## Fast and Accurate Bitstate Verification for SPIN (2004)

Venue: In Proceedings of the 11th International SPIN Workshop on Model Checking of Software (SPIN

Citations: 19 - 2 self

### BibTeX

```bibtex
@INPROCEEDINGS{Dillinger04fastand,
    author = {Peter C. Dillinger and Panagiotis Manolios},
    title = {Fast and Accurate Bitstate Verification for SPIN},
    booktitle = {In Proceedings of the 11th International SPIN Workshop on Model Checking of Software (SPIN},
    year = {2004},
    pages = {57--75},
    publisher = {Springer-Verlag}
}
```

### Abstract

Bitstate hashing in SPIN has proved invaluable in probabilistically detecting errors in large models, but in many cases, the number of omitted states is much higher than it would be if SPIN allowed more than two hash functions to be used. For example, adding just one more hash function can reduce the probability of omitting states at all from 99% to under 3%. Because hash computation accounts for an overwhelming portion of the total execution cost of bitstate verification with SPIN, adding additional independent hash functions would slow down the process tremendously. We present efficient ways of computing multiple hash values that, despite sacrificing independence, give virtually the same accuracy and even yield a speed improvement in the two hash function case when compared to the current SPIN implementation. Another key to accurate bitstate hashing is utilizing as much memory as is available. The current SPIN implementation is limited to only 512MB and allows only power-of-two granularity (256MB, 128MB, etc). However, using 768MB instead of 512MB could reduce the probability of a single omission from 20% to less than one chance in 10,000, which demonstrates the magnitude of both the maximum and the granularity limitation. We have modified SPIN to utilize any addressable amount of memory and use any number of efficiently-computed hash functions, and we present empirical results from extensive experimentation comparing various configurations of our modified version to the original SPIN.

### Citations

1680 | Space/time trade-offs in hash coding with allowable errors - Bloom - 1970

Citation Context ...nvolved in a Bloom filter and how these apply in the realm of verification. We also present some analysis that sets up a framework for evaluating our results. For the basics, we turn to Bloom himself [1]: [A Bloom filter] completely gets away from the conventional concept of organizing the hash area into cells. The hash area is considered as N individual addressable bits, with addresses 0 through N −...

769 | The Art of Computer Programming, Volume 3: Sorting and Searching - Knuth - 1975

Citation Context ...hing” scheme for collision resolution in open-addressed hash tables. While we give a short overview of double hashing below, a good reference is Chapter 11 of [4], and for a more complete account see [14, 7]. 3.1 Double Hashing Description Open addressing refers to a type of hashing where elements are stored directly in a hash table. To insert an element the hash table is probed until an empty location i...

533 | The SPIN model checker: Primer and reference manual - Holzmann

Citation Context ...functions were used. However, Holzmann notes that the choice of 2 “was adopted in SPIN as a compromise between runtime expense and coverage,” and explains why using more hash functions is impractical [11]: In a well-tuned model checker, the run-time requirements of the search depend linearly on k[, the number of hash functions used]: computing hash values is the single most expensive operation that th...

405 | Network applications of Bloom filters: A survey - Broder, Mitzenmacher

Citation Context ...tly. The drawback of probabilistic methods, of course, is that there is a possibility of omitting states with errors. The Bloom filter is a popular choice of data structure for compactly storing sets [2]. The main parameter for tuning a Bloom filter is the number of hash functions used, and the bitstate mode of SPIN utilizes a Bloom filter with 2 hash functions. In [17], Wolper and Leroy promote usin...

197 | Better verification through symmetry - Ip, Dill - 1996

Citation Context ...To combat the state explosion problem, in addition to hashing—the main topic of this paper—explicit state model checkers use techniques such as partial order reductions [6, 8] and symmetry reductions [3]. The improvements to bitstate verification discussed in this paper do not affect its compatibility with these techniques, but we have disabled reductions in all of our tests in order to easily measur...

167 | Handbook of Algorithms and Data Structures - Gonnet, Baeza-Yates - 1991

Citation Context ...hing” scheme for collision resolution in open-addressed hash tables. While we give a short overview of double hashing below, a good reference is Chapter 11 of [4], and for a more complete account see [14, 7]. 3.1 Double Hashing Description Open addressing refers to a type of hashing where elements are stored directly in a hash table. To insert an element the hash table is probed until an empty location i...

153 | Introduction to Algorithms. McGraw-Hill Higher - Cormen, Rivest, et al.

Citation Context ...techniques are similar to the “double hashing” scheme for collision resolution in open-addressed hash tables. While we give a short overview of double hashing below, a good reference is Chapter 11 of [4], and for a more complete account see [14, 7]. 3.1 Double Hashing Description Open addressing refers to a type of hashing where elements are stored directly in a hash table. To insert an element the h...

115 | A partial approach to model-checking, in - Godefroid, Wolper - 1991

Citation Context ...pecific optimizations enabled. To combat the state explosion problem, in addition to hashing—the main topic of this paper—explicit state model checkers use techniques such as partial order reductions [6, 8] and symmetry reductions [3]. The improvements to bitstate verification discussed in this paper do not affect its compatibility with these techniques, but we have disabled reductions in all of our tes...

85 | An Analysis of Bitstate Hashing - Holzmann - 1998

Citation Context ...d hash functions, and we present empirical results from extensive experimentation comparing various configurations of our modified version to the original SPIN. 1 Introduction “Bitstate verification” [10] is a term that has been used by the model checking community to refer to explicit-state model checking with Bloom filters. Explicit-state model checkers, such as Holzmann’s SPIN, have been used with ...

66 | Reliable hashing without collision detection - Wolper, Leroy - 1993

Citation Context ...ture for compactly storing sets [2]. The main parameter for tuning a Bloom filter is the number of hash functions used, and the bitstate mode of SPIN utilizes a Bloom filter with 2 hash functions. In [17], Wolper and Leroy promote using 20 hash functions instead of Holzmann’s choice of just 2, for in many cases, SPIN would be more accurate if more hash functions were used. However, Holzmann notes that...

34 | Algorithms for automated protocol validation - Holzmann - 1988

Citation Context ...MB. 7 Conclusions and Future Work Early work by Holzmann and others has shown the utility of the Bloom filter data structure for probabilistically verifying systems with explicit state model checkers [9]. The main parameter for tuning a Bloom filter is the number of hash functions used, k, but there is a tension between accuracy and efficiency, as small values of k lead to fast running times, but the...

22 | A New Scheme for Memory-Efficient Probabilistic Verification - Stern, Dill - 1996

7 | Partial order reduction of the state space - Holzmann, Peled - 1995

Citation Context ...pecific optimizations enabled. To combat the state explosion problem, in addition to hashing—the main topic of this paper—explicit state model checkers use techniques such as partial order reductions [6, 8] and symmetry reductions [3]. The improvements to bitstate verification discussed in this paper do not affect its compatibility with these techniques, but we have disabled reductions in all of our tes...

7 | Algorithm alley: Hash functions - Jenkins - 1997

Citation Context ...ique into SPIN, we discovered other ways of improving the speed and accuracy of bitstate verification in SPIN. More specifically, we show that making more intelligent use of the Jenkins hash function [13] can significantly speed up verification. We tackle issues associated with accommodating an arbitrary amount of memory, and show how this simple issue can easily make orders of magnitude of difference...

3 | Improved probabilistic verification by hash compaction - Stern, Dill - 1995

1 | Accurate Bitstate Verification for SPIN 19 - Fast |