24 citations found.
P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, volume 1032 of LNCS. Springer-Verlag, 1996.


This paper is cited in the following contexts:
A Generalised Sweep-Line Method for Safety Properties - Kristensen, Mailund (2002)   (3 citations)

....The generalised sweep line method has been implemented in Design CPN, and experiments have been conducted with promising results. That a state may be explored several times makes the generalised sweep line method closely related to the state space caching method [12]. The experimental results in [8] showed that to be feasible for large systems, state space caching needs to be combined with partial order methods [27] to reduce the number of re-explorations. The problem is that the re-exploration of states caused by the limited size of the state cache induces an explosion in runtime. Judging ....

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, An Approach to the State-Explosion Problem, volume 1032 of LNCS. Springer-Verlag, 1996.


Distributed Versions of Linear Time Temporal Logic: A.. - Thiagarajan, Henriksen (1998)   (6 citations)

....of computations will have the desired property or none will do ("leads to deadlock" is one such property). For verifying such properties one has to check the property for just one member of each equivalence class. This is the insight underlying many of the partial order based verification methods [17, 35, 50]. As may be guessed, the importance of these methods lies in the fact that via these methods the computational resources required for the verification task can often be dramatically reduced. It is often the case that the equivalence classes of computations generated by a distributed system ....

....be such that L L P r and for every 2 L P r , L 6= The key point is, the finite representation of L can be often substantially smaller than the representation of P r. This is the insight underlying many of the so-called partial order methods deployed in the model checking world [17, 35, 50]. As pointed out in the introduction this is also the main motivation for considering the trace based linear time temporal logics that we will encounter later. We shall conclude this section with some examples. Recall the material on elementary net systems introduced in Section 2. Suppose N = ....

Godefroid, P.: Partial-order methods for the verification of concurrent systems. Lecture Notes in Computer Science 1032, Springer-Verlag (1996)


An Expressive Extension of TLC - Henriksen (1999)

....time temporal logics, it turns out that either all members of an equivalence class satisfy a certain property or none do. For such properties the computational resources needed for the verification task can be substantially reduced by means of the so-called partial order methods for verification [8, 12, 18]. Such equivalence classes can be canonically represented by restricted labelled partial orders known as Mazurkiewicz traces [5, 10]. These objects apart from alleviating the state explosion problems of verification also allow direct formulations of properties expressing concurrency and ....

Godefroid, P.: Partial-order methods for the verification of concurrent systems. Lecture Notes in Computer Science 1032, Springer-Verlag (1996)


Efficient Model Checking of Properties of a.. - Mazzocca..

....restrictions (for example avoiding some operators of the logic CTL) or requiring transition systems of a particular kind (for example, obtained as the composition of smaller ones). Moreover, in both cases, the algorithms used to obtain the reduced transition systems are not trivial. The works [22, 30, 33] are based on the partial order approach to model checking and use the concept of representative for all possible interleavings of some actions: a property is proved only on the representative. Such approach is profitable for properties such as deadlock freedom, while our approach is more suitable ....

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems. LNCS 1032, 1996.


Efficient Verification of a Multicast Protocol for.. - Anastasi, Bartoli, ..

....only if the properties are expressed by formulae obeying some restrictions (for example avoiding some operators of the logic CTL) or requiring transition systems of a particular kind. Moreover, in both cases, the algorithms used to obtain the reduced transition systems are not trivial. The works [21, 26, 29] follow the partial order approach to model checking, in which only a representative is considered among all interleavings of actions generated by a parallel composition. The properties well handled by these approaches do not concern precedence relations between actions, and can be profitably used ....

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems. Lecture Notes in Computer Science 1032, 1996.


Coloured Petri Nets - A Tool in Software Engineering - Mailund (2000)

....An advantage of the sweep line method compared to state space caching is that states are only generated and processed once. With the depth-first generation of the state space caching, the same state may be regenerated and processed several times leading to an increase in run time. As shown in [32] this run time penalty can be fought against by combining state space caching and partial order methods. The bit state hashing method always keeps the states of the depth-first search stack in memory, but reduces (in its simplest form) the information stored about a single state to a hash value ....

