local state space construction for compositional verification of...

Local State Space Construction forCompositional Verification of Concurrent

Systems

Hao Zheng

Department of Computer Science and EngineeringUniversity of South Florida

H. Zheng (CSE USF) Local State Space Construction for Compositional Verification of Concurrent Systems1 / 19

Introduction

• Scope: model checking of finite state concurrent systems.• Asynchronous.• Communication via shared variables.• Applications: communication protocols, multi-thread programs,

• To present a local state space construction approach.• As a key part of a methodology for scalable model checking of

finite state concurrent systems.• To addressing state explosion due to the interleavings of

concurrent executions.• For local safety verification.• To helping partial order reduction to be more effective in global

state space.


Overview of the MethodologyParallel composition of communicating processes

M1‖ . . . ‖Mn |= ϕ

Local State SpaceConstruction & Verification

Local state transition modelsG1, . . . , Gn

Is ϕ verified?TerminateYes

Behavioral Analysis

Transition Dependence Relation

Global State Space Searchwith Partial Order Reduction

No



M1‖ . . . ‖Mn |= ϕ



Is ϕ verified?

TerminateYes

Behavioral Analysis



No



M1‖ . . . ‖Mn |= ϕ



Is ϕ verified?TerminateYes

Behavioral Analysis



No


Outline

• Background

• Local state space construction: previous work• The thread-modular approach

• Local state space construction: an improvement• Synchronized local state space search

• Experimental results

• Discussions and conclusions


Background


High Level Description: A Simple Example

M1 = (V1, q0, A1);V1 = {l1, x, z};q0 = (l1 = 0, x = 0, z = 0);A1 = {α1, α2, α3, α4};

whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);

M2 = (V2, p0, A2);V2 = {l2, x, y};p0 = (l2 = 0, x = 0, y = 0);A2 = {β1, β2};

whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)

M3 = (V3, s0, A3);V3 = {l3, x, y};s0 = (l3 = 0, x = 0, y = 0);A3 = {γ1, γ2};

whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

ProcessesVariable declarationsLocal initial statesAction sets

Guard

Assignments




whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);


whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)


whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

Processes

Variable declarationsLocal initial statesAction sets

Guard

Assignments




whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);


whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)


whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

Processes

Variable declarations

Local initial statesAction sets

Guard

Assignments




whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);


whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)


whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

ProcessesVariable declarations

Local initial states

Action sets

Guard

Assignments




whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);


whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)


whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

ProcessesVariable declarationsLocal initial states

Action sets

Guard

Assignments




whereα1 = (l1 = 0 ∧ x > 0,

z := x+ 1; l1 := 1);α2 = (l1 = 1,

x := 0; l1 := 2);α3 = (l1 = 2 ∧ x > 0,

z := z ∗ x; l1 := 3);α4 = (l1 = 3,

x := 0; z := 0; l1 := 0);


whereβ1 = (l2 = 0 ∧ y = 0,

x := 2; l2 := 1);β2 = (l2 = 1 ∧ x = 0,

y := 1; l2 := 0)


whereγ1 = (l3 = 0 ∧ y = 1,

x := 3; l3 := 1);γ2 = (l3 = 1 ∧ x = 0,

y := 0; l3 := 0)

ProcessesVariable declarationsLocal initial statesAction sets

Guard

Assignments


State Graphs

q0

q1

q2

q3

q4

q5

p0

p1

p2

p3

s0

s1

s2

s3

s4

s5

p4

p5

States labeledw.variable

assignments

LocaltransitionsExternal

transitions


State Graphs

q0

q1

q2

q3

q4

q5

p0

p1

p2

p3

s0

s1

s2

s3

s4

s5

p4

p5

States labeledw.variable

assignments

Localtransitions

Externaltransitions


Local State Graph ConstructionThe Thread Modular Model Checking Approach

Parallel composition of communicating processesM1‖ . . . ‖Mn |= ϕ


Local state graphsG1, . . . , Gn


Thread Modular Model Checking (TMMC)

• Each process is verified locally with a derived environmentcapturing all possible interactions with its neighbors.

• For each process, its environment is derived from the guaranteesof its neighbors.

• The guarantee of a process P is a set of state transitions on theshared variables resulting from executions of process P .

∀ Process Pi, fix its env. Ei = ∅

∀ Process Pi, compute its guarantee gi wrt Ei

∃gi st gi is extended?

∀ Process Pi, update its env. Ei = ∪i 6=jgj

Terminate.No

Yes


TMMC: Illustration

G1 [l1, x, z] G2 [l2, x, y] G3 [l3, x, y]

0, 0, 0

0, 2, 0

β 1

1, 2, 3

2, 0, 3

α1

α2α2

2, 3, 32, 2, 3

3, 3, 9

0, 3, 0

1, 3, 4

2, 0, 4β1

γ1

α3

γ1

α1

α2

0, 0, 0

1, 2, 0

β1

1, 2, 0

β1

1, 0, 0

α2

0, 0, 1

β2

0, 3, 1

γ1

0, 0, 0

0, 2, 0

β1

0, 0, 0

α2

0, 0, 1

β2

1, 3, 1

γ1


TMMC: Illustration

G1 [l1, x, z] G2 [l2, x, y] G3 [l3, x, y]

