We’re sorry, something doesn't seem to be working properly.

Please try refreshing the page. If that doesn't work, please contact support so we can address the problem.

Skip to main content
SpringerLink
Log in

FDR3: a parallel refinement checker for CSP

  • TACAS 2014
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

Failures divergence refinement 3 (FDR3) is a complete rewrite of the CSP refinement checker FDR2 that incorporates a significant number of enhancements. In this paper, we describe the operation of FDR3 at a high level and give a detailed description of several of the more important innovations. FDR3 has a new parallel refinement-checking algorithm that is able to achieve a near linear speedup as the number of cores increases. This algorithm scales linearly not only on shared-memory systems, but also on distributed systems (i.e. clusters). In particular, this paper presents experimental results that show FDR3 can achieve a speedup factor in excess of 1000 versus the sequential case on a cluster of 64, 16-core machines (i.e. 1024 cores): we obtain similar performance improvements on a supercomputer and, more interestingly, on a commodity cloud computing provider. We also present experimental results that compare FDR3 to related tools, and indicate that (as far as we know) FDR3 is unique in being able to scale beyond the bounds of main memory. This paper also describes the new algorithm that FDR3 uses to construct its internal representation of CSP processes, one of the key problems to solve in order to efficiently model-check process algebras.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

We’re sorry, something doesn't seem to be working properly.

Please try refreshing the page. If that doesn't work, please contact support so we can address the problem.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. See http://aws.amazon.com/ec2/.

  2. The fact that performance improves with lower communication suggests that looking for locality in hashing remains a good idea.

  3. By using a single thread to perform all MPI related operations, we are able to use the single-threaded MPI implementation. We did experiment with an alternative and simpler design that required a multi-threaded MPI implementation, where workers sent blocks directly to remote nodes, rather than via the controller, and the processors directly received blocks from remote nodes. However, the performance was relatively poor on large machines with more than 16 cores. In particular, a large amount of time was spent inside internal MPI locks, dramatically reducing the speed-ups observed. This was particularly noticeable when using Amazon’s EC2 platform.

  4. This is also a new feature in FDR3 that is enabled by the tight coupling of the compiler with the CSP operational semantics. Encoding such checks in FDR2 would have been extremely difficult.

References

  1. Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, Inc., Upper Saddle River (1985)

    MATH  Google Scholar 

  2. Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice Hall, New Jersey (1997)

    Google Scholar 

  3. Roscoe, A.W.: Understanding Concurrent Systems. Springer, New York (2010)

    Book  MATH  Google Scholar 

  4. Formal Systems (Europe) Ltd.: Failures-Divergence Refinement–FDR 2 User Manual, (2011)

  5. Goldsmith, M.: Operational Semantics for Fun and Profit. In: Communicating Sequential Processes. The First 25 Years, vol. 3525 of LNCS (2005)

  6. Lawrence, J.: Practical Application of CSP and FDR to Software Design. In: Communicating Sequential Processes. The First 25 Years, vol. 3525 of LNCS (2005)

  7. Mota, A.: Model-checking CSP-Z: strategy, tool support and industrial application. Sci. Comput. Program. 40(1), 59–96 (2001)

    Article  MATH  Google Scholar 

  8. Fischer, C., Wehrheim, H.: Model-checking CSP-OZ specifications with FDR. In: IFM’99. Springer, New York (1999)

  9. Lowe, G.: Casper: a compiler for the analysis of security protocols. J. Comput. Secur. 6(1—-2), 53–84 (1998)

    Google Scholar 

  10. Roscoe, A.W., Hopkins, D.: SVA, a tool for analysing shared-variable programs. In: Proceedings of AVoCS 2007 (2007)

  11. Holzmann, G.: Spin Model Checker: The Primer and Reference Manual. Addison-Wesley Professional, Boston (2003)

    Google Scholar 

  12. Barnat, J., Brim, L., Havel, V., Havlíček, J., Kriho, J., Lenčo, M., Ročkai, P., Štill, V., Weiser, J.: DiVinE 3.0: an explicit-state model checker for multithreaded C & C++ Programs. In: CAV, vol. 8044 of LNCS (2013)

  13. Laarman, A., Pol, J.V.D., Weber, M.: Multi-core LTSmin: marrying modularity and scalability. In: NASA Formal Methods, vol. 6617 of LNCS (2011)

  14. Boulgakov, A., Gibson-Robinson, T., Roscoe, A.W.: Computing maximal bisimulations. In: Formal Methods and Software Engineering, vol. 8829 of LNCS (2014)

  15. Gibson-Robinson, T., Roscoe, A.W., Hansen, H., Wang, X.: Practical partial order reduction for CSP. In: NASA Formal Methods (2015)

