
Scalable Multi-core Model Checking: Technology & Applications of - PowerPoint PPT Presentation



  1. UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II: Liveness & Timed Systems Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg

  2. ... Multi-core LTL model checking | Interim Evaluation: Exhaustive Brute Force | Timed Automata ...
     Table of Contents
     1 Multi-core LTL model checking
       Büchi automata for LTL model checking
       Nested Depth First Search
       Parallel Nested Depth First Search
     2 Interim Evaluation: Exhaustive Brute Force
     3 Timed Automata: subsumption of symbolic states
       Timed Büchi automata and subsumption
       Multi-core Implementation of Reachability
       LTL model checking with subsumption
     UNIVERSITY OF TWENTE. Multi-core Model Checking 30, 31 October 2014 2 / 45

  3. Recall LTL
     LTL formulae are built using temporal operators; φ and ψ are formulae, interpreted over infinite paths
     ◮ X φ: φ holds in the next state in this path (neXt)
     ◮ F φ: φ holds somewhere in this path (Future)
     ◮ G φ: φ holds everywhere on this path (Global)
     ◮ φ U ψ: ψ holds somewhere on this path, and φ holds in all preceding states (Until)
     ◮ φ R ψ: ψ holds as long as φ did not hold before (Releases)
     φ ::= p | ¬φ | φ ∧ φ | φ ∨ φ | X φ | F φ | G φ | φ U φ | φ R φ
     Sufficient basis for LTL: φ ::= p | ¬φ | φ ∧ φ | X φ | φ U φ
     φ ∨ ψ = ¬(¬φ ∧ ¬ψ)     G φ = ¬F ¬φ     φ R ψ = ¬(¬φ U ¬ψ)

  4. Kripke Structures and Paths
     Kripke Structures (just labeled graphs)
     A Kripke structure is a tuple M = (S, S₀, R, AP, L), where
     ◮ S is a set of states
     ◮ S₀ ⊆ S is the set of initial states
     ◮ R ⊆ S × S is a (total) transition relation on S
     ◮ AP is a set of atomic proposition labels
     ◮ L : S → P(AP) assigns to each state a set of labels
     Infinite Paths (just sequences of connected states)
     ◮ A path π in M is an infinite sequence (s₀, s₁, s₂, ...) through the Kripke structure M, so ∀i. sᵢ R sᵢ₊₁
     ◮ Notation: π ∈ path(s) if π starts with s (i.e.: s₀ = s)
     ◮ Notation: πⁱ is the suffix from i, i.e.: (sᵢ, sᵢ₊₁, ...)

  5. Formal CTL* semantics: M, s₀ ⊨ φ
     Semantics of Path Formulas (given path π)
     π ⊨ φ      ⇔  π(0) ⊨ φ, if φ is a state formula
     π ⊨ X φ    ⇔  π¹ ⊨ φ
     π ⊨ F φ    ⇔  for some i ≥ 0, πⁱ ⊨ φ
     π ⊨ G φ    ⇔  for all i ≥ 0, πⁱ ⊨ φ
     π ⊨ φ U ψ  ⇔  ∃i ≥ 0. πⁱ ⊨ ψ ∧ ∀j < i. πʲ ⊨ φ
     π ⊨ φ R ψ  ⇔  ∀j ≥ 0. (∀i < j. πⁱ ⊭ φ) ⇒ πʲ ⊨ ψ
     Some examples of LTL properties
     ◮ Every request will be acknowledged: G(req ⇒ req U ack)
     ◮ G F p: p happens infinitely often
     ◮ F G p: p is nearly always true
     ◮ Note duality: ¬G F p ⇔ F G ¬p
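The path-formula semantics above can be executed directly on a finitely represented infinite path (a lasso: a finite prefix followed by a loop repeated forever), because every suffix πⁱ of a lasso is one of finitely many. The following is an added example, not code from the slides or from the LTSmin project; the tuple encoding of formulas, the `Lasso` class and the sample paths are assumptions made here. It evaluates all five operators of slide 3, checks the duality ¬G F p ⇔ F G ¬p and the identity φ R ψ = ¬(¬φ U ¬ψ), and evaluates the request/acknowledge property G(req ⇒ req U ack) written with the sufficient basis (¬, ∧, X, U).

```python
class Lasso:
    """A finitely represented infinite path π = prefix · loop^ω (constructed example).
    Every position carries the set of atomic propositions that hold there, L(sᵢ)."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty: the path has to be infinite")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def labels(self, i):
        """Labels of position i; positions past the prefix wrap around the loop."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    @property
    def horizon(self):
        """Positions i .. i+horizon-1 contain every distinct suffix of πⁱ, so a
        quantifier over 'all j ≥ i' only has to range over this window."""
        return len(self.prefix) + len(self.loop)


def holds(path, phi, i=0):
    """πⁱ ⊨ φ, following the path-formula semantics of slide 5.
    Formulas are nested tuples (assumed encoding): ("p", name), ("not", f),
    ("and", f, g), ("or", f, g), ("X", f), ("F", f), ("G", f), ("U", f, g), ("R", f, g)."""
    op = phi[0]
    window = range(i, i + path.horizon)
    if op == "p":
        return phi[1] in path.labels(i)
    if op == "not":
        return not holds(path, phi[1], i)
    if op == "and":
        return holds(path, phi[1], i) and holds(path, phi[2], i)
    if op == "or":
        return holds(path, phi[1], i) or holds(path, phi[2], i)
    if op == "X":                                  # π¹ ⊨ φ, shifted to position i
        return holds(path, phi[1], i + 1)
    if op == "F":                                  # for some j ≥ i, πʲ ⊨ φ
        return any(holds(path, phi[1], j) for j in window)
    if op == "G":                                  # for all j ≥ i, πʲ ⊨ φ
        return all(holds(path, phi[1], j) for j in window)
    if op == "U":                                  # ∃j. πʲ ⊨ ψ ∧ ∀k<j. πᵏ ⊨ φ
        for j in window:
            if holds(path, phi[2], j):
                return True
            if not holds(path, phi[1], j):
                return False
        return False
    if op == "R":                                  # ∀j. (∀k<j. πᵏ ⊭ φ) ⇒ πʲ ⊨ ψ
        for j in window:
            if not holds(path, phi[2], j):
                return False
            if holds(path, phi[1], j):
                return True                        # φ releases ψ from here on
        return True
    raise ValueError(f"unknown operator {op!r}")


P = ("p", "p")
REQ, ACK = ("p", "req"), ("p", "ack")
# G(req ⇒ req U ack), with ⇒ expressed through the sufficient basis: a ⇒ b = ¬(a ∧ ¬b)
REQ_ACK = ("G", ("not", ("and", REQ, ("not", ("U", REQ, ACK)))))


def duality_agrees(path):
    """Checks the duality ¬G F p ⇔ F G ¬p from slide 5 on one path."""
    return holds(path, ("not", ("G", ("F", P)))) == holds(path, ("F", ("G", ("not", P))))


def release_is_dual_of_until(path, phi, psi):
    """Checks φ R ψ = ¬(¬φ U ¬ψ) from slide 3 on one path."""
    lhs = holds(path, ("R", phi, psi))
    rhs = holds(path, ("not", ("U", ("not", phi), ("not", psi))))
    return lhs == rhs


if __name__ == "__main__":
    acked = Lasso([{"req"}, {"req"}, {"ack"}], [set()])   # constructed sample paths
    never_acked = Lasso([{"req"}], [set()])
    print("acked   ⊨ G(req ⇒ req U ack):", holds(acked, REQ_ACK))
    print("unacked ⊨ G(req ⇒ req U ack):", holds(never_acked, REQ_ACK))
```

The `horizon` window is what makes the unbounded quantifiers decidable: a suffix of a lasso starting inside the loop repeats with the loop's period, so checking `horizon` consecutive positions from `i` visits every distinct suffix. Model checkers do not evaluate single paths this way; the slides instead compile ¬φ into a Büchi automaton and search the product for accepting cycles, but the semantics this evaluator implements is what that construction must preserve.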

  6. Basic Automata Theoretic Approach
     Automata Theoretic Approach
     ◮ Kripke Structure M (system); LTL formula φ (requirement)
     ◮ Construct an automaton A that recognizes violations of φ.
     ◮ In other words: A accepts a word π ⇔ π ⊨ ¬φ
     ◮ M ⊨ φ iff L(M) ⊆ L(φ) iff M × A accepts ∅
     ◮ Problem: How to deal with infinite words?
     Büchi automata for accepting infinite words
     ◮ Just like a normal automaton (NFA), with accepting states
     ◮ Accept words that hit an accepting state infinitely often

  7. Examples of Büchi automata (figures; only their titles and edge labels survived extraction)
     almost always: F G p
     infinitely often: G F p
     infinitely often with guarantee: G(q U p)
     (edge labels from the figures: ¬p, p; q, ¬p, p, ¬q, ¬p)

  8. Model Checking by Accepting Cycles
     LTL Model Checking
     ◮ A buggy run in a system can be viewed as an infinite word
     ◮ Absence of bugs: emptiness of some Büchi automaton
     ◮ S ⊆ P iff S ∩ ¬P = ∅ iff S × ¬P has no accepting cycle
     ◮ Graph problem: find a reachable accepting state on a cycle
     ◮ Basic algorithm: Nested Depth First Search (NDFS)
     Properties of NDFS (figure: a small graph annotated with its DFS post-order numbers)
     ◮ NDFS runs in linear time
     ◮ Inherently depends on post-order
     ◮ Post-order is P-complete [Reif'85]
     ◮ Not parallelizable (unless P=NC)

  9. Recall: Nested Depth First Search [CVWY'92] [Holzmann'92]
     ◮ Blue search: explore graph in DFS order
       ◮ states on the blue search stack are cyan
       ◮ on backtracking from an accepting state:
     ◮ Red search: find an accepting cycle
       ◮ exit as soon as the cyan stack is reached
     ◮ Linear time, depends on post-order
     Blue search:
       procedure dfsBlue(s)
         add s to Cyan
         for all successors t of s do
           if t ∉ Blue ∪ Cyan then
             dfsBlue(t)
         if s is accepting then
           dfsRed(s)
         move s from Cyan to Blue
     Red search:
       procedure dfsRed(s)
         add s to Red
         for all successors t of s do
           if t ∈ Cyan then
             Exit: cycle detected
           if t ∉ Red then
             dfsRed(t)

  10. Table of Contents (section divider; same outline as slide 2)

  11. Simple idea: Swarmed Nested Depth First Search
      Laarman, Langerak, van de Pol, Wijs [ATVA'11]
      Multi-core Swarmed NDFS
      ◮ W workers perform independent random NDFS
      ◮ Visited states are stored in a shared hashtable
      ◮ All workers use their own set of colors (2W bits per state)
      ◮ Speeds up bug hunting only
      Blue search:
        procedure dfsBlue(s, i)
          add s to Cyan[i]
          for all successors t of s do
            if t ∉ Blue[i] ∪ Cyan[i] then
              dfsBlue(t, i)
          if s is accepting then
            dfsRed(s, i)
          move s from Cyan[i] to Blue[i]
      Red search:
        procedure dfsRed(s, i)
          add s to Red[i]
          for all successors t of s do
            if t ∈ Cyan[i] then
              Exit: cycle detected
            if t ∉ Red[i] then
              dfsRed(t, i)
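The pipeline of slides 8, 9 and 11 (product of a Kripke structure with a Büchi automaton for ¬φ, sequential NDFS over that product, and a swarm of independent randomised NDFS workers) as one added example. This is not code from the slides or from the LTSmin tool; the Kripke structures, the hand-built Büchi automaton for F G ¬p (the "almost always" automaton of slide 7, used here as the negation of G F p), and the use of per-worker Python sets instead of a shared hashtable with 2W colour bits per state are all assumptions made for the example.

```python
import random
import threading

# --- Constructed inputs (assumed examples, not from the slides) ---------------
# Kripke structure M: state -> (set of atomic propositions, list of successors).
BAD_KRIPKE = {
    "s0": ({"p"}, ["s1", "s2"]),
    "s1": ({"p"}, ["s0"]),
    "s2": (set(), ["s2"]),      # once in s2, p never holds again: violates G F p
}
GOOD_KRIPKE = {
    "s0": ({"p"}, ["s1"]),
    "s1": (set(), ["s0"]),      # p holds on every second state: G F p holds
}


# Büchi automaton A for ¬(G F p) = F G ¬p.  q0 is non-accepting and loops on any
# label; when it reads a ¬p label it may also guess "¬p from now on" and move to
# q1, which is accepting and loops only while ¬p holds.  A reads the label of the
# state that M is leaving (assumed convention for the product).
def buchi_successors(q, labels):
    if q == "q0":
        return ["q0", "q1"] if "p" not in labels else ["q0"]
    return ["q1"] if "p" not in labels else []


def product(kripke):
    """M × A as (initial product state, successor function, acceptance predicate)."""
    def successors(state):
        s, q = state
        labels, succs = kripke[s]
        return [(t, q2) for t in succs for q2 in buchi_successors(q, labels)]
    return ("s0", "q0"), successors, (lambda state: state[1] == "q1")


class CycleFound(Exception):
    """Raised by the red search when it closes a cycle through the cyan stack."""


def ndfs(init, successors, accepting, rng=None, stop=None):
    """Nested DFS as on slide 9.  Returns True iff a reachable accepting cycle exists.
    rng (optional) randomises successor order, as a swarm worker does; stop
    (optional) is a threading.Event letting a worker quit once another worker
    has already reported a cycle.  Colour sets are private to this call."""
    cyan, blue, red = set(), set(), set()

    def succ(s):
        out = list(successors(s))
        if rng is not None:
            rng.shuffle(out)
        return out

    def dfs_red(s):
        red.add(s)
        for t in succ(s):
            if t in cyan:
                raise CycleFound()          # t is on the blue stack: accepting cycle
            if t not in red:
                dfs_red(t)

    def dfs_blue(s):
        if stop is not None and stop.is_set():
            return
        cyan.add(s)
        for t in succ(s):
            if t not in blue and t not in cyan:
                dfs_blue(t)
        if accepting(s):
            dfs_red(s)                      # nested search starts on backtracking (post-order)
        cyan.remove(s)
        blue.add(s)

    try:
        dfs_blue(init)
    except CycleFound:
        return True
    return False


def swarmed_ndfs(kripke, workers=4, seed=0):
    """Slide 11: W independent NDFS instances with private colours and random
    successor order; the first worker to find an accepting cycle stops the rest."""
    init, successors, accepting = product(kripke)
    stop = threading.Event()
    results = [False] * workers

    def run(i):
        results[i] = ndfs(init, successors, accepting, random.Random(seed + i), stop)
        if results[i]:
            stop.set()

    threads = [threading.Thread(target=run, args=(i,)) for i in range(workers)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return any(results)


def check_gfp(kripke):
    """M ⊨ G F p  iff  M × A has no accepting cycle (slide 8)."""
    return not ndfs(*product(kripke))
```

Because every swarm worker runs a complete, independently correct NDFS, the swarm's verdict does not depend on thread interleaving; what does depend on it is how quickly a counterexample turns up, which is exactly the "speeds up bug hunting only" remark on slide 11. Sharing Blue and Red between workers, as on slide 12, would let workers skip regions finished by others, but it breaks the post-order assumption that makes the red search sound, which is why that variant needs the additional synchronisation the slide alludes to.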

  12. Multi-core Nested Depth First Search
      Laarman, van de Pol, ... [ATVA'11] [PDMC'11]; Evangelista, L, vdP [ATVA'12]
      Multi-core NDFS (several variations)
      ◮ Collaboration between NDFS workers
      ◮ Share red and/or blue globally
      ◮ Workers backtrack on parts finished by others
      ◮ Correctness: Complicated to restore post-order
      ◮ Performance: Reasonable scalability
      Blue search:
        procedure dfsBlue(s, i)
          add s to Cyan[i]
          for all successors t of s do
            if t ∉ Blue ∪ Cyan[i] then
              dfsBlue(t, i)
          if s is accepting then
            dfsRed(s, i)
          move s from Cyan[i] to Blue
      Red search:
        procedure dfsRed(s, i)
          add s to Red
          for all successors t of s do
            if t ∈ Cyan[i] then
              Exit: cycle detected
            if t ∉ Red then
              dfsRed(t, i)
