Symbolic Real Time Model Checking. Kim G Larsen

Size: px

Start display at page:

Download "Symbolic Real Time Model Checking. Kim G Larsen"

Winifred Melton
5 years ago
Views:

1 Smbolic Real Time Model Checking Kim G Larsen

2 Overview Timed Automata Decidabilit Results The UPPAAL Verification Engine Datastructures for zones Liveness Checking Algorithm Abstraction and Compositionalit Further Optimizations

3 Timed Automata lllllllllll Decidabilit Results

4 Decidabilit? a c b OBSTACLE: Uncountabl infinite state space Reachable?

8 Stable Quotient Partitioning a c b Reachable?

9 Stable Quotient Partitioning a c b Reachable?

10 Stable Quotient Partitioning a c b Reachable?

11 Stable Quotient Partitioning a c b Reachable?

12 Stable Quotient Partitioning a c Reachable? b Ever TA TA has has a finite TAB TAB quotient (region-constr.)

13 Regions Finite Partitioning of State Space An equivalence class (i.e. a region) in fact there is onl a finite number of regions!!

14 Fundamental Results PSPACE-c Reachabilit Alur, Dill Trace-inclusion Alur, Dill Timed ; Untimed Bisimulation Timed Cerans ; Untimed Model-checking TCTL, T mu, L nu,... PSPACE-c / EXPTIME-c

15 Updatable Timed Automata W Diagonals Patricia Bouer, Catherine Dufourd, Emmanuel Fleur, Antoine Petit W Diagonals

16 The UPPAAL Verification Engine

17 Overview Zones and DBMs Minimal Constraint Form Clock Difference Diagrams Distributed UPPAAL [CAV2000, STTT2004] Unification & Sharing [FTRTFT2002, SPIN2003] Acceleration [FORMATS2002] Static Guard Analsis [TACAS2003,TACAS2004] Storage-Strategies [CAV2003]

18 Zones From infinite to finite State (n, =3.2, =2.5 ) Smbolic state (set) (n, 1 4, 1 3) Zone: conjunction of -<=n, <=>n

19 Smbolic Transitions >3 a :=0 n m 1<=<=4 1<=<=3 delas to conjuncts to projects to 1<=, 1<= -2<=-<=3 3<, 1<= -2<=-<=3 3<, =0 Thus Thus (n,1<=<=4,1<=<=3) =a =a => => (m,3<, =0) =0)

20 Zones = Conjuctive Constraints A zone Z is a conjunctive formula: g 1 & g 2 &... & g n where g i is a clock constraint i ~ b i or i - j ~b ij Use a zero-clock 0 (constant 0) A zone can be re-written as a set: { i - j ~b ij ~ is < or, i,j n} This can be represented as a matri, DBM (Difference Bound Matrices)

21 Operations on Zones Future dela Z : Past dela Z : [Z ] = {u+d d R, u [Z]} [Z ] = {u u+d [Z] for some d R} Reset: {}Z or Z(:=0) Conjunction [{}Z] = {u[0/] u [Z]} [Z&g]= [Z] [g]

22 THEOREM The set of zones is closed under all constraint operations. That is, the result of the operations on a zone is a zone. That is, there will be a zone (a finite object i.e a zone/constraints) to represent the sets: [Z ], [Z ], [{}Z], [Z&g].

23 Smbolic Eploration Reachable?

24 Smbolic Eploration Reachable? Dela

25 Smbolic Eploration Reachable? Left

26 Smbolic Eploration Reachable? Left

27 Smbolic Eploration Reachable? Dela

28 Smbolic Eploration Reachable? Left

29 Smbolic Eploration Reachable? Left

30 Smbolic Eploration Reachable? Dela

31 Smbolic Eploration Reachable? Down

32 Forward Rechabilit Init -> Final? Init Waiting Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else (eplore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

33 Forward Rechabilit Init -> Final? Waiting n,z Init n,z Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else(eplore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

34 Forward Rechabilit Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/eplore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

35 Forward Rechabilit Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/eplore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

36 Canonical Datastructures for Zones Difference Bounded Matrices Bellman 1958, Dill 1989 Inclusion D1 D2 <=1 <=1 -<=2 z-<=2 z-<=2 z<=9 z<=9 <=2 <=2 -<=3 <=3 <=3 z-<=3 z-<=3 z<=7 z<=7 Graph Graph z ?? z 3

