1 / 59

Kim Guldstrand Larsen BRICS@Aalborg

Symbolic Model Checking …and Verification Options How UPPAAL really works & How to make UPPAAL really work. Kim Guldstrand Larsen BRICS@Aalborg. THE UPPAAL ENGINE Symbolic Reachability Checking. y. y. x. x. Zones From infinite to finite. Symbolic state (set )

sasha
Download Presentation

Kim Guldstrand Larsen BRICS@Aalborg

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Symbolic Model Checking …and Verification Options How UPPAAL really works & How to make UPPAAL really work Kim Guldstrand LarsenBRICS@Aalborg

  2. THE UPPAAL ENGINESymbolic Reachability Checking IDA foredrag 20.4.99

  3. y y x x ZonesFrom infinite to finite Symbolic state (set) (n, ) State (n, x=3.2, y=2.5) Zone: conjunction of x-y<=n, x<=>n

  4. 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 y y x x y y 3<x, 1<=y -2<=x-y<=3 x x 3<x, y=0 Symbolic Transitions delays to n x>3 conjuncts to a y:=0 projects to m Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

  5. Fischer’s Protocolanalysis using zones 2 • ´ V Criticial Section X<10 X:=0 X>10 Init V=1 V:=1 V=1 A1 CS1 B1 Y<10 Y:=0 Y>10 V:=2 V=2 CS2 B2 A2

  6. Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

  7. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account

  8. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10

  9. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10

  10. Y 10 Y X X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10 10

  11. Y 10 Y X X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10 10

  12. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Final Waiting Init Passed

  13. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Final Waiting n,Z n,Z’ Init Passed

  14. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  15. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  16. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Inclusion x 1 2 x<=1 y-x<=2 z-y<=2 z<=9 D1 Graph y 0 9 2 z ? ? D2 x<=2 y-x<=3 y<=3 z-y<=3 z<=7 x 2 3 3 Graph y 0 7 3 z

  17. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Inclusion x x 1 2 x<=1 y-x<=2 z-y<=2 z<=9 1 2 Shortest Path Closure D1 3 Graph y 0 y 0 9 5 2 z 2 z ? ? D2 x x<=2 y-x<=3 y<=3 z-y<=3 z<=7 x 2 3 Shortest Path Closure 2 3 3 3 Graph y 0 y 0 6 3 7 3 z z Canonical Form

  18. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Emptyness x 1 D x<=1 y>=5 y-x<=3 3 Graph 0 y -5 Negative Cycle iff empty solution set

  19. Canonical Dastructures for ZonesDifference Bounded Matrices Future y y Future D D x x 1<= x <=4 1<= y <=3 1<=x, 1<=y -2<=x-y<=3 x 4 4 x x Remove upper bounds on clocks -1 Shortest Path Closure -1 -1 3 3 0 0 0 3 3 2 2 -1 y -1 y -1 y

  20. Canonical Dastructures for ZonesDifference Bounded Matrices Reset y y {y}D D x x 1<=x, 1<=y -2<=x-y<=3 y=0, 1<=x x x Remove all bounds involving y and set y to 0 -1 -1 3 0 0 0 2 -1 y 0 y

  21. Improved DatastructuresCompact Datastructure for Zones RTSS’97 -4 -4 x1-x2<=4 x2-x1<=10 x3-x1<=2 x2-x3<=2 x0-x1<=3 x3-x0<=5 Shortest Path Closure O(n^3) x1 x2 x1 x2 4 10 3 3 2 3 2 -2 -2 2 2 x0 x3 x0 x3 1 5 5 -4 Shortest Path Reduction O(n^3) x1 x2 Canonical wrt = Space worst O(n^2) practice O(n) 3 3 2 2 x0 x3

  22. Shortest Path Reduction1st attempt Idea An edge is REDUNDANT if there exists an alternative path of no greater weight THUS Remove all redundant edges! <=w w Problem v and w are both redundant Removal of one depends on presence of other. v w Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

  23. Shortest Path ReductionSolution G: weighted graph

  24. Shortest Path ReductionSolution G: weighted graph 1. Equivalence classes based on 0-cycles.

  25. Shortest Path ReductionSolution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges

  26. Shortest Path ReductionSolution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges 3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes Canonical given order of clocks

  27. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  28. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  29. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z1 n,Z2 n,Zk Init Passed

  30. Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices CAV99 CDD-representations • Nodes labeled with differences • Maximal sharing of substructures (also across different CDDs) • Maximal intervals • Linear-time algorithms for set-theoretic operations. • NDD’s Maler et. al • DDD’s Møller, Lichtenberg

  31. Verification Options • Breadth-First • Depth-First • Clock Reduction • State Space Reduction • State Space Repr. • DBM • Compact • Over-approximation • Under-approx • Reuse State Space • Diagnostic Trace Case Studies

  32. Definition x is inactive at Sif on all path from S, x is always reset before being tested. S x:=0 x:=0 x>3 x<5 Representation of symbolic states(In)Active Clock Reduction x is only active in location S1 x<7

  33. Representation of symbolic states Active Clock Reduction S Definition g1 x is inactive at Sif on all path from S, x is always reset before being tested. gk g2 r1 r2 rk S1 S2 Sk x>3 x<5 Only save constraints on active clocks

  34. When to store symbolic stateState Space Reduction However, Passedlist useful for efficiency No Cycles: Passed list not needed for termination

  35. When to store symbolic stateState Space Reduction Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list

  36. Reuse State Space Waiting prop2 A[] prop1 A[] prop2 A[] prop3 A[] prop4 A[] prop5 . . . A[] propn Search in existing Passed list before continuing search prop1 Passed Which order to search?

  37. Reuse State Space Waiting prop2 A[] prop1 A[] prop2 A[] prop3 A[] prop4 A[] prop5 . . . A[] propn Search in existing Passed list before continuing search prop1 Passed Which order to search? Hashtable

  38. Over-approximationConvex Hull y 5 3 1 x 1 3 5 Convex Hull

  39. Under-approximationBitstate Hashing Waiting Final m,U n,Z n,Z’ Init Passed

  40. Under-approximationBitstate Hashing 1 Passed= Bitarray Waiting Final m,U 0 1 n,Z 0 UPPAAL 8 Mbits Hashfunction F n,Z’ 0 Init Passed 1

  41. Bitstate Hashing INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Passed(F(n,Z)) = 1 Passed(F(n,Z)) := 1

  42. Best Options for Fischer

  43. Best Options for Fischer

  44. Overview • Timed Automata (review) • UPPAAL 3.2 • Symbolic Reachability & Datastructures • DBMs • Compact Datastructure • CDDs • Verification Options • Beyond Model Checking

  45. a a a a a a a a b b b b b b b b c c c c c c c c The State Explosion Problem Sys Model-checking is either EXPTIME-complete or PSPACE-complete (for TA’s this is true even for a single TA)

  46. a a a a a a a a 1 2 b b b b b b b b c c c c c c c c 3 4 Abstraction Sys REDUCE TO Preserving safety properties Abs

More Related