A New Approach to Upward-Closed Set Backward Reachability Analysis
Jesse Bingham
University of British Columbia, Canada
INFINITY '04: 6th International Workshop on Verification of Infinite-State Systems
Saturday 4 September 2004
London, England
Introduction (1/3)
• A new approach to backwards reachability for broadcast protocols (BP)
• The standard approach (SA) [Esparza et al. 99] is based on the theory of well-structured transition systems [Abdulla et al. 96, Finkel & Schnoebelen 01]
– processes sets of vectors of naturals
– these sets form bases for infinite upward-closed sets of vectors
• In contrast, our approach (OA)
– analyses finite BP instances of increasing size
– processes sets of concrete global states
– enables BDD-based symbolic model checking
Introduction (2/3)
• Let m be the number of local states in the BP. The primary strength of OA:
– SA processes vectors of dimension m… if m is large (i.e. 100s or 1000s), things can blow up
– OA uses BDDs to encode local states; BDDs have been known to represent large sets succinctly
  • For example, m = 1000 only requires 10 BDD variables to encode the state
• Weaknesses:
– OA “undoes” the symmetry reduction inherent in SA
– OA employs a BDD operation called existential lifting that might cause things to blow up (bounding this is future work)
Introduction (3/3)
• I’ll assume some basic familiarity with well-structured transition systems, upward-closed sets, and the algorithm for safety properties in [Abdulla et al. 96]
• I’ll omit many technical details and formalities
Outline
• The problem
• The standard approach
• Our approach
• Experiments
• Future work/conclusions
The Problem
• The systems are broadcast protocols (BP)
– generalization of Petri nets
• Specifications are a class of safety properties
– bad scenarios characterized as upward-closed sets are not reachable
• The problem is known to be decidable via SA [Esparza et al. 99]
Broadcast Protocols
Intuitively: A Broadcast Protocol (BP) [Emerson & Namjoshi 98] represents an arbitrary number of identical finite state processes that communicate through guarded broadcasts and rendezvous-style synchronizations
BP Transitions
• Local: A single process locally changes state; all others stay in the same state.
• Rendezvous: Some bounded number of processes collaborate to change state atomically; all others stay in the same state.
• Broadcast: All processes change state together. The next state of each process is determined by its current state. Some bounded number of processes collaborate to instigate the broadcast transition (i.e. they guard the broadcast).
Three Notions of BP State
• A local state is the state of an individual process; we denote the (finite) set of all local states by L, and denote m = |L|
• A g-state (global state) is an element of L^k for some k
– lists the state of each process in an instance with k processes
• A vector is an m-tuple of naturals v = (v1,…,vm) ∈ N^m
– for each i ∈ {1,…,m}, vi is the number of processes in local state i
– the weight of vector v is the sum of its components, denoted |v|, i.e. the weight is the number of processes
– vectors abstract sets of g-states in the usual way
BP States Example
Suppose the local states are L = {x,y,z}

process: 1 2 3 4 5 6
state:   y z z x z x

Then the g-state is (y,z,z,x,z,x), while the vector is (2,1,3). This g-state: (x,z,z,z,y,x) has the same vector, as do many others, i.e. the vector abstracts all g-states involving exactly 2 x’s, 1 y, and 3 z’s.
BP Reachability Problem
The broadcast protocol Reachability Problem (BPRP) asks: given
• a broadcast protocol B,
• a parameterized set of initial vectors Init,
• an upward-closed set of target (bad) vectors U
are there vectors v ∈ Init and u ∈ U such that u is reachable from v by following transitions of B?
Standard Algorithm

Previous_Reach := Reach := basis(U);
while ¬( ↑Reach ⊆ ↑Previous_Reach ) do
  if ( Init ∩ ↑Reach ≠ ∅ ) then
    exit with verification failure;
  Previous_Reach := Reach;
  Reach := basis(Pre(↑Reach)) ∪ basis(U);
exit with verification success;

Previous_Reach and Reach both have the type: finite subset of N^m.
After the ith iteration, Reach is a finite basis for the set of vectors from which U can be reached in at most i transitions.
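As an added example (not code from the talk or the paper), the Standard Algorithm above run on a small constructed Petri net: a mutual-exclusion net with places idle, trying, crit and lock, where entering the critical section consumes the lock token and leaving returns it. The bad upward-closed set U is "two or more tokens in crit", and Init is the parameterized family {(n,0,0,1) : n ≥ 1}, represented by a predicate that says whether some initial marking dominates a given vector (that is, whether Init ∩ ↑{v} ≠ ∅). Previous_Reach is started empty so that the first pre-image step is actually taken; everything else follows the slide. The net, the place names and the helper names are assumptions of this example.

```python
# Constructed Petri net (an assumption of this example, not one of the talk's
# benchmarks). Places, in order: idle, trying, crit, lock. A transition is a
# (pre, post) pair: it fires from marking v when v >= pre and yields v - pre + post.
PLACES = ("idle", "trying", "crit", "lock")
MUTEX = [
    ((1, 0, 0, 0), (0, 1, 0, 0)),  # idle -> trying
    ((0, 1, 0, 1), (0, 0, 1, 0)),  # trying + lock -> crit
    ((0, 0, 1, 0), (1, 0, 0, 1)),  # crit -> idle + lock
]

def dominates(a, b):
    """a >= b componentwise, i.e. a lies in the upward closure of {b}."""
    return all(x >= y for x, y in zip(a, b))

def basis(vectors):
    """Canonical basis: keep only the minimal elements; they generate the same upward closure."""
    vs = set(vectors)
    return frozenset(v for v in vs
                     if not any(u != v and dominates(v, u) for u in vs))

def pre_basis(u, net):
    """Basis of Pre(up{u}) for a Petri net: v fires (pre, post) into up{u} iff
    v >= pre and v - pre + post >= u, so the least such v has
    v_j = max(pre_j, u_j + pre_j - post_j) in every place j."""
    return {tuple(max(p, x + p - q) for x, p, q in zip(u, pre, post))
            for pre, post in net}

def standard_reach(U_basis, net, init_covers):
    """The Standard Algorithm: Reach is a finite basis of vectors; init_covers(v)
    reports whether some initial marking dominates v (Init meets up{v}).
    Returns ('failure', Reach) or ('success', Reach)."""
    prev, reach = frozenset(), basis(U_basis)
    # loop while NOT (up Reach is contained in up Previous_Reach)
    while not all(any(dominates(v, p) for p in prev) for v in reach):
        if any(init_covers(v) for v in reach):
            return ("failure", reach)
        prev = reach
        reach = basis(set().union(*(pre_basis(v, net) for v in reach)) | set(U_basis))
    return ("success", reach)

BAD = {(0, 0, 2, 0)}  # basis of U: at least two tokens in crit

def one_lock(v):
    """Init = {(n,0,0,1) : n >= 1}: some initial marking dominates v iff v needs
    no trying or crit tokens and at most one lock token (n can be chosen large)."""
    return v[1] == 0 and v[2] == 0 and v[3] <= 1

def two_locks(v):
    """A misconfigured family Init = {(n,0,0,2) : n >= 1} with two lock tokens."""
    return v[1] == 0 and v[2] == 0 and v[3] <= 2

if __name__ == "__main__":
    print(standard_reach(BAD, MUTEX, one_lock))   # ('success', basis of the pre-image)
    print(standard_reach(BAD, MUTEX, two_locks))  # ('failure', ...): (2,0,0,2) is backward reachable
```

The basis grows by one or two vectors per iteration until ↑Reach stops changing; with a single lock token every basis vector demands a trying or crit token or two lock tokens, so no initial marking ever covers one and the net is declared safe. With two lock tokens the vector (2,0,0,2) eventually enters the basis, is dominated by the initial marking with n = 2, and the algorithm reports a failure.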
SA Instantiated
• We haven’t said how to store sets of vectors during the computation
• [Delzanno et al. 00, 01] use covering sharing trees (CSTs) to represent these sets
– CSTs do for vectors what BDDs do for bitvectors
– sophisticated heuristics for checking upward-closed set inclusion
– for our experiments, we take the CST approach as an example of a state-of-the-art “instantiation” of SA
Skeleton of Our Algorithm

i := 1;
while (¬converged) do
  compute R(i) := Back_Reach( [U]i );
  if ( intersection_check(R(i)) ) then
    exit with verification failure;
  i := i + 1;
exit with verification success;

Here [U]i denotes the vectors in U with exactly i processes, and R(i) is the transitive pre-image from U involving exactly i processes.
Convergence Theorem
Let U be an upward-closed set and let n ≥ bw(U). Then
R(n+δ) ⊆ ↑R(n+δ-1) ⊆ … ⊆ ↑R(n)
if and only if
Back_Reach(U) = ↑(R(1) ∪ … ∪ R(n))
Notation Key
• bw(U) is the maximum weight over the vectors in the canonical basis of U
• δ is the maximum number of processes involved in a guard (called maxdis(B) in the paper)
• for a set X ⊆ N^m, ↑X denotes the upward closure of X
[Figure: weight axis 1, 2, 3, 4, …, n, n+1, …, n+δ inside U, with R(1), R(2), R(3), R(4), …, R(n), R(n+1), …, R(n+δ) drawn as the backward-reachable g-state sets of each weight i]
Termination Theorem
For any broadcast protocol and upward-closed set U, there exists n ≥ bw(U) such that
R(n+δ) ⊆ ↑R(n+δ-1) ⊆ … ⊆ ↑R(n)
Proof: follows trivially from WSTS theory.
Using BDDs
• How should we represent the R(i)’s? ... Let’s use binary decision diagrams (BDDs) [Bryant 86]
– BDDs can succinctly represent large state spaces
– many BDD operations have efficient algorithms
• Our BDDs store sets of g-states (rather than sets of vectors)
• For a finite set of vectors X, we use X_bdd to denote the BDD for the set of g-states abstracted by vectors in X
Example
Suppose…
• the local states are {ℓ1, ℓ2, ℓ3}
• X = {(0,0,2),(1,0,1),(0,1,1)}
Then X_bdd will store the g-states:
{(ℓ3,ℓ3), (ℓ1,ℓ3), (ℓ3,ℓ1), (ℓ2,ℓ3), (ℓ3,ℓ2)}
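As an added example (not code from the talk or the paper), the two directions of the vector/g-state abstraction used in the "BP States Example" and in the X_bdd example above, with plain Python sets standing in for BDDs. It also counts how many g-states a single vector abstracts (the multinomial coefficient |v|! / (v1! ⋯ vm!)), which is the symmetry reduction that OA "undoes". Function names and the local-state labels are assumptions of this example.

```python
from itertools import permutations
from math import factorial, prod

def vector_of(gstate, local_states):
    """Abstract a g-state (tuple of local states) to its vector:
    v_i = number of processes currently in local state i."""
    return tuple(gstate.count(s) for s in local_states)

def weight(v):
    """|v|: the number of processes the vector describes."""
    return sum(v)

def gstates_of(v, local_states):
    """Concretize one vector: every g-state with exactly v[i] processes in state i,
    i.e. every distinct ordering of the multiset of local states."""
    multiset = [s for s, n in zip(local_states, v) for _ in range(n)]
    return set(permutations(multiset))

def gstates_of_set(X, local_states):
    """The set of g-states X_bdd stores for a finite vector set X (a plain set here)."""
    return set().union(*(gstates_of(v, local_states) for v in X))

def count_gstates(v):
    """Multinomial |v|! / (v_1! ... v_m!): how many g-states one vector abstracts."""
    return factorial(weight(v)) // prod(factorial(n) for n in v)

if __name__ == "__main__":
    L_xyz = ("x", "y", "z")
    print(vector_of(("y", "z", "z", "x", "z", "x"), L_xyz))   # (2, 1, 3)
    print(count_gstates((2, 1, 3)))                           # 60 g-states share that vector
    L3 = ("l1", "l2", "l3")
    print(gstates_of_set({(0, 0, 2), (1, 0, 1), (0, 1, 1)}, L3))
```

For the slide's vector (2,1,3) there are 6!/(2!·1!·3!) = 60 g-states of six processes, all abstracted by the one vector; the g-state representation enumerates all of them, which is why the BDD encoding has to be succinct for OA to pay off.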
The Convergence Theorem & BDDs
Our convergence theorem requires us to check containments of the form
R(i+1) ⊆ ↑R(i)
Problem: How do we do such checks against ↑R(i) when the R(i)’s are in our BDD/g-state representation?
Solution: We use a BDD operation called existential lifting
Existential Lifting (1/2)
Given a symmetric set X ⊆ L^i, the existential lifting of X is the set X^el ⊆ L^(i+1) defined by
(ℓ1,…,ℓi+1) ∈ X^el ≡ ∃k ∈ {1,…,i+1} : (ℓ1,…,ℓk-1,ℓk+1,…,ℓi+1) ∈ X
Intuitively: x ∈ X^el iff we can delete a component of x to obtain a tuple in X

[Figure: weights i and i+1 inside U, showing R_bdd(i) at weight i and its lifting R_bdd(i)^el at weight i+1]
Existential Lifting (2/2)
Existential Lifting Theorem
R(i+1) ⊆ ↑R(i)
if and only if
R_bdd(i+1) ⊆ R_bdd(i)^el

The left-hand side is the check required to apply our convergence theorem. The right-hand side is how to do the check when the R’s are sets of g-states stored as BDDs: apply the existential lifting operator, then test logical implication between BDDs (fast). In fact, this implication will always be bidirectional when it holds, so it can be done in constant time.
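As an added example (not code from the talk or the paper) tying together the Skeleton of Our Algorithm, the Convergence Theorem and the two Existential Lifting slides: a constructed toy broadcast protocol, a MESI-like cache line with local states I, S and M, is analysed on instances of growing size, Back_Reach is computed over explicit sets of g-states (standing in for BDDs), the intersection check is done against the parameterized "all processes invalid" Init, and the convergence check R(j+1) ⊆ ↑R(j) is performed exactly as the Existential Lifting Theorem says, as R_bdd(j+1) ⊆ R_bdd(j)^el. A second, deliberately broken protocol version shows the failure path. The protocol, its two rules, the bad set U and all identifiers are assumptions of this example; the talk's benchmarks are not reproduced.

```python
from itertools import product

# Constructed toy broadcast protocol (an assumption of this example, not one of
# the talk's benchmarks): one cache line per process, with local states
# I (invalid), S (shared), M (modified).
I, S, M = "I", "S", "M"
L = (I, S, M)

# A broadcast is (instigator map, others map). A process whose local state is a
# key of the instigator map may fire it and moves to the mapped state; every
# other process moves per the others map, or stays put if its state is absent.
# Every guard involves exactly one process, so delta = 1.
SAFE = {
    "read_miss":  ({I: S},       {M: S}),        # a reader joins, the owner downgrades
    "write_miss": ({I: M, S: M}, {S: I, M: I}),  # a writer takes ownership, rest invalidated
}
BUGGY = {                                         # sharers are no longer invalidated
    "read_miss":  ({I: S},       {M: S}),
    "write_miss": ({I: M, S: M}, {M: I}),
}
DELTA = 1

def vector_of(g):
    """Abstract a g-state (tuple of local states) to its vector over L."""
    return tuple(g.count(s) for s in L)

def in_U(v):
    """Upward-closed bad set: two owners, or an owner next to a sharer. Its
    canonical basis is {(0,0,2), (0,1,1)} in (I,S,M) order, so bw(U) = 2."""
    _, vS, vM = v
    return vM >= 2 or (vM >= 1 and vS >= 1)
BW_U = 2

def init_covers(v):
    """Init is 'every process invalid' for every instance size, so some initial
    vector dominates v iff v needs no process in S or M."""
    return v[1] == 0 and v[2] == 0

def successors(g, bcasts):
    """g-states reachable from g by one broadcast of the instance."""
    out = set()
    for inst, others in bcasts.values():
        for k, s in enumerate(g):
            if s in inst:
                out.add(tuple(inst[s] if j == k else others.get(t, t)
                              for j, t in enumerate(g)))
    return out

def back_reach(targets, i, bcasts):
    """Back_Reach([U]_i): transitive pre-image of the target g-states inside the
    instance with exactly i processes (explicit sets stand in for BDDs)."""
    pre = {}
    for g in product(L, repeat=i):
        for h in successors(g, bcasts):
            pre.setdefault(h, set()).add(g)
    reach, frontier = set(targets), set(targets)
    while frontier:
        frontier = set().union(*(pre.get(h, set()) for h in frontier)) - reach
        reach |= frontier
    return reach

def lift(X, i):
    """Existential lifting X^el: the (i+1)-tuples from which deleting one component
    gives a tuple in X, generated by inserting every local state at every position."""
    return {x[:k] + (s,) + x[k:] for x in X for k in range(i + 1) for s in L}

def verify(bcasts):
    """Skeleton of the talk's algorithm with the convergence check done through
    existential lifting. Returns ('failure', i) or ('success', n)."""
    R = {}
    i = 1
    while True:
        U_i = {g for g in product(L, repeat=i) if in_U(vector_of(g))}  # [U]_i as g-states
        R[i] = back_reach(U_i, i, bcasts)
        if any(init_covers(vector_of(g)) for g in R[i]):               # Init meets up R(i)?
            return ("failure", i)
        n = i - DELTA
        # Convergence theorem: n >= bw(U) and R(j+1) in up R(j) for j = n .. n+delta-1,
        # each containment tested as R_bdd(j+1) <= R_bdd(j)^el (existential lifting theorem).
        if n >= BW_U and all(R[j + 1] <= lift(R[j], j) for j in range(n, n + DELTA)):
            return ("success", n)
        i += 1

if __name__ == "__main__":
    print(verify(SAFE))    # ('success', 2)
    print(verify(BUGGY))   # ('failure', 2)
```

With the safe rules no bad g-state has a predecessor in any instance, so R(2) and R(3) are just the bad g-states of weight 2 and 3; every weight-3 bad g-state drops a component to a weight-2 bad g-state, the lifted containment holds at n = 2 = bw(U), and the theorem lets the loop stop there. In the buggy version the two-process instance already reaches (M,S) from (I,S), which is itself reachable from the all-invalid initial g-state, so the intersection check fires at i = 2.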
Experiments
• Petri nets from the CST paper [Delzanno et al 01] (new)
• ME(h) Petri net (presented in the paper)
• MESI protocol (new)
• German’s cache coherence protocol (new)

Petri Nets from [Delzanno et al 01]
Petri net  | Our runtime (sec) | CST runtime (sec)
Multipool  | 3010              | 2.09
CSM        | 95                | 0.06
Mesh(2×2)  | >1300             | 1.30
Note the decimal point in the CST column!
When Might OA Outperform SA?
• For both CSTs and BDDs, a rough predictor of potential blow-up is the height of the data structure
• Standard approach:
– CSTs have a fixed height of m = |L|
• Our approach:
– The state of a single process is encoded using log2 m BDD variables
– The largest BP instance we analyze has n+δ processes
– Thus the largest BDDs we process have height (n+δ) log2 m
• Therefore we expect an advantage whenever (n+δ) log2 m << m
Petri Nets from [Delzanno et al 01] Revisited
Petri net  | Our runtime | CST runtime | Max BDD height | CST height
Multipool  | 3010        | 2.09        | 50             | 18
CSM        | 95          | 0.06        | 36             | 14
Mesh(2×2)  | >1300       | 1.30        | >40            | 32
Petri Net Family ME(h)
• Single control process (2 local states: in, notin)
• Arbitrary number of client processes (h+1 local states: x0, x1,…, xh)
– h critical section states
ME(h) Runtimes
[Plot: runtime (seconds) against h]

h   | Our runtime | CST runtime | Max BDD height | CST height
25  | 11          | 2           | 30             | 28
50  | 43          | 30          | 36             | 53
75  | 108         | 387         | 42             | 78
100 | 198         | 865         | 42             | 103
125 | 331         | 4,766       | 42             | 128
150 | 565         | 6,942       | 48             | 153
175 | 823         | 24,814      | 48             | 178
200 | 1,159       | 30,156      | 48             | 203
225 | 1,578       | 56,795      | 48             | 228
250 | 2,155       | 105,618     | 48             | 253
MESI Caching Protocol
# of blocks | Our runtime | CST runtime | HyTech runtime ([Delzanno 00]’s technique) | Max BDD height | CST height
1           | 0.1         | 0.0         | 0.0                                        | 8              | 4
2           | 0.2         | 0.1         | 88.3                                       | 16             | 16
3           | 0.5         | 44.1        | *>264.9                                    | 24             | 64
4           | 2.2         | **          |                                            | 32             | 256
* HyTech aborts, reporting “out of memory” (~1.2GB)
** Description is 5.8 MB, Bison parser chokes
German’s Cache Protocol
• A cache protocol proposed by IBM’s Steven German
– From the Readme: “I consider it a challenging problem to verify this protocol fully automatically!”
• Not quite encodable as a broadcast protocol
– Involves a conjunctively guarded transition, which renders the problem undecidable [Emerson & Kahlon 03]
– Involves a process “pointer” variable curPtr
• Our version includes datapaths, as in [Chou et al 04]
• As a broadcast protocol, the local state space has cardinality |L| = 6168 (6144 for clients, 24 for dir)
German’s Cache Protocol
[Figure: a Directory connected to Client 1, Client 2, …, Client n]
Client: state: {M,S,I}; data: {0,1}
Directory: invSet: array 1..n of boolean; shrSet: array 1..n of boolean; exGntd: boolean; curCmd: {null,ReqS,ReqE}; curPtr: {1…n}; memData: {0,1}
German’s Cache Protocol Runtimes
Property (all passed)       | Runtime (sec)
Encoding of curPtr          | 3
Conjunctive guard reduction | 214
Data coherence              | 63
Future Work
• More experimental evaluation
• Complexity analysis of existential lifting
• Optimizations
• Application to other discrete well-structured transition systems
• Are there other (i.e. non-WSTS) classes of systems for which a similar approach will work?

Conclusions
• A new approach to parameterized verification of broadcast protocols
• Uses BDDs and classical symbolic model checking
• A primary contribution is a convergence theorem that tells us when we can stop
• Our approach might outperform the standard approach when:
– The number of local states |L| is large, and
– Convergence occurs for moderate n
• My hunch is that many systems of practical importance have these characteristics (e.g. German)
• Kudos to Pierre Ganty for support with his CST/IST software