SPIN-to-GRAPE: A tool for analysing symmetry in Promela models (PowerPoint presentation)


1
SPIN-to-GRAPE: A tool for analysing symmetry in Promela models
  • Alastair Donaldson, Alice Miller and Muffy Calder
  • Department of Computing Science,
  • University of Glasgow
  • {ally,alice,muffy}@dcs.gla.ac.uk

2
Overview
  • Model checking: allows automatic verification of
    concurrent systems; hindered by state explosion
  • Symmetry: can be exploited to reduce the state space;
    most approaches use scalarsets, which are limited
  • SPIN-to-GRAPE: allows analysis of SPIN verification
    models using GAP and GRAPE
  • Examples: models which have interesting forms of
    symmetry which scalarsets cannot handle
  • Extending scalarsets: more general forms of
    symmetry could be exploited
  • Future work: automatic symmetry detection
3
Model checking
Diagram (adapted from a presentation by Theo Ruys): the system design is
abstracted into a verification model $M$, and the requirements are formalised
as temporal logic properties $\phi_i$; for each $i$ the model checker decides
whether $M \models \phi_i$, answering Yes or No.
4
Symmetry
  • Kripke structure $M$: a finite set $S$ of states, a transition
    relation $R \subseteq S \times S$, and a labelling $L$ of each state
    with the values of the variables
  • Automorphism of $M$: a bijection $\sigma : S \to S$ such that
    if $(s,t) \in R$ then $(\sigma(s), \sigma(t)) \in R$
  • $\mathrm{Aut}(M)$: the group of all automorphisms of $M$
  • A subgroup $G \le \mathrm{Aut}(M)$ partitions the states into orbits:
    states $s$ and $t$ are in the same orbit (under $G$) if
    $s = \sigma(t)$ for some $\sigma \in G$
5
Symmetry
  • Choose orbit representatives: $\mathrm{rep}(s) = \mathrm{rep}(t)$
    if and only if $s$ and $t$ are in the same orbit (under $G$)
  • Quotient Kripke structure $M_G$: the state set $S_G$ consists of the
    orbit representatives; the transition relation is
    $R_G = \{(\mathrm{rep}(s), \mathrm{rep}(t)) : (s,t) \in R\}$;
    the labelling $L_G$ is the same
  • Theorem: let $\phi$ be a symmetric CTL formula.
    Then $M \models \phi$ iff $M_G \models \phi$.
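The definitions on slides 4 and 5, carried through on a toy model as an added example (this code is not from the talk and is not part of the SPIN-to-GRAPE tool; plain Python stands in for GAP/GRAPE). The model is an assumption: three processes cycling through non-critical, trying and critical states under a single mutual-exclusion lock. The code lifts permutations of process ids to states (the way a channel-diagram symmetry acts on $M$), brute-forces which of them are automorphisms, builds orbit representatives and the quotient $M_G$, and then checks one symmetric invariant and one non-symmetric invariant to show why the theorem needs $\phi$ to be symmetric. An `asymmetric` switch makes the last process behave differently so that only part of the symmetry survives.

```python
# Added example (not from the slides): automorphisms, orbits and the quotient
# of a small Kripke structure.  The toy mutual-exclusion model is an assumption.
from itertools import permutations

NON_CRIT, TRYING, CRIT = 0, 1, 2  # local states of one process


def successors(state, asymmetric=False):
    """Interleaving successors of a global state (one local state per process).

    Each process moves NON_CRIT -> TRYING -> CRIT -> NON_CRIT and may enter CRIT
    only while no process is in CRIT.  With asymmetric=True the last process
    skips TRYING and goes NON_CRIT -> CRIT directly, which distinguishes it
    from the others (compare "altering one channel" on slide 15).
    """
    lock_free = CRIT not in state
    last = len(state) - 1
    succ = set()
    for i, loc in enumerate(state):
        nxt = None
        if loc == NON_CRIT:
            if asymmetric and i == last:
                nxt = CRIT if lock_free else None
            else:
                nxt = TRYING
        elif loc == TRYING and lock_free:
            nxt = CRIT
        elif loc == CRIT:
            nxt = NON_CRIT
        if nxt is not None:
            succ.add(state[:i] + (nxt,) + state[i + 1:])
    return succ


def build_kripke(n, asymmetric=False):
    """Explicit-state reachability from the initial state (all NON_CRIT).
    Returns the reachable state set S and the transition relation R."""
    init = (NON_CRIT,) * n
    states, edges, todo = {init}, set(), [init]
    while todo:
        s = todo.pop()
        for t in successors(s, asymmetric):
            edges.add((s, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, edges


def apply_perm(perm, state):
    """Lift a permutation of process ids to a state: the local state of
    process i moves to position perm[i]."""
    out = [None] * len(state)
    for i, loc in enumerate(state):
        out[perm[i]] = loc
    return tuple(out)


def is_automorphism(perm, states, edges):
    """sigma is an automorphism iff it maps S onto S and (s,t) in R implies
    (sigma(s), sigma(t)) in R.  The labelling travels with the lift."""
    if {apply_perm(perm, s) for s in states} != states:
        return False
    return all((apply_perm(perm, s), apply_perm(perm, t)) in edges for s, t in edges)


def automorphisms_from_pids(n, states, edges):
    """All process-id permutations inducing automorphisms of M (brute force).
    The result is closed under composition, so it is a subgroup of Aut(M)."""
    return [p for p in permutations(range(n)) if is_automorphism(p, states, edges)]


def representatives(states, group):
    """rep(s) = lexicographically least element of the orbit of s under group."""
    return {s: min(apply_perm(p, s) for p in group) for s in states}


def quotient(states, edges, group):
    """M_G: S_G = orbit representatives, R_G = {(rep(s), rep(t)) : (s,t) in R}."""
    rep = representatives(states, group)
    return set(rep.values()), {(rep[s], rep[t]) for s, t in edges}


def holds_everywhere(pred, states):
    """Invariant check (AG pred) over a set of states."""
    return all(pred(s) for s in states)


def mutex(s):             # symmetric property: at most one process in CRIT
    return s.count(CRIT) <= 1


def proc0_never_crit(s):  # NOT symmetric: it names a specific process id
    return s[0] != CRIT


if __name__ == "__main__":
    S, R = build_kripke(3)
    G = automorphisms_from_pids(3, S, R)
    SG, RG = quotient(S, R, G)
    print(len(S), "states,", len(G), "automorphisms,", len(SG), "representatives")
    print("mutex  M:", holds_everywhere(mutex, S), "M_G:", holds_everywhere(mutex, SG))
    print("p0 never crit  M:", holds_everywhere(proc0_never_crit, S),
          "M_G:", holds_everywhere(proc0_never_crit, SG), "(non-symmetric: disagree)")
```

For three symmetric processes the full $S_3$ of process permutations survives and 20 states collapse to 7 representatives; the symmetric invariant agrees on $M$ and $M_G$, while the non-symmetric one is false on $M$ but true on $M_G$ because the chosen representatives never put process 0 in the critical section. With `asymmetric=True` only the swap of processes 0 and 1 is an automorphism, and the quotient shrinks much less (12 states to 8), which is the effect slide 15 reports for the three-tier model.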
6
Scalarsets (Ip and Dill 1993)
  • Used to identify symmetry: type <name> : Scalarset(size),
    e.g. type pid : Scalarset(5) and self : pid
  • If the restrictions are satisfied, consistently permuting the
    scalarset values throughout the Kripke structure is an automorphism
  • Restrictions on how scalarset values may be used:
  • array indexing
  • terms of scalarset type
  • comparison
  • assignments
  • for loop indexing

7
Limitations of scalarsets
  • Scalarsets can only be used when symmetries are total
    (every permutation of the scalarset values is an automorphism)
  • Many interesting models have non-trivial symmetries which are not
    total
  • Let $C(P)$ denote the channel diagram of the system $P$
  • Theorem: under similar restrictions to those for scalarsets,
    $\mathrm{Aut}(C(P)) \le \mathrm{Aut}(M)$

8
SPIN and Promela
  • SPIN: explicit-state, on-the-fly model checker.
    Uses partial order reduction and state compression
    successfully. Can verify LTL, a sublogic of CTL*
  • Promela: specification language for SPIN.
    C-like syntax. Constructs for concurrency,
    non-determinism, parameterised processes,
    channels etc.

9
GAP, GRAPE and nauty
  • GAP: Groups, Algorithms and Programming.
    Powerful framework for working with (permutation)
    groups
  • GRAPE: GRaph Algorithms using PErmutation
    Groups. We use GRAPE to find Kripke structure
    automorphisms. It does this using nauty
  • nauty: No AUTomorphisms, Yes. Fast program for
    finding automorphisms of directed, coloured
    graphs.
10
SPIN-to-GRAPE
  • The VERBOSE option in SPIN causes every step of the
    verification to be output to a file
  • SPIN-to-GRAPE analyses the output file and creates a
    GAP input file with GRAPE commands to build the state
    graph
  • GRAPE can then be used to find the automorphism group
    of the state graph
  • GAP can be used to identify the group abstractly,
    compute the quotient state graph, check that the group
    of the channel diagram is a subgroup, etc.
11
SPIN-to-GRAPE
  • Implemented in Perl
  • Retraces the verification, so it would be better if
    incorporated into SPIN
  • Can only deal with small models, but is very useful for
    analysing symmetry in them
  • Does not do symmetry reduction

12
Example three tiered architecture
  • Three process types: client, server and database
  • Clients continuously send a request to a server and
    receive a response
  • Servers continuously receive a request from a
    client, send a query to the database, receive the result
    and send a response back to the client
  • The database continuously receives a query from a server
    and sends the result back to that server

13
Example three tiered architecture
Diagram (time flows downward): the user interface (presentation tier)
requests an operation from the application server and waits for the result;
the application server requests data from the database server and waits for
it; the database server returns the data, and the application server returns
the result. Diagram from Distributed Systems: Principles and Paradigms
(Tanenbaum and Van Steen).
14
Channel diagram C(P)
15
Results for three tier model
  • Using SPIN-to-GRAPE with GAP and GRAPE we find
    $\mathrm{Aut}(M) \cong \mathrm{Aut}(C(P)) \cong (S_3 \wr S_2) \times S_2$
  • Original model: 4,393 states
  • Quotient model: 281 states

Altering one of the server communication channels
reduced the symmetry group to $S_3 \times S_2 \times S_2$, and
reduced the factor of reduction.
16
Hypercube model
  • Similar analysis and results
  • Interesting as it does not obey scalarset-like
    restrictions
  • Original model 15,409 states
  • Reduced model 411 states

17
Extending the scalarset data type
  • Associated scalarsets
  • type server_id : AssocScalarset(3, Scalarset(3), Scalarset(3), Scalarset(2))
  • Topology-based scalarsets
  • type node_id : TopologyScalarset(8, cube) where
    cube = 1→{2,3,5}, 2→{1,4,6}, 3→{1,4,7},
    4→{2,3,8}, 5→{1,6,7}, 6→{2,5,8}, 7→{3,5,8},
    8→{4,6,7}
  • Need to prove which operations are symmetry preserving
  • Both are a bit clumsy.
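To make the "not total" symmetry of slides 7, 16 and 17 concrete, here is an added example (not from the talk, and not how GRAPE or nauty work internally) that computes the automorphism group of the cube topology written out for TopologyScalarset(8, cube) above by brute force over all 8! node permutations. The adjacency list is transcribed from the slide; everything else is assumed. A scalarset over the eight node ids would require every permutation in $S_8$ (40,320 elements) to be a symmetry, whereas the cube has only 48, which is why a topology-based scalarset is needed for the hypercube model.

```python
# Added example (not from the slides): Aut of the cube topology on slide 17,
# found by brute force.  GRAPE/nauty use far better algorithms; this only
# makes the group order and the "not total" point concrete.
from itertools import permutations
from math import factorial

# Adjacency transcribed from the slide (node -> neighbours).
CUBE = {1: {2, 3, 5}, 2: {1, 4, 6}, 3: {1, 4, 7}, 4: {2, 3, 8},
        5: {1, 6, 7}, 6: {2, 5, 8}, 7: {3, 5, 8}, 8: {4, 6, 7}}


def edge_set(adj):
    """Undirected edges as frozensets; also checks the adjacency is symmetric."""
    edges = set()
    for u, nbrs in adj.items():
        for v in nbrs:
            assert u in adj[v], f"asymmetric adjacency {u}->{v}"
            edges.add(frozenset((u, v)))
    return edges


def graph_automorphisms(adj):
    """All node bijections sigma with {sigma(u), sigma(v)} an edge for every
    edge {u, v}.  sigma is injective on a finite edge set, so this 'implies'
    is already an 'iff'."""
    nodes = sorted(adj)
    edges = edge_set(adj)
    auts = []
    for image in permutations(nodes):
        sigma = dict(zip(nodes, image))
        if all(frozenset(sigma[v] for v in e) in edges for e in edges):
            auts.append(sigma)
    return auts


def node_orbits(adj, auts):
    """Orbits of the nodes under the group (a single orbit means every node
    can be mapped to every other, i.e. the graph is vertex-transitive)."""
    seen, orbits = set(), []
    for u in sorted(adj):
        if u in seen:
            continue
        orb = {sigma[u] for sigma in auts}
        orbits.append(orb)
        seen |= orb
    return orbits


def is_total_symmetry(adj, auts):
    """A plain scalarset can only describe the symmetry if every permutation
    of the node ids is an automorphism, i.e. |Aut| = n!."""
    return len(auts) == factorial(len(adj))


if __name__ == "__main__":
    auts = graph_automorphisms(CUBE)
    print(len(edge_set(CUBE)), "edges;", len(auts), "automorphisms of",
          factorial(len(CUBE)), "permutations; total symmetry:",
          is_total_symmetry(CUBE, auts))
    print("node orbits:", node_orbits(CUBE, auts))
```

The cube is vertex-transitive (one orbit of all eight nodes), so the symmetry is far from trivial, yet it is not total: only 48 of the 40,320 node permutations preserve the channel structure, and those 48 are exactly the permutations a topology-based scalarset would be allowed to apply.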

18
Conclusions
  • SPIN-to-GRAPE allows us to analyse symmetry in
    Promela models
  • Using SPIN-to-GRAPE, we have shown that our
    examples cannot be handled by scalarsets
  • Altering communication channels can reduce
    symmetry
  • Associated scalarsets and topology-based
    scalarsets are possible alternatives to handle
    our examples
  • The scalarset approach in general is a bit clumsy

19
Future work
  • Automatic symmetry detection from source text by
    channel diagram analysis
  • Exploiting symmetry during model checking more
    complex when symmetries are not total
  • Symmetry reduction at the source code level
    instead of during search

20
The end!
  • Any questions?