MC-MC POR LTL MC-POR Conclusions

Multi-Core Partial-Order Reduction for LTL Model Checking

Alfons Laarman

alfons@laarman.com

joint work with Anton Wijs (Eindhoven University of Technology)

Formal Methods in Systems Engineering, Vienna University of Technology

May 5, 2015

Alfons Laarman (Vienna University of Technology) Multi-Core Partial-Order Reduction for LTL Model Checking 1/12


Goals

Combine:

  • Parallel model checking (exponential gains)
  • Partial-Order Reduction (POR) (exponential gains)


Scalable Multi-Core Model Checking

Research questions:

  • Can model checking scale on modern multi-cores?
  • Retain compatibility with different optimizations?

1. On-the-fly
2. Partial-order reduction
3. State compression
4. OR Symbolic with BDDs [van Dijk, L, van de Pol, 2013]

Formalism  Property      Explicit state  + Compression  + On-the-fly  + POR  Symbolic
Plain      Reachability  ✓               ✓              ✓             ✓      ✓
Plain      Liveness      ✓               ✓              ✓             ?      ✓
Timed      Reachability  ✓               ✓              ✓             ✓      ✓
Timed      Liveness      ✓               ✓              ✓             ?      ✓

1. Shared hash table approach (as opposed to distributed algorithms)
2. Lockless data structures
3. Parallel algorithms (Multi-Core Nested-DFS)


Partial-Order Reduction for LTL

State-space graph: G = (S, T, s0, AP)

On-the-fly exploration: en : S → S

Reduce successor function: por(s) ⊆ en(s).

[Figure: state-space diagram with the labels "deadlock" and "+ignoring"]

Smaller reduced set por() leads to smaller state space.


DFS Stack Proviso

    procedure DFS(s)
        for all s' in por(s) do
            if s' is not on stack and not visited then
                DFS(s')
        if successor of s is on the stack then
            explore s fully ( por(s) := en(s) )
        mark s visited

Why not anything else?

  • (Minimal) feedback vertex set (FVS) → NP-complete
  • Stack proviso is the best we can do on-the-fly and in linear time
  • DFS is P-complete ⇒ inherently sequential (assuming P ≠ NC)
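The ignoring problem and the stack proviso from the DFS pseudocode above, as an added Python example (not code from the slides): in a constructed model of three processes, por() always selects a single process, so without the proviso the search closes a cycle of process A and never executes process B. The model, its sizes A_LEN, K and M, and the helper names explore and b_finished are assumptions made for illustration.

```python
# Added example: DFS stack proviso on a constructed three-process model.
# A state is s = (a, b, c):
#   process A cycles forever through a = 0 .. A_LEN-1,
#   process B is a finite chain b = 0 .. K,
#   process C is a finite chain c = 0 .. M.
A_LEN, K, M = 3, 2, 3      # constructed sizes (assumptions, not from the slides)
S0 = (0, 0, 0)


def en(s):
    """Full successor function: one step of every enabled process."""
    a, b, c = s
    succ = []
    if c < M:
        succ.append((a, b, c + 1))            # step of C
    succ.append(((a + 1) % A_LEN, b, c))      # step of A (always enabled)
    if b < K:
        succ.append((a, b + 1, c))            # step of B
    return succ


def por(s):
    """Reduced successor function, por(s) ⊆ en(s): only one process moves.

    C is preferred while it can move; afterwards only A is selected, so B is
    postponed forever unless a cycle proviso forces a full expansion.
    """
    a, b, c = s
    if c < M:
        return [(a, b, c + 1)]
    return [((a + 1) % A_LEN, b, c)]


def explore(succ_fn, proviso):
    """DFS over succ_fn; with proviso=True, a state whose reduced successor
    is on the stack is explored fully (por(s) := en(s))."""
    visited, stack = set(), set()

    def dfs(s):
        stack.add(s)
        for t in succ_fn(s):
            if t not in stack and t not in visited:
                dfs(t)
        # Stack proviso: a successor on the stack means a cycle is closed here.
        if proviso and any(t in stack for t in succ_fn(s)):
            for t in en(s):
                if t not in stack and t not in visited:
                    dfs(t)
        visited.add(s)
        stack.discard(s)

    dfs(S0)
    return visited


def b_finished(states):
    """True if some explored state has process B at the end of its chain."""
    return any(b == K for (_, b, _) in states)


if __name__ == "__main__":
    runs = [("full en()", en, False),
            ("por(), no proviso", por, False),
            ("por(), stack proviso", por, True)]
    for name, fn, prov in runs:
        states = explore(fn, prov)
        print(f"{name:22s} states={len(states):2d} B finished={b_finished(states)}")
```

The reduced search without the proviso reports a smaller state space only because it has silently dropped every state in which B moved; the proviso restores them while still skipping the interleavings of C with A and B.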


Related Work (Parallel LTL + POR)

Algorithm/Proviso                    Reduction  Scalability
NDFS/Stack                           ++
TwoPhase [Gopalakrishnan et al.]     +-         ??
Topological sort [Barnat et al.]     +-         +
Sticky transitions [Peled et al]     •          +
MC-NDFS/n/a                          n/a        ++

Challenge: do as well as the DFS stack proviso in the parallel setting


Nested Depth-First Search for LTL

[Courcoubetis’93]

Büchi graph: G = (S, F, T, s0, AP)

On-the-fly exploration: en : S → S [Vardi et al, 1996]

Accepting cycle detection in Büchi automaton (6 ∈ F):

[Figure: graph with states 1 to 6]

accepting-cycles(G) ⊆ cycles(G)

Nested DFS (NDFS):

    procedure DFSblue(s)
        s.cyan := true
        for all s' in en(s) do
            if ¬s'.blue ∧ ¬s'.cyan then
                DFSblue(s')
        if s ∈ F then
            DFSred(s)
        s.blue := true
        s.cyan := false

    procedure DFSred(s)
        s.red := true
        for all s' ∈ en(s) do
            if s'.cyan then ExitCycle
            if ¬s'.red then DFSred(s')

  • Linear time
  • DFS itself is likely not parallelizable
  • DFS order is P-complete


Swarm Nested Depth-First Search

[Holzmann, 2010]

code for worker p:

    procedure DFSblue(s, p)
        s.cyan[p] := true
        for all s' in shuffle(en(s)) do
            if ¬s'.blue[p] ∧ ¬s'.cyan[p] then
                DFSblue(s', p)
        if s ∈ F then
            DFSred(s, p)
        s.blue[p] := true
        s.cyan[p] := false

    procedure DFSred(s, p)
        s.red[p] := true
        for all s' ∈ shuffle(en(s)) do
            if s'.cyan[p] then ExitCycle
            if ¬s'.red[p] then DFSred(s', p)


Multi-core Nested Depth-First Search

[atva11], [pdmc11], [atva12]

code for worker p:

    procedure DFSblue(s, p)
        s.cyan[p] := true
        for all s' in shuffle(en(s)) do
            if ¬s'.blue ∧ ¬s'.cyan[p] then
                DFSblue(s', p)
        if s ∈ F then
            R := ∅
            DFSred(s, p)
            await all accepting in R \ {s} are red
            mark all in R red
        s.blue := true
        s.cyan[p] := false

    procedure DFSred(s, p)
        R := R ∪ {s}
        for all s' ∈ shuffle(en(s)) do
            if s'.cyan[p] then ExitCycle
            if s' ∉ R ∧ ¬s'.red then DFSred(s', p)

[Figure: example run of workers P1 and P2 over the states s0, a1, a2, s1]

Conclusions:

  • MC-NDFS scales in practice and uses DFS
  • Does it preserve enough order to implement the stack proviso?


Stack Proviso in Parallel

    procedure DFSblue(s, p)
        s.cyan[p] := true
        for all s' in shuffle(por(s)) do
            if ¬s'.blue ∧ ¬s'.cyan[p] then
                DFSblue(s', p)
        if s ∈ F then
            R := ∅
            DFSred(s, p)
            await all accepting in R \ {s} are red
            mark all in R red
        if ∃s' ∈ por(s): s'.cyan then
            explore s fully with DFSblue
        s.blue := true
        s.cyan[p] := false

    procedure DFSred(s, p)
        R := R ∪ {s}
        for all s' ∈ shuffle(por(s)) do
            if s'.cyan[p] then ExitCycle
            if s' ∉ R ∧ ¬s'.red then DFSred(s', p)
        if successor of s is on DFSred_p stack then
            explore s fully with DFSred

  • Soundness: trivial
  • Completeness: Blue ⊆ (Blue ∪ p Cyanp)
  • Re-visiting problem [Holzmann et al., 1996 – On nested depth-first search]
  • No termination!


The Parallel Cycle Proviso

Add a state proviso flag (values: ?, true, false):

    procedure dfsBlue(s, p)
        ...
        prov := successor of s is on the local DFSblue stack
        compare and swap (s.proviso, ?, prov)
        if s.proviso then
            explore s fully with dfsBlue
        ...

    procedure dfsRed(s, p)
        ...
        prov := successor of s is on the local DFSred stack
        compare and swap (s.proviso, ?, prov)
        if s.proviso then
            explore s fully with dfsRed
        ...

Performance

Correctness

Backtracked states (blue and red):

    F = {s | s.proviso ≠ ?}
    V = {s | s.proviso = false}

Lemma 6. Backtracked states have a proviso set: (B ∪ R) ⊆ F.

Lemma 8. Successors of V states are backtracked: V ⊆ (B ∪ R).


Conclusions

Parallel cycle proviso (% reduction)

                         Threads
Model                    1       64
leader_filters.7         2.35    2.35
elevator.3               94.20   94.96
leader_election.4        3.02    3.02
leader_election.6        0.70    0.70
anderson.6               48.43   51.71
garp                     18.69   20.79
peterson4                15.52   15.67
iprotocol-2              34.80   37.91
pacemaker_distributed    47.81   48.26
pacemaker_concurrent     45.90   46.00

[Figure: speedup versus number of threads (0 to 64) for the models listed in the table]

  • DFS-proviso’s reduction power is preserved
  • Speedups maintained
  • Demonstrates the strength of parallel DFS-based algorithms
  • How much of the DFS order is preserved?
  • On which type of graphs does CNDFS scale?