model checking
DESCRIPTION
Model Checking. basic concepts and techniques Sriram K. Rajamani. Sources: My MSR Model checking crash course from Fall 99 Tom Henzinger’s slides from his OSQ course. Model checking , narrowly interpreted : - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/1.jpg)
Model Checking
basic concepts and techniques
Sriram K. Rajamani
![Page 2: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/2.jpg)
Sources:
My MSR Model checking crash course from Fall 99
Tom Henzinger’s slides from his OSQ course
![Page 3: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/3.jpg)
Model checking, narrowly interpreted:
Decision procedures for checking if a given Kripke structure is a model for a given formula of a temporal logic.
![Page 4: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/4.jpg)
Why is this of interest to us?
Because the dynamics of a discrete system can be captured by a Kripke structure.
Because some dynamic properties of a discrete system can be stated in temporal logics.
Model checking = System verification
![Page 5: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/5.jpg)
Model checking, generously interpreted:
Algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).
![Page 6: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/6.jpg)
Part I: Models and Specifications
Part II: State explosion
Agenda
![Page 7: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/7.jpg)
S0
S1
S2 S3
Kripke StructureStates: valuations to a finite set
of variables
Initial states : subset of states
Arcs: transitions between states
Atomic Propositions: finite set of predicates over
variables
Observation (color):Valuation to all atomic
propositions at a state
![Page 8: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/8.jpg)
Kripke StructureM = W, I, R, L,
W : set of states (possibly infinite) I W : set of initial states R W X W : set of arcs L : set of atomic propositions
W 2L : mapping from states to subset of atomic propostions (colors)
![Page 9: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/9.jpg)
Three important decisions:
1 may vs. must: branching vs. linear time
2 prohibiting bad vs. desiring good behavior: safety vs. liveness
3 operational vs. declarative: automata vs. logic
Specification
![Page 10: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/10.jpg)
S0
S1
S2 S3
S0 S1 S2
Run
Trace
![Page 11: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/11.jpg)
S0
S1
S2 S3
S0
S1
S2 S3
Run-tree
Trace-tree
![Page 12: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/12.jpg)
Linear temporal logics (eg LTL) view a model as a set of traces
Branching temporal logics (eg CTL) view a model as a set of trace-trees
Branching Vs Linear
![Page 13: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/13.jpg)
S0
S3 S4
S1 S2
t2 t3
t1
t0
Same traces, different trace trees
![Page 14: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/14.jpg)
Linear time is conceptually simpler than branching time (words vs. trees).
Branching time is often computationally more efficient.
Branching “refinement” implies linear “refinement”
Expressive powers are incomparable
![Page 15: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/15.jpg)
Three important decisions:
1 may vs. must: branching vs. linear time
2 prohibiting bad vs. desiring good behavior: safety vs. liveness
3 operational vs. declarative: automata vs. logic
Specification
![Page 16: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/16.jpg)
Safety vs. liveness
Safety: something “bad” will never happen
Liveness: something “good” will happen (but we don’t know when)
![Page 17: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/17.jpg)
Example: Mutual exclusion
It cannot happen that both processes are in their critical sections simultaneously.
![Page 18: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/18.jpg)
Example: Mutual exclusion
It cannot happen that both processes are in their critical sections simultaneously.
Safety
![Page 19: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/19.jpg)
Example: Bounded overtaking
Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.
![Page 20: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/20.jpg)
Example: Bounded overtaking
Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.
Safety
![Page 21: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/21.jpg)
Whenever process P1 wants to enter the critical section, it enters it within 51 cycles
![Page 22: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/22.jpg)
Whenever process P1 wants to enter the critical section, it enters it within 51 cycles
Whenever process P1 wants to enter the critical section, it is not the case that 51 cycles pass without P1 entering the critical section
Safety
![Page 23: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/23.jpg)
Whenever process P1 wants to enter the critical section, it eventually enters it
Liveness
![Page 24: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/24.jpg)
Sequential programs
Safety corresponds to partial correctness
Liveness corresponds to termination
![Page 25: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/25.jpg)
The vast majority of properties to be verified are safety.
