1 / 29

Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods. Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University. Timed Automata. Alur, Courcoubetis, & Dill, ‘90. A modeling formalism for timed systems

alec
Download Presentation

Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University

  2. Timed Automata Alur, Courcoubetis, & Dill, ‘90 • A modeling formalism for timed systems • e.g., Real-time systems, Timed asynchronous circuits • Generalization of finite automaton with: • Non-negative real-valued clock variables • Can only be reset to 0 or another clock • Constraints on clocks as guards on states and transitions x1¸ 3 /x1 := 0 s=false x1· 10 x2· 8 s=true x1· 5 x1¸ 4 Æ x2¸ 6 /x2 := 0

  3. Model Checking the Timed m Calculus System Properties expressed in the Timed m calculus [Henzinger et al. ’94] • Can express Timed CTL • Dense time version of CTL • Two kinds of TCTL formulas: • Reachability properties: Safety and bounded liveness • E.g. AG (file requested  AF· 5 (file received)) • Non-reachability properties: Unbounded liveness • E.g. AG . z:= 0 . EF (z = 1) [non-zenoness]

  4. FULLY SYMBOLIC SYMBOLIC Separate representation for real and Boolean components Combined representation for real and Boolean components Example: Two symbolic states (b, x ¸ 3), (: b, x ¸ 3) Example: Combined state set x ¸ 3 Model Checkers: RED, DDD (Difference Decision Diagram), Our approach Model Checkers: Uppaal, Kronos Symbolic vs. Fully Symbolic Unbounded Model Checking • State space has Boolean and real-valued components

  5. Unbounded, Fully Symbolic Model Checking [Henzinger, Nicollin, Sifakis, Yovine ’94] • Set of states represented as a formula f in separation logic (SL) • Boolean Combinations (Æ, Ç, :) of • Boolean variables: ei • Separation Predicates: xi¸ xj + c, xi > xj + c • Also called “difference-bound” constraints • 0 represented as special variable x0 • Adding quantifiers over clock and Boolean variables gives quantified separation logic (QSL) • Fundamental model checking operations • Image computation: Quantifier elimination for QSL • Termination check: Validity checking for SL

  6. Our Approach • Use Boolean encoding of separation predicates • Quantifier Elimination in QSL: • Eliminating quantifiers over real variables in QSL  Eliminating quantifiers over Boolean variables in quantified Boolean formulas (QBF) • Validity checking of SL: • By translation to SAT [Strichman, Seshia, Bryant, CAV’02]

  7. Talk Outline • Pre-image Computation via QSL Quantifier Elimination • QSL Quantifier Elimination  QBF Quantifier Elimination • Exploiting Special QSL Formula Structure • Optimizations • Preliminary Experimental Results • Conclusions & Future work

  8. Discrete Pre, pred x2 x2 x2 x1 := 0 b := true x1 x1 x1 b = true b = true b = false Timed Pre, pret x2 x2 time elapse x1 x1 b = true b = true Pre Operator 2

  9. Pre Operator pre(f) , pred(f) Ç pret(f) • pred(f) does not require quantifier elimination • pret(f) is expressed in Quantified Separation Logic (QSL)

  10. Timed Pre Operator in QSL pret(f) ,9d . d· x0Æf [d / x0] f

  11. Timed Pre Operator in QSL pret(f) ,9d . d· x0Æf [d / x0] Æ8e ( d·e· x0) finv[e / x0] ) • finv is the conjunction of all state guards f finv

  12. Quantifier Elimination Problem • Start with QSL formula w, where w,9 xa . f • To handle 8 xa . f, start with 9 xa . :f, and negate the result • Need to find SL formula f’ such that w,f’ • Previous approaches: • Enumerate DNF terms in f • Perform Fourier-Motzkin elimination on each • Differ in data structure used to represent f • Problem: Can be exponentially many DNF terms • E.g., Difference Decision Diagrams (DDDs) [Møller et al. ’99], RED [Wang ’03]

  13. x1¸ x2 x1¸ x3 x0¸ x2 - 5 x3¸ x1 + 2 x0¸ x2 - 5 x3¸ x2 x0¸ x1 - 3 x0¸ x3 - 5 x1¸ x3 x3¸ x2 x1¸ x2 0 1 0 1 (x1¸ x2Æ x0¸ x2-5) Ç (x0¸ x1-3 Æ x0¸ x2-5) Example: Difference Decision Diagrams (DDDs) [Møller et al. ’99] 9 x3 . (x1¸ x3Ç x3¸ x1+2) Æ x0¸ x3-5 Æ x3¸ x2

  14. QSL Quantifier Elimination via QBF Quantifier Elimination • Start with w,9 xa . f • Quantifier elimination done in 3 steps: • Translate w to another QSL formula w’ where: • w’ has quantifiers only over Boolean variables • w is equivalent to w’ • Encode w’ as a QBF • Eliminate Boolean quantifiers and translate the result back to a SL formula f’

