FASTer acceleration of counter automata in practice

Transcription

1 FASTer acceleration of counter automata in practice Sébastien Bardin Joint work with Jérôme Leroux and Alain Finkel LSV - CNRS & ENS de Cachan

2 Outline 1. Counter system model-checking (a) Presburger sets and automata (b) Acceleration (c) Heuristic 2. The tool FAST (a) Overview (b) Related tools (c) In practice 3. Verication of the TTP protocol with FAST (a) Presentation of the protocol (b) Verication for 1 fault and N stations (c) Polyhedral acceleration (d) Verication for 2 faults and N stations 4. Conclusion and future work

3 Counter systems model checking - 1 We focus on counter systems, which are automata extended with integer variables. Counter systems allow to model a large range of complex systems: Abstract multi-threaded java programs, Embedded systems (TTP/C), All Broadcast Protocols,...

4 Counter systems model checking - 1 We focus on counter systems, which are automata extended with integer variables. Counter systems allow to model a large range of complex systems: Abstract multi-threaded java programs, Embedded systems (TTP/C), All Broadcast Protocols,... But checking safety properties is undecidable for counter systems!!

5 Counter systems model checking - 2 To overcome this problem, we have chosen: A symbolic representation of integer vectors by automata. An acceleration technique to help convergence:

6 Notion of Acceleration acceleration to compute in one operation the iteration of a transition.

7 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then

8 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then With the classical algorithm

9 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then If then With the classical algorithm.

10 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then If then With the classical algorithm.

11 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then If then With the classical algorithm.

12 ! Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then If then With the classical algorithm and so on!!

13 Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then With Acceleration

14 " Notion of Acceleration acceleration to compute in one operation the iteration of a transition. If then If With Acceleration then.

15 Related work FAST: Bardin, Finkel, Leroux, Petrucci [FSTTCS02], [CAV03], LASH: Boigelot, Rassart, Wolper [CAV94], [SAS95], [CAV98], [TACAS00], [CAV03], TREX: Asarin, Bouajjani, Collomb-Annichini, Lakhnech, Sighireanu, [SPIN00], [SAS01], [CAV01].

16 , dened & % $ " # Presburger sets and automata Presburger arithmetics is the rst order additive theory by 0 ) (/. ' )-' ', )' )+* ( % ( ' ( ) ( (. ) (54 )32 )1 (

17 " # )' )-' ', )' ( ) ( ( Presburger sets and automata Presburger arithmetics is the rst order additive theory by & % $, dened (/. 0 )+* ( % ( ' ) (54 )32 )1 (. This theory is decidable, and Presburger sets can be represented symbolically by automata: DFA [Boudet, Comon CAAP96], NDD [Wolper, Boigelot TACAS00], UBA [Leroux, INFINITY03].

18 " # )' )-' ', )' ( ) ( ( Presburger sets and automata Presburger arithmetics is the rst order additive theory by & % $, dened (/. 0 )+* ( % ( ' ) (54 )32 )1 (. This theory is decidable, and Presburger sets can be represented symbolically by automata: DFA [Boudet, Comon CAAP96], NDD [Wolper, Boigelot TACAS00], UBA [Leroux, INFINITY03]. This representation is closed under and : 9 are decidable. Moreover the image of a Presburger set by an afne function is still a Presburger set.

19 " # )' )-' ', )' ( ) ( ( Presburger sets and automata Presburger arithmetics is the rst order additive theory by & % $, dened (/. 0 )+* ( % ( ' ) (54 )32 )1 (. This theory is decidable, and Presburger sets can be represented symbolically by automata: DFA [Boudet, Comon CAAP96], NDD [Wolper, Boigelot TACAS00], UBA [Leroux, INFINITY03]. This representation is closed under and : 9 are decidable. Moreover the image of a Presburger set by an afne function is still a Presburger set. The automata representation provides an efcient framework to check safety properties on counter systems!!