  16. Gibson-Robinson, T., Armstrong, P., Boulgakov, A., Roscoe, A.W.: FDR3: a modern model checker for CSP. In: TACAS, vol. 8413 of LNCS (2014)

  17. Gibson-Robinson, T., Roscoe, A.W.: FDR into the cloud. In: Communicating Process Architectures (2014)

  18. University of Oxford, libcspm. https://github.com/tomgr/libcspm (2013)

  19. Reed, G.M., Roscoe, A.W.: A timed model for communicating sequential processes. Theor. Comput. Sci. 58, 249–261 (1988)

    Article  MathSciNet  MATH  Google Scholar 

  20. Armstrong, P., Lowe, G., Ouaknine, J., Roscoe, A.W.: Model checking timed CSP. In: Proceedings of HOWARD (Festschrift for Howard Barringer) (2012)

  21. Ouaknine, J.: Discrete analysis of continuous behaviour in real-time concurrent systems. DPhil Thesis (2001)

  22. Barringer, H., Kuiper, R., Pnueli, A.: A really abstract concurrent model and its temporal logic. In: Proceedings of the 13th ACM SIGACT-SIGPLAN symposium on Principles of programming languages. ACM, New York (1986)

  23. Roscoe, A.W., Hopcroft, P.J.: Slow abstraction via priority. In: Theories of Programming and Formal Methods, vol. 8051 of LNCS (2013)

  24. Roscoe, A.W.: Model-checking CSP. A Classical Mind: Essays in Honour of CAR Hoare (1994)

  25. Goldsmith, M., Martin, J.: The parallelisation of FDR. In: Proceedings of the Workshop on Parallel and Distributed Model Checking (2002)

  26. Leiserson, C.E., Schardl, T.B.: A work-efficient parallel breadth-first search algorithm (or how to cope with the nondeterminism of reducers). In: Proc. 22nd ACM Symposium on Parallelism in Algorithms and Architectures (2010)

  27. Korf, R.E., Schultze, P.: Large-scale parallel breadth-first search. In: Proc. 20th National Conference on Artificial Intelligence, vol. 3, AAAI (2005)

  28. Holzmann, G.J.: Parallelizing the spin model checker. In: Model Checking Software, vol. 7385 of LNCS (2012)

  29. Laarman, A., van de Pol, J., Weber, M.: Boosting multi-core reachability performance with shared hash tables. In: Formal Methods in Computer-Aided Design (2010)

  30. Barnat, J., Brim, L., Simecek, P.: Cluster-based I/O-efficient LTL model checking. In: ASE, pp. 635–639. IEEE (2009)

  31. Verstoep, K., Bal, H.E., Barnat, J., Brim, L.: Efficient large-scale model checking. In: IPDPS, pp. 1–12. IEEE (2009)

  32. Hughes, J.: Graph reduction with super-combinators. Tech. Rep. PRG28, OUCL (1982)

  33. Leuschel, M., Butler, M.: ProB: An automated analysis toolset for the B method. Softw. Tools Technol. Transf. (STTT) 10(2), 185–203 (2008)

    Article  Google Scholar 

  34. Sun, J., Liu, Y., Dong, J.S., Pang, J.: Pat: Towards flexible verification under fairness, vol. 5643 of Lecture Notes in Computer Science, pp. 709–714. Springer, New York (2009)

  35. Lowe, G.: Concurrent depth-first search algorithms. In: TACAS, pp. 202–216 (2014)

Download references

Acknowledgments

This work has benefitted from many useful conversations with Michael Goldsmith, Colin O’Halloran, Gavin Lowe, and Nick Moffat. Development of FDR3 has, of course, been profoundly influenced by the implementors of FDR2, notably Michael Goldsmith, David Jackson, Paul Gardiner, and Bryan Scattergood. We would also like to thank the anonymous reviewers for their useful comments. The authors would like to acknowledge the use of the Advanced Research Computing (ARC) in carrying out this work. Research into FDR3 has been partially sponsored by DARPA under agreement number FA8750-12-2-0247.

Author information

Authors and Affiliations

  1. Department of Computer Science, University of Oxford Wolfson Building, Parks Road, Oxford, OX1 3QD, UK

    Thomas Gibson-Robinson, Philip Armstrong, Alexandre Boulgakov & A. W. Roscoe

Authors
  1. Thomas Gibson-Robinson
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Philip Armstrong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alexandre Boulgakov
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. A. W. Roscoe
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thomas Gibson-Robinson.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Gibson-Robinson, T., Armstrong, P., Boulgakov, A. et al. FDR3: a parallel refinement checker for CSP. Int J Softw Tools Technol Transfer 18, 149–167 (2016). https://doi.org/10.1007/s10009-015-0377-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-015-0377-y

Keywords

Search

Navigation