Bit-State Space Exploration
• It’s a variation on reachability analysis
• The reachability analysis:
– Keeps track of the already explored states
– Performs full state space search
– Most implementations use Hashing to quickly
access an element on the table of already
explored states
Bit-State Space Exploration
• Hashing function
– Given a hash space table of H slots
– and a Hashing function h(s) for A states
h(s)
– h(s) points a slot in the hash table without the
need to search for the states in the whole table
Bit-State Space Exploration
• In case of collision
– the use of a linked list is a common option
h(s)
S1
S2
S3
• To minimize collision, two hashing
functions are used.
Bit-State Space Exploration
• Say we have two states s1 and s2.
– With only one hash function, these are the
possibilities:
h(s1) = x and h(s2) = x
or
h(s1) = x and h(s2) = y
Bit-State Space Exploration
• Say now we use two hashing functions h1
and h2.
• The four possibilities are:
h1(s1)=x , h1(s2)=x , h2(s1)=v , h2(s2)=w
h1(s1)=x , h1(s2)=x , h2(s1)=v , h2(s2)=v
h1(s1)=x , h1(s2)=y , h2(s1)=v , h2(s2)=w
h1(s1)=x , h1(s2)=y , h2(s1)=v , h2(s2)=v
• Only the green shaded row causes collision.
We have thus reduced collision risk.
Bit-State Space Exploration
• Memory space analysis
–
–
–
–
–
Hash table size (H)
Pointer size (B)
Hash table will occupy HxB bytes
State data will use (S+B)xA bytes
Total memory: HxB + (S+B)xA
next pointer
state data size
• Example
– H = 1,000,000, B=4  Table size = 4Mb
– S and A depend on the specification under test
Bit-State Space Exploration
• Workaround: Bit-state space exploration
– By using a depth search algorithm, there is no
need any more for storing the visited states, so:
– M = HxB + (S+B)xA M = H, or H/8,
– where M is the total amount of memory used
Because one state now can
for the hash table.
be represented by only one
– Constraints
bit: reached (1), or not (0)
• Collision avoidance is a matter of probability of
occurrence
• has to use depth search algorithm
• only goes until maximum depth is reached
Bit-State Space Exploration
• Example 2: (Even better than previous)
– if M = 1,000,000, H=8,000,000
– previous example: 4Mb = 106 states only for
the hashing table
– this example: 4Mb = 32x 106 states, and no
need for extra storage for the states data
Bit-state Space exploration
• How it works
– Storing the state data in a stack as it goes…
G.S.1
Depth-first
G.S.1.1
G.S.1.1.1
G.S.1.2
G.S.1.1.2
G.S.1.3
G.S.1.1.3
– Go until any of the following conditions...
G.S. = Global State
Bit-state Space exploration
a)
b)
G.S.i
No new state or possible action
Simply backtrack in the stack
G.S.i
G.S.j
(already
visited)
G.S.k
No new state or possible action
backtrack and go the next on the right
Bit-state Space exploration
c)
G.S.i
Maximum depth
Simply backtrack
d) Problem encountered:
– e.g. Unspecified reception, or deadlock
– reads the whole stack, creates an MSC
– adds a report to the list of reports with the MSC
– backtrack and go again.
Rem: For each new visited state (hash table bit = 0),
sets the hash table to 1.
Bit-state Space exploration
• In the TAU Validator Bit-State space
exploration tool, the results are like:
–
–
–
–
–
–
–
–
–
–
–
No of reports: No of reports generated
Generated states: No of global states generated
Truncated paths: No of states cut by the maximum depth constraint
Unique system states: No of unique global states from the generated ones
Size of hash table: The size of the hash table (H)
No of bits set in hash table: No of bits in the hash table set to 1 (visited)
Collision risk: the risk of having two states colliding in the same slot
Max Depth: the maximum depth set for this bit-state exploration
Current depth: the depth after the execution (should be -1 if went ok)
Min state size and Max state size: (limit sizes of states, used by h(s))
Symbol coverage: The percentage of the SDL symbols covered