Posted on 29-Mar-2015


Verification of Parameterized Systems: Reducing Model Checking of the Few to the One

E. Allen Emerson, Richard J. Trefler and Thomas Wahl

Junaid Surve (6644418)

What, How, Why

1. WHAT IS THE GOAL? Verify, automatically and efficiently, temporal logic properties of a parameterized system for a large finite parameter range.

2. HOW TO ACHIEVE THE GOAL? Merge all instances into a single aggregate structure capable of simulating all systems from the range in one go.

3. WHY THIS TECHNIQUE?
• Trades the benefit of solving the verification problem for infinitely many instances of a system in exchange for greatly enhanced practicability.
• No manual reasoning.
• Imposes no restrictions on the input syntax.
• Easy to implement.


Agenda

1. Introduction
2. Preliminaries
3. The Aggregate System
4. Efficiently Constructing the Aggregate System
5. Verifying the Aggregate System
6. Applications
7. Conclusion


Introduction

MODEL CHECKING: A technique for automatically verifying correctness properties of finite-state systems.

M ⊨ φ

Many systems are composed of replicated components (to allow reusability), so system descriptions are parameterized by the number of components.

PARAMETERIZED VERIFICATION PROBLEM: Does a given property hold for all (i.e. infinitely many) instances of the size parameter?


Ways of approaching parameterized verification algorithmically:

1. Identify decidable subclasses of parameterized systems.
   • Restrict systems and properties.
   • Give (almost) efficiently verifiable conditions under which the properties hold for all instances.

2. Realize that it is often possible and sufficient to consider a bound on the parameter size.
   • E.g. the number of components that fit on a particular circuit board.

TECHNIQUE FOR BOUNDED PARAMETERIZED VERIFICATION (with bound N)

1. Check: P_1 ⊨ φ; P_1 || P_2 ⊨ φ; …; P_1 || P_2 || P_3 || … || P_N ⊨ φ
2. Construct BDDs for all of these systems.

WHY AGGREGATION?

3. Instances of parameterized systems are of similar form.
4. Use the power of symbolic data structures to compactly represent a large number of similar structures at lesser cost.


• The aggregation technique is applicable to:
   • an arbitrary, inhomogeneous, finite system family;
   • no restrictions on the syntax of the system description or property.
• The property under investigation: TRUE for the few instances.


Preliminaries

Consider a token-ring solution to the n-process Mutual Exclusion problem with a shared variable tok ∈ [1..n] and the synchronization skeleton below. Local states are the nodes of the graph, transitions are its edges.

[Skeleton figure: local states N, T, C; guard tok = self; action tok := (tok mod n) + 1]

The transition relation R_n of the n-process concurrent system:

$$R_n = \{(s,t) : \exists i \le n : (s_i \xrightarrow{g} t_i) \in \mathit{SKEL} \wedge \forall j \ne i : s_j = t_j\} \qquad (1)$$


The Aggregate System

AIM: Develop an approach to parameterized verification that:
• works for any bounded family of systems,
• is derived from a synchronization skeleton,
• is parameterized by the number of processes and arbitrary CTL* properties.

ℓ : number of local states occurring in the skeleton
AP : set of atomic propositions

The skeleton gives rise to a family (M_n)_{n∈ℕ} of Kripke structures with M_n = (S_n, R_n, L_n). We have

$$S_n = [0..(\ell-1)]^n,\qquad R_n \subseteq S_n \times S_n,\qquad L_n : S_n \to 2^{AP}$$


Definition 1. For n ≤ N, the completion of a state s^n = (s_1, …, s_n) ∈ S_n and of an edge (s^n, t^n) ∈ R_n, respectively, are defined as

$$c(s_1,\dots,s_n) = (s_1,\dots,s_n,\$,\dots,\$) \in S,\qquad c(s^n,t^n) = (c(s^n),\, c(t^n)) \in R.$$

A state s ∈ S is proper if there exists a number n such that s is of the form (s_1, …, s_n, $, …, $) with s_j ≠ $ for all j ∈ [1..n].


Proper states by width (token-ring skeleton, first two local states shown):

n = 1: (N,$,$,…,$), (T,$,$,…,$)
n = 2: (N,N,$,…,$), (T,N,$,…,$), (N,T,$,…,$)
n = 3: (N,N,N,…,$), (T,N,N,…,$), (N,T,N,…,$), (N,N,T,…,$)


Property 2. For (s, t) ∈ R, both s and t are proper and have the same width.

Corollary 3. All states along non-empty paths in the aggregate structure M are proper and have the same width.


Efficiently Constructing the Aggregate System

Theorem 4. Assumption: the family of systems (S_n, R_n)_{n≤N} is given as a synchronization skeleton. Then

$$\bigcup_{n \le N} c(R_n) = \{(s,t) : s \text{ is proper of some width } n,\ \text{and}\ \exists i \le n : (s_i \xrightarrow{g} t_i) \in \mathit{SKEL} \wedge \forall j \ne i : s_j = t_j\}$$


Implementation of the Aggregate System

Divide the skeleton edges into two classes:

1. Those independent of the system size n.
2. Those dependent on n.

[Skeleton figure repeated: local states N, T, C; guard tok = self; action tok := (tok mod n) + 1]


Implementation of the Aggregate System

    R := ∅
    for p := 1 to N do:
        for every edge e independent of the system size:
            R := R ∨ e(p)
    for n := 1 to N do:
        for p := 1 to n do:
            for every edge e dependent on the system size:
                R := R ∨ (proper(n) ∧ e(p, n))

• e(p) stands for the propositional formula representing edge e executed by process p.
• e(p, n) stands for the corresponding formula for an edge that also depends on the system size n.
• The term proper(n) symbolizes the set of proper states of width n. It ensures that transition e(p, n) can only be executed from a state that belongs to M_n.


Verifying the Aggregate System

AIM: Soundness of the verification technique.

Verification of the system is accomplished by establishing N bisimulations, one between each M_n and M, which contain pairs of a state and its completion.

BISIMULATION: Given a labeled state transition system (S, Λ, →), a bisimulation relation is a binary relation R ⊆ S × S such that both R and R^{-1} are simulations.

[Figure: bisimulation pairs, e.g. (N,$,$) ~ N and (T,$,$) ~ T]


Lemma 5. For any n ≤ N, the relation s^n ∈ S_n ~ c(s^n) ∈ S is a bisimulation relation between the structures M_n and M.

Theorem 6. Let f be a CTL* formula, s^n = (s_1, …, s_n), and Σ = {c(s^n) ∈ S : n ≤ N}. Then

$$\forall n \le N : M_n, s^n \models f \quad\text{iff}\quad \forall s \in \Sigma : M, s \models f.$$
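As an added illustration (not code from the slides or from the authors' BDD-based implementation), the following Python builds the aggregate relation R for the token-ring skeleton explicitly by the loop on the Implementation slide, and then, in the spirit of Theorem 6, checks mutual exclusion once on M for every width n ≤ N instead of once per M_n. Assumptions: the shared variable tok is carried as part of each state, and the skeleton's edges are N→T, T→C guarded by tok = self, and C→N with action tok := (tok mod n) + 1.

```python
from itertools import product
LOCALS, PAD = ("N", "T", "C"), "$"   # local states of the skeleton; padding symbol of c(.)

def skeleton_step(local, tok, i, n):
    """Edges of process i (1-based) in an n-process system with shared tok. Edge placement
    is assumed: N->T, T->C guarded by tok = self, C->N with tok := (tok mod n) + 1."""
    if local == "N":
        yield "T", tok
    elif local == "T" and tok == i:   # guard tok = self: independent of n
        yield "C", tok
    elif local == "C":                 # action mentions n: size-dependent edge
        yield "N", (tok % n) + 1

def complete(locs, N):   # c(s_1..s_n) = (s_1..s_n, $..$), Definition 1
    return locs + (PAD,) * (N - len(locs))

def is_proper(s):
    """Definition 1: a $-free prefix of some width n >= 1 followed by $ only."""
    n = len(s) - s.count(PAD)
    return n >= 1 and PAD not in s[:n]

def system_edges(n):
    """R_n of equation (1): process i takes a skeleton edge, every j != i stays put."""
    return {((locs, tok), (locs[:i-1] + (nl,) + locs[i:], nt))
            for locs in product(LOCALS, repeat=n) for tok in range(1, n + 1)
            for i in range(1, n + 1) for nl, nt in skeleton_step(locs[i-1], tok, i, n)}

def aggregate(N):
    """Implementation-slide loop (right side of Theorem 4): range over the aggregate state
    space, keep only proper(n) states, and fire e(p, n) for each process p <= n."""
    R = set()
    for s in filter(is_proper, product(LOCALS + (PAD,), repeat=N)):
        n = len(s) - s.count(PAD)
        for tok, p in product(range(1, n + 1), repeat=2):
            for nl, nt in skeleton_step(s[p-1], tok, p, n):
                R.add(((s, tok), (s[:p-1] + (nl,) + s[p:], nt)))
    return R

def mutual_exclusion_holds(N):
    """AG(at most one process in C), checked once on M from the completed initial states
    (all N, tok = 1) of every width n <= N instead of once per M_n (Theorem 6)."""
    succ = {}
    for s, t in aggregate(N):
        succ.setdefault(s, []).append(t)
    seen = {(complete(("N",) * n, N), 1) for n in range(1, N + 1)}
    todo = list(seen)
    while todo:
        s = todo.pop()
        if s[0].count("C") > 1:
            return False
        todo += [t for t in succ.get(s, []) if t not in seen]
        seen.update(succ.get(s, []))
    return True
```

Comparing aggregate(N) with the union of the completed relations c(R_n) built from system_edges(n) reproduces the equality of Theorem 4 for the token ring.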


Applications: comparison to the One-by-One Method

The one-by-one method and the aggregate technique have the same theoretical power.

Example: A parallel program written for a particular cluster of machines with a natural upper bound on the parameter: the physical number of CPUs in the cluster.

Verified program: a variant of parallel odd-even sort.

Initial state: unconstrained. The number of elements to be sorted grows with N. The CTL property verified is of the form AF sorted.


Conclusion

• A technique to reduce the various instances of an arbitrary parameterized system into a single aggregate.
• Initial states of the original system can be converted appropriately to states of the aggregate.
• Experimental results using a BDD-based implementation of their technique.
• Shared variables are used for communication and synchronization among processes. They may appear in atomic propositions of CTL* formulas.


Thank You
