Guard-based Partial-Order Reduction in...

Guard-based Partial-Order Reduction in LTSmin

UNIVERSITY OF TWENTE. Formal Methods & Tools.

Alfons Laarman, Elwin Pater,Jaco van de Pol, Michael Weber

8 july 2013

SPIN’13, Stony Brook

... Introduction LTSmin Theory POR Implementation Experiments Conclusion ...

LTSmin Tool Architecture (1)

Languages

SymbolicDistributed Multi−coreToolsReachability

mCRL2 Promela DVE UPPAALSpecification

PINS

Functionality

I On-the-fly detection of errors: deadlocks, actions, invariant violations

I On-the-fly LTL model checking for liveness (Nested DFS)

I Symbolic model checker for CTL*, full µ-calculus

I State space generation, bisimulation minimization, export

I State and edge labels support timed and stochastic systems

UNIVERSITY OF TWENTE. Guard-based Partial-Order Reduction in LTSmin 8 july 2013 2 / 16



Languages

SymbolicDistributed Multi−coreToolsReachability

mCRL2 Promela DVE UPPAALSpecification

PINS

Functionality

I On-the-fly detection of errors: deadlocks, actions, invariant violations

I On-the-fly LTL model checking for liveness (Nested DFS)

I Symbolic model checker for CTL*, full µ-calculus

I State space generation, bisimulation minimization, export

I State and edge labels support timed and stochastic systems




Pins2pins

mCRL2 Promela DVE UPPAAL

Symbolic

Specification

PINS

PINS

Distributed Multi−core

Languages

ToolsReachability

reduction Partial−order Variable reordering

Transition groupingcachingTransition

Wrappers



Pins interface

Partitioned Interface for Next States:

I States are partitioned into vector of N state variables

I The next-state function is partitioned into M transition groupsI Show locality: N ×M dependency matrix (hopefully sparse)

I indicates which state parts each transition group depends on

On-the-fly access to the state space via an API:

Three basic functions

I init-state(): returns the initial state vector

I next-state(i,s): successors of state s in transition group i

I get-matrix: returns the dependency matrix DM×N



Pins interface

Partitioned Interface for Next States:

I States are partitioned into vector of N state variables

I The next-state function is partitioned into M transition groupsI Show locality: N ×M dependency matrix (hopefully sparse)

I indicates which state parts each transition group depends on

On-the-fly access to the state space via an API:

Three basic functions

I init-state(): returns the initial state vector

I next-state(i,s): successors of state s in transition group i

I get-matrix: returns the dependency matrix DM×N



Dependency Matrix: caching and regrouping

global int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +

In general:using r/w/+

Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure




global int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +


Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure




global int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +


Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure




global int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +


Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure



Dependency Matrix: caching and regroupingglobal int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +


Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

init state = 〈7, 3, 9〉

〈7, 3, 9〉 p1.1−→ 〈6, 4, 9〉〈7, 3, ∗〉 p1.1−→ 〈6, 4, ∗〉

〈7, 3, 9〉 p3.2−→ 〈7, 4, 8〉〈∗, 3, 9〉 p3.2−→ 〈∗, 4, 8〉

cache short transitionsenable symbolic means

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure




global int x=7;

process p1() {

do

::{x>0 -> x--;y++}

::{x>0 -> x--;z++}

od }

global int y=3;

process p2() {

do

::{y>0 -> y--;x++}

::{y>0 -> y--;z++}

od }

global int z=9;

process p3() {

do

::{z>0 -> z--;x++}

::{z>0 -> z--;y++}

od }

Process Matrix

x y z

p1 + + +p2 + + +p3 + + +


Refined Matrix

x y z

p1.1 + + −p1.2 + − +p2.1 + + −p2.2 − + +p3.1 + − +p3.2 − + +

Static Regrouping

x y z

p1.1, 2.1 + + −p1.2, 3.1 + − +p2.2, 3.2 − + +

I Less overhead

I Better structure



Table of Contents

1 Introduction LTSminLTSmin Tool ArchitecturePINS Interface

2 TheoryBasis: Stubborn SetsGuard Based PORNecessary Disabling Sets

3 ImplementationLanguage Module ExtensionsAlgorithm to find small Stubborn SetsPOR and LTL model checking

4 Experiments

5 Conclusion



Partial-Order Reduction (Godefroid,Valmari)

s

sd

t1

t2

t3

t4

Ts

t1

t2

t3

Main idea of partial-order reduction

I Avoid exploring all transition interleavingsI Select sufficient subset of enabled transitions

I don’t destroy conflicting transitions

Necessary Enabling Sets (NES)

