yang liu, jun sun and jin song dong school of computing national university of singapore
TRANSCRIPT
Scalable Multi-core Model Checking Fairness Enhanced Systems
Yang Liu, Jun Sun and Jin Song Dong School of Computing
National University of Singapore
2
OutlineGeneral Introduction to PAT
http://pat.comp.nus.edu.sgMotivation: Parallel Model Checking Model Checking with FairnessExperiment ResultsConclusion
3
Model CheckingDetermining whether a model satisfies a
property by the means of exhaustive searching.
Model
Model Checker
PropertyCounterexample!
4
Model Checking Works!Three researchers won Turing Award 2007
for their pioneer work on model checking! Intel Core i7 processor is verified by symbolic
model checking completely without executing a single test case!
The Slam project from Microsoft successfully detected many bugs in many driver software!
5
PAT: MotivationWe aim to develop a self-contained
framework for formal specification and verification of compositional systems which involves,concurrency, real-time,complex data structures and operations,complicated control flows,and etc.
6
PAT: Architecture
7
MotivationModel checking is
limited by state space explosion.
We do have multiple cores nowadays!
8
Safety“Something bad
never happens”Reachability analysis
Depth-first searchBreadth-first search
9
Liveness“Something good
eventually happens”Liveness checking =
bad loop searchingNested depth-first-
searchSCC-based
algorithms
FairnessLiveness often requires fairness!
Process level weak/strong fairnessEvent level weak/strong fairnessStrong global fairness
Verification under FairnessAutomata-based LTL model checking
weak fairness: SCC search strong fairness: strongly connected sub-graph
searchstrong global fairness = terminal SCC search
Verification under FairnessA lasso is counterexample if and only if the
loop is fair and it fails the liveness property.It is (process-level) weak fair iff there is NO
process which is always enabled during the loop and never made any progress.
It is (process-level) strong fair iff there is NO process which is enabled during the loop and never made any progress.
It is strong global fairness iff …
13
Sequential AlgorithmA: Find SCC-0
B: Check if SCC-0 is fair
Is Not Fair
C: Generate Counterexample
True
Is Fair
14
Parallel AlgorithmThread 1Thread 2
Thread 4
Thread 3
A0 B0
A1 B1 A2 B2
15
Parallel AlgorithmThread 1Thread 2
Thread 4
Thread 3
A0
B0
A1
B1
A2
B2
16
EffectivenessOverhead – negligible
Based on shared-memory architecture.Depends on how expensive checking whether
a SCC satisfies the fairness constraintWeak fairness: linear in the number of
transitionsStrong fairness: bounded by #states *
#transitionsGlobal fairness: linear in the number of
transitions
17
Experiment A
18
Experiment B
19
Experiment (cont’d)
20
ConclusionA simple way of making use of multi-cores for
model checking with fairness.The technique is available in PAT.
http://pat.comp.nus.edu.sgRelated work
Spin’s liveness checking algorithm for dual-core systems
Barnat et al. multi-core LTL model checkingMAP, OWCTY, NEGC, OBF