Safety Vs Liveness
![Page 26: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/26.jpg)
While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness.
Why liveness?
“Eventually, we are all dead!”
The answer is: abstraction and fairness
![Page 27: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/27.jpg)
Why liveness?
r1
r2
g1
g2
r1 r2
~r1~r2
F1 F2
G1 G2
If P1 requests and keeps requesting, it will be granted within 2 cycles
![Page 28: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/28.jpg)
Abstract view
r2
r1
g2
g1
r2r1
F
G1 G2
r1
r2
g1
g2
r1 r2
~r1~r2
F1 F2
G1 G2
Safety: If P1 requests and keeps requesting, it will be granted within 2 cycles
Liveness: If P1 requests and keeps requesting it will be eventually granted (Does this hold?)
![Page 29: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/29.jpg)
q1
q2
Fairness constraint:
the green transition cannot be ignored forever
q3
![Page 30: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/30.jpg)
Without fairness: infRuns = q1 (q3 q1)* (q2) (q1 q3)
With fairness: infRuns = q1 (q3 q1)* (q2)
q1
q2 q3
![Page 31: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/31.jpg)
Two important types of fairness
1 Weak (Buchi) fairness: a specified set of transitions cannot be enabled forever without being taken
2 Strong (Streett) fairness:a specified set of transitions cannot be enabled infinitely often without being
taken
![Page 32: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/32.jpg)
Fair Kripke Structure
M = W, I, R, L, , SF, WF
W : set of states (possibly infinite) I W : set of initial states R W X W : set of arcs L : set of atomic propositions
W 2L : labeling functionSF: set of strongly fair arcsWF: set of weakly fair arcs
![Page 33: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/33.jpg)
Model-Checking Algorithms for finite state Kripke structures = Graph Algorithms
![Page 34: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/34.jpg)
Automata theoretic approach to model checking
Does M satisfy property ?
Step 1: Build automaton A for negation of
Step 2: Construct product P = MxA
Step 3: Check if L(P) is empty
![Page 35: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/35.jpg)
1 Safety:
-algorithm: reachability (linear)
2 Response under weak fairness:
-algorithm: strongly connected components (linear)
3 Liveness:
-algorithm: recursively nested SCCs (quadratic)
![Page 36: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/36.jpg)
Logic Model checking complexity
Invariant |M|
CTL |M| * ||
LTL |M| * 2||
Modal -calculus ?
Refinement |M| * 2|S|
![Page 37: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/37.jpg)
Example: State MachineFor Locking
Unlocked Locked Error
U
L L
U
![Page 38: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/38.jpg)
Product Construction
…
Lock(&x);
If (x->foo) {
if (bar(x)) {
Unlock(&x);
return OK;
}
}
Unlock(&x)
…
![Page 39: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/39.jpg)
Product Construction
…
Lock(&x);
If (x->foo) {
if (bar(x)) {
Unlock(&x);
// return OK;
}
}
Unlock(&x)
…
![Page 40: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/40.jpg)
Part I: Models and Specifications
Part II: State explosion
Agenda
![Page 41: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/41.jpg)
Problem
State explosion :|M| is exponential in the syntactic
description of M
![Page 42: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/42.jpg)
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]– Symmetry reduction - [Murphi]– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]– Abstraction - [STeP, InVeSt,SLAM]
![Page 43: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/43.jpg)
Binary Decision Diagrams [Bryant]
Ordered decision tree for f = a b c d
0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0
d d d d d d d d
c c c c
0 1
0 1 0 1
0 1 0 1 0 1 0 1
b b
a
![Page 44: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/44.jpg)
OBDD reduction
a
b b
c c
d d
0 1
0
01
01
01
1
10
01
01
f = a b c d
![Page 45: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/45.jpg)
OBDD properties
Variable order strongly affects size
Canonical representation for a given order
Efficient apply algorithm– boolean operations on BDD’s is
