Workflow Diagram
                                                                                                                      • Fairness Assumptions
                                                                                                                      • Specifying Fairness
                                                                                                                      • Outline (4)
                                                                                                                      • Comparison NuSMV-ImProviso and SPIN
                                                                                                                      • Comparison Leader Election Protocol
                                                                                                                      • Comparison PAT SPIN and FDR
                                                                                                                      • Comparison Conclusion
                                                                                                                      • Outline (5)
                                                                                                                      • Conclusion
                                                                                                                      • Model Checking Distributed Algorithms
                                                                                                                      • Model Checking Distributed Algorithms (2)

Comparison: NuSMV-ImProviso and SPIN

                          NuSMV-ImProviso                     SPIN
Example                   states     time      memory         states     time      memory
Migratory Protocol (2)    155040     10863s    563 MB         435456     234s      428 MB
Stable Marriage (2)       710        084s      73 MB          568        <001s     15 MB
Stable Marriage (3)       1275       272s      104 MB         945        <001s     15 MB
Stable Marriage (5)       10351      3156s     300 MB         8421       003s      21 MB
Best (7)                  15         006s      07 MB          2187       003s      15 MB
Best (20)                 41         034s      57 MB          N/A¹
Worst (3)                 15         004s      03 MB          15         <001s     15 MB
Worst (20)                2097150    036s      50 MB          2097150    1503s     1106 MB
Worst (100)               254E+30    1434s     146 MB         N/A¹

• SPIN is faster if it can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best and Worst

Comparison: Leader Election Protocol

Non-PO (without partial order reduction)

                NuSMV                              SPIN
                states     time      memory        states     time      memory
2               70         011s      11 MB         70         <001s     15 MB
3               488        057s      46 MB         488        <001s     15 MB
4               3576       677s      106 MB        3576       010s      23 MB
8               N/A¹                               N/A¹

PO (with partial order reduction)

                NuSMV-ImProviso                    SPIN
                states     time      memory        states     time      memory
2               48         010s      10 MB         48         002s      15 MB
3               209        031s      30 MB         209        <001s     15 MB
4               922        177s      104 MB        922        <001s     17 MB
8               306903     355386s   3818 MB       306903     1182s     2328 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN faster until…

Comparison: PAT, SPIN and FDR

Comparison: Conclusion

• Generally SPIN is faster than NuSMV and scales to larger state spaces; the partial order reduction in SPIN is very helpful

• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDDs for some systems

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)

• Possible optimization techniques
  • Abstraction
  • Compositional Reasoning
  • Symmetry



• Model Checking and Related Techniques
• Outline
• Model Checking Introduction
• Model Checking
• Model of Concurrent Systems
• Model of Concurrent Systems (Cont)
• Temporal logics
• Temporal logics (2)
• CTL Examples
• Fixpoint Algorithms
• Model Checking Problem
• Symbolic Model Checking
• Symbolic Model Checking with BDDs
• Ordered Binary Decision Trees and Diagrams
• OBDD for Comparator Example
• Variable Ordering Problem
• Symbolic Model Checking Algorithm
• Symbolic Model Checking (cont)
• Symbolic Model Checking (cont) (2)
• Problems with BDDs
• Advantages of SAT Procedures
• Bounded Model Checking
• Main Advantages of SAT Approach
• NuSMV: A New Symbolic Model Verifier
• NuSMV language by examples
• Explicit Model Checking
• Büchi Automata
• Example
• LTL and Büchi Automata
• LTL Model Checking
• Nested Depth First Search
• Example (2)
• Example (3)
• Nested Depth First Search (2)
• Nested Depth First Search (3)
• Explicit Model Checking (2)
• SPIN
• SPIN Example of Peterson's Algorithm
• Outline (2)
• Partial Order Reduction
• The State Explosion Problem
• Partial Order Reduction (2)
• Partial Order Reduction (Cont)
• Partial Order Reduction (Cont) (2)
• Compositional Reasoning
• Abstraction
• Cone of Influence Reduction
• Cone of Influence Reduction (2)
• Data Abstraction
• Data Abstraction Example
• Symmetry
• Model Written in SPIN
• Symmetry Reduction Example
• Outline (3)
• PAT: Process Analysis Toolkit
• PAT Workflow Diagram
• Fairness Assumptions
• Specifying Fairness
• Outline (4)
• Comparison: NuSMV-ImProviso and SPIN
• Comparison: Leader Election Protocol
• Comparison: PAT, SPIN and FDR
• Comparison Conclusion
• Outline (5)
• Conclusion
• Model Checking Distributed Algorithms
• Model Checking Distributed Algorithms (2)

Comparison: PAT, SPIN and FDR

Comparison Conclusion

• Generally SPIN is faster than NuSMV and can scale up to larger state spaces. The partial order reduction in SPIN is very helpful.

• Generally explicit model checking and BMC complement BDD-based model checking; BMC can also outperform BDD-based checking for some systems.

Outline

• Model Checking Techniques
– Introduction to MC
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking

• Tackle the State Space Explosion
– Partial Order Reduction
– Equivalences and Pre-orders between Structures
– Compositional Reasoning
– Abstraction
– Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
– Symbolic Model Checking
– Bounded Model Checking
– Explicit Model Checking

• Various optimization techniques
– Partial Order Reduction
– Compositional Reasoning
– Abstraction
– Symmetry
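As an added illustration of the explicit-state technique listed above (this is example code written for this page, not code from the slides, from SPIN, PAT or NuSMV, or from any of the papers), the script below builds the interleaved state graph of Peterson's two-process mutual exclusion (the algorithm the deck's SPIN example uses) and exhaustively checks the mutual-exclusion invariant by breadth-first search, the same exhaustive reachability that SPIN's safety mode performs. Beside it is a hypothetical "check-then-set" lock that tests the other process's flag before raising its own; the gap between the check and the set is a check-then-act race of the same shape as a TOCTOU bug, and the checker returns the shortest interleaving that puts both processes in the critical section. Assumptions: atomic statements, sequentially consistent shared memory, and the five control locations named in the code.

```python
from collections import deque

# Control locations of each process (assumed abstraction of the protocol code)
NCS, FLAG, TURN, WAIT, CS = "ncs", "flag", "turn", "wait", "cs"

# A global state is (pc, flag, turn): pc and flag are 2-tuples, turn is 0 or 1.
INITIAL = ((NCS, NCS), (False, False), 0)


def peterson_successors(state):
    """Interleaved next-states of Peterson's two-process mutual exclusion.

    Each process: raise own flag, give the turn to the other process, then
    wait while the other is interested AND it is the other's turn.
    """
    pc, flag, turn = state
    for i in (0, 1):
        j = 1 - i
        p, f, t = list(pc), list(flag), turn
        if pc[i] == NCS:
            p[i] = FLAG
        elif pc[i] == FLAG:
            f[i], p[i] = True, TURN
        elif pc[i] == TURN:
            t, p[i] = j, WAIT
        elif pc[i] == WAIT:
            if flag[j] and turn == j:
                continue             # guard false: process i is blocked here
            p[i] = CS
        else:                        # CS: leave and lower own flag
            f[i], p[i] = False, NCS
        yield f"p{i}: {pc[i]} -> {p[i]}", (tuple(p), tuple(f), t)


def check_then_set_successors(state):
    """Hypothetical broken lock: test the other flag, THEN raise own flag.

    The window between the check and the set is a check-then-act race;
    the exhaustive search finds the interleaving that exploits it.
    """
    pc, flag, turn = state
    for i in (0, 1):
        j = 1 - i
        p, f = list(pc), list(flag)
        if pc[i] == NCS:
            if flag[j]:
                continue             # other flag raised: spin
            p[i] = FLAG              # check passed; own flag not yet raised
        elif pc[i] == FLAG:
            f[i], p[i] = True, CS
        else:                        # CS: leave and lower own flag
            f[i], p[i] = False, NCS
        yield f"p{i}: {pc[i]} -> {p[i]}", (tuple(p), tuple(f), turn)


def mutex(state):
    """Safety invariant: never both processes in the critical section."""
    return state[0] != (CS, CS)


def check_invariant(initial, successors, invariant):
    """Exhaustive breadth-first search over the reachable state graph.

    Returns (holds, trace, visited); trace is the shortest list of
    (action, state) steps from initial to the first violating state.
    """
    parent = {initial: None}         # explicit state store: each state once
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace, cur = [], s
            while parent[cur] is not None:
                action, prev = parent[cur]
                trace.append((action, cur))
                cur = prev
            return False, trace[::-1], len(parent)
        for action, nxt in successors(s):
            if nxt not in parent:
                parent[nxt] = (action, s)
                queue.append(nxt)
    return True, [], len(parent)


def report(name, successors):
    """Print the verdict and, on failure, the counterexample interleaving."""
    holds, trace, visited = check_invariant(INITIAL, successors, mutex)
    print(f"{name}: mutex {'holds' if holds else 'VIOLATED'} "
          f"({visited} reachable states)")
    for action, (pc, flag, turn) in trace:
        print(f"  {action:18s} pc={pc} flag={flag} turn={turn}")
    return holds


if __name__ == "__main__":
    report("Peterson", peterson_successors)
    report("check-then-set", check_then_set_successors)
```

The state store (`parent`) is what makes this "explicit": every reachable global state is enumerated and hashed, which is exactly the memory cost that partial order reduction, symmetry and abstraction are meant to cut down. For the broken lock the counterexample is four steps long: both processes pass the flag check before either has raised its flag.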

Model Checking Distributed Algorithms

• Summary of papers studied
– Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
– MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
– Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
– Model Checking Transactional Memories


                                                                                                                              • Partial Order Reduction (Cont)
                                                                                                                              • Partial Order Reduction (Cont) (2)
                                                                                                                              • Compositional Reasoning
                                                                                                                              • Abstraction
                                                                                                                              • Cone of Influence Reduction
                                                                                                                              • Cone of Influence Reduction (2)
                                                                                                                              • Data Abstraction
                                                                                                                              • Data Abstraction Example
                                                                                                                              • Symmetry
                                                                                                                              • Model Written in SPIN
                                                                                                                              • Symmetry Reduction Example
                                                                                                                              • Outline (3)
                                                                                                                              • PAT Process Analysis Toolkit
                                                                                                                              • PAT Workflow Diagram
                                                                                                                              • Fairness Assumptions
                                                                                                                              • Specifying Fairness
                                                                                                                              • Outline (4)
                                                                                                                              • Comparison NuSMV-ImProviso and SPIN
                                                                                                                              • Comparison Leader Election Protocol
                                                                                                                              • Comparison PAT SPIN and FDR
                                                                                                                              • Comparison Conclusion
                                                                                                                              • Outline (5)
                                                                                                                              • Conclusion
                                                                                                                              • Model Checking Distributed Algorithms
                                                                                                                              • Model Checking Distributed Algorithms (2)

Outline

• Model Checking Techniques
  – Introduction to MC
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Tackle the State Space Explosion
  – Partial Order Reduction
  – Equivalences and Pre-orders between Structures
  – Compositional Reasoning
  – Abstraction
  – Symmetry

• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion

Conclusion

• Three ways to do model checking
  – Symbolic Model Checking
  – Bounded Model Checking
  – Explicit Model Checking

• Various optimization techniques
  – Partial Order Reduction
  – Compositional Reasoning
  – Abstraction
  – Symmetry

Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Bokor, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique: Explicit Model Checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness with POR)
  – Possible optimization techniques
    • Abstraction
    • Compositional Reasoning
    • Symmetry
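The slide above recommends explicit-state model checking for asynchronous distributed algorithms and singles out fairness support as the deciding factor between tools. The following is an added example, not code from the slides, from SPIN or from PAT: a minimal explicit-state checker in Python for a constructed two-process protocol in which each process sends its proposal to the other over a FIFO inbox, busy-polls until a message arrives, and decides the minimum. It enumerates the reachable state graph, checks agreement as an invariant, and checks the liveness property "eventually every process has decided" by searching for a reachable strongly connected component on which no state is fully decided. With weak fairness switched on, an SCC only counts as a counterexample if every process enabled throughout it also moves inside it; this SCC-plus-enabledness test is the usual way fairness is folded into an explicit-state search. The protocol, the state encoding and all names (`N`, `step`, `enabled`, `explore`, `sccs`, `check_eventually_decided`) are this example's own assumptions.

```python
"""Minimal explicit-state model checker for an asynchronous two-process protocol
(constructed example; not code from the slides, SPIN or PAT)."""
from collections import deque

N = 2  # two processes exchange their proposals and decide the minimum


def initial(proposals):
    # Global state: per-process (pc, proposal, decision) plus one FIFO inbox each.
    return (tuple(("send", v, None) for v in proposals), ((),) * N)


def enabled(state, p):
    return state[0][p][0] != "done"       # a decided process has no moves left


def step(state, p):
    """The one move process p has from `state` (each process is deterministic)."""
    procs, inbox = list(state[0]), [list(q) for q in state[1]]
    pc, own, dec = procs[p]
    if pc == "send":                      # asynchronous send, then wait
        inbox[(p + 1) % N].append(own)
        procs[p] = ("recv", own, dec)
    elif pc == "recv" and inbox[p]:       # receive and decide the minimum
        procs[p] = ("done", own, min(own, inbox[p].pop(0)))
    # "recv" on an empty inbox is a busy poll: the state is unchanged.
    return (tuple(procs), tuple(tuple(q) for q in inbox))


def successors(state):
    moves = [(p, step(state, p)) for p in range(N) if enabled(state, p)]
    return moves or [(None, state)]       # terminal states stutter


def explore(init):
    """Breadth-first enumeration of every reachable state: the explicit graph."""
    graph, frontier = {}, deque([init])
    while frontier:
        s = frontier.popleft()
        if s not in graph:
            graph[s] = successors(s)
            frontier.extend(t for _, t in graph[s])
    return graph


def all_decided(s):
    return all(pc == "done" for pc, _, _ in s[0])


def check_agreement(graph):
    """Safety invariant: decided processes never hold different values."""
    for s in graph:
        if len({d for pc, _, d in s[0] if pc == "done"}) > 1:
            return s                      # counterexample state
    return None


def sccs(graph, keep):
    """Tarjan's SCC algorithm restricted to the states satisfying `keep`."""
    index, low, stack, on_stack, result = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for _, w in graph[v]:
            if not keep(w):
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            result.append(comp)

    for v in graph:
        if keep(v) and v not in index:
            visit(v)
    return result


def check_eventually_decided(graph, weak_fairness):
    """Liveness: <> all_decided. A counterexample is a reachable SCC that can be
    cycled forever without ever reaching a fully decided state. Under weak
    fairness a process enabled throughout the SCC must also step inside it."""
    for comp in sccs(graph, lambda s: not all_decided(s)):
        inside = {p for s in comp for p, t in graph[s] if t in comp}
        if not inside:
            continue                      # trivial SCC: no cycle here
        if weak_fairness and any(p not in inside and all(enabled(s, p) for s in comp)
                                 for p in range(N)):
            continue                      # starves an enabled process: unfair run
        return comp
    return None


if __name__ == "__main__":
    g = explore(initial((3, 5)))
    print(len(g), "states;", "agreement violation:", check_agreement(g))
    print("no fairness:", check_eventually_decided(g, False))
    print("weak fairness:", check_eventually_decided(g, True))
```

Run as written, the checker finds seven reachable states and no agreement violation. Without fairness it reports a one-state SCC in which one process polls its empty inbox forever while the other, although enabled, is never scheduled; with weak fairness that run is discarded and the liveness property holds. That spurious counterexample is exactly why the slide cares about fairness support in the tool.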


Model Checking Distributed Algorithms

• Summary of papers studied
  – Model Checking of Consensus Algorithms [T. Tsuchiya and A. Schiper, SRDS 07]
  – MC of Distributed Dependable Protocols: Semantic Property Preserving Abstractions [P. Boker, M. Serafini, A. Pataricza and N. Suri, 07]
  – Automatic Verification and Discovery of Byzantine Consensus Protocols [P. Zielinski, DSN 07]
  – Model Checking Transactional Memories

Model Checking Distributed Algorithms

• Most suitable MC technique
  – Explicit model checking
  – Benefits
    • Better support for asynchronous communication
    • Better control of optimization techniques
    • Tools with better performance: SPIN or PAT (better support for fairness combined with POR)
• Possible optimization techniques
  • Abstraction
  • Compositional reasoning
  • Symmetry
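The recommendation above, explicit-state exploration of an asynchronous protocol, as an added example that is not part of the slides and not code from SPIN or PAT: a small breadth-first model checker for a constructed toy protocol in which every node broadcasts a proposal and decides on the smallest value it has heard once it has heard from a quorum of nodes (itself included). The network may deliver messages in any order, so the checker enumerates every interleaving and checks the agreement property (no two nodes decide different values) in each reachable state. The protocol, the two quorum rules and the proposal values are assumptions made for this example. With a quorum equal to the number of nodes, agreement holds everywhere; with a majority quorum the exhaustive search returns a trace in which two nodes decide different values, which is the class of bug an explicit-state checker finds in a distributed algorithm. Unlike SPIN or PAT, this checker applies no partial order reduction and no fairness assumption, so it is only practical for a handful of nodes.

```python
"""
Explicit-state model checking of a small asynchronous protocol.

Added example, not taken from the slides or from SPIN/PAT: a brute-force
breadth-first enumeration of every reachable state of a toy
"decide on the smallest proposal" protocol whose messages may be delivered
in any order. The protocol, its decision rule and the sample proposals are
constructed for illustration only.
"""
from collections import deque


# A state is (known, decided, inflight):
#   known    - per node, frozenset of (sender, value) pairs it has heard
#   decided  - per node, the decided value or None
#   inflight - frozenset of (sender, receiver, value) messages not yet delivered
def initial_state(proposals):
    n = len(proposals)
    inflight = frozenset((s, r, proposals[s])
                         for s in range(n) for r in range(n) if s != r)
    known = tuple(frozenset({(i, proposals[i])}) for i in range(n))
    decided = tuple(None for _ in range(n))
    return (known, decided, inflight)


def successors(state, quorum):
    """Enumerate every next step: deliver any one in-flight message, or let
    any node that has heard from `quorum` nodes (itself included) decide."""
    known, decided, inflight = state
    # Asynchronous network: any in-flight message may be the next delivered.
    for msg in inflight:
        sender, receiver, value = msg
        new_known = list(known)
        new_known[receiver] = known[receiver] | {(sender, value)}
        yield (tuple(new_known), decided, inflight - {msg})
    # Decision rule (assumed): smallest value heard so far, once the quorum
    # is reached. A node decides at most once.
    for i in range(len(known)):
        if decided[i] is None and len(known[i]) >= quorum:
            new_decided = list(decided)
            new_decided[i] = min(value for _, value in known[i])
            yield (known, tuple(new_decided), inflight)


def agreement_holds(state):
    """Safety property: no two nodes decide different values."""
    return len({d for d in state[1] if d is not None}) <= 1


def check(proposals, quorum):
    """Exhaustively explore the reachable state space by BFS.

    Returns (states_explored, counterexample); the counterexample is the
    list of states from the initial state to the first violating state,
    or None if agreement holds in every reachable state."""
    init = initial_state(proposals)
    parent = {init: None}          # visited set doubling as predecessor map
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not agreement_holds(state):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return len(parent), trace[::-1]
        for nxt in successors(state, quorum):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return len(parent), None


if __name__ == "__main__":
    proposals = [1, 2, 3]  # constructed sample input
    # Waiting for every node is safe: all nodes see the same minimum.
    explored, cex = check(proposals, quorum=3)
    print(f"quorum=3: {explored} states, violation found: {cex is not None}")
    # A majority quorum is not: delivery order lets nodes see different minima.
    explored, cex = check(proposals, quorum=2)
    print(f"quorum=2: {explored} states, violation found: {cex is not None}")
    if cex:
        for step, (known, decided, inflight) in enumerate(cex):
            print(f"  step {step}: decided={decided} in-flight={len(inflight)}")
```

The state is a tuple of hashable components so the visited map can detect revisits, which is what turns the interleaving tree into a finite graph; the trace printed for the majority quorum is the same kind of counterexample a SPIN or PAT run reports, with one delivery or decision per step.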



