"Combining symmetry reduction and under-approximation for symbolic model checking" by Sharon Barner and Orna Grumberg
CAV 2002 conference, and "Formal Methods in System Design" 2005 journal
Presented by: Guy Hefetz, 03/04/2012


Outline
- Building the Invariance Group
- On-the-fly algorithm using under-approximation
- On-the-fly algorithm using hints
- Extensions for liveness formulas
- Alternative method to avoid orbit relation calculation
- Experimental results

Motivation
Previous algorithms that use symmetry have some disadvantages:
- The user has to supply the invariance group for each formula.
- Once the invariance group is known, calculating the orbit relation is expensive both in time and in space.
The paper suggests methods and algorithms that avoid these disadvantages.

Building the Invariance Group

Symmetry (Automorphism)
Let M = (S, R, L, S0) be a Kripke structure.
A permutation σ of S is an automorphism of M iff σ preserves the transition relation R and the set of initial states S0. Formally, σ should satisfy the following:
  σ(S0) = S0, and for all s, s' ∈ S: (s, s') ∈ R iff (σ(s), σ(s')) ∈ R.
[Figure (slide 3): a permutation σ drawn on the states s0, s1, s2, s3]

Symmetry Group
[Figure (slide 4): a symmetry group of M on the states s0..s3; the drawn permutation maps s0, s1, s2, s3 to s0, s2, s1, s3]

Invariance group
A symmetry group G of a Kripke structure M = (S, R, L) is an invariance group with respect to a set of boolean formulas BS iff
  for all σ ∈ G, all s ∈ S and all φ ∈ BS: s ⊨ φ iff σ(s) ⊨ φ.
[Table (slide 5): the labelling L(s) of s0..s3 over the atoms p, q]
For G = <σ> with σ as in the figure above: G is a symmetry group of M; G is an invariance group w.r.t. BS1 = {p} but is not an invariance group w.r.t. BS2 = {q}.

Previous algorithms
- The user had to supply the invariance group.
- In many cases two formulas evaluated on the same model require different invariance groups. For example:
    AGAF( p1_in_critical)
    AG( (p1_in_critical p2_in_critical) )
  AGAF( p1_in_critical) breaks the symmetry between p1 and p2.

Building the Invariance Group
- The user has to supply only a symmetry group. The algorithm automatically generates the invariance group for each input formula.
- Providing a symmetry group often requires only a high-level understanding of the system.

Lemma
Given: σ1, σ2, ..., σk, the generators of a symmetry group G of M, and a formula φ. Let MAX be the set of maximal boolean subformulas of φ. Each φ' ∈ MAX is identified with the set of all states that satisfy it, and σi(φ') denotes {σi(s) | s ⊨ φ'}.
If IG = {σi | for all φ' ∈ MAX, σi(φ') = φ'} is not empty, then <IG> (the group generated by IG) is an invariance group of M w.r.t. MAX.

Example (slides 8-11)
Symmetry (automorphism) group: G = < (1,4)(2,5)(3,6), (10,11), (10,12) >
[Figure: Kripke structure M with states 1..12, labelled 1:{p,q}, 2:{q}, 3:{p}, 4:{q}, 5:{q}, 6:{p}, 7:{p}, 8:{p,q}, 9:{q}, 10:{p}, 11:{p,q}, 12:{}]
Checking that a generator σ preserves R, on transition pairs read off the figure, (σ(S1), σ(S2)) ∈ R against (S1, S2) ∈ R:
For σ = (1,4)(2,5)(3,6):
  (4,5) ∈ R for (1,2) ∈ R
  (2,3) ∈ R for (5,6) ∈ R
  (9,10) ∈ R for (9,10) ∈ R
  (6,3) ∈ R for (3,6) ∈ R
  (6,2) ∈ R for (3,5) ∈ R
For σ = (10,12):
  (1,2) ∈ R for (1,2) ∈ R
  (5,6) ∈ R for (5,6) ∈ R
  (9,12) ∈ R for (9,10) ∈ R
  (3,6) ∈ R for (3,6) ∈ R
  (3,5) ∈ R for (3,5) ∈ R

Example (slides 12-14), with the same M and G = < (1,4)(2,5)(3,6), (10,11), (10,12) > as above:

φ = AG(q)
  IG = {σi | for all φ' ∈ MAX, σi(φ') = φ'} = {(1,4)(2,5)(3,6), (10,12)}
  <IG> is an invariance group with respect to {q}.

φ = AG(p)
  IG = {σi | for all φ' ∈ MAX, σi(φ') = φ'} = {(10,11)}
  <IG> is an invariance group with respect to {p}.

φ = AG(p ∨ q)
  IG = {σi | for all φ' ∈ MAX, σi(φ') = φ'} = {(1,4)(2,5)(3,6), (10,11)}
  <IG> is an invariance group with respect to {p ∨ q}.

Proof (slides 15-17)

<IG> is a permutation group:
- e ∈ <IG>: IG is not empty, so take some σ ∈ IG. σ can be written as a composition of disjoint cycles σ = c1 c2 ... cm of lengths l1, l2, ..., lm respectively, so e is a power of σ, which means e ∈ <IG>.
- For all σ ∈ <IG>, σ^-1 ∈ <IG>: for all σ ∈ IG, σ^-1 is itself a power of σ (same cycle argument), which means σ^-1 ∈ <IG>. For all σ ∈ <IG>, σ = σ1 σ2 ... σn where all σj ∈ IG; since each σj^-1 ∈ <IG> by the previous bullet, we get σ^-1 = σn^-1 ... σ1^-1 ∈ <IG>.
- For all σ1, σ2 ∈ <IG>, σ1 σ2 ∈ <IG>: σ1 σ2 is a product of factors that are all in IG, so σ1 σ2 ∈ <IG>.

<IG> is a symmetry group: IG is a subset of the generators of a symmetry group.

<IG> is an invariance group with respect to MAX: for all σ ∈ <IG>, σ = σ1 ... σn where all σj ∈ IG. For every φ' in MAX and every j, σj(φ') = φ'. Thus for all σ ∈ <IG>, all s ∈ S and all φ' ∈ MAX: s ⊨ φ' iff σ(s) ⊨ φ'.

Largest invariance group
The largest invariance group Ginv with respect to a symmetry group G is an invariance group such that for each invariance group G' ⊆ G, |G'| ≤ |Ginv|.

<IG> may not be the largest invariance group:
  G = {e, (p1,p2), (p2,p3), (p1,p3), (p1,p2,p3), (p1,p3,p2)}
  φ = AG( (p1_in_critical p3_in_critical) )
We get IG = {e}, which leads to <IG> = {e}, while the largest invariance group w.r.t. G is {(p1,p3), e}.

Implementation with BDDs
The construction of IG can be implemented with BDDs:
- A permutation σ can be represented as a BDD, but sometimes it can be represented using an index permutation.
- A boolean formula φ is represented by a BDD, from which σ(φ) is computed.
- We check that σ(φ) = φ using a BDD comparison operator.

Quotient Model (taken from lecture #2 by Anastasia Braginsky)
M = (S, R, L) is a Kripke structure. G is an invariance group w.r.t. BS.
The quotient structure MG = (SG, RG, LG):
- SG = {θ(s) | s ∈ S}, the set of orbits of the states in S (groups of states)
- RG = {(θ(s1), θ(s2)) | (s1, s2) ∈ R}
- LG(θ(s)) = L(rep(θ(s)))

Quotient Model
M = (S, R, L) is a Kripke structure. G is an invariance group w.r.t. BS. Writing [s] for the orbit of s, the quotient structure MG = (SG, RG, LG):
- SG = {[s] | s ∈ S}
- RG = {([s1], [s2]) | (s1, s2) ∈ R}
- LG([s]) = L(s) ∩ BS
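As an added example (not code from the slides or from the paper), the lemma and the three example slides carried out in Python: IG is computed for each formula from the generators and the slide's labelling (state 3 labelled p, as on the first example slides), and then the orbits of <IG>, which are the states of the quotient model. The generator names and helper functions are my own.

```python
# Added example (not code from the slides or the Barner/Grumberg paper): build IG
# from the generators of a symmetry group, as in the lemma above, then the orbits
# [s] that the quotient model uses as states. The labelling is copied from the
# example slides (states 1..12 over {p, q}, with 3:{p} as on the first example
# slides); transitions are not needed because the generators are already
# assumed to be automorphisms of M.

STATES = range(1, 13)
LABEL = {1: {"p", "q"}, 2: {"q"}, 3: {"p"}, 4: {"q"}, 5: {"q"}, 6: {"p"},
         7: {"p"}, 8: {"p", "q"}, 9: {"q"}, 10: {"p"}, 11: {"p", "q"}, 12: set()}

def perm_from_cycles(cycles):
    """Turn disjoint cycles, e.g. [(1, 4), (2, 5), (3, 6)], into a map s -> sigma(s)."""
    sigma = {s: s for s in STATES}
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            sigma[a] = b
    return sigma

# Generators of the symmetry group G = < (1,4)(2,5)(3,6), (10,11), (10,12) >.
GENERATORS = {
    "(1,4)(2,5)(3,6)": perm_from_cycles([(1, 4), (2, 5), (3, 6)]),
    "(10,11)": perm_from_cycles([(10, 11)]),
    "(10,12)": perm_from_cycles([(10, 12)]),
}

def sat(formula):
    """States satisfying a boolean formula, given as a predicate on the label L(s)."""
    return frozenset(s for s in STATES if formula(LABEL[s]))

def invariance_generators(max_subformulas):
    """IG = { sigma_i | for every phi in MAX: sigma_i(phi) = phi }, where
    sigma_i(phi) is the image under sigma_i of the set of states satisfying phi."""
    state_sets = [sat(f) for f in max_subformulas]
    return sorted(name for name, sigma in GENERATORS.items()
                  if all(frozenset(sigma[s] for s in st) == st for st in state_sets))

def orbits(generator_names):
    """Orbits of S under the group generated by the named generators. Closing
    each state under the generators suffices: on a finite set, the inverse of a
    permutation is one of its own powers, so no explicit group closure is needed."""
    gens = [GENERATORS[n] for n in generator_names]
    found, seen = [], set()
    for s in STATES:
        if s in seen:
            continue
        orbit, todo = {s}, [s]
        while todo:
            x = todo.pop()
            for g in gens:
                if g[x] not in orbit:
                    orbit.add(g[x])
                    todo.append(g[x])
        seen |= orbit
        found.append(frozenset(orbit))
    return found

if __name__ == "__main__":
    for name, phi in [("AG(q)", lambda L: "q" in L), ("AG(p)", lambda L: "p" in L),
                      ("AG(p or q)", lambda L: "p" in L or "q" in L)]:
        ig = invariance_generators([phi])   # MAX = {the single boolean subformula}
        print(name, "IG =", ig, "orbits of <IG> =", [sorted(o) for o in orbits(ig)])
```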

Quotient Structure for multiple representatives
M = (S, R, L) is a Kripke structure. G is an invariance group w.r.t. BS. Rep ⊆ S is a group of representatives.
A representative relation is a subset of Rep × S: for all s, s', (s, s') is in the relation iff s ∈ Rep and [s] = [s'].
The quotient structure for multiple representatives Mm = (Sm, Rm, Lm):
- Sm = Rep
- Rm is the composition of the representative relation, R, and the inverse of the representative relation: (r1, r2) ∈ Rm iff r1, r2 ∈ Rep and some state of [r1] has an R-transition to some state of [r2]
- Lm([s]) = L(s) ∩ BS

Example quotient structures
[Figure (slide 25): the mutual-exclusion example Q || P1 || ... || Pi with states (t, n, ..., n), (n, t, ..., n), (n, c, ..., n), (c, n, ..., n); the orbits [t, n, ..., n] and [c, n, ..., n]; one possible choice of representatives: (t, n, n, n, ..., n), (c, n, ..., n), (n, n, t, n, ..., n)]

Quotient Models
We've proved that MG ≡bis M. A similar proof shows that for every Kripke structure M, every invariance group G and every set Rep ⊆ S which contains at least one representative from each orbit, MG ≡bis Mm: prove that B = {(s, [s]) | s ∈ Rep} is a bisimulation relation. In this case, for every formula φ, M ⊨ φ iff Mm ⊨ φ.

For every Kripke structure M, every invariance group G and every set Rep ⊆ S which may contain zero representatives for some of the orbits, M simulates Mm: prove that B = {(s, s) | s ∈ Rep} is a simulation relation. This case can be used for falsification.

The algorithm uses Mm instead of MG. If bisimulation was achieved, the algorithm can verify and falsify. If only simulation was achieved, the algorithm can only falsify.

The algorithm Symmetry_MC
[Figure (slides 28-33): pseudocode of Symmetry_MC. Annotations: reach_rep is the group of representatives of the reachable states; _step calculates the states belonging to the orbits of the states in reach_rep.]

Example (slides 34-56: a run of Symmetry_MC, animated step by step)
IG = {(1,4)(2,5)(3,6), (10,11)}, φ = AG(p ∨ q)
[Figure: M with states 1..12, labelled on these slides 1:{p,q}, 2:{q}, 3:{q}, 4:{q}, 5:{q}, 6:{p}, 7:{p}, 8:{p,q}, 9:{q}, 10:{p}, 11:{p,q}, 12:{}]


Counter-example generated.

But what if: (slides 57-72 re-run the same example step by step, with the same IG = {(1,4)(2,5)(3,6), (10,11)} and φ = AG(p ∨ q))


No Counter-example found

_step
Calculates the states belonging to the orbits of the input states.
- Will result in a smaller BDD than the BDD of the orbit relation: it depends on one set of variables (_step(v)) vs. the two sets of the orbit relation over (v, v').
- Applied only to reachable states.
- Might be computationally heavy. Solution: stop the computation before reaching a fixpoint. This will not affect correctness (_step is used only to remove representatives for orbits that already have one).

Robustness of Symmetry_MC
- M simulates Mm, so a counterexample generated for Mm is also a counterexample in M.
- If a bad generator for the symmetry group was given (one that associates states that are not symmetric): _step might return states which are not symmetric to any state in reach_rep. Representatives of these states will not be added to reach_rep. No harm is done: reach_rep does not contain a representative of an unreachable orbit, so the counterexample will hold.
- If a good generator is missing (a permutation which associates symmetric pairs): _step might return fewer states. There might be more representatives for each reachable orbit. No harm here either.

Hints_Sym
- Uses hints (supplied by the user) in order to control the under-approximation.
- Suitable for falsification and verification.

The algorithm Hints_Sym
[Figure (slides 79-80): pseudocode of Hints_Sym. Annotations: use the user hints to calculate the under-approximation; use the next hint.]

Example (slides 81-108: a run of Hints_Sym, animated step by step)
IG = {(1,4)(2,5)(3,6), (10,11)}, φ = AG(p ∨ q)
[Figure: the same M as in the previous example, with the hint sets h1 and h2 marked; the run first uses hint = h1, then hint = h2]


If the last hint is hl = S: reach_rep will contain at least one representative for each reachable orbit. Last hint -> no under-approximation from now on, and restart from the set of all representatives achieved up to now.
[Figure (slides 109-120): the run continues with hint = S]


Counter-example generated.

The use of hints
If the last hint is hl = S, reach_rep will contain at least one representative for each reachable orbit, so M ≡bis Mm. This algorithm is suitable for verification!

Choosing hints - Example
Each process has a signal en_i which means that the process is active:
  h1 = {s | s ⊨ for all 2 ≤ i ≤ n: en_i = false}
  h2 = {s | s ⊨ for all 3 ≤ i ≤ n: en_i = false}
  ...
  h_(n-1) = {s | s ⊨ en_n = false}
  h_n = S
First search for a bug when 1 process is active, then search when 2 are active, and so on.

Extensions for liveness formulas

Extension for temporal safety properties (in a nutshell)
- Use a tableau A for φ.
- Build the product structure M × A.
- Find a formula over the product such that M ⊨ φ iff (M × A) satisfies it.
- Use the previous algorithms (on-the-fly) to check (M × A) against that formula.


Liveness restricted to representatives
Combine classical (non on-the-fly) model checking with symmetry reduction. Construct the restricted model M|rep using the representatives from Symmetry_MC.
M|rep = (S|rep, S0|rep, R|rep, L|rep):
- S|rep = rep
- S0|rep = rep ∩ S0
- for all s, s' ∈ S|rep: (s, s') ∈ R|rep iff (s, s') ∈ R
- for all s ∈ S|rep: L|rep(s) = L(s)

Example: the restricted model
[Figure: M|reach_rep drawn next to M (states 1..12)]

Lemma
For every Kripke structure M and rep ⊆ S, M simulates M|rep. The relation B = {(s, s) | s ∈ rep} is a simulation relation.

Live_Rep
The algorithm:
1. Run Symmetry_MC to obtain reach_rep.
2. Perform classical symbolic MC on M|reach_rep.
The formula is checked on a smaller model than M. The construction of the orbit relation is avoided.

Why not use an arbitrary set of representatives? M|reach_rep contains more behaviors:
- Its states are connected by transitions.
- The states represent many other states.
- reach_rep contains only reachable states.

Not suitable for verification
Unfortunately M|reach_rep is not bisimilar to M even when there is at least one representative for each orbit:
[Figure (slide 131): black states are chosen to be representatives; there is no edge from s1 to t2]

Liveness with representative relation
- A more expensive method, also suitable for verification.
- As the previous method, it starts by computing reach_rep.
- Requires calculation of the representative relation, a subset of reach_rep × S: (v, v') is in it iff v ∈ reach_rep and [v] = [v']. It maps each representative to all the states in its orbit.
[Figure (slide 132): pseudocode of create_, whose output is the representative relation over reach_rep; this can be proved by induction.]

The algorithm:
1. Run Symmetry_MC to obtain reach_rep.
2. Calculate the representative relation using create_.
3. Perform classical symbolic MC on the quotient structure.
If reach_rep contains at least one representative from each orbit, M ≡bis Mm.
Benefits:
a) it doesn't ask the user to supply the invariance group, and produces it on its own;
b) the possibility to stop the calculation of the orbit relation when it is too heavy/expensive.

Alternative method to avoid orbit relation calculation

Iterative symmetry reduction
The previous algorithm used _step in order to avoid building the orbit relation. Alternatively, build the orbit relation iteratively: in each iteration only a subset of the orbit relation is built, and each iteration builds a different subset.
[Figure (slides 137-138): pseudocode of Create_ and Create__Limit]
Representatives are supplied by the user. Start with all the representatives; remove all the representatives that were already reached; continue until all of Rep are found reachable or a fixpoint is reached.

Iterative_Sym
In every step, Create__limit is called on a smaller set of representatives, so it is more likely to result in a function that is closer to the full representative relation.
M' is a partial structure of the quotient model Mm, generated using the relation built in iteration i. If a bad state is found, it is also a bad reachable state of M|Rep.

Experimental results: the arbiter example
Arbiters are electronic devices that allocate access to shared resources. On-the-fly was achieved with RuleBase. No memory decrease, most likely because _step produces large intermediate BDDs. Time decrease, most likely because _step significantly reduces S_i.

Experimental results: liveness restricted to representatives
The Futurebus example: n processors access a single bus. The larger the number of processors was, the better the results were.