Finding Liveness Errors with ACO

Hong Kong, June 1-6, 2008 1 / 24 Finding Liveness Errors with ACO Francisco Chicano and Enrique Alba

Motivation Motivation Nowadays software is very complex An error in a software system can imply the loss of lot of money and even human lifes Techniques for proving the correctness of the software are required Model checking fully automatic Hong Kong, June 1-6, 2008 2 / 24

Hong Kong, June 1-6, 2008 3 / 24 Explicit State MC State Explosion Heuristic MC Objective: Prove that model M satisfies the property : HSF-SPIN: the property f is an LTL formula Explicit State Model Checking Safety & Liveness Properties Model M LTL formula f Intersection Büchi automaton s5 s4 s3!p q = p!q q s7 s6 s3 s4 s5 s8 s9

Hong Kong, June 1-6, 2008 4 / 24 Explicit State MC State Explosion Heuristic MC Objective: Prove that model M satisfies the property : HSF-SPIN: the property f is an LTL formula Explicit State Model Checking Safety & Liveness Properties Model M LTL formula f Intersection Büchi automaton s5 s4 s3!p q = p!q q s7 s6 s3 s4 s5 s8 s9

Hong Kong, June 1-6, 2008 5 / 24 Explicit State MC State Explosion Heuristic MC Objective: Prove that model M satisfies the property : HSF-SPIN: the property f is an LTL formula Explicit State Model Checking Safety & Liveness Properties Model M LTL formula f Intersection Büchi automaton s5 s4 s3!p q q p!q = s7 s6 s3 s4 s5 s8 s9 Using Nested-DFS

Hong Kong, June 1-6, 2008 6 / 24 State Explosion Problem Number of states very large even for small models Explicit State MC State Explosion Heuristic MC Safety & Liveness Properties s3 s5 Memory s7 s6 s4 s8 s9 Example: Dining philosophers with n philosophers 3 n states 20 philosophers 1039 GB for storing the states Solutions: collapse compression, minimized automaton representation, bitstate hashing, partial order reduction, symmetry reduction Large models cannot be verified but errors can be found

Hong Kong, June 1-6, 2008 7 / 24 Explicit State MC State Explosion Heuristic MC Safety & Liveness Properties Heuristic Model Checking The search for errors can be directed by using heuristic information 2 0 s7 3 4 s6 5 2 s3 s4 0 s5 1 Heuristic value 6 s8 s9 7 Different kinds of heuristic functions have been proposed in the past: Formula-based heuristics Deadlock-detection heuristics Structural heuristics State-dependent heuristics

Hong Kong, June 1-6, 2008 8 / 24 Explicit State MC State Explosion Heuristic MC Safety & Liveness Properties Safety and Liveness Properties Safety property s3 s5 Counterexample path to accepting state Graph exploration algorithms can be used: DFS and BFS s7 s8 s6 s9 s4 Liveness property s3 s5 Counterexample path to accepting cycle It is not possible to apply DFS or BFS s7 s8 s6 s9 s4

Hong Kong, June 1-6, 2008 9 / 24 Metaheuristics ACO ACOhg ACOhg-live Metaheuristic Algorithms Designed to solve optimization problems Maximize or minimize a given function: the fitness function They can find good solutions with a reasonable amount of resources Metaheuristic Algorithms Single solution Population

Hong Kong, June 1-6, 2008 10 / 24 Greedy Randomized Adaptive Search Procedure Metaheuristics ACO ACOhg ACOhg-live Single solution Iterated Local Search Metaheuristics Classification Variable Neighborhood Search Tabu Search Simulated Annealing Iterative Improvement Guided Local Search Population Estimation of Distribution Algorithms Evolutionary Computation Scatter Search Ant Colony Optimization Particle Swarm Optimization

Hong Kong, June 1-6, 2008 11 / 24 ACO: Metaheuristics ACO ACOhg ACOhg-live Ant Colony Optimization (ACO) metaheuristic is inspired by the foraging behaviour of real ants ACO Pseudo-code

Hong Kong, June 1-6, 2008 12 / 24 Metaheuristics ACO ACOhg ACOhg-live ACO: Construction Phase The ant selects its next node stochastically The probability of selecting one node depends on the pheromone trail and the heuristic value (optional) of the edge/node The ant stops when a complete solution is built Trail τ ij Heuristic η ij j k i m N i k l

