Process Analysis Toolkit

Yang Liu, Jun Sun and Jin Song Dong
School of Computing
National University of Singapore
Outline
- General Introduction to PAT
  - http://pat.comp.nus.edu.sg
- Motivation: Parallel Model Checking
- Model Checking with Fairness
- Experiment Results
- Conclusion
Model Checking
- Determining whether a model satisfies a property by means of exhaustive search.

[Figure: the Model and the Property are fed into the Model Checker, which produces a Counterexample.]
Model Checking Works!
- Three researchers won the 2007 Turing Award for their pioneering work on model checking!
- The Intel Core i7 processor was verified by symbolic model checking, completely without executing a single test case!
- The Slam project from Microsoft successfully detected many bugs in driver software!
PAT: Motivation
- We aim to develop a self-contained framework for formal specification and verification of compositional systems that involve
  - concurrency,
  - real-time,
  - complex data structures and operations,
  - complicated control flows,
  - etc.
PAT: Architecture
Motivation
- Model checking is limited by state space explosion.
- We do have multiple cores nowadays!
Safety
- "Something bad never happens"
- Reachability analysis
  - Depth-first search
  - Breadth-first search
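Reachability analysis as described on this slide, written out as an added example (this is illustration code, not PAT's own implementation). The model, its state layout and the event names are constructed: two processes cycle idle -> trying -> critical -> idle, with or without a lock guarding the critical section, and the "bad" state is both processes being critical at once. The search returns the trace to a bad state as the counterexample; with breadth-first order that trace is a shortest one.

```python
"""Added example, not PAT's own code: reachability analysis for a safety
property ("something bad never happens") by exhaustive state-space search,
breadth-first or depth-first.  The model, state layout and event names are
constructed for illustration: two processes cycling idle -> trying ->
critical -> idle, with or without a lock guarding the critical section."""
from collections import deque

INIT = ("idle", "idle", None)      # (location of P0, location of P1, lock holder)
NEXT_LOC = {"idle": "trying", "trying": "critical", "critical": "idle"}


def make_successors(use_lock):
    """Interleaving semantics: each step is one move of one process.
    With use_lock, 'critical' is guarded by the lock being free and takes it."""
    def successors(state):
        *locs, lock = state
        for i, loc in enumerate(locs):
            if loc == "trying" and use_lock and lock is not None:
                continue                                  # blocked on the lock
            new_locs = list(locs)
            new_locs[i] = NEXT_LOC[loc]
            new_lock = lock
            if use_lock and loc == "trying":
                new_lock = i                              # acquire
            elif use_lock and loc == "critical":
                new_lock = None                           # release
            yield (f"P{i}.{NEXT_LOC[loc]}", (*new_locs, new_lock))
    return successors


def is_bad(state):
    """Mutual exclusion violated: both processes in their critical section."""
    return state[0] == "critical" and state[1] == "critical"


def check_safety(initial, successors, is_bad, order="bfs"):
    """Exhaustive search from `initial`.  Returns None if no bad state is
    reachable, else the trace [(event, state), ...] leading to one; with
    order="bfs" that trace is a shortest counterexample."""
    parent = {initial: None}   # state -> (event, predecessor); also the visited set
    frontier = deque([initial])
    take = frontier.popleft if order == "bfs" else frontier.pop
    while frontier:
        s = take()
        if is_bad(s):
            trace = []
            while parent[s] is not None:   # walk back to the initial state
                event, prev = parent[s]
                trace.append((event, s))
                s = prev
            return trace[::-1]
        for event, t in successors(s):
            if t not in parent:
                parent[t] = (event, s)
                frontier.append(t)
    return None
```

`check_safety(INIT, make_successors(False), is_bad)` returns a four-step trace ending in `("critical", "critical", None)`; with `make_successors(True)` it returns `None`, i.e. the lock makes the bad state unreachable.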
Liveness
- "Something good eventually happens"
- Liveness checking = bad loop searching
  - Nested depth-first search
  - SCC-based algorithms
Fairness
- Liveness often requires fairness!
  - Process level weak/strong fairness
  - Event level weak/strong fairness
  - Strong global fairness
Verification under Fairness
- Automata-based LTL model checking
  - weak fairness: SCC search
  - strong fairness: strongly connected sub-graph search
  - strong global fairness = terminal SCC search
Verification under Fairness
- A lasso is a counterexample if and only if its loop is fair and it fails the liveness property.
- The loop is (process-level) weak fair iff there is NO process that is always enabled during the loop and never makes any progress.
- The loop is (process-level) strong fair iff there is NO process that is enabled (at some point) during the loop and never makes any progress.
- It is strong global fair iff …
Sequential Algorithm
[Flowchart: A: Find SCC-0 -> B: Check if SCC-0 is fair. "Is Not Fair" -> back to A (next SCC); "Is Fair" -> C: Generate Counterexample. A yields "True" when no further SCC is found.]
Parallel Algorithm
[Figure: Thread 1 alone runs A0, B0, A1, B1, A2, B2 in sequence; Threads 2, 3 and 4 are idle.]
Parallel Algorithm
[Figure: Thread 1 runs the SCC searches A0, A1, A2; the fairness checks B0, B1, B2 run on Threads 2, 3 and 4 in parallel.]
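The fairness definitions, the sequential algorithm and the parallel algorithm above, worked through in one added example (illustration code, not PAT's own implementation). The product models, the state names and the process names are constructed: `ACCEPTING` marks the product states where the automaton for the negated liveness property accepts, so a fair, non-trivial SCC containing one of them is a counterexample. One thread enumerates SCCs (A0, A1, ...) while the per-SCC fairness checks (B0, B1, ...) run on a thread pool; the strong-fairness branch does the strongly connected sub-graph search, going beyond the single-SCC check the weak case needs.

```python
"""Added example, not PAT's own code: SCC-based liveness checking under
process-level weak or strong fairness.  One thread enumerates SCCs
(A0, A1, ...) while the per-SCC fairness checks (B0, B1, ...) run on a
thread pool, as on the 'Parallel Algorithm' slides.  The models, state
names and process names below are constructed for illustration."""
from concurrent.futures import ThreadPoolExecutor

# A model maps state -> list of (process, next_state).  Process p is
# enabled at a state iff p labels an outgoing transition of that state.
# ACCEPTING are the product states where the Buechi automaton for the
# negated property accepts ("the good thing has not happened"); s2 is good.
MODEL_1 = {"s0": [("P", "s1")],
           "s1": [("P", "s0"), ("Q", "s2")],
           "s2": [("P", "s2")]}
MODEL_2 = {"s0": [("P", "s1"), ("P", "s0")],   # MODEL_1 plus a self-loop on s0
           "s1": [("P", "s0"), ("Q", "s2")],
           "s2": [("P", "s2")]}
ACCEPTING = {"s0", "s1"}

def tarjan_sccs(graph):
    """Tarjan's algorithm: the SCCs of `graph` as frozensets, sinks first."""
    index, idx, low, stack, on_stack, sccs = 0, {}, {}, [], set(), []

    def visit(v):
        nonlocal index
        idx[v] = low[v] = index
        index += 1
        stack.append(v)
        on_stack.add(v)
        for _, w in graph[v]:
            if w not in idx:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], idx[w])
        if low[v] == idx[v]:            # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for v in graph:
        if v not in idx:
            visit(v)
    return sccs

def enabled(state, trans):
    return {p for p, _ in trans[state]}

def executed(scc, trans):
    """Processes that make progress inside scc (label an edge staying in it)."""
    return {p for s in scc for p, w in trans[s] if w in scc}

def is_loop(scc, trans):
    return len(scc) > 1 or any(w in scc for _, w in trans[next(iter(scc))])

def fair_bad_loop(scc, trans, accepting, fairness):
    """Return a fair, accepting strongly connected sub-graph of scc, or None.
    Weak fairness: one check per SCC (linear in its transitions).  Strong
    fairness: a process enabled somewhere in scc but never executed in it
    rules out every loop through the states where it is enabled, so drop
    those states and search the remaining strongly connected sub-graphs."""
    if not (scc & accepting) or not is_loop(scc, trans):
        return None
    if fairness == "weak":
        always = set.intersection(*(enabled(s, trans) for s in scc))
        return scc if not (always - executed(scc, trans)) else None
    starved = set.union(*(enabled(s, trans) for s in scc)) - executed(scc, trans)
    if not starved:
        return scc
    keep = {s for s in scc if not (enabled(s, trans) & starved)}
    sub = {s: [(p, w) for p, w in trans[s] if w in keep] for s in keep}
    for comp in tarjan_sccs(sub):
        found = fair_bad_loop(comp, trans, accepting, fairness)
        if found is not None:
            return found
    return None

def check_liveness(trans, accepting, fairness, workers=4):
    """Thread 1 (the caller) finds the SCCs; each fairness check is submitted
    to the pool.  Returns the first fair bad loop (a counterexample) or None
    (the liveness property holds under `fairness`)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(fair_bad_loop, scc, trans, accepting, fairness)
                   for scc in tarjan_sccs(trans)]
        for fut in futures:
            loop = fut.result()
            if loop is not None:
                return loop     # remaining checks finish when the pool closes
    return None
```

On `MODEL_1`, `check_liveness(..., "weak")` reports the loop `{s0, s1}` as a counterexample (process Q is enabled only at `s1`, so weak fairness does not force it), while `check_liveness(..., "strong")` returns `None`: Q is enabled in the loop and never executed, and pruning `s1` leaves no loop. On `MODEL_2` the self-loop on `s0` survives that pruning, so the strong-fair sub-graph search returns `{s0}`.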
Effectiveness
- Overhead: negligible
  - Based on a shared-memory architecture.
- Depends on how expensive it is to check whether an SCC satisfies the fairness constraint
  - Weak fairness: linear in the number of transitions
  - Strong fairness: bounded by #states * #transitions
  - Global fairness: linear in the number of transitions
Experiment A

Experiment B

Experiment (cont'd)
Conclusion
- A simple way of making use of multi-cores for model checking with fairness.
- The technique is available in PAT.
  - http://pat.comp.nus.edu.sg
- Related work
  - Spin's liveness checking algorithm for dual-core systems
  - Barnat et al. multi-core LTL model checking
    - MAP, OWCTY, NEGC, OBF