  15. e1 x1¸ x3 (e1Ç e2) Æ e3 Æ e4 e2 e3 e4 x3¸ x1 + 2 x0¸ x3 - 5 x3¸ x2 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) (x1¸ x2) • Æ (e2Æ e3) ) (x0¸ x1 - 3) • Æ (e3Æ e4) ) (x0¸ x2 - 5) Transitivity Constraints Step 1: Real to Boolean Quantification 9 x3 . (x1¸ x3Ç x3¸ x1+2) Æ x0¸ x3-5 Æ x3¸ x2

  16. e1 x1¸ x3 e2 e3 e4 x3¸ x2 x3¸ x1 + 2 x0¸ x3 - 5 e5 e6 e7 e5 e6 e7 x0¸ x2 - 5 x0¸ x1 - 3 x1¸ x2 Step 2: Encode Remaining Separation Predicates (e1Ç e2) Æ e3 Æ e4 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) (x1¸ x2) • Æ (e2Æ e3) ) (x0¸ x1 - 3) • Æ (e3Æ e4) ) (x0¸ x2 - 5) Transitivity Constraints

  17. e1 x1¸ x3 e2 e3 e4 x3¸ x1 + 2 x0¸ x3 - 5 x3¸ x2 (e5Æ e7) Ç (e6Æ e7) e6 e5 e7 x0¸ x2 - 5 x0¸ x1 - 3 x1¸ x2 (x1¸ x2Æ x0¸ x2-5) Ç (x0¸ x1-3 Æ x0¸ x2-5) Step 3: Eliminate Quantifiers and Map back to SL (e1Ç e2) Æ e3 Æ e4 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) e5 • Æ (e2Æ e3) ) e6 • Æ (e3Æ e4) ) e7

  18. Evaluating Our Approach • Our approach avoids enumerating DNF terms of f • Can use either BDD or SAT methods for quantifier elimination (or a combination) • BDD-based method: Can exploit quantifier scheduling heuristics • SAT-based method: Rely on SAT solver to enumerate DNF terms in f’ • Number of transitivity constraints is at most O(m2) where m is number of separation predicates in f

  19. Exploiting Structure of pret • Consider QSL formulas of the form: 9e . e· x0Æf [e / x0] • Recall that x0 stands for 0 • Can exploit special structure to generate fewer quantified Boolean variables • Can similarly handle 9e . e¸ x0Æf [e / x0] • Half of all quantifier elimination operations

  20. A Region in R2 • f

  21. x1= x0 + c x1= e + c • e Shifting the Region by e • f x2 • e • f [e / x0] for e· 0 x1

  22. x2· c’ x2 - x1 ¸ c’’ x1¸ c Geometric Interpretation of Quantified Formula 9e . e· x0Æf [e / x0] is shaded region plus f x2 45° x1 Observation: Only lower bounds on f are eliminated; Upper bounds and diagonals remain intact

  23. Quantifier Elimination Strategy • To eliminate e from 9e . { e· x0Æf [e / x0] } • Introduce existential quantifiers only over Boolean variables encoding lower bound predicates in f (bounds of the form xi¸ c) • Generate only those transitivity constraints involving lower bound predicates • Empirically, results in 10-20 times speedup

  24. Optimization: Checking if Bounds are Conjoined • Avoid generating transitivity constraints wherever possible • 9x2 . x1¸ x2Ç x2¸ x3 • x1¸ x2 and x2¸ x3 not conjoined, hence no transitivity constraint generated • “Conjunctions matrix” [Strichman, FMCAD’02] • 9x2 . (x1¸ x2Æ x2¸ x3) Ç x3 > x2 • x1¸ x2 and x2¸ x3 not conjoined in minimized DNF of quantifier-free part • 9x2 . x1¸ x2Ç x3 > x2 • Can check easily using BDDs

  25. Optimization for a BDD-based Implementation • Suppose we use BDDs to represent the Boolean encodings of SL formulas • Some BDD paths might be infeasible (as in the case of DDDs) • Use “Restrict” operator to eliminate paths in the BDD that violate transitivity constraints • Problems: • Not all infeasible paths eliminated due to BDD variable ordering constraints • Imposes an overhead

  26. Experimental Setup • Benchmark: Fischer’s timed mutual exclusion protocol, for increasing numbers of processes • Compared against DDD and RED fully symbolic model checkers • For 1 reachability property and 1 non-reachability property • Our model checker used the CUDD package as the Boolean (quantification) engine

  27. Results (1) • Results for non-reachability formula (non-zenoness) • TMV: Our model checker • Kronos & Red are the only other model checkers that can handle non-reachability properties

  28. x1¸ x2 + 2 x1¸ x2Ç x1¸ x2+2 x1¸ x2 x1¸ x2 x1¸ x2 0 1 0 1 Results (2) • Results for reachability property (mutual exclusion) • Reason: DDD’s local node elimination operations

  29. Conclusions & Ongoing Work • New fully symbolic model checking technique based on Boolean methods • Solving QSL via translation to QBF can • Outperform other fully symbolic approaches • Check any property in Timed m calculus • Leverage advances in SAT/QBF • Ongoing Work • Using a SAT-based QBF solver • Improving BDD-based implementation • Lazy vs eager Boolean encoding tradeoffs

More Related