0, 0, 0

0, 2, 0β 1

1, 2, 3

2, 0, 3

α1

α2α2

2, 3, 32, 2, 3

3, 3, 9

0, 3, 0

1, 3, 4

2, 0, 4β1

γ1

α3

γ1

α1

α2

0, 0, 0

1, 2, 0

β1

1, 2, 0

β1

1, 0, 0

α2

0, 0, 1

β2

0, 3, 1

γ1

0, 0, 0

0, 2, 0

β1

0, 0, 0

α2

0, 0, 1

β2

1, 3, 1

γ1


TMMC: Illustration

G1 [l1, x, z] G2 [l2, x, y] G3 [l3, x, y]

0, 0, 0

0, 2, 0β 1

1, 2, 3

2, 0, 3

α1

α2

α2

2, 3, 32, 2, 3

3, 3, 9

0, 3, 0

1, 3, 4

2, 0, 4β1

γ1

α3

γ1

α1

α2

0, 0, 0

1, 2, 0

β1

1, 2, 0

β1

1, 0, 0

α2

0, 0, 1

β2

0, 3, 1

γ1

0, 0, 0

0, 2, 0

β1

0, 0, 0

α2

0, 0, 1

β2

1, 3, 1

γ1


TMMC: Weakness

G1 [l1, x, z] G2 [l2, x, y] G3 [l3, x, y]

0, 0, 0

0, 2, 0β 1

1, 2, 3

2, 0, 3

α1

α2

2, 3, 32, 2, 3

3, 3, 9

0, 3, 0

1, 3, 4

2, 0, 4

β1 γ1

α3

γ1

α1

α2

0, 0, 0

1, 2, 0

β1

1, 0, 0

α2

0, 0, 1

β2

0, 3, 1

γ1

0, 0, 0

0, 2, 0

β1

0, 0, 0

α2

0, 0, 1

β2

1, 3, 1

γ1


Improved Local State Graph ConstructionThe Synchronized Local State Space Search Approach

Parallel composition of communicating processesM1‖ . . . ‖Mn |= ϕ


Local state graphsG1, . . . , Gn


Local State Space Search (LS3)

• Construct local state graphs by searching joint state space ofcommunicating processes.• Extend the local SGs resulting from interactions among processes.• Avoiding adding external transitions in wrong states.

Algorithm

∀ Process Pi, initialize Gi with initi

∀ Processes Pi and Pj, search their joint state space Gij

Extend Gi and Gj wrt Gij

∃ Process Pi st Gi extended with new transitions?

Terminate.

No

Yes


LS3: Illustration

localSearch() G1 G2 G3

M1,M2

q0, p0

q1, p1

q2, p1

q3, p2

q3, p3

β1

α1

α2

β2

M2,M3

p0, s0

p1, s1

β1

M1,M3

q0, s0

q1, s1

q2, s1

q3, s2

β1

α1

α2

q0

q1

q2

q3

β1

α1

α2

p0

p1

p2

p3

β1

α2

β2

s0

s1

β1

s2

α2


LS3: Illustration: Final ResultsG1 G2 G3

q0

q1

q2

q3

q4

q5

β1

α1

α2

γ1

α3

α4

q0

p1

p2

p3

p4

p5

β1

α2

β2

γ1

α4

γ2

s0

s1

s2

s3

s4

s5

β1

α2

β2

γ1

α4

γ2


Experiment 1

• Experimented on small examples to show that LS3 is capable ofavoiding extra states added into local SGs.

phil peterson.3 syzmanski.4

Mono (9, 9, 9, 9) (2627, 2421, 2745) (4311, 4415, 4383, 4352)TMMC (16, 16, 16, 16) (2997, 2952, 2952) (5875, 6125, 6250, 6375)LS3 (9, 9, 9, 9) (2627, 2421, 2745) (5201, 5453, 5598, 5755)

Mono: construct local SGs while searching the global state space ofthe whole system.

• A special case of LS3 applied to all processes.

• Used as the baseline to compare the results from TMMC and LS3.


Experiment 2

Method Time Mem State counts of local state graphs

brpTMMC 2.7 174 (5600∗, 2226∗, 351694∗, 295∗, 84, 30)LS3 9.8 214 (1368, 1496, 25091, 77, 35, 14)

iprotocolTMMC 8.8 408 (19, 1256∗, 53, 18104∗, 110627∗, 283444∗)LS3 10.1 68 (19, 230, 29, 2647, 3656, 23747)

lamportTMMC 15.9 106 (9344∗, 9344∗, 9344∗, 9344∗, 9344∗)LS3 24.8 143 (8800, 8800, 8800, 8800, 8800)

lannTMMC 1.3 15 (250, 250, 250, 250, 566, 560, 561, 412)LS3 4.3 33 (250, 248, 248, 248, 566, 554, 555, 408)

peterson.4TMMC TO − (124535∗, 104922∗, 104088∗, 103319∗)LS3 10.9 88.5 (13573, 12993, 12869, 12801)

syzmanski.5TMMC 59.4 198 (35000∗, 36250∗, 36875∗, 37500∗, 38125∗)LS3 59.1 211 (30684∗, 31934∗, 32659∗, 33444∗, 34265∗)


Discussions & Conclusions

• Presented an improved local state space construction methodLS3.• A key part of a methodology to address the state explosion

problem due to interleavings of concurrent executions.

• LS3 can produce local SGs with less unreachable states.

• LS3 may incur noticeable time/mem. overhead.• Need to balance between size & accuracy of local SGs and cost of

time & memory.

• Good target applications are loosely coupled systems.

• Future work:• Improve the LS3 method further.• Combine TMMC and LS3 for their advantages.


Thank you

and

Questions?


local state space construction for compositional verification of...

Documents