Directed Model Checking (not only) for Timed Automata

Transcription

1 Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010

2 Model Checking Motivation Embedded Systems Omnipresent Safety relevant systems Pentium bug Ariane 5 Errors can be extremely harmful Correct functioning is absolutely mandatory

3 Model Checking Correct Systems Every system state satisfies invariant M, s 0 = ϕ Erroneous Systems Find error states fast Short error traces M, s 0 = ϕ full state space Directed Model Checking Combination of Artificial Intelligence and Model Checking Accelerate the search to error states with heuristic functions

4 Outline Introduction Timed Automata Directed Model Checking Coming up with Heuristics in a Principled Way Pattern Database Heuristics Pattern selection strategies Summary Empirical evaluation of several heuristics Literature

5 Timed Automata Syntax Definition (Timed Automaton) A timed automaton A is a tuple L, l 0, E, X, V, Σ, I, where L finite set of locations, l 0 L the initial location, X finite set of clocks, V finite set of integer variables, Σ synchronization symbols, E finite set of edges, and I assigns invariants to locations. x 1 c? s 0 x := 0 s 1 x 1 c? x < 1 x 1 s 2

6 Timed Automata Semantics Semantics States assign values to Automata, Integer variables, and Clocks Transitions Discrete Delay infinite transition system A possible Behavior x 1 c? x 1 c? s 0 x := 0 s 1 x < 1 x s 2 1 s 1 s 0 s 0 x 1 s time

7 The Zone Graph Symbolic State Space The Zone Graph Finite & exact abstraction of the timed automata semantics A symbolic state corresponds to a set of states that have the same discrete part and the clock values satisfy a conjunction of clock constraints, a so called zone x 1 c? x 1 c? s 0 x := 0 s 1 x < 1 x 1 s 2 s.. 0,... s 0,.. x 0 x < s 0,.. s 1, s.. 0,... x = 0 x = 0 x s 0, s.... 2,... x 1 x s 0, s.. 1,.. s 2,.. x = 1 x 1 x < 1

8 Model Checking Task Definition (Model Checking Task) A model checking task T is a tuple M, ϕ, where M = A 1... A n is a system of timed automata ϕ is an error formula

9 Directed Model Checking Objective in DMC Given: a model checking task T = M, ϕ with corresponding symbolic state space S(M) = S, s 0, T t... n sn 1 sn, t Find: a sequence π = s 1 t 0 2 s1 where s i S, s i t i si+1 T, and s n = ϕ Approach: informed search algorithm heuristic function

10 Directed Model Checking Model Checking + Heuristic Search Definition (heuristic function) Let T = M, ϕ be a model checking task and let S(M) = S, s 0, T be the state space of M. A heuristic function (or heuristic) is a function h : S N 0 { }. The heuristic estimate h(s) for a state s S is supposed to estimate the distance from s to the nearest error state.

11 Heuristic Search The General Idea distance estimate init distance estimate distance estimate distance estimate error

12 The Properties of Heuristics Definition (perfect heuristic) Let T = M, ϕ and let S(M) = S, s 0, T. The perfect heuristic of S(M) is the heuristic h which maps each state s S to the length of a shortest path from s to any error state. Note: h (s) = iff no error state is reachable from s. Heuristic h is called admissible if h(s) h (s) for all states s S safe if h (s) = for all s S with h(s) = goal-aware if h(s) = 0 for all error states s S consistent if h(s) h(s ) + 1 for all nodes s, s S s. t. s s T

13 A Generic Informed Search Algorithm 1 function dmc(m, ϕ, h): 2 open = empty priority queue 3 closed = 4 open.insert(s 0, priority(s 0, h)) 5 while open do: 6 s = open.getminimum() 7 if s = ϕ then: 8 return True 9 if s closed then: 10 closed = closed {s} 11 for each s succs(s) do: 12 open.insert(s, priority(s, h)) 13 return False

14 Heuristic Search Methods A Search priority(s, h) = depth(s) + h(s) If h is admissible shortest possible error traces Often high memory consumption Greedy Search priority(s, h) = h(s) Expands fewer states than A in practice No guarantee on error trace length

15 Dominance Definition (Dominance) Let h, h be two admissible heuristics. The heuristic h dominates h iff s S : h(s) > h (s) Theorem Let h, h be two admissible heuristics. If h dominates h, then every state explored by A with h is also explored by A with h.

16 Heuristics for Directed Model Checking Requirements for h 1. Accurate (with respect to h ) The closer the better It has to work well in practice 2. Efficiently computable for any state s Heuristic has to be computed for every encountered state Efficient = low-order polynomial in T 3. Derived automatically for a given model checking task Based on the declarative description of T No user interaction

17 A Simple Heuristic for Directed Model Checking Hamming Distance Heuristic The minimal number of variable values that have to be changed in order to turn s into an error state e. h(s) = min #different values(s, e) e S:e =ϕ Intuition The more similar to an error state the closer to an error state.

