Hybrid Parallel Model Checking of Hybrid LTL on Hybrid State Space Representation Kais Klai1, Chiheb Ameur Abid2,3, Jaime Arias1, and Sami Evangelista1 1LIPN, CNRS UMR 7030, Universit´ e Sorbonne Paris Nord, France 2Faculty of Sciences of Tunis, University of Tunis El Manar, Tunisia 3Mediatron Lab, SupCom, University of Carthage, Tunisia VECoS 2021 November 22, 2021
Motivation Requirements Formalizing Property Specification System Modeling System Model Model Checking Satisfied Violated + Counterexample Figure: Model-checking approach [Baier and Katoen, 2008] Model checking is based on an exhaustive exploration of the system state space ⇒ state space explosion problem . 3 / 23
Motivation Mitigating the state space explosion problem Symbolic representation of the system Compact representation by using Decision Diagram Techniques (e.g. BDD/MDD). Symbolic Observation Graph (SOG) Hybrid representation of the state space. Graph where nodes are sets of reachable states encoded symbolically, and edges are represented explicitly. On-the-fly verification Generation of “interesting” parts of the state space, only. Parallel and distributed algorithms Provide more available memory for storage of the state space. Reduce runtime execution. 4 / 23
Symbolic Observation Graph (SOG) Graph whose construction is guided by a set of observable atomic propositions involved in a formula event-based SOG [Haddad et al., 2004] state-based SOG [Klai and Poitrenaud, 2008] Ignore the unobserved behavior (except deadlock and livelock) Preserve the validity of LTL \ X formulae: stutter-invariant A SOG built for a given LTL formula φ1 can be reused to check any other LTL formula φ2 involving a subset of the atomic propositions of φ1 6 / 23
Symbolic Observation Graph (SOG) s0 s1 s2 s3 s4 s5 a a b b (a) Example of an LTS s0 s1 a0 s2 s3 a1 livelock s4 s5 a2 deadlock a b (b) A SOG with Obs = {a, b} Figure: An LTS and its SOG The nodes of the SOG (aggregates) are defined as sets of states linked with unobserved transitions (encoded symbolically) The edges are labeled with observed transitions only (explicitly) 7 / 23
Hybrid Parallel Model Checking of SOG Extension of the multi-core SOG-based model checking [Abid et al., 2020] Combine parallel (shared memory) and distributed (message passing) construction algorithms Construction of the SOG is partitioned over a set of processes which, in turn, distribute the building of their sub-graphs over a set of threads. Allow handling huge state spaces 10 / 23
Hybrid Parallel Model Checking of SOG Event-state based SOG for LTL model checking Adaption of the SOG to event-state formalism The modeling framework consists of Labeled Kripke structures (LKS) The construction of aggregates will depend on both a set of actions and state variables appearing as atomic propositions in the checked formula. New aggregation criteria: 1. All states belonging to a same aggregate must have the same truth values of the atomic propositions 2. Any state being reachable by the occurrence of an unobserved action from a state s, belongs to the same aggregate that s iff (1) 3. The occurrence of an observed action from a state of an aggregate must lead to another aggregate 11 / 23
Hybrid Parallel Model Checking of SOG Parallel construction of the SOG Partitioning of the construction of a SOG: process level Load balancing between processes is performed statically by using a hash function Partitioning of each part of the graph, for a given process, is performed at the thread level: dynamic load balancing function qa qb qd qc t1 t2 t2 t1 (a) A SOG sample qa qb qd (a). Proc. 1 t1 t2 qb qc (b). Proc. 2 t2 qd qc (c). Proc. 3 t1 (b) A distributed SOG Figure: Distributed construction of SOG (builder processes) 13 / 23
