kim guldstrand larsen brics@aalborg

UCb

Kim Guldstrand LarsenBRICS@Aalborg

Symbolic Model Checking…and Verification Options

How UPPAAL really works&

How to make UPPAAL really work

IDA foredrag 20.4.99 UCb

THE UPPAAL ENGINE

Symbolic Reachability Checking

3TOV 2002, Lektion 3. Kim G. Larsen

UCb ZonesFrom infinite to finite

State(n, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set)(n, )

Zone:conjunction ofx-y<=n, x<=>n

3y4,1x1


UCb

Symbolic Transitions

n

m

x>3

y:=0

delays to

conjuncts to

projects to

x

y

1<=x<=41<=y<=3

x

y1<=x, 1<=y-2<=x-y<=3

x

y 3<x, 1<=y-2<=x-y<=3

3<x, y=0

x

y

Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

a


UCb

A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s Protocolanalysis using zones

Y<10

X:=0

Y:=0

X>10

Y>10

X<10


UCb

Fischers cont. B1 CS1

V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10

A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

Untimed case

A1


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case

Taking time into account

X

Y

A1


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


X

Y

A1

10X

Y1010


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10


UCb

Forward Rechability

Passed

WaitingFinal

Init

INITIAL Passed := Ø; Waiting := {(n0,Z0)}

REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add

{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add



n,Z’

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add



n,Z’

m,U

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


UCb Canonical Dastructures for Zones

Difference Bounded Matrices Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

0

x

y

z

2 3

37

3

? ?

Graph

Graph


UCb

Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

ShortestPath

Closure

ShortestPath

Closure

0

x

y

z

1 2

25

0

x

y

z

2 3

37

0

x

y

z

2 3

36

3

3 3

Graph

Graph

? ?

Canonical Dastructures for ZonesDifference Bounded Matrices

Canonical Form


UCb

Bellman 1958, Dill 1989

x<=1y>=5y-x<=3

x<=1y>=5y-x<=3

D

Emptyness

0y

x1

3

-5

Negative Cycleiffempty solution set

Graph



UCb

1<= x <=41<= y <=3

1<= x <=41<= y <=3

D

Future

x

y

x

y

Future D

0

y

x4

-1

3

-1

ShortestPath

Closure

Removeupper

boundson clocks

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

y

x

-1

-1

3

2

0

4

3



UCb Canonical Dastructures for Zones

Difference Bounded Matrices

x

y

D

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

Remove allbounds

involving yand set y to 0

x

y

{y}D

y=0, 1<=xy=0, 1<=x

Reset

y

x

-1

0

0 0


UCb Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Canonical wrt =Space worst O(n^2) practice O(n)

RTSS’97


UCb SPACE PERFORMANCE

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

Per

cen

t Minimal Constraint

Global Reduction

Combination


UCb TIME PERFORMANCE

0

0,5

1

1,5

2

2,5

Per

cen

t Minimal Constraint

Global Reduction

Combination


UCb

v and w are both redundantRemoval of one depends on presence of other.

v and w are both redundantRemoval of one depends on presence of other.

Shortest Path Reduction1st attempt

Idea

Problem

w

<=wAn edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

An edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

w

v

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.


UCb Shortest Path ReductionSolution

G: weighted graph



G: weighted graph

1. Equivalence classes based on 0-cycles.



G: weighted graph


2. Graph based on representatives. Safe to remove redundant edges



G: weighted graph


2. Graph based on representatives. Safe to remove redundant edges

3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classesCanonical given order of clocks


UCb

Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


UCb

Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?

ZZ'


UCb


REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in Passed then STOP - else /explore/ add



Earlier Termination

Passed

Waiting Final

Init

n,Zk

m,U

n,Z

Init -> Final ?

n,Z1

n,Z2 ZZii

ZZ'


UCb Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices

CDD-representationsCDD-representations

CAV99

Nodes labeled with differences

Maximal sharing of substructures (also across different CDDs)

Maximal intervals Linear-time algorithms

for set-theoretic operations.