18 Criticism of the Hamming Distance Heuristic What is wrong with the Hamming distance heuristic? Quite uninformative: the range of heuristic values is small; typically, most successors have the same estimate Sensitive to reformulation: can easily transform any MC task into an equivalent one where h(s) = 1 for all non-error states (how?) Ignores almost all problem structure: heuristic values do not depend on the set of transitions! need a better, principled way of coming up with heuristics

19 Coming up with Heuristics in a Principled Way In this Lecture: Pattern Database Heuristics State-of-the-art heuristics Based on abstractions Fully automatically generated No user interaction Applicable to a wide range of transition systems

20 A Design Principle for Heuristics The General Idea Given A model checking task T = M, ϕ with Corresponding state space S(M) = S, s 0, T A Generic Approach for Obtaining Heuristics Select an overapproximation T α of T with T α = M α, ϕ α and S(M α ) = S α, s α 0, T α For every state s S encountered during the search Find a (shortest) error trace π in S α, s α, T α h(s) = π

21 A Design Principle for Heuristics The General Idea Original Transition System Overapproximation

22 A Design Principle for Heuristics The General Idea Original Transition System Overapproximation s s α h(s) = 2

23 Pattern Database (PDB) Heuristics Prior to Search Choose an abstraction α For every abstract state s α S(M α ) = S α, s α 0, T α Compute abstract error distance dist α (s α ) Store s α, dist α (s α ) in lookup table (the pattern database) During Search Map state s to corresponding abstract state s α Heuristic value: h(s) = d(s α )

24 How to Choose the Abstraction? The Original State Space

25 How to Choose the Abstraction? The Trivial Abstraction

26 How to Choose the Abstraction? The Identity Abstraction

27 How to Choose the Abstraction? The Perfect Abstraction

28 Conflicting Requirements Requirements for the Heuristic Informativeness (quality) Has to work well in practice Requirements for the Abstraction Efficient to compute Not too many abstract states Succinct representation (memory requirement) Question: where is the sweet-spot?

29 Two Different Abstraction Classes Predicate Abstraction Abstract state space defined by a set of selected predicates Use SAT or SMT to construct abstract state space Fine-grained Variable Abstraction Special case of predicate abstraction Ignores subset of the system s variables Abstract model in same formalism (can be constructed with the same tool, often more efficient than general purpose SAT solvers)

30 Pattern Selection What kind of pattern shall we use? Definition (Pattern) A pattern is a set of variables/predicates used to define a system. In this Lecture Cone-of-influence-based pattern selection Pattern selection using counterexamples Syntax-based pattern selection A local search approach

31 Pattern Selection for Variable Abstractions Pattern P Subset of the variables that are used to define the system e. g., clocks, automata, synchronization labels,... Abstraction of M with respect to P = {P, y, c, g} P M = P Q c! left g? x := 0 walk x > 2 right M α = P α c! P α g? x > 2 x := 0 left walk right y 2 y 2 Q red y 1 c? y := 0 yellow g! green red y 1 c? y := 0 yellow g! green

32 Patterns and Overapproximations But: P = {P, y, c, g} does not induce an overapproximation! Why... P c! g? x > 2 x := 0 left walk right P α c! g? x > 2 x := 0 left walk right y 2 y 2 Q red y 1 c? y := 0 yellow g! green Q α red y 1 c? y := 0 yellow g! green

33 Patterns and Overapproximations But: P = {P, y, c, g} does not induce an overapproximation! Why... P c! g? x > 2 x := 0 left walk right P α c! g? x > 2 x := 0 left walk right y 2 y 2 Q red y 1 c? y := 0 yellow g! green Q α red y 1 c? y := 0 yellow g! green... because P α = walk is not reachable (synchronization)

34 Closure of Patterns Definition (closed pattern) A pattern P is closed iff {b a P : a depends on b} P Consequences Closed patterns overapproximation Overapproximation: all error paths are preserved Overapproximation admissible heuristics Note: every abstraction set can be closed

35 Cone-of-influence-based Pattern Selection A COI-based Method Given: a model checking task T = M, ϕ and a bound b N 0. Return: Where: P = b i=0 P i P 0 = vars(ϕ) P i+1 = {v v P i : v can influence v }

36 Illustrating Example Cone of Influence Let T = M, P = right be a model checking task and let b = 1, M = P Q Cone of Influence P c! left g? x := 0 walk x > 2 right c P g x Q red y 2 y 1 c? y := 0 yellow g! green Q y

37 Illustrating Example Cone of Influence Let T = M, P = right be a model checking task and let b = 1, M = P Q Cone of Influence P c! left g? x := 0 walk x > 2 right P = c P g x Q red y 2 y 1 c? y := 0 yellow g! green Q y then P = {P, c, g, x}.

