Unbounded, Fully Symbolic Model Unbounded, Fully Symbolic Model Checking of Timed Automata Checking of Timed Automata

using Boolean Methodsusing Boolean Methods

Unbounded, Fully Symbolic Model Unbounded, Fully Symbolic Model Checking of Timed Automata Checking of Timed Automata

using Boolean Methodsusing Boolean Methods

Sanjit A. Seshia Sanjit A. Seshia andand Randal E. Bryant Randal E. Bryant

Computer Science DepartmentComputer Science Department

Carnegie Mellon UniversityCarnegie Mellon University

-2-

Timed AutomataTimed Automata

A modeling formalism for timed systemsA modeling formalism for timed systems• e.g., Real-time systems, Timed asynchronous

circuits

Generalization of finite automaton with:Generalization of finite automaton with:• Non-negative real-valued clock variables

Can only be reset to 0 or another clock

• Constraints on clocks as guards on states and transitions

Alur, Courcoubetis, & Dill, ‘90

s=true

x1 · 5

s=false

x1 · 10

x2 · 8

x1 ¸ 3 / x1 := 0

x1 ¸ 4 Æ x2 ¸ 6 / x2 := 0

-3-

Model Checking the Timed CalculusModel Checking the Timed CalculusSystem Properties expressed in the Timed System Properties expressed in the Timed calculus calculus

[Henzinger et al. ’94]

Can express Timed CTLCan express Timed CTL• Dense time version of CTL

Two kinds of TCTL formulas:Two kinds of TCTL formulas:• Reachability properties: Safety and bounded liveness

E.g. AG (file requested AF· 5 (file received))

• Non-reachability properties: Unbounded liveness E.g. AG . z:= 0 . EF (z = 1) [non-zenoness]

-4-

Symbolic vs. Fully Symbolic Unbounded Model CheckingSymbolic vs. Fully Symbolic Unbounded Model Checking State space has Boolean and real-valued State space has Boolean and real-valued

componentscomponents

SYMBOLIC FULLY SYMBOLIC

Separate representation for real and Boolean components

Combined representation for real and Boolean components

Model Checkers: Uppaal, KronosModel Checkers: RED, DDD (Difference

Decision Diagram), Our approach

Example: Two symbolic states

(b, x ¸ 3), (: b, x ¸ 3)

Example: Combined state set

x ¸ 3

-5-

Unbounded, Fully Symbolic Model CheckingUnbounded, Fully Symbolic Model Checking Set of states represented as a formula Set of states represented as a formula in in

separation logicseparation logic (SL) (SL)• Boolean Combinations (Æ, Ç, :) of

Boolean variables: ei

Separation Predicates: xi ¸ xj + c, xi > xj + c» Also called “difference-bound” constraints

0 represented as special variable x0

• Adding quantifiers over clock and Boolean variables gives quantified separation logic (QSL)

Fundamental model checking operationsFundamental model checking operations• Image computation: Quantifier elimination for QSL• Termination check: Validity checking for SL

[Henzinger, Nicollin, Sifakis, Yovine ’94]

-6-

Our ApproachOur Approach

Use Boolean encoding of separation Use Boolean encoding of separation predicatespredicates

Quantifier Elimination in QSL: Quantifier Elimination in QSL: • Eliminating quantifiers over real variables in QSL

Eliminating quantifiers over Boolean variables in quantified Boolean formulas (QBF)

Validity checking of SL: Validity checking of SL: • By translation to SAT [Strichman, Seshia, Bryant, CAV’02]

-7-

Talk OutlineTalk Outline

Pre-image Computation via QSL Quantifier Pre-image Computation via QSL Quantifier Elimination Elimination

QSL Quantifier Elimination QSL Quantifier Elimination QBF Quantifier QBF Quantifier EliminationElimination

