Docstoc

EMSOFT03

Document Sample
EMSOFT03 Powered By Docstoc
					 Space Reductions for
 Quasi-cyclic Systems
Matthew Dwyer                     Robby      Xianghua Deng                 John Hatcliff

             SAnToS Laboratory, Kansas State University, USA
                     http://bogor.projects.cis.ksu.edu
                    http://cadena.projects.cis.ksu.edu
Support
 US Army Research Office (ARO)               Rockwell-Collins ATC
 US National Science Foundation (NSF)        Boeing
 US Department of Defense                    Honeywell Technology Center and NASA Langley
 Advanced Research Projects Agency (DARPA)   Lockheed Martin
                                             Sun Microsystems
                                             Intel
Bogor
Bogor – Software Model Checking Framework
Bogor – Direct support for OO software
                                   Extensive support for
                                   checking concurrent OO
                                   software


Direct support for…                Software targeted algorithms…
    dynamic creation of threads       thread & heap symmetry
     and objects                       compact state representation
    automatic memory                  partial order reduction
     management                         techniques driven by object
    dynamic dispatch of methods        escape analysis and locking
    exceptions                         information
    etc.
 Bogor – Eclipse-based Tool Components

Next generation of
Bandera Java Model-                               Cadena
checking Tool Set                                 CORBA Component Model
                                                  verification




SpEx
JML Verification, etc.                   Tool Development
                                               Framework


  Architecture allows encapsulation/integration with other verification
  tools using IBM’s Eclipse Integrated Development Environment
Bogor – Domain Specific Model-Checking
Modeling language and Algorithms
easily customized to different domains
                                          Domain X




           Domain Y                             Domain Z



 Extensible modeling language and plug-in architecture allows Bogor to
 be customized to a variety of application domains
Variety of Application Domains



Hardware    Device Drivers   Avionics




Telephony   Automotive             GUI
Leveraging Domain Knowledge
                       Holzmann developed a
                        customized model
                        extraction from C to Spin
                       Translation using pattern
                        matching of particular
                        domain idioms
                       In essence, an abstract
                        machine for a particular
                        domain
                       Very effective at finding
 Lucent Path Star       subtle defects
 Telephone Switch
 Variety of System Descriptions
Design Notations                  State Machines




                    Model
                    Checker



                    Different
                    levels of
Byte code          abstraction!     Source code
The Goal
   Avionics                                   State Machines




              Model-checking     Domain & Abstraction
                 Engine              Extensions



Abstract machine tailored to domain and level of abstraction
The Goal
  Device Drivers                                Source code




            Model-checking       Domain & Abstraction
                                  Domain & Abstraction
               Engine                Extensions
                                       Extensions


Abstract machine tailored to domain and level of abstraction
The Goal
  Automotive                               Design Notations




            Model-checking       Domain & Abstraction
                                  Domain & Abstraction
               Engine                Extensions
                                   Domain & Abstraction
                                       Extensions
                                        Extensions


Abstract machine tailored to domain and level of abstraction
               Avionics Mission Control Systems

                                        Mission-control software for Boeing
                                         military aircraft
                                        Boeing’s Bold Stroke Avionics
                                         Middleware
                                             …built on top of ACE/TAO RT CORBA


   Provided with an Open Experimental Platform (OEP)
    from Boeing
       a sanitized version of the real system
       100,000+ lines of C++ code (including RT CORBA middleware)
       50+ page document that outline development process and
        describe challenge problems
   One “Challenge Area”…
       reasoning about system control-flow and system/component
        mode transitions
            in essence, the sanitized version is ideal for model checking
Component-based Design

            Input                    Output
            event port               event port
Event
Ports
                           CCM
                         Component
Interface
Ports
            Require an               Provide an
            interface                interface     Component
                                                  Development

Cadena development environment allows model-based development of
   Bold Stroke applications using the CORBA Component Model (CCM)
Component-based Design




                                                  Component
                     …up to 1000+ components
                                                  Integration

Cadena development environment allows model-based development of
   Bold Stroke applications using the CORBA Component Model (CCM)
RT Middleware-based Implementation
                      Event channel




