Logic Model Checking

Transcription

1 Logic Model Checking Lecture Notes 17:18 Caltech 101b.2 January-March 2005 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN , 608 pgs.

2 checking omega acceptance (general liveness properties) to prove liveness properties, it is sufficient if we can detect the existence of cyclic paths in the product automaton (i.e., the reachability graph) that contain at least one accepting state note that a straight dfs alone does not suffice to not detect the acceptance cycle in this graph when revisiting state 4 from 5, we cannot tell that there exists a path from 4 back to 5 (no transitions are stored in the statespace) Logic Model Checking [17 of 18] 2

3 different ways of solving this problem the default graph search algorithm would be Robert Tarjan s classic depth-first search algorithm computes all strongly connected components of a graph a strongly connected component (SCC) is a subset of the states such that each of the states within this subset is reachable from all others in the subset Tarjan s algorithm uses two 32-bit integers per state: the depth-first number and a lowlink number we can check each SCC for the presence of accepting states if found, compute a path to the accepting state and a cyclic path within the SCC this graph has one SCC, which contains all states Logic Model Checking [17 of 18] 3

4 Spin s nested depth-first search algorithm to solve the problem in our case, it suffices to know if: there exists at least one accepting state that is: both reachable from the initial state AND reachable from itself start of 1st dfs cycle found! start of 2nd dfs with state 5 as root (the seed state 5 ) two simpler sub-problems that can each be solved with a depth-first search, without the need for computing strong components (SCCs) by combining the two stacks, we again immediately have a complete execution trace for a counter-example Logic Model Checking [17 of 18] 4

5 efficient storage visited in the 1 st visited in the 2 nd statespace statespace initial state for 1 st dfs possible values: seed state revisited: cycle found seed state for 2 nd dfs in postorder: check for every reachable accepting state if the state is reachable from itself what makes it efficient: the 2 nd statespace contains at most 1 copy of each state in the 1 st statespace (but we store the 2 nd copy by tagging states in the 1 st statespace with just two extra bits per state) Logic Model Checking [17 of 18] 5

6 computational complexity every state is visited maximally twice by this algorithm this means the runtime can at worst double complexity remains linear in number of reachable states memory cost is largely unaffected each state is stored only once using a 2-bit tag per state this algorithm also solves non-progress cycle detection acceptance cycle detection for LTL formula: <>[] _np until 1996 there was a separate algorithm in Spin for handling non-progress cycle detection omitted in version without loss of generality Logic Model Checking [17 of 18] 6

7 the non-progress cycle detector non-progress can be expressed as an LTL property: <>[] _np never { /* <>[] _np */ do :: np_ -> break :: true od; accept: do :: np_ od np_ true np_ predefined by compiling the pan.c code with directive -DNP formalized as 2-state Büchi automaton any acceptance cycle in the the final product automaton corresponds to a non-progress cycle Logic Model Checking [17 of 18] 7

8 optimization we can stop the search early when reaching state 1, after just two steps because 1 appears on the first dfs stack as 1 we already know that there is a path from 1 to 5 without having to re-construct it start of 1st dfs root of the 2nd dfs (the seed state ) 4 4 Logic Model Checking [17 of 18] 8

9 the nested depth-first search algorithm Automaton A = { S, s 0, L, T, F Stack D = { Statespace V = { State seed = nil Boolean toggle = false Start() { Add_Statespace(V, A.s 0, toggle) Push_Stack(D, A.s 0, toggle) Search() Search() { (s,toggle) = Top_Stack(D) for each (s,l,s') A.T { /* if seed is reachable from itself */ if s' == seed On_Stack(D,s',false) { PrintStack(D) PopStack(D) return if In_Statespace(V, s', toggle) == false { Add_Statespace(V, s', toggle) Push_Stack(D, s', toggle) Search() if s A.F toggle == false { seed = s /* reachable accepting state */ toggle = true Push_Stack(D, s, toggle) Search() /* start 2nd search */ Pop_Stack(D) seed = nil toggle = false Pop_Stack(D) Logic Model Checking [17 of 18] 9