Exploiting Special QSL Formula StructureExploiting Special QSL Formula Structure

OptimizationsOptimizations

Preliminary Experimental ResultsPreliminary Experimental Results

Conclusions & Future workConclusions & Future work

-8-

Pre OperatorPre Operator

2x1 := 0

b := true

b = falsex1

x2

b = true

x2

x1b = true

x2

x1

b = true

x2

x1

Timed Pre, pret

Discrete Pre, pred

time elapse

b = true

x2

x1

-9-

Pre OperatorPre Operator

pre() , pred() Ç pret()

• pred() does not require quantifier elimination

• pret() is expressed in Quantified Separation Logic (QSL)

-10-

Timed Pre Operator in QSL Timed Pre Operator in QSL

preprett(() ) ,, 99 . . ·· x x00 ÆÆ [ [ / x / x00] ]

-11-

Timed Pre Operator in QSL Timed Pre Operator in QSL

inv

preprett(() ) ,, 99 . . ·· x x00 ÆÆ [ [ / x / x00] ] ÆÆ 88 ( ( ·· ·· x x00 ) ) invinv[[ / x / x00] )] )

• inv is the conjunction of all state guards

-12-

Quantifier Elimination ProblemQuantifier Elimination Problem Start with QSL formula Start with QSL formula , where , where ,, 99 x xaa . .

• To handle 8 xa . , start with 9 xa . : and negate the result

Need to find SL formula Need to find SL formula ’ such that ’ such that ,, ’’

Previous approaches:Previous approaches:• Enumerate DNF terms in • Perform Fourier-Motzkin elimination on each• Differ in data structure used to represent • Problem: Can be exponentially many DNF terms• E.g., Difference Decision Diagrams (DDDs) [Møller

et al. ’99], RED [Wang ’03]

-13-

Example: Difference Decision Diagrams (DDDs) [Møller et al. ’99]

Example: Difference Decision Diagrams (DDDs) [Møller et al. ’99]

99 x x33 . (x . (x11 ¸̧ x x33 ÇÇ x x33 ¸̧ x x11+2) +2) ÆÆ x x00 ¸̧ x x33-5 -5 ÆÆ x x33 ¸̧ x x22

x1 ¸ x3

x3 ¸ x1 + 2

x3 ¸ x2

x0 ¸ x3 - 5

10

(x(x11 ¸̧ x x22 Æ Æ xx00 ¸̧ x x22-5) -5) ÇÇ (x (x00 ¸̧ x x11-3 -3 ÆÆ x x00 ¸̧ x x22-5)-5)

0

x0 ¸ x1 - 3

x0 ¸ x2 - 5

x1 ¸ x2

x0 ¸ x2 - 5

1x1 ¸ x3

x3 ¸ x2

x1 ¸ x2

-14-

QSL Quantifier Elimination via QBF Quantifier EliminationQSL Quantifier Elimination via QBF Quantifier Elimination Start with Start with ,, 99 x xaa . .

Quantifier elimination done in 3 steps:Quantifier elimination done in 3 steps:1. Translate to another QSL formula ’ where:

’ has quantifiers only over Boolean variables is equivalent to ’

2. Encode ’ as a QBF

3. Eliminate Boolean quantifiers and translate the result back to a SL formula ’

-15-

Step 1: Real to Boolean QuantificationStep 1: Real to Boolean Quantification

99 x x33 . (x . (x11 ¸̧ x x33 ÇÇ x x33 ¸̧ x x11+2) +2) ÆÆ x x00 ¸̧ x x33-5 -5 ÆÆ x x33 ¸̧ x x22

(e(e11 ÇÇ e e22) ) ÆÆ e e33 Æ Æ e e44

e1 xx11 ¸̧ x x33

e2 xx33 ¸̧ x x11 + 2 + 2

e3 xx00 ¸̧ x x33 - 5 - 5

e4 xx33 ¸̧ x x22

Æ99 e e11, e, e22, ,

ee33, e, e44 . . (e(e11

ÆÆ ee44) ) )) (x (x11 ¸̧ x x22))

ÆÆ (e (e22 ÆÆ e e33) ) )) (x (x00 ¸̧ x x1 1 - 3)- 3)

ÆÆ (e (e33 ÆÆ e e44) ) )) (x (x00 ¸̧ x x2 2 - 5)- 5)