                                      CORBA
                                      Level

Real Time Event Channel
(from ACE/TAO RT CORBA)
 RT Middleware-based Implementation
                        Event channel
Abstractly…


              consume




              produce

                                        CORBA
                                        Level

  Real Time Event Channel
  (from ACE/TAO RT CORBA)
 RT Middleware-based Implementation
                                                   Threads run call-backs
                        Event channel              associated with event
In reality…                                        consumer ports
                            Thread Pool

 consume
                        60Hz 20Hz
                                     …
                                     5Hz 1Hz



                         …       …
                                     …    …
                                                    dispatch queues for
                                                      each rate group
                       correlation & filtering

   produce
                                 consumer refs
                                                                CORBA
                             …
                                                                Level

  Real Time Event Channel        proxy consumer holds list of
  (from ACE/TAO RT CORBA)           consumer references
Domain-Specific Modeling
Bogor -- Extensible Modeling Language

    Threads,               publish()          Event publish() {
    Objects,
    Methods,                                      Bogor API calls…
    Exceptions, etc.       subscribe()
                                              }




                                                  …
                           push()
                       +
                           connect()          Event connect() {
                                                  Bogor API calls…
                            …


                           disconnect()       }
    Core Modeling      New Bogor primitives   Java implementation of new
    Language           corresponding to       primitives inside model-
                       Event Channel API      checker
Bogor Modeling Extensions

                            Thread Pool



                          60Hz 20Hz
                                       …
                                       5Hz 1Hz



                           …       …
                                       …   …


                         correlation & filtering



                               …




Bogor extensions for representing event-channel queue data structures
Bogor Modeling Extensions

                           Thread Pool



                         60Hz 20Hz
                                      …
                                      5Hz 1Hz



                          …       …
                                      …   …


                        correlation & filtering



                              …




Bogor extensions for representing CCM component API
Bogor Algorithm Customization

      IActionTaker        IBacktrackIF        PartialStMgr
                                               IStateMgr




      IExpEvaluator       ITransformer        LTSearcher
                                               ISearcher




      IValueFactory      PrioritySchedS
                         ISchedulingStg       IStateFactory
                                                              Bogor
                                                              Modules
Bogor default modules are unplugged and replaced with state
representation, scheduling and search strategies customized to the Bold
Stroke domain
Bogor Customized To Cadena
Bogor -- Extensible Modeling Language
                                  Sets
     Threads,                                            RT CORBA
     Objects,
     Methods,
     Exceptions, etc.
                           +       Queues
                                  Tables
                                               +        Event Service
                                                       API Abstraction

  Core Modeling Language          Extensions      Domain-specific Abstractions


Bogor -- Customizable Checking Engine Modules
                   Scheduling              …existing     Event Service
                    Strategy               modules…       Scheduling

  State-space        State                 Lazy Time      Partial State
  Exploration    Representation             Search       Representation

    Core Checker Modules                   Customized Checker Modules
Assessments of Previous Work
Cadena                   dSPIN (ICSE’02) Bogor (FMCO’02)
Boeing ModalSP           1.4 M states        9.1 K states
    3 rate groups
                         58 sec              8.59 sec


   8 components
    125 events per hp    130 MB              1.61 MB



                              X


Boeing MediumSP                              740 K states
    2 rate groups
                                             3 min


   50 components
   820 events per hp                        21.5 MB

     want to check larger model
          does not seem to scale well regardless aggressive
           reductions
Possible Solutions
Stateless search (Godefroid ’97)
   pro: don’t store any states
   cons: time required is too great because of high degree
    of non-determinisms due to over-approximation

State caching (Godefroid ’93)
   keep an a priori bounded cache of states; discard to
    make room for others if the cache is full
   pro: minimum memory requirement is space needed to
    store states in longest DFS stack
   cons: selection of cache size
Key Observation


Leverage patterns of periodic computation
   use the structure of periodic systems to systematically
    drop states
  Leveraging Periodic Structure
 Periodic Tasks

10 Hz
5 Hz
1 Hz
          Hyper-period          Hyper-period          Hyper-period
           “Macro-state” S1                      S2                  S3
 Basic Idea
     break the search into several regions
     divide the problem into smaller problems
  Leveraging Periodic Structure
 Periodic Tasks

10 Hz
5 Hz
1 Hz
             Hyper-period              Hyper-period              Hyper-period
              “Macro-state” S1                              S2                      S3