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, An Approach to the State-Explosion Problem, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


Symmetric Model Checking for Object-Based Programs - Iosif

....explicit state model checkers [20, 17]. The former class of tools relies on applying various static analyses such as slicing [27] and abstract interpretation [11] in order to curb the state space explosion. Specific to the latter category are on-the-fly optimizations such as partial order reductions [23] and symmetry reductions [2]. A central issue in state space reduction is the question of property preservation. Using temporal logic as specification language divides state space reduction techniques into: simulation (weakly) preserving and bisimulation (strongly) preserving transformations. ....

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, Lecture Notes in Computer Science, Vol. 1032 (1996)


Model-Checking Multi-Threaded Distributed Java Programs - Stoller (2000)   (48 citations)

....there is a priori no guarantee that the selective search will actually find a violation of MLD. Bruening does not address this issue. We show that this can happen with MLD but not with a slightly stricter variant MLD 0 . 2 System Model We adopt Godefroid's model of concurrent systems [God96] except that we call the concurrent entities threads rather than processes, disallow transitions that affect the control state of multiple threads, and divide objects into three categories. A concurrent system is a tuple h ; O; T ; s init ; O unsh ; O syn ; O mtx i, where is a finite set of ....

....it becomes shared, i.e. there exists a synchronization object o 1 2 O syn such that, for all i startShared( o) for all 2 , if access(s i ; o) then owns o 1 s lock in s i . We don't consider read-write locks, because Java does not provide built-in support for them. Godefroid [God96] defines: transition t uses object o iff t's guard or command contains an operation on o. Thus, the command of a disabled transition uses o. Such uses cannot be detected by run time monitoring, so we do not want the definition of MLD to depend on such uses. This motivates our definition of ....

[Article contains additional citation context not shown here]

Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


An Expressively Complete Linear Time Temporal Logic for.. - Spic (1997)   (28 citations)

....is met by at least one member of each equivalence class of runs. The resulting savings in the computational resources used during the verification of trace consistent requirements can be substantial. This is the insight that underlies many of the so-called partial order reduction techniques [11, 20, 31]. There is an alternative way to exploit the non sequential nature of the behaviour of distributed systems and the consequent partial order based reduction techniques. It consists of developing temporal logics that can be directly interpreted over the partial orders corresponding to equivalence ....

P. Godefroid. Partial-order methods for the verification of concurrent systems, volume 1032 of LNCS. Springer-Verlag, 1996.


Minimizing the Number of Successor States in the Stubborn Set.. - Varpaaniemi (2001)

....more constraints in the method than ensuring CSP equivalence. The method has been classified as one of the partial order methods [6] and has turned out [8, 12] successful also in the verification of branching time temporal properties which in turn are related to the CCS theory [4]. Persistent sets [1] and ample sets [5, 7] are strikingly similar to stubborn sets, at least if we consider the actual construction algorithms that have been suggested for stubborn, persistent and ample sets. It is a system independent and intuitively appealing heuristic to minimize the number of successor states of ....

....the transformation of the above mentioned decision and optimization problems into and or graph problems, we extend the concept of stubbornness by utilizing the fact that in a sense, Definition 4.1 treats the component LTSs as indivisible units. As can be seen e.g. from Algorithm 2 in Chapter 4 of [1], it is mostly a matter of taste how the domain of elements in stubborn sets is chosen. In our extension, the elements are blocks as defined below. Definition 4.2. The dependency graph at s is the undirected graph where the set of vertices is N n and there is an edge between i and k iff i ≠ k and ....

P. Godefroid, Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, LNCS 1032, Springer, 1996, 143 p.


Using the Model Checker SPIN to Detect Feature Interactions.. - Calder, Miller

....and COM are combined, a (small) hash table is still required for the compression of the individual states. It is therefore prudent to set the Estimated State Space Size parameter to a low value. Since we did not employ Supertrace, we omit its description here. Finally, the Weak Fairness option [19,35,1] ensures that any process that has a transition that remains enabled will eventually execute it. The algorithm is based on a variant of Choeka's flag algorithm [8] and involves the construction of an extended state space consisting of N copies of the original state space (where N is the number of ....

P. Godefroid. Partial Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


Using SPIN to Analyse the Tree Identification phase of the.. - Calder, Miller (2003)

....performing SPIN verification, POR is applied by default. Compression [Hol97b] is a method by which each individual state is encoded in a more efficient way. The total memory required for state storage is thus reduced. We apply compression for the verification of all of our properties. Weak Fairness [God96, Pel96a, Bos99] ensures that any process that has a transition that remains enabled will eventually execute it. The algorithm is based on a variant of Choeka's flag algorithm [Cho74] and involves the construction of an extended state space consisting of N copies of the original state space (where ....

