1 / 29

Bounded Model Checking for Region Automata

Bounded Model Checking for Region Automata. Fang Yu, Bow-Yaw Wang, Yaw-Wen Hu ang Institute of Information Science Academia Sinica, Taiwan. Introduction. SAT-based model checking from discrete systems to time systems Challenge How to handle infinite timing behavior? Discrete clocks

oma
Download Presentation

Bounded Model Checking for Region Automata

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bounded Model Checking for Region Automata Fang Yu,Bow-Yaw Wang, Yaw-Wen Huang Institute of Information Science Academia Sinica, Taiwan

  2. Introduction • SAT-based model checking from discrete systems to time systems • Challenge • How to handle infinite timing behavior? • Discrete clocks • Zone predicates Region Automata

  3. Real-Time System • Discrete variables plus dense-time clocks • Real domain • A uniform rate increase • Reset X: Y: … 0 1 2

  4. Timed Automata • Timed Automata <D, X, A, E, I>: • D: A set of discrete variables • X: A set of clocks • A: A set of actions • Each action is a series of discrete variable assignments • E: A set of edges, each edge is associated with • : Guarded condition • : An action • : A set of reset clocks • I: An initial condition ,

  5. Timed Automata • State • Discrete interpretation • Clock interpretation • Transition • Time elapse • Edge fire A positive real

  6. Region Automata • Alur et al (1990) • Equivalence class [ν] • integral part • fraction ordering • Region Graph • State • Transition y 0 x

  7. What’s The Problem? • Region Graph [ACD90] • Precision, simplicity, and an intrinsic bound • However… • Prohibitive size • Regions exponential to the number and the max constraint constants of clocks • Standard model checking verification becomes infeasible even for moderately-sized systems Theoretical rather than practical!

  8. Bounded Model Checking • Biere et al.[BCCFZ99] • Boolean formula satisfiability • n steps: • Pros • Powerful SAT solvers developed • Many heuristic approaches • Over thousands of variables and millions of clauses capable A powerful support for region automata!

  9. Region Encoding Each odd pair  a fraction relation [0,0] [1,1] [2,2] [3,3] X: (0,1) (1,2) (2,3) (3,∞] 0 1 2 3 Y: x Z: 0 1 2 3 7(Mx) Xd 3 1 5 2 0 6 4 Xd is evena point Xd is odd  an open interval Xd is Mx  X>Cx 7 3 1 5 2 0 6 4 Fraction relation: Xf>Yf, Xf>Zf, Yf>Zf X: Y: Z: … 0 1 2 3 4 … 7 8 3 1 5 2 0 6 4 Xd=3, Yd=5, Zd=4, Xf<Yf

  10. Region (In a Two-clock System) X: Y: 0 1 2 3 3 1 4 5 7 2 0 6 Xd=5, Yd=3, Xf<Yf y Xd is even, Yd is odd or My Xd is odd or Mx, Yd is even Xd is odd, Yd is odd, Xf<Yf Xd is odd , Yd is odd, Xf=Yf Xd is odd, Yd is odd, Xf>Yf Xd is even, Yd is even Xd is Mx, Yd is odd Xd is odd, Yd is My Xd is Mx, Yd is My • No intersection • Universe 0 x

  11. Successor (In a Two-clock System) Xd’=Xd+1, Yd’=Yd, Xf’<Yf’ Xd’=Xd++, Yd’=Yd++, Xf’=Yf’ Xd’=Xd, Yd’ =Yd++ Xd is odd, Yd is odd, and Xf<Yf Xd is even, Yd is even Xd is even, Yd is odd or My

  12. Successor Relation

  13. A General Case: Multi-clock System • Pair Conjunction? X: X Y: Z: Xd’=Xd++ 0 1 2 3 Xd’=Xd 3 1 5 2 0 6 4 Z Y Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf A clock can progress, only when all its pairs allow it to progress!