Hybrid Parallel Model Checking of SOG Parallel construction of the SOG Receive message Send successors of A to process 0 Send prId(A0) to process 0 Terminate := true Push A into the stack of the thread having minimum load idThread=1 Push initial M0 into the stack of thread 1 Pop a marking from the stack Build an aggre- gate A from the marking popped from the stack IdPr(A)=1 Build successors of A and push them into stacks of threads having minimum load Store(Id(A), IdPr(A)) Send BUILD A to IdPr(A) All builder threads have no element to process or terminate = true ASK INITIAL ASK SUCCESSORS of A TERMINATE BUILD A · · · Thn Th1 True False True False True False Figure: Algorithm of builder processes 14 / 23
Hybrid Parallel Model Checking of SOG Sequential model checking Build the automaton corresponding to the negation of the formula Send to process 1 message ASK INITIAL Receive Id(A0) and IdPr(A0) A := A0 Send to process IdPr(A) message ASK SUCCESSORS of A Receive list of successors A Explore a new node A An acceptance cycle is detected or no possible progress Send TERMINATE to all builder processes Indicate the empti- ness check result True False Figure: Algorithm of the model checker process 15 / 23
Implementation and Experiments Overview Programming languages: C and C++ Libraries: Spot [Duret-Lutz et al., 2016], Sylvan [van Dijk and van de Pol, 2017], OpenMPI. 200 random LTL \ X formulas generated using randltl tool 100 satisfied 100 violated 5 models from the Model Checking Contest1, and two clusters: Magi cluster2 (40 processors): robot, spool, tring. Grid’50003 (124 processors): philo, train. Comparison between our tool (pmc-sog) and the LTSmin model-checker [Kant et al., 2015] using state-based formulae. Artifact: https://up13.fr/?G8tMFVS2 1https://mcc.lip6.fr/models.php 2http://magi.univ-paris13.fr/wiki/ 3https://www.grid5000.fr 17 / 23
Implementation and Experiments Explored States 0 50 100 0 1B 2B 3B 4B F T robot50 formula # explored states mean = 3.64E+09 mean = 2.56E+09 (a) Explored states for robot50 0 50 100 0 5k 10k 15k 20k 25k F T train12 formula # explored states mean = 4.94E+03 mean = 2.22E+03 (b) Explored states for train12 Figure: Comparison of pmc-sog and pnml2lts-mc 20 / 23
Concluding Remarks Hybrid parallel model-checker approach (shared and distributed memory architectures) for event-and state-based LTL \ X logic. Representation of the system’s state space is a hybrid graph called Symbolic Observation Graph (SOG). Implementation of a C++ prototype: pmc-sog. Preliminary results of experiments show that our approach is competitive in comparison with the LTSmin parallel model checker. 22 / 23
Concluding Remarks Perspectives Evaluation of our prototype on real word examples and against other model checking tools. Improvement of our tool: Heuristics to increase efficiency for small models. Parallelize the emptiness checker. Combine symbolic representation and partial order reduction. 23 / 23
References I Abid, C. A., Klai, K., Arias, J., and Ouni, H. (2020). Sog-based multi-core LTL model checking. In ISPA/BDCloud/SocialCom/SustainCom, pages 9–17. IEEE. Baier, C. and Katoen, J. (2008). Principles of model checking. MIT Press. Duret-Lutz, A., Lewkowicz, A., Fauchille, A., Michaud, T., Renault, E., and Xu, L. (2016). Spot 2.0 - A framework for LTL and ω-automata manipulation. In ATVA, volume 9938 of LNCS, pages 122–129. Haddad, S., Ili´ e, J., and Klai, K. (2004). Design and evaluation of a symbolic and abstraction-based model checker. In ATVA, volume 3299 of Lecture Notes in Computer Science, pages 196–210. Springer.
References II Kant, G., Laarman, A., Meijer, J., van de Pol, J., Blom, S., and van Dijk, T. (2015). Ltsmin: High-performance language-independent model checking. In TACAS, volume 9035 of Lecture Notes in Computer Science, pages 692–707. Springer. Klai, K. and Poitrenaud, D. (2008). MC-SOG: an LTL model checker based on symbolic observation graphs. In Petri Nets, volume 5062 of Lecture Notes in Computer Science, pages 288–306. Springer. van Dijk, T. and van de Pol, J. (2017). Sylvan: multi-core framework for decision diagrams. Int. J. Softw. Tools Technol. Transf., 19(6):675–696.
himito
cutcarbon
kyoun
hiroki13
forest1988
tosseto
kitachan_black
usaito
____rina____
cocomoff
datalabs
ssryuki
jonyablonski
jacobian
jeffersonlam
addyosmani
mongodb
pedronauck
lemiorhan
hannesfritz
holman
lynnandtonic
lara
michaelherold