20 @? ;? = ;? ;? = = = = Automata representation in practice - 1 in basis An automaton to < ;< = eq < ;<>= ;<>= ;< = bad

21 ;? ;? = = = = = = = = = < ;? = = < < < = = = = = = = = = = = = = = B? < B? < B? < = = = Automata representation in practice - 2 in basis An automaton to < < = ;< = ;< < < = < = <>= ;< = < <>= ;<>= < = <>= ;<>= < = ;< = C C D CED bad

22 K J F $ " : I Counter systems A Presburger-linear function is dened by where the guard is a Presburger set. I H G H G F I

23 K J F $ " : I L L L K Counter systems A Presburger-linear function is dened by where the guard is a Presburger set. I H G H G F I A counter system L is a tuple L where is a nite alphabet of actions and is a set of Presburger-linear functions. F5M P FON F5M

24 K J F $ " : I L L L K Q L K Counter systems A Presburger-linear function is dened by where the guard is a Presburger set. I H G H G F I A counter system L is a tuple L where is a nite alphabet of actions and is a set of Presburger-linear functions. F5M P FON F5M L is the multiplicative monoid generated by the set of square matrices of a counter system L. P G N

25 K J F $ " : I L L L K Q L K Counter systems A Presburger-linear function is dened by where the guard is a Presburger set. I H G H G F I A counter system L is a tuple L where is a nite alphabet of actions and is a set of Presburger-linear functions. F5M P FON F5M L is the multiplicative monoid generated by the set of square matrices of a counter system L. P G N Counter systems with a nite monoid have nice acceleration properties and appear to be well-spread in practice (transfer/reset/inhibitors Petri Nets, Broadcast protocols,... )

26 F F F R F Acceleration for counter systems Let be a function, and. TS a set, we dene the acceleration of by.

27 F F F R F F Acceleration for counter systems Let be a function, and. TS a set, we dene the acceleration of by is the relation associated with VU.

28 F F F R F F F K Acceleration for counter systems Let be a function, and. TS a set, we dene the acceleration of by is the relation associated with VU. Theorem [Finkel Leroux, FSTTCS02] For a Presburger-linear function with a nite monoid, can be computed as a Presburger formula, of the form I H G U I K Y! # [% J[ X Z Y W! - IX W ) U

29 F G Y Y Idea of the construction nite. & G # with I H G H $ \ K J $ \ ] $ \

30 F H G Y Y " NG a` NG Idea of the construction nite. & G # with I H G $ \ K J $ \ ] $ \ such that "/_ K ^ is nite, so there exists & G #

31 F H G Y Y " N N Y Y Idea of the construction nite. & G # with I H G $ \ K J $ \ ] $ \ NG a` NG such that "/_ K ^ is nite, so there exists & G # a N G b Y a èdgf $ \ K J " K Jcb Notice that

32 F H G Y Y " N N Y Y kj Y W h i m n ` N W o p W o - n b Idea of the construction nite. & G # with I H G $ \ K J $ \ ] $ \ NG a` NG such that "/_ K ^ is nite, so there exists & G # a N G b Y a èdgf $ \ K J " K Jcb Notice that $ $ _ i "/_ K W [ m a l Nl p ^ [ X [ X b. a n Y ` NG b Y. Y n n

33 F H G Y Y " N N Y Y kj Y W h i m n ` N W o p n W o - b kj F W WW - [#!! J o K Idea of the construction nite. & G # with I H G $ \ K J $ \ ] $ \ NG a` NG such that "/_ K ^ is nite, so there exists & G # a N G b Y a èdgf $ \ K J " K Jcb Notice that $ $ _ i "/_ K W [ m a l Nl p ^ [ X a n Y ` NG [ X b. b Y. Y n n [ - W U Finally we have p h WW! I K % hx K W [ [ - W is a Presburger set!! qu

34 v u u u u? v u z? v u u < x v u u? r < x? v u u u u? v u r < x u How to nd out the accelerations? < v r Wr s <>= v z Wz s w x z~ < v r Wr s w x r~ < v W us < x v r{ < v W us w x r{ u} Wz s <>= v r Wr s wyx rts Initial configuration: state=time time brake W s < = W s rts r s z s z us W us < x v < v r W s Wz s < = r s u} rts Property to check : < v r Wr s wyx z s < v W us wyx rts u}? r always holds. stop late Wz s < = W us < x v r{ < v r W s r~ u}

35 ƒ pƒ o o! ] Reduction result Theorem [reduction, Finkel Leroux FSTTCS02] Any acceleration of functions in a nite set of Presburger-linear functions can be reduced to the acceleration of functions in a reduced set, such that the cardinal of is polynomial in. p ƒ Z I 6 I m H G F m 4 I H G F I m H G F m

