Distributed CTL Model-Checking and counterexample search

In this paper, we propose a distributed algorithm for CTL model-checking and a counterexample search whenever the CTL formula is not satisﬁed. The distributed approach is used in order to cope with the state space explosion problem. A cluster of workstations performs collaborative veriﬁcation over a partitioned state space. Thus, every process involved in the distributed veriﬁcation executes a labelling procedure on its own partial state space, and uses the parse tree of the CTL formula to evaluate sub-formulas and delay the synchronisations so as to minimise idle time. A counterexample search consists in a distributed construction of the tree-like corresponding to the failure executions. Some experiments have been carried out to evaluate the efﬁciency of this approach.


INTRODUCTION
The design of critical systems requires checking properties to ensure a high level of reliability.Formal specification and verification is a means towards that goal.Model-checking is a successful verification method based on reachability analysis [McM98, BBF + 01, BCM + 92, Hol03, CES86].However, it often encounters the state space explosion problem when dealing with large and complex systems.Different methods were designed to cope with this problem using compact representations and symbolic model-checking [Bry92], symmetries [BBF + 01], on-the-fly verification [BBF + 01], etc.Another approach consists in taking advantage of a distributed environment.The idea is to increase the computational power and more specifically a large available memory, by using a cluster of computers.The use of networks of computers can provide the resources required to achieve verification of industrial case studies.
The important feature of distributed algorithms is to solve a given problem by distributing the data among the participating stations with a small amount of coordination.One of the main issues in distributing model-checking algorithms is the partitioning of the state space among the individual computers.Distributed algorithms for state space generation for high level models, such as Petri nets, using clusters or parallel computers have been recently proposed in e.g.[KM04,GMS01,CGN98].
In the same context, several works proposed to distribute the model-checking of linear temporal logic (LTL) formulae [LS99,BBC03a,BvH03,BvMv04,BBC03b], with a distributed search of accepting cycles in Büchi automata.Distributed and parallel model checking of CTL logic 3rd International Workshop on Verification and Evaluation of Computer and Communication Systems 1 Distributed CTL Model-Checking and counterexample search [BCY02,BH05,Bou05], and modal mu-calculus [BBW02] were also studied.In [BP07] we presented a distributed verification of reachability, liveness and home state properties.
Here, we focus on enumerative distributed model-checking for CTL logic, performed in a backward manner as in [BH05].We propose a distributed search of a counterexample whenever the formula is not satisfied, based on the construction of the tree-like structure [CJLV02] corresponding to the sub-graph where the negation of the formula holds.The paradigm used for our algorithms is distributed computing based on message passing on a MIMD architecture with a distributed memory.
The paper is organized as follows.In section 2, we shortly recall CTL basic definitions.Then, section 3 describes the distributed setting we use for the state space.Section 4 presents the approach for CTL model-checking in this distributed framework.The counterexample search in a distributed environment is presented in section 5.An implementation of this algorithm led to experimental results discussed in section 6.

THE COMPUTATION TREE LOGIC CTL
CTL is a branching time logic [CES86], based on models where at each moment there may be several different possible futures.The syntax of CTL formulas is given in definition 1, where the most elementary expressions are atomic propositions.The set of atomic propositions is denoted by AP with elements p, q, r. . .

Definition 1 (CTL syntax) The set of CTL formulae is inductively defined as follows:
• p ∈ AP is a CTL formula.
E and A are respectively the existential and universal path operators, expressing that a property is valid for some path and for all paths.The temporal operators X and U are called respectively next and until operators, expressing that a property is valid in the next state, and that ψ is valid until ϕ becomes valid.They must be in the scope of an existential or universal path operator.
The interpretation of the CTL formulae is defined over a Kripke structure: Definition 2 (Kripke structure) A Kripke structure is a 4-tuple M = (S, T, λ, s 0 ) where: • S is a non-empty set of states, • T ⊆ S × S associates with each state s ∈ S its possible successors, • λ : S −→ 2 AP , associates with each state s ∈ S the set of atomic propositions λ(s) valid in s. • s 0 ∈ S is the initial state.

Definition 3 (Paths) A path is an infinite sequence of states
The set of paths is denoted P.

