Efficient Hybrid Reachability Analysis for Asynchronous Concurrent Systems
E. Pastor and M.A. Peña
Department of Computer Architecture
Technical University of Catalonia (UPC)
Barcelona, Spain
Context and Goals
Hybrid strategy for reachability analysis oriented to asynchronous concurrent systems.
Why hybrid state exploration?
- The system is too large
- An early counter-example is required with low computation cost
Why a special focus on concurrent systems?
- Performance of classical state exploration is low
- The structure of the state space can be partially analyzed
Context and Goals
[Figure: circuit with signals a, b, c, d and its environment]
Simple example:
Initial state: a = 1, b = c = d = 0; a is ready to fall.
Context and Goals
[Figure: the same circuit with the event sequence that follows from the initial state: a-, then c+ and b+, then b+, d+, c+, then b+, d+, then a+, ...]
Transition systems: FSM-like model
- States, transitions and events
- State generation: initial state + transition relation -> reachable states
- Iterate until a fix-point is reached
Outline
Background
Overview of the hybrid strategy
Causality analysis
State space exploration by simulation
Guided-traversal
Experimental results
Conclusions
Background: Transition Systems
[Figure: transition system of the example over the 4 Boolean variables abcd; states s0..s7 are encoded as 1000, 0000, 0010, 0100, 0011, 0110, 0111, 1111, following the event sequence a-, then c+/b+, then b+/d+/c+, then b+/d+, then a+, ...]
Background: Transition Systems
[Figure: the same transition system, with the states in which c+ is enabled highlighted]
Fr(c+) = {0000, 0100}
Tr(c+): disjunctive transition relation. Each event transition relation Tr(e) is manipulated separately.
Background: Transition Systems
Breadth First Search (BFS) state exploration does not exploit the peculiarities of concurrent systems.
Much more efficient results are obtained by using a mixed (BFS/DFS) strategy called chaining: the firing order is crucial.
[Figure: diamond s0 -a-> s1, s0 -b-> s2, s1 -b-> s3, s2 -a-> s3, explored by BFS and by chained BFS]
[Figure: transition system with states s0..s12 and events a..g, explored by BFS, by chained BFS with firing order {a,b,c,d,e,f,g}, and by chained BFS with firing order {e,a,g,c,b,f,d}]
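As an added example (not from the slides), an explicit-state rendering of BFS versus chained BFS over the disjunctive transition relation Tr(e) of the 4-variable example. The transition system is reconstructed from the slide's figure, which is an assumption, and the chained variant is run with two firing orders to show that the order decides how many iterations the fix-point takes.

```python
# Added example (not from the slides): BFS versus chained BFS over a disjunctive
# transition relation, one relation Tr(e) per event, with explicit state sets
# standing in for the BDDs of the slides. The transition system is reconstructed
# from the slide's 4-variable figure (states are "abcd" bit strings): an assumption.
TR = {
    "a-": {("1000", "0000")},
    "c+": {("0000", "0010"), ("0100", "0110")},              # Fr(c+) = {0000, 0100}
    "b+": {("0000", "0100"), ("0010", "0110"), ("0011", "0111")},
    "d+": {("0010", "0011"), ("0110", "0111")},
    "a+": {("0111", "1111")},
}
ALL_STATES = {"1000", "0000", "0010", "0100", "0011", "0110", "0111", "1111"}


def image(tr_e, states):
    """Successors of `states` under one event relation Tr(e)."""
    return {t for s, t in tr_e if s in states}


def bfs(tr, init):
    """Classical BFS: every iteration applies all events to the current frontier.
    Returns (reached states, number of iterations until the fix-point)."""
    reached, frontier, iterations = {init}, {init}, 0
    while frontier:
        iterations += 1
        successors = set()
        for e in tr:
            successors |= image(tr[e], frontier)
        frontier = successors - reached
        reached |= successors
    return reached, iterations


def chained_bfs(tr, init, order):
    """Chained BFS: events are applied one after another in `order`, and each
    image is taken from the set that already includes this iteration's new states.
    Returns (reached states, number of iterations until the fix-point)."""
    reached, iterations = {init}, 0
    while True:
        iterations += 1
        before = len(reached)
        for e in order:
            reached |= image(tr[e], reached)
        if len(reached) == before:
            return reached, iterations
```

With the firing order that follows the causal chain (a-, c+, b+, d+, a+) all eight states are produced in a single pass, while the reversed order needs almost as many iterations as plain BFS.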
Overview of the hybrid strategy
First phase:
Simulation strategy using an automatic branching exploration of the state space.
Classical simulation algorithm, but...
- Separate choice from concurrency
- Causality analysis is used to identify branching states
- Concurrency alternatives are not explored during simulation; they are left for the second phase
Overview of the hybrid strategy
Second phase:
Traversal of a subset of the state space driven by the causality obtained from the simulation.
- Alternative sequences are used to drive a pseudo-traversal algorithm
- This traversal algorithm generates additional sequences equivalent to the original "modulo" concurrency
- States are generated in a single pass. No fix-point iteration is necessary
Causality analysis
Causality analysis is key to identify alternative branching sequences and to differentiate them from interleavings due to concurrency.
Types of causality to be encountered:
- Concurrency
- Symmetric conflict
- Asymmetric conflict
Causality analysis
Concurrency between a and b: both events can be executed interleaved.
[Figure: diamond s0 -a-> s1 -b-> s3 and s0 -b-> s2 -a-> s3]
Causality analysis
Symmetric conflict between a and b: each branch is mutually exclusive.
[Figure: s0 -a-> s1 and s0 -b-> s2, with no common successor]
Causality analysis
Asymmetric conflict between a and b: one branch disables the other.
[Figure: s0 -a-> s1, s0 -b-> s2 and s1 -b-> s3: firing a keeps b enabled, while firing b disables a]
State space exploration
Simulation algorithm:
Keep a list of "active" state sequences to be explored.
Take a sequence and analyze its bottom state:
1. Select an enabled event
2. If it is concurrent to all other successors, extend the sequence
3. If it is in conflict, duplicate the sequence: force the exploration of the selected event in one copy, and disable the event in the other
4. Keep both sequences active
Exploration of a sequence stops (and the sequence is stored) when:
1. Some state is already reached
2. The maximum exploration depth is reached
3. An error condition is identified
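The simulation procedure above, as an added example that is not part of the slides: a list of active sequences is kept, the bottom state of each is analyzed, and a sequence is duplicated only at a conflict (choice), never to explore a concurrent interleaving. The transition system and every name in it are constructed for this example.

```python
# Added example (not from the slides): the first-phase simulation algorithm over an
# explicit transition system. A list of active sequences is kept; a sequence is
# duplicated only at a conflict (choice), never to explore a concurrent interleaving.
# The transition system and all names are constructed for this example.

# Constructed system: s0 -x-> s1; a and b are concurrent at s1 (diamond s1-s2-s3-s4);
# c and e are in symmetric conflict at s4; d follows c.
TS = {
    "s0": {"x": "s1"},
    "s1": {"a": "s2", "b": "s3"},
    "s2": {"b": "s4"},
    "s3": {"a": "s4"},
    "s4": {"c": "s5", "e": "s6"},
    "s5": {"d": "s7"},
    "s6": {},
    "s7": {},
}


def concurrent(ts, state, e, f):
    """Diamond check: neither event disables the other and both orders meet."""
    after_e, after_f = ts[state][e], ts[state][f]
    return f in ts[after_e] and e in ts[after_f] and ts[after_e][f] == ts[after_f][e]


def simulate(ts, init, max_depth=10):
    """Return the stored sequences (lists of events) produced by the simulation."""
    active = [([], init, frozenset())]   # (events fired, bottom state, disabled events)
    reached = {init}
    stored = []
    while active:
        seq, state, disabled = active.pop()
        enabled = [ev for ev in ts[state] if ev not in disabled]
        if not enabled or len(seq) >= max_depth:
            stored.append(seq)                  # nothing to fire, or depth bound hit
            continue
        ev = enabled[0]                         # 1. select an enabled event
        if not all(concurrent(ts, state, ev, other) for other in enabled[1:]):
            # 3. conflict: keep a copy in which the selected event is disabled
            active.append((seq, state, disabled | {ev}))
        target = ts[state][ev]                  # 2./3. extend (or force) with ev
        if target in reached:
            stored.append(seq + [ev])           # state already reached: stop here
        else:
            reached.add(target)
            active.append((seq + [ev], target, frozenset()))
    return stored
```

On this system the simulation stores exactly two sequences, one per branch of the conflict at s4; the interleaving x b a ... of the concurrent pair is not explored, which is what the second phase is for.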
State space exploration
[Figure: first phase, simulation: sequences from the initial state through the state space; branching states mark where alternative sequences start]
Guided traversal
Second phase: expansion
1. Sequence selection
2. Causality extraction
3. Traversal guided by causality
[Figure: second phase: the selected sequences in the state space, from the initial state, are expanded into the alternative sequences]
Guided traversal
[Figure: one simulated sequence x, a, b, c, d, g, with the events enabled at each of its states]
A single sequence is a snapshot of the causality in the system.
Local causality can be extracted from a sequence by checking the enablings and firings of events at each state.
Guided traversal
Enabled events and fired event at each state of the sequence:
State  Enabled   Fired
0      {x}       x
1      {a,b}     a
2      {b,c,g}   b
3      {c,g}     c
4      {d,g}     d
5      {g}       g
6      Ø         -
Guided traversal
[Figure: time-line of the live-spans of x, a, b, c, d, g along the sequence, from the state where each event becomes enabled to the state where it fires]
The actual causality between events is determined by comparing the live-spans of the events.
A Causal Event Structure (CES) can be extracted.
Guided traversal
[Figure: the Causal Event Structure extracted from the live-spans of the sequence, drawn as a partial order: x, then a and b, then c, d and g]
Guided traversal
Equivalent sequences modulo concurrency (firing order, followed by the enabled set at each successive state):
x a b c d g:  {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø
x b a c d g:  {x} {a,b} {a} {c,g} {d,g} {g} Ø
x a c g b d:  {x} {a,b} {b,c,g} {b,g} {b} {d} Ø
x a g b c d:  {x} {a,b} {b,c,g} {b,c} {c} {d} Ø
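The causality extraction of the two preceding slides, as an added example that is not part of the slides: live-spans are computed from the enabled sets of the single sequence x a b c d g shown above, the local causal order is read off from them, and the firing orders that respect that order (the sequences equivalent modulo concurrency) are enumerated. The function names are this example's own.

```python
# Added example (not from the slides): extract local causality from one simulated
# sequence by comparing the live-spans of events, then enumerate the sequences
# that are equivalent to it modulo concurrency (the linearizations of that order).
from itertools import combinations

# Constructed from the slide: enabled set at each state of the sequence x a b c d g,
# and the event fired from that state (the last state enables nothing).
ENABLED = [{"x"}, {"a", "b"}, {"b", "c", "g"}, {"c", "g"}, {"d", "g"}, {"g"}, set()]
FIRED = ["x", "a", "b", "c", "d", "g"]


def live_spans(enabled, fired):
    """Map each event to (first state where it is enabled, state it fires from)."""
    return {e: (min(i for i, s in enumerate(enabled) if e in s), fired.index(e))
            for e in fired}


def local_causality(enabled, fired):
    """Return (causes, concurrent): e causes f when f becomes enabled exactly in
    the state produced by firing e; e and f are concurrent when their live-spans
    share a state (both enabled at once, and neither one disables the other)."""
    span = live_spans(enabled, fired)
    causes = {e: {f for f in fired if span[f][0] == span[e][1] + 1} for e in fired}
    concurrent = {frozenset((e, f)) for e, f in combinations(fired, 2)
                  if max(span[e][0], span[f][0]) <= min(span[e][1], span[f][1])}
    return causes, concurrent


def equivalent_sequences(causes):
    """All firing orders that respect the extracted causal order."""
    preds = {e: {p for p in causes if e in causes[p]} for e in causes}
    result = []

    def extend(prefix, placed):
        if len(prefix) == len(causes):
            result.append(tuple(prefix))
            return
        for e in causes:  # dictionary order keeps the output deterministic
            if e not in placed and preds[e] <= placed:
                extend(prefix + [e], placed | {e})

    extend([], set())
    return result
```

The order read from one sequence is local, as the slide says: it records that d is enabled by c but cannot see that d also waits for b, which only the alternatives x a c g b d and x a g b c d of the slide reveal; the guided traversal applies the candidate orders against the transition relation, where such a missing dependence shows up.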
Guided traversal
[Figure: the CES (x; a, b; c; d; g) beside the simulated sequence and the events enabled at each of its states, as the traversal expands the alternatives]
Guided traversal
All alternatives are reached in a single pass.
[Figure: the CES (x; a, b; c; d; g) beside the simulated sequence, with every alternative sequence expanded]
Experiments: reachability analysis
Examples: generate as many states as possible.
Columns: BDD = BDD size, States = reachable states, CPU = CPU time.

Example      | Simulation             | Traversal                 | Fixpoint
             | BDD     States  CPU    | BDD     States    CPU     | States    CPU
GALS-C       | 13485   381     0.5    | 16208   1.2e3     0.8     | 1.2e3     0.2
PCC-C        | 9120    306     0.5    | 21185   9.8e5     3.7     | 9.8e5     2.7
RGA-A        | 10493   142     0.5    | 33355   1.0e9     2.7     | 3.3e9     6.1
RGA-C        | 17480   221     1.2    | 148711  9.1e12    17.4    | 5.4e13    46.0
IPCMOS-C 4   | 8088    179     0.3    | 99799   8.05e9    21.6    | 8.15e9    44.1
IPCMOS-C 6   | 15191   263     0.6    | 278575  1.75e14   14.9    | 1.78e14   19.1
IPCMOS-C 4   | 13727   133     0.3    | 151493  1.16e7    25.6    | 1.16e7    48.4
IPCMOS-C 6   | 28481   241     0.9    | 179577  9.15e9    32.9    | 9.15e9    27.3
STARI-C 8    | 141299  5646    16.9   | 283725  9.73e11   126.0   | 1.07e12   73.0

The labels IPCMOS-C 4 and IPCMOS-C 6 appear twice in the extracted table and are kept as labelled.
Experiments: timed verification
Conclusions
- Concurrent systems require traversal strategies that differ from the classical ones used for synchronous systems
- Incremental analysis of the state space exploiting structural information from the system is possible
- We suggest a two-step hybrid traversal methodology
- Simulation provides information about the structure of the state space (alternative branches and event causality)
- Traversal exploits that information to speed up the generation of additional states
- However, traversal is too heavy due to the extensive use of chaining (a trade-off must be found)