Scalable Multi-core Model Checking: Technology & Applications of Brute Force
Part II: Liveness & Timed Systems
Jaco van de Pol, University of Twente, Formal Methods & Tools
30, 31 October 2014, VTSA 2014, Luxembourg
... Multi-core LTL model checking Interim Evaluation: Exhaustive Brute Force Timed Automata ...
Table of Contents
1 Multi-core LTL model checking
  Büchi automata for LTL model checking
  Nested Depth First Search
  Parallel Nested Depth First Search
2 Interim Evaluation: Exhaustive Brute Force
3 Timed Automata: subsumption of symbolic states
  Timed Büchi automata and subsumption
  Multi-core Implementation of Reachability
  LTL model checking with subsumption
UNIVERSITY OF TWENTE. Multi-core Model Checking 30, 31 October 2014 2 / 45
Recall LTL
LTL formulae are built using temporal operators; φ and ψ are formulae, interpreted over infinite paths.
◮ X φ: φ holds in the next state of this path (neXt)
◮ F φ: φ holds somewhere in this path (Future)
◮ G φ: φ holds everywhere on this path (Global)
◮ φ U ψ: ψ holds somewhere on this path, and φ holds in all preceding states (Until)
◮ φ R ψ: ψ holds as long as φ did not hold before (Releases)
Grammar: φ ::= p | ¬φ | φ ∧ φ | φ ∨ φ | X φ | F φ | G φ | φ U φ | φ R φ
Sufficient basis for LTL: φ ::= p | ¬φ | φ ∧ φ | X φ | φ U φ, since F φ = true U φ, φ ∨ ψ = ¬(¬φ ∧ ¬ψ), G φ = ¬F ¬φ and φ R ψ = ¬(¬φ U ¬ψ)
Kripke Structures and Paths
Kripke structures (just labeled graphs): a Kripke structure is a tuple M = (S, S0, R, AP, L), where
◮ S is a set of states
◮ S0 ⊆ S is the set of initial states
◮ R ⊆ S × S is a (total) transition relation on S
◮ AP is a set of atomic proposition labels
◮ L : S → P(AP) assigns to each state a set of labels
Infinite paths (just sequences of connected states):
◮ A path π in M is an infinite sequence (s0, s1, s2, . . .) through the Kripke structure M, so ∀i. si R si+1
◮ Notation: π ∈ path(s) if π starts with s (i.e. s0 = s)
◮ Notation: π^i is the suffix from i, i.e. (si, si+1, . . .)
Formal CTL* semantics: M, s0 ⊨ φ
Semantics of path formulas (given path π):
  π ⊨ φ ⇔ π(0) ⊨ φ, if φ is a state formula
  π ⊨ X φ ⇔ π^1 ⊨ φ
  π ⊨ F φ ⇔ for some i ≥ 0, π^i ⊨ φ
  π ⊨ G φ ⇔ for all i ≥ 0, π^i ⊨ φ
  π ⊨ φ U ψ ⇔ ∃i ≥ 0. π^i ⊨ ψ ∧ ∀j < i. π^j ⊨ φ
  π ⊨ φ R ψ ⇔ ∀j ≥ 0. (∀i < j. π^i ⊭ φ) ⇒ π^j ⊨ ψ
Some examples of LTL properties
◮ Every request will be acknowledged: G (req ⇒ req U ack)
◮ G F p: p happens infinitely often
◮ F G p: p is nearly always true
◮ Note the duality: ¬G F p ⇔ F G ¬p
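The path-formula semantics above can be executed directly on an ultimately periodic path, which is the shape of every counterexample an accepting-cycle search produces (a finite prefix leading into a loop). The Python below is an added example, not code from the slides: the `Lasso` class, the tuple encoding of formulas and the sample path `PI` are all constructed here. Because a lasso has only finitely many distinct suffixes π^i, each "for some i" or "for all i" only has to range over one pass through prefix plus loop; the block evaluates the slide's example properties on the sample path and checks the duality ¬G F p ⇔ F G ¬p on it.

```python
# Added example (not from the slides): LTL path-formula semantics evaluated on
# an ultimately periodic path ("lasso") prefix · loop^ω. A lasso has finitely
# many distinct suffixes π^i, so "for some i" / "for all i" only need to range
# over the positions reachable before a position repeats.
from typing import FrozenSet, List, Tuple

# Formulas are nested tuples: ("p",) | ("not", f) | ("and", f, g) | ("or", f, g)
#   | ("X", f) | ("F", f) | ("G", f) | ("U", f, g) | ("R", f, g)
Formula = Tuple


class Lasso:
    """Infinite path prefix · loop^ω; each state is its set of atomic propositions."""

    def __init__(self, prefix: List[FrozenSet[str]], loop: List[FrozenSet[str]]):
        assert loop, "the loop must be non-empty for the path to be infinite"
        self.states = prefix + loop
        self.loop_start = len(prefix)

    def next_pos(self, i: int) -> int:
        """Position i+1, wrapping from the end of the loop back to its start."""
        j = i + 1
        return self.loop_start if j == len(self.states) else j

    def positions_from(self, i: int) -> List[int]:
        """Positions i, i+1, ... up to the first repetition: one per distinct suffix of π^i."""
        seen, out = set(), []
        while i not in seen:
            seen.add(i)
            out.append(i)
            i = self.next_pos(i)
        return out


def holds(pi: Lasso, f: Formula, i: int = 0) -> bool:
    """π^i ⊨ f, following the path-formula semantics of the slide."""
    op = f[0]
    if op == "not":
        return not holds(pi, f[1], i)
    if op == "and":
        return holds(pi, f[1], i) and holds(pi, f[2], i)
    if op == "or":
        return holds(pi, f[1], i) or holds(pi, f[2], i)
    if op == "X":
        return holds(pi, f[1], pi.next_pos(i))
    if op == "F":
        return any(holds(pi, f[1], j) for j in pi.positions_from(i))
    if op == "G":
        return all(holds(pi, f[1], j) for j in pi.positions_from(i))
    if op == "U":
        # ∃k ≥ i. π^k ⊨ ψ ∧ ∀j < k. π^j ⊨ φ, scanning the suffix in order
        for j in pi.positions_from(i):
            if holds(pi, f[2], j):
                return True
            if not holds(pi, f[1], j):
                return False
        return False
    if op == "R":
        # φ R ψ = ¬(¬φ U ¬ψ), the duality from the "Recall LTL" slide
        return not holds(pi, ("U", ("not", f[1]), ("not", f[2])), i)
    return op in pi.states[i]   # atomic proposition


# Constructed sample path: req is raised at positions 1-2, ack arrives at 3,
# then the loop alternates a state where p holds with one where nothing holds.
PI = Lasso(
    prefix=[frozenset(), frozenset({"req"}), frozenset({"req"}), frozenset({"ack"})],
    loop=[frozenset({"p"}), frozenset()],
)

REQ_ACKED = ("G", ("or", ("not", ("req",)), ("U", ("req",), ("ack",))))  # G (req ⇒ req U ack)
GF_P = ("G", ("F", ("p",)))
FG_P = ("F", ("G", ("p",)))


def check_examples() -> dict:
    """Evaluate the slide's example properties on PI."""
    return {
        "G (req => req U ack)": holds(PI, REQ_ACKED),
        "G F p": holds(PI, GF_P),
        "F G p": holds(PI, FG_P),
        # duality ¬G F p ⇔ F G ¬p holds on every path, so both sides agree
        "duality": holds(PI, ("not", GF_P)) == holds(PI, ("F", ("G", ("not", ("p",))))),
    }


if __name__ == "__main__":
    for name, value in check_examples().items():
        print(f"{name:22} {value}")
```

On the sample path every request is eventually acknowledged and p holds infinitely often, but not almost always, because the loop contains a state without p; the U case stops scanning as soon as φ fails, which is what makes the finite pass over the lasso sufficient.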
Basic Automata Theoretic Approach
Automata Theoretic Approach
◮ Kripke structure M (system); LTL formula φ (requirement)
◮ Construct an automaton A that recognizes violations of φ. In other words: A accepts a word π ⇔ π ⊨ ¬φ
◮ M ⊨ φ iff L(M) ⊆ L(φ) iff M × A accepts ∅
◮ Problem: how to deal with infinite words?
Büchi automata for accepting infinite words
◮ Just like a normal automaton (NFA), with accepting states
◮ Accept words that hit an accepting state infinitely often
Examples of Büchi automata
Figures (omitted): Büchi automata for "almost always" F G p, "infinitely often" G F p, and "infinitely often with guarantee" G (q U p)
Model Checking by Accepting Cycles
LTL Model Checking
◮ A buggy run in a system can be viewed as an infinite word
◮ Absence of bugs: emptiness of some Büchi automaton
◮ S ⊆ P iff S ∩ ¬P = ∅ iff S × ¬P has no accepting cycle
◮ Graph problem: find a reachable accepting state on a cycle
◮ Basic algorithm: Nested Depth First Search (NDFS)
Properties of NDFS
◮ NDFS runs in linear time
◮ Inherently depends on post-order
◮ Post-order is P-complete [Reif’85]
◮ Not parallelizable (unless P=NC)
Recall: Nested Depth First Search
[CVWY’92] [Holzmann’92]
◮ Blue search: explore the graph in DFS order
  ◮ states on the blue search stack are cyan
  ◮ on backtracking from an accepting state, start a red search
◮ Red search: find an accepting cycle
  ◮ exit as soon as the cyan stack is reached
◮ Linear time, depends on post-order
Blue search
  procedure dfsBlue(s)
    add s to Cyan
    for all successors t of s do
      if t ∉ Blue ∪ Cyan then dfsBlue(t)
    if s is accepting then dfsRed(s)
    move s from Cyan to Blue
Red search
  procedure dfsRed(s)
    add s to Red
    for all successors t of s do
      if t ∈ Cyan then Exit: cycle detected
      if t ∉ Red then dfsRed(t)
Simple idea: Swarmed Nested Depth First Search
Laarman, Langerak, van de Pol, Wijs [ATVA’11]
Multi-core Swarmed NDFS
◮ W workers perform independent random NDFS
◮ Visited states are stored in a shared hashtable
◮ All workers use their own set of colors (2W bits per state)
◮ Speeds up bug hunting only
Blue search
  procedure dfsBlue(s, i)
    add s to Cyan[i]
    for all successors t of s do
      if t ∉ Blue[i] ∪ Cyan[i] then dfsBlue(t, i)
    if s is accepting then dfsRed(s, i)
    move s from Cyan[i] to Blue[i]
Red search
  procedure dfsRed(s, i)
    add s to Red[i]
    for all successors t of s do
      if t ∈ Cyan[i] then Exit: cycle detected
      if t ∉ Red[i] then dfsRed(t, i)
Multi-core Nested Depth First Search
Laarman, van de Pol, ... [ATVA’11] [PDMC’11]; Evangelista, Laarman, van de Pol [ATVA’12]
Multi-core NDFS (several variations)
◮ Collaboration between NDFS workers
  ◮ Share red and/or blue globally
  ◮ Workers backtrack on parts finished by others
  ◮ Correctness: complicated to restore post-order
  ◮ Performance: reasonable scalability
Blue search
  procedure dfsBlue(s, i)
    add s to Cyan[i]
    for all successors t of s do
      if t ∉ Blue ∪ Cyan[i] then dfsBlue(t, i)
    if s is accepting then dfsRed(s, i)
    move s from Cyan[i] to Blue
Red search
  procedure dfsRed(s, i)
    add s to Red
    for all successors t of s do
      if t ∈ Cyan[i] then Exit: cycle detected
      if t ∉ Red then dfsRed(t, i)
Swarmed NDFS versus Parallel NDFS
Experiments from [ATVA’11] on BEEM benchmarks on 16 cores
Plot (omitted): Swarmed versus Sequential NDFS
Plot (omitted): Swarmed versus Parallel NDFS
Conclusions
◮ Swarmed NDFS speeds up bug hunting
◮ Parallel NDFS also speeds up verification
Nested Depth First Search [Courcoubetis, Vardi, etal.]
  procedure DFSblue(s)
    s.blue := true
    for all t ∈ post(s) do
      if ¬t.blue then DFSblue(t)
    if s ∈ Accepting then
      seed := s
      DFSred(s)
  procedure DFSred(s)
    s.red := true
    for all t ∈ post(s) do
      if t = seed then ExitCycle
      if ¬t.red then DFSred(t)
Nested DFS
◮ Blue search
  ◮ Visits all reachable states
  ◮ Starts Red search on accepting states (seed) in post-order
◮ Red search
  ◮ Finds cycle through seed
  ◮ Visits states at most once
◮ Linear time, on-the-fly
◮ Blue is inherently depth-first
Swarmed Multi-core Nested Depth First Search
Code for worker i:
  procedure DFSblue(s, i)
    s.blue[i] := true
    for all t ∈ post(s) do
      if ¬t.blue[i] then DFSblue(t, i)
    if s ∈ Accepting then
      seed[i] := s
      DFSred(s, i)
  procedure DFSred(s, i)
    s.red[i] := true
    for all t ∈ post(s) do
      if t = seed[i] then ExitCycle
      if ¬t.red[i] then DFSred(t, i)
Multi-core Swarmed NDFS
◮ N workers perform parallel search independently [G. Holzmann et al.]
◮ Multi-core: store visited states in a shared hash table [FMCAD 2010, SPIN 2011]
◮ Scales well in the presence of accepting cycles (bugs)
◮ Otherwise, all workers traverse the whole graph
Approaches to Parallel LTL Model Checking
Speedup of Swarmed NDFS (1 versus 16 cores)
Plot (omitted): speedup of Swarmed NDFS on the [BEEM database]
Alternatives
◮ Swarm verification with NDFS
  ◮ Effective, only for bug finding
◮ Dual-core NDFS [Holzmann]
  ◮ Red search on 2nd CPU
  ◮ Speedup of at most factor 2
◮ Red search as parallel reachability
  ◮ Speedup still ≤ 2: |G| + |G|/N
◮ Can one do better?
  ◮ Post-order is P-complete, so DFS is not efficiently parallelizable
◮ Breadth-first based:
  ◮ OWCTY, MAP [Brno]
  ◮ Not linear (|G| · h), not on-the-fly
New NDFS with Cyan and Pink [à la Schwoon/Esparza]
s.bc: white → cyan → blue
s.rc: white → pink → red
  procedure DFSblue(s)
    s.bc := cyan
    for all t ∈ post(s) do
      if t.bc = white then DFSblue(t)
    if s ∈ Acc then DFSred(s)
    s.bc := blue
  procedure DFSred(s)
    s.rc := pink
    for all t ∈ post(s) do
      if t.bc = cyan then ExitCycle
      if t.rc = white then DFSred(t)
    s.rc := red
What goes wrong if the DFS order is violated?
Figures (omitted): three snapshots of a four-state graph with accepting states 1 and 2
What if:
◮ The red search starts from 1, and no cyan state is encountered
◮ On the backtrack, the states are colored red
◮ A new red search starts from 2, but terminates immediately
No accepting cycle is detected!
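The dependence on post-order can be made concrete by running the cyan/blue, pink/red NDFS of the previous slides on the four-state graph of this slide. The Python below is an added example, not code from the slides: the `NDFS` class, its `red_on_backtrack` switch and the constructed graph `GRAPH` (accepting states 1 and 2, the only accepting cycle being 2 → 3 → 4 → 2) are assumptions made here. With the red search started on backtracking (post-order) the cycle is reported; starting it on entry to accepting state 1 instead paints 2, 3 and 4 red before 2 gets its own red search, and the cycle is missed exactly as described above.

```python
# Added example (not from the slides): sequential NDFS with the cyan/blue and
# pink/red colourings of the Schwoon/Esparza variant. The graph stands for a
# product M x A; its accepting states are where the Büchi automaton accepts.
from typing import Dict, List, Optional, Set


class CycleFound(Exception):
    """Raised by the red search when it closes an accepting cycle."""

    def __init__(self, cycle: List[str]):
        super().__init__(" -> ".join(cycle))
        self.cycle = cycle


class NDFS:
    def __init__(self, succ: Dict[str, List[str]], accepting: Set[str],
                 red_on_backtrack: bool = True):
        self.succ = succ
        self.acc = accepting
        # False starts the red search when an accepting state is entered
        # (pre-order), i.e. the violated DFS order of the slide.
        self.red_on_backtrack = red_on_backtrack
        self.bc: Dict[str, str] = {}   # blue colour: white -> cyan -> blue
        self.rc: Dict[str, str] = {}   # red colour:  white -> pink -> red
        self.stack: List[str] = []     # blue DFS stack = the cyan states, in order
        self.red_path: List[str] = []  # path of the current red search, seed first

    def run(self, init: str) -> Optional[List[str]]:
        """Return an accepting cycle (as a closed list of states) or None."""
        try:
            self.dfs_blue(init)
        except CycleFound as found:
            return found.cycle
        return None

    def dfs_blue(self, s: str) -> None:
        self.bc[s] = "cyan"
        self.stack.append(s)
        if not self.red_on_backtrack and s in self.acc:
            self.dfs_red(s)                     # wrong: red search in pre-order
        for t in self.succ.get(s, []):
            if self.bc.get(t, "white") == "white":
                self.dfs_blue(t)
        if self.red_on_backtrack and s in self.acc:
            self.dfs_red(s)                     # correct: red search in post-order
        self.stack.pop()
        self.bc[s] = "blue"

    def dfs_red(self, s: str) -> None:
        self.rc[s] = "pink"
        self.red_path.append(s)
        for t in self.succ.get(s, []):
            if self.bc.get(t) == "cyan":
                # t is on the blue stack: stack[t..seed] + red path closes a cycle
                raise CycleFound(self.stack[self.stack.index(t):] + self.red_path[1:] + [t])
            if self.rc.get(t, "white") == "white":
                self.dfs_red(t)
        self.red_path.pop()
        self.rc[s] = "red"


# Constructed graph from the "What goes wrong if the DFS order is violated?"
# slide: accepting states 1 and 2; the only accepting cycle is 2 -> 3 -> 4 -> 2.
GRAPH = {"1": ["2"], "2": ["3"], "3": ["4"], "4": ["2"]}
ACC = {"1", "2"}


def postorder_ndfs() -> Optional[List[str]]:
    """Red searches on backtracking: 2 is the first accepting state backtracked, cycle found."""
    return NDFS(GRAPH, ACC, red_on_backtrack=True).run("1")


def preorder_ndfs() -> Optional[List[str]]:
    """Red search from 1 first paints 2, 3, 4 red, so the later search from 2 stops at once."""
    return NDFS(GRAPH, ACC, red_on_backtrack=False).run("1")


if __name__ == "__main__":
    print("post-order NDFS:", postorder_ndfs())   # ['2', '3', '4', '2']
    print("pre-order NDFS: ", preorder_ndfs())    # None: the accepting cycle is missed
```

The red colour is only sound as a "no accepting cycle through here" mark when every accepting state reachable from the seed has already had its own red search, which is exactly what post-order guarantees and pre-order breaks.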
Parallel NDFS: share the red color (first try)
s.color[i]: white → cyan → blue
s.pink[i], s.red: Boolean
  procedure DFSblue(s, i)            (pruned by the shared red color)
    s.color[i] := cyan
    for all t ∈ post(s) do
      if t.color[i] = white and ¬t.red then DFSblue(t, i)
    if s ∈ Acc then DFSred(s, i)
    s.color[i] := blue
  procedure DFSred(s, i)             (pruned by the shared red color)
    s.pink[i] := true
    for all t ∈ post(s) do
      if t.color[i] = cyan then ExitCycle
      if ¬t.pink[i] and ¬t.red then DFSred(t, i)
    s.red := true
(unfortunately incorrect)
Example: what is the meaning of red? (2 workers)
Figure (omitted): all accepting cycles contain red
Figure (omitted): accepting states on cycles get red
Figure (omitted): no problem, path pink → cyan
Synchronisation is necessary: third worker strikes!
Figure (omitted): workers 1, 2 proceed as before
Figure (omitted): worker 3 starts a red search in 1; no cycle will be detected!
Parallel NDFS: share the red color (correct version) [ATVA 2011]
  procedure DFSblue(s, i)
    s.color[i] := cyan
    for all t ∈ post(s) do
      if t.color[i] = white and ¬t.red then DFSblue(t, i)
    if s ∈ Acc then DFSred(s, i)
    s.color[i] := blue
  procedure DFSred(s, i)
    s.pink[i] := true
    for all t ∈ post(s) do
      if t.color[i] = cyan then ExitCycle
      if ¬t.pink[i] and ¬t.red then DFSred(t, i)
    s.pink[i] := false
    if s ∈ Acc then await ∀j : ¬s.pink[j]
    s.red := true
Optimization 1: Early detection and 2N+1+log(N) bits
  procedure DFSblue(s, i)
    s.color[i] := cyan
    for all t ∈ post(s) do
      if t.color[i] = cyan and (s ∈ Acc or t ∈ Acc) then ExitCycle
      if t.color[i] = white and ¬t.red then DFSblue(t, i)
    if s ∈ Acc then s.count++; DFSred(s, i)
    s.color[i] := blue
  procedure DFSred(s, i)
    s.color[i] := pink
    for all t ∈ post(s) do
      if t.color[i] = cyan then ExitCycle
      if t.color[i] ≠ pink and ¬t.red then DFSred(t, i)
    if s ∈ Acc then s.count−−; await s.count = 0
    s.red := true
Optimization 2: Sprinkle red paint [Gaiser/Schwoon]
  procedure DFSblue(s, i)
    s.color[i] := cyan
    all_successors_red := true
    for all t ∈ post(s) do
      if t.color[i] = cyan and (s ∈ Acc or t ∈ Acc) then ExitCycle
      if t.color[i] = white and ¬t.red then DFSblue(t, i)
      if ¬t.red then all_successors_red := false
    if all_successors_red then s.red := true
    else if s ∈ Acc then s.count++; DFSred(s, i)
    s.color[i] := blue
  procedure DFSred(s, i)
    s.color[i] := pink
    for all t ∈ post(s) do
      if t.color[i] = cyan then ExitCycle
      if t.color[i] ≠ pink and ¬t.red then DFSred(t, i)
    if s ∈ Acc then s.count−−; await s.count = 0
    s.red := true
Swarmed NDFS versus Parallel NDFS
Plot (omitted): Swarmed NDFS (1 versus 16 cores)
Plot (omitted): Parallel NDFS (1 versus 16 cores)
OWCTY and Swarmed NDFS versus Parallel NDFS
Plot (omitted): Swarmed versus Parallel NDFS (both 16 cores)
Plot (omitted): OWCTY versus Parallel NDFS (both 16 cores)
Experiments extended to 48 cores
From [PDMC’12]. See fmt.cs.utwente.nl/tools/ltsmin/performance/
Plot (omitted): Reachability, speedup versus threads, Promela: Bakery protocol; legend: divine-table, ltsmin-cleary-tree, ltsmin-table, ltsmin-tree, spin-hc, spin-nohc
Plot (omitted): LTL model checking,
 speedup versus threads, Promela: Elevator controller; legend: divine-owcty, ltsmin-cndfs, spin-pb
Interim Evaluation: what did we learn?
Reachability: implementation matters, keep it simple
◮ Leave workers alone when possible; load balancing
◮ Rely on randomness to avoid “duplicate work”
◮ Careful design of concurrent data structures
LTL model checking
◮ Previous parallel algorithms (OWCTY) used BFS: O(N²)
◮ Now: linear, speedups . . . P = NC, or what did we do?
  ◮ W → ∞ versus W = 48
  ◮ Worst case O(N · W), no speedup
Remaining theoretical questions
◮ Average (randomized) runtime/scalability analysis
◮ Why doesn’t this work for Strongly Connected Components?
Practical Evaluation: Solved multi-core model checking?
Multi-core MC is compatible with
◮ On-the-fly
◮ Partial-order reduction
◮ State compression
◮ Symbolic model checking
Quite general
◮ Arbitrary state/edge labels
◮ mCRL2, Promela, DVE, GSPN
◮ LLVM, C, xUML, POOSL, ??
◮ Domain Specific Languages?
Remaining questions
◮ Even better speedup, especially for symbolic model checking
◮ Quite restricted to explicit state model checking
◮ Infinite state systems? data, recursion, time, BDDs, . . .
Model checking LTL for Timed Automata
Laarman, Olesen, Dalsgaard, Kim Larsen, van de Pol [FORMATS’12] [CAV’13]
Handling Timed Automata
◮ Work with timed zones (DBM) for Timed Büchi Automata
◮ Checking LTL properties for Uppaal timed automata
◮ Use subsumption to prune Nested DFS where possible
◮ Multi-core NDFS algorithm for Timed Büchi Automata
Tool support
Diagram (omitted): tool chain with the Uppaal xml-file and LTL property, ltl2ba, the opaal successor generator and DBM library, LTSmin C++ code with mc-NDFS, and the verification result
◮ Open source through opaal and LTSmin
  ◮ opaal-modelchecker.com/
  ◮ fmt.cs.utwente.nl/tools/ltsmin/
Timed Büchi Automata [Alur, Dill’94]
Figure (omitted): timed automaton with locations ℓ0, ℓ1, ℓ2, clocks x and y, invariants y ≤ 2, guard [x > 2], and resets x := 0, y := 0 and y := 0
Ingredients
◮ locations (ℓ0, ℓ1, ℓ2), can be initial or accepting
◮ transitions, governed by real-valued clocks (x, y)
◮ timed runs should respect clock guards, resets, invariants
Example timed run (figure; delays on the arrows): ℓ0 −2.7→ ℓ0 −1.8→ ℓ1 −0.5→ ℓ2 −2.0→ ℓ1 −2.0→ · · ·
Question: is the Büchi language empty? . . . . . . . no counterexample
Does a (non-zeno) timed run exist that visits an accepting state infinitely often?
Finite representation: zone abstraction, extrapolation
Figure (omitted): the same timed automaton and its zone graph with symbolic states (ℓ0, Z0), (ℓ1, Z1), (ℓ2, Z2), (ℓ1, Z2)
Finite representation by zones (DBM) [Dill’89] [Daws, Tripakis’98]
◮ A zone is a set of constraints
◮ finite by taking into account the lower/upper bounds
No accepting run!
  Z0 := y = x
  Z1 := y ≤ x ∧ y ≤ 2
  Z2 := y = x ∧ y ≤ 2
Subsumption: Z2 ⊆ Z1, so (ℓ1, Z2) ⊑ (ℓ1, Z1)
Subsumption, or inclusion abstraction
Why explore a state again, if it is subsumed by a previous state?
Figures (omitted): zone abstraction with states s0, s1, s2, s3 where s3 ⊑ s1, and the graph after subsumption with s0, s1, s2
Known results [Behrmann et al.’04] [Tripakis’09] [Li’09]
◮ finite zone abstraction preserves reachability of locations
◮ finite zone abstraction also preserves Büchi emptiness
◮ subsumption preserves reachability of locations as well
Open problem, posed in [Tripakis’09]: Is emptiness of Timed Büchi Automata preserved by subsumption? NO
Extension to Multi-core Reachability . . . [FORMATS’12]
◮ Timed zones captured in Difference Bound Matrices (DBM)
◮ For LTSmin, extend the discrete state vector s with a pointer to a DBM: (s, σ)
◮ Extend the PINS API with a function Covers(σ, τ)
◮ Hash based on discrete parts, keep a list of maximal zones
◮ Can be generalized to other symbolic domains (lattice model checking)
Analysis of accepting spirals with subsumption
[CAV’13]
⊑ is a simulation relation: if s ⊑ s′ and s → t, then s′ → t′ for some t′ with t ⊑ t′; ⊑ is a finite abstraction
Figure (omitted): simulation square with s, s′, t, t′ and spiral with t′′, t′′′
Lemma: If s has an accepting cycle then any s′ ⊒ s has it as well
Lemma: If t′ has an accepting spiral then t′ has an accepting cycle
Preservation of accepting cycles
Proof sketch (diagram omitted): the spiral t →+ t′ →+ t′′ →+ · · · with t ⊑ t′ ⊑ t′′ ⊑ · · · is folded back onto a cycle through t
Subsumption in Nested Depth First Search
[CAV’13]
Blue search: find accepting states in post-order
  procedure dfsBlue(s)
    Cyan := Cyan ∪ {s}
    for all successors t of s do
      if t ∉ Blue ∪ Cyan ∧ t ⋢ Red then        (prune the blue search on Red only)
        dfsBlue(t)
    if s is accepting then dfsRed(s)
    Blue, Cyan := Blue ∪ {s}, Cyan \ {s}
Red search: find cycles on accepting states
  procedure dfsRed(s)                            (postcondition: no accepting spiral reachable)
    Red := Red ∪ {s}
    for all successors t of s do
      if t ∈ Cyan ∨ t ⊒ Cyan then                (accepting spiral found!)
        Exit: cycle detected
      if t ∉ Red ∧ t ⋢ Red then                  (a spiral on t would give a spiral from Red)
        dfsRed(t)
Subsumption on Blue is Unsound
Assume we would backtrack on t as soon as t ⊑ Blue:
Figure (omitted): states s0, s1, s2, s3, s4, s5 and the subsumed copies s′1, s′2 with s′2 ⊑ s2
Accepting cycle s4–s5 not detected
◮ The blue search proceeds via s0, s1, s2, then backtracks via s1 to s3
◮ Now since s′2 ⊑ Blue, the blue search is pruned at s3
◮ s3 ∈ Acc, so a red search is started: s3, s′2, s′1, s4, s5
◮ The only accepting cycle s4–s5 is erroneously made red
◮ Note: accepting states are not visited in post-order
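The sound and the unsound pruning rule can be contrasted by running the set-based NDFS with subsumption of the previous slide on this slide's example graph. The Python below is an added example, not code from the slides: zones are abstracted to finite sets, so that t ⊑ u means "same location and zone(t) ⊆ zone(u)", and the states s0 … s5 with s′1 ⊑ s1 and s′2 ⊑ s2, the successor relation `SUCC` and the accepting set `ACC` are constructed here to follow the bullets above. With `prune_blue_by_blue=True` the blue search backtracks on s′2 ⊑ s2, the red search from s3 paints s4 and s5 red and no cycle is reported; with pruning on Red only (as in the [CAV’13] algorithm) the cycle s4–s5 is found.

```python
# Added example (not from the slides): NDFS with subsumption on (location, zone)
# states. Zones are modelled as finite sets, so t ⊑ u means "same location and
# zone(t) ⊆ zone(u)"; this stands in for DBM inclusion for illustration only.
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

State = Tuple[str, FrozenSet[int]]


def subsumed(t: State, u: State) -> bool:
    """t ⊑ u: same location and the zone of t is included in the zone of u."""
    return t[0] == u[0] and t[1] <= u[1]


class CycleFound(Exception):
    """Carries the accepting cycle/spiral found by the red search."""


class SubsumptionNDFS:
    def __init__(self, succ: Dict[State, List[State]], acc: Set[State],
                 prune_blue_by_blue: bool = False):
        self.succ, self.acc = succ, acc
        self.prune_blue_by_blue = prune_blue_by_blue  # True selects the unsound variant
        self.cyan: List[State] = []       # blue DFS stack (the Cyan set, in order)
        self.blue: Set[State] = set()
        self.red: Set[State] = set()
        self.red_path: List[State] = []   # current red search path, seed first

    @staticmethod
    def below(t: State, states: Iterable[State]) -> bool:   # t ⊑ S
        return any(subsumed(t, u) for u in states)

    @staticmethod
    def above(t: State, states: Iterable[State]) -> bool:   # t ⊒ S
        return any(subsumed(u, t) for u in states)

    def run(self, init: State) -> Optional[List[State]]:
        try:
            self.dfs_blue(init)
        except CycleFound as found:
            return found.args[0]
        return None

    def dfs_blue(self, s: State) -> None:
        self.cyan.append(s)
        for t in self.succ.get(s, []):
            if t in self.blue or t in self.cyan or self.below(t, self.red):
                continue                       # sound: prune on Blue, Cyan and t ⊑ Red
            if self.prune_blue_by_blue and self.below(t, self.blue):
                continue                       # unsound: also prune on t ⊑ Blue
            self.dfs_blue(t)
        if s in self.acc:
            self.dfs_red(s)
        self.cyan.pop()
        self.blue.add(s)

    def dfs_red(self, s: State) -> None:
        self.red.add(s)
        self.red_path.append(s)
        for t in self.succ.get(s, []):
            if t in self.cyan or self.above(t, self.cyan):
                # accepting spiral: t lands on (or above) a state of the blue stack
                base = t if t in self.cyan else next(u for u in self.cyan if subsumed(u, t))
                raise CycleFound(self.cyan[self.cyan.index(base):] + self.red_path[1:] + [t])
            if t not in self.red and not self.below(t, self.red):
                self.dfs_red(t)                # a spiral on t would give a spiral from Red
        self.red_path.pop()


def st(loc: str, *zone: int) -> State:
    return (loc, frozenset(zone))


# Constructed instance of the slide's counterexample: s1' ⊑ s1 and s2' ⊑ s2,
# s3 and s4 accepting, and the only accepting cycle is s4 -> s5 -> s4.
S0, S1, S2, S3 = st("l0", 1), st("l1", 1, 2), st("l2", 1, 2), st("l3", 1)
S1P, S2P = st("l1", 1), st("l2", 1)
S4, S5 = st("l4", 1), st("l5", 1)
SUCC: Dict[State, List[State]] = {
    S0: [S1], S1: [S2, S3], S2: [], S3: [S2P],
    S2P: [S1P], S1P: [S4], S4: [S5], S5: [S4],
}
ACC = {S3, S4}


def sound_run() -> Optional[List[State]]:
    """Blue pruned by Red only: the cycle s4 -> s5 -> s4 is reported."""
    return SubsumptionNDFS(SUCC, ACC).run(S0)


def unsound_run() -> Tuple[Optional[List[State]], bool]:
    """Blue also pruned by t ⊑ Blue: returns (witness, whether s4 and s5 ended up red)."""
    ndfs = SubsumptionNDFS(SUCC, ACC, prune_blue_by_blue=True)
    return ndfs.run(S0), {S4, S5} <= ndfs.red


if __name__ == "__main__":
    print("sound:  ", sound_run())     # [S4, S5, S4]
    print("unsound:", unsound_run())   # (None, True)
```

The red check `t ⊒ Cyan` reports a spiral rather than an exact cycle, which is what the lemma on accepting spirals makes sound; pruning the blue search on Blue by subsumption is not covered by any such lemma, and the run above shows why.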
Experiments: speedup up to 48 cores
Reachability: [FORMATS’12]. LTL model checking: [CAV’13]
Plot (omitted): BFS reachability on timed automata, speedup versus threads; models: fischer6, train-crossing-stdred-5, train-gate-N10, train-gate-N9, viking15, viking17
Plot (omitted): checking LTL on timed automata, speedup versus threads; models: csma, fddi, fischer-1, fischer-2, train-gate
Experiments with opaal and LTSmin (open source): hours → minutes → seconds
Literature on LTSmin (liveness - LTL model checking)
LTL model checking
◮ Alfons Laarman, Rom Langerak, Jaco van de Pol, Michael Weber, A. Wijs: Multi-Core Nested Depth-First Search (ATVA 2011)
◮ Alfons Laarman, Jaco van de Pol: Variations on Multi-Core Nested Depth-First Search (PDMC 2011)
◮ Sami Evangelista, Alfons Laarman, Laure Petrucci and Jaco van de Pol: Improved Multi-Core Nested Depth-First Search (ATVA 2012)
Timed Automata
◮ A. Dalsgaard, A.W. Laarman, K.G. Larsen, M. Olesen, J. van de Pol: Multi-Core Reachability for Timed Automata (FORMATS’12)
◮ Alfons Laarman, M. Olesen, A. Dalsgaard, K.G. Larsen, J. van de Pol: Multi-core emptiness checking of timed Büchi automata using inclusion abstraction (CAV’13)