38 COI-based Pattern Selection Concluding Comments User interaction (bound b) Small values of b uninformed heuristic Larger values of b quickly converges towards original system Can be difficult to select good values for b

39 Counterexample-based Pattern Selection The Method Use the monotonicity abstraction Compute abstract error trace for the abstract MC problem Relevant variables: all variables that occur in the declarative description of the transitions that are involved in the abstract error trace Pattern P Contains all relevant variables No user interaction

40 The Monotonicity Abstraction Adaptation of Ignoring negative Effects Idea Abstract variables are set-valued A variable, once it obtained a value keeps that value forever Variables in the Abstraction v dom(v) v + dom(v) v := w v + := v + w + Clocks in the Abstraction Trivialize very fast ignored in the abstraction

41 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions P + = {l 1 }, v + = {0}, w + = {0}

42 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3}

43 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3} l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1, 2}, w + = {0, 3}

44 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions 2. Remove unnecessary transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3} l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1, 2}, w + = {0, 3}

45 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions 2. Remove unnecessary transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3} l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1, 2}, w + = {0, 3}

46 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions 2. Remove unnecessary transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3} l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1, 2}, w + = {0, 3}

47 The Monotonicity Abstraction Computing Abstract Error Traces P l 1 w := 3 v 0 v := v + 1 l 3 l 2 Initial state: P = l 1, v = 0, w = 0 Error formula: ϕ = (v 2) Computation of Abstract Error Traces 1. Simultanios execution of all enabled transitions 2. Remove unnecessary transitions P + = {l 1 }, v + = {0}, w + = {0} l 1 l 2 l 1 l 2 l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1}, w + = {0, 3} l 1 l 3 P + = {l 1, l 2, l 3 }, v + = {0, 1, 2}, w + = {0, 3} l 1 w:=3 l 3 does not occur in the abstract error trace w P

48 Concluding Comments Where does it work, where not Works well for modular systems with little interaction (many real-world applications) Problems with systems with tight interaction identity abstraction

49 Pattern Selection for Predicate Abstractions Abstract State Space P = {p 1,..., p n } set of predicates that talk about the variables of the system Abstract states b assign each p P a truth value (can be represented as bitstrings) An abstract state b corresponds to the set of concrete states [b] = {s s = b} There is an abstract transition t = b b iff s [b] and s [b ] such that s s is a concrete transition

50 Syntax-based Pattern Selection Pattern P Set of predicates containing: All constraints that appear in guards or location invariants For each location: a location predicate Example P Q c! left red g? x := 0 walk y 2 y 1 c? y := 0 yellow x > 2 g! right green P = {P = left, P = walk, P = right, Q = red, Q = yellow, Q = green, x > 2, y 1, y 2}

51 Mapping Concrete to Abstract States Predicate Abstraction Mapping Concrete to Abstract States Let P = {p 1,... p n } be a set of predicates. For every p P check if s = p abstract state s α Looking up abstract states is straight-forward

52 Concluding Comments Syntax-based Pattern Selection Can induce large pattern databases (many predicates) This can be overcome by splitting the system into several independent parts Construct PDB for each of these parts and Combine (maximize or add) heuristic values

53 A Local Search Approach to Pattern Selection Local search in the pattern space Given: the set of variables V used to define a system and a threshold for the maximum size of the PDB Start with pattern P = While P < threshold do Select v V \ P such that P = P {v} is better than P = P {w} for all w v P = P {v 1} {v i} {v n} {v i, v 1} {v i, v j} {v i, v n} Question: how can we measure the quality of a pattern?

54 Evaluating Patterns Estimating a PDB heuristic s quality A possible quality measurement Average heuristic value h of the PDB heuristic h induced by the pattern Intuition: if h dominates h, then h > h Problems What if there are dead ends that h can detect? (how to cope with?) For the evaluation the PDB has to be constructed (can be expensive)

55 Mapping Concrete to Abstract States Variable Abstraction Symbolic state space S Discrete part d Zone Z 1. S α in hash table s α = d α, Z α Bucket: states with equal discrete part d A, Z1 s = d, Z 2. Find Abstract States s = d α, Z with Z Z α d A, Z2 d A, Z3 3. Heuristic Value h(s) = min s S α{distα (s ) s s α } Z2 Z3 Z A Z1

56 The Big Question So far, we have seen Different abstractions Different approaches for pattern selection

57 The Big Question So far, we have seen Different abstractions Different approaches for pattern selection But... Which approach works best?