Transitivity Constraints

-16-

Step 2: Encode Remaining Separation PredicatesStep 2: Encode Remaining Separation Predicates

e1 xx11 ¸̧ x x33

e2 xx33 ¸̧ x x11 + 2 + 2

e3 xx00 ¸̧ x x33 - 5 - 5

e4 xx33 ¸̧ x x22

(e(e11 ÆÆ ee44) ) )) (x (x11 ¸̧ x x22))

ÆÆ (e (e22 ÆÆ e e33) ) )) (x (x00 ¸̧ x x1 1 - 3)- 3)

ÆÆ (e (e33 ÆÆ e e44) ) )) (x (x00 ¸̧ x x2 2 - 5)- 5)

Æ

Transitivity Constraints

(e(e11 ÇÇ e e22) ) ÆÆ e e33 Æ Æ e e44

99 e e11, e, e22, ,

ee33, e, e44 . .

ee5 5

ee55 xx11 ¸̧ x x22

ee6 6

ee66 xx00 ¸̧ x x11 - 3 - 3 ee77 xx00 ¸̧ x x22 - 5 - 5

ee7 7

-17-

Step 3: Eliminate Quantifiers and Map back to SLStep 3: Eliminate Quantifiers and Map back to SL

e1 xx11 ¸̧ x x33

e2 xx33 ¸̧ x x11 + 2 + 2

e3 xx00 ¸̧ x x33 - 5 - 5

e4 xx33 ¸̧ x x22

(e(e11 ÆÆ ee44) ) )) e e55

ÆÆ (e (e22 ÆÆ e e33) ) )) e e66

ÆÆ (e (e33 ÆÆ e e44) ) )) e e77

Æ

(e(e11 ÇÇ e e22) ) ÆÆ e e33 Æ Æ e e44

99 e e11, e, e22, ,

ee33, e, e44 . .

ee55 xx11 ¸̧ x x22 ee66 xx00 ¸̧ x x11 - 3 - 3 ee77 xx00 ¸̧ x x22 - 5 - 5

(e5 Æ e7) Ç (e6 Æ e7)

(x(x11 ¸̧ x x22 Æ Æ xx00 ¸̧ x x22-5) -5) ÇÇ (x (x00 ¸̧ x x11-3 -3 ÆÆ x x00 ¸̧ x x22-5)-5)

-18-

Evaluating Our ApproachEvaluating Our Approach

Our approach avoids enumerating DNF terms Our approach avoids enumerating DNF terms of of

Can use either BDD or SAT methods for Can use either BDD or SAT methods for quantifier elimination (or a combination)quantifier elimination (or a combination)• BDD-based method: Can exploit quantifier

scheduling heuristics

• SAT-based method: Rely on SAT solver to enumerate DNF terms in ’

Number of transitivity constraints is at most Number of transitivity constraints is at most OO((mm22)) where where mm is number of separation is number of separation predicates in predicates in

-19-

Exploiting Structure of pretExploiting Structure of pret

Consider QSL formulas of the form:Consider QSL formulas of the form: 9 . · x0 Æ [ / x0]

• Recall that x0 stands for 0

Can exploit special structure to generate Can exploit special structure to generate fewer quantified Boolean variablesfewer quantified Boolean variables

Can similarly handle Can similarly handle 99 . . ¸̧ x x00 ÆÆ [ [ / x / x00] ]

Half of all quantifier elimination operationsHalf of all quantifier elimination operations

-20-

A Region in R2A Region in R2

-21-

Shifting the Region by Shifting the Region by

[[ / x / x00] for ] for ·· 0 0

x1

x2

x1= x0 + c

x1= + c

-22-

Geometric Interpretation of Quantified FormulaGeometric Interpretation of Quantified Formula99 . . ·· x x00 ÆÆ [ [ / x / x00] is shaded region plus ] is shaded region plus

45°

Observation:

Only lower bounds on are eliminated;

Upper bounds and diagonals remain intact

x1

x2

x1 ¸ c

x2 · c’

x2 - x1 ¸ c’’