P. Godefroid. Partial Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


Efficient State Space Search for Time Petri Nets - Lilius (1998)   (1 citation)

....all the possible states of the system. Such methods however suffer from the state space explosion problem, an instance of "combinatorial explosion". To alleviate this problem several techniques have been developed, among them reduction techniques that exploit the independence of events (cf. [8] for a good overview). The intuition behind these techniques is that if two events can be executed in any order such that we always end up in the same state then they are independent (cf. Fig. 1(a), aka the "diamond property"). If these independent events do not affect the property we are ....

....extract persistent sets from the branching prefix. In this way the persistent sets are calculated once at the beginning of the analysis. The last contribution is actually of independent interest: it establishes a connection between the partial order approaches based on explicit state representation [8] and partial order approaches based on the implicit branching prefix representation of states [7]. 2 Time Petri Nets Time Petri nets are a simple yet powerful formalism for modeling concurrent systems with time constraints. In time Petri nets, transitions are labeled with time intervals. There is ....

[Article contains additional citation context not shown here]

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, volume 1032 of LNCS. Springer-Verlag, 1996.


Anna-Maria - Application of New Net-Theoretic Analysis Methods.. - Laboratory (2001)

....reachability graphs (without losing important properties). In industrial projects where the reachability graph often is very large or infinite and even the unfolded net is huge, it is necessary to use on-the-fly methods on the folded (high level) system. There are partial order reduction methods [God94] which can reduce the size of the reachability graph considerably like the stubborn set method [Val88, Var98, Var99, Var00] which is implemented in PROD. Other important reduction methods are symmetries [Jun99] and abstraction. The Emma project, however, generated a whole set of new ideas about how ....

Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems - An Approach to the State-Explosion Problem. PhD thesis, University of Liege, November 1994.


Partial Order Reduction in Presence of Rendez-vous.. - Bosnacki (1999)   (3 citations)

.... do this (in the mutual exclusions) or eventually leaving the waiting queue for each process that has entered it (in the scheduling) [7] Partial order reduction is one of the main techniques that are used to alleviate the problem of state space explosion in the verification of concurrent systems [16, 8, 11, 14] and it is indeed one of Spin's main strengths. The idea is, instead of exploring all the execution sequences of a given program, to group them in equivalence classes which are interleaving of independent program statements. Then only representatives for each equivalence class are considered. In ....

....to be independent even if a can enable b (and vice versa). The main requirement is that the statements do not disable each other. This is unusual in a sense, because in the literature a more strict definition prevails that does not allow that a statement can enable another statement (e.g. [16, 8]). The advantage of the subtlety in Definition 1 is that ensures a greater set of independent statements than the classical definition and consequently a better reduction of the state space. However, we must be careful with this, because as we will see later this feature is closely connected with ....

Godefroid, P., Partial Order Methods for the Verification of Concurrent Systems: An Approach to the State Space Explosion, LNCS 1032, Springer, 1996


Model-Checking Multi-Threaded Distributed Java Programs - Stoller (2000)   (48 citations)

....not true for the Eraser locking discipline [15] whose treatment of initialization is slightly too liberal and therefore order-dependent. Our result is for a slightly stricter locking discipline, introduced in Section 8. Our proofs are based on partial order methods, specifically, on persistent sets [10]. Our framework handles distributed (i.e. multi-process) multi-threaded systems. It combines and extends ideas in VeriSoft [11] which targets distributed systems of single-threaded processes, and ExitBlock [3] which handles single-process multi-threaded systems in which all shared variables ....

....in which all shared variables are known to be protected by locks. Section 9 describes a prototype model checker for single-process multi-threaded Java programs that uses state less search [11] and incorporates our reduction. 2 System Model We adopt Godefroid's model of concurrent systems [10], except that we call the concurrent entities threads rather than processes, disallow transitions that affect the control state of multiple threads, and divide objects into four categories. An object is characterized by a pair hDom; Opi, where Dom is the set of possible values of the object, and ....

[Article contains additional citation context not shown here]

Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


An Expressive Extension of TLC (Extended Abstract) - Henriksen (1999)

....a large class of interesting properties expressed by linear time temporal logics, it turns out that either all members of an equivalence class satisfy a certain property or none do. For such properties the verification task can be substantially improved by the partial order methods for verification [6, 10]. Such equivalence classes can be canonically represented by restricted labelled partial orders known as Mazurkiewicz traces [4, 8]. These objects allow direct Part of this work was done at Lehrstuhl für Informatik VII, RWTH Aachen, Germany Basic Research in Computer Science, Centre of ....

