1 / 26

Memory-Efficient Algorithms for the Verification of Temporal Properties

Memory-Efficient Algorithms for the Verification of Temporal Properties. C. Courcoubetis Inst. Of Comp. Sci. FORTH, Crete, Greece. M. Verdi IBM Almaden. P. Wolper Un. de Liege. M. Yannakakis AT&T Bell Labs. Presented By: Prateem Mandal 4710-410-041-03374

gail
Télécharger la présentation

Memory-Efficient Algorithms for the Verification of Temporal Properties

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Memory-Efficient Algorithms for the Verification of Temporal Properties C. Courcoubetis Inst. Of Comp. Sci. FORTH, Crete, Greece M. Verdi IBM Almaden P. Wolper Un. de Liege M. Yannakakis AT&T Bell Labs Presented By: Prateem Mandal 4710-410-041-03374 prateem@csa.iisc.ernet.in

  2. Outline of the talk • Introduction and previous work • Formal Problem Definition • Analysis and critique of previous approaches • The Algorithms • Questions and Answers

  3. Introduction and previous work • The paper addresses the problem of designing memory-efficient algorithms for verification of temporal properties of finite state programs modeled as Buchi Automata. • Thus the problem is that of checking the emptiness of the automata. • Allowing programs to err, the paper gives algorithm with memory access size of O(n) bits.

  4. Previous work • Reachability Analysis. • Theorem Prover. • Model Checking. The problem of state space explosion was solved with the use of hashing (Holtzmann technique). This paper furthers the technique to find bad cycles as opposed to bad state in Holtzmann’s technique.

  5. Formal Problem Definition

  6. Formal Problem Definition contd..

  7. Formal Problem Definition contd..

  8. Formal Problem Definition contd..

  9. Characterization of memory requirements • Memory requirements have been characterized by considering the data structures used by the algorithm. • They are of two types: randomly accessed and sequentially accessed. • Hash table needs randomly accessed memory while stack or queue needs sequentially accessed memory.

  10. Characterization of memory requirements contd.. • Bottleneck in performance of verification algorithms is related to amount of randomly accessed memory usage. “Holtzmann observed that there is a tremendous speed-up for an algorithm implemented so that its randomly accessed memory requirements do not exceed the main memory available in the system(since sequentially accessed memory can be implemented in secondary storage)”

  11. The Basic Method • Holzmann considered how to perform reach ability analysis by using least amount of random memory access. • The method is basically a DFS with marking of states by using a hashed m bit array. • Since collision detection is avoided, there is a possibility that a state will be missed.

  12. The Basic Method contd.. • The key assumption here is that one can choose a large enough value of m so that the collision events become arbitrary small. • Holzmann claims that table size m=O(n) where n is the number of reachable states.

  13. Analysis of the Basic Method • Is the claim true? • Let |U| be the namespace of the states where |U|>>n. • If we consider the case of complete reach ability analysis the requirement is m=O(nlog |U|). Why?

  14. Analysis of Basic Method contd.. • From probabilistic point of view the total possible mappings from set S={1,…,n} to states {1,…,m} are mn and number of possible one to one mappings are m!/(m-n)! Which for n<<m can be approximated by e-n2/m. • Thus partial reach ability can be achieved in m=O(n log n) by first mapping n reachable states to set {1,…,m} with m=O(n2) and then do complete reachability by assuming namespace to be of size m.

  15. Analysis of Basic Method contd.. • Holtzmann goes a step further and uses m=O(n). The assumption here is there exists a hashing function that can work in this constraint with arbitrarily small collision. • This however is not supported by the above analysis. • The above assumption can only hold if the hashing function exploits some particular structure of state space U. This assumption is not general enough to apply to algos finding strongly connected components.

  16. The Algorithms • S is a stack which stores the path from root to the present node. • Q is a queue to hold the reachable members of F in post order. • The above two data structures are sequential in nature therefore inconsequential to the analysis of the algorithm. • M is a bit array indexed by hash values 1,…,m and is used for marking states.

  17. Algorithm A: part 1 • Initialize: S:=[s0], M:=0, Q:=null; • Loop: while S != null do begin v:=top(S); if M[h(w)]=1 for all w belonging to succ(v) then begin pop v from S; if v belong to F insert v into Q; end else begin let w be the first member of succ(v) with M[h(w)]=0; M[h(w)]:=1; push w into S; end end

  18. Algorithm A: part 2 • Initialize: S:=null, M:=0. • Loop: while Q=null do begin: f:=head(Q); remove f from Q; push f into S; while s != null do begin v:=top(S); if f belongs to succ(v) then halt and return “YES”; if M[h(w)]:=1 for all w belong to succ(v) then pop v from S else begin let w be the first member of succ(v) with m[h(w)]=0; M[h(w)]:=1; push w into S end end end end

  19. Lemma 1: Let f1,…,fk be the members of Q after the first DFS, i.e., the members of F that are reachable from s0 in post order (f1 is the first member of F to be reached in post order, fk the last). If for some pair fi, fj with i<j there is a path from fi to fj then node fi belongs to a non trivial strongly connected component.

  20. Proof of Lemma 1 • Suppose there is a path from fi to fj. • If no node on this path was marked before fi, then the DFS would have reached fj from fi in the post order. • Therefore some node p in the path was marked before fi. • If p comes before fi in the post order then fj should come before fi in the post order. • Since p was marked before fi but comes after fi in the post order, it must be an ancestor of fi. • Thus fi can reach an ancestor and thus belongs to a non trivially strongly connected component.

  21. Theorem 1: If the second DFS halts and returns “YES”, then some reachable node of F belongs to a non trivial strongly connected component. Conversely, suppose that some reachable node of F belongs to a non trivial strongly connected component, then the second DFS will return “YES”.

  22. Proof of Theorem 1 • Suppose second DFS returns “YES” then it is building a tree with root fj and discovers a back edge to root fj, and therefore fj is in a cycle. • For the converse let fj be the smallest indexed(j) reachable member of F that belongs to a non trivial strongly connected component. • Consider a path p from fj to itself. If p is reachable from a fi with a smaller i then fi will also reach fj which by Lemma 1 contradicts the choice of fj. • Thus no marked p exists when fj is pushed and thus back edge will be found eventually.

  23. Algorithm B • Initialize S1:=[s0], S2:=null, M1:=M2:=0. • While S1!=null do begin x:=top(S1); if there is a y in succ(x) with M1[h(y)]=0 then begin let y be the first such number of succ(x); M1[h(y)]:=1; push y into S1; end else begin pop x from S1; if x belongs to F then begin push x into S2;  end end end

  24. Algorithm B contd.. while S2!=null do begin v:=top(S2); if x belongs to succ(v) then ret “YES” if M2[h(w)]=1 for all w belong to succ(v) then pop v from S2 else begin let w be the first member of succ(v) with M2[h(w)]=0; m2[h(w)]:=1; push w into S2; end end end

  25. Algorithm B contd.. • The above algorithm requires twice as much space as algorithm A. • If an automaton is found to be non-empty an accepted word can be extracted from stacks S1 and S2. • In verification terms if a protocol is incorrect, the incorrect path can be reproduced. • Both the algorithms may err due to collisions which means miss some error but will never proclaim a right protocol as wrong so they essentially behave like debuggers.

  26. Questions and Answers

More Related