I If transition α is not enabled in state s, thenI NES(α, s) is some necessary enabling set

I it contains a transition from each path to α

Algorithm to compute a Stubborn Set

1 Select an arbitrary enabled transition in Ts

2 Repeat, for each α ∈ Ts :

1 If α enabled: add all conflicting transitions β to Ts

2 If α disabled: add all transitions in some NES(α, s) to Ts

It is sufficient to take transitions that are enabled and stubborn




s

sd

t1

t2

t3

t4

Ts

t1

t2

t3

NES(t4)
















s

sd

t1

t2

t3

t4

Ts

t1

t2

t3

NES(t4)















Innovation 1: Guard-centric approach

Atomic transitions: g1(~x) ∧ · · · ∧ gn(~x) −→ ~x := tExtend Pins with a function to evaluate guards

Define all notions on guards rather than transitions

I guards x > 0 and x < 5 may be co-enabled . . . . . . MC (g1, g2)

I guards x = 0 and x > 5 cannot be co-enabled

I guards pc = 3 and pc = 5 cannot be co-enabled

I How to enable a guard pc = 3? . . . . . . . . . . . . . . . . . . .NES(g1)I Add all transitions that assign pc := 3

I An update x := 5 conflicts with guard x + y = z . . . . . . . DNA

I An update v := 5 doesn’t conflict with guard x + y = z

I An update x := x + 1 doesn’t conflict with guard x + y > z

Program counters or process locations are treatedno different than just any other state variable








I guards pc = 3 and pc = 5 cannot be co-enabledI How to enable a guard pc = 3? . . . . . . . . . . . . . . . . . . .NES(g1)

I Add all transitions that assign pc := 3

































Innovation 2: Necessary Disabling Sets

P1 P2

t1

t2· · ·t5

t6

t7

t8

DNA,MC

Keeping stubborn sets small

I Assume (t1, t7) and (t6, t7) are conflictingI Typically, NES works backwards:

I Fat stubborn set: {t1, t2···5, t6, t7}

I Note: t1 and t6 may not be co-enabledI Disabling t1 is necessary to enable t6:

I {t1, t6, t7} is a sufficient stubborn set

Necessary Disabling Sets

I So, how to find an necessary enabling transition for α?

I Disable any enabled transition β that is not co-enabled with α

I NDS(β, s) contains some transition necessary to disable β




P1 P2

t1

t2· · ·t5

t6

t7

t8

DNA,MC



I Fat stubborn set: {t1, t2···5, t6, t7}I Note: t1 and t6 may not be co-enabledI Disabling t1 is necessary to enable t6:









P1 P2

t1

t2· · ·t5

t6

t7

t8

DNA,MC












P1 P2

t1

t2· · ·t5

t6

t7

t8

DNA,MC











Table of Contents

1 Introduction LTSminLTSmin Tool ArchitecturePINS Interface

2 TheoryBasis: Stubborn SetsGuard Based PORNecessary Disabling Sets

3 ImplementationLanguage Module ExtensionsAlgorithm to find small Stubborn SetsPOR and LTL model checking

4 Experiments

5 Conclusion



Language Module Extensions

What every language must provide

I Dependency Matrix for state variables and guards . . . . . . DMI distinguish read/write dependencies

I Matrix to report conflicting transitions . . . . . . . . . . . . . . . . .DNA

Optional improvements for more reduction

I Necessary Enabling Sets for guards . . . . . . . . . . . . . . . . . . . . .NES

I Necessary Disabling Sets for guards . . . . . . . . . . . . . . . . . . . . NDS

I May-be Co-enabled matrix on guards . . . . . . . . . . . . . . . . . . . MC

I All matrices can be approximated by static analysis

I A good default can be computed for the optional information

I We did extend the language modules for Promela and DVE





























Heuristics for finding Stubborn Sets

Implementation of Stubborn Sets

I Heuristics to choose stubborn set with minimum costsI enabled transitions more expensive than disabled transitionsI transitions that were selected already come for free

I This is sufficient for reachability/deadlockI for the sequential + parallel algorithms

Extra implemented provisos (Holzmann, Peled)

I Incorporated extra features in algorithm + language module:I Extra: provide visibility informationI Extra: implemented several cycle provisos

I This is sufficient for LTL model checkingI only for the sequential algorithms






























The Tower of Pins Layers: LTL with POR

NDFS emptiness check

LTL crossproduct

Partial-order reduction

Transition cache

Language module

system spec property ϕ

M,DM

M,DMR

MR ,−

MR × B¬ϕ

DNA,MC ,NES

DNA,MC ,NES

Vis

stack proviso

Pins

Pins

Pins

Pins

Stretching the Pins interface

I Get new transitions on-the-flyI request from upper layerI call-back on each successor