easy– Can build BDD’s for large circuits
f
g O(|f| |g|)
fg
![Page 46: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/46.jpg)
Boolean quantification
• If v is a boolean variable, thenv.f = f |v =0 + f |v =1
Example: b,c). (ab +ce + b´d) = a + e d
• Complexity on BDD representation– worst case exponential– heuristically efficient
![Page 47: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/47.jpg)
Characterizing sets
• Let M be a model with boolean variables (v1,v2,…,vn)
• Represent any P {0,1}n by its characteristic function P
P = {(v1,v2,…,vn) : P}
Example:Variables = (x,y,z)P = { (0,0,1) , (0,1,0), (1,0,0), (1,1,1) }P = x + y + z
![Page 48: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/48.jpg)
Characterizing sets
• Represent characteristic function as BDD• Set operations can be now done as BDD
operations
= false S = true
PQ= P + Q PQ = P Q S\ P= P
![Page 49: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/49.jpg)
Transition Relations• Transition relation R is a set of state pairs
for all the arcs in the state machine– R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : R}
v1
v0
R = (v’0 = v0) (v’1 = v0 v1)
![Page 50: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/50.jpg)
Forward Image
})',( and , somefor :'{),(Image RPRP vvvvv
))',()((.)'(),(Image vvvvv RPRP
PR
Image(P,R)
![Page 51: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/51.jpg)
Reverse Image
})',( and ',' somefor :{),(Image-1 RPRP vvvvv
))',()'(('.)(),(Image vvvvv RPRP
PR
Image-1(P,R)
![Page 52: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/52.jpg)
Symbolic invariant checkingS := BDD for initial states
V := BDD for negation of invariantR := BDD for transition relationLoop
If ( S V) then print “failed” and exitI := Image( S, R)S’ := S IIf ( S = S’) then print “passed” and exit
End
![Page 53: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/53.jpg)
BDDs
Big breakthrough in hardware • McMillan’s thesis won the ACM thesis award• Intel, IBM, Motorola all have BDD based model
checkers, and large “formal verification” teams based on them.
BDDs compactly represent transition relations• Can prove that if the circuit has “bounded”
communication,then transition relation is small• Images and Reachable sets tend to blowup
![Page 54: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/54.jpg)
BDDs
Images and reachable sets blow up often
Subject of intense investigation (PhD theses on how to compute images without BDDs
blowing up)
Alphabetical soup of variations: ADDs to ZDDs
Work upto ~100 variables , don’t really scale to thousands of variables
Provide good “bootstrap” for compositional methods
![Page 55: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/55.jpg)
Infinite state model checking
S := constraint for initial statesV := constraint for negation of invariantR := constraint for transition relationLoop
If ( S V) then print “failed” and exitI := Image( S, R)S’ := S IIf ( S = S’) then print “passed” and exit
End
![Page 56: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/56.jpg)
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]– Symmetry reduction - [Murphi]– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]– Abstraction - [STeP, InVeSt,SLAM]
![Page 57: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/57.jpg)
Symmetry Reductions
Idea: If state space is symmetric, explore only a symmetric “quotient” of the state space
Let us define “quotient” first… (also useful in abstractions)
![Page 58: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/58.jpg)
Recall our modelM = W, I, R, L,
W : set of states I W : set of initial states R W X W : set of arcs L : set of atomic propositions
W 2L : mapping from states to colors
Usually we fix the colors and say: M = W, I, R,
![Page 59: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/59.jpg)
Quotient M = W, I, R,
Let be an equivalence relation on W. Assume: s t (s) = (t)
s I iff t I Quotient: M’ = W’, I’, R’, ’
– W’ = W / I’ = I / – R’ ([s] ,[t]) whenever R(s,t) ’([s]) = (s)
![Page 60: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/60.jpg)
Abstract search Suppose we want to check an invariant: Does M satisfy ? Instead check: Does M’ satisfy ?
This is sound but not complete. (Why?)
