Bounded Model Checking for Region Automata
Fang Yu, Bow-Yaw Wang, Yaw-Wen Huang
Institute of Information Science, Academia Sinica, Taiwan
Introduction
SAT-based model checking: from discrete systems to timed systems.
Challenge: how to handle infinite timing behavior?
Candidate approaches: discrete clocks, zone predicates, region automata.
Real-Time System
Discrete variables plus dense-time clocks: a clock ranges over the reals, increases at a uniform rate, and can be reset.
Timed Automata
A timed automaton is a tuple <D, X, A, E, I>:
D: a set of discrete variables
X: a set of clocks
A: a set of actions; each action is a series of discrete variable assignments
E: a set of edges; each edge is associated with a guard condition, an action, and a set of reset clocks
I: an initial condition
: | | | | 1 2ff d q x c
{ , , =}
,
Cx
Timed Automata
State: a discrete interpretation $s : D \to \mathbb{N}$ together with a clock interpretation $\nu : X \to \mathbb{R}_{\ge 0}$.
Transitions:
Time elapse: $(s, \nu) \to (s, \nu + \delta)$ for a positive real $\delta$
Edge fire: $(s, \nu) \xrightarrow{e} (s[a], \nu[R := 0])$ for an edge $e$ with action $a$ and reset set $R$ whose guard holds in $(s, \nu)$
Region Automata
Alur et al. (1990): clock interpretations are grouped into equivalence classes $[\nu]$ (regions), determined by the integral part of every clock and the ordering of the fractional parts.
Region graph: states are pairs $(s, [\nu])$; transitions are
Time elapse: $(s, [\nu]) \to (s, \mathrm{succ}[\nu])$
Edge fire: $(s, [\nu]) \xrightarrow{e} (s[a], [\nu[R := 0]])$
What's The Problem?
Region graph [ACD90]: precision, simplicity, and an intrinsic bound.
However: prohibitive size. The number of regions is exponential in the number of clocks and in the largest constants of the clock constraints, so standard model checking becomes infeasible even for moderately-sized systems.
Theoretical rather than practical!
Bounded Model Checking
Biere et al. [BCCFZ99]: the existence of an n-step path is reduced to Boolean formula satisfiability:
$I(B_0) \wedge T(B_0, B_1) \wedge T(B_1, B_2) \wedge \cdots \wedge T(B_{n-1}, B_n)$
Pros: powerful SAT solvers with many heuristic approaches, capable of handling thousands of variables and millions of clauses.
A powerful support for region automata!
Region Encoding
Each clock X with ceiling Cx gets an integral-part code Xd:
Xd is even: a point
Xd is odd: an open interval
Xd is Mx: X > Cx
For Cx = 3 the codes 0..7 (Mx = 7) stand for [0,0] (0,1) [1,1] (1,2) [2,2] (2,3) [3,3] (3,∞)
Example: Xd=3, Yd=5, Zd=4, Xf<Yf
Each odd pair gets a fraction relation.
Example fraction relation: Xf>Yf, Xf>Zf, Yf>Zf
Region (In a Two-clock System)
Example: Xd=5, Yd=3, Xf<Yf
Every region falls into exactly one of the following cases (no intersection, and together they cover the universe):
Xd is even, Yd is even
Xd is even, Yd is odd or My
Xd is odd or Mx, Yd is even
Xd is odd, Yd is odd, Xf=Yf
Xd is odd, Yd is odd, Xf>Yf
Xd is odd, Yd is odd, Xf<Yf
Xd is odd, Yd is My
Xd is Mx, Yd is odd
Xd is Mx, Yd is My

Successor (In a Two-clock System)
Xd is even, Yd is odd or My: Xd'=Xd+1, Yd'=Yd, Xf'<Yf'
Xd is even, Yd is even: Xd'=Xd++, Yd'=Yd++, Xf'=Yf'
Xd is odd, Yd is odd, and Xf<Yf: Xd'=Xd, Yd'=Yd++
Successor Relation
The time successor of a clock pair, $T_{xy}$, is the disjunction of the cases below (primed symbols denote the successor region):
$v_d(x)$ even and $v_d(y)$ even: $v_d'(x) = v_d(x)+1,\; v_d'(y) = v_d(y)+1,\; v_r'(x,y) = {=}$
$v_d(x)$ even and $v_d(y)$ odd: $v_d'(x) = v_d(x)+1,\; v_d'(y) = v_d(y),\; v_r'(x,y) = {<}$
$v_d(x)$ odd and $v_d(y)$ even: $v_d'(x) = v_d(x),\; v_d'(y) = v_d(y)+1,\; v_r'(x,y) = {>}$
$v_d(x)$ odd, $v_d(x) \ne 2c_x+1$, $v_d(y)$ odd, $v_d(y) \ne 2c_y+1$, $v_r(x,y) = {>}$: $v_d'(x) = v_d(x)+1,\; v_d'(y) = v_d(y)$
$v_d(x)$ odd, $v_d(x) \ne 2c_x+1$, $v_d(y)$ odd, $v_d(y) \ne 2c_y+1$, $v_r(x,y) = {<}$: $v_d'(x) = v_d(x),\; v_d'(y) = v_d(y)+1$
$v_d(x)$ odd, $v_d(x) \ne 2c_x+1$, $v_d(y)$ odd, $v_d(y) \ne 2c_y+1$, $v_r(x,y) = {=}$: $v_d'(x) = v_d(x)+1,\; v_d'(y) = v_d(y)+1$
$v_d(x)$ odd, $v_d(x) \ne 2c_x+1$, $v_d(y) = 2c_y+1$: $v_d'(x) = v_d(x)+1,\; v_d'(y) = v_d(y)$
$v_d(x) = 2c_x+1$, $v_d(y)$ odd, $v_d(y) \ne 2c_y+1$: $v_d'(x) = v_d(x),\; v_d'(y) = v_d(y)+1$
$v_d(x) = 2c_x+1$ and $v_d(y) = 2c_y+1$: $v_d'(x) = v_d(x),\; v_d'(y) = v_d(y)$
$T_{xy}$ is the disjunction ($\vee$) of all these cases.
A General Case: Multi-clock System
Pair conjunction? $T = \bigwedge_{x,y \in X} T_{xy}$
In the three-clock picture, the pair (X,Y) demands Xd'=Xd++ while the pair (X,Z) demands Xd'=Xd.
A clock can progress only when all its pairs allow it to progress!
Example: Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf
Who is The Murderer?
Observation, by the code of a clock value:
Even: always progresses
Max: always stays
Odd: progresses and stays at the same time; it should consider its other pairs before it progresses, and should not progress unless all its pairs allow it to progress
Contradiction!!
How to achieve this?
A General Case: Multi-clock System
An extra case for stuttering: besides its progress case, every pair may stutter.
Pair (X,Y): Xd'=Xd++, Yd'=Yd++, or Xd'=Xd, Yd'=Yd, R'XY=RXY
Pair (X,Z): Xd'=Xd, Zd'=Zd++, or Xd'=Xd, Zd'=Zd, R'XZ=RXZ
Example: Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf becomes Xd=1, Yd=1, Zd=4, Xf=Yf
A General Case: Multi-clock System
An extra case for stuttering, but not all pairs may stutter at once:
$\bigwedge_{x,y \in X} (T_{xy} \vee S_{xy})$, where $S_{xy}$ is the stuttering case of the pair, together with the requirement that not all pairs stutter.
Transition
A step is either a time elapse or an edge fire, so the step condition is
$T(s, s') = T_0(s, s') \vee \bigvee_{e \in E} T_e(s, s')$
where $T_0$ is the time-elapse relation and $T_e$ the relation of edge $e$.
Reachability Analysis
BoundedFwdReach(I, R, T, MaxBound)
  var i: 0..MaxBound;
begin
  i := 0; F := I(i);
  loop forever
    if (i = MaxBound) return unreachable within MaxBound;
    if (SAT(F ∧ R(i))) return reachable;
    F := F ∧ T(i) ∧ ¬R(i);
    i := i + 1;
end.
Results of each step are added until termination.
Theorem: given a TA having n regions, BoundedFwdReach() is sound and complete when MaxBound ≥ n.
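The two-clock successor relation $T_{xy}$ and the BoundedFwdReach loop above, as an added Python example that is not part of the slides or of xBMC: a region is a triple (Xd, Yd, fraction relation) in the encoding of the earlier slides, the transition relation is the time-elapse successor only (no edges), and the SAT query is replaced by an explicit search over sets of regions; the ceilings c_x = 1, c_y = 2 and the target "x beyond its ceiling" are constructed for the example.

```python
from itertools import count

def canon(xd, yd, rel, cx, cy):
    """Region = (v_d(x), v_d(y), v_r(x,y)); the fraction relation is kept
    only while both clocks lie in open intervals below their ceilings."""
    in_open = lambda d, c: d % 2 == 1 and d != 2 * c + 1
    return (xd, yd, rel if in_open(xd, cx) and in_open(yd, cy) else None)

def succ_pair(region, cx, cy):
    """One time-elapse step of the two-clock successor relation T_xy
    (even code = point, odd = open interval, 2c+1 = beyond ceiling c)."""
    xd, yd, rel = region
    mx, my = 2 * cx + 1, 2 * cy + 1
    x_even, y_even = xd % 2 == 0, yd % 2 == 0
    if x_even and y_even:        # both leave their points together: equal fractions
        nxt = (xd + 1, yd + 1, "=")
    elif x_even:                 # x just left a point, so its fraction is the smaller
        nxt = (xd + 1, yd, "<")
    elif y_even:
        nxt = (xd, yd + 1, ">")
    elif xd == mx and yd == my:  # both beyond their ceilings: nothing changes
        nxt = (xd, yd, None)
    elif xd == mx:               # only the clock below its ceiling can still advance
        nxt = (xd, yd + 1, None)
    elif yd == my:
        nxt = (xd + 1, yd, None)
    elif rel == ">":             # the larger fraction reaches the next integer first
        nxt = (xd + 1, yd, None)
    elif rel == "<":
        nxt = (xd, yd + 1, None)
    else:                        # equal fractions: both reach integers at once
        nxt = (xd + 1, yd + 1, None)
    return canon(*nxt, cx, cy)

def bounded_fwd_reach(init, trans, target, max_bound):
    """Explicit-state BoundedFwdReach(I, R, T, MaxBound): F holds the states
    reached after exactly i steps. Returns the first i at which some state of
    F satisfies the target R, or None once i reaches MaxBound."""
    frontier = set(init)
    for i in count():
        if i == max_bound:
            return None                        # unreachable within MaxBound
        if any(target(s) for s in frontier):   # SAT(F and R(i))
            return i
        frontier = {t for s in frontier for t in trans(s)}   # F := F and T(i)

# Constructed instance: ceilings c_x = 1, c_y = 2, both clocks start at 0.
CX, CY = 1, 2
time_step = lambda r: [succ_pair(r, CX, CY)]
beyond_cx = lambda r: r[0] == 2 * CX + 1       # target: x has passed c_x
```

From the origin region the search reaches "x beyond c_x" at step 3, and with MaxBound = 3 it correctly reports unreachable within the bound, since the bound is checked before the SAT query, exactly as in the loop above.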
Implementation
Standard bit encoding with a circuit representation.
xBMC makes use of zChaff. xBMC 2.0 supports real-time systems; xBMC 1.0 supports discrete systems and has been used to verify program security (DSN 2004).
Fischer's Mutual Exclusion
Each process has a local clock X; L is a global discrete variable.
Locations: idle, ready, wait, critical. Edges:
idle -> ready: L=Nul; {X}
ready -> wait: X<B; L:=P, {X}
wait -> idle: L!=P;
wait -> critical: L=P ∧ X>A;
critical -> idle: L:=Nul
Safety property: for all i<j, ¬(P_i.critical ∧ P_j.critical)
Safe only when A≥B.
Experiments: increase the number of processes and check whether a violation occurs when A<B.
Time Performance of Bug Hunting (A=1, B=2; P 1.7 GHz, 256M, Linux; O/M = out of memory)
# of processes | Kronos 2.5.2 | Uppaal 3.5.1 | Red 5.0 | SAL 2.1 (infBMC) | xBMC 2.0
4  | 0.12 | 0.03  | 0.57    | 86.98  | 3.28
5  | 0.52 | 0.03  | 1.95    | 420.98 | 10.94
6  | O/M  | 0.06  | 5.70    | O/M    | 14.66
7  |      | 0.16  | 14.47   |        | 16.83
9  |      | 1.17  | 75.5    |        | 46.90
11 |      | 5.08  | 321.04  |        | 129.46
13 |      | 12.21 | 1129.18 |        | 111.59
14 |      | O/M   | 2005.23 |        | 237.89
15 |      |       | 4234.41 |        | 531.73
16 |      |       | O/M     |        | 453.83
17 |      |       |         |        | 414.29
19 |      |       |         |        | 528.66
22 |      |       |         |        | 587.01
Compared to BBMC (Fischer's Mutual Exclusion, A=1, B=2)
# of P | BBMC-RG variables | BBMC-RG clauses | BBMC-ARG variables | BBMC-ARG clauses | xBMC 2.0 variables | xBMC 2.0 clauses
2  | 5,434   | 15,197    | 5,533   | 15,102    | 4,502   | 13,770
5  | 37,488  | 110,471   | 30,851  | 90,079    | 22,577  | 77,948
10 | 171,229 | 513,965   | 126,801 | 379,470   | 83,652  | 300,176
15 | 358,999 | 1,081,790 | 311,501 | 942,085   | 182,842 | 645,297
20 | 824,374 | 2,493,481 | 556,987 | 1,686,384 | 321,347 | 1,150,023
BBMC: Wozna, Penczek and Zbrzezny (FI 2003). BBMC found the witness at the 12th iteration; xBMC 2.0 found the witness at the 15th iteration.
Discussion and Related Works
Discretization with a discrete time unit: Penczek, Wozna and Zbrzezny (FTRTFT'02) divide a time unit into 2n segments; tool: BBMC.
General zones/polyhedra with quantifier elimination and Boolean encoding: Seshia and Bryant (CAV'03); tool: TMV.
Region graph: from prohibitive size (infeasible) to feasible, through a simple transition relation and SAT-based model checking.
Conclusion and Future Work
We propose a new transition relation encoding based on the region graph and realize it in xBMC 2.0. Standard experiments show some promise in bug hunting.
How about a correctness guarantee? The intrinsic bound is usually prohibitively high to reach; unbounded approaches such as induction and interpolation apply. We apply the inductive method (appeared in ATVA 2004).
Conclusion and Future Work
How about large constants? Large constants did incur worse performance: changing B from 2 to 4000 takes the largest handled case from 22 down to 14.
How about clock difference conditions? Apply abstraction techniques: add extra Boolean predicates for clock difference conditions.
Thank you for your attention. Any questions are welcome!
Contact info.
Bow-Yaw [email protected]
http://iis.sinica.edu.tw/~bywang
Fang [email protected]
http://iis.sinica.edu.tw/~yuf
Discussion and Related Work
Symbolic zone model checking (unbounded): a state is a zone, a transition is computed by quantifier elimination, and states are explored until a fixed point is reached. Conventional tools: RED (CRD), UPPAAL (DBM), KRONOS (DBM).
SAT-based zone model checker: Seshia and Bryant (CAV'03), separation logic and predicate encoding; tool: TMV.
Region Discretization
A region state $(s, [\nu])$ is represented as $(s, v_d, v_r)$, where $v_d$ encodes the integral part and $v_r$ the fraction part.
An example, with $t = \nu(x)$:
$v_d(x) = \begin{cases} 2\lfloor t \rfloor & \text{if } t \le c_x \text{ and } frac(t) = 0 \\ 2\lfloor t \rfloor + 1 & \text{if } t \le c_x \text{ and } frac(t) \ne 0 \\ 2c_x + 1 & \text{otherwise} \end{cases}$
$v_r(x, y) = \begin{cases} < & \text{if } frac(\nu(x)) < frac(\nu(y)) \\ = & \text{if } frac(\nu(x)) = frac(\nu(y)) \\ > & \text{if } frac(\nu(x)) > frac(\nu(y)) \end{cases}$
1 2 1x y z
3 3 2 ,v x v y v z v x yd d d
v x t
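The $v_d$ / $v_r$ encoding of this slide and of the Region Encoding slide, as an added Python example that is not from the slides or from xBMC: exact rational arithmetic is used so that fractional parts compare correctly, a fraction relation is emitted only for odd pairs (both clocks in open intervals below their ceilings), and the clock names, ceilings and values are constructed.

```python
from fractions import Fraction
from itertools import combinations

def encode_clock(t, c):
    """v_d(x) for clock value t with ceiling c_x = c: 2*floor(t) at an integer
    point, 2*floor(t)+1 inside an open interval, 2c+1 (M_x) once t > c."""
    t = Fraction(t)
    if t <= c and t.denominator == 1:   # frac(t) = 0: the point [t, t]
        return 2 * int(t)
    if t < c:                           # frac(t) != 0: the interval (floor t, floor t + 1)
        return 2 * int(t) + 1
    return 2 * c + 1                    # beyond c_x, all values are equivalent

def frac_relation(tx, ty):
    """v_r(x, y): order of the fractional parts of two clock values."""
    fx, fy = Fraction(tx) % 1, Fraction(ty) % 1
    return "<" if fx < fy else ">" if fx > fy else "="

def encode_region(valuation, ceilings):
    """Region of a clock valuation {x: value} under ceilings {x: c_x}:
    the integral-part codes plus one fraction relation per odd pair, i.e.
    per pair of clocks that both lie in open intervals below their ceilings."""
    v_d = {x: encode_clock(t, ceilings[x]) for x, t in valuation.items()}
    in_open = lambda x: v_d[x] % 2 == 1 and v_d[x] != 2 * ceilings[x] + 1
    v_r = {(x, y): frac_relation(valuation[x], valuation[y])
           for x, y in combinations(sorted(valuation), 2)
           if in_open(x) and in_open(y)}
    return v_d, v_r

def same_region(val1, val2, ceilings):
    """Two valuations are region-equivalent iff their encodings coincide."""
    return encode_region(val1, ceilings) == encode_region(val2, ceilings)
```

With all ceilings at 3, the constructed valuation x=1.5, y=2.25, z=2 encodes to Xd=3, Yd=5, Zd=4 with the single odd pair (x,y) related by Xf>Yf, matching the codes of the Region Encoding slide.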