Hybrid Parallel Model Checking of Hybrid LTL on Hybrid State Space Representation

Transcript

1. Hybrid Parallel Model Checking of Hybrid LTL on Hybrid State

   Space Representation Kais Klai1, Chiheb Ameur Abid2,3, Jaime Arias1, and Sami Evangelista1 1LIPN, CNRS UMR 7030, Universit´ e Sorbonne Paris Nord, France 2Faculty of Sciences of Tunis, University of Tunis El Manar, Tunisia 3Mediatron Lab, SupCom, University of Carthage, Tunisia VECoS 2021 November 22, 2021

2. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

   Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 1 / 23

3. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

   Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 2 / 23

4. Motivation Requirements Formalizing Property Specification System Modeling System Model Model

   Checking Satisfied Violated + Counterexample Figure: Model-checking approach [Baier and Katoen, 2008] Model checking is based on an exhaustive exploration of the system state space ⇒ state space explosion problem . 3 / 23

5. Motivation Mitigating the state space explosion problem Symbolic representation of

   the system Compact representation by using Decision Diagram Techniques (e.g. BDD/MDD). Symbolic Observation Graph (SOG) Hybrid representation of the state space. Graph where nodes are sets of reachable states encoded symbolically, and edges are represented explicitly. On-the-fly verification Generation of “interesting” parts of the state space, only. Parallel and distributed algorithms Provide more available memory for storage of the state space. Reduce runtime execution. 4 / 23

6. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

   Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 5 / 23

7. Symbolic Observation Graph (SOG) Graph whose construction is guided by

   a set of observable atomic propositions involved in a formula event-based SOG [Haddad et al., 2004] state-based SOG [Klai and Poitrenaud, 2008] Ignore the unobserved behavior (except deadlock and livelock) Preserve the validity of LTL \ X formulae: stutter-invariant A SOG built for a given LTL formula φ1 can be reused to check any other LTL formula φ2 involving a subset of the atomic propositions of φ1 6 / 23

8. Symbolic Observation Graph (SOG) s0 s1 s2 s3 s4 s5

   a a b b (a) Example of an LTS s0 s1 a0 s2 s3 a1 livelock s4 s5 a2 deadlock a b (b) A SOG with Obs = {a, b} Figure: An LTS and its SOG The nodes of the SOG (aggregates) are defined as sets of states linked with unobserved transitions (encoded symbolically) The edges are labeled with observed transitions only (explicitly) 7 / 23

9. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

   Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 8 / 23

10. Motivation Negation of property LTL formula ¬φ B¨ uchi automaton

    A¬φ System Model of system Symbolic Observation Graph (SOG) On-the-fly synchronized product L(A¬φ ⊗ SOG) Emptiness check L(A¬φ ⊗ SOG) ? = ∅ Satisfied Violated + Counterexample Yes No Figure: Model-checking approach for SOG 9 / 23

11. Hybrid Parallel Model Checking of SOG Extension of the multi-core

    SOG-based model checking [Abid et al., 2020] Combine parallel (shared memory) and distributed (message passing) construction algorithms Construction of the SOG is partitioned over a set of processes which, in turn, distribute the building of their sub-graphs over a set of threads. Allow handling huge state spaces 10 / 23

12. Hybrid Parallel Model Checking of SOG Event-state based SOG for

    LTL model checking Adaption of the SOG to event-state formalism The modeling framework consists of Labeled Kripke structures (LKS) The construction of aggregates will depend on both a set of actions and state variables appearing as atomic propositions in the checked formula. New aggregation criteria: 1. All states belonging to a same aggregate must have the same truth values of the atomic propositions 2. Any state being reachable by the occurrence of an unobserved action from a state s, belongs to the same aggregate that s iff (1) 3. The occurrence of an observed action from a state of an aggregate must lead to another aggregate 11 / 23

13. Hybrid Parallel Model Checking of SOG Event-state based SOG for

    LTL model checking s0 a.b s1 a.b s2 a.b s3 a.b s4 a.b s5 a.b s6 a.b s7 a.b τ o1 τ o2 τ τ τ o1 o2 τ τ (a) Example of LKS s0 s4 a0 a.b τ s2 s3 a1 a.b τ τ s6 s7 a2 a.b τ τ s1 s5 a3 a.b o1 o1 τ o2 (b) A corresponding SOG: AP = {a, b} and Obs = {o1, o2} Figure: An LKS and its SOG 12 / 23

14. Hybrid Parallel Model Checking of SOG Parallel construction of the

    SOG Partitioning of the construction of a SOG: process level Load balancing between processes is performed statically by using a hash function Partitioning of each part of the graph, for a given process, is performed at the thread level: dynamic load balancing function qa qb qd qc t1 t2 t2 t1 (a) A SOG sample qa qb qd (a). Proc. 1 t1 t2 qb qc (b). Proc. 2 t2 qd qc (c). Proc. 3 t1 (b) A distributed SOG Figure: Distributed construction of SOG (builder processes) 13 / 23

15. Hybrid Parallel Model Checking of SOG Parallel construction of the

    SOG Receive message Send successors of A to process 0 Send prId(A0) to process 0 Terminate := true Push A into the stack of the thread having minimum load idThread=1 Push initial M0 into the stack of thread 1 Pop a marking from the stack Build an aggre- gate A from the marking popped from the stack IdPr(A)=1 Build successors of A and push them into stacks of threads having minimum load Store(Id(A), IdPr(A)) Send BUILD A to IdPr(A) All builder threads have no element to process or terminate = true ASK INITIAL ASK SUCCESSORS of A TERMINATE BUILD A · · · Thn Th1 True False True False True False Figure: Algorithm of builder processes 14 / 23

