Title: Cached Murphi
1 Cached Murphi
- Enrico Tronci
- Dipartimento di Informatica
- Università di Roma La Sapienza, Via Salaria 113, 00198 Roma
- Tronci_at_dsi.uniroma1.it
- http://www.dsi.uniroma1.it/tronci
Meeting Mefisto, March 31-April 2, 2003, Salerno, Italy
2 Overview
Murphi is an explicit model checker for low level (i.e. close to the final implementation) analysis of protocols and software-like systems. Murphi only checks for invariants (safety properties).
- We will sketch:
  - Murphi input language
  - Cached Murphi performances
3 History
- Murphi has been realized by Alan Hu, David Dill, Ulrich Stern, and many others from Stanford University, USA.
- Murphi: http://sprout.stanford.edu/dill/murphi.html
- Cached Murphi has been obtained from Murphi by changing the Murphi engine so as to use a cache based BFS. Cmurphi 4.2 uses a disk based BFS.
- Cached Murphi is a joint effort of the University of L'Aquila and of the University of Rome La Sapienza.
- Cached Murphi: http://www.dsi.uniroma1.it/tronci
4 A Simple System
[Figure: transition graph of the system; nodes are labelled with the value of x (0 to 5), edges with the disturbance d (0, 1 or 2)]

x(t+1) = x(t) + d(t)  when x(t) <= 3
x(t+1) = x(t) - d(t)  when x(t) > 3
d(t) in {0, 1, 2},  x(0) = 0
5 Murphi Code
x(t+1) = if x(t) <= 3 then x(t) + d(t) else x(t) - d(t)
d(t) in {0, 1, 2},  x(0) = 0
Spec: x(t) < 5 (FAIL).  Spec: x(t) <= 5 (PASS).

    CONST -- constant declarations
      MAX_STATE_VALUE : 5;

    TYPE -- type declarations
      state_type : 0 .. 10;        -- integers from 0 to 10
      disturbance_type : 0 .. 2;

    VAR -- (global) variable declarations
      x : state_type;              -- variable of type state_type

    -- next state function
    function next(x : state_type; d : disturbance_type) : state_type;
    begin
      if (x <= 3) then return (x + d) else return (x - d) endif;
    end;

    startstate "startstate"        -- define initial state
      x := 0;
    end;

    -- nondeterministic disturbances trigger system transitions
    ruleset d : disturbance_type do
      -- define transition rule
      rule "time step"
        true ==> begin x := next(x, d); end;
    end;

    -- define property to be verified
    invariant "x less than 5" (x < MAX_STATE_VALUE);
6 Murphi Error Trace

    Startstate startstate fired.
    x:0
    ----------
    Rule time step, d:1 fired.
    x:1
    ----------
    Rule time step, d:2 fired.
    x:3
    ----------
    Rule time step, d:2 fired.
    The last state of the trace (in full) is:
    x:5
    ----------
7 Model Checking as State Space Exploration
For safety properties (no bad state is reachable) the model checking problem becomes the reachability problem on the transition graph of the system to be analyzed.
Given a Finite State System S = (S, I, Next), where:
- S is a finite set of states;
- I is the set of initial states;
- Next is a function mapping a state to the set of its successors;
visit all states that S can reach from I. Murphi defines S = (S, I, Next) using the Murphi input language.
8 Explicit State Space Exploration via BFS

    Queue Q; Hash_Table T;

    bfs(init_states, next)
      forall s in init_states: enqueue(Q, s);   /* load Q with initial states */
      forall s in init_states: insert(T, s);    /* mark init states as visited */
      while (Q is not empty) {                  /* visit */
        s = dequeue(Q);
        forall s' in next(s)
          if (s' is not in T) { insert(T, s'); enqueue(Q, s'); }
      }
9 Obstructions
- Queue Q may become very large.
- Hash Table T may become very large.
Counteractions
Use a compressed representation for states, that is, store state signatures in T rather than states. Even if a state takes around one hundred bytes, a state signature takes 5 bytes. Thus, using hashing with open addressing we can store 200,000,000 states using about 1GB of RAM (we are not considering the RAM needed for the queue here). Using secondary memory is thus very appealing. Unfortunately disk memory is much slower than RAM, thus suitable visit algorithms are needed.
10 BFS of some Protocols
11 Under the Hood of Cached Murphi
- Our disk based verification algorithm exploits transition locality to decrease disk read accesses, thus reducing the time overhead due to disk usage.
- Our disk based algorithm has been implemented within the Murphi verifier and is available at http://www.dsi.uniroma1.it/tronci/cached.murphi.html
- Our experimental results show that, even using 1/10 of the RAM needed to complete verification, our disk based algorithm is on average only 3 times slower than RAM Murphi with enough RAM to complete the verification task at hand.
- Using just 300MB of RAM with our disk based Murphi we were able to complete verification of a protocol with about 10^9 reachable states. This would require more than 5 gigabytes of RAM using RAM Murphi.
12 Locality
Transition (s, s') is a K-transition iff level(s') - level(s) = K
Transition (s, s') is k-local iff |level(s') - level(s)| <= k
[Figure: transition graph with nodes arranged by BFS level (0 to 4) and edges labelled with level(s') - level(s), ranging from -4 to 1]
13 Locality
Our experimental results show that, for all protocol-like systems, for most states, most transitions (typically more than 75%) are 1-local.
14 Notation
Let d(s, k) be the fraction of transitions from state s that are k-transitions. Thus d(s, k) is the probability of getting a k-transition when picking at random a transition from state s. Consider the experiment of selecting at random a state s and then returning d(s, k). In this way we get a random variable that we denote with d(k). The expected value of d(k) is the average value of d(s, k) over all reachable states s.
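As an added example (not code from the slides or from the Murphi distribution), the following Python reproduces the BFS of slide 8 with 5-byte state signatures in the hash table, checks the two specifications of slide 5 on the slide 4 system and rebuilds the error trace of slide 6, and then measures the expected value of d(k) defined above on the same system; all function names are my own.

```python
from collections import deque
import hashlib

def next_states(x):
    """Successors of x under every disturbance d in 0..2 (the slide 4 system)."""
    return [x + d if x <= 3 else x - d for d in range(3)]

def signature(state):
    """5-byte signature stored in T instead of the full state (collisions ignored)."""
    return hashlib.sha256(repr(state).encode()).digest()[:5]

def bfs(init_states, nxt, invariant):
    """Explicit BFS: queue Q plus signature table T. Returns (levels, parent, bad):
    BFS depth of each reached state, parent pointers, first bad state or None."""
    queue = deque(init_states)                    # load Q with initial states
    table = {signature(s) for s in init_states}   # mark init states as visited
    levels = {s: 0 for s in init_states}
    parent = {s: None for s in init_states}
    while queue:                                  # visit
        s = queue.popleft()
        if not invariant(s):
            return levels, parent, s
        for t in nxt(s):
            if signature(t) not in table:
                table.add(signature(t))
                levels[t] = levels[s] + 1
                parent[t] = s
                queue.append(t)
    return levels, parent, None

def error_trace(parent, bad):
    """Follow parent pointers back to the start state, like Murphi's trace."""
    trace = []
    while bad is not None:
        trace.append(bad)
        bad = parent[bad]
    return trace[::-1]

def expected_d(levels, nxt, k, local=False):
    """E[d(k)]: average over reached states s of the fraction of transitions
    s -> s' with level(s') - level(s) == k (|diff| <= k if local, i.e. k-local)."""
    total = 0.0
    for s in levels:
        diffs = [levels[t] - levels[s] for t in nxt(s)]
        total += sum(abs(x) <= k if local else x == k for x in diffs) / len(diffs)
    return total / len(levels)

if __name__ == "__main__":
    levels, parent, bad = bfs([0], next_states, lambda x: x < 5)
    print("x < 5 violated, trace:", error_trace(parent, bad))   # [0, 1, 3, 5]
```

Run with the invariant `lambda x: True` to explore the whole graph before calling `expected_d`, since `bfs` stops at the first violation and `levels` would otherwise be incomplete.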
15 Experimental Evidence of Locality
16 Exploiting Locality
We were able to exploit locality to reduce disk read accesses in the disk based BFS explicit state space exploration algorithm presented in: U. Stern, D. Dill, Using Magnetic Disk Instead of Main Memory in the Murphi Verifier, CAV 98.
Our modified disk based BFS algorithm typically speeds up verification by a factor of 10 (Formal Methods in Computer Aided Design 2002, Portland, Oregon, USA, LNCS).
17 Experimental Results with RAM Murphi

Protocol   | Bytes | Diam | Reach States | Rules       | Max Q     | Min Mem     | γ    | T (sec)
-----------|-------|------|--------------|-------------|-----------|-------------|------|--------
ns         | 96    | 12   | 2,455,257    | 8,477,970   | 1,388,415 | 145,564,125 | 0.57 | 1,211
n_peterson | 20    | 241  | 2,871,372    | 25,842,348  | 46,657    | 15,290,000  | 0.02 | 764
newlist6 7 | 32    | 91   | 3,619,556    | 21,612,905  | 140,382   | 22,590,004  | 0.04 | 1,641
ldash      | 144   | 72   | 8,939,558    | 112,808,653 | 509,751   | 118,101,934 | 0.06 | 12,352
sci        | 60    | 94   | 9,299,127    | 30,037,227  | 347,299   | 67,333,575  | 0.04 | 2,852
sci 31151  | 64    | 95   | 75,081,011   | 254,261,319 | 2,927,550 | 562,768,255 | 0.04 | 35,904
sci 31171  | 68    | 143  | 126,784,943  | 447,583,731 | 4,720,612 | 964,926,331 | 0.04 | 99,904
kerb       | 148   | 15   | 7,614,392    | 9,859,187   | 4,730,277 | 738,152,956 | 0.62 | 2,830
mcslock1   | 16    | 111  | 12,783,541   | 76,701,246  | 392,757   | 70,201,817  | 0.03 | 3,279
newlist6 8 | 40    | 110  | 81,271,421   | 563,937,480 | 2,875,471 | 521,375,945 | 0.03 | 31,114

γ = MaxQ/Reach
18 Local Disk Murphi vs RAM Murphi

M   | Prot   | ns    | n_peterson | newlist6 7 | mcslock1 | Sci 31121 | Sci 31151 | Sci 31171 | kerb  | ldash | newlist6 8
----|--------|-------|------------|------------|----------|-----------|-----------|-----------|-------|-------|-----------
1   | States | 1.348 | 1.178      | 1.366      | 1.346    | 1.260     | ------    | ------    | ------ | 1.566 | ------
1   | Rules  | 1.487 | 1.178      | 1.365      | 1.346    | 1.279     | ------    | ------    | ------ | 1.528 | ------
1   | Time   | 1.734 | 2.148      | 1.703      | 1.915    | 1.811     | ------    | ------    | ------ | 2.037 | ------
0.5 | States | 1.405 | 1.124      | 1.335      | 1.550    | 1.189     | 1.169     | 1.130     | 1.282 | 1.668 | 1.416
0.5 | Rules  | 2.011 | 1.124      | 1.334      | 1.550    | 1.206     | 1.195     | 1.152     | 1.060 | 1.626 | 1.412
0.5 | Time   | 2.144 | 2.056      | 1.765      | 2.477    | 1.798     | 1.828     | 1.421     | 1.234 | 2.226 | 2.612
0.1 | States | 1.373 | 1.199      | 1.384      | 1.703    | 1.183     | 1.143     | 1.097     | 1.279 | 1.702 | 1.406
0.1 | Rules  | 1.645 | 1.199      | 1.382      | 1.703    | 1.200     | 1.167     | 1.115     | 1.080 | 1.658 | 1.405
0.1 | Time   | 1.953 | 2.783      | 2.791      | 5.259    | 2.888     | 2.553     | 1.743     | 1.438 | 3.770 | 4.436

M = <RAM used in LD Murphi> / <Min Mem needed for RAM Murphi>
Dummy = <Dummy LD Murphi> / <Dummy RAM Murphi>, Dummy in {States, Rules, Time}
19 Local Disk Murphi vs RAM Murphi (continued)
Time Statistics

M   | 1     | 0.5   | 0.1
----|-------|-------|------
Min | 1.703 | 1.234 | 1.438
Avg | 1.891 | 1.954 | 2.961
Max | 2.148 | 2.612 | 5.259

M = <RAM used in LD Murphi> / <Min Mem needed for RAM Murphi>
20 Disk Murphi vs RAM Murphi

Mem | Prot   | ns       | n_peterson | newlist6 7 | mcslock1 | Sci 31121 | ldash
----|--------|----------|------------|------------|----------|-----------|---------
1   | States | 1.000    | 1.000      | 1.000      | 1.000    | 1.000     | 0.355
1   | Rules  | 1.000    | 1.000      | 1.000      | 1.000    | 1.000     | 0.245
1   | Time   | 1.259    | 2.623      | 1.331      | 1.821    | 1.616     | > 50.660
0.5 | States | 1.000    | 1.000      | 1.000      | 1.000    | 0.361     | -----
0.5 | Rules  | 1.000    | 1.000      | 1.000      | 1.000    | 0.647     | -----
0.5 | Time   | 242.131  | 2.430      | 1.357      | 1.691    | > 11.863  | -----
0.1 | States | 0.747    | 0.527      | 0.253      | 0.137    | -----     | -----
0.1 | Rules  | 0.309    | 0.507      | 0.203      | 0.115    | -----     | -----
0.1 | Time   | > 77.895 | > 90.704   | > 42.817   | > 11.605 | -----     | -----

Mem = <RAM used in LD Murphi> / <Min Mem needed for RAM Murphi>
Dummy = <Dummy LD Murphi> / <Dummy RAM Murphi>, Dummy in {States, Rules, Time}
21 Comparing LDMurphi with DMurphi

Mem | Prot | ns      | n_peterson | newlist6 7 | mcslock1 | Sci 31121 | ldash
----|------|---------|------------|------------|----------|-----------|------
1   | Time | 0.726   | 1.221      | 0.781      | 0.950    | 0.892     | > 24
0.5 | Time | 112.934 | 1.182      | 0.768      | 0.683    | > 6       | > 24
0.1 | Time | > 39    | > 32       | > 15       | > 2      | > 6       | > 24

Time Statistics

Mem |      | Min   | Avg      | Max
----|------|-------|----------|--------
1   | Time | 0.726 | > 4.762  | > 24
0.5 | Time | 0.683 | > 24.261 | 112.934
0.1 | Time | > 2   | > 19.667 | > 39

Mem = <RAM used in disk Murphi (LD or D)> / <Min Mem needed for RAM Murphi>
Time = <Time DMurphi> / <Time LDMurphi>
22 A Large Protocol

Prot     | Param | Bytes | Reach       | Rules         | Max Q states
---------|-------|-------|-------------|---------------|-------------
mcslock2 | N=4   | 16    | 945,950,806 | 3,783,803,224 | 30,091,508

Diam | Time (sec) | MaxMem (MB) (LDMurphi) | HT mem (KB) (RAM Murphi) | Q Mem (KB) (RAM Murphi) | TotMem (KB) (RAM Murphi)
-----|------------|------------------------|--------------------------|-------------------------|-------------------------
153  | 406,275    | 300                    | 4,729,754                | 481,465                 | 5,211,219
23 Hybrid Systems with CMurphi
We added finite precision real numbers to Cmurphi. This allows us to easily handle discrete time hybrid systems. E.g. using Cmurphi we were able to automatically verify a Turbogas Control System, a system out of reach for HyTech as well as for SMV (Hybrid Systems: Computation and Control (HSCC) 2003, Prague, Czech Republic, LNCS).
24 Conclusions
- Cached Murphi can be effectively used to analyze protocols, software-like systems and hybrid systems.
- Cached Murphi exploits statistical properties of transition graphs to save memory and to speed up disk based verification.
- Looking for new statistical properties of transition graphs is a natural next step for our research.