We propose a novel approach to prototype and create symbolic model-checkers. Our approach focuses on providing a high level abstraction above Decision Diagrams. It allows the model-checker creator to start from a high level formal semantics and to define an efficient Decision Diagram based model-checker.
Towards a General Approach for Symbolic Model-Checker Prototyping
Edmundo López Bóbeda, Maximilien Colange, Didier Buchs
Wednesday, September 24th 2014 - Enschede, Netherlands
Your awesome DSL → Abstract semantics → Symbolic Model checker

Your awesome DSL → Abstract semantics → Translation → Existing Symbolic Model checker

Translation: too much work!
• Your awesome DSL: high level data structures, custom operations, rich data types
• Existing Symbolic Model checker: low level, fixed primitive operations

Our approach: Your awesome DSL → Abstract semantics → Translation → Set rewriting → Translation → Decision diagrams
Our contribution: the set rewriting layer that sits between the abstract semantics and the decision diagrams
Abstract semantics: In context
• High level representation
• Suitable for humans
Abstract semantics: Variable assignation
• Let s be a state of a system
• s = {A = k1, B = k2, …}
• k, k1, k2, c ∈ ℕ
• A, B, etc. variable names
⟨B := c, s⟩ → s[B = k / B = c]
Set rewriting: In context
• Rewriting and strategies
• Good semantic framework [Martí-Oliet & Meseguer 1993]
• Operational semantics
Set rewriting: A state
• Variables
• var(A, 0, var(B, 2, var(C, 3, empty)))
Set rewriting: Operational semantics / Variable Assignation
⟨B := c, s⟩ → s[B = k / B = c]
• var(A, 0, var(B, 2, var(C, 3, empty)))
• var(B, $x, $s) ⤳ var(B, c, $s), k ∈ ℕ
• Problem:
• Non determinism ⇒ performance hit, ambiguity
Rewriting strategies: Goal
• Introduced in ELAN [Borovanský et al. 1996]
• Control rewriting
• Avoid ambiguity
• Improve speed
Rewriting strategies: What are they
• Rewrite rules
• Strategies
Rewriting strategies: Basic strategy
• Basic strategy (a list of rewrite rules)
• Application to root term only
• The first applicable rule is applied
• Otherwise, fail
Rewriting strategies: Other useful strategies
• Identity[t] = t
• Fail[t], always fails
• (S1 orElse S2)[t] = S1[t], or S2[t] if S1[t] fails
• Conditional application of strategies
• (S1 andThen S2)[t] = S2[S1[t]]
• Sequential composition of strategies
• Subterm_k(S)[f(t1, …, tn)] = f(t1, …, S[tk], …, tn)
• Apply strategy to subterm
Set rewriting: Operational semantics / Variable Assignation
⟨B := c, s⟩ → s[B = k / B = c]
• var(A, 0, var(B, 2, var(C, 3, empty)))
• assignK = { var(B, $x, $s) ⤳ var(B, c, $s) }
• applyToB(S) = S orElse (Subterm3(applyToB(S)))
• transition = applyToB(assignK)
Set rewriting: Set extension
• In practice
• Strategies and rewrite rules applied to sets of terms
• Allow also to describe model checking computation
Set rewriting: Set extension
• Natural extension
• S[{t1, …, tn}] = {S[t1], …, S[tn]}
• Set strategies, T = {t1, …, tn}
• Union(S1, S2)[T] = S1[T] ∪ S2[T], if both succeed
• Fixpoint(S)[T] = μT.S[T]
Set rewriting: Computing state space
⟨B := c, s⟩ → s[B = k / B = c]   transition1 = …
semantic formula 2                 transition2 = …
…
semantic formula n                 transitionn = …
calculateSS = Fixpoint(Union(transition1, transition2, …, transitionn))
Set rewriting: Saturation (for connoisseurs)
• Well known DD optimization technique
• Apply local fixpoint in order to reduce peak effect
• Sat_n(S) = (Subterm_n(Sat_n(S)) orElse Fixpoint(S)) andThen Fixpoint(S)
• Example state: var(A, 1, var(B, 2, var(C, 0, empty)))
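The strategy definitions from the preceding slides (basic strategy, orElse, andThen, Subterm_k, applyToB, the set extension with Union and Fixpoint, and calculateSS over several transitions) as a small Python engine. This is an added example, not Stratagem's code or the authors' code. Assumptions made for the example: states are nested tuples ("var", name, value, rest) ending in ("empty",); `update(name, f)` generalises the slides' assignK to an arbitrary value function; the third transition (C := (C + 1) mod 2) is constructed; set strategies drop the terms on which they fail and fail only when nothing survives; and Fixpoint is read as accumulating, T ← T ∪ S[T] until stable. Saturation is not implemented.

```python
from typing import Callable, FrozenSet, Optional

EMPTY = ("empty",)  # terms are nested tuples ("var", name, value, rest) ending in ("empty",), as on the slides

def var(name: str, value: int, rest: tuple) -> tuple:
    return ("var", name, value, rest)

class Fail(Exception): pass  # raised when a strategy does not apply (the slides' 'fail')

def basic(*rules: Callable[[tuple], Optional[tuple]]):
    """Basic strategy: rules are tried at the root term only; the first applicable one is applied, else fail."""
    def s(t: tuple) -> tuple:
        for r in rules:
            out = r(t)
            if out is not None:
                return out
        raise Fail(t)
    return s

def or_else(s1, s2):
    """(S1 orElse S2)[t] = S1[t], or S2[t] if S1[t] fails."""
    def s(t: tuple) -> tuple:
        try:
            return s1(t)
        except Fail:
            return s2(t)
    return s

def and_then(s1, s2):
    return lambda t: s2(s1(t))  # (S1 andThen S2)[t] = S2[S1[t]]

def subterm(k: int, s):
    """Subterm_k(S)[f(t1, ..., tn)] = f(t1, ..., S[tk], ..., tn); fails if f has fewer than k arguments."""
    def st(t: tuple) -> tuple:
        args = list(t[1:])
        if k > len(args):
            raise Fail(t)
        args[k - 1] = s(args[k - 1])
        return (t[0], *args)
    return st

def update(name: str, f: Callable[[int], int]):
    """Rule var(name, $x, $s) ~> var(name, f($x), $s); with a constant f this is the slides' assignK (assumed generalisation)."""
    def r(t: tuple) -> Optional[tuple]:
        if t[0] == "var" and t[1] == name:
            return var(name, f(t[2]), t[3])
        return None
    return r

def apply_to(s):
    """applyToB(S) = S orElse Subterm3(applyToB(S)): descend the 'rest' chain until S applies."""
    def rec(t: tuple) -> tuple:
        return or_else(s, subterm(3, rec))(t)
    return rec

def lift(s):
    """Set extension S[{t1, ..., tn}] = {S[t1], ..., S[tn]}; terms where S fails are dropped, and the set strategy fails if none survive (assumption)."""
    def ss(T: FrozenSet[tuple]) -> FrozenSet[tuple]:
        out = set()
        for t in T:
            try:
                out.add(s(t))
            except Fail:
                continue
        if not out:
            raise Fail(T)
        return frozenset(out)
    return ss

def union(*ss):
    """Union(S1, S2)[T] = S1[T] ∪ S2[T], succeeding only if every Si succeeds."""
    def u(T: FrozenSet[tuple]) -> FrozenSet[tuple]:
        out: FrozenSet[tuple] = frozenset()
        for s in ss:
            out = out | s(T)  # a Fail raised by any Si propagates
        return out
    return u

def fixpoint(s):
    """Fixpoint(S)[T] = μT.S[T], iterated here as T <- T ∪ S[T] until stable (assumed accumulating reading)."""
    def fp(T: FrozenSet[tuple]) -> FrozenSet[tuple]:
        current = frozenset(T)
        while True:
            try:
                nxt = current | s(current)
            except Fail:
                return current
            if nxt == current:
                return current
            current = nxt
    return fp

def compute_state_space(initial: tuple) -> FrozenSet[tuple]:
    """calculateSS = Fixpoint(Union(transition1, ..., transitionn)) with three constructed transitions."""
    transition1 = lift(apply_to(basic(update("B", lambda _: 5))))            # B := 5
    transition2 = lift(apply_to(basic(update("A", lambda _: 1))))            # A := 1
    transition3 = lift(apply_to(basic(update("C", lambda x: (x + 1) % 2))))  # C := (C + 1) mod 2
    calculate_ss = fixpoint(union(transition1, transition2, transition3))
    return calculate_ss(frozenset({initial}))
```

Running `compute_state_space` on the slides' state var(A, 0, var(B, 2, var(C, 3, empty))) yields the 2 × 2 × 3 = 12 reachable states (A ∈ {0, 1}, B ∈ {2, 5}, C ∈ {3, 0, 1}). The recursion in `apply_to` stops with a failure on `empty`, which has no third argument, so a rule for a variable absent from the state fails instead of looping. Because `union` follows the slide and fails as soon as one transition fails, a transition that is enabled in no current state ends the fixpoint early in this toy; the three constructed transitions are always enabled, so this does not arise here.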
Decision Diagrams: In context
• Fast
• Large state spaces
• Suitable for model checking

The idea is that you never have to think in terms of DD again… so we won't talk about them :-)
Implementation
• We have a tool that implements the approach
• Stratagem http://sourceforge.net/projects/stratagem-mc/ (written in Java and Scala)
• ~3700 lines of Scala code (DD and Strategies engine)
• Java code generated from model (Eclipse EMF, XText)
• Implemented translation for Petri nets
• Implemented translation for SPIN-like formalism
Practical results: Presentation
• Petri nets taken from the Model checking contest @ PETRI NETS 2014 [Kordon et al. 2014]
• Marcie [Heiner et al. 2013] was the best model checker for the state space category
• Since then we only improved the translation
Practical results: Kanban problem
• Small Petri net
• 16 places & 16 transitions, marking changes with scale parameter
• State space for scale parameter 100
• 1.7263 · 10^19 states
Practical results: Kanban problem
[Plot: time in seconds (ticks 0.1, 1, 10, 100) against model size (scale parameter 10, 20, 50, 100); series Marcie and Stratagem]
Practical results: SharedMem problem
• Petri net's places and transitions increase with scale parameter
• 2651 places & 5050 transitions for scale parameter 50
• State space for scale parameter 50
• 5.87 · 10^26 states
Practical results: SharedMem problem
[Plot: time in seconds (ticks 0.1, 1, 10, 100, 1000) against model size (scale parameter 5, 10, 20, 50); series Marcie and Stratagem]
Limitations
• Non-linear rules are not allowed (but can be simulated)
• Verification not yet implemented
Conclusions
• New approach
• Better results just by changing the strategy
• More general and unified
• Good benchmarks
Future work
• Systematically go from SOS rules to rewrite strategies
• Create more translations
• Implement CTL model checking using strategies

Questions?
Bibliography
Narciso Martí-Oliet and José Meseguer. Rewriting Logic as a Logical and Semantic Framework. 1993.
Peter Borovanský, Claude Kirchner, Hélène Kirchner, Pierre-Etienne Moreau and Marian Vittek. ELAN: A logical framework based on computational systems. Electronic Notes in Theoretical Computer Science 4(0):35–50, 1996.
M. Heiner, C. Rohr and M. Schwarick. MARCIE - Model checking And Reachability analysis done effiCIEntly. In Proc. PETRI NETS 2013, Milano, Springer, LNCS, volume 7927, pages 389–399, June 2013.
Kordon et al. HTML results from the Model Checking Contest @ Petri Net (2014 edition). http://mcc.lip6.fr/2014, 2014.

The paper for this presentation can be found at: http://edmundo.lopezbobeda.net/publications