  14. Who is The Murderer? • Observation: when clock values are • Even: always progress • Max: always stay • Odd: progress and stay at the same time • Should consider other pairs before progresses • Should not progress unless all its pairs allow it to progress Contradiction!! How to achieve this?

  15. A General Case: Multi-clock System • An extra case for stuttering • Not all stuttering Xd=1, Yd=1, Zd=4, Xf=Yf Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf X: Y: Z: 0 1 2 3 3 1 5 2 0 6 4 X Xd’=Xd++, Yd’=Yd++ Xd’=Xd, Zd’=Zd++ Or Xd’=Xd, Yd’=Yd, R’XY=RXY Or Xd’=Xd, Zd’=Zd R’xz=Rxz Y Z

  16. A General Case: Multi-clock System • An extra case for stuttering • Not all stuttering

  17. Transition • Time elapse • Edge fire • A step condition 0

  18. Reachability Analysis BoundedFwdReach(I, R, T, MaxBound) var i: 0.. MaxBound; begin i := 0; F := I(i);loop foreverif(i=MaxBound) returnunreachable within MaxBound;if(SAT(FR(i))) returnreachable; F := FT(i) R(i); i := i+1; end. Results of each step are added until termination

  19. Theorem Given a TA having n regions, BoundedFwdReach() is sound and complete when MaxBound≥n.

  20. Implementation • Implementation • Standard bit encoding • A circuit representation • xBMC • Make use of zChaff • xBMC 2.0: supports real-time systems • xBMC 1.0: supports discrete systems, and has been used to verify program security(DSN2004)

  21. Fischer’s Mutual Exclusion • Each process • X: a local clock • L: a global discrete variable • Safety property • For all i<j, • Safe, only when A≥B • Experiments • Increase the number of processes • Check whether a violation occurs when A<B L=Nul; {X} idle ready L!=P; L:=Nul X<B; L:=P, {X} critical wait L=PX>A;

  22. Time Performance of Bug Hunting A=1, B=2. P1.7 GHz, 256M, Linux

  23. Compared to BBMC • Wozna, Penczek and Zbrzezny (FI 2003) • BBMC found the witness at the 12th iteration • xBMC 2.0 found the witness at the 15th iteration Fischer’s Mutual Exclusion, A=1, B=2

  24. Discussion and Related Works • Discretization • Discrete time unit • Penczek, Wozna and Zbrzezny (FTRTFT’02) • Divide a time unit into 2n segments • Tool: BBMC • General zones/polyhedra • Quantifier Boolean elimination • Seshia and Bryant (CAV’03) • Tool: TMV • Region Graph • prohibitive size • from infeasible to feasible • Simple transition relation • SAT-Based Model Checking

  25. Conclusion and Future Work • We propose a new transition relation encoding based on region graph • We realize it in xBMC 2.0 • Standard experiments show some promise in bug hunting • How about correctness guarantee? • An intrinsic bound: usually prohibitively high to reach • Unbounded approaches: Induction, interpolation. Apply inductive method(appeared in ATVA2004)

  26. Conclusion and Future Work • How about large constants? • Large constants did incur worse performance • Change B from 2 to 4000: 22->14 • How about clock difference conditions? Apply abstraction techniques Add extra Boolean predicates for clock difference conditions

  27. Thank you for your attention. Any questions are welcome! Contact info. Bow-Yaw Wang bywang@iis.sinica.edu.tw http://iis.sinica.edu.tw/~bywang Fang Yu yuf@iis.sinica.edu.tw http://iis.sinica.edu.tw/~yuf ~END~

  28. Discussion and Related Work • Symbolic Zone Model Checking • Unbounded • State: Zone • Transition: Quantifier elimination • Explore states until fixed point reached • Conventional Tools: RED(CRD), UPPAAL(DBM), KRONOS(DBM) • SAT-based Zone Model Checker • Seshia and Bryant (CAV’03) • Separation Logic and Predicate Encoding • Tool: TMV

  29. Region Discretization • (s, [v])(s, vd, vr) • vd :Integral part • vr :Fraction part • An example

More Related