36 Heuristic Extension of the classic algorithm, adding cycles (meta-transitions). 2 problems: nd good cycles avoid automata explosion

37 ] Heuristic Extension of the classic algorithm, adding cycles (meta-transitions). 2 problems: nd good cycles avoid automata explosion incremental computation and reduction

38 ] ] Heuristic Extension of the classic algorithm, adding cycles (meta-transitions). 2 problems: nd good cycles avoid automata explosion incremental computation and reduction minimization step

39 ] ] 1!! % 6 1!! Š Heuristic 1. Extension of the classic algorithm, adding cycles (meta-transitions). 2 problems: nd good cycles avoid automata explosion 2. Compute ƒ Z incremental computation and reduction minimization step, the reduced set of cycles of length 3. Use the search algorithm with ˆ and 4. if a xpoint is found then return else (the stop criterion is met) do ƒ Z Œ

40 F F F Heuristic -2 The search algorithm: 2 nested greedy algorithms while there exists such that reaches new states do end while return

41 F F F # F Heuristic -2 The search algorithm: 2 nested greedy algorithms while there exists such that reaches new states do while there exists f such that ) F ) ) ) do end while end while return

42 Fast We implement our results in the tool FAST. FAST is a tool: with a powerful model, that automatically computes the reachability set in most practical cases, easy to use thanks to the GUI interface.

43 v Ž v v s s Ÿ s? Ÿ Tools with acceleration and counters acceleration auto. cycle search guards actions variable type yes yes W s Presburger FAST yes no W s convex sets LASH no W s convex sets v ž yes yes v šœš š ž TREX ž yes yes šœš šœÿ s

44 Fast architecture Machine M1 InterFAST guided edition of models and strategies control and feedback during the analysis network Machine M2 ServerFAST FAST Heuristic Acceleration Automata library

45 ( W Fast Inputs Input Model : A counter system such that each transition is: ] H 4 ] 4G ] W 4 P ] 4 ' ( P

46 ( W Fast Inputs Input Model : A counter system such that each transition is: ] H 4 ] 4G ] W 4 P ] 4 ' ( P Input Strategy : A high level query language with Automatic computation of reachability sets, Presburger solver, Modular analyzer.

47 Case Studies 80% of 40 counter systems (mainly taken from ALV, BABYLON, TREX) have been automatically analysed. In particular: Abstract multi-threaded java programs, Embedded systems (TTP/C), All Broadcast Protocols, Complex toy examples (Swimming Pool),

48 The TTP protocol - overview From car industry. Communications between embedded microprocessors (stations). Clique avoidance mechanism to prevent the partitioning of valid stations after a failure.

49 The TTP protocol - overview From car industry. Communications between embedded microprocessors (stations). Clique avoidance mechanism to prevent the partitioning of valid stations after a failure. N stations communicating through a shared bus messages are broadcast, static time slots to send and receive messages

50 The TTP protocol - overview From car industry. Communications between embedded microprocessors (stations). Clique avoidance mechanism to prevent the partitioning of valid stations after a failure. N stations communicating through a shared bus messages are broadcast, static time slots to send and receive messages Idea: a station which considers itself as faulty becomes inactive. a station which receives more invalid messages than valid ones must be faulty.

51 G [ [ The TTP protocol ƒ N a boolean matrix of size (ack) and station station ƒ U _ (fail) integer vectors of size receiving message sending from station

52 G [ o p o[ G [ The TTP protocol ƒ N a boolean matrix of size (ack) and station if else station ƒ U _ (fail) integer vectors of size receiving message correctly received then p o[ ƒ U sending p from station p o[ ƒ N

53 G [ o p o[ G [ G G The TTP protocol ƒ N a boolean matrix of size (ack) and station if else station if else ƒ U _ (fail) integer vectors of size receiving message correctly received then p o[ ƒ U sending p o[ ƒ U & p o[ ƒ N then p po[ o[ p p o[ ƒ N from station, becomes inactive, p o[ ƒ N,! p o[ ƒ U p o[

54 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

55 ª m m ª The TTP protocol - In practice ack fail inactive stations ƒ U ƒ N A failure occurs while is sending.

56 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

57 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

58 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

59 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

60 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

61 ª m m ª ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive # p o ª ƒ N p o ª ƒ U then becomes inactive.