16. Hybrid Parallel Model Checking of SOG Sequential model checking Build

    the automaton corresponding to the negation of the formula Send to process 1 message ASK INITIAL Receive Id(A0) and IdPr(A0) A := A0 Send to process IdPr(A) message ASK SUCCESSORS of A Receive list of successors A Explore a new node A An acceptance cycle is detected or no possible progress Send TERMINATE to all builder processes Indicate the empti- ness check result True False Figure: Algorithm of the model checker process 15 / 23

17. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

    Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 16 / 23

18. Implementation and Experiments Overview Programming languages: C and C++ Libraries:

    Spot [Duret-Lutz et al., 2016], Sylvan [van Dijk and van de Pol, 2017], OpenMPI. 200 random LTL \ X formulas generated using randltl tool 100 satisfied 100 violated 5 models from the Model Checking Contest1, and two clusters: Magi cluster2 (40 processors): robot, spool, tring. Grid’50003 (124 processors): philo, train. Comparison between our tool (pmc-sog) and the LTSmin model-checker [Kant et al., 2015] using state-based formulae. Artifact: https://up13.fr/?G8tMFVS2 1https://mcc.lip6.fr/models.php 2http://magi.univ-paris13.fr/wiki/ 3https://www.grid5000.fr 17 / 23

19. Implementation and Experiments Multi-Core vs. Hybrid pmc-sog 10 −4 10

    −2 1 10 2 10 −4 10 −3 10 −2 10 −1 1 10 10 2 property True False tring10 Verification time (seconds) pmc-sog (# nodes: 1, # cores: 16) Verification time (seconds) pmc-sog (# nodes: 2, # cores: 16) (a) Model tring10. Results using 1 and 2 processes with 16 threads each 10 −4 10 −2 1 10 2 10 −4 10 −3 10 −2 10 −1 1 10 10 2 property True False philo10 Verification time (seconds) pmc-sog (# nodes: 2, # cores: 16) Verification time (seconds) pmc-sog (# nodes: 4, # cores: 16) (b) Model philo10. Results using 2 and 4 processes with 16 threads each Figure: Comparison of performances in pmc-sog by increasing the number of processes 18 / 23

20. Implementation and Experiments Hybrid pmc-sog vs LTSmin 10 −4 10

    −2 1 10 2 10 −4 10 −3 10 −2 10 −1 1 10 10 2 property True False robot50 Verification time (seconds) pmc-sog (# nodes: 2, # cores: 16) Verification time (seconds) pnml2lts-mc (# nodes: 1, # cores: 16) (a) Performances for robot50 (b) Performances for train12 Figure: Comparison of pmc-sog and pnml2lts-mc 19 / 23

21. Implementation and Experiments Explored States 0 50 100 0 1B

    2B 3B 4B F T robot50 formula # explored states mean = 3.64E+09 mean = 2.56E+09 (a) Explored states for robot50 0 50 100 0 5k 10k 15k 20k 25k F T train12 formula # explored states mean = 4.94E+03 mean = 2.22E+03 (b) Explored states for train12 Figure: Comparison of pmc-sog and pnml2lts-mc 20 / 23

22. Outline 1. Motivation 2. Symbolic Observation Graph (SOG) 3. Hybrid

    Parallel Model Checking of SOG 4. Implementation and Experiments 5. Concluding Remarks 21 / 23

23. Concluding Remarks Hybrid parallel model-checker approach (shared and distributed memory

    architectures) for event-and state-based LTL \ X logic. Representation of the system’s state space is a hybrid graph called Symbolic Observation Graph (SOG). Implementation of a C++ prototype: pmc-sog. Preliminary results of experiments show that our approach is competitive in comparison with the LTSmin parallel model checker. 22 / 23

24. Concluding Remarks Perspectives Evaluation of our prototype on real word

    examples and against other model checking tools. Improvement of our tool: Heuristics to increase efficiency for small models. Parallelize the emptiness checker. Combine symbolic representation and partial order reduction. 23 / 23

25. Thanks for your attention! Any questions?

26. References I Abid, C. A., Klai, K., Arias, J., and

    Ouni, H. (2020). Sog-based multi-core LTL model checking. In ISPA/BDCloud/SocialCom/SustainCom, pages 9–17. IEEE. Baier, C. and Katoen, J. (2008). Principles of model checking. MIT Press. Duret-Lutz, A., Lewkowicz, A., Fauchille, A., Michaud, T., Renault, E., and Xu, L. (2016). Spot 2.0 - A framework for LTL and ω-automata manipulation. In ATVA, volume 9938 of LNCS, pages 122–129. Haddad, S., Ili´ e, J., and Klai, K. (2004). Design and evaluation of a symbolic and abstraction-based model checker. In ATVA, volume 3299 of Lecture Notes in Computer Science, pages 196–210. Springer.

27. References II Kant, G., Laarman, A., Meijer, J., van de

    Pol, J., Blom, S., and van Dijk, T. (2015). Ltsmin: High-performance language-independent model checking. In TACAS, volume 9035 of Lecture Notes in Computer Science, pages 692–707. Springer. Klai, K. and Poitrenaud, D. (2008). MC-SOG: an LTL model checker based on symbolic observation graphs. In Petri Nets, volume 5062 of Lecture Notes in Computer Science, pages 288–306. Springer. van Dijk, T. and van de Pol, J. (2017). Sylvan: multi-core framework for decision diagrams. Int. J. Softw. Tools Technol. Transf., 19(6):675–696.