Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT Victor Khomenko University of Newcastle upon Tyne Supported by IST project 2004-511599 (RODIN)


TRANSCRIPT

Page 1: Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT

Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT

Victor Khomenko, University of Newcastle upon Tyne

Supported by IST project 2004-511599 (RODIN)

Page 2

Shortest violation traces

• Can be much shorter than the first computed trace

• Do not contain incidental system activity unrelated to the found error

• Facilitate debugging, saving the designer’s time

Page 3

Petri net unfolding prefixes

• Partial-order semantics of PNs

• Concurrency represented explicitly, using an acyclic PN

• Alleviate the state space explosion problem

• Efficient model checking algorithms

Page 4

Dining Philosophers

[Figure: the dining philosophers Petri net (places P1 to P14, transitions T1 to T10) and its unfolding prefix, in which places such as P1, P7 and P8 and transitions such as T1 and T9 appear as several conditions and events]

Page 5

Model checking on PN unfoldings

• A Boolean expression φ is built from the prefix such that:

  – φ is unsatisfiable iff the property holds

  – every satisfying assignment of φ gives a violation trace

  – φ has the form CONF ∧ VIOL (CONF describes the configurations of the prefix, VIOL the violation of the property)

• Some of the variables of φ are associated with the events of the prefix

Page 6

CONF: Causality

If an event e is executed then its causal predecessors are also executed (it is enough to require that the direct predecessors of e are executed):

$\bigwedge_{e \in E}\ \bigwedge_{f \in {}^{\bullet\bullet}e} (e \Rightarrow f)$

where E is the set of events of the prefix and ${}^{\bullet\bullet}e$ is the set of direct predecessor events of e (the events producing the conditions in the preset of e).

[Figure: the unfolding prefix from page 4]

Page 7

CONF: Conflicts

If an event e is executed then events in conflict with it cannot be executed (it is enough to require that the events in direct conflict with e are not executed):

$\bigwedge_{e \in E}\ \bigwedge_{f \in ({}^{\bullet}e)^{\bullet} \setminus \{e\}} (e \Rightarrow \neg f)$

where $({}^{\bullet}e)^{\bullet} \setminus \{e\}$ is the set of events in direct conflict with e (the other events consuming a condition in the preset of e).

[Figure: the unfolding prefix from page 4]

Page 8

VIOL: Deadlock

For every event e, either

• some direct predecessor of e is not executed, or

• an event in direct conflict with e has fired, or

• e itself has fired:

$\bigwedge_{e \in E} \Big( \bigvee_{f \in {}^{\bullet\bullet}e} \neg f \ \vee\ \bigvee_{f \in ({}^{\bullet}e)^{\bullet} \setminus \{e\}} f \ \vee\ e \Big)$

(i.e. no event of the prefix is enabled after the configuration has been executed)

[Figure: the unfolding prefix from page 4]

Page 9

Computing shortest traces

input:  φ, a Boolean expression (CONF ∧ VIOL)
output: T, a shortest violation trace, or UNSAT

    A ← SAT_Assignment(φ)
    if A = UNSAT then T ← UNSAT; stop
    T ← Extract_Trace(A)
    r ← |T|; l ← 0
    while l < r do
        t ← ⌊(l + r) / 2⌋
        A ← SAT_Assignment(φ ∧ Threshold_t)
        if A = UNSAT then l ← t + 1
        else
            T ← Extract_Trace(A)
            r ← |T|

(Threshold_t is the constraint "at most t events are executed", see the next slide. The loop maintains l ≤ |shortest trace| ≤ r and stops with l = r.)
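The search on this slide, run end to end on a toy prefix, as an added example that is not code from the presentation. CONF and VIOL are encoded as on pages 6 to 8; the prefix, the small DPLL solver (standing in for the incremental SAT solver the slides assume) and the sequential-counter encoding used for Threshold_t (in place of the adder/comparator circuit of the following slides) are this example's own choices. The prefix is built so that the solver's first answer is a long deadlock trace through a chain of events, while the shortest deadlock trace takes the conflicting branch.

```python
# Added example, not from the slides: page 9's binary search over Threshold_t.
# Prefix, DPLL solver and the Sinz-style at-most-k encoding are assumptions.
from itertools import count

# Constructed prefix: event -> (direct predecessor events, events in direct
# conflict). e1 and e2 consume the same condition; e1 starts the chain
# e3 -> e4 -> e5, e2 is a dead end; f is concurrent with everything.
PREFIX = {
    "e1": ([], ["e2"]),
    "e2": ([], ["e1"]),
    "e3": (["e1"], []),
    "e4": (["e3"], []),
    "e5": (["e4"], []),
    "f":  ([], []),
}


def encode(prefix):
    """CONF /\\ VIOL (deadlock) as CNF; the i-th event is variable i+1."""
    idx = {e: i + 1 for i, e in enumerate(prefix)}
    cls = []
    for e, (preds, confl) in prefix.items():
        v = idx[e]
        cls += [[-v, idx[f]] for f in preds]    # causality: e => f
        cls += [[-v, -idx[f]] for f in confl]   # conflict:  e => not f
        # deadlock: a predecessor missing, or a conflicting event fired, or e fired
        cls.append([-idx[f] for f in preds] + [idx[f] for f in confl] + [v])
    return cls


def at_most(xs, k, fresh):
    """Sequential-counter CNF for 'at most k of xs are true' (Sinz 2005), a
    linear encoding with auxiliary variables drawn from the iterator fresh.
    s[i][j] means: at least j+1 of xs[:i+1] are true."""
    n = len(xs)
    if k == 0:
        return [[-x] for x in xs]
    if k >= n:
        return []
    s = [[next(fresh) for _ in range(k)] for _ in range(n)]
    cls = [[-xs[0], s[0][0]]] + [[-s[0][j]] for j in range(1, k)]
    for i in range(1, n):
        cls += [[-xs[i], s[i][0]], [-s[i - 1][0], s[i][0]]]
        for j in range(1, k):
            cls += [[-xs[i], -s[i - 1][j - 1], s[i][j]], [-s[i - 1][j], s[i][j]]]
        cls.append([-xs[i], -s[i - 1][k - 1]])  # xs[i] cannot be the (k+1)-th true one
    return cls


def solve(clauses):
    """Minimal DPLL solver. Returns the set of true variables, or None if UNSAT."""
    nvars = max(abs(l) for cl in clauses for l in cl)

    def propagate(assign):                      # unit propagation, in place
        changed = True
        while changed:
            changed = False
            for cl in clauses:
                if any(assign.get(abs(l)) == (l > 0) for l in cl):
                    continue                    # clause already satisfied
                free = [l for l in cl if abs(l) not in assign]
                if not free:
                    return False                # clause falsified
                if len(free) == 1:
                    assign[abs(free[0])] = free[0] > 0
                    changed = True
        return True

    def dpll(assign):
        if not propagate(assign):
            return None
        for v in range(1, nvars + 1):
            if v not in assign:                 # branch on the first free variable
                for val in (True, False):
                    r = dpll({**assign, v: val})
                    if r is not None:
                        return r
                return None
        return assign

    model = dpll({})
    return None if model is None else {v for v, b in model.items() if b}


def shortest_violation_trace(prefix):
    """Page 9: first trace from phi, then binary search on |T| with Threshold_t.
    Returns (first trace, shortest trace), or (None, None) if phi is UNSAT."""
    phi, events = encode(prefix), list(prefix)
    nvars = len(events)

    def extract(a):                             # Extract_Trace: event variables only
        return [events[v - 1] for v in sorted(a) if v <= nvars]

    a = solve(phi)
    if a is None:
        return None, None
    first = trace = extract(a)
    lo, hi = 0, len(trace)
    while lo < hi:
        t = (lo + hi) // 2
        a = solve(phi + at_most(list(range(1, nvars + 1)), t, count(nvars + 1)))
        if a is None:
            lo = t + 1                          # no violation with at most t events
        else:
            trace, hi = extract(a), len(extract(a))
    return first, trace


if __name__ == "__main__":
    print(shortest_violation_trace(PREFIX))
```

On this prefix the first assignment found is the deadlock reached through e1, e3, e4, e5 (plus the concurrent f), five events long; the search then finds the two-event deadlock trace e2, f and proves with Threshold_1 that nothing shorter exists. A real implementation would keep the solver alive between iterations and only change the threshold, which is what the next slide's remark about incremental SAT is about.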

Page 10

Threshold constraint

• First build a Boolean circuit and then translate it into a Boolean expression (a linear translation is possible by adding new variables)

• Try to minimize the changes in the circuit if the threshold changes – good for incremental SAT

[Figure: the n event variables feed a counter whose O(log n)-bit output is checked against the threshold by a comparator]

Page 11

Implementation of the counter

[Figure: a tree of adders over the n event variables: 1-bit adders at the leaves, then 2-bit adders, then a 3-bit adder, and so on up to the root]

Size (if n is a power of 2):

• 4n – 2 log2 n – 4 auxiliary variables

• 16n – 10 log2 n – 16 clauses

• 52n – 36 log2 n – 52 literals

Linear translation, but with large multiplicative constants

Page 12

Exploiting conflicts

• Events in a conflict cluster are mutually exclusive (at most one of them fires)

• An ∨-gate (OR gate) over the cluster's event variables can therefore be used as its counter: its output is the number (0 or 1) of fired events in the cluster

[Figure: the unfolding prefix from page 4, with one conflict cluster marked]

Page 13

Implementation of the counter

• Significant gains if the number of clusters is much smaller than the number of events

• Need to partition the prefix into the minimum number of conflict clusters

• An NP-complete problem (reduction from partition into cliques)

• A greedy algorithm can be used in practice

[Figure: the ∨-gates of the clusters feed a smaller adder tree over the n events]

Page 14

Exploiting causality

• If an event in a cluster has fired, some event in a preceding cluster has also fired

• If Cl1 < Cl2 < … < Cln, then the outputs of the corresponding ∨-gates are ordered (the output for Cl(i+1) implies the output for Cl(i)), i.e. they form a sorted sequence

[Figure: the unfolding prefix from page 4, with a chain of ordered conflict clusters marked]

Page 15

Implementation of the counter

A sort-adder (an adder whose inputs are already sorted, as the ordered ∨-gate outputs of a chain are) is simpler than a conventional one!

[Figure: adder tree whose leaves are sort-1 adders over the ordered ∨-gate outputs of the chains, followed by 2-bit and 3-bit adders]

Page 16

Partitioning into chains of clusters

• Gains if the number of ordered chains of clusters is small

• Need to partition the conflict clusters into the minimum number of ordered chains

• The problem can be reduced to maximum matching in bipartite graphs and solved in polynomial time, but this might be inefficient due to the need to work with an implicitly represented graph

• A greedy algorithm can be used in practice
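The two greedy partitions of pages 13 and 16, with the size of the resulting threshold constraint, as an added example that is not code from the presentation. The prefix is constructed; the greedy heuristics are this example's own (the slides only say that a greedy algorithm can be used); "Cl1 < Cl2" is taken to mean that every event of Cl2 has a direct predecessor in Cl1, which is a sufficient condition for the ∨-gate outputs to be ordered; and the way the per-gate counts of page 18 (one auxiliary variable, n+1 clauses, 3n+1 literals per ∨-gate) are added to the adder-tree counts of page 11 is an assumption made here to get a before/after comparison.

```python
# Added example, not from the slides: greedy conflict clusters (page 13),
# greedy chains of clusters (page 16) and the size of the threshold constraint
# over events versus over cluster OR-gates (pages 11, 18). All input is constructed.
from math import log2

# Constructed prefix: event -> (direct predecessor events, events in direct
# conflict). a1..a4 consume one shared condition, so they are pairwise in
# conflict; b1 and b2 depend on a1 and a2 and also compete for a shared
# resource condition; c1 follows b1; d is independent of everything.
PREFIX = {
    "a1": ([], ["a2", "a3", "a4"]),
    "a2": ([], ["a1", "a3", "a4"]),
    "a3": ([], ["a1", "a2", "a4"]),
    "a4": ([], ["a1", "a2", "a3"]),
    "b1": (["a1"], ["b2"]),
    "b2": (["a2"], ["b1"]),
    "c1": (["b1"], []),
    "d":  ([], []),
}


def conflict_clusters(prefix):
    """Greedy clique cover of the direct-conflict graph: an event joins the first
    cluster all of whose members it conflicts with, otherwise it starts a new one."""
    clusters = []
    for e, (_, confl) in prefix.items():
        for cl in clusters:
            if all(f in confl for f in cl):
                cl.append(e)
                break
        else:
            clusters.append([e])
    return clusters


def precedes(prefix, cl1, cl2):
    """Cl1 < Cl2: every event of Cl2 has a direct predecessor in Cl1, hence
    'some event of Cl2 fired' implies 'some event of Cl1 fired' (page 14)."""
    return all(any(f in cl1 for f in prefix[e][0]) for e in cl2)


def depths(prefix):
    """Causal depth of each event (0 for events without predecessors)."""
    d = {}

    def go(e):
        if e not in d:
            d[e] = 1 + max((go(p) for p in prefix[e][0]), default=-1)
        return d[e]

    for e in prefix:
        go(e)
    return d


def cluster_chains(prefix, clusters):
    """Greedy partition of the clusters into ordered chains: clusters are taken
    in order of causal depth and appended to the first chain whose last cluster
    precedes them, otherwise they open a new chain."""
    d = depths(prefix)
    chains = []
    for cl in sorted(clusters, key=lambda c: min(d[e] for e in c)):
        for ch in chains:
            if precedes(prefix, ch[-1], cl):
                ch.append(cl)
                break
        else:
            chains.append([cl])
    return chains


def adder_tree_size(n):
    """Page 11 counts for the adder tree over n inputs (given for powers of two)."""
    assert n > 0 and n & (n - 1) == 0, "page 11 gives the formula for powers of two only"
    k = int(log2(n))
    return {"vars": 4 * n - 2 * k - 4,
            "clauses": 16 * n - 10 * k - 16,
            "literals": 52 * n - 36 * k - 52}


def threshold_sizes(prefix, clusters):
    """Counter over all n events (page 11) versus k cluster OR-gates (page 18
    counts per gate, applied uniformly even to singleton clusters) feeding an
    adder tree over k inputs. Summing the two is this example's assumption."""
    n, k = len(prefix), len(clusters)
    plain = adder_tree_size(n)
    gates = {"vars": k, "clauses": n + k, "literals": 3 * n + k}
    tree = adder_tree_size(k)
    return plain, {key: gates[key] + tree[key] for key in plain}


if __name__ == "__main__":
    cl = conflict_clusters(PREFIX)
    print("clusters:", cl)
    print("chains:  ", cluster_chains(PREFIX, cl))
    print("sizes:   ", threshold_sizes(PREFIX, cl))
```

On this prefix eight events collapse into four clusters and two chains, and the counter shrinks from 22 auxiliary variables, 82 clauses and 256 literals to 12, 40 and 112. Singleton clusters need no gate at all in practice, and a chain's ordered outputs would be fed to the sort-adders of page 15 rather than to a conventional adder, so the real saving is larger than this uniform count shows.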

Page 17

Experimental results

• The first computed violation trace can be much longer than a shortest one – computing shortest violation traces can indeed greatly facilitate the debugging process

• The number of conflict clusters is by many orders of magnitude smaller than the number of events – significant reductions in the size of threshold constraint

Page 18

The ideal case

• If the adder tree can be implemented as a single ∨-gate:

  – 1 (rather than 4n – 2 log2 n – 4) auxiliary variables

  – n + 1 (rather than 16n – 10 log2 n – 16) clauses

  – 3n + 1 (rather than 52n – 36 log2 n – 52) literals

• Improvement ratios for n → ∞: variables: unbounded (4n – 2 log2 n – 4 against 1), clauses: 16, literals: 17⅓

Page 19

Experimental results: variables

[Plot: improvement ratio for variables (log scale, 1 to 1000) against |E \ E_cut| (log scale, 1 to 100000)]

Page 20

Experimental results: clauses

[Plot: improvement ratio for clauses (0 to 18) against |E \ E_cut| (log scale, 1 to 100000)]

Page 21

Experimental results: literals

[Plot: improvement ratio for literals (0 to 18) against |E \ E_cut| (log scale, 1 to 100000), with a reference line at 17.3, the 17⅓ limit from page 18]