Notations:
• The (i+1)th element of σ ∈ P is denoted σ The semantics of CTL formulas is then defined as follows: Definition 4 (CTL semantics) Let p ∈ AP be an atomic proposition, M = (S, T, λ, s 0 ) a Kripke structure, s ∈ S, and ϕ, ψ CTL formulae.The satisfaction relation |= is inductively defined by: The interpretations for atomic propositions, negation and conjunction are as usual.EXϕ is valid in state s if and only if there exists some path σ starting in s such that property ϕ holds in the next state of this path, σ[1].A[ϕ ∪ ψ] is valid in state s if and only if every path starting in s has an initial finite prefix such that ψ holds in the last state of this prefix and ϕ holds at all other states along the prefix.E[ϕ ∪ ψ] is valid in s if and only if there exists a path starting in s that satisfies the property ϕ ∪ ψ.
Some operators are also often defined and used in the literature: EF, AF, EG, AG and AX, but they can all be obtained from those in definition 4.
A model-checking algorithm for CTL consists in computing, for a given formula ϕ and a model M , the subset: Sat(ϕ) = {s ∈ S | s |= ϕ} in an iterative manner.The problem of checking if s |= ϕ is then reduced to checking if s ∈ Sat(ϕ).Sat is constructed inductively using the formula parse tree (see e.g.[CES86,IB06]).

DISTRIBUTED STATE SPACE EXPLORATION
Among the approaches to render verification amenable, distributed state space exploration consists in splitting the state space on different machines so as to take advantage of their memory.The partitioning of the state space is a crucial issue.Compact state representations, load balancing policies [KM04, LS99, GMS01], and similar approaches [CCBF94, CGN98] yield very good speedups.
The idea underlying a distributed algorithm for state-space generation is to use multiple processes to perform the exploration concurrently on distinct parts of the state space.Let us assume there are N machines connected by a network and communicating by message passing.To distribute the states among the different machines, we use a hash function h : S −→ {0, ..., N − 1}.Then h(s) is the owner of state s, i.e. the process responsible for storing s and exploring its successors.This defines a partition of S into N sets: The hash function must give a uniform partitioning and minimum cross arcs.A cross arc is an arc from a state s to a state s ′ such that h(s) = h(s ′ ), i.e. s and s ′ do not belong to the same station.A large number of cross arcs will necessarily lead to more communications.Hence the choice of the hash function is a crucial issue for the technique to be efficient.In general, it could either be supplied by the user or be automatically computed.The computation could be similar to symmetries computations or be derived from an initial partial state space exploration.
As in [KP04], we use two types of processes: A coordinator and N worker processes.The coordinator, which is a very light process, can be executed on the same station as any worker process.It initiates the generation, by sending the initial state s 0 to the worker process h(s 0 ), and detects termination of the overall computation.Workers execute the same code ; a worker process i is executed by station i, to generate the subset of states S i owned by this station.
In the following, for generation as well as for verification, we describe only the algorithms executed by the worker processes.The generation algorithm executed by a machine i (worker i ) is briefly described in algorithm 1, In the algorithm, Waiting contains the states which are not yet explored.At each iteration an element s of Waiting is removed to generate its successors.Node(s ′ ) adds local successors to Waiting if they have not been explored yet, distant successors are sent to their owner process.Arc(s, s ′ ) adds the arc (s, s ′ ) to the set of arcs.Arcs can be stored using either a successors or a predecessors list, and every successor is marked by its owner process identification, in particular for distant successors.
The communications are asynchronous, thus, when receiving a message, the processes are preempted and a handler function MessHandler () is executed.The excerpt of this function shown in algorithm 2, indicates the operations executed when a state is received by station i.The main procedure contains a waiting loop which stops when a TERMINATE message is received from the coordinator process.The DistGeneration(i) procedure is invoqued when the process receives the first marking.Messages vehicle states or other information ensuring the termination of the distributed algorithm.They are all taken care of by the same procedure MessHandler().The termination occurs when all processes have finished handling their states, and no message is in transit.