62 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

63 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

64 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

65 ª m m ª m The TTP protocol - In practice ack fail inactive stations ƒ U ƒ N # p o m ƒ N p o m ƒ U then becomes inactive.

66 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive

67 ª m m ª The TTP protocol - In practice stations ƒ U ƒ N ack fail inactive Valid stations belongs to the same clique!!

68 Validation of the TTP protocol A protocol difcult to validate. Merceron and Bouajjani (FTRTFT'02):

69 Validation of the TTP protocol A protocol difcult to validate. Merceron and Bouajjani (FTRTFT'02): Manual proof of correctness (N stations, k faults). Provide a family of abstractions depending on the number of faults. Semi-automatic verication with tools LASH and ALV (N stations, 1 fault).

70 Validation of the TTP protocol A protocol difcult to validate. Merceron and Bouajjani (FTRTFT'02): Manual proof of correctness (N stations, k faults). Provide a family of abstractions depending on the number of faults. Semi-automatic verication with tools LASH and ALV (N stations, 1 fault). large parametric counter automaton (16 transitions) complex guards

71 Validation of the TTP protocol A protocol difcult to validate. Merceron and Bouajjani (FTRTFT'02): Manual proof of correctness (N stations, k faults). Provide a family of abstractions depending on the number of faults. Semi-automatic verication with tools LASH and ALV (N stations, 1 fault). large parametric counter automaton (16 transitions) complex guards Few tools are adapted.

72 Validation of the TTP protocol A protocol difcult to validate. Merceron and Bouajjani (FTRTFT'02): Manual proof of correctness (N stations, k faults). Provide a family of abstractions depending on the number of faults. Semi-automatic verication with tools LASH and ALV (N stations, 1 fault). large parametric counter automaton (16 transitions) complex guards Few tools are adapted. Interesting to test FAST on the TTP.

73 Model for the TTP, 1 fault N stations init / CF=0,CW=N,Cp=0 d=0,df=0 df<cf / df++,cp++ d<cw / d++,cp++ normal Cp=N / Cp=0,d=0,dF=0 df<cf / df++, Cp++ / C1>=0, C0>=0, C1+C0=CW, d1=1,d0=0, df=0,cp=1 d1<c1 & C1+C0 2d0>0 / d1++, Cp++ round1 d1<c1 & C1+C0 2d0<=0/ C1,dF++,CF++,Cp++ d0<c0 & C1+C0 2d1>0 / d0++, Cp++ d0<c0 & C1+C0 2d1<=0 / C0,dF++,CF++,Cp++ Cp=N / CW=C1+C0,Cp=0, d=0,df=0 df<cf / df++,cp++ Cp=N / d1=0,d0=0,df=0,cp=0 Cp=N &!(C1=0) &!(C0=0) / d1=0,d0=0,df=0,cp=0 later d1<c1 & C1>C0 / d1++,cp++ d1<c1 & C1<=C0 / C1,CF++,dF++,Cp++ d0<c0 & C0<=C1 / C0, CF++, df++,cp++ d0<c0 & C0>C1 / d0++,cp++

74 Model for the TTP, 1 fault N stations d<cw / d++,cp++ Cp=N / Cp=0,d=0,dF=0 df<cf / df++, Cp++ d1<c1 & C1+C0 2d0>0 / d1++, Cp++ d1<c1 & C1+C0 2d0<=0/ C1,dF++,CF++,Cp++ init / C1>=0, C0>=0, C1+C0=CW, d1=1,d0=0, df=0,cp=1 CF=0,CW=N,Cp=0 d=0,df=0 normal df<cf / df++,cp++ round1 d0<c0 & C1+C0 2d1>0 / d0++, Cp++ d0<c0 & C1+C0 2d1<=0 / C0,dF++,CF++,Cp++ df<cf / df++,cp++ Cp=N / d1=0,d0=0,df=0,cp=0 Cp=N &!(C1=0) &!(C0=0) / d1=0,d0=0,df=0,cp=0 later d1<c1 & C1>C0 / d1++,cp++ d1<c1 & C1<=C0 / C1,CF++,dF++,Cp++ d0<c0 & C0<=C1 / C0, CF++, df++,cp++ d0<c0 & C0>C1 / d0++,cp++

75 Verication with Fast, 1 fault A large model: 16 transitions, 9 variables easy to describe in FAST input model, full automatic verication (no intermediate property) the exact reachability set is computed the property is veried cycles of length 1, the reachability set has 27,932 nodes on a pentium 4 (2.4 GHz) with 1 Gbyte RAM, computation takes 940 sec. and 73 Mbytes.

