## Parallel External Directed Model Checking with Linear I/O (2006)

Venue: | In VMCAI |

Citations: | 20 - 5 self |

### BibTeX

@INPROCEEDINGS{Jabbar06parallelexternal,

author = {Shahid Jabbar and Stefan Edelkamp},

title = {Parallel External Directed Model Checking with Linear I/O},

booktitle = {In VMCAI},

year = {2006},

pages = {237--251},

publisher = {Springer}

}

### OpenURL

### Abstract

In this paper we present Parallel External A*, a parallel variant of external memory directed model checking. As a model scales up, its successors generation becomes complex and, in turn, starts to impact the running time of the model checker. Probings of our external memory model checker IO-HSF-SPIN revealed that in some of the cases about 70% of the whole running time was consumed in the internal processing.

### Citations

1302 |
Symbolic Model Checking
- McMillan
- 1993
(Show Context)
Citation Context ...ing the exploration even if all available reduction techniques, like symmetry or partial-order reduction [20, 24] have been applied. Besides advanced implicit storage structures for the set of states =-=[19]-=- three different options have been proposed to overcome the internal space limitations for this so-called state explosion problem, namely, directed, external and parallel search. Directed or heuristic... |

71 | Directed explicit-state model checking in the validation of communication protocols
- Edelkamp, Leue, et al.
- 2004
(Show Context)
Citation Context ...t of software errors. The main observation is that using this guidance, the number of explored states needed to establish an error is smaller than with blind search. Moreover, directed model checking =-=[29, 7]-=- often reduces the length of the counter-example, which in turn eases the interpretation of the bug. External search algorithms [26] store and explore the state space via hard disk access. States are ... |

69 | I/O complexity of graph algorithms
- Munagala
- 1999
(Show Context)
Citation Context ...are removed with respect to the levels i, i−1 and i−2, then no duplicate state will remain for the entire search process. For breadth-first-search in explicit graphs, this is in fact the algorithm of =-=[22]-=-. We consider each bucket as a different file that has an individual internal buffer. A bucket is active if some of its states are currently expanded or generated. If a buffer becomes full, then it is... |

63 | Distributed-Memory model checking with SPIN
- Lerda, Sista
- 1999
(Show Context)
Citation Context ...nets based model checking where the notion of time is used as a progress measure. While some approaches to parallel and distributed model checking are limited to the verification of safety properties =-=[2, 10, 17]-=-, other work propose methods for checking liveness properties expressed in linear temporal logic (LTL) [4, 18]. Recall that LTL model checking mainly entails finding accepting cycles in a state space,... |

62 | Validation with guided search of the state space
- Yang, Dill
- 1998
(Show Context)
Citation Context ...t of software errors. The main observation is that using this guidance, the number of explored states needed to establish an error is smaller than with blind search. Moreover, directed model checking =-=[29, 7]-=- often reduces the length of the counter-example, which in turn eases the interpretation of the bug. External search algorithms [26] store and explore the state space via hard disk access. States are ... |

53 |
Depth-first search is inherently sequential
- Reif
- 1984
(Show Context)
Citation Context ...is performed with the nested depth-first search algorithm. The correctness of this algorithm depends on the depth-first traversal of the state space. Since depth-first search is inherently sequential =-=[25]-=-, additional data structures and synchronization mechanisms have to be added to the algorithm. These requirements can waste the resources offered by the distributed environment. Moreover, formally pro... |

51 | Achieving Scalability in Parallel Reachability Analysis of Very Large Circuits
- Heyman, Geist, et al.
(Show Context)
Citation Context ...nets based model checking where the notion of time is used as a progress measure. While some approaches to parallel and distributed model checking are limited to the verification of safety properties =-=[2, 10, 17]-=-, other work propose methods for checking liveness properties expressed in linear temporal logic (LTL) [4, 18]. Recall that LTL model checking mainly entails finding accepting cycles in a state space,... |

49 | Heuristics for model checking Java programs
- Groce, Visser
- 2004
(Show Context)
Citation Context ...ristics for invariant checking that extract information from the invariant specification and heuristics that base on already given errors states. The second class has been denoted as being structural =-=[9]-=-, in the sense that source code metrics govern the search. This class includes coverage metrics (such as branch count) as well as concurrency measures (such as thread preference and thread interleavin... |

48 | Divide-and-conquer frontier search applied to optimal sequence alignment
- Korf, Zhang
- 2000
(Show Context)
Citation Context ...teen-Puzzle are regular permutation games, each state can be perfectly hashed to a unique index. Since all state spaces are undirected, in order to avoid regenerating explored states, frontier search =-=[15]-=- stores, with each node, its used operators in form of a bit-vector in the size of the operator labels available. This allows to distinguish neighboring states that have already been explored from tho... |