58 Empirical Evaluation Experimental Setup 2.66 GHz Intel Xeon, memout at 4 GB Implemented either in Mcta or Uppaal/DMC Single-tracked Line Segment (flawed version) ES2 LS2 CS2 ES1 CS1 LS PLC 1 PLC 2

59 Empirical Results A Search explored states C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C 9 runtime in s Edelkamp et al. Based on plain graph distance Kupferschmid et al. Monotonicity abstraction Dräger et al. Iteratively merges two automata by abstracting their cross product Hoffmann et al. Qian et al. PDB heuristic: syntax-based pattern selection PDB heuristic: COI-based pattern selection, user interaction Kupferschmid et al. PDB heuristic: CE-based pattern selection C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C 9

60 Empirical Results Greedy Search 10 8 explored states 10 7 error trace length C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C 9 C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C runtime in s C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C 9 Edelkamp et al. Kupferschmid et al. (monotonicity abstraction) Dräger et al. Hoffmann et al. Qian et al. Kupferschmid et al. (CE-based pattern selection)

61 Literature About this List This list is meant to be focused, not comprehensive. Hence, it is a somewhat subjective mix of papers we consider important and relevant to the lecture s topic. If a paper is not listed, there are many possible reasons: We do not know it. We forgot it. We do not think it is (sufficiently) important. It overlaps considerably with another paper listed here. Its topic is not close enough to the focus of this lesson (e. g., papers on domain-dependent search).

62 References: Directed Model Checking C. Han Yang and David L. Dill. Validation with guided search of the state space. In Proc. Conference on Design Automation, pp , First paper about MC + heuristic search Stefan Edelkamp, Alberto Lluch-Lafuente, and Stefan Leue. Directed explicit model checking with HSF-SPIN. In Proc. SPIN 2001, pp , Coined the term directed model checking Judea Pearl. Heuristics: Intelligent Search Strategies for Computer Problem Solving. Addison-Wesley, Discusses the foundations of heuristic search

63 References: Pattern Database Heuristics Joseph C. Culberson and Jonathan Schaeffer. Pattern databases. Computational Intelligence, 14(3): , First paper on pattern database heuristics Stefan Edelkamp. Symbolic pattern databases in heuristic search planning. In Proc. AIPS 2002, pp , Uses BDDs to store pattern databases more compactly. Kairong Qian and Albert Nymeyer. Guided invariant model checking based on abstraction and symbolic pattern databases. In Proc. TACAS 2004, pp , COI-based pattern selection

64 References: Pattern Database Heuristics (ctd.) Stefan Edelkamp. Automated creation of pattern database search heuristics. In Proc. MOCHART 2006, pp , First search-based pattern selection method. Jörg Hoffmann, Jan-Georg Smaus, Andrey Rybalchenko, Sebastian Kupferschmid, and Andreas Podelski. Using predicate abstraction to generate heuristic functions in Uppaal. In Proc. MOCHART 2006, pp , Uses predicate abstraction to generate PDB heuristics Sebastian Kupferschmid, Jörg Hoffmann, and Kim G. Larsen. Fast directed model checking via russian doll abstraction. In Proc. TACAS 2008, pp , Introduces CE-based pattern selection

65 References: Other Heuristics Sebastian Kupferschmid, Jörg Hoffmann, Henning Dierks, and Gerd Behrmann. Adapting an AI planning heuristic for directed model checking. In Proc. SPIN 2006, pp , Introduces the monotonicity abstraction (for model checking) Klaus Dräger, Bernd Finkbeiner, and Andreas Podelski. Directed model checking with distance-preserving abstractions. International Journal on Software Tools for Technology Transfer, 11(1):27 37, Introduces distance-preserving abstractions

66 References: Other Heuristics (ctd.) Martin Wehrle and Malte Helmert. The causal graph revisited for directed model checking. In Proc. SAS 2009, pp , Adapts the causal graph heuristic from AI planning Martin Wehrle, Sebastian Kupferschmid, and Andreas Podelski. Transition-based directed model checking. In Proc. TACAS 2009, pp , General framework to accelerate heuristic search

67 References: DMC Tools for Timed Automata Sebastian Kupferschmid, Klaus Dräger, Jörg Hoffmann, Bernd Finkbeiner, Henning Dierks, Andreas Podelski, and Gerd Behrmann. Uppaal/DMC abstraction-based heuristics for directed model checking. In Proc. TACAS 2007, pp , DMC extension of Uppaal Sebastian Kupferschmid, Martin Wehrle, Bernhard Nebel, and Andreas Podelski. Faster than Uppaal? In Proc. CAV 2008, pp , Open source directed model checker for timed automata