 Macro-state Structure
     Same at each macro-state:
           dispatch queues empty, threads idle, correlators are at initial state

     Different: component/system mode values are different
 Quasi-Cyclic Structure
Trace Structure   Macro-states

                           S1    These successive
                                 macro-states maybe
                   equal         different (acyclic)…

                           S2
                                 …but a portion of each
                   equal         of the states is
                                 repeating…

                           S3
                   equal         …and so we say that the
                                 state-space is quasi-
                                 cyclic.
                           S4
 Quasi-Cyclic Structure
                   Φ-states
Trace Structure   Macro-states                Generalizing

                           Φ-S
                             conforming
                               1             Many applications
                   equal                      with control-loops
                                              have this property
                           Φ-conforming            GUIs, web-
                             S2                

                                                   servers,…
                   equal
                                             Use a predicate Φ
                           Φ-conforming
                                              to characterize the
                             S3               repeating portion
                   equal


                           Φ-conforming
                             S4
 Φ-Bounded Search
Trace Structure                           Global State Store
           Φ0
                                            Φ0
                  Place initial Φ-state
                  in global store, and
                  begin state
                  exploration.

                                          Region State Store
 Φ-Bounded Search
Trace Structure                       Global State Store
            Φ0
                                        Φ0
            Φ1




                                      Region State Store
       Place states in region state
       store until Φ-state is
       encountered.
 Φ-Bounded Search
Trace Structure                        Global State Store
           Φ0
                                         Φ0 , Φ1
           Φ1

                  Place Φ-state into
                  global store
                                       Region State Store
 Φ-Bounded Search
Trace Structure                Global State Store
           Φ0
                                 Φ0 , Φ1
           Φ1




                               Region State Store

                Flush region
                state store
 Φ-Bounded Search
Trace Structure                         Global State Store
           Φ0
                                          Φ0 , Φ1
           Φ1


   Φ2      Φ3
                                        Region State Store


         Place states in region state
         store until Φ-state is
         encountered.
 Φ-Bounded Search
Trace Structure                      Global State Store
           Φ0
                                       Φ0 , Φ1 , Φ2 , Φ3
           Φ1


   Φ2      Φ3
                                     Region State Store
                Non-determinism in
                region generated
                two Φ-states. Put
                these into global
                state store.
 Φ-Bounded Search
Trace Structure                Global State Store
           Φ0
                                 Φ0 , Φ1 , Φ2 , Φ3
           Φ1


   Φ2      Φ3
                               Region State Store

                Flush region
                state store
 Φ-Bounded Search
Trace Structure                           Global State Store
           Φ0
                                            Φ0 , Φ1 , Φ2 , Φ3
           Φ1


     Φ2    Φ3
                                          Region State Store
Φ4              Φ5


                     Explore these
                     regions until Φ
                     states encountered
 Φ-Bounded Search
Trace Structure      Global State Store
           Φ0
                       Φ0 , Φ1 , Φ2 , Φ3
           Φ1          Φ4 ,
                          Φ5
     Φ2    Φ3
                     Region State Store
Φ4              Φ5
Classical DFS vs. Quasi-cyclic DFS
A Quasi-cyclic System: Example
l1: y = 0; goto l2;                                       (l1,0,0)
l2: x = 0; goto l3;
l3: true -> x = 2; goto l4;                               (l2,0,0)
     true -> x = 3; goto l4;
l4: y = y + x; goto l5;                                   (l3,0,0)
l5: y > 5 -> skip; goto end;
                                           (l4,2,0)                      (l4,3,0)
     y <= 5 -> skip; goto l2;
end:                                       (l5,2,2)                      (l5,3,3)
                                           (l2,2,2)                      (l2,3,3)
                                           (l3,0,2)                      (l3,0,3)

                                   (l4,2,2)       (l4,3,2)           (l4,2,3)   (l4,3,3)
                                   (l5,2,4)       (l5,3,5)           (l5,2,5)   (l5,3,6)
                                   (l2,2,4)       (l2,3,5)           (l2,2,5)   (end,3,6)
                                   (l3,0,4)
                                                              (l3,0,5)