Godefroid, P.: Partial-order methods for the verification of concurrent systems. LNCS 1032, Springer-Verlag (1996)


Model Checking for Feature Interaction Analysis: controlling.. - Calder, Miller (2000)

....of the statespace exploration, or transform the Promela model to generate a smaller space, without fundamentally altering the level of abstraction of the model. Several possible approaches have been explored and are discussed below. Partial order reduction Partial order reduction (POR) (see [9, 6]) reduces the size of the state space by exploiting the fact that many checked properties are insensitive to the interleaving of concurrent activities: certain permutations of safe transitions can be excluded. However, POR has only limited effect on our model. Closer examination shows that this ....

P. Godefroid. Partial Order Methods for the Verification of Concurrent Systems. Lecture Notes in Computing Science, vol. 1032, 1996.


Enhancing Partial-Order Reduction via Process Clustering - Basten, Bosnacki

....the state space of a concurrent system is the state explosion, caused by the arbitrary interleaving of independent actions of the various components of the system. Several techniques have been developed to cope with this problem. Partial order reduction is a very prominent one (see, for example, [1, 7, 8, 11, 12, 18, 19, 20, 21, 22]). It exploits the independence of actions to reduce the state space of a system while preserving properties of interest. During the generation of a state space, in each state, a subset of the enabled actions satisfying certain criteria is chosen for further exploration. Following [12, 19] we ....

....in the state labeling of the LTS representing the state space of the system. Thus, at this point, the reason for including a set of boolean propositions and an accompanying state labeling in the definition of an LTS becomes apparent. For more details on the verification of local properties, see [7, 11, 20]. The third class of properties are those expressible in (next time free) Linear time Temporal Logic (LTL). Also LTL properties are formulated in terms of the propositions in an LTS. It is beyond the scope of this paper to give a formal definition of LTL; the interested reader is referred to [16] ....

[Article contains additional citation context not shown here]

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. LNCS 1032. Springer, 1996.


Difficult configurations - on the complexity of LTrL - Walukiewicz (1998)   (6 citations)

....traces is interesting because it is far from trivial and it requires new methods and new insights. Next, traces can model systems more faithfully than words as they do not introduce ad hoc dependencies. Because of this, traces also seem to be of some help in coping with the state explosion problem [15, 5, 8]. If we agree that modelling systems with traces is a good enough idea to try then the immediate question is: how to express properties of traces. For this we must understand the complexity of checking properties over traces. Instead of talking about particular properties it is often better to ....

P. Godefroid. Partial-order methods for the verification of concurrent systems, volume 1032 of LNCS. Springer-Verlag, 1996.


Prod Reference Manual - Varpaaniemi, Halme, Hiekkanen.. (1995)   (15 citations)

....only in non-on-the-fly verification. Otherwise it is ignored. See sections 3.3, 4.1 and 4.5 to know what is meant by a visible transition instance. Otherwise they would be visible by default. Visibility information is essential when option i Aj or i Cj is given. • S The sleep set method [7, 8, 23, 25, 26, 28] is used. The sleep set method alone as well as the combination of the sleep set method and the stubborn set method preserve all reachable terminal markings and are correct and complete in on-the-fly verification. However, the graph generator complains and refuses to use the sleep set method if the ....

Godefroid, P.: Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. Doctoral thesis, University of Liège, November 1994, 134 p.


Obtaining Memory-Efficient Reachability Graph.. - Mailund, Westergaard (2004)

No context found.

P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, volume 1032 of LNCS. Springer-Verlag, 1996.


Methodology Of Dynamical Analysis Of Sdl Programs Using.. - Malmqvist (1997)   (4 citations)

No context found.

Godefroid, P.: Partial-Order Methods for the Verification of Concurrent Systems, An Approach to the State-Explosion Problem. Ph.D. thesis, 1995.


Model Checking for Feature Interaction Analysis: Why is my.. - Calder, Miller (2000)

No context found.

P. Godefroid. Partial Order Methods for the Verification of Concurrent Systems. Lecture Notes in Computing Science, vol. 1032, 1996.


CiteSeer.IST - Copyright Penn State and NEC