1 / 147

CAV‘ 2002 conference, and “Formal Methods in System Design” 2005 journal

“Combining symmetry reduction and under-approximation for symbolic model checking” by Sharon Barner and Orna Grumber. CAV‘ 2002 conference, and “Formal Methods in System Design” 2005 journal Presented by: Guy Hefetz 03/04/2012. Motivation.

hosea
Download Presentation

CAV‘ 2002 conference, and “Formal Methods in System Design” 2005 journal

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “Combining symmetry reduction and under-approximation for symbolic model checking”by Sharon Barner and OrnaGrumber CAV‘ 2002 conference, and “Formal Methods in System Design” 2005 journal Presented by: Guy Hefetz 03/04/2012

  2. Motivation • Previous algorithms that use symmetry have some disadvantages: • The user has to supply the invariance group for each formula. • Once the Invariance group is known, calculating the orbit relation (ξ) is expensive both in time and in space. • The paper suggests methods and algorithms that avoid these disadvantages.

  3. Outline • Building the Invariance Group • On-the-fly algorithm using under-approximation. • On-the-fly algorithm using “hints” • Extensions for Liveness formulas • Alternative method to avoid orbit relation calculation • Experimental Results

  4. Symmetry (Automorphism) • Let M = (S, R, L,S0) be a Kripke structure. • A permutation σ is an automorphismof Miffσ preserves the transition relation R, and the set of initial states S0 . • Formally, σshould satisfy the following: σ: s0 s1 s0 s2 s0 s1 s2 s3 s1 s2 s3 s0 s2 s3 s1 s3 • Symmetry Group

  5. Invariance group • A symmetry groupG of a Kripke structure M = (S, R, L) is an invariance group with respect to a set of boolean formulas BS iff (σ∈G) (s∈S) (β∈BS) (s β ⇔ σ(s) β ) G= <σ > is a symmetry group of M. s0 s1 s0 s2 For: G= <σ > is an IG w.r.t BS 1={p} but is not an IG w.r.t BS 2={q} s2 s3 s1 s3

  6. Previous algorithms • The user had to supply the invariance group. • In many cases 2 formulas evaluated on the same model require different invariance groups. For example: • AGAF ( p1_in_critical) • AG (  (p1_in_critical p2_in_critical) )

  7. Building the Invariance Group • The user has to supply only a symmetry group. • The algorithm automatically generates the Invariance Group for each input formula. • Providing a symmetry group often requires only a high-level understanding of the system.

  8. Lemma • Given: • σ1,σ2,…,σk– generators of a symmetry group G of M. • A formula φ . • Let MAX be the set of maximal boolean subformulas of φ. • If IG={σi | βMAX,σi(β) = β } is not empty, then <IG> is an Invariance Group of M w.r.tMAX. Set of all states that satisfy β {σi(s) | sβ}

  9. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  10. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  11. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  12. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > φ = AG(q) IG ={σi | βMAX, σi(β) = β } = {(1,4)(2,5)(3,6),(10,12)} <(1,4)(2,5)(3,6),(10,12)> is an Invariance group with respect to {q} 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  13. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > φ = AG(p) IG ={σi | βMAX, σi(β) = β } = {(10,11)} <(10,11)> is an Invariance group with respect to {p} 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  14. example Symmetry (Automorphism) Group: G= < (1,4)(2,5)(3,6),(10,11),(10,12) > φ = AG(pq) IG ={σi | βMAX, σi(β) = β } = {(1,4)(2,5)(3,6),(10,11)} <(1,4)(2,5)(3,6),(10,11)> is an Invariance group with respect to {pq} 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: p 6: p 9: q 10: p 11: p,q 12:

  15. Proof • <IG> is a permutation group: • e  <IG> : • IG is not empty → σ  IG . • σ can be written as a composition of disjoint cycles σ = c1c2…cm of length l1,l2,…,lm respectively. • e= , which means e  <IG> . • For all σ  <IG> , σ-1 <IG> : • For all σ’ IG , , which means σ’-1  <IG> . • For all σ  <IG> , where . Since and according to the previous bullet, we get that σ-1 <IG> .

  16. Proof • <IG> is a permutation group: • For all σ1,σ2 <IG> , σ1σ2 <IG> : • where all are in IG. • Since we get σ1σ2 <IG> . • <IG> is a symmetry group: • IG is a subset of the generators of a symmetry group.