                                (l4,2,4)      (l4,3,4)       (l4,2,5)     (l4,3,5)
                                (l5,2,6)      (l5,3,7)       (l5,2,7)     (l5,3,8)
                            (end,2,6)         (end,3,7)      (end,2,7)    (end,3,8)
A Quasi-cyclic System: Example
l1: y = 0; goto l2;                                       (l1,0,0)
l2: x = 0; goto l3;
l3: true -> x = 2; goto l4;                               (l2,0,0)
     true -> x = 3; goto l4;
l4: y = y + x; goto l5;                                   (l3,0,0)
l5: y > 5 -> skip; goto end;
                                           (l4,2,0)                      (l4,3,0)
     y <= 5 -> skip; goto l2;
end:                                       (l5,2,2)                      (l5,3,3)
                                           (l2,2,2)                      (l2,3,3)
                                           (l3,0,2)                      (l3,0,3)

                                   (l4,2,2)       (l4,3,2)           (l4,2,3)   (l4,3,3)
                                   (l5,2,4)       (l5,3,5)           (l5,2,5)   (l5,3,6)
                                   (l2,2,4)       (l2,3,5)           (l2,2,5)   (end,3,6)
                                   (l3,0,4)
                                                              (l3,0,5)


                                (l4,2,4)      (l4,3,4)       (l4,2,5)     (l4,3,5)
                                (l5,2,6)      (l5,3,7)       (l5,2,7)     (l5,3,8)
                            (end,2,6)         (end,3,7)      (end,2,7)    (end,3,8)
Quasi-cyclic Search: Example
      (l1,0,0)   Φ: pc = l3 Æ x = 0


                 Global States = {}

                 Queues = {}

                   l1: y = 0; goto l2;
                   l2: x = 0; goto l3;
                   l3: true -> x = 2; goto l4;
                        true -> x = 3; goto l4;
                   l4: y = y + x; goto l5;
                   l5: y > 5 -> skip; goto end;
                        y <= 5 -> skip; goto l2;
                   end:
Quasi-cyclic Search: Example
      (l1,0,0)   Φ: pc = l3 Æ x = 0
      (l2,0,0)

      (l3,0,0)
                 Global States = {}

                 Queues = {0}

                   l1: y = 0; goto l2;
                   l2: x = 0; goto l3;
                   l3: true -> x = 2; goto l4;
                        true -> x = 3; goto l4;
                   l4: y = y + x; goto l5;
                   l5: y > 5 -> skip; goto end;
                        y <= 5 -> skip; goto l2;
                   end:
Quasi-cyclic Search: Example
             (l1,0,0)              Φ: pc = l3 Æ x = 0
             (l2,0,0)

             (l3,0,0)
  (l4,2,0)              (l4,3,0)   Global States = {0}
  (l5,2,2)              (l5,3,3)
  (l2,2,2)              (l2,3,3)            {}
                                   Queues = {2,3}
                                            {2}
  (l3,0,2)              (l3,0,3)


                                     l1: y = 0; goto l2;
                                     l2: x = 0; goto l3;
                                     l3: true -> x = 2; goto l4;
                                          true -> x = 3; goto l4;
                                     l4: y = y + x; goto l5;
                                     l5: y > 5 -> skip; goto end;
                                          y <= 5 -> skip; goto l2;
                                     end:
Quasi-cyclic Search: Example
                (l1,0,0)               Φ: pc = l3 Æ x = 0
                (l2,0,0)

                (l3,0,0)
     (l4,2,0)               (l4,3,0)   Global States = {0,2}
     (l5,2,2)               (l5,3,3)
     (l2,2,2)               (l2,3,3)            {3,4,5}
                                       Queues = {3,4}
                                                {3}
     (l3,0,2)               (l3,0,3)

(l4,2,2)   (l4,3,2)                      l1: y = 0; goto l2;
(l5,2,4)                                 l2: x = 0; goto l3;
           (l5,3,5)
                                         l3: true -> x = 2; goto l4;
(l2,2,4)   (l2,3,5)                           true -> x = 3; goto l4;
(l3,0,4)                                 l4: y = y + x; goto l5;
                      (l3,0,5)           l5: y > 5 -> skip; goto end;
                                              y <= 5 -> skip; goto l2;
                                         end:
Quasi-cyclic Search: Example
                (l1,0,0)                        Φ: pc = l3 Æ x = 0
                (l2,0,0)