-23-

Quantifier Elimination StrategyQuantifier Elimination Strategy

To eliminate To eliminate from from 99 . { . { ·· x x00 ÆÆ [ [ / x / x00] }] }• Introduce existential quantifiers only over Boolean

variables encoding lower bound predicates in (bounds of the form xi ¸ c)

• Generate only those transitivity constraints involving lower bound predicates

Empirically, results in 10-20 times speedupEmpirically, results in 10-20 times speedup

-24-

Optimization: Checking if Bounds are Conjoined Optimization: Checking if Bounds are Conjoined Avoid generating transitivity constraints Avoid generating transitivity constraints

wherever possiblewherever possible

99 xx22 . x . x11 ¸̧ x x22 ÇÇ x x22 ¸̧ x x33 • x1 ¸ x2 and x2 ¸ x3 not conjoined, hence no

transitivity constraint generated• “Conjunctions matrix” [Strichman, FMCAD’02]

99 xx22 . (x . (x11 ¸̧ x x22 ÆÆ x x22 ¸̧ x x33) ) ÇÇ x x33 > x > x22 • x1 ¸ x2 and x2 ¸ x3 not conjoined in minimized DNF

of quantifier-free part

• 9 x2 . x1 ¸ x2 Ç x3 > x2

Can check easily using BDDsCan check easily using BDDs

-25-

Optimization for a BDD-based ImplementationOptimization for a BDD-based Implementation Suppose we use BDDs to represent the Suppose we use BDDs to represent the

Boolean encodings of SL formulasBoolean encodings of SL formulas

Some BDD paths might be infeasible (as in Some BDD paths might be infeasible (as in the case of DDDs)the case of DDDs)• Use “Restrict” operator to eliminate paths in the

BDD that violate transitivity constraints

• Problems: Not all infeasible paths eliminated due to BDD variable

ordering constraints Imposes an overhead

-26-

Experimental SetupExperimental Setup

Benchmark: Fischer’s timed mutual Benchmark: Fischer’s timed mutual exclusion protocol, for increasing numbers exclusion protocol, for increasing numbers of processesof processes

Compared against DDD and RED fully Compared against DDD and RED fully symbolic model checkerssymbolic model checkers• For 1 reachability property and 1 non-reachability

property

Our model checker used the CUDD package Our model checker used the CUDD package as the Boolean (quantification) engineas the Boolean (quantification) engine

-27-

Results (1)Results (1) Results for non-reachability formula (non-zenoness) Results for non-reachability formula (non-zenoness)

• TMV: Our model checker

• Kronos & Red are the only other model checkers that can handle non-reachability properties

Number of Processes

Kronos Time (sec.)

Red Time (sec.)

TMV Time (sec.)

3 0.03 0.28 0.24

4 0.23 1.30 0.44

5 1.98 5.05 0.80

6 * 17.80 2.15

7 * 57.95 6.61

-28-

Results (2)Results (2) Results for reachability property (mutual exclusion)Results for reachability property (mutual exclusion)

Num. Proc

Red Time (sec.)

DDD Time (sec.)

TMV Time (sec.)

3 0.21 0.06 0.114 1.13 0.11 0.385 4.53 0.33 1.856 15.11

0.90 17.41

7 46.31 2.65 *

Reason: DDD’s local node elimination operationsReason: DDD’s local node elimination operations

x1 ¸ x2

x1 ¸ x2 + 2

10

xx11 ¸̧ x x22 ÇÇ x x11 ¸̧ x x22+2+2x1 ¸ x2

10 xx11 ¸̧ x x22

-29-

Conclusions & Ongoing WorkConclusions & Ongoing Work

New fully symbolic model checking New fully symbolic model checking technique based on Boolean methods technique based on Boolean methods

Solving QSL via translation to QBF canSolving QSL via translation to QBF can• Outperform other fully symbolic approaches

• Check any property in Timed calculus

• Leverage advances in SAT/QBF

Ongoing WorkOngoing Work• Using a SAT-based QBF solver

• Improving BDD-based implementation

• Lazy vs eager Boolean encoding tradeoffs