  17. Proof • <IG> is an Invariance group with respect to MAX: • For all σ  <IG> , where . For every β in MAX and every j, . Thus (σ∈ <IG>)(s∈S)(β∈MAX) (s β ⇔ σ(s) β )

  18. Largest invariance group • The largest invariance group Ginv with respect to a symmetry group G, is an Invariance group such that for each Invariance Group G’G, |G’||Ginv| .

  19. Largest invariance group • <IG> may not be the largest Invariance Group: • G={e,(p1 ,p2),(p2 ,p3),(p1 ,p3),(p1 ,p2 ,p3),(p1 ,p3 ,p2)} = <e,(p1 ,p2),(p2 ,p3)> • φ = AG (  (p1 _in_critical p3 _in_critical) ) • We get IG={e} which leads to <IG>={e} . • While the largest Invariance Group w.r.t G is {(p1 ,p3),e} .

  20. Implementation with BDDs • The construction of IG can be implemented with BDDs: • A permutation σ can be represented as the BDD: but sometimes it can be represented using index permutation: • A boolean formula β represented by , and • We check that σ(β) = β using the  operator.

  21. Outline • Building the Invariance Group • On-the-fly algorithm using under-approximation. • On-the-fly algorithm using “hints” • Extensions for Liveness formulas • Alternative method to avoid orbit relation calculation • Experimental Results

  22. Quotient Model • M = (S, R, L) is a Kripke structure. • G is an invariance group w.r.t BS. • The quotient structure MG = (SG, RG, LG): • SG = {θ(s) | s∈S} the set of orbits of the states in S (groups of states) • RG = { (θ(s1), θ(s2)) | (s1, s2) ∈R } • LG( θ(s) ) = L( rep(θ(s)) ) Taken from lecture #2 by Anastasia Braginsky

  23. Quotient Model • M = (S, R, L) is a Kripke structure. • G is an invariance group w.r.t BS. • The quotient structure MG = (SG, RG, LG): • SG = {[s] | s∈S} • RG = { ([s1], [s2]) | (s1, s2) ∈R } • LG( [s] ) = L(s)  BS

  24. Quotient Structure for multiple representatives • M = (S, R, L) is a Kripke structure. • G is an invariance group w.r.t BS. • Rep  S – a group of representatives. • ξ  RepS is a representative relation: • For all s,s’ : (s,s’)  ξ  s  Rep  [s] = [s’] • The quotient structure for multiple representativesMm = (Sm, Rm, Lm) : • Sm = Rep • Rm = ξ-1Rξ • Lm( [s] ) = L(s)  BS

  25. Example – quotient structures Q || P1||…||Pi t , n, … , n Q || P1||…||Pi c , n, … , n [t , n, … , n] [c , n, … , n] Q || P1||…||Pi n , t, … , n Q || P1||…||Pi n , c, … , n t, n, n, n,… ,n c , n, … , n … n, n, t, n,… ,n (One possible option)

  26. Quotient Models • We’ve proved that MG ≡bisM . • Similar proof can be applied in order to show that for every kripke structure M, every Invariance Group G and every set Rep  S which contains at least one representative from each orbit , MG ≡bisMm . • Prove that B= {(s,[s])| sRep} is a bisimulation relation. • In this case, for every formula , M    Mm  

  27. Quotient Models • For every kripke structure M, every Invariance Group G and every set Rep  S which may contain zero representatives for some of the orbits , Mm M . • Prove that B= {(s,s)| sRep} is a simulation relation. • This case can be used for falsification. • The algorithm uses Mm instead of MG. If bisimulation was achieved, the algorithm can verify and falsify. If only simulation was achieved, The algorithm can only falsify.

  28. The algorithm Symmetry_MC

  29. The algorithm Symmetry_MC

  30. The algorithm Symmetry_MC Group of representatives of the reachable states

  31. The algorithm Symmetry_MC

  32. The algorithm Symmetry_MC

  33. The algorithm Symmetry_MC Calculates the states belonging to the orbits of states in reach_rep

  34. Calculating the states belonging to the orbits of states in reach_rep

  35. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  36. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  37. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  38. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  39. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  40. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  41. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  42. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  43. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  44. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  45. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  46. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  47. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  48. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  49. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

  50. example IG = {(1,4)(2,5)(3,6),(10,11)} φ = AG(pq) 8: p,q M:: 1: p,q Step:: 4: q 7: p 2: q 5: q 3: q 6: p 9: q 10: p 11: p,q 12:

More Related