290 likes | 296 Views
Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods. Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University. Timed Automata. Alur, Courcoubetis, & Dill, ‘90. A modeling formalism for timed systems
E N D
Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University
Timed Automata Alur, Courcoubetis, & Dill, ‘90 • A modeling formalism for timed systems • e.g., Real-time systems, Timed asynchronous circuits • Generalization of finite automaton with: • Non-negative real-valued clock variables • Can only be reset to 0 or another clock • Constraints on clocks as guards on states and transitions x1¸ 3 /x1 := 0 s=false x1· 10 x2· 8 s=true x1· 5 x1¸ 4 Æ x2¸ 6 /x2 := 0
Model Checking the Timed m Calculus System Properties expressed in the Timed m calculus [Henzinger et al. ’94] • Can express Timed CTL • Dense time version of CTL • Two kinds of TCTL formulas: • Reachability properties: Safety and bounded liveness • E.g. AG (file requested AF· 5 (file received)) • Non-reachability properties: Unbounded liveness • E.g. AG . z:= 0 . EF (z = 1) [non-zenoness]
FULLY SYMBOLIC SYMBOLIC Separate representation for real and Boolean components Combined representation for real and Boolean components Example: Two symbolic states (b, x ¸ 3), (: b, x ¸ 3) Example: Combined state set x ¸ 3 Model Checkers: RED, DDD (Difference Decision Diagram), Our approach Model Checkers: Uppaal, Kronos Symbolic vs. Fully Symbolic Unbounded Model Checking • State space has Boolean and real-valued components
Unbounded, Fully Symbolic Model Checking [Henzinger, Nicollin, Sifakis, Yovine ’94] • Set of states represented as a formula f in separation logic (SL) • Boolean Combinations (Æ, Ç, :) of • Boolean variables: ei • Separation Predicates: xi¸ xj + c, xi > xj + c • Also called “difference-bound” constraints • 0 represented as special variable x0 • Adding quantifiers over clock and Boolean variables gives quantified separation logic (QSL) • Fundamental model checking operations • Image computation: Quantifier elimination for QSL • Termination check: Validity checking for SL
Our Approach • Use Boolean encoding of separation predicates • Quantifier Elimination in QSL: • Eliminating quantifiers over real variables in QSL Eliminating quantifiers over Boolean variables in quantified Boolean formulas (QBF) • Validity checking of SL: • By translation to SAT [Strichman, Seshia, Bryant, CAV’02]
Talk Outline • Pre-image Computation via QSL Quantifier Elimination • QSL Quantifier Elimination QBF Quantifier Elimination • Exploiting Special QSL Formula Structure • Optimizations • Preliminary Experimental Results • Conclusions & Future work
Discrete Pre, pred x2 x2 x2 x1 := 0 b := true x1 x1 x1 b = true b = true b = false Timed Pre, pret x2 x2 time elapse x1 x1 b = true b = true Pre Operator 2
Pre Operator pre(f) , pred(f) Ç pret(f) • pred(f) does not require quantifier elimination • pret(f) is expressed in Quantified Separation Logic (QSL)
Timed Pre Operator in QSL pret(f) ,9d . d· x0Æf [d / x0] f
Timed Pre Operator in QSL pret(f) ,9d . d· x0Æf [d / x0] Æ8e ( d·e· x0) finv[e / x0] ) • finv is the conjunction of all state guards f finv
Quantifier Elimination Problem • Start with QSL formula w, where w,9 xa . f • To handle 8 xa . f, start with 9 xa . :f, and negate the result • Need to find SL formula f’ such that w,f’ • Previous approaches: • Enumerate DNF terms in f • Perform Fourier-Motzkin elimination on each • Differ in data structure used to represent f • Problem: Can be exponentially many DNF terms • E.g., Difference Decision Diagrams (DDDs) [Møller et al. ’99], RED [Wang ’03]
x1¸ x2 x1¸ x3 x0¸ x2 - 5 x3¸ x1 + 2 x0¸ x2 - 5 x3¸ x2 x0¸ x1 - 3 x0¸ x3 - 5 x1¸ x3 x3¸ x2 x1¸ x2 0 1 0 1 (x1¸ x2Æ x0¸ x2-5) Ç (x0¸ x1-3 Æ x0¸ x2-5) Example: Difference Decision Diagrams (DDDs) [Møller et al. ’99] 9 x3 . (x1¸ x3Ç x3¸ x1+2) Æ x0¸ x3-5 Æ x3¸ x2
QSL Quantifier Elimination via QBF Quantifier Elimination • Start with w,9 xa . f • Quantifier elimination done in 3 steps: • Translate w to another QSL formula w’ where: • w’ has quantifiers only over Boolean variables • w is equivalent to w’ • Encode w’ as a QBF • Eliminate Boolean quantifiers and translate the result back to a SL formula f’