DISTRIBUTED MODEL CHECKING OF CTL FORMULAS
In this section, we present algorithms to verify CTL formulas on a distributed state space.We consider the same architecture based on coordinator and worker processes.We suppose that the state space is entirely partitioned over all the stations of the cluster, each station (process) i owns the set of states S i = {s | h(s) = i}, and each process constructed the parse tree of the CTL formula [CES86].
Each process computes the set of local states Sat i (ϕ) which satisfy ϕ, such that: Propositional subformulas, atomic propositions, negation and conjunction can be verified locally by each process.However, when the CTL formula includes the temporal operators EX, AX, EU or AU , communications between processes to check the non-local neighbouring states become necessary.We consider only the operators EX, EU and AU which cover all the CTL formulae.The operator EG could be considered instead of AU , but its verification requires the computation of the stongly connected components in a distributed setting.
To compute Sat i (ϕ) for a formula ϕ containing subformulas, we proceed inductively by labelling with ϕ the states satisfying ϕ.We assume that the sets of local states satisfying these subformulas are already computed (labelled).This is always the case when the parse tree is used.

Propositional CTL formulae
When ϕ is a propositional CTL formula, all processes compute their set of local states Sat i (ϕ) which satisfy ϕ, independently of each other, using algorithm 3.
Since there is no need for communications to perform the distributed checking of logical formulas, we can expect a linear speedup, provided the hash function is appropriate.

neXt CTL formulae: ψ = EXϕ and ψ = AXϕ
Assume that the local set Sat i (ϕ) is known.To compute the set of states satisfying ψ = EXϕ, each machine executes algorithm 4.

Algorithm 4: Sat
Every process i adds each local predecessor s ′ of the states which satisfy ϕ to Sat i (ψ), and sends messages to the processes owning distant predecessors to do so.When a process j receives a state s, it adds it to Sat j (ψ) (see algorithm 7, lines 3-4).There is no need for process j to reply to process i.
Since we proceed in a backward manner, it is not necessary to wait for sets Sat j (ϕ) to be known by the other processes j = i.Thus, the processes can work independently of each other and in a parallel way.Hence, we can also expect a linear speedup.
The satisfaction of AXϕ can be obtained by checking ¬EX¬ϕ.

Exist Until formulae:
To evaluate the CTL formula ψ = E(ϕ 1 ∪ ϕ 2 ), we assume that Sat i (ϕ 1 ) and Sat i (ϕ 2 ) are known by each station i.This means that processes must wait for each other until these sets are known in all processes.Then, to compute the set Sat i (ψ), each process executes algorithm 5.
Algorithm 5: A set Snew i is used to contain the new states which satisfy ψ.Initially, Snew i contains Sat i (ϕ 2 ).
At each iteration a state s is removed from Snew i , and every predecessor s ′ / ∈ Sat i (ψ) satisfying ϕ 1 , then satisfies ψ, is included in Snew i to check whether its predecessors satisfy ϕ 1 too.For distant predecessors a message is sent to their owner process.When a process j receives a such message it adds the state to Snew j and to Sat i (ψ) (see algorithm 7, lines 10-14).

For All Until CTL formulae:
Similar ideas are used to compute the set of states which verify the AU formulae.Sat i (ϕ 1 ) and Sat i (ϕ 2 ) being known for all processes, Sat i (ψ) is computed for each process i.

Specific messages
Communications are required when successors and predecessors are not handled by the same process.Hence, function MessHandler() is extended so as to handle the messages concerning the formulae evaluation as described in algorithm 7.

end
The termination of the verification of a formula ψ occurs when the initial state is added to Sat i (ψ) or when all processes end the labelling of their own states.In the last case, the formula is not satisfied, and we propose a distributed search of the counterexample.

DISTRIBUTED COUNTEREXAMPLE SEARCH
The model-checking algorithm either terminates with success, if the property holds, or with failure otherwise.In this latter case, a counterexample provides the designer with the reasons for the failure and can be helpful to find subtle errors in the system.A large class of temporal logics admit counterexamples as simple tree-like structures [CJLV02].It consists in a structure which shows that the negation of the formula is true.
Here, we propose to determine a counterexample from the distributed state space, allowing the use of explicit state enumeration techniques on very large models, by exploiting resources of multiple stations of a cluster.In this section, we focus on determining the counterexample for a formula using the temporal operators AU and EU since they are the most challenging cases.
The counterexample search is done in a depth first manner, starting from the initial state s 0 .
It is easy to determine the counterexample in the case of a formula ψ = AXϕ: when it does not hold, there exists a successor s of s 0 such that s |= ϕ.Thus, the counterexample is the sub-graph containing only s 0 and its successors not satisfying ϕ.
However, for both formulae A(ϕ 1 ∪ϕ 2 ) and E(ϕ 1 ∪ϕ 2 ), the corresponding counterexample consists in all the paths π = s 0 s 1 . . .such that: For the distant successors, messages are sent to their owners so as to be handled.If s has no successor, or no successor satisfying either ϕ 1 or ϕ 2 , then π constitutes also a counterexample (lines 17 and 25).
When the top of the stack contains a backtrack tag, the next state to pop is distant.A message is then sent to its owner to pursue processing.
The process h(s 0 ) starts the counterexample search as described in algorithm 9 when it receives a CounterExample message.Cycle detection can be performed using depth-first exploration.However, if the exploration is carried out in a parallel way, some cycles might be overlooked.Hence, when a process sends a state, it remains idle until it receives a Backtrack message or another state to be visited.

