3Murphi Home/Documentation

Intro

3Murphi (pronounced "Triple Murphy") is a modified version of the Murphi verifier with advances in the efficiency, configurability, and usability of probabilistic explicit-state verification. I will try to match up releases of 3Murphi with versions of its cousin, 3SPIN, with which it shares much code and many features. The most notable features 3Murphi offers to users of Murphi are Bloom filters, an improved hash compaction implementation, and more useful feedback from verification runs.

The Papers

Although these papers use Spin for experimental validation, the ideas are relevant to the design and use of 3Murphi, which incorporates virutally all of the techniques discussed therein:

Fast and Accurate Bitstate Verification for SPIN,
by Peter C. Dillinger and Panagiotis Manolios,
In Proc. of 11th Int'l SPIN Workshop,
Volume 2989 of Springer LNCS

Bloom Filters in Probabilistic Verification,
by Peter C. Dillinger and Panagiotis Manolios,
In Proc. of FMCAD 2004, Formal Methods in Computer-Aided Design, 2004,
Volume 3312 of Springer LNCS

Using 3Murphi v3.2

The process of generating a C++ verifier with 3Murphi is exactly as with generating a hash compaction based verifier with Murphi, mu -c mymodel.m. Using -b with 3Murphi presents a similar trade-off as it does with a hash compaction based Murphi verifier.

Users should refer to Murphi documentation for details on the process of building a model and generating a verifier.

Compile time

After adding 3Murphi capabilities to a Murphi 3.1 installation, the user won't notice any difference (aside from some bug fixes and compiler warning fixes) unless the C++ verifier (mymodel.C) is compiled with -DTRIPLE_MURPHI. Specifying -DTRIPLE_MURPHI means the compiled verifier includes 3Murphi's implementations of both bitstate hashing (Bloom filter) and hash compaction. Total (non-probabilistic) verification is only available as usual, without -DTRIPLE_MURPHI, but when given the amount of memory required for total verification, probabilistic approaches will typically be a less likely source of error than the verification software or hardware itself.

-DTRIPLE_MURPHI may or may not be compatible with other various preprocessing flags used in compiling the verifier, but none should be required. However, we recommend compiling with optimizations (e.g. -O3) because we have seen greater than two-fold speed-ups from enabling optimization in Murphi and 3Murphi.

Run time

3Murphi is highly-configurable from the verifier command line. These options are either exclusive to 3Murphi or behave differently in 3Murphi:

`-c`	Use hash compaction instead of the default of using a Bloom filter. Note that this is a change of default behavior from regular Murphi, but it works well with the probabilistic verification methodology described in our research papers.
`-b`xx	In Bloom filter mode (no `-c`): Set xx bits per state instead of the default of 3 (inherited from Spin and "supertrace"). Must be at least 1 and values larger than 40 will be truncated to 40. In Hash Compaction mode (with `-c`): Store xx bits per state instead of the 3Murphi default of 32. Values outside the valid range of 4 to 64 will be truncated to the nearest valid value.
`-j`	Use the Jenkins LOOKUP2 hash function instead of Murphi's default. This hash function can be faster but might not be quite as accurate.
`-m`xxx	Use xxx megabytes for the Bloom filter or compacted hash table. No subtractions are made for stack/queue space. (see below)
`-k`xxx	Use xxx kilobytes for the Bloom filter or compacted hash table. No subtractions are made for stack/queue space. (see below)

Memory usage

Regardless of the verification mode and regardless of what the output seems to indicate, Murphi stores states on the "todo" list (stack for DFS or queue for BFS) explicitly, and only a small portion of this space is included in the memory amount specified with -m or -k. 3Murphi also stores todo states explicitly, but does not take any of this space from that specified by -m or -k. This is related to another feature of 3Murphi: the number of states in the todo list is only limited by the vitrtual memory of the machine.

The storage of todo states presents some interesting trade-offs. Using bit-compaction (-b to mu) means these states will be much smaller, but Murphi is much slower at processing bit-compacted states. This is the first trade-off.

The second trade-off deals with how much memory to dedicate to the visited list. Dedicating nearly all of main memory to the visited list (e.g. -m480 on a 512MB machine) maximizes accuracy without killing the execution time by having the visited list spill into swap space. However, in our experience, the todo list gets much bigger than an appropriately-sized visited list, meaning the bulk of the todo list will be swapped out if the visited list is taking up 90+% of main memory. This will slow down the verification process, but not intractably. The todo list is accessed linearly, whereas the visited list is accessed randomly. But the entire process is fastest if both lists fit in main memory.

A good strategy would be to dedicate about 20% of main memory to the visited list when first verifying a model. Using the default setting of a 3-bit Bloom filter will almost certainly find errors if there are any, and the todo list is likely to fit in the rest of main memory. In following up to double-check error-freedom, one could dedicate more memory to the visited list, enabling more accuracy at a possible speed cost. Notice that the recommendations output by 3Murphi are based on -e, which does not need to change if you increase the memory dedicated to the visited list. Drastically reducing the visited list memory could, however, hurt coverage enough to make the visitable size estimate too large.

Supported platforms

3Murphi is optimized for 32-bit machines and may or may not work on machines with different word sizes. 3Murphi is also optimized for Intel x86 architectures such as the Pentium 4. We developed 3SPIN with various versions of GNU/Linux, but should work for other 32-bit platforms supported by Murphi.

Taking advantage of 64-bit architectures would require significant changes/updates to 3Murphi and might happen in the future.

Getting 3Murphi v3.2

Downloads

3Murphi version 3.2 is a patch against Murphi 3.1, available here, according to this license. You should install and be familiar with Murphi 3.1 before using 3Murphi.

Download 3Murphi 3.2 here

Install Instructions

To install 3Murphi, save the patch file into the Murphi 3.1 directory, along side of include, ex, etc., and apply the patch:

patch -p0 < 3murphi-3_2.patch

This patches files in include, so no rebuilding is necessary other than compiling verifiers with -DTRIPLE_MURPHI (see instructions above).

The Author(s)

Peter C. Dillinger, advised by Panagiotis (Pete) Manolios