                (l3,0,0)
     (l4,2,0)                (l4,3,0)           Global States = {0,2,3}
     (l5,2,2)                (l5,3,3)
     (l2,2,2)                (l2,3,3)           Queues = {4,5}
     (l3,0,2)                (l3,0,3)

(l4,2,2)   (l4,3,2)        (l4,2,3) (l4,3,3)      l1: y = 0; goto l2;
(l5,2,4)                                          l2: x = 0; goto l3;
           (l5,3,5)        (l5,2,5) (l5,3,6)
                                                  l3: true -> x = 2; goto l4;
(l2,2,4)   (l2,3,5)        (l2,2,5) (end,3,6)          true -> x = 3; goto l4;
(l3,0,4)                                          l4: y = y + x; goto l5;
                      (l3,0,5)                    l5: y > 5 -> skip; goto end;
                                                       y <= 5 -> skip; goto l2;
                                                  end:
 Quasi-cyclic Search: Example
                   (l1,0,0)                        Φ: pc = l3 Æ x = 0
                   (l2,0,0)

                   (l3,0,0)
        (l4,2,0)                (l4,3,0)           Global States = {0,2,3,4}
        (l5,2,2)                (l5,3,3)
        (l2,2,2)                (l2,3,3)           Queues = {5}
        (l3,0,2)                (l3,0,3)

  (l4,2,2)    (l4,3,2)        (l4,2,3) (l4,3,3)      l1: y = 0; goto l2;
  (l5,2,4)                                           l2: x = 0; goto l3;
              (l5,3,5)        (l5,2,5) (l5,3,6)
                                                     l3: true -> x = 2; goto l4;
  (l2,2,4)    (l2,3,5)        (l2,2,5) (end,3,6)          true -> x = 3; goto l4;
  (l3,0,4)                                           l4: y = y + x; goto l5;
                         (l3,0,5)                    l5: y > 5 -> skip; goto end;
                                                          y <= 5 -> skip; goto l2;
                                                     end:
(l4,2,4)   (l4,3,4)
(l5,2,6)   (l5,3,7)
(end,2,6) (end,3,7)
 Quasi-cyclic Search: Example
                   (l1,0,0)                        Φ: pc = l3 Æ x = 0
                   (l2,0,0)

                   (l3,0,0)
        (l4,2,0)                (l4,3,0)           Global States = {0,2,3,4,5}
        (l5,2,2)                (l5,3,3)
        (l2,2,2)                (l2,3,3)           Queues = {}
        (l3,0,2)                (l3,0,3)

  (l4,2,2)    (l4,3,2)        (l4,2,3) (l4,3,3)      l1: y = 0; goto l2;
  (l5,2,4)                                           l2: x = 0; goto l3;
              (l5,3,5)        (l5,2,5) (l5,3,6)
                                                     l3: true -> x = 2; goto l4;
  (l2,2,4)    (l2,3,5)        (l2,2,5) (end,3,6)          true -> x = 3; goto l4;
  (l3,0,4)                                           l4: y = y + x; goto l5;
                         (l3,0,5)                    l5: y > 5 -> skip; goto end;
                                                          y <= 5 -> skip; goto l2;
                                                     end:
(l4,2,4)   (l4,3,4)   (l4,2,5) (l4,3,5)
(l5,2,6)   (l5,3,7)   (l5,2,7) (l5,3,8)
(end,2,6) (end,3,7) (end,2,7) (end,3,8)
 Quasi-cyclic Search: Example
                   (l1,0,0)                        Φ: pc = l3 Æ x = 0
                   (l2,0,0)

                   (l3,0,0)
        (l4,2,0)                (l4,3,0)           Global States = {0,2,3,4,5}
        (l5,2,2)                (l5,3,3)
        (l2,2,2)                (l2,3,3)           Queues = {}
        (l3,0,2)                (l3,0,3)

