
Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT

Supported by IST project 2004-511599 (RODIN). Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT. Victor Khomenko University of Newcastle upon Tyne. Shortest violation traces. Can be much shorter than the first computed trace


Presentation Transcript


  1. Supported by IST project 2004-511599 (RODIN) Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT Victor Khomenko University of Newcastle upon Tyne

  2. Shortest violation traces
     • Can be much shorter than the first computed trace
     • Do not contain incidental system activity unrelated to the found error
     • Facilitate debugging, saving the designer's time

  3. Petri net unfolding prefixes
     • Partial-order semantics of PNs
     • Concurrency represented explicitly, using an acyclic PN
     • Alleviate the state space explosion problem
     • Efficient model checking algorithms

  4. Dining Philosophers
     [figure: the Dining Philosophers Petri net and its unfolding prefix]

  5. Model checking on PN unfoldings
     • A Boolean expression is built using the prefix, such that:
       • the expression is unsatisfiable iff the property holds
       • every satisfying assignment of the expression gives a violation trace
     • The expression has the form CONF ∧ VIOL
     • Some of the variables of the expression are associated with the events of the prefix

  6. CONF: Causality
     [figure: the unfolding prefix with an event e highlighted]
     If an event e is executed, then its causal predecessors are also executed (it is enough to require that the direct predecessors of e are executed)

  7. CONF: Conflicts
     [figure: the unfolding prefix with an event e highlighted]
     If an event e is executed, then events in conflict with it cannot be executed (it is enough to require that the events in direct conflict with e are not executed)

  8. VIOL: Deadlock
     [figure: the unfolding prefix with an event e highlighted]
     For every e, either
     • some direct predecessor is not executed, or
     • an event in direct conflict has fired, or
     • e itself has fired

  9. Computing shortest traces
     input: the Boolean expression built from the prefix
     output: T, a shortest violation trace, or UNSAT
     (Threshold_t constrains the number of executed events to at most t)

     A ← SAT_Assignment(expression);
     if A = UNSAT then T ← UNSAT; stop
     T ← Extract_Trace(A); r ← |T|; l ← 0;
     while l < r do
         t ← (l + r)/2;                         (integer division)
         A ← SAT_Assignment(expression ∧ Threshold_t);
         if A = UNSAT then l ← t + 1
         else T ← Extract_Trace(A); r ← |T|;
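The CONF and VIOL constraints of slides 6–8 together with the binary search of slide 9, as an added Python example that is not code from the talk: the SAT solver is replaced by a brute-force search over subsets of the events of a small constructed prefix (largest subsets first, so that the first trace found is deliberately a long one), and a trace is identified with the set of events it executes.

```python
from itertools import combinations
# Constructed toy unfolding prefix (not from the talk). For each event:
# (direct causal predecessors, events in direct conflict with it).
PREFIX = {
    "e1": (set(), {"e2"}),
    "e2": (set(), {"e1"}),
    "e3": ({"e1"}, set()),
    "e4": ({"e3"}, {"e5"}),
    "e5": ({"e3"}, {"e4"}),
    "e6": ({"e4"}, set()),
}

def conf(C):
    """CONF: every executed event has its direct predecessors executed
    and none of the events in direct conflict with it executed."""
    return all(preds <= C and not (confl & C)
               for e, (preds, confl) in PREFIX.items() if e in C)

def viol_deadlock(C):
    """VIOL (deadlock): for every event, a direct predecessor is missing,
    or an event in direct conflict has fired, or the event itself has fired."""
    return all(not preds <= C or bool(confl & C) or e in C
               for e, (preds, confl) in PREFIX.items())

def sat_assignment(threshold=None):
    """Stand-in for the SAT call on CONF and VIOL (and Threshold_t: at most
    `threshold` events fire). Brute force over subsets, largest first."""
    events = sorted(PREFIX)
    for k in range(len(events), -1, -1):
        if threshold is not None and k > threshold:
            continue
        for C in map(frozenset, combinations(events, k)):
            if conf(C) and viol_deadlock(C):
                return C
    return None  # UNSAT

def shortest_violation_trace():
    """Binary search over the threshold, as on slide 9.
    Returns (first trace found, shortest trace, number of SAT calls)."""
    calls, A = 1, sat_assignment()
    if A is None:
        return None, None, calls
    first = T = A
    l, r = 0, len(T)
    while l < r:
        t = (l + r) // 2
        calls += 1
        A = sat_assignment(t)
        if A is None:
            l = t + 1
        else:
            T, r = A, len(A)
    return first, T, calls
```

On this prefix the first deadlock trace found has four events while the shortest has one, reached after three solver calls.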

  10. Threshold constraint
      [figure: n event variables feed a counter whose O(log n)-bit output goes to the threshold constraint]
      • First build a Boolean circuit and then translate it into a Boolean expression (a linear translation is possible by adding new variables)
      • Try to minimize the changes in the circuit if the threshold changes; this is good for incremental SAT

  11. Implementation of the counter
      [figure: conventional adder tree over n inputs]
      Size (if n is a power of 2):
      • 4n − 2 log₂ n − 4 auxiliary variables
      • 16n − 10 log₂ n − 16 clauses
      • 52n − 36 log₂ n − 52 literals
      • Linear translation
      • Large multiplicative constants

  12. Exploiting conflicts
      [figure: the unfolding prefix with a conflict cluster highlighted]
      • Events in a conflict cluster are mutually exclusive
      • An ∨-gate can be used as a counter

  13. Implementation of the counter
      [figure: one ∨-gate per conflict cluster feeding the adder tree over n events]
      • Significant gains if the number of clusters is much smaller than the number of events
      • Need to partition the prefix into the minimum number of conflict clusters
      • An NP-complete problem (reduction from partition into cliques)
      • A greedy algorithm can be used in practice

  14. Exploiting causality
      [figure: the unfolding prefix]
      • If an event in a cluster has fired, some event in a preceding cluster has also fired
      • If Cl1 < Cl2 < … < Cln, then the outputs of the corresponding ∨-gates are ordered

  15. Implementation of the counter
      [figure: the ∨-gates of an ordered chain of clusters feeding a sort-adder over n events]
      A sort-adder is simpler than a conventional one!

  16. Partitioning into chains of clusters
      • Gains if the number of ordered chains of clusters is small
      • Need to partition the conflict clusters into the minimum number of ordered chains
      • The problem can be reduced to maximum matching in bipartite graphs and solved in polynomial time, but this might be inefficient due to the need to work with an implicitly represented graph
      • A greedy algorithm can be used in practice

  17. Experimental results
      • The first computed violation trace can be much longer than a shortest one: computing shortest violation traces can indeed greatly facilitate the debugging process
      • The number of conflict clusters is by many orders of magnitude smaller than the number of events: significant reductions in the size of the threshold constraint

  18. The ideal case
      • If the adder tree can be implemented as a single ∨-gate:
        • 1 (rather than 4n − 2 log₂ n − 4) auxiliary variables
        • n+1 (rather than 16n − 10 log₂ n − 16) clauses
        • 3n+1 (rather than 52n − 36 log₂ n − 52) literals
      • Improvement ratios for n → ∞:
        • variables: ∞
        • clauses: 16
        • literals: 17⅓
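The ∨-gate counter of slides 12–13 and the size figures of slide 18, as an added Python example that is not from the talk: the Tseitin clauses of one OR gate over the event variables of a conflict cluster, a brute-force check that under mutual exclusion the gate output forced by those clauses equals the number of fired events, and the improvement ratios computed from the slide's formulas (n assumed to be a power of 2, with log₂ n taken as its exponent).

```python
def or_gate_clauses(inputs, out):
    """Tseitin clauses for out <-> (x1 or ... or xn); literals are signed ints (DIMACS style)."""
    clauses = [[-out] + list(inputs)]          # out -> x1 or ... or xn
    clauses += [[-x, out] for x in inputs]     # each xi -> out
    return clauses

def cluster_counter_size(n):
    """One conflict cluster of n events counted by a single OR gate (the ideal case).
    Returns (auxiliary variables, clauses, literals); variable n+1 is the gate output."""
    clauses = or_gate_clauses(range(1, n + 1), n + 1)
    return 1, len(clauses), sum(len(c) for c in clauses)

def satisfies(clauses, assignment):
    """assignment maps variable -> bool; a clause holds if one of its literals is true."""
    return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in clauses)

def gate_counts_cluster(n):
    """Events of a conflict cluster are mutually exclusive, so at most one input is true.
    Check that the output value admitted by the clauses is exactly that count (0 or 1)."""
    inputs, out = list(range(1, n + 1)), n + 1
    clauses = or_gate_clauses(inputs, out)
    for fired in [()] + [(i,) for i in inputs]:
        for y in (False, True):
            a = {i: i in fired for i in inputs}
            a[out] = y
            if satisfies(clauses, a) != (y == (len(fired) == 1)):
                return False
    return True

def improvement_ratios(n):
    """Conventional counter size (slide 11) divided by the single-gate size, n a power of 2.
    Returns the ratios for (auxiliary variables, clauses, literals)."""
    k = n.bit_length() - 1  # log2(n) for a power of 2
    return ((4 * n - 2 * k - 4) / 1,
            (16 * n - 10 * k - 16) / (n + 1),
            (52 * n - 36 * k - 52) / (3 * n + 1))
```

For large n the clause and literal ratios approach 16 and 17⅓ while the variable ratio grows without bound, matching slide 18.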

  19. Experimental results: variables

  20. Experimental results: clauses

  21. Experimental results: literals