48 | External-memory breadth-first search with sublinear i/o
- Mehlhorn, Meyer
- 2002
(Show Context)
Citation Context ...e [22] for explicit and implicit graphs. However, the precomputation and access efforts are by far larger for the explicit graph representation. The breadthfirst search algorithm has been improved by =-=[21]-=-. Even for implicit search, the body of literature is rising at a large pace. Edelkamp and Schrödl [8] consider external route-planning graphs that are naturally embedded into the plane. This yields a... |

47 |
Ten Years of Partial Order Reduction, in
- Peled
- 1998
(Show Context)
Citation Context ...t main memory is often not sufficient for a lossless storage of the set of reachable states during the exploration even if all available reduction techniques, like symmetry or partial-order reduction =-=[20, 24]-=- have been applied. Besides advanced implicit storage structures for the set of states [19] three different options have been proposed to overcome the internal space limitations for this so-called sta... |

42 |
Large-scale parallel breadth-first search
- Korf, Schultze
- 1385
(Show Context)
Citation Context ... of resources provided by parallel environments. A speedup is expected if the load is distributed uniformly with a low inter-processes communication cost. In large-scale parallel breadth-first search =-=[14]-=-, the state space is fully enumerated for increasing depth. Using this approach a complete exploration for the Fifteen-Puzzle with 16!/2 states has been executed on six disks using a maximum of 1.4 te... |

41 | Distributed LTL Model-Checking in SPIN
- Barnat, Brim, et al.
- 2001
(Show Context)
Citation Context ...l and distributed model checking are limited to the verification of safety properties [2, 10, 17], other work propose methods for checking liveness properties expressed in linear temporal logic (LTL) =-=[4, 18]-=-. Recall that LTL model checking mainly entails finding accepting cycles in a state space, which is performed with the nested depth-first search algorithm. The correctness of this algorithm depends on... |

40 |
The stanford murphi verifier
- Dill
- 1996
(Show Context)
Citation Context ...ficient solution can only be obtained, if the organization between the different tasks can be optimized and distributed in a way that the working power is effectively used. Distributed model checking =-=[28]-=- tackles with the state explosion problem by profiting from the amount of resources provided by parallel environments. A speedup is expected if the load is distributed uniformly with a low inter-proce... |

37 |
Best-first frontier search with delayed duplicate detection
- Korf
- 2004
(Show Context)
Citation Context ...sion process in best-first search. The projection preserves the duplicate scope or locality of the state space graph, so that states that are outside the locality scope do not need to be stored. Korf =-=[13]-=- highlights different options to combine A*, frontier and external search. His proposal is limited as only any two options were compatible. Edelkamp [5] extends the External A* with BDDs to perform a ... |

34 | Using magnetic disk instead of main memory in the murphi verifier
- Stern, Dill
- 1998
(Show Context)
Citation Context ... algorithm is to control the locality of the file access, where block-transfers are in favor to random accesses. Since hashing has a bad reputation for preserving locality, in external model checking =-=[27, 11]-=- duplicateselimination is delayed by applying a subsequent external sorting and scanning phase of the state set to be refined. During the algorithm only a part of the graph can be processed at a time;... |

29 | Structured duplicate detection in external-memory graph search
- Zhou, Hansen
- 2004
(Show Context)
Citation Context ...rnal route-planning graphs that are naturally embedded into the plane. This yields a spatial partitioning that is exploited to trade state exploration count for improved local access. Zhou and Hansen =-=[30]-=- impose a projection function to have buckets to control the expansion process in best-first search. The projection preserves the duplicate scope or locality of the state space graph, so that states t... |

28 | Scalable Distributed On-the-Fly Symbolic Model Checking
- Ben-David, Heyman, et al.
- 2000
(Show Context)
Citation Context ...nets based model checking where the notion of time is used as a progress measure. While some approaches to parallel and distributed model checking are limited to the verification of safety properties =-=[2, 10, 17]-=-, other work propose methods for checking liveness properties expressed in linear temporal logic (LTL) [4, 18]. Recall that LTL model checking mainly entails finding accepting cycles in a state space,... |

19 | External A
- Edelkamp, Jabbar, et al.
- 2004
(Show Context)
Citation Context ...inherit guidance from the system designer in form of source annotations, yielding preference and pruning rules for the model checker.sg 4 External A* h Fig. 2. Exploration in External A*. External A* =-=[6]-=- maintains the search horizon on disk. The priority queue data structure is represented as a list of buckets. In the course of the algorithm (cf. Figure 2), each bucket (i, j) will contain all states ... |