10 the nested depth-first search algorithm Automaton A = { S, s 0, L, T, F Stack D = { Statespace V = { State seed = nil Boolean toggle = false Start() { Add_Statespace(V, A.s 0, toggle) Push_Stack(D, A.s 0, toggle) Search() important detail: the 2nd search is started in post-order: after searching all successors of an accepting state in the 1st search Search() { (s,toggle) = Top_Stack(D) for each (s,l,s') A.T { /* if seed is reachable from itself */ if s' == seed On_Stack(D,s',false) { PrintStack(D) PopStack(D) return if In_Statespace(V, s', toggle) == false { Add_Statespace(V, s', toggle) Push_Stack(D, s', toggle) Search() if s A.F toggle == false { seed = s /* reachable accepting state */ toggle = true Push_Stack(D, s, toggle) Search() /* start 2nd search */ Pop_Stack(D) seed = nil toggle = false Pop_Stack(D) Logic Model Checking [17 of 18] 10

11 correctness the critical property: the algorithm will detect at least one acceptance cycle, if at least one such cycle exists z n z e z a for a more formal argument, see book p. 179 z a the first accepting state that is reachable from itself for which the 2nd dfs is performed z e a successor of an earlier accepting state z n (not reachable from itself) we can only fail to close the cycle on z a if the cycle passes through such a state z e z n an earlier accepting state (not reachable from itself) with z e as a successor Q: can state z e exist? A: no, because if z e is reachable from z n, then z a is reachable from z n and z a would have been explored in the 2nd dfs before z n Logic Model Checking [17 of 18] 11

12 weak and strong fairness strong fairness an ω-run σ satisfies the strong fairness requirement if it contains infinitely many transitions from every process (component automaton in the asynchronous product) that is enabled (has an executable action) infinitely often in σ weak fairness an ω-run σ satisfies the weak fairness requirement if it contains infinitely many transitions from every process (component automaton in the asynchronous product) that is enabled (has an executable action) infinitely long in σ Logic Model Checking [17 of 18] 12

13 example bit i; active proctype A() { accept: do :: i = 1 - i od active proctype B() { do :: i = 1 - i od active proctype C() { do :: (i%2) -> i = 1 - i od A: B: C: A: B: i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i only A executes, B infinitely long enabled C infinitely often enabled neither weakly nor strongly fair i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i C: A and B execute, C infinitely often enabled weakly but not strongly fair A: i=1-i i=1-i i=1-i i=1-i i=1-i i=1-i B: i=1-i i=1-i i=1-i C: B: (i%2) i=1-i (i%2) i=1-i (i%2) weakly and strongly fair Logic Model Checking [17 of 18] 13

14 enforcing fairness constraints fairness can be expressed in LTL, but this is not always simple / convenient we can also provide options in the model checker to enforce default types of process scheduling fairness there is a cost associated with the implementation as part of the nested depth-first search procedure: weak fairness: linear increase of complexity (in # processes) strong fairness: quadratic increase of complexity Logic Model Checking [17 of 18] 14

15 the basic idea: unfolding Choueka s flag construction method create (k+2) copies of the global reachability graph, with k the number of active processes we number them from 0..(k+1) preserve accept-state labels only in the 1 st copy the copy numbered 0 change the transition relation to connect all k+2 copies: in copy 0, change the destination state for outgoing transitions of all accepting states so that they point to the corresponding state in copy 1 in copy k+1, change the destination state for outgoing transitions of all states so that they point to the corresponding state in copy 0 in copy i, 1 i k, change the destination state for all transitions contributed by process i to the corresponding state in copy i+1 add a nil-transition from any state in copy i where process i is blocked (has no enabled transitions) to the same state in copy i+1 an accepting ω-run in the unfolded graph now necessarily contains transitions from all active processes and therefore satisfies the weak fairness requirement Logic Model Checking [17 of 18] 15

16 (k+2)-times unfolded graph copy k+1 pid!= 1 pid!= 2 1 pid k pid==1 pid==2... pid==k 1 pid k all runs of the original system are preserved, but unfolded. no accept cycles can exist within copy 0 all accept cycles must traverse all copies to return to copy 0 and are therefore necessarily weakly fair Logic Model Checking [17 of 18] 16