e1 x1¸ x3 (e1Ç e2) Æ e3 Æ e4 e2 e3 e4 x3¸ x1 + 2 x0¸ x3 - 5 x3¸ x2 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) (x1¸ x2) • Æ (e2Æ e3) ) (x0¸ x1 - 3) • Æ (e3Æ e4) ) (x0¸ x2 - 5) Transitivity Constraints Step 1: Real to Boolean Quantification 9 x3 . (x1¸ x3Ç x3¸ x1+2) Æ x0¸ x3-5 Æ x3¸ x2
e1 x1¸ x3 e2 e3 e4 x3¸ x2 x3¸ x1 + 2 x0¸ x3 - 5 e5 e6 e7 e5 e6 e7 x0¸ x2 - 5 x0¸ x1 - 3 x1¸ x2 Step 2: Encode Remaining Separation Predicates (e1Ç e2) Æ e3 Æ e4 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) (x1¸ x2) • Æ (e2Æ e3) ) (x0¸ x1 - 3) • Æ (e3Æ e4) ) (x0¸ x2 - 5) Transitivity Constraints
e1 x1¸ x3 e2 e3 e4 x3¸ x1 + 2 x0¸ x3 - 5 x3¸ x2 (e5Æ e7) Ç (e6Æ e7) e6 e5 e7 x0¸ x2 - 5 x0¸ x1 - 3 x1¸ x2 (x1¸ x2Æ x0¸ x2-5) Ç (x0¸ x1-3 Æ x0¸ x2-5) Step 3: Eliminate Quantifiers and Map back to SL (e1Ç e2) Æ e3 Æ e4 Æ 9 e1, e2, e3, e4 . (e1Æe4) ) e5 • Æ (e2Æ e3) ) e6 • Æ (e3Æ e4) ) e7
Evaluating Our Approach • Our approach avoids enumerating DNF terms of f • Can use either BDD or SAT methods for quantifier elimination (or a combination) • BDD-based method: Can exploit quantifier scheduling heuristics • SAT-based method: Rely on SAT solver to enumerate DNF terms in f’ • Number of transitivity constraints is at most O(m2) where m is number of separation predicates in f
Exploiting Structure of pret • Consider QSL formulas of the form: 9e . e· x0Æf [e / x0] • Recall that x0 stands for 0 • Can exploit special structure to generate fewer quantified Boolean variables • Can similarly handle 9e . e¸ x0Æf [e / x0] • Half of all quantifier elimination operations
A Region in R2 • f
x1= x0 + c x1= e + c • e Shifting the Region by e • f x2 • e • f [e / x0] for e· 0 x1
x2· c’ x2 - x1 ¸ c’’ x1¸ c Geometric Interpretation of Quantified Formula 9e . e· x0Æf [e / x0] is shaded region plus f x2 45° x1 Observation: Only lower bounds on f are eliminated; Upper bounds and diagonals remain intact
Quantifier Elimination Strategy • To eliminate e from 9e . { e· x0Æf [e / x0] } • Introduce existential quantifiers only over Boolean variables encoding lower bound predicates in f (bounds of the form xi¸ c) • Generate only those transitivity constraints involving lower bound predicates • Empirically, results in 10-20 times speedup
Optimization: Checking if Bounds are Conjoined • Avoid generating transitivity constraints wherever possible • 9x2 . x1¸ x2Ç x2¸ x3 • x1¸ x2 and x2¸ x3 not conjoined, hence no transitivity constraint generated • “Conjunctions matrix” [Strichman, FMCAD’02] • 9x2 . (x1¸ x2Æ x2¸ x3) Ç x3 > x2 • x1¸ x2 and x2¸ x3 not conjoined in minimized DNF of quantifier-free part • 9x2 . x1¸ x2Ç x3 > x2 • Can check easily using BDDs
Optimization for a BDD-based Implementation • Suppose we use BDDs to represent the Boolean encodings of SL formulas • Some BDD paths might be infeasible (as in the case of DDDs) • Use “Restrict” operator to eliminate paths in the BDD that violate transitivity constraints • Problems: • Not all infeasible paths eliminated due to BDD variable ordering constraints • Imposes an overhead
Experimental Setup • Benchmark: Fischer’s timed mutual exclusion protocol, for increasing numbers of processes • Compared against DDD and RED fully symbolic model checkers • For 1 reachability property and 1 non-reachability property • Our model checker used the CUDD package as the Boolean (quantification) engine
Results (1) • Results for non-reachability formula (non-zenoness) • TMV: Our model checker • Kronos & Red are the only other model checkers that can handle non-reachability properties
x1¸ x2 + 2 x1¸ x2Ç x1¸ x2+2 x1¸ x2 x1¸ x2 x1¸ x2 0 1 0 1 Results (2) • Results for reachability property (mutual exclusion) • Reason: DDD’s local node elimination operations
Conclusions & Ongoing Work • New fully symbolic model checking technique based on Boolean methods • Solving QSL via translation to QBF can • Outperform other fully symbolic approaches • Check any property in Timed m calculus • Leverage advances in SAT/QBF • Ongoing Work • Using a SAT-based QBF solver • Improving BDD-based implementation • Lazy vs eager Boolean encoding tradeoffs