
Real-Time Model Checking on Secondary Storage

Real-Time Model Checking on Secondary Storage. Stefan Edelkamp and Shahid Jabbar, Chair for Programming Systems and Compiler Construction, Computer Science Department, University of Dortmund, Dortmund, Germany. Real-Time Model Checking. Model checking of real-time critical systems.


Presentation Transcript


  1. Real-Time Model Checking on Secondary Storage
     Stefan Edelkamp and Shahid Jabbar
     Chair for Programming Systems and Compiler Construction, Computer Science Department, University of Dortmund, Dortmund, Germany

  2. Real-Time Model Checking
     • Model checking of real-time critical systems.
     • Example: a rail-road crossing that has to follow strict time constraints.
     • Systems are modeled by timed automata.
       • Extension of ordinary automata with clocks and constraints.
     [Figure: timed automaton with locations s1, s2, s3; x and y are real-time clocks; edges carry constraints (y ≤ 4, 0 ≤ y ≤ 4) and resets (x ← 0).]

  3. Timed Automata
     • A state in a timed automaton is a pair (l, u), where
       • l is the current location/state in the automaton,
       • u: C → ℝ is the clock valuation function.
     • Two types of transitions:
       • Delay transition: (l, u) → (l, u + d), which increases the values of all clocks by a positive real d.
       • Edge transition: (l, u) → (l’, u’), which changes the location to l’. u’ is obtained from u by executing the reset statements on the edge. Only possible if the constraints on the edge are satisfied by the clocks.
     [Figure: the timed automaton from slide 2, with constraints and resets labeled.]

  4. Priced Timed Automata
     • Timed automata extended with cost variables.
     • Each transition can have a cost for taking it.
     • Each location/state can have a cost for staying at it.
     • Used in scheduling – also in this paper.
     [Figure: the timed automaton from slide 2 with cost annotations (c = 2, c = c + 4, c = c + 1, c = 4), labeled "cost for taking the transition" and "cost per unit time for staying at s1".]

  5. Cost-optimal reachability using Priced Timed Automata (UPPAAL-CORA)
     • UPPAAL-CORA uses admissible but inconsistent heuristics as guidance.
       • The first solution found is not optimal.
       • But it can be taken as an upper bound to prune the non-promising states – branch-and-bound.
     [Figure: search frontier plotted against cost, with the goal and the pruning value marked.]

  6. Problems
     • Since clocks are real-valued variables => infinite state spaces.
     • Classical approach for proving decidability is to divide the state space into regions.
     • In practice, tools like KRONOS and UPPAAL use a zone-based representation – a symbolic representation for sets of states.
     • Still, the combinatorial explosion due to adding new components is inevitable.

  7. Problem with the Virtual Memory
     [Figure: virtual address space from 0x000…000 to 0xFFF…FFF, with a memory page marked.]

  8. External Memory Model (Aggarwal and Vitter)
     • If the input size is very large, running time depends on the I/Os rather than on the number of instructions.
     • Input of size N and N >> M.
     • Scan(N) = O(N / B)
     • Sort(N) = O((N/B) log_{M/B} (N/B))
     [Figure: internal memory (M) and disk, with blocks (B) moved between them.]

  9. External Breadth-First Search for Explicit Graphs (Munagala & Ranade, SODA-99)
     Duplicates’ removal:
     • I: Remove duplicates by sorting the nodes according to the indices and doing a scan and compaction phase.
     • II: Subtract layers t and t+1 from t+2.
     [Figure: example graph with nodes A, B, C, D, X, Y, Z and BFS layers t, t+1, t+2.]

  10. External Breadth-First Branch-and-Bound in UPPAAL-CORA
      • Can we use the same approach by Munagala and Ranade here? YES and NO.
      • Duplicate elimination is not trivial!
        • l: active locations in local automata
        • Z: zone - set of constraints satisfied by clocks
        • Zone union – same location but different zones
        • A state (l,Z) is a duplicate of (l,Z’) iff Z  Z’ and f(Z)  f(Z’)
        • No total order on zones => O(n^2) comparisons for each location
      [Figure: search frontier against cost, contrasting trivial state spaces (single node A) with real-time state spaces (zone unions (l,Z1), (l,Z2), (l,Z3) and (l,Z4), (l,Z5), (l,Z6)).]

  11. Bucket
      • A bucket is a set of states, residing on the disk, having the same g value,
      • where g = number of transitions needed to transform the initial state to the states of the bucket.
      • No state is inserted again in a bucket that is expanded.
      • If active (being read or written), represented internally by a small buffer.
      [Figure: states are inserted into a buffer in internal memory; when full, the buffer is sorted and flushed to a file on disk.]

  12. I/O Complexity of Breadth-First Branch-and-Bound
      • Assumption: at least two zone unions can fit into the main memory.
      • Expansion: O(scan(|V|)) I/Os
      • Duplicates removal:
        • Stage 1: Removal of duplicates within a layer.
          • O(sort(|E|)) I/Os for sorting,
          • O(scan(|E|)) I/Os for scanning and compacting.
        • Stage 2: Removal of duplicates w.r.t. previous layers.
          • Depends on the locality of the graph – the longest back-edge
          • locality(G) × scan(|V|) I/Os
      • Cumulative complexity: O(sort(|E|) + locality(G) × scan(|V|)) I/Os.
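
The bucket buffer of slide 11 and the two duplicate-removal stages of slides 9 and 12, as an added Python example (not code from the presentation or from UPPAAL-CORA). It assumes an explicit graph whose states are plain strings, so string equality stands in for the zone test of slide 10; `BUFFER_STATES`, the file names and the 4x4 grid are constructed for illustration, and `locality=2` corresponds to subtracting layers t and t+1.

```python
import heapq, os, tempfile
from contextlib import ExitStack
from itertools import islice

BUFFER_STATES = 4  # assumption: tiny internal buffer so every bucket spills to disk

def sorted_runs(states, prefix):
    """Bucket buffer: fill with states; when full, sort and flush a run to disk."""
    runs, it = [], iter(states)
    while buf := list(islice(it, BUFFER_STATES)):
        runs.append(f"{prefix}.run{len(runs)}")
        with open(runs[-1], "w") as f:
            f.writelines(s + "\n" for s in sorted(buf))
    return runs

def remove_duplicates(runs, older, path):
    """One parallel scan of sorted files: compact equal neighbours (stage 1) and
    subtract states already stored in the older buckets (stage 2)."""
    with ExitStack() as st, open(path, "w") as out:
        new = heapq.merge(*[st.enter_context(open(r)) for r in runs])
        old = heapq.merge(*[st.enter_context(open(p)) for p in older])
        cur, last, kept = next(old, None), None, 0
        for line in new:
            while cur is not None and cur < line:
                cur = next(old, None)
            if line != last and line != cur:
                out.write(line)
                kept += 1
            last = line
    return kept

def external_bfs(start, successors, locality=2):
    """Return the size of each BFS layer; layers live in files, not in RAM."""
    with tempfile.TemporaryDirectory() as d:
        layers, sizes = [os.path.join(d, "g0")], [1]
        remove_duplicates(sorted_runs([start], layers[0]), [], layers[0])
        while sizes[-1]:
            path = os.path.join(d, f"g{len(layers)}")
            with open(layers[-1]) as f:  # expansion: one scan of the last bucket
                runs = sorted_runs((t for s in f for t in successors(s.strip())), path)
            sizes.append(remove_duplicates(runs, layers[-locality:], path))
            layers.append(path)
        return sizes[:-1]

def grid_successors(state, n=4):  # constructed 4x4 undirected grid, states "rc"
    r, c = int(state[0]), int(state[1])
    steps = [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)]
    return [f"{a}{b}" for a, b in steps if 0 <= a < n and 0 <= b < n]
```

On an odd cycle both previous layers are needed: subtracting only the last one would re-admit states from the layer before it.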

  13. External Breadth-First Branch-and-Bound

  14. Problems with Breadth-First BnB
      • Too much effort until some solution is found.
      • Solution:
        • Explore partial space to search for some solution.
        • Increase the coverage of the space and improve the solution.
      Iterative Broadening External Breadth-First BnB

  15. Iterative Broadening External Breadth-First BnB
      • Only pick best k% nodes for expansion.
      [Figure: search frontier against cost, broadened over iterations k = 20%, 40%, 60%, 80%, 100%.]

  16. Selection Criteria
      • How can we guarantee that the solution will be improved or at least remain the same?
      • Possible if
        (i: layer number, l: iteration)
      • Selection criteria:
        • Best k% of the nodes PLUS
        • all the states that have the same cost as that of the last state of the selected list (select the whole cost plateau) PLUS
        • all the states that have a cost smaller than or equal to the maximum cost selected in the previous iteration (select all plateaus from the previous iteration).
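
The three selection criteria above, as an added in-memory Python example (not code from the presentation or from UPPAAL-CORA) that runs iterative broadening with branch-and-bound pruning over a small state space. The graph, its costs and the convention that goal names start with "G" are constructed for illustration; `prev_max` holds, per layer i, the maximum cost selected in the previous iteration.

```python
import math

# Constructed toy state space: node -> [(successor, transition cost)]; "G*" are goals.
GRAPH = {
    "s": [("a", 1), ("d", 1), ("b", 2), ("c", 3)],
    "a": [("Ga", 9)], "d": [("Gd", 7)], "b": [("Gb", 5)], "c": [("Gc", 1)],
}

def select(layer, k, prev_max):
    """Pick the states to expand from one layer of (cost, state) pairs."""
    layer = sorted(layer)
    n_best = math.ceil(len(layer) * k / 100)      # best k% of the nodes
    bound = layer[n_best - 1][0]                  # cost of the last selected state
    if prev_max is not None:
        bound = max(bound, prev_max)              # all plateaus of the previous iteration
    # taking every state with cost <= bound selects whole cost plateaus
    return [(c, s) for c, s in layer if c <= bound], bound

def iterative_broadening(start, graph, ks=(20, 40, 60, 80, 100)):
    """Return the best goal cost known after each iteration (it never increases)."""
    best, prev_max, history = math.inf, {}, []
    for k in ks:
        layer, i = [(0, start)], 0
        while layer:
            chosen, prev_max[i] = select(layer, k, prev_max.get(i))
            layer = []
            for cost, state in chosen:
                for nxt, w in graph.get(state, []):
                    if cost + w >= best:          # branch-and-bound pruning
                        continue
                    if nxt.startswith("G"):
                        best = cost + w           # new upper bound
                    else:
                        layer.append((cost + w, nxt))
            i += 1
        history.append(best)
    return history
```

With k = 20% the first layer selects both cost-1 states because they share a plateau, and the bound found there prunes the later iterations.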

  17. Iterative Broadening External BF BnB

  18. Aircraft Landing Scheduling Problem
      • 1 runway, 10 planes
      • External Breadth-First BnB

  19. Aircraft Landing Scheduling Problem
      • 2 runways, 20 planes
      • Out-of-space with External Breadth-First BnB

  20. Alternate Modeling of Aircraft Landing Scheduling (Dierks, VVPS’05)
      • Incomplete exploration due to space constraints.
      • 3 runways but 13 clocks
      • External Breadth-First BnB
        • Hard disk usage = 311 Gigabytes
        • RAM usage = 1.8 Gigabytes
        • Time = 12 hours
      • Iterative Broadening did not pay off due to large cost plateaus.

  21. Issues in External Exploration
      • Error trace:
        • No predecessor pointers!
        • Save the predecessor with each state.
        • Trace back from the goal state to the start state breadth-wise.
      • Disk space eaten by duplicate states:
        • Start “Early” Delayed Duplicate Detection

  22. Summary & Outlook
      • Contribution
        • External storage can provide the facility to save open and closed lists.
        • Iterative broadening strategy can outperform simple breadth-first branch-and-bound.
      • Future Work
        • Externality => promising for distributed execution by distributing a layer on multiple processors.
        • Can pause-and-resume your execution to add more hard disks.
        • Completely orthogonal - can be combined with other state-space reduction techniques.