37 Canonical Datastructures for Zones Difference Bounded Matrices Inclusion D1 D2 <=1 <=1 -<=2 z-<=2 z-<=2 z<=9 z<=9 <=2 <=2 -<=3 <=3 <=3 z-<=3 z-<=3 z<=7 z<=7 Graph Graph z ?? z 3 Shortest Path Closure Shortest Path Closure z z 3

38 Canonical Datastructures for Zones Difference Bounded Matrices Emptiness Compact D <=1 <=1 >=5 >=5 -<=3 Graph Negative Ccle iff empt solution set

39 Canonical Datastructures for Zones Difference Bounded Matrices Future D 1<= 1<= <=4 <=4 1<= 1<= <=3 <= Shortest Path Closure Remove upper bounds on clocks Future D 1<=, 1<=, 1<= 1<= -2<=-<=

40 Canonical Datastructures for Zones Difference Bounded Matrices Reset D 0-1 1<=, 1<=, 1<= 1<= -2<=-<= {}D Remove all bounds involving and set to =0, =0, 1<= 1<= -1 0

41 Canonical Datastructures for Zones Difference Bounded Matrices 1-2<=4 1-2<=4 2-1<=10 2-1<=10 3-1<=2 3-1<=2 2-3<=2 2-3<=2 0-1<=3 0-1<=3 3-0<=5 3-0<= Shortest Path Closure O(n^3)

42 Canonical Datastructures for Zones Minimal Constraint Form RTSS <=4 1-2<=4 2-1<=10 2-1<=10 3-1<=2 3-1<=2 2-3<=2 2-3<=2 0-1<=3 0-1<=3 3-0<=5 3-0<= Shortest Path Reduction O(n^3) Shortest Path Closure O(n^3) Space worst O(n^2) practice O(n) 0 3

43 1 0,9 0,8 0,7 0,6 0,5 0,4 0,3 0,2 0,1 0 Percent SPACE PERFORMANCE Minimal Constraint Global Reduction Combination M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing Bo Sorter B&O Audio Audio w Col

44 2,5 2 1,5 1 0,5 0 Percent TIME PERFORMANCE Minimal Constraint Global Reduction Combination M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing B&O Bo Sorter Audio Audio w Col

45 Shortest Path Reduction 1st attempt Idea Problem w w v <=w An An edge is is REDUNDANT if if there eists an an alternative path path of of no no greater weight THUS Remove all all redundant edges! v and and w are are both both redundant Removal of of one one depends on on presence of of other. Observation: If If no no zero- or or negative ccles then then SAFE to to remove all all redundancies.

46 Shortest Path Reduction Solution G: weighted graph

47 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-ccles.

48 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-ccles. 2. Graph based on representatives. Safe to remove redundant edges

49 Shortest Path Reduction Solution G: weighted graph Canonical given order of clocks 1. Equivalence classes based on 0-ccles. 2. Graph based on representatives. Safe to remove redundant edges 3. Shortest Path Reduction = One ccle pr. class + Removal of redundant edges between classes

50 Earlier Termination Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/eplore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

51 Earlier Termination Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z' Z Z Z (n,z ) in Passed then STOP -else/eplore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

52 Earlier Termination Init -> Final? Waiting n,z 1 n,z 2 n,z k Init n,z m,u Final U i Z Passed i INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z' Z (n,z ) in Passed then STOP -else/eplore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Z UNTIL Waiting = Ø or Final is in Waiting

53 Clock Difference Diagrams = Binar Decision Diagrams + Difference Bounded Matrices CAV99 CDD-representations Nodes labeled with differences Maimal sharing of substructures (also across different CDDs) Maimal intervals Linear-time algorithms for set-theoretic operations. NDD s Maler et. al DDD s Møller, Lichtenberg

54 4,5 4 3,5 3 2,5 2 1,5 1 0,5 0 SPACE PERFORMANCE CDD Reduced CDD CDD+BDD Fischer5 PowerDown1 PowerDown2 Dacapo GearBo Fischer4 BRP B&O Percent Philips Philps col

55 TIME PERFORMANCE CDD Reduced CDD CDD+BDD BRP PowerDown1 PowerDown2 Dacapo GearBo Fischer4 Fischer5 B&O Percent Philips Philps col

56 UPPAAL Dec 96 Sep 98 Ever 9 month 10 times better performance! 3.

57 in UPPAAL Liveness Properties F ::= E P A P P Q Bouajjani, Tripakis, Yovine 97 On-the-fl smbolic model checking of TCTL Possibl alwas P Eventuall P is equivalent to ( E P) P leads to Q is equivalent to A ( P A Q)

58 in UPPAAL Liveness E[]φ (A φ)

59 in UPPAAL Passed (A φ) Liveness E[]φ (A φ) ST WS Uneplored

60 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Uneplored

61 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Uneplored

62 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Uneplored

63 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Uneplored?