Hong Kong, June 1-6, 2008 13 / 24 Pheromone update Metaheuristics ACO ACOhg ACOhg-live ACO: Pheromone Update During the construction phase with After the construction phase with Trail limits (particular of MMAS) Pheromones are kept in the interval [τ min, τ max ]

Metaheuristics ACO ACOhg ACOhg-live ACOhg: Huge Graphs Exploration The length of the ant paths is limited by λ ant What if? λ ant Objective node Initial node Starting nodes for path construction change After σ s steps Second stage Third stage Hong Kong, June 1-6, 2008 14 / 24

Hong Kong, June 1-6, 2008 15 / 24 ACOhg-live Metaheuristics ACO ACOhg ACOhg-live The search is an alternation of two phases First phase: search for accepting states Second phase: search for cycles from the accepting states ACOhg-live Pseudocode First phase

Hong Kong, June 1-6, 2008 16 / 24 ACOhg-live Metaheuristics ACO ACOhg ACOhg-live The search is an alternation of two phases First phase: search for accepting states Second phase: search for cycles from the accepting states ACOhg-live Pseudocode Second phase

Hong Kong, June 1-6, 2008 17 / 24 ACOhg-live Metaheuristics ACO ACOhg ACOhg-live The search is an alternation of two phases First phase: search for accepting states Second phase: search for cycles from the accepting states ACOhg-live Pseudocode

Hong Kong, June 1-6, 2008 18 / 24 Promela Models We selected 7 Promela models for the experiments Model LoC Scalable Processes LTL formula (liveness) alter 64 no 2 (p q) ^ (r s) giopij 740 yes i+3(j+1) (p q) phij 57 yes j+1 (p q) Parameters for ACOhg-live ACOhg-live implemented in HSF-SPIN 100 independent executions Models & parameters Results Discussion Parameter msteps colsize λ ant σ s ξ a ρ α β 1st phase 10 20 0.7 100 4 2nd phase 20 4 0.5 5 0.2 1.0 2.0

Hong Kong, June 1-6, 2008 19 / 24 Promela Models We selected 7 Promela models for the experiments Model LoC i=2,6,10 Scalable Processes LTL formula (liveness) alter 64 j=2 no 2 (p q) ^ (r s) giopij 740 yes i+3(j+1) (p q) phij 57 j=8,14,20yes j+1 (p q) Parameters for ACOhg-live ACOhg-live implemented in HSF-SPIN 100 independent executions Models & parameters Results Discussion Parameter msteps colsize λ ant σ s ξ a ρ α β 1st phase 10 20 0.7 100 4 2nd phase 20 4 0.5 5 0.2 1.0 2.0

Hong Kong, June 1-6, 2008 20 / 24 Models & parameters Results Discussion Results I: Comparison of Heuristic Information Comparison of H ham and H fsm

Hong Kong, June 1-6, 2008 21 / 24 Models & parameters Results Discussion Results II: Comparison of ACOhg-live and NDFS Comparison of ACOhg-live and NDFS

Hong Kong, June 1-6, 2008 22 / 24 Models & parameters Results Discussion How to use ACOhg-live ACOhg-live should be used in the first/middle stages of the software development, when software errors are expected ACOhg-live can also be used in other phases of the software development for testing concurrent software Large model or a short couterexample is needed ACOhg-live Model Small model and any counterexample is needed fast NDFS

Hong Kong, June 1-6, 2008 23 / 24 ACOhg-live is the first algorithm based on metaheuristics (to the best of our knowledge) applied to the search for liveness errors in concurrent models The heuristic function based on finite state machines is a better guide in the second phase of ACOhg-live ACOhg-live is able to outperform Nested-DFS in efficacy and efficiency in the search for liveness errors Future Work Use of Strongly Connected Components of the never claim graph for improving the search (in progress) Analysis of parameterization for reducing the parameters Include ACOhg-live into JavaPathFinder for finding liveness errors in Java programs

Hong Kong, June 1-6, 2008 24 / 24 Finding Liveness Errors with ACO Thanks for your attention!!!