Double check conjunctive guard transition of German - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • Double check conjunctive guard transition of
    German's; perhaps even model check
  • German: model check buggy behaviors

2
A New Approach to Upward-Closed Set Backward
Reachability Analysis
INFINITY '04 6th International Workshop on
Verification of Infinite-State Systems
  • Jesse Bingham
  • University of British Columbia, Canada

Saturday 4 September 2004 London, England
3
Introduction (1/3)
  • A new approach to backwards reachability for
    broadcast protocols (BP)
  • The standard approach (SA) [Esparza et al. 99] is
    based on the theory of well-structured transition
    systems [Abdulla et al. 96, Finkel & Schnoebelen 01]
    • processes sets of vectors of naturals
    • these sets form bases for infinite upward-closed
      sets of vectors
  • In contrast, our approach (OA)
    • analyses finite BP instances of increasing size
    • processes sets of concrete global states
    • enables BDD-based symbolic model checking

4
Introduction (2/3)
  • Let m be the number of local states in the BP.
    The primary strength of OA:
    • SA processes vectors of dimension m; if m is
      large (i.e. 100s or 1000s), things can blow up
    • OA uses BDDs to encode local states; BDDs have
      been known to represent large sets succinctly
    • For example, m = 1000 only requires 10 BDD
      variables to encode the state of a process
  • Weaknesses
    • OA undoes the symmetry reduction inherent in SA
    • OA employs a BDD operation called existential
      lifting that might cause things to blow up
      (bounding this is future work)

5
Introduction (3/3)
  • I'll assume some basic familiarity with
    well-structured transition systems, upward-closed
    sets, and the algorithm for safety properties in
    [Abdulla et al. 96]
  • I'll omit many technical details and formalities

6
Outline
  • The problem
  • The standard approach
  • Our approach
  • Experiments
  • Future work/conclusions

7
The Problem
  • The systems are broadcast protocols (BP)
    • a generalization of Petri nets
  • Specifications are a class of safety properties:
    • bad scenarios, characterized as upward-closed
      sets, are not reachable
  • The problem is known to be decidable via SA
    [Esparza et al. 99]

8
Broadcast Protocols
Intuitively, a Broadcast Protocol (BP) [Emerson &
Namjoshi 98] represents an arbitrary number of
identical finite-state processes that communicate
through guarded broadcasts and rendezvous-style
synchronizations.
9
BP Transitions
  • Local: A single process locally changes state;
    all others stay in the same state.
  • Rendezvous: Some bounded number of processes
    collaborate to change state atomically; all
    others stay in the same state.
  • Broadcast: All processes change state together.
    The next state of each process is determined by
    its current state. Some bounded number of
    processes collaborate to instigate the broadcast
    transition (i.e. they guard the broadcast).

10
Three Notions of BP State
  • A local state is the state of an individual
    process; we denote the (finite) set of all local
    states by L, and denote m = |L|
  • A g-state (global state) is an element of L^k for
    some k
    • lists the state of each process in an instance
      with k processes
  • A vector is an m-tuple of naturals v = (v_1, …, v_m)
    ∈ N^m
    • for each i ∈ {1, …, m}, v_i is the number of
      processes in local state i
    • the weight of vector v is the sum of its
      components, denoted |v|, i.e. the weight is the
      number of processes
    • vectors abstract sets of g-states in the usual
      way

11
BP States Example
Suppose the local states are L = {x, y, z}

process   1   2   3   4   5   6
state     y   z   z   x   z   x

Then the g-state is (y,z,z,x,z,x), while the
vector is (2,1,3). The g-state (x,z,z,z,y,x)
has the same vector, as do many others, i.e. the
vector abstracts all g-states involving exactly 2
x's, 1 y, and 3 z's.
12
BP Reachability Problem
  • The broadcast protocol Reachability Problem
    (BPRP) asks: given
    • a broadcast protocol B,
    • a parameterized set of initial vectors Init,
    • an upward-closed set of target (bad) vectors U,
    are there vectors v ∈ Init and u ∈ U such that u is
    reachable from v by following transitions of B?

13
Outline
  • The problem
  • The standard approach
  • Our approach
  • Experiments
  • Future work/conclusions

14
Standard Algorithm
Previous_Reach := ∅; Reach := basis(U)
while ( ↑Reach ≠ ↑Previous_Reach ) do
  if ( Init ∩ ↑Reach ≠ ∅ ) then exit with verification failure
  Previous_Reach := Reach
  Reach := basis(Pre(↑Reach)) ∪ basis(U)
exit with verification success

Previous_Reach and Reach both have the type
"finite subset of N^m".
After the ith iteration, Reach is a finite basis for
the set of vectors from which U can be reached in
at most i transitions.
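The Standard Algorithm above, run on a small Petri net (a special case of a broadcast protocol) with explicit, minimised bases standing in for the CST data structure. This is an added example, not code from the talk or the paper; the mutual-exclusion net, its bad scenario and the Init predicate are constructed here.

```python
# Added example, not from the slides. A transition is a pair (consume, produce)
# of place vectors; a basis is a set of minimal vectors of an upward-closed set.

def dominates(x, y):
    """x >= y componentwise, i.e. x lies in the upward closure of {y}."""
    return all(a >= b for a, b in zip(x, y))

def minimise(vectors):
    """Canonical basis of an upward-closed set: keep only its minimal vectors."""
    vs = set(vectors)
    return {v for v in vs if not any(u != v and dominates(v, u) for u in vs)}

def pre_basis(basis, transitions):
    """Basis of Pre(↑basis): for v in basis and t = (c, p), the least marking
    that both enables t and is taken above v by t is c + max(v - p, 0)."""
    return {tuple(ci + max(vi - pi, 0) for vi, ci, pi in zip(v, c, p))
            for v in basis for c, p in transitions}

def standard_algorithm(transitions, bad_basis, meets_init):
    """Returns (verified, final basis). meets_init(v) answers whether some
    initial marking of the parameterised family lies in ↑{v}."""
    previous, reach = set(), minimise(bad_basis)
    while reach != previous:            # bases are canonical, so ↑-equality is set equality
        if any(meets_init(v) for v in reach):
            return False, reach         # Init ∩ ↑Reach ≠ ∅: verification failure
        previous = reach
        reach = minimise(pre_basis(reach, transitions) | set(bad_basis))
    return True, reach                  # fixpoint reached without meeting Init

# Constructed mutual-exclusion net: places (idle, wait, crit, lock); n client
# tokens start on idle and one token on lock. Bad: two or more tokens on crit.
IDLE, WAIT, CRIT, LOCK = range(4)
MUTEX = [
    ((1, 0, 0, 0), (0, 1, 0, 0)),   # idle -> wait
    ((0, 1, 0, 1), (0, 0, 1, 0)),   # wait + lock -> crit
    ((0, 0, 1, 0), (1, 0, 0, 1)),   # crit -> idle + lock
]
# Faulty variant (constructed): enters crit without taking the lock.
NO_LOCK = [MUTEX[0], ((0, 1, 0, 0), (0, 0, 1, 0)), MUTEX[2]]
BAD = {(0, 0, 2, 0)}

def init_covers(v):
    """Init = {(n,0,0,1) : n >= 0}: v is below some initial marking iff
    wait = crit = 0 and lock <= 1 (n can always be chosen >= v[idle])."""
    return v[WAIT] == 0 and v[CRIT] == 0 and v[LOCK] <= 1

if __name__ == "__main__":
    print(standard_algorithm(MUTEX, BAD, init_covers))     # (True, basis of 6 vectors)
    print(standard_algorithm(NO_LOCK, BAD, init_covers))   # (False, ...)
```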
15
SA Instantiated
  • We haven't said how to store sets of vectors
    during the computation
  • [Delzanno et al. 00, 01] use covering sharing
    trees (CSTs) to represent these sets
    • CSTs do for vectors what BDDs do for bitvectors
    • sophisticated heuristics for checking
      upward-closed set inclusion
  • For our experiments, we take the CST approach as
    an example of a state-of-the-art instantiation
    of SA

16
Outline
  • The problem
  • The standard approach
  • Our approach
  • Experiments
  • Future work/conclusions

17
Skeleton of Our Algorithm
i := 1
while ( not converged ) do
  compute R(i) := Back_Reach( U_i )
  if ( intersection_check( R(i) ) ) then exit with verification failure
  i := i + 1
exit with verification success
18
Convergence Theorem
Let U be an upward-closed set and let n ≥ bw(U).
Then
  ↑R(n+d) ⊆ ↑R(n+d-1) ⊆ … ⊆ ↑R(n)
if and only if
  Back_Reach(U) = ↑(R(1) ∪ … ∪ R(n))
  • Notation key
    • bw(U) is the maximum weight over the vectors in the
      canonical basis of U
    • d is the maximum number of processes involved in
      a guard (called maxdis(B) in the paper)
    • for a set X ⊆ N^m, ↑X denotes the upward closure
      of X

19
[Figure: the vectors of U plotted by weight against the instance size i; the weight axis is labelled 1, 2, 3, 4, …, n, n+1, …, n+d]
20
Termination Theorem
For any broadcast protocol and upward-closed set
U, there exists n ≥ bw(U) such that
  ↑R(n+d) ⊆ ↑R(n+d-1) ⊆ … ⊆ ↑R(n)
Proof follows trivially from WSTS theory.
21
Using BDDs
  • How should we represent the R(i)'s? ... Let's use
    binary decision diagrams (BDDs) [Bryant 86]
    • BDDs can succinctly represent large state spaces
    • many BDD operations have efficient algorithms
  • Our BDDs store sets of g-states (rather than sets
    of vectors)
  • For a finite set of vectors X, we use X_bdd to
    denote the BDD for the set of g-states abstracted
    by vectors in X

22
Example
  • Suppose
    • the local states are l1, l2, l3
    • X = {(0,0,2), (1,0,1), (0,1,1)}
  • Then X_bdd will store the g-states
    {(l3,l3), (l1,l3), (l3,l1), (l2,l3), (l3,l2)}

23
The Convergence Theorem BDDs
Our convergence theorem requires us to check
containments of the form ↑R(i+1) ⊆ ↑R(i).
Problem: How do we do such checks when the R(i)'s
are in our BDD/g-state representation?
Solution: We use a BDD operation called existential
lifting.
24
Existential Lifting (1/2)
Given a symmetric set X ⊆ L^i, the existential
lifting of X is the set X^el ⊆ L^(i+1) defined by
  (l_1, …, l_(i+1)) ∈ X^el  iff  ∃k ∈ {1, …, i+1}:
  (l_1, …, l_(k-1), l_(k+1), …, l_(i+1)) ∈ X
Intuitively, x ∈ X^el iff we can delete a component
of x to obtain a tuple in X.
25
Existential Lifting (2/2)
[Figure: existential lifting from instance size i to i+1, shown against U]
26
Existential Lifting Theorem
↑R(i+1) ⊆ ↑R(i) if and only if R_bdd(i+1) ⊆ R_bdd(i)^el
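The g-state encoding of slides 10, 11 and 22 and the existential lifting of slides 24 and 26, as an added example using plain explicit sets in place of BDDs (this is not code from the talk or the paper; local states l1, l2, l3 are indexed 0, 1, 2). It checks ↑R(i+1) ⊆ ↑R(i) both on vectors and, via lifting, on g-states, so the Existential Lifting Theorem can be confirmed on concrete inputs.

```python
from itertools import permutations

# Added example, not from the slides. Local states are indexed 0..m-1; a vector
# is an m-tuple of counts and a g-state is a tuple of local-state indices.

def vector_of(gstate, m):
    """Abstract a g-state to its vector: the number of processes per local state."""
    v = [0] * m
    for l in gstate:
        v[l] += 1
    return tuple(v)

def gstates_of(X, m):
    """X_bdd as an explicit set: every g-state whose vector lies in X."""
    out = set()
    for v in X:
        multiset = [l for l in range(m) for _ in range(v[l])]
        out.update(permutations(multiset))   # all orderings of the multiset
    return out

def existential_lift(S, m):
    """S^el: the (i+1)-tuples from which deleting one component gives a tuple in S."""
    return {s[:k] + (l,) + s[k:]
            for s in S for k in range(len(s) + 1) for l in range(m)}

def upward_contained(A, B):
    """↑A ⊆ ↑B on vectors: every vector in A dominates some vector in B."""
    return all(any(all(a >= b for a, b in zip(x, y)) for y in B) for x in A)

def containment_both_ways(R_next, R, m):
    """↑R(i+1) ⊆ ↑R(i) checked on vectors and, per the Existential Lifting
    Theorem, as R_bdd(i+1) ⊆ R_bdd(i)^el on g-states. Returns both answers."""
    on_vectors = upward_contained(R_next, R)
    on_gstates = gstates_of(R_next, m) <= existential_lift(gstates_of(R, m), m)
    return on_vectors, on_gstates

if __name__ == "__main__":
    X = {(0, 0, 2), (1, 0, 1), (0, 1, 1)}     # slide 22, with l1,l2,l3 = 0,1,2
    print(sorted(gstates_of(X, 3)))           # the five g-states of slide 22
    print(containment_both_ways({(0, 0, 3), (1, 1, 1)}, X, 3))   # (True, True)
    print(containment_both_ways({(2, 1, 0)}, X, 3))              # (False, False)
```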
27
Outline
  • The problem
  • The standard approach
  • Our approach
  • Experiments
  • Future work/conclusions

28
Experiments
  • Overview
    • Petri nets from the CST paper [Delzanno et al. 01]
      (new)
    • ME(h) Petri net (presented in the paper)
    • MESI protocol (new)
    • German's cache coherence protocol (new)
  • The SA implementation is based on an extension of
    CSTs called interval sharing trees [Ganty & Van
    Begin 04]

29
Experiments
  • Petri nets from the CST paper [Delzanno et al. 01]
    (new)
  • ME(h) Petri net (presented in the paper)
  • MESI protocol (new)
  • German's cache coherence protocol (new)

30
Petri Nets from [Delzanno et al. 01]

Petri net   Our runtime (sec)   CST runtime (sec)
Multipool   3010                2.09
CSM         95                  0.06
Mesh(2x2)   >1300               1.30

Note the decimal point in the CST column!
31
When Might OA Outperform SA?
  • For both CSTs and BDDs, a rough predictor of
    potential blow-up is the height of the data
    structure
  • Standard approach
    • CSTs have fixed height of m = |L|
  • Our approach
    • The state of a single process is encoded using
      log2 m BDD variables
    • The largest BP instance we analyze has n+d
      processes
    • Thus the largest BDDs we process have height
      (n+d) log2 m
  • Therefore we expect an advantage whenever
    (n+d) log2 m << m

32
Petri Nets from [Delzanno et al. 01] Revisited

Petri net   Our runtime   CST runtime   Max BDD height   CST height
Multipool   3010          2.09          50               18
CSM         95            0.06          36               14
Mesh(2x2)   >1300         1.30          >40              32
33
Petri Net Family ME(h)
h critical section states
Arbitrary number of client processes (h+1 local
states x0, x1, …, xh)
Single control process (2 local states: in,
notin)
34
ME(h) Runtimes
[Figure: ME(h) runtime (seconds) plotted against h]
35
ME(h) Runtimes
h     Our runtime   CST runtime   Max BDD height   CST height
25    11            2             30               28
50    43            30            36               53
75    108           387           42               78
100   198           865           42               103
125   331           4,766         42               128
150   565           6,942         48               153
175   823           24,814        48               178
200   1,159         30,156        48               203
225   1,578         56,795        48               228
250   2,155         105,618       48               253
36
MESI Caching Protocol
Technique of [Delzanno 00]

# of blocks   Our runtime   CST runtime   HyTech runtime   Max BDD height   CST height
1             0.1           0.0           0.0              8                4
2             0.2           0.1           88.3             16               16
3             0.5           44.1          >264.9           24               64
4             2.2           (none)        (none)           32               256

HyTech aborts, reporting out of memory (1.2GB).
Description is 5.8 MB; the Bison parser chokes.
37
Germans Cache Protocol
  • A cache protocol proposed by IBM's Steven German
  • From the Readme: "I consider it a challenging problem
    to verify this protocol fully automatically!"
  • Not quite encodable as a broadcast protocol
    • Involves a conjunctively guarded transition,
      which renders the problem undecidable [Emerson &
      Kahlon 03]
    • Involves a process pointer variable curPtr
  • Our version includes datapaths, as in [Chou et al.
    04]
  • As a broadcast protocol, the local state space
    has cardinality |L| = 6168 (6144 for clients, 24
    for dir)

38
Germans Cache Protocol
state   : {M, S, I}
data    : {0, 1}
invSet  : array 1..n of boolean
shrSet  : array 1..n of boolean
exGntd  : boolean
curCmd  : {null, ReqS, ReqE}
curPtr  : 1..n
memData : {0, 1}
39
Germans Cache Protocol Runtimes
Property (all passed)          Runtime (sec)
Encoding of curPtr             3
Conjunctive guard reduction    214
Data coherence                 63
40
Outline
  • The problem
  • The standard approach
  • Our approach
  • Experiments
  • Future work/conclusions

41
Future Work
  • More Experimental Evaluation
  • Complexity analysis of existential lifting
  • Optimizations
  • Application to other discrete well-structured
    transition systems
  • Are there other (i.e. non-WSTS) classes of
    systems for which a similar approach will work?

42
Conclusions
  • A new approach to parameterized verification of
    broadcast protocols
  • Uses BDDs and classical symbolic model checking
  • A primary contribution is a convergence theorem
    that tells us when we can stop
  • Our approach might outperform the standard
    approach when
    • the number of local states |L| is large, and
    • convergence occurs for moderate n
  • My hunch is that many systems of practical
    importance have these characteristics (e.g. German)
  • Kudos to Pierre Ganty for support with his
    CST/IST software