64 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Uneplored???

65 Liveness E φ (A φ) in UPPAAL Passed (A φ) ST WS Uneplored [FORMATS05] Etensions allowing for automatic snthesis of smallest bound t such that A t φ holds

66 Compositionalit & Abstraction

67 The State Eplosion Problem Ss a b c a b c a a a b c b c b c a a a b c b c b c sat ϕ Model-checking is is either EXPTIME-complete or or PSPACE-complete (for TA s this is is true even for for a single TA)

68 Abstraction ϕ ϕ Ss sat Abs Ss sat Abs a c b a c b a c b a c b a c b a c b a c b a c b ϕ sat Ss ϕ sat Abs REDUCE TO Preserving safet properties

69 Compositionalit Ss b b a a a a c b c b c b c a a a a c b c b c b c Ss 1 Ss 2 Abs 1 Abs Ss 1 Ss 1 Ss2 Ss Ss 1 Ss 2 2 Abs Abs Abs Abs1 Abs2 Abs Ss Abs 1 Abs2 Abs Abs 2

70 Abstraction Eample a1 a2 a3 a4 a5 a b

71 Eample Continued abstracted b

72 Proving abstractions using reachabilit Applied to IEEE 1394a Root contention protocol (Simons, Stoelinga) B&O Power Down Protocol (Ejersbo, Larsen, Skou, FTRTFT2k) A[] not TestAbstPoP1.BAD Recognizes all the BAD computations of PoP1 Henrik Ejersbo Jensen PhD Thesis 1999

73 Further Optimizations

Difference Diagrams [CAV99] 1 2 4 3 3-2 -2 2

74 Datastructures for Zones DBM package -4 Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] Elegant RUBY 1bindings for 5 eas implementations

75 Zone Abstractions [TACAS03,TACAS04] Abstraction taking maimum constant into account necessar for termination Utilization of distinction between lower and upper bounds Utilization of location-dependenc

76 LU Abstraction [TACAS04] THEOREM For an state in the LU- abstraction there is a state in the original set simulating it LU abstraction is eact wrt reachabilit

77 Zone abstractions Classical Loc. dep. Ma Loc. dep. LU Conve Hull

78 Smmetr Reduction Eploitation of full smmetr ma give factorial reduction Man timed sstems are inherentl smmetric Computation of canonical state representative using swaps. [Formats 2003]

inherentl smmetric Computation of canonical state

79 Smmetr Reduction Eploitation of full smmetr ma give factorial reduction Man timed sstems are inherentl smmetric Computation of canonical state representative using swaps. [Formats 2003] SWAP: 1 2 ; 3 4

80 Smmetr Reduction [Formats 2003]

81 Smmetr Reduction UPPAAL 3.6 [Formats 2003] Iterators for (i: int[0,4]) { } Quantifiers Selection forall (i: int[0,4]) a[i]==0 select i: int[0,4]; guard... Template sets process P[4](...) { } Scalar set based smmetr reduction Compact state-space representations Priorities Martijn Henriks, Nijmegen U

D-UPPAAL Gerd Behrman Distributed implementation of UPPAAL on

Applications Snthesis of Dnamic Voltage Scaling strategies

Ad-hoc mobile real-time protocol (Leslie Lamport) - 25GB in 3

82 D-UPPAAL Gerd Behrman Distributed implementation of UPPAAL on PC-cluster [CAV'00, PDMC'02, STTT'03]. Applications Snthesis of Dnamic Voltage Scaling strategies (CISS). Ad-hoc mobile real-time protocol (Leslie Lamport) - 25GB in 3 min! Running on NorduGrid. Local cluster: 50 CPUs and 50GB of RAM To be used as inspiration for verification GRID platform within ARTIST2 NoE.

Timed Automata lllllllllll Decidability Results

Timed Automata lllllllllll Decidability Results Decidability? a c b OBSTACLE: Uncountably infinite state space Reachable? Stable Quotient Partitioning a c b y y x Reachable? x Stable Quotient Partitioning