76 Model for the TTP, 2 faults N stations t4 t6 t7 d00=0 & d11=0 & d10=0 & da00=0 & da11=0 & da10=0 & df00=0 & df11=0 & df10=0 & df=0 & Cp2=1 & Cp1=d0+d1+1 & N>=0 & CW=N & C11>=1 & C00>=1 & C10>=1 & d1<=c10 & d0<=c00 & C11+C00+C10=CW t2 t3 t25 round1 t8 t19 t18 t2 : Cp1<N & d11<c11 & CW 2d0 2d00 2d10>0/ d11++,cp1++,cp2++ t3: Cp1<N & d10<c10 d1 & CW 2d0 2d00 2d11>0/ d10++,cp1++,cp2++ t4 : Cp1<N & d00<c00 d0 & CW 2d1 2d10 2d11>0/ d00++,cp1++,cp2++ t6 : Cp1<N & d11<c11 d1 & CW 2d0 2d00 2d10<=0/ df++,cp1++,cp2++,c11 t7 : Cp1<N & d10<c10 & CW 2d0 2d00 2d11<=0/ df++,cp1++,cp2++,c10 t8 : Cp1<N &d00<c00 d0 & CW 2d1 2d10 2d11<=0/ df++,cp1++,cp2++,c00 t18 : Cp1>=N & Cp2<N & Pred1/ d11++,cp1++,cp2++,da11++ t19 : Cp1>=N & Cp2<N & Pred2/ d10++,cp1++,cp2++,da10++ t21 : Cp1>=N & Cp2<N & Pred3/d00++,Cp1++,Cp2++,dA00++ t22 : Cp1>=N & Cp2<N &!Pred1/ df++,df11++,cp1++,cp2++,c11 t23 : Cp1>=N & Cp2<N &!Pred2/ df++,df10++,cp1++,cp2++,c10 t25 : Cp1>=N & Cp2<N &!Pred3/ df++, df00++,cp1++,cp2++,c00 t33 t34 t23 later t26 t22 t27 t28 t21 t26 : Cp2=N / df=0,d11=0,d10=0,d00=0,cp2=0 t27 : Cp2<N & d11<c11 & C11 C10 C00>0 / d11++,cp2++ t28 : Cp2<N & d10<c10 & C10 C11 C00>0 / d10++,cp2++ t30 : Cp2<N & d00<c00 & C00 C10 C11>0 / d00++, Cp2++ t31 : Cp2<N & d11<c11 & C11 C10 C00<=0 / C11,Cp2++,dF++,CF++ t32 : Cp2<N & d10<c10 & C10 C11 C00<=0 / C10,Cp2++,CF++,dF++ t33 : Cp2<N & d00<c00 & C00 C10 C11<=0 / C00,Cp2++,CF++,dF++ t34 : Cp2<N & df<cf / Cp2++,dF++ t32 t30 t31 Pred1 : d1+d11 da11 df11 da10 df10 d0 d10 d00+da00+df00>0 Pred2 : d1+d10 da10 df10 da11 df11 d0 d11 d00+da00+df00>0 Pred3 : d0+d00 da00 df00 d1 d11 d10+da11+da10+df11+df10>0

77 Verication with Fast, 2 faults A very large model: 20 transitions, 18 variables Guards are very complex.

78 Verication with Fast, 2 faults A very large model: 20 transitions, 18 variables Guards are very complex. When computing the acceleration relation of transition representation exceeds its limits and FAST stops. ( «, the internal

79 Verication with Fast, 2 faults A very large model: 20 transitions, 18 variables Guards are very complex. When computing the acceleration relation of transition representation exceeds its limits and FAST stops. Intermediate automata have more than states!! ( «, the internal

80 Verication with Fast, 2 faults A very large model: 20 transitions, 18 variables Guards are very complex. When computing the acceleration relation of transition representation exceeds its limits and FAST stops. Intermediate automata have more than states!! ( «, the internal Our acceleration formula is too expensive in this case!!

81 Faster acceleration Almost all the transitions are translations over convex polyhedra

82 Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard.