![Page 61: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/61.jpg)
Stable equivalences Equivalence is called stable if:
R ( x, y) for every s in [x] there exists some t in [y] such that R (s,t)
Claim: Suppose is called stable, then:M satisifies iff M’ satisfy
Sound and complete! (Why?)
![Page 62: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/62.jpg)
Automorphisms
0,0
1,1
0,1
1,0
A permutation function f : W W is an
automorphism if:
1. x f(x) for all x2. R( x, z) R( f(x), f(z))
![Page 63: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/63.jpg)
Automorphisms
f: f(0,0) = 1,1 f(1,1) = 0,0
f(0,1) = 0,1 f(1,0) = 1,0
g: g(0,0) = 0,0 g(1,1) = 1,1 g(0,1) = 1,0 g(1,0) = 0,1
A = { f, g, f g, I}
The set of all automorphisms forms a group!
0,0
1,1
0,1
1,0
![Page 64: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/64.jpg)
AutomorphismsLet x y
if there is some automorphism f such that f(x) = y
The equivalence classes of are called orbits
Claim 1: is an equivalence
Claim 2: is stable
![Page 65: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/65.jpg)
Orbits
[ (0,0), (1,1) ] [ (0,1), (1,0) ]
0,0
1,1
0,1
1,0
![Page 66: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/66.jpg)
Symmetry reduction
[ (0,0),(1,1) ]
[ (0,1), (1,0) ]
Map each state to its representative in the orbit
![Page 67: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/67.jpg)
Symmetry reduction
Step 1: Analyze the system statically and come up with a function that maps each state to its representative
Step 2: When exploring the states, store and explore the representatives!
![Page 68: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/68.jpg)
Symmetry reduction
Difficulty:Computing the function (which maps states to representatives) is hard!
Solutions:• Be satisfied with multiple
representatives for each orbit• Ask user to tell you where the symmetries
are
![Page 69: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/69.jpg)
Symmetry reduction
• Implemented in Mur
• Similar ideas have also impacted Nitpick
![Page 70: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/70.jpg)
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]– Symmetry reduction - [Murphi]– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]– Abstraction - [STeP, InVeSt,SLAM]
![Page 71: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/71.jpg)
Partial Order Methods
Protocols are usually modeled as an asynchronous composition of processes (interleaving model)
Partial order reduction explores only a portion of the state space
You can still prove properties about the entire state space
![Page 72: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/72.jpg)
S0
S1
S2 S3
Actions • An action is a guarded
command• Nondeterminism arises
because any of the enabled actions could be scheduled next!
• Can label state machine transitions with action names
![Page 73: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/73.jpg)
Independent Actions
S0
S1
S2 S3
Actions and are independent if:
1. Neither action enables or disables the other
2. If both and are enabled, then they commute
![Page 74: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/74.jpg)
Partial Order Methods
Key idea:
If actions {} are independent then:
Need to explore only one!But there are some caveats..
![Page 75: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/75.jpg)
Parital Order Equivalence
Two action sequences A and B are partial-order-equivalent if:
A can be transformed to B by swapping adjacent independent actions
Need to explore only one representative in each equivalence class!
![Page 76: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/76.jpg)
Partial Order Methods
Offer good reductions in asynchronous protocols:• Exponential reductions in “artificial”
examples• 5-10 times faster in “real” examples
Implemented in SPIN
Also implemented in Verisoft (we will revisit this later!)
![Page 77: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/77.jpg)
Example
integer x, y; boolean bomb;Init
true x := 0; y := 0; bomb := falseUpdate : ( x < 10) & ! bomb x := x+1
: ( y < 10) & ! bomb y := y+1 : ( x = 3) & ( y = 3) & ! bomb
bomb := true
![Page 78: Model Checking](https://reader035.vdocument.in/reader035/viewer/2022062520/5681572c550346895dc4c862/html5/thumbnails/78.jpg)
0,0
1,0
2,0
3,0
4,0
0,1
1,1
2,1
3,1
4,1
0,2
1,2
2,2
3,2
4,2
0,3
1,3
2,3
3,3
4,3