IMPLEMENTATION AND EXPERIMENTAL RESULTS
The previous algorithms were implemented within a prototype tool.Given a Petri net, the reachability graph is generated on a cluster of stations, and then a CTL formula is verified.In this section, we give the results obtained for the dining philosophers problems.Other problems like the distributed database managers were also studied.Whenever the formula is not satisfied, the subgraph corresponding to the counterexample is entirely computed, and reported to the user.The tests were carried on a cluster composed of 12 stations (Pentium IV with 512 Mbytes of memory).

The dining philosophers
The dining philosophers problem, introduced by Dijkstra, concerns the problem of resources allocation between processes.Several philosophers sit around a circular table.There is a fork between each pair of neighbouring philosophers.Each philosopher spends his life alternating thinking and eating phases, and may arbitrarily decide to use either the fork to his left or the one to his right, but needs both of them to eat.
The states of the dining philosophers problem can be partitioned into sets S 1 , S 2 . . .such that S i does not contain all the states corresponding to i eating philosophers.Indeed, these states are not linked by any transition, they constitute a stable, so it is more interesting to store them on different stations.On the contrary, a state where there are i eating philosophers is only linked to states where there are i − 1 and i + 1 eating philosophers, such that there are respectively i − 1 and i eating philosophers common to both states.Hence, our hash function tries to store them on the same station.
The experimental results for this problem are given in table 1.We can note that the number of cross arcs compared to the total number of transitions, given by the ratio N 1 /N 2 , grows to reach more then 8, which means that there is one traversal transition for more then eight local transitions.The ratio N 3 /N 2 shows that the number of messages is approximately 2 messages for each traversal transition.A superlinear speedup is obtained, as shown in the last two columns.In table 2 the first columns give results concerning formulas verification containing the EU operator, respectively the maximum CPU time for each process and the CPU time of a single process verification.Here also we have an interesting speedup.
The second part of columns concerns the distributed counterexample search.The first column gives the total number of counterexamples, the second column the number of counterexamples which are paths (others are cycles), followed by the number of messages needed for the distributed search of the first counterexample and the total number of messages to find all the counterexamples.In the last column the maximum CPU time for each process to find all counterexamples.

CONCLUSION
In this paper, we proposed algorithms for CTL distributed model-checking.First, the state space is both generated and partitioned over a cluster of stations; this step is achieved by a set of machines which collaborate to explore the entire state space.Then, the same set of machines is used to achieve a distributed model-checking of CTL formulas.We have adapted the sequential algorithms used to verify the CTL formulas to the distributed case.This permits to model check systems using explicit representation of the states, taking advantage of the memory of all the involved machines.A counterexample, based on a partitioned search, is given whenever the CTL formula is not satisfied.Several tests were performed over a cluster of workstations, a super-linear speedup is obtained for large problems, also allowing for verification of examples not amenable on a single machine.Future work will include large case studies issued from industrial size applications.

Algorithm 1 :
DistGeneration(i) begin input : The Petri net N /* Process states in Waiting */ while Waiting = ∅ do Choose s ∈ Waiting

TABLE 1 :
Distributed generationWe analysed several formulae which do not hold, e.g. two thinking philosophers can start eating at the same time, The analysis of these formulae always leads to a failure, and a counterexample search.The second formula gives only cycles involving the entire state space.The results obtained for the first formula are given in tables 1 and 2 where the last column indicates the computation time with a single process (i.e.not distributed).

TABLE 2 :
Distributed verification and counterexample search