Bounded Model Checking for Region Automata Fang Yu, Bow-Yaw Wang, Yaw-Wen Huang

Institute of Information Science

Academia Sinica, Taiwan

Introduction

SAT-based model checking from discrete systems to time systems

Challenge How to handle infinite timing behavior?

Discrete clocks Zone predicates

Region Automata

Real-Time System

Discrete variables plus dense-time clocks Real domain A uniform rate increase Reset

0 1 2

X:Y:

…

Timed Automata

Timed Automata <D, X, A, E, I>: D: A set of discrete variables X: A set of clocks A: A set of actions

Each action is a series of discrete variable assignments E: A set of edges, each edge is associated with

: Guarded condition : An action : A set of reset clocks

I: An initial condition

: | | | | 1 2ff d q x c

{ , , =}

,

Cx

Timed Automata

State Discrete interpretation Clock interpretation

Transition Time elapse

Edge fire

, ,s s v

: , ,, [ ], [ ]

es s

,s :s D N

0: X R

A positive real

Region Automata

Alur et al (1990) Equivalence class [ν]

integral part fraction ordering

Region Graph State Transition

x

y

Cx

Cy

,s

,[ ] , [ ]

: , ,,[ ] [ ],[ [ ]]

s s succ

es s

0

What’s The Problem?

Region Graph [ACD90] Precision, simplicity, and an intrinsic bound

However… Prohibitive size

Regions exponential to the number and the max constraint constants of clocks

Standard model checking verification becomes infeasible even for moderately-sized systems

Theoretical rather than practical!

Bounded Model Checking

Biere et al.[BCCFZ99] Boolean formula satisfiability

n steps: Pros

Powerful SAT solvers developed Many heuristic approaches Over thousands of variables and millions of clauses cap

able

, , ,0 0 1 1 2 1I B T B B T B B T B Bn n

A powerful support for region automata!

Region Encoding

x

Cx

0 1 2 3

Xd=3, Yd=5, Zd=4, Xf<Yf

0 1 2 3 4 5 6 7

0 1 2 3

0 1 2 3 4 5 6 7(Mx)

Xd is even a point Xd is odd an open interval

Xd is Mx X>Cx

4 …

8 …

X:Y:Z:

Xd0 1 2 3

0 1 2 3 5 6 74

X:Y:Z:

Each odd pair a fraction relation

Fraction relation: Xf>Yf, Xf>Zf, Yf>Zf

[0,0] [1,1] [2,2] [3,3](0,1) (1,2) (2,3) (3,∞]

Region (In a Two-clock System)

x

y

Cx

Cy

0 1 2 3

Xd=5, Yd=3, Xf<Yf

0 1 2 3 4 5 6 7

0

Xd is even, Yd is evenXd is even, Yd is odd or MyXd is odd or Mx, Yd is evenXd is odd , Yd is odd, Xf=YfXd is odd, Yd is odd, Xf>YfXd is odd, Yd is odd, Xf<Yf Xd is odd, Yd is MyXd is Mx, Yd is oddXd is Mx, Yd is My• No intersection • Universe

X:Y:

Xd is even, Yd is odd or My

Xd’=Xd+1, Yd’=Yd, Xf’<Yf’

Successor (In a Two-clock System)

Xd is even, Yd is even

Xd’=Xd++, Yd’=Yd++, Xf’=Yf’

Xd is odd, Yd is odd,and Xf<Yf

Xd’=Xd, Yd’ =Yd++

Successor Relation

╱ ■▅ █

is and is

' 1, ' 1, ' ,

v x even v y evend dv x v x v y v y v x yd d d d

▏◤ ▋▅ ■

╴◢ ▋▅ ■

◢▏

◤╴

╱

▋▏▅╴

■■

is and is

' 1, ' , ' ,

v x even v y oddd dv x v x v y v y v x yd d d d

is and is

' , ' 1, ' ,

v x odd v y evend dv x v x v y v y v x yd d d d

is , 2 1, is , 2 1, ,

' 1, '

v x odd v x c v y odd v y c v x yd d x d d yv x v x v y v yd d d d

is , 2 1, is , 2 1, ,

' , ' 1

v x odd v x c v y odd v y c v x yd d x d d yv x v x v y v yd d d d

is , 2 1, is , 2 1, ,

' 1, ' 1

v x odd v x c v y odd v y c v x yd d x d d yv x v x v y v yd d d d

is , 2 1, 2 1

' 1, '

v x odd v x c v y cd d x d y

v x v x v y v yd d d d

=2c +1, is , 2 1x

' , ' 1

v x v y odd v y cd d d y

v x v x v y v yd d d d

=2 +1 and =2 +1

' , '

v x c v y cd x d yv x v x v y v yd d d d

'xy Ú

Z

A General Case: Multi-clock System Pair Conjunction?

X

Y

Xd’=Xd++

Xd’=Xd

,x y X

xy

Ù

A clock can progress, only when all its pairs allow it to progress!

0 1 2 3

0 1 2 3 4 5 6

X:Y:Z:

Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>Zf

Who is The Murderer?

Observation: when clock values are Even: always progress Max: always stay Odd: progress and stay at the same time

Should consider other pairs before progresses Should not progress unless all its pairs allow it to

progress

Contradiction!!

How to achieve this?

