Date post: | 13-Dec-2015 |
Category: |
Documents |
Upload: | clara-jordan |
View: | 212 times |
Download: | 0 times |
Memory-Efficient Algorithms for the Verification of Temporal Properties
C. CourcoubetisInst. Of Comp. Sci.FORTH, Crete, Greece
M. VerdiIBM Almaden
P. WolperUn. de Liege
M. YannakakisAT&T Bell Labs
Presented By: Prateem Mandal 4710-410-041-03374 [email protected]
Outline of the talk
• Introduction and previous work
• Formal Problem Definition
• Analysis and critique of previous approaches
• The Algorithms
• Questions and Answers
Introduction and previous work
• The paper addresses the problem of designing memory-efficient algorithms for verification of temporal properties of finite state programs modeled as Buchi Automata.
• Thus the problem is that of checking the emptiness of the automata.
• Allowing programs to err, the paper gives algorithm with memory access size of O(n) bits.
Previous work
• Reachability Analysis.• Theorem Prover.• Model Checking.
The problem of state space explosion was solved with the use of hashing (Holtzmann technique). This paper furthers the technique to find bad cycles as opposed to bad state in Holtzmann’s technique.
Formal Problem Definition
empty.-non is automata theofproduct theifCheck
.Aautomaton theof and P program theofproduct theTake
.P systemsn transitio theofP
computingby P program ofbehaviour global theCompute
.A isautomaton resulting The f. formula theof
negation for the wordsinfiniteon automaton finite a Build
f
i i
f
Formal Problem Definition contd..
states. designated ofset a is S F
and state, initialan is S s
,functionn transitionisticnondetermi a is ^2S :
states, ofset a is S
alphabet,an is
whereF),,s,S, ,(A tuplea isAutomaton Buchi
0
0
S
Formal Problem Definition contd..
).v,...,(vv
asuch that ieach for v v'-
and asuch that ieach for a),v(v'-
iff a)),v,..,((v)v',..,(v'by defined is
.components theof
actions of sets ofunion theis actions ofset the,
s.'P of spaces
state theofproduct cartesian is space state the,V v
where)V , ,(V,P is PP systemn transitioThe
0n010
iii
iii
n1n1
i
i
i
0i
Formal Problem Definition contd..
f. formula the violateand P of behaviours possible
are which runs all accepts APautomaton product The
FV states designated ofset and
s0)state(v0, initial
a)s1,(s2 and a)v1,( v2iff a)),1,1((s2)(v2,
by defined S)V(^2SV:function transition
SVset state
as computed is AP then F),s,S,,( ALet
. AP compute then A and P buildfirst we
fproperty logic temporala satisfies Pher check whet To
f
ff
ff
0
sv
Characterization of memory requirements
• Memory requirements have been characterized by considering the data structures used by the algorithm.
• They are of two types: randomly accessed and sequentially accessed.
• Hash table needs randomly accessed memory while stack or queue needs sequentially accessed memory.
Characterization of memory requirements contd..
• Bottleneck in performance of verification algorithms is related to amount of randomly accessed memory usage.
“Holtzmann observed that there is a tremendous speed-up for an algorithm implemented so that its randomly accessed memory requirements do not exceed the main memory available in the system(since sequentially accessed memory can be implemented in secondary storage)”
The Basic Method
• Holzmann considered how to perform reach ability analysis by using least amount of random memory access.
• The method is basically a DFS with marking of states by using a hashed m bit array.
• Since collision detection is avoided, there is a possibility that a state will be missed.
The Basic Method contd..
• The key assumption here is that one can choose a large enough value of m so that the collision events become arbitrary small.
• Holzmann claims that table size m=O(n) where n is the number of reachable states.
Analysis of the Basic Method
• Is the claim true?
• Let |U| be the namespace of the states where |U|>>n.
• If we consider the case of complete reach ability analysis the requirement is m=O(nlog |U|). Why?
Analysis of Basic Method contd..
• From probabilistic point of view the total possible mappings from set S={1,…,n} to states {1,…,m} are mn and number of possible one to one mappings are m!/(m-n)! Which for n<<m can be approximated by e-n2/m.