83 Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard. We can use a simpler acceleration formula:

84 K Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard. We can use a simpler acceleration formula: W ) U X Z Y W! - IX 1 I K Y! # [% J[

85 K Y W K! W Y Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard. We can use a simpler acceleration formula: 1 I! # [% J[ X Z Y! - IX K W ) U I m Z l k & X Z Y! - IX K W ) U

86 K Y W K! W Y " µ ² H H Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard. We can use a simpler acceleration formula: 1 I! # [% J[ X Z Y! - IX K W ) U I m Z l k & X Z Y! - IX K W ) U Œ ² µ ³c µ ±c² c 3 K W 4 P _ K W U

87 K Y W K! W Y " µ ² H H Faster acceleration Almost all the transitions are translations over convex polyhedra Don't need to test if all the predecessors are in the guard. We can use a simpler acceleration formula: 1 I! # [% J[ X Z Y! - IX K W ) U I m Z l k & X Z Y! - IX K W ) U Œ ² µ ³c µ ±c² c 3 K W 4 P _ K W U The polyhedral acceleration is quadratic in the size of the function while the generic formula (1) is at most elementary in the size of the function.

88 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults.

89 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed.

90 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!)

91 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!) For a small xed number of stations (about 10), the reachability set is computed.

92 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!) For a small xed number of stations (about 10), the reachability set is computed. For an arbitrary value of, the intermediate automata exceed the limit.

93 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!) For a small xed number of stations (about 10), the reachability set is computed. For an arbitrary value of We have to use an overapproximation for, the intermediate automata exceed the limit..

94 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!) For a small xed number of stations (about 10), the reachability set is computed. For an arbitrary value of We have to use an overapproximation for simplify some guards, remove some variables, modular analysis., the intermediate automata exceed the limit..

95 Polyhedral acceleration in practice We use the polyhedral acceleration on the TTP with 2 faults. Acceleration relations are computed. For ( «it takes 18 sec, 460 Mbytes (413,447 states!!) For a small xed number of stations (about 10), the reachability set is computed. For an arbitrary value of We have to use an overapproximation for simplify some guards, remove some variables, modular analysis., the intermediate automata exceed the limit. The protocol is veried with FAST for 2 fauts and N stations..

96 Abstraction for the TTP with 2 faults t3 t19: Cp2<N & d10<c10 / d10++,cp2++ t2 t18 : Cp2<N & d11<c11 / d11++,cp2++ t4 t21 : Cp2<N & d00<c00 / d00++,cp2++ d00=0 & d11=0 & d10=0 & Cp2=1 & N>=0 & C11>=1 & C00>=1 & C10>=1 & C00+C11+C10=N t8 t25 : Cp2<N &d00<c00 / Cp2++,C00 round1 t7 t23 : Cp2<N & d10<c10 / Cp2++,C10 t6 t22 : Cp2<N & d11<c11 / Cp2++,C11 Compute reachable states R1 t34 : Cp2<N & df<cf / Cp2++,dF++ t27 : Cp2<N & d11<c11 & C11 C10 C00>0 / d11++,cp2++ t33 : Cp2<N & d00<c00 & C00 C10 C11<=0 / C00,Cp2++,CF++,dF++ reachable states R1 later t28 : Cp2<N & d10<c10 & C10 C11 C00>0 / d10++,cp2++ t32 : Cp2<N & d10<c10 & C10 C11 C00<=0 / C10,Cp2++,dF++,CF++ t31 : Cp2<N & d11<c11 & C11 C10 C00<=0 / C11,Cp2++,dF++,CF++ t30 : Cp2<N & d00<c00 & C00 C10 C11>0 / d00++, Cp2++ Check Property P2 : Cp2=N => C11=0&C10=0&C00>0 C11=0&C10>0&C00=0 C11>0&C10=0&C00=0

97 ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ ¹ Results Presburger acceleration polyhedral acceleration time1 memory1 time2 memory2 number of seconds Mbytes seconds Mbytes states 1 fault, N stations ,932 2 faults, 5 stations 2 faults, 10 stations 2 faults, 15 stations 2 faults, N stations ,684 12, ,427 2 faults, N stations ,036 (abstraction)

98 Conclusion and Future Works Conclusion: Polyhedral acceleration appears to be interesting in practice, But for complex systems like the TTP, we are never far from the limits of the tool. Future Works: Other specic acceleration formula, More efcient Presburger library to scale up to wider systems.