Z

A General Case: Multi-clock System An extra case for stuttering

Not all stuttering

X

Y

Xd’=Xd++, Yd’=Yd++ Xd’=Xd, Zd’=Zd++

Or Xd’=Xd, Yd’=Yd, R’XY=RXY

◢ ╱ ◤ ▋ ▅◢ ╱ ◤ ▋ ▅

Or Xd’=Xd, Zd’=Zd R’xz=Rxz

0 1 2 3

0 1 2 3 4 5 6

X:Y:Z:

Xd=1, Yd=1, Zd=3, Xf=Yf, Xf>Zf, Yf>ZfXd=1, Yd=1, Zd=4, Xf=Yf

A General Case: Multi-clock System An extra case for stuttering

Not all stuttering

◢ ╱ ◤ ▋ ▅◢ ╱ ◤ ▋ ▅

,x y X

s ASxy

Ù

sxy xy

Transition

Time elapse

Edge fire

A step condition

Te eÚ

'T s s

T T Te 0

Reachability Analysis

BoundedFwdReach(I, R, T, MaxBound) var i: 0.. MaxBound;

begin i := 0; F := I(i); loop forever if(i=MaxBound)

return unreachable within MaxBound; if(SAT(FR(i)))

return reachable; F := FT(i) R(i);

i := i+1;end.

Results of each step are added until termination

Theorem

Given a TA having n regions,

BoundedFwdReach() is sound and complete

when MaxBound≥n.

Implementation

Implementation Standard bit encoding A circuit representation

xBMC Make use of zChaff xBMC 2.0: supports real-time systems xBMC 1.0: supports discrete systems, and has be

en used to verify program security(DSN2004)

Fischer’s Mutual Exclusion

idle

criticalwait

ready

L=Nul;{X}

X<B;L:=P, {X}

L!=P;

L=PX>A;

L:=Nul

Each process X: a local clock L: a global discrete variable

Safety property For all i<j,

Safe, only when A≥B Experiments

Increase the number of processes

Check whether a violation occurs when A<B

. .i critical j critical

Time Performance of Bug Hunting# of

processesKronos 2.5.2

Uppaal 3.5.1

Red 5.0 SAL 2.1 ( infBMC )

xBMC 2.0

4 0.12 0.03 0.57 86.98 3.28

5 0.52 0.03 1.95 420.98 10.94

6 O/M 0.06 5.70 O/M 14.66

7 0.16 14.47 16.83

9 1.17 75.5 46.90

11 5.08 321.04 129.46

13 12.21 1129.18 111.59

14 O/M 2005.23 237.89

15 4234.41 531.73

16 O/M 453.83

17 414.29

19 528.66

22 587.01

A=1, B=2. P1.7 GHz, 256M, Linux

Compared to BBMC

# of P

BBMC-RG BBMC-ARG xBMC 2.0# of variables # of clauses # of variables # of clauses # of variables # of clauses

2 5,434 15,197 5,533 15,102 4,502 13,770

5 37,488 110,471 30,851 90,079 22,577 77,948

10 171,229 513,965 126,801 379,470 83,652 300,176

15 358,999 1,081,790 311,501 942,085 182,842 645,297

20 824,374 2,493,481 556,987 1,686,384 321,347 1,150,023

• Wozna, Penczek and Zbrzezny (FI 2003)• BBMC found the witness at the 12th iteration• xBMC 2.0 found the witness at the 15th iteration

Fischer’s Mutual Exclusion, A=1, B=2

Discussion and Related Works Discretization

Discrete time unit Penczek, Wozna and Zbrzezny (FTRTFT’02) Divide a time unit into 2n segments Tool: BBMC

General zones/polyhedra Quantifier Boolean elimination

Seshia and Bryant (CAV’03) Tool: TMV

Region Graph prohibitive size from infeasible to feasible

Simple transition relation SAT-Based Model Checking

Conclusion and Future Work

We propose a new transition relation encoding based on region graph

We realize it in xBMC 2.0 Standard experiments show some promise in bug h

unting

How about correctness guarantee? An intrinsic bound: usually prohibitively high to reach Unbounded approaches: Induction, interpolation.

Apply inductive method (appeared in ATVA2004)

Conclusion and Future Work

How about large constants? Large constants did incur worse performance

Change B from 2 to 4000: 22->14

How about clock difference conditions?

Apply abstraction techniques

Add extra Boolean predicates for clock difference conditions

Thank you for your attention.Any questions are welcome!

Contact info.

Bow-Yaw Wangbywang@iis.sinica.edu.tw

http://iis.sinica.edu.tw/~bywang

Fang Yuyuf@iis.sinica.edu.tw

http://iis.sinica.edu.tw/~yuf~END~

Discussion and Related Work

Symbolic Zone Model Checking Unbounded State: Zone Transition: Quantifier elimination Explore states until fixed point reached Conventional Tools: RED(CRD), UPPAAL(DBM), KRONOS

(DBM) SAT-based Zone Model Checker

Seshia and Bryant (CAV’03) Separation Logic and Predicate Encoding Tool: TMV

Region Discretization

(s, [v])(s, vd, vr) vd :Integral part

vr :Fraction part

An example

2 , if ( ) 0

2 1, if ( ) 0

2 1, otherwise

t t c frac txv x t t c frac td x

c x

, if

, , if

, if

frac v x frac v y

v x y frac v x frac v y

frac v x frac v y

1 2 1x y z

3 3 2 ,v x v y v z v x yd d d

v x t