Peeling the Layers of UPPAAL: From a User's Perspective to the Engine
Alexandre David
Gerd Behrmann, Kim G. Larsen, Wang Yi,
Paul Pettersson, Didier Lime, …
18-11-2010 AFSEC 2
Model-Checking
Real-time systems: systems where correctness depends on the logical order of events and on their timings, in addition to correct computation!
Real-time model-checking: model the environment + the tasks. Does the model satisfy φ? Automated proof.
(Figure: a continuous plant and a discrete controller program, coupled through sensors and actuators.)
Controller Synthesis
Controller synthesis: model the environment + what a controller can do. Generate the controller so that the controller satisfies φ! Generate the right code automatically.
2-player timed game: environment moves vs. controller moves ⇒ Timed Game Automata.
(Figure: the same plant/controller loop through sensors and actuators, with the controller program still to be found.)
Refinement
I/O Automata used to model specifications. Check for refinement between models. Combine specifications with operators.
(Figure: specifications and implementations, related by the questions "Refine?" and "Implement?".)
Overview
Part 1: Model-checking with UPPAAL.
Part 2: Controller synthesis with UPPAAL-TIGA.
Part 3: Compositional verification with ECDAR.
Part 1 - Overview
Tool Overview
Modelling Language
Specification Language
Verification Engine
Implementation
Verification Options
Modelling Patterns

Tool Overview
Model-Checking - Overview
Requirements: invariant/safety (something bad never happens), liveness (something good eventually happens).
Good: intuitive formalism, press-button technology.
Bad: state-space explosion – how to fight it?
(Figure: the model, a network of TA, and the specification, a formula φ in TCTL, are fed to UPPAAL, which answers YES or NO, each possibly with a trace.)
Application to Scheduling
Bridge example: four men (5, 10, 20, 25) must get from the unsafe side to the safe side over a damaged bridge (max 2 men) with mines, at night, with one lamp. If possible, find a schedule for all four men to reach the safe side in 60 min.
Can be modeled and solved with timed automata in UPPAAL.
(Figure: the unsafe and safe sides of the bridge, the four men labelled 5, 10, 20 and 25, and the mines.)
Toolkit Overview
Modeling: TA + LSC editor.
Simulation: TA + MSC (+ Gantt chart).
Verification.

Architecture
Local or remote. Linux, Windows, MacOS.

Modelling Language
TA in a Nutshell
(Figure: a lamp automaton with locations off, low and high, whose push? edges carry the guards x≤5 and x>5 and the reset x=0; and a user automaton with location use, invariant x≤1000 and guard x==1000 on its push! edge, reset x=0.)

Timed Automata in UPPAAL
Timed automata with invariants,
shake-hand and broadcast communication,
urgent action channels,
urgent and committed locations,
data-variables (with bounded domains),
arrays of data-variables, constants, guards and assignments over data-variables and arrays…,
templates with local clocks, data-variables, and constants.
C subset.
Modeling Language
Network of TA = instances of templates.
Template arguments: const type expression, or type& name.
Types: built-in types int, int[min,max], bool, arrays; typedef struct { … } name; typedef built-in-type name.
Functions: C-style syntax, no pointers but references OK.
Select: name : type.
+ scalar sets.
More on Expressions
Operators (not clocks):
Logical: && (logical and), || (logical or), ! (logical negation)
Bitwise: ^ (xor), & (bitwise and), | (bitwise or)
Bit shift: << (left), >> (right)
Numerical: % (modulo), <? (min), >? (max)
Assignments: +=, -=, *=, /=, ^=, <<=, >>=, :=
Prefix and postfix: ++ (increment), -- (decrement)
Quantifiers: forall, exists.
Min & max: a <? b, a >? b.
Sums: sum.
Un-timed Example: Jugs
Two jugs (capacities 2 and 5); actions: fill, empty, pour. Goal: obtain 1 unit.
Scalable, compact, & readable model:
  const int N = 2;
  typedef int[0,N-1] id_t;
Jugs have their own id: Jug(const id_t id).
Actions = functions. Pour: from id to another k different from id.

Jugs cont.
Jug levels & capacities:
  int level[N];
  const int capa[N] = {2,5};
  void empty(id_t i) { level[i] = 0; }
  void fill(id_t i) { level[i] = capa[i]; }
  void pour(id_t i, id_t j) {
      int max = capa[j] - level[j];
      int poured = level[i] <? max;
      level[i] -= poured;
      level[j] += poured;
  }
Auto-instantiation: system Jug;
Train-Gate Crossing
(Figure: a river crossing; trains enter a stoppable area before the crossing, with timing intervals [10,20], [7,15] and [3,5]; train edges are labelled appr[id]!, leave[id]!, stop[id]?, go[id]?.)

Train-Gate Modeling
Scale the model:
  const int N = 6;
  typedef int[0,N-1] id_t;
Trains have their local clocks: Train(const id_t id), N trains...
The gate has its local list & functions: Gate controller with list, enqueue(), dequeue(), front().
Communication via channels:
  chan appr[N], stop[N], leave[N];
  urgent chan go[N];
Implementation of the Queue
  id_t list[N+1];
  int[0,N] len;
  id_t front() { return list[0]; }
  id_t tail() { return list[len - 1]; }
  void enqueue(id_t element) { list[len++] = element; }
  void dequeue() {
      int i = 0;
      len -= 1;
      while (i < len) {
          list[i] = list[i + 1];
          i++;
      }
      list[i] = 0;
  }
Scalar Sets
Use: typedef scalar[N] setA; defines a set of N scalars; typedef scalar[N] setB; defines another set of N scalars. It is very important to use the typedef.
chan a[setA]; is an array of channels ranging over a scalar set – similarly for other types.
Limited operations to keep scalars symmetric.
A way to specify symmetries in the model. UPPAAL uses symmetry reduction automatically.
Reduction: project the current state to a representative of its equivalence class (w.r.t. symmetry).

Specification Language
Logical Specifications
Validation properties. Possibly: E<> P
Safety properties. Invariant: A[] P. Possible invariant: E[] P
Liveness properties. Eventually: A<> P. Leads to: P --> Q
Bounded liveness. Leads to within: P -->≤t Q
The expressions P and Q must be type safe, side effect free, and evaluate to a boolean.
Only references to integer variables, constants, clocks, and locations are allowed (and arrays of these).
Jug Example
Safety: never overflow.
  A[] forall(i:id_t) level[i] <= capa[i]
Validation/reachability: how to get 1 unit.
  E<> exists(i:id_t) level[i] == 1

Train-Gate Crossing
Safety: only one train crossing.
  A[] forall (i : id_t) forall (j : id_t) Train(i).Cross && Train(j).Cross imply i == j
Liveness: approaching trains eventually cross.
  Train(0).Appr --> Train(0).Cross
  Train(1).Appr --> Train(1).Cross
  …
No deadlock.
  A[] not deadlock

UPPAAL Verification Engine
Outline
Symbolic exploration with zones
Difference Bound Matrices
Operations
Reachability algorithm
Liveness algorithm
Zones in a Nutshell: From Infinite to Finite
A concrete state (n, x=3.2, y=2.5) is one point in the (x,y) plane; a symbolic state is a set of clock valuations, e.g. (n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3).
Zone: conjunction of constraints of the forms x-y<=n, x<=n, x>=n.
Symbolic Transitions
Edge a from location n to location m with guard x>3 and reset y:=0.
(n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3)
  delays to (1 ≤ x, 1 ≤ y, -2 ≤ x-y ≤ 3),
  conjuncts with x>3 to (3 < x, 1 ≤ y, -2 ≤ x-y ≤ 3),
  projects y:=0 to (3 < x, y=0).
Thus (n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3) →a (m, 3 < x, y=0).
Symbolic Exploration
(Animation: "Reachable?" is answered by stepping through the (x,y) plane, alternating Delay steps with discrete Left and Down steps, each producing a new zone.)
The simulator shows you symbolic states!
Zones = Conjunctive Constraints
A zone Z is a conjunctive formula g1 & g2 & ... & gn, where each gi is a clock constraint: xi ~ bi or xi-xj ~ bij.
Use a zero-clock x0 (constant 0). A zone can then be re-written as a set:
  {xi-xj ~ bij | ~ is < or ≤, i,j ≤ n}
This can be represented as a MATRIX, a DBM (Difference Bound Matrix).
Solution Set as Semantics
Let Z be a zone (a set of constraints). The semantics: [Z] = { u | u is a solution of Z }. (We write Z instead of [Z].)
Operations on Zones
Strongest post-condition (delay): SP(Z) or Z↑, with [Z↑] = {u+d | d ∈ R, u ∈ [Z]}
Weakest pre-condition: WP(Z) or Z↓ (the dual of Z↑), with [Z↓] = {u | u+d ∈ [Z] for some d ∈ R}
Reset: {x}Z or Z(x:=0), with [{x}Z] = {u[0/x] | u ∈ [Z]}
Conjunction: [Z&g] = [Z] ∩ [g]
Theorem on Zones
The set of zones is closed under all constraint operations (including x:=x-c or x:=x+c). That is, the result of an operation on a zone is again a zone: there is a zone (a finite object, i.e. a set of constraints) representing each of the sets [Z↑], [Z↓], [{x}Z].
One-Step Reachability: Si → Sj
Delay: (n,Z) → (n,Z') where Z' = Z↑ ∧ inv(n)
Action: (n,Z) → (m,Z') where Z' = {x}(Z ∧ g), for an edge from n to m with guard g and reset x:=0
Successors(n,Z) = {(m,Z') | (n,Z) → (m,Z'), Z' ≠ Ø}
Sometimes we write (n,Z) → (m,Z') if (m,Z') is a successor of (n,Z).
Implementation: Difference Bound Matrices
A zone over the clocks x1, x2 (plus the zero clock x0) is stored as a matrix of entries xi-xj<=cij:
  x2-x2<=0    x2-x1<=1    x2-x0<=5
  x1-x2<=3    x1-x1<=0    x1-x0<=6
  x0-x2<=-1   x0-x1<=-2   x0-x0<=0
(Figure: the zone drawn in the (x1,x2) plane.)

Difference Bound Matrices
Canonical representation: all constraints as tight as possible. Needed for inclusion checking. → Unique DBM to represent a zone.
  x2-x2<=0    x2-x1<=3    x2-x0<=5
  x1-x2<=3    x1-x1<=0    x1-x0<=6
  x0-x2<=-1   x0-x1<=-2   x0-x0<=0
x2-x1<=5 ? x2-x1<=4 ? (the same zone written with a looser bound on x2-x1; only the tight bound is canonical)
DBMs
How to make them canonical: Floyd-Warshall algorithm.
  for k in 1..dim do
    for i in 1..dim do
      for j in 1..dim do
        dbm[i,j] = min(dbm[i,j], dbm[i,k]+dbm[k,j])
Why? Inclusion checking. Unique representation per zone – storage.
Note 1: the algorithm leaves negative values on the diagonal for empty zones.
Note 2: DBMs can also be seen as graphs.
DBMs
Future:
  for i in 2..dim do
    dbm[i,1] = infinity
Constrain (tighten bounds):
  if old[i,j] ≥ new[i,j] then
    old[i,j] = new[i,j]
    floyddim(i,j,old)
Reset:
  dbm[k,0] = (≤value)
  dbm[0,k] = (≤-value)
  for i in 1..dim do
    dbm[k,i] = dbm[k,0] + dbm[0,i]
    dbm[i,k] = dbm[i,0] + dbm[0,k]
More in the DBM library. Important: preserve canonicity.
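As an added example (not the UDBM library's code), the DBM operations of the two slides above in C++: Floyd-Warshall closure, emptiness via the diagonal, inclusion, future, constrain and reset, with bounds encoded as UDBM does it (2*bound plus a strictness bit; that encoding is an assumption, the slides only show the matrices). symbolicStep() replays the symbolic transition (n, 1≤x≤4, 1≤y≤3) →a (m, 3<x, y=0) from the zones section.

```cpp
#include <algorithm>
#include <array>
#include <climits>

// Added example, not the UDBM library: a 3x3 DBM over the zero clock x0 and the
// clocks x1 = x, x2 = y; entry d[i][j] bounds xi - xj. A bound is encoded like
// UDBM does it, raw = 2*b + 1 for "<= b" and raw = 2*b for "< b", so that the
// integer order on raw values is the order on bounds and min() keeps the tighter.
constexpr int DIM = 3;
using DBM = std::array<std::array<int, DIM>, DIM>;
constexpr int INF = INT_MAX / 4;                 // no bound at all
constexpr int le(int b) { return 2 * b + 1; }    // "<= b"
constexpr int lt(int b) { return 2 * b; }        // "<  b"
constexpr int LE0 = le(0);

int bound(int r) { return (r & 1) ? (r - 1) / 2 : r / 2; }  // floor, negatives too
// Bound addition: (~1 b1) + (~2 b2) = (~ b1+b2), non-strict only if both are.
int add(int r1, int r2) {
    if (r1 == INF || r2 == INF) return INF;
    return 2 * (bound(r1) + bound(r2)) + ((r1 & 1) & (r2 & 1));
}
// Floyd-Warshall closure from the slides: every entry as tight as possible.
void close(DBM& d) {
    for (int k = 0; k < DIM; ++k)
        for (int i = 0; i < DIM; ++i)
            for (int j = 0; j < DIM; ++j)
                d[i][j] = std::min(d[i][j], add(d[i][k], d[k][j]));
}
// Note 1 from the slides: after closure an empty zone has a negative diagonal.
bool isEmpty(const DBM& d) {
    for (int i = 0; i < DIM; ++i) if (d[i][i] < LE0) return true;
    return false;
}
// Inclusion a ⊆ b; only sound on canonical DBMs, which is why closure matters.
bool subset(const DBM& a, const DBM& b) {
    for (int i = 0; i < DIM; ++i)
        for (int j = 0; j < DIM; ++j)
            if (a[i][j] > b[i][j]) return false;
    return true;
}
// Future Z↑ (delay): drop the upper bounds xi - x0; canonical form is preserved.
void up(DBM& d) { for (int i = 1; i < DIM; ++i) d[i][0] = INF; }
// Constrain Z ∧ (xi - xj ~ b): tighten one entry, then restore canonical form.
void constrain(DBM& d, int i, int j, int raw) {
    if (raw < d[i][j]) { d[i][j] = raw; close(d); }
}
// Reset xk := v exactly as on the slides: row/column k follow from the x0 entries.
void reset(DBM& d, int k, int v) {
    d[k][0] = le(v); d[0][k] = le(-v);
    for (int i = 1; i < DIM; ++i) {
        d[k][i] = add(d[k][0], d[0][i]);
        d[i][k] = add(d[i][0], d[0][k]);
    }
}
// The zone with no constraints except x0 = 0 and xi >= 0.
DBM universe() {
    DBM d;
    for (auto& row : d) row.fill(INF);
    for (int i = 0; i < DIM; ++i) { d[i][i] = LE0; d[0][i] = LE0; }
    return d;
}
// The symbolic transition of the slides: (n, 1<=x<=4, 1<=y<=3) delays, conjuncts
// with the guard x>3 and projects y:=0, which must give (m, 3<x, y=0).
DBM symbolicStep() {
    DBM z = universe();
    constrain(z, 1, 0, le(4));  constrain(z, 0, 1, le(-1));  // 1 <= x <= 4
    constrain(z, 2, 0, le(3));  constrain(z, 0, 2, le(-1));  // 1 <= y <= 3
    up(z);                                                   // delay
    constrain(z, 0, 1, lt(-3));                              // guard x > 3 is x0 - x1 < -3
    reset(z, 2, 0);                                          // y := 0
    return z;
}
```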
The DBM Library
DBM library (GPL): federations, subtractions, merge.
Ruby binding (GPL).
UTAP (UPPAAL TA Parser) library (LGPL): syntax of UPPAAL, canonical TA representation.
http://www.cs.aau.dk/~adavid/UDBM/
http://www.cs.aau.dk/~behrmann/utap/
DBM Library - Overview
C API: basic functions.
C++ API: high level types.
Ruby (udbm): Fed wrapper.
Ruby (udbm-gtk): graphical viewer.
Ruby (udbm-sys): high level abstraction.
The Ruby layers (nice & intuitive object oriented interpreted language) sit on top of the C/C++ library.
C/C++ API
Basic functions: delay, constrain, intersection, minimal graph, relation… all basic operations.
High level types: dbm_t and fed_t.
Transparent memory management. Copy-on-write semantics (transparent).
Support for different merging/reduction algorithms of federations.
More complex operators, e.g., subtractions, predt…
Ruby API
Fed wrapper: all operations of fed_t. Hooks to the graphical viewer (transparent).
High level abstraction: Set to represent a set of clock valuations defined by a system of constraints. Context of Clock(s).
Graphical viewer: observer for Fed and Set.
Great educational & research tool!
Forward Reachability Algorithm
Init -> Final ?
  INITIAL Passed := Ø; Waiting := {(n0,Z0)}
  REPEAT
    pick (n,Z) in Waiting
    if (n,Z) = Final return true
    for all (n,Z) → (n',Z'):
      if for some (n',Z'') Z' ⊆ Z'' continue
      else add (n',Z') to Waiting
    move (n,Z) to Passed
  UNTIL Waiting = Ø
  return false
(Figure: the Passed and Waiting lists (PW) while searching from Init towards Final.)
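As an added example (not UPPAAL's own code), the Jugs model and its two queries from the modelling section, explored with the Passed/Waiting scheme of the algorithm above; the jugs have no clocks, so the inclusion check is plain equality and one map serves as the unified passed + waiting list.

```cpp
#include <algorithm>
#include <array>
#include <map>
#include <queue>
#include <string>
#include <vector>

// Added example, not UPPAAL's own code: the Jugs model as a C++ transition
// system explored with the Passed/Waiting scheme of the forward reachability
// algorithm. Jug states are purely discrete (no clocks), so the inclusion
// check degenerates to equality and one map serves as unified Passed + Waiting.
constexpr int N = 2;
constexpr std::array<int, N> capa = {2, 5};   // capacities, as in the model
using State = std::array<int, N>;            // level[N]
// The model's three actions; the model's "<?" is std::min here.
State fill(State s, int i)  { s[i] = capa[i]; return s; }
State empty(State s, int i) { s[i] = 0; return s; }
State pour(State s, int i, int j) {
    int max = capa[j] - s[j];
    int poured = std::min(s[i], max);
    s[i] -= poured;
    s[j] += poured;
    return s;
}
// All successors of s, each labelled with its action for the diagnostic trace.
std::vector<std::pair<std::string, State>> successors(const State& s) {
    std::vector<std::pair<std::string, State>> out;
    for (int i = 0; i < N; ++i) {
        std::string id = std::to_string(i);
        out.push_back({"fill(" + id + ")", fill(s, i)});
        out.push_back({"empty(" + id + ")", empty(s, i)});
        for (int j = 0; j < N; ++j)
            if (j != i) out.push_back({"pour(" + id + "," + std::to_string(j) + ")", pour(s, i, j)});
    }
    return out;
}
struct Result { bool found; std::vector<std::string> trace; };
// Forward reachability: pick from Waiting, compute successors, keep a successor
// only if it is not already in Passed + Waiting, test the goal right after the
// successor computation (early termination) and rebuild the trace via parents.
template <class Goal>
Result reach(Goal goal) {
    State init{};                                         // all jugs empty
    std::map<State, std::pair<State, std::string>> pw;    // state -> (parent, action)
    std::queue<State> waiting;                            // breadth-first order
    pw[init] = {init, ""};
    waiting.push(init);
    State hit = init;
    bool found = goal(init);
    while (!found && !waiting.empty()) {
        State s = waiting.front(); waiting.pop();         // s moves to Passed
        for (const auto& succ : successors(s)) {
            const State& t = succ.second;
            if (pw.count(t)) continue;                    // inclusion check
            pw[t] = {s, succ.first};
            if (goal(t)) { found = true; hit = t; break; }
            waiting.push(t);
        }
    }
    Result r{found, {}};
    if (found)
        for (State s = hit; !pw[s].second.empty(); s = pw[s].first)
            r.trace.push_back(pw[s].second);
    std::reverse(r.trace.begin(), r.trace.end());
    return r;
}
// A[] forall(i) level[i] <= capa[i]: holds iff no overflowing state is reachable.
bool neverOverflows() {
    return !reach([](const State& s) { return s[0] > capa[0] || s[1] > capa[1]; }).found;
}
// E<> exists(i) level[i] == 1: the witness trace shows how to measure 1 unit.
std::vector<std::string> traceToOneUnit() {
    return reach([](const State& s) { return s[0] == 1 || s[1] == 1; }).trace;
}
```

The breadth-first order makes the returned witness a shortest trace, which is what UPPAAL's "shortest" diagnostic trace option asks for.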
Liveness Algorithm [Bouajjani, Tripakis, Yovine, 97]
(Animation: checking a property of the form A<>φ; states are in Passed, on the stack ST, or Unexplored, and the search looks for a loop of states where φ fails, comparing new states against the stack entries by equality (= ?) and inclusion (⊆).)
Implementation
Outline
Architecture of UPPAAL: filters; reachability + liveness + leadsto pipelines; PWList.
Other optimizations: active clock reduction, sharing, symmetry, reuse, virtual machine.
Architecture of UPPAAL
Pipeline architecture: in terms of components and flow of data, not with parallel processing units.
Basic components: sink, source, buffer, filter.

Pipeline Components
(Figure: a Source produces data (states, successors), Filters transform it, a Buffer holds it, and a Sink consumes it.)
Reachability Pipeline
(Figure: the initial state enters Delay, then Extrapolation and Active clock reduction; the PWList answers Accept? (no: Dealloc; yes: Transition and Successor compute new states that are fed back); an Expression filter evaluates the property and Trace produces the diagnostic trace.)

Features
Reusable/exchangeable components. Flexible architecture.
PWList = passed & waiting list: unified structure.
Early termination: check the property after successor computation, not when taking states from the waiting list.
Delay
Initial state pushed here. Future operation + invariant.
Extrapolation
Different algorithms (choice automatic). Correctness depends on which kind of constraints are used.
Basic extrapolation w.r.t. the maximal constants max_x, max_y.
+ active clock reduction: if bound = -∞ then free clock.
(Figure: a zone in the (x,y) plane before and after extrapolation w.r.t. max_x and max_y.)
PWList
PWList = unified passed and waiting list.
Accept = add state if not included in passed + waiting states.
IN: add state to passed + waiting list. OUT: remove from waiting list.
Transition & Successor
Transition computes possible transitions, not states.
Successor computes the successor state: possible resets + variable updates.
Liveness Pipeline
(Figure: Initial state → Delay → Extrapolation + active clock reduction → Transition → Successor → Expression, with the filters Deadlocked?, Unbounded?, Accept? and Loop?; states are kept in a Passed list, a Stack and a Waiting list; Trace output.)
Leadsto Pipeline
p leadsto q, i.e. A[](p ⇒ A<> q): the initial state goes through a reachability pipeline feeding a liveness pipeline.
Standard Passed + Waiting Lists
(Figure: two hashtables over the states, one for the passed list and one for the waiting queue.)
Searching:
  • pop state
  • hash
  • push to passed (inclusion check)
  • successor computation
  • hash
  • push to waiting queue (inclusion check)
2 hash tables, 2 inclusion checks, 1 queue.

PWList
(Figure: one hashtable over a unified list of states, plus a waiting queue of state references.)
Searching:
  • pop state reference
  • successor computation
  • hash
  • push to unified list (inclusion check) and append state reference
1 hash table, 1 inclusion check, 1 queue.
Active Clock Reduction
Definition: clock x is inactive at S if on all paths from S, x is always reset before being tested.
(Figure: locations S and S1 with edges carrying the reset x:=0 and the guards x>3, x<5; x is only active in location S1.)

Active Clock Reduction
For a location S with edges to S1, …, Sk guarded by g1, …, gk and resetting r1, …, rk, the active clocks are
  Act(S) = ⋃_i ( Clocks(g_i) ∪ ( Act(S_i) \ Clocks(r_i) ) )
Only save constraints on active clocks.
Data Sharing
Key idea: working states are different from stored states.
Working states are optimized for computation: symbolic state = discrete part (location + variables) + symbolic part (DBM).
Stored states are optimized for memory: stored state = <lockey, varkey, dbmkey>.
(Figure: the location vector, variables and DBM of a symbolic state for computation are saved into a discrete storage and a symbolic storage, giving the keys lockey, varkey, dbmkey of the symbolic state for storage in the PWList; load and inclusion? go the other way. Data is shared between states.)
In practice: ~80% memory reduction. Easy to change the storage implementation to favor speed over memory.
Compression of integers paired with minimal graph. Convex hull is a special storage.
PWList & Sharing in Figures [SPIN03]
(Figures not recovered.)

Symmetry Reduction [Formats 2003]
Exploitation of full symmetry may give factorial reduction. Many timed systems are inherently symmetric.
Computation of canonical state representative using swaps, e.g. SWAP: 1 2 ; 3 4.
(Figures not recovered.)
Support For Symmetry
Scalar set based symmetry reduction (Martijn Henriks, Nijmegen U).
  typedef scalarset[4] pid_t;   scalarset[n] = {0,…,n-1}, whereas int[0,4] = set of integers
Template sets: process P[i:pid_t](...) {(i)}
Iterators: for (i:pid_t) { a[i+1]=0 }
Quantifiers: forall (i:int[0,4]) a[i+1]==0, exists (i:int[0,4]) a[i+1]==1
Selection: select i: int[0,4]; guard...
Re-using the State-space
Several properties to check: A[] prop1, A[] prop2, … Search in the existing passed list (from previous checks) first. Expand missing states (not all states are stored).
(Figure: goal1, goal2 and goal3 searched from init in the shared Passed + Waiting list.)

Virtual Machine
Expressions (guards & actions) are compiled to bytecode and executed by a virtual machine. Stack machine, minimal instruction set, peep-hole optimization. Opens the door to other optimizations or use of a 3rd party VM.
Nips (Michael Weber): V
M for Promela matches performance of Spin.
Verification Options

Verification Options
Search order: depth first, breadth first.
State space reduction: none, conservative, aggressive.
State space representation: DBM, compact form, under approximation, over approximation.
Diagnostic trace: some, shortest, fastest.
Conservative Reduction
The passed list is not needed for termination when there is no loop… but useful for efficiency.
In case of loops, it is enough to store loop entry points to ensure termination. Slight loss in efficiency, good gain in memory.
Over-approximation: Convex Hull
(Figure: two zones in the (x,y) plane, ticks 1, 3, 5, and their convex hull.)
TACAS04: an EXACT method performing as well as convex hull has been developed, based on abstractions taking max constants into account.
Under-approximation: Bitstate Hashing
(Figure: the Passed list is replaced by a bit array; a hash function maps every passed state to 1 bit.)
1 bit per passed state.
Under-approximation: several states may collide on the same bit.
Inclusion check only with waiting states. "Equality" with passed.
Compact Representation: Minimal Constraint Form [RTSS 1997]
Constraints: x1-x2<=4, x2-x1<=10, x3-x1<=2, x2-x3<=2, x0-x1<=3, x3-x0<=5.
(Figure: the constraints as a weighted graph on x0, x1, x2, x3. Shortest path closure, O(n^3), tightens x2-x1 from 10 to 4; shortest path reduction, O(n^3), then removes redundant edges, leaving a minimal graph.)
Space: worst case O(n^2), in practice O(n).
Large gain in space, small price in time. Verification option "CDS".
Graph Reduction Algorithm
G: weighted graph.
1. Equivalence classes based on 0-cycles.
2. Graph based on representatives. Safe to remove redundant edges.
3. Shortest path reduction = one cycle per class + removal of redundant edges between classes. Canonical given the order of clocks.
Modelling Patterns

Variable Reduction
Reduce the size of the state space by explicitly resetting variables when they are not used!
Automatically performed for clock variables (active clock reduction).
Synchronous Value Passing
(Figure not recovered.)

Atomicity
Loops & complex control structures: C-functions.
To allow encoding of multicasting: committed locations.
Bounded Liveness
Leads to within: φ leadsto≤t ψ. More efficient than leadsto: φ leadsto≤t ψ is reduced to A□(b ⇒ z ≤ t), with bool b set to true and clock z reset when φ holds; when ψ holds set b to false.
The truth value of b indicates whether or not ψ should hold in the future.
(Figure: observer automaton: on φ do b=true, z=0; on ψ do b=false; while b is true, check z ≤ t.)
  A[] (b imply z ≤ t)
  E<> b   (for a meaningful check)
Timers
Parametric timer: (re-)start(value): start! with var=value; expired?; active (bool); active go? (bool + urgent chan); time-out event: timeout?.
Declare 'to' with a tight range.
Urgent Edges
Intent: take an edge as soon as it is enabled (without delay). Condition on the edge, not the location.
Solution limit: no clock constraint (yet).
(Figure: edges guarded by i==1 and i==2 synchronising on an urgent channel, declared urgent chan go;, beside a time-out modelled with the invariant x≤2 and the guard x==2.)
Zenoness
Problem: UPPAAL does not check for zenoness directly.
A model has "zeno" behavior if it can take an infinite number of actions in finite time. That is usually not a desirable behavior in practice. Zeno models may wrongly conclude that some properties hold though they logically should not. Rarely taken into account.
Solution: add an observer automaton and check for non-zenoness, i.e., that time will always pass.

Zenoness
(Figure: a Zeno automaton and an OK automaton, both built from the invariant x≤1 and the reset x=0, next to the observer ZenoCheck with locations A and B and the guards x ≥ 1 / x==1.) Clocks 'x' are local.
Detect by
  • adding the observer: the constant (10) can be anything (>0), but choose it well w.r.t. your model for efficiency;
  • and checking the property ZenoCheck.A --> ZenoCheck.B.
Some Pitfalls
Unbounded integers: the model uses the full range.
Unsynchronized processes: combinatorial explosion.
Unused active variables, especially in arrays.
Case-Studies: Controllers
Gearbox Controller [TACAS’98]
Bang & Olufsen Power Controller [RTPS’99, FTRTFT’2k]
SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]
Real-Time RCX Control-Programs [ECRTS’2k]
Experimental Batch Plant (2000)
RCX Production Cell (2000)
Terma, Memory Management for Radar (2001)

Case Studies: Protocols
Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]
Collision-Avoidance Protocol [SPIN’95]
Bounded Retransmission Protocol [TACAS’97]
Bang & Olufsen Audio/Video Protocol [RTSS’97]
TDMA Protocol [PRFTS’97]
Lip-Synchronization Protocol [FMICS’97]
Multimedia Streams [DSVIS’98]
ATM ABR Protocol [CAV’99]
ABB Fieldbus Protocol [ECRTS’2k]
IEEE 1394 Firewire Root Contention (2000)
End Part 1