17 small example bit i; k=2 active proctype A() { accept: do :: d_step { (i%2) -> i = 1 i od active proctype B() { do :: d_step {!(i%2) -> i = 1 i od pid=2 pid=1 original pid=2 pid=2 (k+2) times unfolded note: the smallest cycle is 2 steps longer than strictly necessary pid=1 pid=2 pid=1 pid=1 pid=2 memory increase? adding (k+2) bits to each state pid=1 Logic Model Checking [17 of 18] 17

18 fair reminders Spin s built-in notion of fairness applies only to weak fairness, not strong fairness process scheduling not to non-deterministic choices within a process other types of fairness can be expressed in LTL with properties of the type []<>p Logic Model Checking [17 of 18] 18

19 relative complexity parameters: problem size P = (M*B*S) k processes typical values: M reachable states in model typical values: B states in property automaton typical values 1..4 S size of one state in bits Memory Run-Time safety properties P P liveness properties P P*2 liveness+weak fairness P P*2*(k+2) use abstraction and p.o. reduction to keep the model size M small use abstraction and compression to keep state size S small use simple properties, exploit separability, to keep B small use safety properties when possible liveness only when needed fairness constraints only when unavoidable Logic Model Checking [17 of 18] 19

20 sources of complexity data and control usually the size of the proctype automata is relatively small but data objects are easily misused... active [2] proctype bad() { int x; do :: x++ od spin A spec tries to warn about these types of redundancies this model defines 2 automata, with 1 control state each there are 2 integer variables, with 2 32 states each... the total number of reachable states is: 2 64 note that variable x is also write-only and in effect redundant a quick scan of a model can usually reveal these unnecessary sources of complexity in verification models (e.g., step counters) Logic Model Checking [17 of 18] 20

21 complexity of communication q message channels sslots per channel m different types of messages each channel can hold between 0 and s messages each message can be one of m different messages total number of possible states of the q message channels: R Q s q = Σ m i i=0 Logic Model Checking [17 of 18] 21

22 exponentials q: nr of channels s: nr of slots per channel m: nr of messages R Q q s = q synopsis: asynchronous message channels can introduce significant complexity flip-side: reducing the number of channels, the size of channels, the number of messages, can reduce complexity quickly Logic Model Checking [17 of 18] 22

23 divide and conquer... don t connect what is independent separate independent data streams p1 p2 p1 p2 p3 p3 R Q s q = Σ m i i=0 q=1 s=6 R Q = 5,461 states m=4 q=2 s=3 R Q = 225 states m=2 Logic Model Checking [17 of 18] 23

24 search optimization the complexity is determined by M*B*S: reducing any of these 3 numbers reduces verification complexity M: numbers of reachable states in the global state space the size of the asynchronous product automaton B: the number of states in the property automaton M almost always dominates (typically 10 6 states and up), the size of B is almost always very small (1..6 states) M can increase exponentially with the number of asynchronous processes and message channels in the model in many cases this can be avoided by revising the model slightly reducing the nr of processes and/or data objects, splitting data streams B can increase exponentially with the number of sub-formulae (or roughly: the number of operators) in an LTL formula in practice this is insignificant compared to the other factors that contribute to complexity see Appendix B re comparisons between CTL/LTL Logic Model Checking [17 of 18] 24

25 to reduce M*B*S non-algorithmic techniques to reduce complexity B: reducing the size of the property automaton use small separable properties, instead of one large combined one M: reducing the size of the global state space reducing the number of processes, message channels, data objects reducing the length of channels (number of slots) use a unique channel for each sender-receiver combination avoid data types with larger than necessary range using abstraction, separation of concerns, generalization, etc. S: reducing the size of individual states (the state-vector) using abstraction, lossless or lossy compression, or alternate state representation methods Logic Model Checking [17 of 18] 25

26 algorithmic techniques to reduce complexity to reduce M: partial order reduction (default in Spin) avoids computing equivalent paths and states to reduce S: lossless compression masking unused parts in state-vector (default in Spin) collapse compression (-DCOLLAPSE), increases time, reduces memory lossy compression hash-compact (-DHC), no increase in time, reduction in memory use, modest risk of incompleteness bitstate hashing (-DBITSTATE), reduction in time, large reduction in memory use, risk of incompleteness (statistical estimates of coverage) indirect methods using a recognizer (a minimized automaton) instead of a hashed lookup table to store states (-DMA), major increase in time, major reduction in memory Logic Model Checking [17 of 18] 26