Applying Partial Order Methods to Symbolic Verification of Software

Symbolic Model Checking of Software
Nishant Sinha
with
Edmund Clarke, Flavio Lerda, Michael Theobald
Carnegie Mellon University
Symbolic Model Checking of Software
• Goal:
– Use BDD-based Symbolic Model Checker
for the verification of concurrent software
• Motivation:
– Very successful for large state spaces in hardware
• Challenges:
– Generating the models (language -> SMV)
– Adding Partial-Order Reduction
– Optimized BDD-operations (e.g., generation and
storage)
• This Talk:
– Focus on Partial-Order Reduction
Outline
• Background
– Modeling language
– Partial-order reduction
– Twophase algorithm
• New Approach: ImProviso
– Basic formulation
– Extensions
– Experimental results
• Related Work
• Future Work
• Conclusions
Background: Software Verification
• Concurrent software
– Asynchronous execution, unlike hardware
– Huge state space, e.g. large variable ranges
• Partial-order reduction (POR)
– Attacks the state-space explosion problem
– Very effective in explicit-state model checking
– Symbolic Model Checking yet to benefit
Background: Modeling Language
• Process-oriented modeling language
– Each process maintains local variables
– Each process has a program counter
• System
– Concurrent processes
– Global variables
– Point-to-point channels
• Each process is specified as statements
– Statements are formalized as transition functions
– Multiple statements per pc value allowed,
i.e. non-determinism
• Example: Promela
Background: Partial-Order Reduction
[Figure: two independent transitions, x=1 and y=2, leaving the joint state (s0, s0'). Either order reaches the same state (s1, s1'), via (s1, s0') or (s0, s1'), so it suffices to choose a representative set of paths.]
Background: Partial-Order Reduction
• Two kinds of state-expansion
– Full Expansion
generate next states for all enabled transitions
– Partial Expansion
expand only a subset of enabled transitions,
postponing all others
• Challenges:
– How to choose such a subset? (-> deterministic states)
– How to avoid transitions being postponed indefinitely? (-> proviso)
Background: Deterministic States
• Which subset of enabled transitions to choose?
• Deterministic state for a process P:
– Only one transition t of P enabled at that state
– Can be taken without affecting property to be verified
A state s is deterministic for a process P iff:
– only one transition t of P is enabled in s
– t commutes with transitions that can be executed by other processes
– executing t does not disable transitions of other processes
– executing a transition of another process cannot disable or enable any transition of P
• Partial Expansions of deterministic states
– Do not need to consider all interleavings
Background: Partial-Order Reduction
• Avoiding transitions being postponed indefinitely: Proviso
[Figure: state graph with states S1–S4 and transitions t0–t5, showing how partial expansions around a cycle can postpone a transition indefinitely]
• SPIN: In-Stack Proviso
– A Partial Expansion must not generate a state that is on the DFS stack
– Otherwise, must do Full Expansion
Combining POR with Symbolic Model Checking
• POR developed for explicit-state
– DFS
– Stack: for proviso check
• Whereas symbolic verification
– Involves a BFS-like algorithm
– No stack exists
– Only frontier at hand
Twophase Partial-Order Algorithm
• Nalumasu, Gopalakrishnan [1997]
– Modified proviso check
– Alternating phases
• Phase 1: Do for each process in sequence: expand if in a deterministic state
• Phase 2: Full expansion of the current state
• Proviso check:
[Figure: (a) and (b) show runs over states S1–S8 in which expansions of processes P1 and P2 alternate; this form of the proviso check suits the symbolic case]
New Approach: ImProviso
• Implicit Proviso check
– Employs BDDs
• Motivation
– Based on Twophase (explicit-state)
– Observation: can be formulated in an implicit way
– Crucial point: more efficient proviso than previous techniques
• New Contributions:
– Defining the transition relation
– Implicit formulation
– Dropping the determinism
– Additional fixpoint computation
• Automated and incorporated into NuSMV
ImProviso: Defining the Transition Relation
• Two transition relations:
– TR1: all transitions from deterministic states (Phase 1)
– TR2: entire system (Phase 2)
• TR1 is further partitioned:
– one transition relation for each process Pi
• Example:
– Statement reads from a channel into a local variable
– States in which the channel is not empty are
deterministic
– TR1 := channel is not empty => TR-stmt
ImProviso: Dropping the Determinism
• Twophase:
– Only one transition in Phase 1 may be enabled
– Simplifies Twophase implementation
– Not necessary for correctness
• ImProviso allows non-determinism in Phase 1
– Multiple enabled transitions in each process
– Each enabled transition must fulfill other conditions of
a deterministic state
• BFS search, i.e. enabled transitions expanded at
the same time
ImProviso: Illustration
Promela model:

    bool c=-1;                /* global variable written by both p1 and p2 */
    chan a = [1] of {int};    /* point-to-point channel, capacity 1 */
    active proctype rec() {
        int x=0;
        bool d;
        d=0;                  /* local variable of rec */
        a?x;                  /* deterministic only in states where a is non-empty */
    }
    active proctype send() {
        a!1;
    }
    active proctype p1() {
        c=0;
        ...
    }
    active proctype p2() {
        c=1;
        ...
    }

[Figure: state graph of the model with edges labelled rec: d=0, send: a!1, rec: a?x, p1: c=0 and p2: c=1, each annotated 1 or 2 for the phase in which it is expanded]
ImProviso: Illustration
Same Promela model as on the previous slide.
[Figure: the same state graph, now marking the Phase 1 fixed point; edges rec: d=0, send: a!1, rec: a?x, p1: c=0 and p2: c=1 annotated 1 or 2 for the phase in which they are expanded]
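To make Phase 1 and Phase 2 concrete, here is an added Python sketch (not code from the slides or from NuSMV) that explores the rec/send/p1/p2 model above over sets of states, with and without the Phase 1 fixpoint. Assumptions: plain Python sets stand in for BDDs; rec's and send's statements are the only Phase 1 transitions (a?x only when the channel is non-empty, a!1 only when it is empty); and a state reproduced within one Phase 1 run is treated as a Phase 1 cycle that forces full expansion, a simplified stand-in for the proviso check.

```python
# Constructed toy model of the illustration above: processes rec, send, p1, p2, channel a
# (capacity 1) and shared global c. State = (pc_rec, pc_send, pc_p1, pc_p2, chan, c, x, d).
INIT = (0, 0, 0, 0, (), -1, 0, 0)  # chan is () when empty or (value,) when full
def rec_det(s):  # TR1 for rec: d=0 touches only a local; a?x is deterministic when a is non-empty
    pr, ps, p1, p2, ch, c, x, d = s
    if pr == 0:
        return (1, ps, p1, p2, ch, c, x, 0)
    return (2, ps, p1, p2, (), c, ch[0], d) if pr == 1 and ch else None
def send_det(s):  # TR1 for send (assumption: a!1 on a point-to-point channel is deterministic when a is empty)
    pr, ps, p1, p2, ch, c, x, d = s
    return (pr, 1, p1, p2, (1,), c, x, d) if ps == 0 and not ch else None
def p1_p2(s):  # p1 and p2 both write the shared global c, so neither transition belongs to TR1
    pr, ps, p1, p2, ch, c, x, d = s
    return ([(pr, ps, 1, p2, ch, 0, x, d)] if p1 == 0 else []) + (
        [(pr, ps, p1, 1, ch, 1, x, d)] if p2 == 0 else [])
TR1 = [rec_det, send_det]  # one Phase 1 relation per process, applied in this order
def TR2(s):  # Phase 2: full expansion, every enabled transition of every process
    return [t for t in (f(s) for f in TR1) if t is not None] + p1_p2(s)

def phase1(frontier):
    """Push the state set through each process's TR1 to a fixpoint, process by process; returns
    (end states for Phase 2, all states reached inside Phase 1). A state produced twice in one
    run counts as a Phase 1 cycle and is left for full expansion (simplified proviso check)."""
    cur, seen = set(frontier), set()
    for tr in TR1:
        while True:
            nxt = set()
            for s in cur:
                t = tr(s)
                if t is None or t in seen:  # no TR1 move, or a Phase 1 revisit: keep s for Phase 2
                    nxt.add(s)
                else:
                    seen.add(t); nxt.add(t)
            if nxt == cur:
                break
            cur = nxt
    return cur, seen

def reachable(init, reduced=True):
    """BFS over sets of states (plain sets stand in for BDDs); reduced=True runs Phase 1 first."""
    visited, expanded, frontier = {init}, set(), {init}
    while frontier:
        if reduced:
            frontier, seen = phase1(frontier)
            visited |= seen
        frontier -= expanded  # end states that were fully expanded earlier need no Phase 2
        expanded |= frontier
        frontier = {t for s in frontier for t in TR2(s)}
        visited |= frontier
    return visited
```

Full expansion visits all 25 reachable states of this model, while the two-phase search visits 10, since the interleavings of rec and send with the conflicting writes of p1 and p2 are no longer enumerated.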
ImProviso: Implicit Formulation
• Implicit formulation of the algorithm
– conceptually simple but… not so easy to get right
• Reason: paths may have different lengths
– BFS instead of DFS
• ImProviso: ‘tighter’ over-approximation than previous
symbolic methods
– Problem: visited vs. in-stack
• Cycles contained within Phase 1 -> handled by a local check
• Cycles larger than Phase 1 -> no issue!
Related Work
• Two other approaches combine PO and Symbolic Model Checking:
– Kurshan et al.: Preprocess the model
– Alur et al.: BDD-based
[Figure: Alur's approach, a stack of expansions (P1, P2, P1) relative to the current image, compared with ImProviso (a single P1 expansion)]
Implementation
[Figure: Promela specifications -> Promela2SMV translator (adds Phase 1 and Phase 2 information) -> NuSMV + ImProviso]
• Automated Model Checking framework
– ImProviso implemented in NuSMV
• Current examples translated from Promela
• Considerable effort to compare with explicit
state model checkers
– e.g., atomic construct in Spin
Comparison: NuSMV vs. NuSMV-ImProviso

                         NuSMV                              NuSMV-ImProviso
Example                  #states     time       memory      #states     time       memory
Migratory Protocol (2)   4864210     3217.69s   63.6 MB     155040      108.63s    56.3 MB
Stable Marriage (2)      1270        0.87s      6.2 MB      710         0.84s      7.3 MB
Stable Marriage (3)      3107        4.26s      10.3 MB     1275        2.72s      10.4 MB
Stable Marriage (5)      71495       112.25s    24.7 MB     10351       31.56s     30.0 MB
Best (7)                 2187        0.08s      0.7 MB      15          0.06s      0.7 MB
Best (20)                3486780000  0.56s      5.7 MB      41          0.34s      5.7 MB
Worst (3)                27          0.04s      0.3 MB      15          0.04s      0.3 MB
Worst (20)               3486780000  0.46s      5.0 MB      2097150     0.36s      5.0 MB
Worst (100)              N/A¹                                2.54E+30    14.34s     14.6 MB

• #states: significant reduction
• Time: significant reduction
• Memory: No reduction
Comparison: NuSMV-ImProviso, PV, and SPIN

                         NuSMV-ImProviso                 PV                              SPIN
Example                  #states    time      memory     #states   time      memory     #states   time      memory
Migratory Protocol (2)   155040     108.63s   56.3 MB    86246     1.00s     4.3 MB     435456    2.34s     42.8 MB
Stable Marriage (2)      710        0.84s     7.3 MB     595       <0.01s    2.2 MB     568       <0.01s    1.5 MB
Stable Marriage (3)      1275       2.72s     10.4 MB    1135      <0.01s    2.2 MB     945       <0.01s    1.5 MB
Stable Marriage (5)      10351      31.56s    30.0 MB    9063      0.14s     2.6 MB     8421      0.03s     2.1 MB
Best (7)                 15         0.06s     0.7 MB     15        <0.01s    2.2 MB     2187      0.03s     1.5 MB
Best (20)                41         0.34s     5.7 MB     41        <0.01s    2.2 MB     N/A¹
Worst (3)                15         0.04s     0.3 MB     27        <0.01s    2.1 MB     15        <0.01s    1.5 MB
Worst (20)               2097150    0.36s     5.0 MB     N/A¹                           2097150   15.03s    110.6 MB
Worst (100)              2.54E+30   14.34s    14.6 MB    N/A¹                           N/A¹

• SPIN and PV are faster, if they can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches PV and SPIN on Best, Worst
Comparison: Leader Election Protocol

Non-PO:
     NuSMV                            PV                               SPIN
#    #states   time       memory      #states   time       memory      #states   time       memory
2    70        0.11s      1.1 MB      70        <0.01s     2.1 MB      70        <0.01s     1.5 MB
3    488       0.57s      4.6 MB      488       0.03s      2.2 MB      488       <0.01s     1.5 MB
4    3576      6.77s      10.6 MB     3576      0.38s      2.5 MB      3576      0.10s      2.3 MB
8    N/A¹                             N/A¹                             N/A¹

PO:
     NuSMV-ImProviso                  PV                               SPIN
#    #states   time       memory      #states   time       memory      #states   time       memory
2    48        0.10s      1.0 MB      48        0.04s      2.1 MB      48        0.02s      1.5 MB
3    209       0.31s      3.0 MB      209       <0.01s     2.2 MB      209       <0.01s     1.5 MB
4    922       1.77s      10.4 MB     922       0.04s      2.2 MB      922       <0.01s     1.7 MB
8    306903    3553.86s   381.8 MB    306903    28.62s     60.4 MB     306903    11.82s     232.8 MB

• Models of the same size in SMV and Promela
• Same reduction
• SPIN, PV faster until…
Leader with Non-deterministic Initial State

Non-PO:
     NuSMV                            PV                               SPIN
#    #states   time       memory      #states   time       memory      #states   time       memory
2    187       0.17s      3.0 MB      187       <0.01s     2.1 MB      187       <0.01s     1.5 MB
3    5602      5.61s      12.5 MB     5602      0.32s      2.6 MB      5602      0.07s      2.4 MB
4    473173    650.25s    62.9 MB     473173    46.62s     49.1 MB     473173    13.58s     119.7 MB
5    N/A¹                             N/A¹                             N/A¹

PO:
     NuSMV-ImProviso                  PV                               SPIN
#    #states   time       memory      #states   time       memory      #states   time       memory
2    119       0.17s      3.3 MB      139       <0.01s     2.1 MB      119       <0.01s     1.5 MB
3    2566      2.14s      11.7 MB     3298      0.12s      2.4 MB      2566      0.07s      1.9 MB
4    135173    133.69s    37.6 MB     167173    6.99s      18.9 MB     135173    1.81s      34.3 MB
5    7699370   11635.00s  829.2 MB    N/A¹                             N/A¹
Future Work
• Reduce memory and run time
– BDD blowup problem
– BDD algorithms optimized for Concurrent Software
• Verification of both safety and liveness
properties
– Only safety now
• Flexible input languages
– Only Promela now
Conclusions
• Novel Partial Order Reduction algorithm for
Symbolic Model Checking
– Incorporated into NuSMV
• Illustrated the effectiveness with several
benchmark examples
• Current focus is on tackling large run-time and
memory problems
• Symbolic Model Checking of Software, Software
Model Checking Workshop CAV’03