SPIN. Seach Optimization Exhaustive search requires so much time and memory to perform verification realistically, must perform some shortcuts –reduce.

SPIN

Seach Optimization

• Exhaustive search requires so much time and memory

• to perform verification realistically, must perform some shortcuts– reduce the number of reachable states– reduce the amount of memory required to

represent a state

Agenda

• Search Algorithm• Search Optimization

– Reduction of the number of reachable states– Reduction of the amount of memory

• lossless method– State Compression– Minimized automaton representation

• lossy method– Bit state hashing– Bloom Filter– Hash Compact

Partial Order Reduction

• 考えられる実行順序– 1 : x = 1;g = g+2;y = 1 ;g = g*2;– 2 : x = 1;y = 1 ;g = g+2 ;g = g*2;– 3 : x = 1;y = 1 ;g = g*2 ;g = g+2;– 4 : y = 1;g = g*2 ;x = 1 ;g = g+2; – 5 : y = 1;x = 1 ;g = g*2 ;g = g+2;– 6 : y = 1;x = 1 ;g = g+2;g = g*2;

P1 : x = 1; g = g+2;

P2 : y = 1 g = g*2

Partial Order Reduction

• x = 1 と y = 2 と (g = g + 2, g= g * 2) は独立

• 重要なのは g = g+2, g = g * 2 の順序のみ– 2 : x = 1;y = 1 ;g = g+2 ;g = g*2;– 3 : x = 1;y = 1 ;g = g*2 ;g = g+2;

の二つについてのみ探索を行えば十分

Statement Merging

• if permissible, merge adjacent statements (operations) into one

• if there is a possibility that a different process might interleave between statements, this is not possible– eg: when global variables are accessed conse

cutively

• It is a special case of Partial Order Reduction

adjacent: 隣接する

Agenda

• Search Algorithm• Search Optimization

– Reduction of the number of reachable states– Reduction of the amount of memory

• lossless method– State Compression– Minimized automaton representation

• lossy method– Bit state hashing– Bloom Filter– Hash Compact

State Compression

• 各プロセスの状態表現に P[bits] – プロセス数が n なら状態表現に nP[bits] 必要– しかし P[bits] で表現される全ての状態に到達

するわけではない。– よって P[bits] は情報量として冗長– 各プロセス毎に到達した状態に unique な番

号を割り振って、全状態としてはその番号の組み合わせを記憶する。

State Compression

• e.g.– P1 : integer x, y , z; P2 : integer a, b , c;– the size of memory to represent a state of each

process is 24bits.– the number of reachable states is 5,000– the number of reachable states of each process is

100 ( <= 256 = 2^8)• If states is represented straightforwardly, you

need …– (24 + 24)*5,000 = 240,000 [bits]

• If you use this method, you need only …– (100 + 100)*24 + 8 * 5,000 = 44,800 [bits]

Minimized automaton representation

• 状態が到達済みかどうかの判定を OBDDを利用して行う。

• OBDD– bit 列の入力に対して、真偽を判断するための

データ構造• 戦略

– 状態 S をビット列に変換– OBDD で到達済みか判断。– 到達済みでないなら、 OBDD を更新する。

OBDD

• BDD (Binary Decision Diagram)– bit 列 [b0,b1, …] に対して true, false を判定する

automaton– 各 vertex が b0,b1, … に対応 edges が bit の値に対応

• OBDD– BDD に以下の条件を加えたもの。– b0,b1,b2, … の順に処理– 同じ構造のツリーはまとめる。– 冗長な vertex は除去

OBDD Structure

b0 b1

b1

b2

F

T

0

1 0

1

1

00

1

(b0,b1,b2) { (0,0,0),(0,0,1),(1,0,1) } →∈ 　 Trueotherwise → 　 False

+ (1,0,0)

Agenda

• Search Algorithm• Search Optimization

– Reduction of the number of reachable states– Reduction of the amount of memory

• lossless method– State Compression– Minimized automaton representation

• lossy method– Bit state hashing– Bloom Filter– Hash Compact

Bit state hashing

• Depth-first search constructs a set of reachable states to conclude whether a state was reached.

• The set is normally implemented using hash table.

Standard implementation

• Standard implementation uses– 8×h + S×r [bits]

• h : the number of slots of a hash table

• S : the size of memory to represent a state

• r : the number of reachable states

• 8 : pointer• m : total size of memory

in the machine

Standard Implementation

• If parameters are ...– m = 10^9 bits ,S = 1000 , r = 10^7– (S ・ r)/m = 10 > 1– coverage of the problem size is only 10%

Bit state hashing

• If we configure the hash table as an array of m bits, using it as a hash table with h = m slots.....– h >> r and coverage close to 100%– when a hash collision happens, we will

conclude incorrectly that a state was visited before.

s0

s1

s2s3

s4

s5

hash collision!!

not reached

h(s0) = 0, h(s1) = 5, h(s2) = 3, h(s3) = 2,h(s4) = 5, h(s5) = 1

0 1 2 3 4 5

h(s0) h(s1)h(s2)h(s3) h(s4)

This state was reached !?

Bloom Filters

push (s) : existed = True hlist = hash(s,k) for h in hlist: if (hash_table[h] is False): existed = False hash_table[h] = True return existed

hash(s,k): return [h0(s),h1(s),...., h_k_1(s)]

Bloom Filters (k = 2)

h0(s0) = 0h1(s0) = 1

h0(s1) = 0h1(s1) = 3

h0(s2) = 3h1(s2) = 1

0 1 2 3 4

OK

OK OKCollision OK

OK

Collision Collision

False Collision

Bloom Filter• After r states is stored, probability that a

certain bit is still false is

• Probability that we incorrectly conclude that the (r + 1)th state was visited

• optimal k (that minimize probability) is

Bloom Filter

• e.g.– r = 10,000,000– m = 1,000,000,000– optimal value of k = 69.315

Hash Compact

• Normal Implementation な hash table に State ではなく、 State を hash 関数を使って、より小さい空間に写像したものを渡す。– 当然、写像に使う hash 関数は hashtable 内で利用さ

れているものとは異ならなければならない。• the number of reachable states << hash 値の空

間の大きさ << State 空間の大きさの時効果を発揮する。

• 前者の <<→ 衝突の確率が低い。• 後者の <<→ 保存データサイズの縮小• 要するに State 空間の表現が冗長だよってこと。