Partial-Order Reduction for General State Exploring Algorithms

Dragan Bošnački, Eindhoven University of Technology
Stefan Leue, University of Konstanz
Alberto Lluch Lafuente, Empoli

Main Messages
- Partial order reduction for general state exploring algorithms
- Covers depth first search, breadth first search and different directed search heuristics
- Crucial novelty: a new cycle proviso
- Implementation in HSF-Spin, an extension of Spin for directed model checking, with encouraging results

Model Checking System
(Figure: the system S is described by a model M in a modeling language; the property p is written as a formal property f in temporal logic; model checking decides whether M satisfies f.)
State space explosion - reduction techniques needed

Partial Order Reduction
(Figure: Proc A has states s0, s1, s2 with actions a1 and a2; Proc B has states r0, r1, r2 with actions b1 and b2. The full state space of Proc A || B has the nine product states s0r0 ... s2r2 and every interleaving of a1, a2 with b1, b2.)

Partial Order Reduction
The reduction function r assigns to a state the set of actions being considered (the reduced action set).
(Example figure: a state space over states s0 to s12 with actions a0, a1, b0, b1, c0, c1, in which r selects only some of the enabled actions in each state.)
Partial-order reduction exploits the independence of actions of concurrent processes.
(Independence figure: independent actions a and b commute, so executing a then b and b then a from the same state leads to the same state.)
Restrictions are needed to guarantee that the reduction preserves the properties of interest.

Partial-Order Reduction: restrictions on the reduced action set
C0: r(s) is empty iff no actions are enabled in s
C1 (persistency): (figure: a reduced action set drawn together with the enabled actions a, b, c, d, e outside it that are independent of it)
With C0 and C1: deadlock preservation
Assertion (local-property) preservation? (see the action ignoring problem below)

Action Ignoring in Partial Order Reduction
(Figure: Proc A with a1, a2 and an additional action a3 that loops back on one of A's states; Proc B with b1, b2 as before. Full state space of Proc A || B with its nine product states s0r0 ... s2r2.)

Action Ignoring in Partial Order Reduction
(Figure: Reduced Proc A || B. The reduction explores only s0r0 -a1-> s1r0 -a2-> s2r0; in s2r0 only a3 is selected, so b1, although enabled, is never executed and the rest of Proc B's behaviour is ignored.)

Action Ignoring Solution [Valmari 89]
Any action which is temporarily ignored in a given state s must eventually be executed in some state reachable from s.
(Figure: action a is enabled in s0, s1 and s2 along a path; if it is ignored in s0 and s1, it must be executed in a later state such as s2.)

Main Theorem
Each execution sequence σ from the original state space S that begins in a state s of the reduced state space S_r has a representative execution sequence σ_r in the reduced state space which contains a permutation of σ.
(Figure: σ = a1 a2 a3 a4 b1 b2 from s, and its representative π(a1) π(a2) π(a3) π(a4) π(b1) π(b2) in S_r.)

Local Properties / Assertions
(Figure: the states along the interleavings of actions a and b are labelled f or ¬f, the value of the local property (assertion) f in each state.)

Efficient Provisos
For efficiency reasons we need a locally checkable version of the condition that prevents action ignoring.

Stack Proviso C2s [Godefroid/Wolper 91, Godefroid 96, Holzmann/Godefroid/Pirottin 92]
For any s in S_r, there exists at least one action a in r(s) and state s' such that s -a→ s' and s' is not on the DFS stack, i.e., s' is not in stack(s). Otherwise, r(s) = enabled_T(s).
(Figure: s -a→ s' with a in r(s) and s' not on the DFS stack.)

Partial Order Reduction with Stack Proviso
(Figure: Proc A with a1, a2, a3 and Proc B with b1, b2 as before; the reduced state space of Proc A || B obtained with the stack proviso contains all nine product states s0r0 ... s2r2, with only a subset of the transitions of the full state space.)

Queue Proviso C2q [Bošnački/Holzmann 05, Alur/Brayton/Henzinger/Qadeer/Rajamani 97]
For any s in S_r, there exists at least one action a in r(s) and state s' such that s -a→ s' and s' is in the BFS queue, i.e., s' is in queue(s). Otherwise, r(s) = enabled_T(s).
(Figure: s -a→ s' with a in r(s) and s' in the queue.)

General State Exploring/Expanding Algorithm

procedure GSEA(s)
  Closed = ∅; Open = {s};
  while not Open.empty() do
    u ← Open.extract(); Closed.insert(u);
    if goal(u) then return solution;
    for each a in enabled_T(u) do        -- with partial-order reduction: for each a in r(u)
      v ← τ(u,a); process(v);
      if reopenOK(v) then Closed.delete(v);
      if v not in Closed and v not in Open then Open.insert(v);
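As an added example (not code from the slides or from HSF-Spin), the breadth-first instance of GSEA in Python on a constructed version of the Proc A || B example: Proc A runs a1, a2 and then a self-loop a3, Proc B runs b1, b2, and the reduction function r prefers Proc A's actions, which are independent of Proc B's. Without a proviso the search ignores b1 and b2 forever (action ignoring); with the queue proviso C2q, checked here as "some reduced successor is not in Closed" (i.e. it is in, or about to enter, the BFS queue), the search falls back to enabled_T(u) where needed and reaches Proc B's states.

```python
from collections import deque

# Constructed example (not from the slides): two independent processes.
# Proc A: s0 -a1-> s1 -a2-> s2 -a3-> s2 (a3 is a self-loop on s2)
# Proc B: r0 -b1-> r1 -b2-> r2
PROC_A = {"s0": {"a1": "s1"}, "s1": {"a2": "s2"}, "s2": {"a3": "s2"}}
PROC_B = {"r0": {"b1": "r1"}, "r1": {"b2": "r2"}, "r2": {}}
START = ("s0", "r0")


def enabled(state):
    """enabled_T(state): action -> successor for a global state (sa, sb) of A || B."""
    sa, sb = state
    succ = {a: (ta, sb) for a, ta in PROC_A[sa].items()}
    succ.update({b: (sa, tb) for b, tb in PROC_B[sb].items()})
    return succ


def reduced(state):
    """Reduction function r: keep only Proc A's actions when any is enabled.
    A's actions are independent of B's, so this set is persistent (C0, C1 hold)."""
    succ = enabled(state)
    a_only = {a: v for a, v in succ.items() if a in PROC_A[state[0]]}
    return a_only or succ


def gsea(start=START, r=reduced, proviso=True):
    """Breadth-first instance of GSEA; returns the set of explored (closed) states."""
    open_q, in_open, closed = deque([start]), {start}, set()
    while open_q:
        u = open_q.popleft()
        in_open.discard(u)
        closed.add(u)
        succ = r(u)
        # Proviso C2q: some action in r(u) must lead to a state outside Closed,
        # i.e. one that is in (or about to enter) the BFS queue; otherwise expand fully.
        if proviso and all(v in closed for v in succ.values()):
            succ = enabled(u)
        for v in succ.values():
            if v not in closed and v not in in_open:
                open_q.append(v)
                in_open.add(v)
    return closed


if __name__ == "__main__":
    print("full state space:", len(gsea(r=enabled)))          # 9 states
    print("reduced, no proviso:", len(gsea(proviso=False)))   # 3 states, b1/b2 ignored
    print("reduced, queue proviso:", len(gsea()))             # 5 states, reaches s2r2
```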

A* Search Algorithm

procedure A*(s)
  Closed = ∅; Open = {s}; s.g ← 0; s.f ← h(s); Open.insert(s);
  while not Open.empty() do
    u ← Open.extractmin(); Closed.insert(u);
    if goal(u) then return solution;
    for each a in enabled_T(u) do        -- with partial-order reduction: for each a in r(u)
      v ← τ(u,a); v.g ← u.g + cost(a); f’ ← v.g + h(v);
      if v in Open then if (f’