  (l4,2,2)    (l4,3,2)        (l4,2,3) (l4,3,3)      l1: y = 0; goto l2;
  (l5,2,4)                                           l2: x = 0; goto l3;
              (l5,3,5)        (l5,2,5) (l5,3,6)
                                                     l3: true -> x = 2; goto l4;
  (l2,2,4)    (l2,3,5)        (l2,2,5) (end,3,6)          true -> x = 3; goto l4;
  (l3,0,4)                                           l4: y = y + x; goto l5;
                         (l3,0,5)                    l5: y > 5 -> skip; goto end;
                                                          y <= 5 -> skip; goto l2;
                                                     end:
(l4,2,4)   (l4,3,4)   (l4,2,5) (l4,3,5)
(l5,2,6)   (l5,3,7)   (l5,2,7) (l5,3,8)
(end,2,6) (end,3,7) (end,2,7) (end,3,8)
 Quasi-cyclic Search: Example
                   (l1,0,0)                                       (l1,0,0)

                   (l2,0,0)
                                                                    3
                                                               (l3,0,0)
                   (l3,0,0)
        (l4,2,0)                (l4,3,0)
                                                               (l3,0,0)
        (l5,2,2)                (l5,3,3)
        (l2,2,2)                (l2,3,3)                             9
        (l3,0,2)                (l3,0,3)               (l3,0,2)           (l3,0,3)

  (l4,2,2)    (l4,3,2)                                 (l3,0,2)              (l3,0,3)
                              (l4,2,3) (l4,3,3)
  (l5,2,4)
                                                          8                     8
              (l5,3,5)        (l5,2,5) (l5,3,6)
  (l2,2,4)    (l2,3,5)        (l2,2,5) (end,3,6)
  (l3,0,4)                                         (l3,0,4)(l3,0,5)          (l3,0,5)
                         (l3,0,5)
                                                       (l3,0,4)              (l3,0,5)
(l4,2,4)   (l4,3,4)   (l4,2,5) (l4,3,5)
(l5,2,6)   (l5,3,7)   (l5,2,7) (l5,3,8)
(end,2,6) (end,3,7) (end,2,7) (end,3,8)
                                                          7                     7
Quasi-cyclic Search: Example
   Search each region
    independently                            3
       max of 9 versus 37 states in
        classical DFS
       note that the sum here is >37        9
            same states may appear in
             multiple regions
   Regions can be searched in
    parallel                             8       8
   Works well when
       reasonable fraction of state
        variables are cyclic
        low-degree of overlapping
                                         7       7
    

        between regions
Bogor Algorithm Customization

      IActionTaker        IBacktrackIF        PartialStMgr
                                               IStateMgr




      IExpEvaluator       ITransformer        QCSearcher
                                              LTSearcher
                                               ISearcher




      IValueFactory      PrioritySchedS
                         ISchedulingStg       IStateFactory
                                                              Bogor
                                                              Modules
Bogor default modules are unplugged and replaced with state
representation, scheduling and search strategies customized to the Bold
Stroke domain
       Scaling Boeing ModalSP
           6000000




           5000000




           4000000




                                                                                     Classic v<=3
           3000000
                                                                                     Cyclic v<=3
# states




           2000000




           1000000




                0
                           1         2         3         4        5       6




               both searches have exponential time growth
                        quasi-cyclic search takes more time (overlapping regions)
               parallel quasi-cyclic takes 25% less time than classical DFS
                        actively pursuing distributed solution
Related Work
   State caching (e.g., Godefroid ’93)
       remove some states if the cache is full
       pro: minimum memory requirement is space needed to
        store states in longest the DFS stack
       cons:
            selection of cache size
            cannot easily be parallelizable
   Stateless search (e.g., Godefroid ’97)
       do not store states
       pro: scales better
       cons: does not work well for system with a high degree
        of non-determinism (e.g., Cadena systems)
Conclusion and Future Work
   Conclusion
       leveraging domain knowledge for scalability
            divide-and-conquer algorithm for periodical system
            made easier because of the customizability of Bogor
   Future Work
       distributed solution
            larger systems (500< components)
       global properties, i.e., inter-region properties
       heuristic algorithms to find quasi-cyclic
        predicates
For More Information…
            SAnToS Laboratory,
            Kansas State University
            http://www.cis.ksu.edu/santos


            Bogor Project
            http://bogor.projects.cis.ksu.edu


            Cadena Project
            http://cadena.projects.cis.ksu.edu


            Bandera Project
            http://bandera.projects.cis.ksu.edu

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:1
posted:1/2/2012
language:
pages:57