Bounded Model Checking for Region Automata

Fang Yu, Bow-Yaw Wang, Yaw-Wen Huang
Institute of Information Science, Academia Sinica, Taiwan
Introduction
- SAT-based model checking: from discrete systems to timed systems
- Challenge
  - How to handle infinite timing behavior?
- Discrete clocks
- Zone predicates
- Region automata
Real-Time System
- Discrete variables plus dense-time clocks
  - Real domain
  - Increase at a uniform rate
  - Reset
[Figure: two clocks X and Y plotted against time 0, 1, 2, ...]
Timed Automata
- Timed automaton <D, X, A, E, I>:
  - D: a set of discrete variables
  - X: a set of clocks
  - A: a set of actions
    - each action is a series of discrete variable assignments
  - E: a set of edges; each edge is associated with
    - a guard condition
    - an action
    - a set of reset clocks
  - I: an initial condition
Timed Automata
- State
  - discrete interpretation
  - clock interpretation
- Transition
  - time elapse (by a positive real)
  - edge fire
Region Automata
- Alur et al. (1990)
- Equivalence class [ν]
  - integral part
  - fraction ordering
- Region graph
  - state
  - transition
[Figure: the regions of a two-clock system drawn in the (x, y) plane]
What's The Problem?
- Region graph [ACD 90]
  - precision, simplicity, and an intrinsic bound
- However...
  - prohibitive size
    - the number of regions is exponential in the number of clocks and in the largest constants of the clock constraints
    - standard model-checking verification becomes infeasible even for moderately sized systems
- Theoretical rather than practical!
Bounded Model Checking
- Biere et al. [BCCFZ 99]
- Boolean formula satisfiability
  - n steps:
- Pros
  - Powerful SAT solvers developed
    - many heuristic approaches
    - capable of handling thousands of variables and millions of clauses
- A powerful support for region automata!
Region Encoding
- Each clock X gets an integer Xd; each pair of clocks with odd Xd gets a fraction relation
  - Xd even: a point [k, k]
  - Xd odd: an open interval (k, k+1)
  - Xd = Mx: X > Cx, the largest constant X is compared with
- Example with Cx = 3: [0, 0] → 0, (0, 1) → 1, [1, 1] → 2, (1, 2) → 3, [2, 2] → 4, (2, 3) → 5, [3, 3] → 6, (3, ∞) → 7 = Mx
[Figure: three clocks X, Y, Z on a time axis 0..8; one valuation encoded as Xd=3, Yd=5, Zd=4 with Xf<Yf; another with fraction relation Xf>Yf, Xf>Zf, Yf>Zf]
Region (In a Two-clock System)
- Example: Xd=5, Yd=3, Xf<Yf
- A region is determined by (Xd, Yd) and, when both Xd and Yd are odd (below Mx and My), by one of Xf<Yf, Xf=Yf, Xf>Yf
[Figure: the (x, y) plane partitioned by the cases Xd even / odd / Mx and Yd even / odd / My; the combinations with no intersection are dropped and the remaining ones cover the universe]
Successor (In a Two-clock System)
- Xd is even, Yd is even: Xd'=Xd+1, Yd'=Yd+1, Xf'=Yf'
- Xd is even, Yd is odd or My: Xd'=Xd++, Yd'=Yd, Xf'<Yf'
- Xd is odd, Yd is odd, and Xf<Yf: Xd'=Xd, Yd'=Yd++
Successor Relation
A General Case: Multi-clock System
- Pair conjunction?
- Example: Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf
  - the pair X, Y asks for Xd'=Xd++ while a pair with Z asks for Xd'=Xd
- A clock can progress only when all its pairs allow it to progress!
[Figure: clocks X, Y, Z on a time axis 0..6 with the pairs XY, XZ, YZ marked]
Who is The Murderer?
- Observation: when clock values are
  - Even: always progress
  - Max: always stay
  - Odd: progress and stay at the same time (contradiction!!)
- Should consider the other pairs before a clock progresses
- Should not progress unless all its pairs allow it to progress
- How to achieve this?
A General Case: Multi-clock System
- An extra case for stuttering: a pair may also keep both clocks and its relation (Xd'=Xd, Yd'=Yd, R'=R)
- Not all stuttering
- Example: Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf
  - Xd'=Xd++, Yd'=Yd++
  - or Xd'=Xd, Zd'=Zd++
  - or Xd'=Xd, Yd'=Yd, R'=R
  - or Xd'=Xd, Zd'=Zd, R'xz=Rxz
[Figure: clocks X, Y, Z on a time axis 0..6 with the pairs XY and XZ marked]
Transition
- Time elapse
- Edge fire
- A step condition
Reachability Analysis

  BoundedFwdReach(I, R, T, MaxBound)
  var i: 0..MaxBound;
  begin
    i := 0;
    F := I(i);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F R(i))) return reachable;
      F := F T(i) R(i);
      i := i + 1;
  end

- Results of each step are added until termination
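The following is an added example, not code from the slides or from xBMC, that makes the preceding slides concrete: it implements the region encoding (Xd even for a point, odd for an open interval, Mx beyond the largest constant, plus the fraction ordering), the time successor of a multi-clock region in which a clock progresses only when every pair allows it, and BoundedFwdReach read over explicit sets of regions instead of SAT formulas. The two-clock automaton, its constants Cx = 2 and Cy = 1, its single edge "x > 1 / reset y" and the two target predicates are constructed for the example; the connectives lost from the pseudocode are taken to mean that the frontier is extended step by step and tested against the target at each depth.

```python
from fractions import Fraction
from math import floor

# Constructed two-clock example (not from the slides): Cx = 2 and Cy = 1 are
# the largest constants x and y are compared with, so Mx = 5 and My = 3.
MAX_CONSTS = {"x": 2, "y": 1}


def region_of(valuation, max_consts=MAX_CONSTS):
    """Encode a clock valuation as a region: xd = 2k for the point [k, k],
    2k + 1 for the open interval (k, k + 1), and Mx = 2*Cx + 1 once x > Cx.
    The fraction relation is a tuple of groups of clocks with odd xd below Mx,
    ordered by increasing fractional part; one group = equal fractions."""
    xd, fracs = {}, {}
    for clock, value in valuation.items():
        if value > max_consts[clock]:
            xd[clock] = 2 * max_consts[clock] + 1        # beyond the max constant
            continue
        k = floor(value)
        frac = value - k
        xd[clock] = 2 * k + (1 if frac > 0 else 0)
        if frac > 0:
            fracs[clock] = frac
    groups = []
    for clock in sorted(fracs, key=lambda c: (fracs[c], c)):
        if groups and fracs[groups[-1][0]] == fracs[clock]:
            groups[-1].append(clock)                     # equal fractions share a group
        else:
            groups.append([clock])
    return (tuple(sorted(xd.items())), tuple(tuple(g) for g in groups))


def time_successor(region, max_consts=MAX_CONSTS):
    """Immediate time successor: the per-pair cases of the slides combined so
    that a clock progresses only when every pair allows it.  Integer points
    leave first; otherwise the clocks with the largest fraction reach the next
    integer; a clock at Mx stays at Mx."""
    xd = dict(region[0])
    groups = [list(g) for g in region[1]]
    points = [c for c, d in xd.items() if d % 2 == 0]   # Mx is odd, so points are below it
    if points:
        for c in points:
            xd[c] += 1
        fresh = sorted(c for c in points if xd[c] != 2 * max_consts[c] + 1)
        if fresh:
            groups.insert(0, fresh)                      # smallest fractions, all equal
    elif groups:
        for c in groups.pop():                           # largest fractions hit the next integer
            xd[c] += 1
    return (tuple(sorted(xd.items())), tuple(tuple(g) for g in groups))


def holds(region, clock, op, const):
    """Atomic guard 'clock op const' on a region: the point k is xd = 2k, so
    x > c iff xd > 2c and x < c iff xd < 2c (Mx satisfies every x > c)."""
    xd = dict(region[0])[clock]
    return xd > 2 * const if op == ">" else xd < 2 * const


def reset(region, clock):
    """Clock reset: back to the point [0, 0] and out of the fraction ordering."""
    xd = dict(region[0])
    xd[clock] = 0
    groups = (tuple(c for c in g if c != clock) for g in region[1])
    return (tuple(sorted(xd.items())), tuple(g for g in groups if g))


def step(region):
    """One step of the constructed automaton: time elapse, or fire its single
    edge 'x > 1 / reset y'."""
    succ = {time_successor(region)}
    if holds(region, "x", ">", 1):
        succ.add(reset(region, "y"))
    return succ


def bounded_fwd_reach(init, target, step, max_bound):
    """BoundedFwdReach over explicit region sets: the frontier plays F, target
    plays R and step plays T.  The target is tested before the bound."""
    frontier, seen, i = set(init), set(init), 0
    while True:
        if any(target(r) for r in frontier):
            return ("reachable", i)
        if i == max_bound:
            return ("unreachable within bound", max_bound)
        frontier = {s for r in frontier for s in step(r)} - seen
        seen |= frontier
        i += 1


def y_reset_after_x_expires(region):        # constructed target: x > Cx and y = 0
    xd = dict(region[0])
    return xd["x"] == 2 * MAX_CONSTS["x"] + 1 and xd["y"] == 0


def y_expired_while_x_at_zero(region):      # constructed target: x = 0 and y > Cy
    xd = dict(region[0])
    return xd["x"] == 0 and xd["y"] == 2 * MAX_CONSTS["y"] + 1


INIT = region_of({"x": Fraction(0), "y": Fraction(0)})

if __name__ == "__main__":
    print(bounded_fwd_reach({INIT}, y_reset_after_x_expires, step, 10))
    print(bounded_fwd_reach({INIT}, y_expired_while_x_at_zero, step, 10))
```

The first query is answered reachable at depth 6 (five time steps bring x past Cx, then the edge resets y); the second is reported unreachable within the bound, which is all BMC can say unless the bound reaches the intrinsic bound of the theorem below.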
Theorem. Given a TA with n regions, BoundedFwdReach() is sound and complete when MaxBound ≥ n.
Implementation
- Standard bit encoding
- A circuit representation
- xBMC
  - makes use of zChaff
  - xBMC 2.0: supports real-time systems
  - xBMC 1.0: supports discrete systems, and has been used to verify program security (DSN 2004)
Fischer's Mutual Exclusion
- Each process
  - X: a local clock
  - L: a global discrete variable
[Figure: the process automaton with locations idle, ready, wait, critical; edge labels: L=Nul; {X} (idle to ready), X<B; L:=P, {X} (ready to wait), X>A; L=P (wait to critical), L!=P (wait back to idle), L:=Nul (critical to idle)]
- Safety property
  - for all i<j, the two processes are not in critical at the same time
  - safe only when A≥B
- Experiments
  - increase the number of processes
  - check whether a violation occurs when A<B
Time Performance of Bug Hunting

| # of processes | Kronos 2.5.2 | Uppaal 3.5.1 | Red 5.0 | SAL 2.1 (inf. BMC) | xBMC 2.0 |
|---|---|---|---|---|---|
| 4 | 0.12 | 0.03 | 0.57 | 86.98 | 3.28 |
| 5 | 0.52 | 0.03 | 1.95 | 420.98 | 10.94 |
| 6 | O/M | 0.06 | 5.70 | O/M | 14.66 |
| 7 | | 0.16 | 14.47 | | 16.83 |
| 9 | | 1.17 | 75.5 | | 46.90 |
| 11 | | 5.08 | 321.04 | | 129.46 |
| 13 | | 12.21 | 1129.18 | | 111.59 |
| 14 | | O/M | 2005.23 | | 237.89 |
| 15 | | | 4234.41 | | 531.73 |
| 16 | | | O/M | | 453.83 |
| 17 | | | | | 414.29 |
| 19 | | | | | 528.66 |
| 22 | | | | | 587.01 |

A=1, B=2. P 1.7 GHz, 256 MB, Linux
Compared to BBMC
- Wozna, Penczek and Zbrzezny (FI 2003)
- BBMC found the witness at the 12th iteration
- xBMC 2.0 found the witness at the 15th iteration

| # of P | BBMC-RG # of variables | BBMC-RG # of clauses | BBMC-ARG # of variables | BBMC-ARG # of clauses | xBMC 2.0 # of variables | xBMC 2.0 # of clauses |
|---|---|---|---|---|---|---|
| 2 | 5,434 | 15,197 | 5,533 | 15,102 | 4,502 | 13,770 |
| 5 | 37,488 | 110,471 | 30,851 | 90,079 | 22,577 | 77,948 |
| 10 | 171,229 | 513,965 | 126,801 | 379,470 | 83,652 | 300,176 |
| 15 | 358,999 | 1,081,790 | 311,501 | 942,085 | 182,842 | 645,297 |
| 20 | 824,374 | 2,493,481 | 556,987 | 1,686,384 | 321,347 | 1,150,023 |

Fischer's Mutual Exclusion, A=1, B=2
Discussion and Related Works
- Discretization
  - Discrete time unit
    - Penczek, Wozna and Zbrzezny (FTRTFT'02)
    - divide a time unit into 2n segments
    - Tool: BBMC
  - General zones/polyhedra
    - quantifier Boolean elimination
    - Seshia and Bryant (CAV'03)
    - Tool: TMV
- Region graph
  - prohibitive size: from infeasible to feasible
  - simple transition relation: SAT-based model checking
Conclusion and Future Work
- We propose a new transition relation encoding based on the region graph
- We realize it in xBMC 2.0
- Standard experiments show some promise in bug hunting
- How about correctness guarantee?
  - An intrinsic bound: usually prohibitively high to reach
  - Unbounded approaches: induction, interpolation. Apply the inductive method (appeared in ATVA 2004)
Conclusion and Future Work
- How about large constants?
  - Large constants did incur worse performance
    - changing B from 2 to 4000: 22 -> 14
  - Apply abstraction techniques
- How about clock difference conditions?
  - Add extra Boolean predicates for clock difference conditions
Thank you for your attention. Any questions are welcome!

Contact info.
Bow-Yaw Wang, bywang@iis.sinica.edu.tw, http://iis.sinica.edu.tw/~bywang
Fang Yu, yuf@iis.sinica.edu.tw, http://iis.sinica.edu.tw/~yuf
Discussion and Related Work
- Symbolic zone model checking
  - Unbounded
  - State: zone
  - Transition: quantifier elimination
  - Explore states until a fixed point is reached
  - Conventional tools: RED (CRD), UPPAAL (DBM), KRONOS (DBM)
- SAT-based zone model checker
  - Seshia and Bryant (CAV'03)
  - Separation logic and predicate encoding
  - Tool: TMV
Region Discretization
- (s, [v]) is represented as (s, vd, vr)
  - vd: integral part
  - vr: fraction part
  - An example