Title: Large Scale External Directed Liveness Checking
1 Large Scale External Directed Liveness Checking
- Stefan Edelkamp
- Shahid Jabbar
- Computer Science Department
- University of Dortmund, Dortmund, Germany
2 Model Checking
- Given:
  - A model of a system.
  - A specification property.
- Model Checking Problem: Does the system satisfy the property?
  - An exhaustive exploration of the state space.
- Problem: How to cope with large state spaces that do not fit into the main memory?
- In Practice: successes in finding bugs.
3 Directed Model Checking (Edelkamp, Leue, Lluch-Lafuente, 2004)
- A guided search in the state space.
  - Usually by some heuristic estimate.
  - Only promising states are explored.
  - Under certain conditions proved to be optimal.
- Short error trails
  - Better for human comprehension.
- Problem: The inevitable demands of the model: space, space and space.
4 A* Algorithm
- A heuristic estimate is used to guide the search.
  - E.g. the straight-line distance from the current node to the goal, in case of a graph with a geometric layout.
- Problems:
  - A* needs to store all the states during exploration.
  - A* generates a large amount of duplicates that can be removed using an internal hash table only if it fits in the main memory.
  - A* does not exhibit any locality of expansion. For large state spaces, standard virtual memory management can result in excessive page faults.
5 Problem with the Virtual Memory
[Figure: virtual address space from 0x000000 to 0xFFFFFF divided into memory pages]
6 External Memory Model (Aggarwal and Vitter)
If the input size is very large, running time depends on the I/Os rather than on the number of instructions.
[Figure: main memory of size M; input of size N with N >> M]
Scan(N) = O(N / B)
Sort(N) = O((N / B) log_{M/B} (N / B))
7 External BFS (Munagala and Ranade)
- I: Remove duplicates by sorting the nodes according to their indices and doing a scan and compaction phase.
- II: Subtract layers t and t+1 from layer t+2.
8 Set A* (Jensen, Veloso, Bryant 2000)
- Consistent heuristic estimates → Δh ∈ {-1, 0, 1}
[Figure: bucket grid indexed by g (rows 0-5) and h (columns 0-6); one cell marked "A Bucket!!"]
9 External A* (Edelkamp, Jabbar, and Schroedl, 2004)
- Buckets represent temporal locality: a cache-efficient order of expansion.
- If we store the states of the same bucket together we can exploit the spatial locality.
- Munagala and Ranade's BFS and Korf's delayed duplicate detection for implicit graphs.
[Figure: External A*]
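The layered BFS of slide 7 and the bucket-based External A* of slides 8 and 9, as one added illustration in Python (this is not code from the paper or from I/O-HSF-SPIN). Buckets (g, h) are in-memory lists standing in for the files kept on disk; duplicate detection is delayed: a bucket is sorted and compacted before expansion, then every earlier bucket with the same h is subtracted by a merge scan. With h ≡ 0 the buckets are exactly the BFS layers of Munagala and Ranade (slide 7 restricts the subtraction to layers t and t+1, which suffices for undirected graphs; the code below subtracts all earlier same-h buckets, which is always correct). The 5×5 grid, its walls, start and goal, and the Manhattan heuristic are constructed sample input.

```python
"""Bucket-based external search with delayed duplicate detection (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

Node = Tuple[int, int]


def sort_and_compact(buffer: List[Node]) -> List[Node]:
    """Phase I of delayed duplicate detection: sort the raw buffer of generated
    successors, then a single scan keeps one copy of each node."""
    buffer.sort()
    compacted: List[Node] = []
    for node in buffer:
        if not compacted or compacted[-1] != node:
            compacted.append(node)
    return compacted


def subtract_sorted(candidates: List[Node], older: List[Node]) -> List[Node]:
    """Phase II: drop from the sorted candidate bucket every node that occurs in an
    older sorted bucket, with one merge-style scan and no hash table."""
    result: List[Node] = []
    j = 0
    for node in candidates:
        while j < len(older) and older[j] < node:
            j += 1
        if j < len(older) and older[j] == node:
            continue
        result.append(node)
    return result


def external_astar(start: Node, successors: Callable[[Node], List[Node]],
                   is_goal: Callable[[Node], bool], h: Callable[[Node], int]
                   ) -> Tuple[Optional[int], int, Dict[Tuple[int, int], List[Node]]]:
    """Expand buckets in order of f = g + h, then g.
    Returns (optimal cost or None, number of expanded nodes, the buckets)."""
    buckets: Dict[Tuple[int, int], List[Node]] = {(0, h(start)): [start]}
    expanded = 0
    f = h(start)
    # A consistent h with |delta h| <= 1 puts every successor on diagonal f, f+1
    # or f+2, so a diagonal that has been passed never receives new nodes.
    while any(g + hv >= f for g, hv in buckets):
        for g in range(f + 1):
            key = (g, f - g)
            if key not in buckets:
                continue
            bucket = sort_and_compact(buckets[key])
            # A node's h never changes, so its duplicates can only sit in earlier
            # buckets with the same h, all of which are already final.
            for g_old in range(g):
                older = buckets.get((g_old, f - g))
                if older:
                    bucket = subtract_sorted(bucket, older)
            buckets[key] = bucket
            if any(is_goal(node) for node in bucket):
                return g, expanded, buckets      # every cheaper bucket is done
            for node in bucket:
                expanded += 1
                for succ in successors(node):
                    buckets.setdefault((g + 1, h(succ)), []).append(succ)
        f += 1
    return None, expanded, buckets


# Constructed sample graph: a 5x5 grid with a two-cell wall blocking the direct row.
SIZE = 5
WALLS = {(2, 0), (2, 1)}
START, GOAL = (0, 0), (4, 0)


def grid_successors(node: Node) -> List[Node]:
    x, y = node
    return [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
            if 0 <= x + dx < SIZE and 0 <= y + dy < SIZE and (x + dx, y + dy) not in WALLS]


def manhattan(node: Node) -> int:
    """Consistent heuristic: unit moves change it by at most 1."""
    return abs(node[0] - GOAL[0]) + abs(node[1] - GOAL[1])


def zero(node: Node) -> int:
    """h == 0 turns the bucket search into Munagala and Ranade's layered BFS."""
    return 0


def solve(heuristic: Callable[[Node], int]) -> Tuple[Optional[int], int]:
    cost, expanded, _ = external_astar(START, grid_successors, lambda n: n == GOAL, heuristic)
    return cost, expanded


def reachable_state_count() -> int:
    """Exhaustive external BFS: each reachable node ends up in exactly one bucket."""
    _, _, buckets = external_astar(START, grid_successors, lambda n: False, zero)
    return sum(len(b) for b in buckets.values())


if __name__ == "__main__":
    print("BFS (h=0):  cost, expanded =", solve(zero))
    print("External A*: cost, expanded =", solve(manhattan))
    print("reachable states:", reachable_state_count())
```

Both runs return the same optimal cost; the directed run processes fewer nodes because buckets on diagonals beyond the goal's f value are never touched, while the exhaustive run shows that delayed duplicate detection leaves each reachable node in exactly one bucket.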
10 External Search For Model Checking (Jabbar and Edelkamp, VMCAI 05)
- Uses the hard disk to store the state space, divided in the form of buckets.
- Implemented on top of the SPIN model checker.
- Promising: Largest exploration so far took 20 GB, much larger than even the address limits of most computers.
- Pause and Resume support: Can add more hard disks.
- Problems:
  - Slow duplicate detection phase
  - Internal Processing Time >> External I/O time
11 External Parallel DMC (Jabbar and Edelkamp, VMCAI 06)
- Internal work distributed over multiple processors, which might even be separate machines connected over a network.
- Inter-process communication through simple files.
- Workload transferred in bulk rather than as individual states.
- Promising: Almost a linear speed-up on multiple-processor machines.
12 Liveness Property
- Search for a cycle that visits an accepting state infinitely often.
- Perform Nested Depth-first search that looks for a state that is already residing on the stack (Holzmann).
[Figure: lasso with Initial State, Head of Lasso and Accepting State]
DFS does not show any locality → Not Suitable for External Search!
13 Liveness as Safety (Schuppan and Biere, 2005)
- Explicitly unroll the lasso.
- Search for the head again.
[Figure: unrolled lasso with Initial State, Accepting State and the Head of Lasso appearing twice]
14 Liveness as Safety: Extended State Description
- Piggyback the head of lasso on the state and search for it!
[Figure: extended-state search beginning at Start]
15 What makes a state Head of Lasso?
- They said: Every state! O(V²)
- We say: Only the accepting states! O(V × F)
16 Algorithm: Heuristic Search for Liveness as Safety
- Stage 1: For a state (s, s, 0), perform a directed search for an accepting state s in the never-claim.
  - When found, spawn two children:
    - (s, s, 1): Head of lasso found!
    - (s, s, 0): Head of lasso not found!
- Stage 2: For a state (s, s, 1), perform a directed search for s.
  - s might not form a cycle! So keep searching!
17 Heuristics for the first stage: Head of the lasso
- We want to reach an accepting state in the never-claim faster!
[Figure: Model and Never-claim]
H_N = min{δ(c, a1), δ(c, a2), δ(c, a3)}
δ is the shortest path distance between two states and can be pre-computed.
18 Heuristics for the second stage: Close the lasso
- We want to reach a particular state (in red) in both the model and the never-claim from my current state (in blue).
[Figure: Model and Never-claim with current state c and states a1, a2, a3]
H = max{H_N, H_M}
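The two-stage search of slides 13 to 16 together with the heuristics of slides 17 and 18, as an added illustration in Python (not the paper's or I/O-HSF-SPIN's code). The model, the never-claim and the synchronous product construction are constructed for the example; extended states are (s, head) pairs, with head = None standing for flag 0 and the piggybacked accepting state for flag 1; the visited set is an in-memory hash set rather than external buckets; δ is pre-computed per component with an all-pairs BFS, so H_N and H_M are plain table lookups.

```python
"""Directed liveness-as-safety search over extended states (added example)."""
import heapq
import itertools
from collections import deque
from typing import Dict, List, Optional, Tuple

State = Tuple[str, str]             # (model state, never-claim state)

# Constructed model: a process that requests the critical section; the
# 'wait' self-loop is the starvation bug the search should expose.
MODEL_INIT = "idle"
MODEL_TRANS: Dict[str, List[str]] = {
    "idle": ["idle", "req"],
    "req":  ["wait"],
    "wait": ["wait", "crit"],
    "crit": ["idle"],
}
# Constructed never-claim for the negation of "every wait is followed by
# crit": it accepts runs that reach 'wait' and then avoid 'crit' forever.
CLAIM_INIT = "n0"
CLAIM_TRANS = {                     # source -> [(guard on the model state, target)]
    "n0": [(lambda m: True, "n0"), (lambda m: m == "wait", "n1")],
    "n1": [(lambda m: m != "crit", "n1")],
}
ACCEPTING = frozenset({"n1"})


def product_successors(state: State) -> List[State]:
    """Synchronous product: the claim moves with the model and its guard is
    evaluated on the model state just reached (a simplified convention)."""
    m, n = state
    return [(m2, n2) for m2 in MODEL_TRANS[m]
            for guard, n2 in CLAIM_TRANS[n] if guard(m2)]


def all_pairs_bfs(trans: Dict[str, List[str]]) -> Dict[str, Dict[str, int]]:
    """Pre-compute delta(u, v), the shortest-path distance inside one component."""
    dist: Dict[str, Dict[str, int]] = {}
    for src in trans:
        dist[src] = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in trans[u]:
                if v not in dist[src]:
                    dist[src][v] = dist[src][u] + 1
                    queue.append(v)
    return dist


DELTA_M = all_pairs_bfs(MODEL_TRANS)
DELTA_N = all_pairs_bfs({n: [t for _, t in edges] for n, edges in CLAIM_TRANS.items()})
INF = 10 ** 9


def heuristic(state: State, head: Optional[State]) -> int:
    m, n = state
    if head is None:                # stage 1: H_N = min over accepting a of delta(n, a)
        return min(DELTA_N[n].get(a, INF) for a in ACCEPTING)
    hm, hn = head                   # stage 2: H = max(H_N, H_M) towards the stored head
    return max(DELTA_N[n].get(hn, INF), DELTA_M[m].get(hm, INF))


def find_accepting_cycle() -> Optional[List[State]]:
    """Best-first search over (s, head): head is None while the flag is 0 and the
    piggybacked accepting state once the flag is 1.  Returns the product-state
    path from the initial state to the second visit of the head, or None."""
    start: State = (MODEL_INIT, CLAIM_INIT)
    tie = itertools.count()         # unique counter keeps heap entries comparable
    frontier = [(heuristic(start, None), 0, next(tie), start, None, [start])]
    closed = {(start, None)}
    while frontier:
        _, g, _, s, head, path = heapq.heappop(frontier)
        for s2 in product_successors(s):
            if head is not None and s2 == head:
                return path + [s2]                 # lasso closed: counterexample
            children = [(s2, head)]                # flag and head carried along
            if head is None and s2[1] in ACCEPTING:
                children.append((s2, s2))          # (s, s, 1): head of lasso found
            for child in children:
                if child in closed:
                    continue
                closed.add(child)
                c_state, c_head = child
                heapq.heappush(frontier, (g + 1 + heuristic(c_state, c_head), g + 1,
                                          next(tie), c_state, c_head, path + [c_state]))
    return None


def split_lasso(path: List[State]) -> Tuple[List[State], List[State]]:
    """Split a found path into its prefix and the accepting cycle."""
    first = path.index(path[-1])
    return path[:first], path[first:-1]


if __name__ == "__main__":
    found = find_accepting_cycle()
    print(split_lasso(found) if found else "no accepting cycle: property holds")
```

The search finds the head (wait, n1) in stage 1, spawns both children, and closes the lasso in stage 2 through the self-loop; the child that keeps searching with flag 0 is retained so that an accepting state that does not lie on a cycle does not end the search early, which is the point made on slide 16.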
19 External Directed LTL Model Checking
[Figure: buckets 0-4 with the labels: Same states in both parts; Arrives at the final state; Arrives again at the same final state; Already seen final state; Current state]
20 I/O Complexity
- External memory algorithms are evaluated on the number of I/Os.
- Expansion: Linear I/O, O(Scan(V × F))
- Delayed Duplicate Detection:
  - Removing duplicates from the same buffer: O(sort(E × F))
  - Subtracting previous levels: O(l × Scan(V × F)), where l is the length of the found counterexample.
I/O Complexity: O(sort(E × F) + l × Scan(V × F))
21 LTL Model Checking in 2-Elevator
Tool          Algorithm     Expanded    Inserted    Time      Length
I/O-HSF-SPIN  External A*   2,090,933   2,275,778   1m18s     6734
I/O-HSF-SPIN  External BFS  2,642,575   2,827,073   2m3.96s   6734

Tool          Algorithm     Transitions Stored   Time      Length
SPIN 4.2      Nested DFS    33,900      11,149   0m0.064s  109100
SPIN is Fast!
22 LTL Model Checking in SGC Protocol (Zhang, 1999)
Tool          Algorithm     Expanded  Inserted  Time      Length
I/O-HSF-SPIN  External A*   178       369       0m1.318s  155
I/O-HSF-SPIN  External BFS  1,343     1,427     0m0.787s  155

Tool          Algorithm     Transitions  Stored  Time      Length
SPIN 4.2      Nested DFS    155,963      8,500   1m47s     185
BFS is faster! External A* had to flush several unfilled buffers to the disk.
23 LTL Model Checking in 64-Dining Philosophers
Tool          Algorithm     Expanded    Inserted    Time        Length
I/O-HSF-SPIN  External A*   2,298       127,813     0m6.108s    1962
I/O-HSF-SPIN  External BFS  2,298       47,118      0m13.549s   1962
SPIN 4.2      Nested DFS    out-of-mem  out-of-mem  out-of-mem  out-of-mem
Several states are inserted but no refinement is done on them, hence faster.
24 Parallel LTL Model Checking in 124-Dining Philosophers
Processors     Time      Secondary Memory  Length
1 Processor    -         -                 -
2 Processors   5m53.96s  4.7 gigabytes     3882
3 Processors   4m7.13s   5.28 gigabytes    3882
Multiple-processor machine
25 Summary
- Schuppan and Biere approach → liveness as reachability.
- Liveness requires searching for an acceptance cycle: a path to a previously seen state that also visits an accepting state.
- Save a tuple of states.
- Two new heuristics to accelerate the search.