• Thus partial reach ability can be achieved in m=O(n log n) by first mapping n reachable states to set {1,…,m} with m=O(n2) and then do complete reachability by assuming namespace to be of size m.
Analysis of Basic Method contd..
• Holtzmann goes a step further and uses m=O(n). The assumption here is there exists a hashing function that can work in this constraint with arbitrarily small collision.
• This however is not supported by the above analysis.
• The above assumption can only hold if the hashing function exploits some particular structure of state space U. This assumption is not general enough to apply to algos finding strongly connected components.
The Algorithms
• S is a stack which stores the path from root to the present node.
• Q is a queue to hold the reachable members of F in post order.
• The above two data structures are sequential in nature therefore inconsequential to the analysis of the algorithm.
• M is a bit array indexed by hash values 1,…,m and is used for marking states.
Algorithm A: part 11. Initialize: S:=[s0], M:=0, Q:=null;
2. Loop:
while S != null do
begin
v:=top(S);
if M[h(w)]=1 for all w belonging to succ(v)
then begin
pop v from S;
if v belong to F insert v into Q;
end
else begin
let w be the first member of succ(v) with M[h(w)]=0;
M[h(w)]:=1;
push w into S;
end
end
Algorithm A: part 21. Initialize: S:=null, M:=0.2. Loop:
while Q=null dobegin:
f:=head(Q);remove f from Q;push f into S;while s != null do
beginv:=top(S);if f belongs to succ(v) then halt and return
“YES”;if M[h(w)]:=1 for all w belong to succ(v)
then pop v from Selse begin
let w be the first member of succ(v) with m[h(w)]=0;
M[h(w)]:=1;push w into S
endend
endend
Lemma 1: Let f1,…,fk be the members of Q after the first DFS, i.e., the members of F that are reachable from s0 in post order (f1 is the first member of F to be reached in post order, fk the last). If for some pair fi, fj with i<j there is a path from fi to fj then node fi belongs to a non trivial strongly connected component.
Proof of Lemma 1
• Suppose there is a path from fi to fj.
• If no node on this path was marked before fi, then the DFS would have reached fj from fi in the post order.
• Therefore some node p in the path was marked before fi.
• If p comes before fi in the post order then fj should come before fi in the post order.
• Since p was marked before fi but comes after fi in the post order, it must be an ancestor of fi.
• Thus fi can reach an ancestor and thus belongs to a non trivially strongly connected component.
Theorem 1: If the second DFS halts and returns “YES”, then some reachable node of F belongs to a non trivial strongly connected component. Conversely, suppose that some reachable node of F belongs to a non trivial strongly connected component, then the second DFS will return “YES”.
Proof of Theorem 1
• Suppose second DFS returns “YES” then it is building a tree with root fj and discovers a back edge to root fj, and therefore fj is in a cycle.
• For the converse let fj be the smallest indexed(j) reachable member of F that belongs to a non trivial strongly connected component.
• Consider a path p from fj to itself. If p is reachable from a fi with a smaller i then fi will also reach fj which by Lemma 1 contradicts the choice of fj.
• Thus no marked p exists when fj is pushed and thus back edge will be found eventually.
Algorithm B1. Initialize S1:=[s0], S2:=null, M1:=M2:=0.
2. While S1!=null dobegin
x:=top(S1);
if there is a y in succ(x) with M1[h(y)]=0then beginlet y be the first such number of succ(x);
M1[h(y)]:=1;
push y into S1;endelse begin
pop x from S1;if x belongs to F then begin
push x into S2;endendend
Algorithm B contd..
while S2!=null do begin
v:=top(S2);if x belongs to succ(v) then ret “YES”
if M2[h(w)]=1 for all w belong to succ(v)then pop v from S2
else beginlet w be the first member of
succ(v) with M2[h(w)]=0;
m2[h(w)]:=1;
push w into S2;end
endend
Algorithm B contd..• The above algorithm requires twice as much space as
algorithm A.• If an automaton is found to be non-empty an accepted
word can be extracted from stacks S1 and S2.• In verification terms if a protocol is incorrect, the
incorrect path can be reproduced.• Both the algorithms may err due to collisions which
means miss some error but will never proclaim a right protocol as wrong so they essentially behave like debuggers.
Questions and Answers