NDD’s Maler et. al

DDD’s Møller, Lichtenberg


UCb

SPACE PERFORMANCE

0

0,5

1

1,5

2

2,5

3

3,5

4

4,5

Per

cen

t CDD

Reduced CDD

CDD+BDD


UCb

TIME PERFORMANCE

0

1

2

3

4

5

6

Per

cen

t CDD

Reduced CDD

CDD+BDD


UCb

Verification Options• Breadth-First• Depth-First

• Clock Reduction • State Space Reduction

• State Space Repr.• DBM• Compact • Over-approximation• Under-approx

• Reuse State Space• Diagnostic Trace

• Breadth-First• Depth-First

• Clock Reduction • State Space Reduction

• State Space Repr.• DBM• Compact • Over-approximation• Under-approx

• Reuse State Space• Diagnostic Trace

Case Studies


UCb Representation of symbolic states (In)Active Clock Reduction

x is only active in location S1

x>3x<5

x:=0

x:=0

S x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitionx<7


UCb Representation of symbolic states Active Clock Reduction

x>3x<5

S

x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitiong1

gkg2r1

r2 rk

iii

ii

rClocks/SAct

gClocks

)S(Act

S1

S2 Sk

Only save constraints on active clocks


UCb When to store symbolic stateState Space Reduction

No Cycles: Passed list not needed for termination

However,Passed list useful forefficiency


UCb When to store symbolic stateState Space Reduction

Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list


UCb

Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?

prop2


UCb

Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?Hashtable

prop2


UCb Over-approximationConvex Hull

x

y

Convex Hull

1 3 5

1

3

5


UCb Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z


UCb Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z

Passed= Bitarray

1

0

1

0

0

1

UPPAAL 8 Mbits

HashfunctionF


UCb

Bitstate Hashing


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add




REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add



Passed(F(n,Z)) = 1

Passed(F(n,Z)) := 1


UCb

Best Options for Fischer


UCb

Overview

Timed Automata (review)UPPAAL 3.2 Symbolic Reachability & Datastructures

DBMs Compact Datastructure CDDs

Verification OptionsBeyond Model Checking


UCb

The State Explosion Problem

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

sat

Model-checking is either EXPTIME-complete or PSPACE-complete

(for TA’s this is true even for a single TA)

Model-checking is either EXPTIME-complete or PSPACE-complete

(for TA’s this is true even for a single TA)

Sys


UCb Abstraction

satSys AbsSys satAbs

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

sat

Sys

1 2

43 sat

Abs

REDUCE TO Preserving safetyproperties


UCb Compositionality

AbsSysAbsAbs |Abs

Abs Sys

Abs Sys

21

22

11

Sys

1 2

43

1 2

43

Sys1 Sys2

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

Abs1 Abs2

2121

22

11

Abs |AbsSys |Sys Abs Sys

Abs Sys


UCb

Timed Simulation

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -

then Rt)(s,Whenever b)

R)t,(s a)

s.t. StStR

relation a is there if TT

a

a

00

21

21

)(

)(

de

de

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

)Test(T ||Tfor question

ty reachabili a to reduced bemay

TT then cdetermisti is T If *

decidable is *

ncompositio parallelby preserved is *

propertiessafety preserves *

21

212




decidable is *



21

212

UPPAALUPPAAL


UCb

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

Timed Simulation




decidable is *



21

212




decidable is *



21

212

UPPAALUPPAAL

Applied to

IEEE 1394a Root contention protocol (Simons, Stoelinga)

B&O Power Down Protocol (Ejersbo, Larsen, Skou, FTRTFT2k)

Modifications identified

when urgency

and shared integers

IDA foredrag 20.4.99 UCb

THE END (almost)


UCb

kim guldstrand larsen brics@aalborg

Documents