I/O Efficient Directed Model

CheckingShahid Jabbar

and Stefan Edelkamp,

Computer Science DepartmentUniversity of Dortmund, Germany

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 2

Problem In explicit-state model checking, most

real-world models require enormous amount of memory.

How to cope with this state space explosion problem ?

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 3

Directed Model Checking (Edelkamp, Leue, Lluch-Lafuente, 2004)

A guided search in the state space. Usually by some heuristic estimate. Only promising states are explored. Under-certain conditions proved to be

complete.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 4

A Closer look at different strategies

Depth first

Breadth first

A*Best first

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 5

Advantages of Directed Model Checking Partial exploration of the state space. Shorter error trails

Better for human comprehension

Problem: The inevitable demands of the model .. Space,

space and space.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 6

Possible Solution Use Virtual Memory.

Assume a bigger address space divided into pages.

Saved on the hard disk but are moved back to the main memory whenever they are “called” – Page Faults.

Pages are mapped to physical locations within the main memory and the desired content is returned from the main memory location.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 7

Problem with the Virtual Memory

0x000…000

0xFFF…FFF

Virtual Address Space

Memory Page

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 8

External Memory Model (Aggarwal and Vitter)

Input of size N and N >> M

M

B

Disk

If the input size is very large, running time depends on the I/Os rather than on the number of instructions.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 9

External Memory Graph Algorithms External breadth first search [Munagala and

Ranade, 2001]: Generated states flushed to the disk for every BFS level.

No hash table.

Duplicates are removed by sorting the nodes according to the indices and doing an scan and compaction phase.

Before expanding a layer t, the nodes in the layer t-1 and t-2 are subtracted from t.

O(|V| + sort(|V| + |E|)) I/Os. where sort(N) = O(N / B logM/B N / B) I/Os

[Korf, 2003] presented the breadth first search version for implicit graphs.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 10

A* Algorithm A.k.a Goal-directed Dijkstra A heuristic estimate is used to guide the search.

E.g. Straight line distance from the current node to the goal in case of a graph with a geometric layout.

Reweighing: w’(u,v) = w(u,v) – h(u) + h(v) Problems:

A* needs to store all the states during exploration.

A* generates large amount of duplicates that can be removed using an internal hash table – only if it can fit in the main memory.

A* do not exhibit any locality of expansion. For large state spaces, standard virtual memory management can result in excessive page faults.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 11

Take a closer look Implicit, unweighted,

undirected graphs

Consistentheuristic estimates.

=> ∆h ={-1,0,1}

g

0

1

2

3

4

5

0 1 2 3 4 5 6

h

It’s a Bucket !

!

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 12

Bucket A Bucket is a set of states, residing on the disk, having the

same (g, h) value, Where, g = number of transitions needed to transform the

initial state to the states of the bucket, and h = Estimated distance of the bucket’s state to the goal

No state is inserted again in a bucket that is expanded. If Active (being read or written), represented internally by a

small buffer.

File on diskBuffer in internal memory

Insert state Flush when full

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 13

External A* [Edelkamp, Jabbar, and

Schroedl, 2004]

Buckets represent temporal locality – cache efficient order of expansion.

If we store the states in the same bucket together we can exploit the spatial locality.

Munagala and Ranade’s BFS and Korf’s delayed duplicate detection for implicit graphs.

External A*

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 14

Complexity Analysis Internal A* => Each edge is

looked at most once. Duplicates Removal:

Sorting the green bucket having one state for every edge from the 3 black buckets.

Scanning and compaction. O(sort(|E|))

Subtraction: Removing states of orange

buckets (duplicates free) from the green one.

O(scan(|V|) + scan(|E|))

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 15

I/O Performance of External A*

Theorem: The complexity of External A* in an implicit unweighted and undirected graph with a consistent estimate is bounded by O(sort(|E|) + scan(|V|)) I/Os.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 16

Directed Graphs in Model Checking In undirected graphs, we are required to look at only two

layers for duplicate detection.

But in model checking, we are mainly concerned with directed graphs.

Result by [Zhou & Hansen, 2004] Duplicate detection scope = Locality of the search

Locality = max{\delta(s,u)-\delta(s,v), 0} for all edges (u, v) \delta denotes the shortest path.

In directed graphs, scope corresponds to the largest cycle in the graph.

Largest cycle ≤ Sum of the largest cycles in individual processes.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 17

From SPIN to HSF-SPIN to IO-HSF-SPIN SPIN: A well-known model checker.

HSF-SPIN (Edelkamp, Leue, Lluch-Lafuente): Directed Model Checking Extension of SPIN.

IO-HSF-SPIN: External HSF-SPIN. Incorporates External A* in HSF-SPIN. Successfully implemented for deadlock detection. Active process heuristic is used to guide the search.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 18

Experimental Results -1 Deadlock Detection in Dining Philosophers

# Philoso-phers

Solution Depth

#stored sates

#expanded states

# transitions

Space

100 402 980,003 19,503 999,504 2.29 GB

150 603 3,330,003 44,253 3,374,254 10.4 GB

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 19

Experimental Results -2 Deadlock Detection in Optical Telegraph

# Sta-tions

Solution Depth

#stored sates #expanded states

# transitions Space

5 33 10,874 4,945 24,583 3.85 MB

7 45 333,848 115,631 820,319 137 MB

8 50 420,498 103,667 917,011 186 MB

9 57 9,293,203 2,534,517 23,499,519 4.29 GB

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 20

Experimental Results -3 CORBA GIOP – 1 Server, N Clients

# Clients

Solution Depth

#stored sates #expanded states

# transitions Space

2 58 48,009 39,260 126,478 33.5 MB

3 70 825,789 670,679 2,416,823 0.57 GB

4 75 7,343,358 5,727,909 22,809,278 5.17 GB

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 21

Experimental Results -4 CORBA GIOP – 2 Servers, N Clients

# Clients

Solution Depth

#stored sates #expanded states

# transitions Space

2 64 158,561 125,514 466,339 0.12 GB

3 76 2,705,766 2,134,724 8,705,588 2.1 GB

4 81 26,340,417 20,861,609 88,030,774 20.7 GB

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 22

Pause and Resume What if even your harddisk becomes full ?

Solution: Since the states are stored on the disk, the algorithm can be stopped at any time and resumed from the last working diagonal.

Shahid Jabbar (Dortmund) I/O Efficient Directed MC 23

Summary State space explosion problem can be circumvented by

Directed Model Checking.

But even Directed Model Checking can fail for the state spaces that cannot fit into the main memory.

External A* helps in overcoming this problem.

Extended for directed graphs as appear in Model checking.

First external directed model checker IO-HSF-SPIN.

Problem having a state space size of 20.7 GB is successfully solved.