15 | Localizing A
- Edelkamp, Schrödl
- 2000
(Show Context)
Citation Context ...er for the explicit graph representation. The breadthfirst search algorithm has been improved by [21]. Even for implicit search, the body of literature is rising at a large pace. Edelkamp and Schrödl =-=[8]-=- consider external route-planning graphs that are naturally embedded into the plane. This yields a spatial partitioning that is exploited to trade state exploration count for improved local access. Zh... |

13 |
Algorithms for Memory Hierarchies
- Meyer
- 2003
(Show Context)
Citation Context ...maller than with blind search. Moreover, directed model checking [29, 7] often reduces the length of the counter-example, which in turn eases the interpretation of the bug. External search algorithms =-=[26]-=- store and explore the state space via hard disk access. States are flushed to and retrieved from disk. As virtual memory already can exceed main memory capacity, it can result in a slow-down of speed... |

13 |
E.: External-memory pattern databases using structured duplicate detection
- Zhou, Hansen
(Show Context)
Citation Context ...Ds to perform a externalssymbolic BFS in abstract space, followed by an external symbolic A* search in original space that take the former result as a lower bound to guide the search. Zhou and Hansen =-=[31]-=- propose structure preserving state space projections to have a reduced state space to be controlled on disk. They also propose external construction of pattern databases. The drawback of their approa... |

12 |
Formalization and validation of the General
- Kamel, Leue
(Show Context)
Citation Context ...tion. As all input files are pre-sorted the stated I/O complexity of the algorithm is still linear. We chose two characteristics protocols for our experiments, the CORBAGIOP protocol as introduced by =-=[12]-=-, and the Optical Telegraph protocol that comes with SPIN distribution. The CORBA-GIOP can be scaled according to two different parameters, the number of servers and the number of clients. We selected... |

11 |
Time-Efficient Model Checking with Magnetic Disks
- Bao, Jones
- 2005
(Show Context)
Citation Context ...g that is not available in model checking. In Stern and Dill’s initial paper on external model checking in the Murφ Verifier variants of external breadth-first search are considered. In Bao and Jones =-=[1]-=-, we see another faster variant of Murφ Verifier with magnetic disk. They propose two techniques: one is based on partitioned hash tables, and the other on chained hash table. They targeted to reduce ... |

10 | I/O efficient directed model checking
- Jabbar, Edelkamp
- 2005
(Show Context)
Citation Context ... algorithm is to control the locality of the file access, where block-transfers are in favor to random accesses. Since hashing has a bad reputation for preserving locality, in external model checking =-=[27, 11]-=- duplicateselimination is delayed by applying a subsequent external sorting and scanning phase of the state set to be refined. During the algorithm only a part of the graph can be processed at a time;... |

9 |
Directed search for the verification of communication protocols
- Lluch-Lafuente
- 2003
(Show Context)
Citation Context ...ion of Parallel External A* in our extension to the model checker SPIN. Our tool, entitled IO-HSF-SPIN and first introduced in [11], is in fact an extension of the model checker HSF-SPIN developed by =-=[18]-=-. Instead of implementing all four stages for the bucket exploration, we restricted to three stages and use one server processor to merge the sorted outcome of the others. A drawback is that all proce... |

8 |
Systems and Software Verification
- Bérard, Bidoit, et al.
- 2001
(Show Context)
Citation Context ...r of open file pointers per process, the I/O complexity is reduced to linear by exploiting a hash-function based state space partition scheme. 1 Introduction In explicit-state model checking software =-=[3]-=-, state descriptors are often so large, so that main memory is often not sufficient for a lossless storage of the set of reachable states during the exploration even if all available reduction techniq... |

8 | Efficient path finding with the sweep-line method using external storage
- Kristensen, Mailund
- 2003
(Show Context)
Citation Context ...e that, in turn, diminishes the size of the set to be checked. They claim their technique to be inherently serial having less room for a distributed variant. In the approach of Kristensen and Mailund =-=[16]-=- repeated scans over the search space in a geometric scan-line approach with states that are arranged in the plane wrt. some progress measure based on a given partial order. The scan over the entire s... |

2 |
External symbolic pattern databases
- Edelkamp
- 2005
(Show Context)
Citation Context ... locality scope do not need to be stored. Korf [13] highlights different options to combine A*, frontier and external search. His proposal is limited as only any two options were compatible. Edelkamp =-=[5]-=- extends the External A* with BDDs to perform a externalssymbolic BFS in abstract space, followed by an external symbolic A* search in original space that take the former result as a lower bound to gu... |