I POR layer needs extra info:I visibility from Buchi productI cycle-proviso from NDFS

Refined Proviso’s

I Cycles: color provisoI Valmari, Evangelista

I Visibility: atoms as guardsI Reuse en/dis-abling infoI Dynamic (per state)



The Tower of Pins Layers: LTL with POR

NDFS emptiness check

LTL crossproduct

Partial-order reduction

Transition cache

Language module

system spec property ϕ

M,DM

M,DMR

MR ,−

MR × B¬ϕ

DNA,MC ,NES

DNA,MC ,NES

Vis

stack proviso

Pins

Pins

Pins

Pins

Stretching the Pins interface

I Get new transitions on-the-flyI request from upper layerI call-back on each successor

I POR layer needs extra info:I visibility from Buchi productI cycle-proviso from NDFS

Refined Proviso’s

I Cycles: color provisoI Valmari, Evangelista

I Visibility: atoms as guardsI Reuse en/dis-abling infoI Dynamic (per state)



Experimental Results

46 DVE models from BEEM database

I Compare stubborn sets versus ample sets (theory):I Reduce more than best possible ample set (Geldenhuys)I Heuristics for selecting stubborn sets are very effectiveI Necessary Disabling Sets can help as well

16 Promela models, up to 50M states, 250M transitions

I Compare stubborn sets (LTSmin) with ample sets (SPIN)I LTSmin por provides more reduction than Spin porI Spin’s partial-order reduction is more efficient in timeI LTSmin requires less memory (reduction + state compression)

POR combined with LTL model checking

I Guard-based dynamic visibility proviso pays off

I Subtle cycle proviso’s (Valmari, Evangelista) pay off

































0.0%$

20.0%$

40.0%$

60.0%$

80.0%$

100.0%$

120.0%$

garp$

i/protocol2$

peterson4$

i/protocol0$

brp.prm$

philo.pm

l$sort$

i/protocol3$

i/protocol4$

snoopy$

peterson3$

SMALL1$

SMALL2$

X.509.prm$

dbm.prm

$smcs$

States&

SPIN$

LTSmin$

0"

10"

20"

30"

40"

50"

60"

70"

80"

garp"

i0protocol2"

peterson4"

i0protocol0"

brp.prm"

philo.pm

l"

Run$me'(sec)'

0"

1"

10"

100"

1,000"

garp"

i*protocol2"

peterson4"

i*protocol0"

brp.prm"

philo.pm

l"

Memory'(MB,'log'scale)'



0.0%$

20.0%$

40.0%$

60.0%$

80.0%$

100.0%$

120.0%$

garp$

i/protocol2$

peterson4$

i/protocol0$

brp.prm$

philo.pm

l$sort$

i/protocol3$

i/protocol4$

snoopy$

peterson3$

SMALL1$

SMALL2$

X.509.prm$

dbm.prm

$smcs$

States&

SPIN$

LTSmin$

0"

10"

20"

30"

40"

50"

60"

70"

80"

garp"

i0protocol2"

peterson4"

i0protocol0"

brp.prm"

philo.pm

l"

Run$me'(sec)'

0"

1"

10"

100"

1,000"

garp"

i*protocol2"

peterson4"

i*protocol0"

brp.prm"

philo.pm

l"

Memory'(MB,'log'scale)'


Pins2pins


Symbolic

Specification

PINS

PINS

Distributed Multi!core

Languages

ToolsReachability

reduction Partial!order Variable reordering


Wrappers


Why join the LTSmin project?

End users: profit without changing modeling language

I probably the best scalable model checker up to 48 cores

I economic with memory (lossless compression, por reduction)

I supports major modeling languages: SPIN, UPPAAL, mCRL2

Developers: build your own HP Domain Specific Model Checker

I easy to link to new language modules through API + matrices

I now provides LTL model checker with partial-order reduction

I provides multi-core, distributed and symbolic algorithms

Scientists: prototype, benchmark, compare and combine

I symbolic, partial-order reduction, multi-core in one framework


Pins2pins


Symbolic

Specification

PINS

PINS


Languages

ToolsReachability



Wrappers














Pins2pins


Symbolic

Specification

PINS

PINS


Languages

ToolsReachability



Wrappers














Pins2pins


Symbolic

Specification

PINS

PINS


Languages

ToolsReachability



Wrappers














Date post:	15-Jul-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Guard-based Partial-Order Reduction in...

Documents